On April 30, 2021, the federal government introduced An Act Respecting Retail Payment Activities (short title, Retail Payment Activities Act) (the “RPAA”). The much-anticipated RPAA comes in response to a consultation paper published by the Department of Finance in 2017, for a “New Retail Payments Oversight Framework” (the “2017 Consultation Paper”). We discuss the 2017 Consultation Paper here. The RPAA signals the government’s continued willingness to regulate new and increasingly complex “retail payment activities” driven by innovative payment methods and technologies.
The RPAA will serve as the first regulatory regime for retail payment providers in Canada. Not surprisingly, it comes in the midst of a broader regulatory response by a government focused on protecting consumers, fostering competition and promoting innovation in the digital age. Further evidence of this broader strategy can be observed in other recent legislative proposals like the Consumer Privacy Protection Act (“CPPA”), and amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (“PCMLTFA”) and Payment Clearing and Settlement Act (“PCSA”).
Who will be regulated?
As a starting point, the RPAA will regulate “retail payment activities” that are either:
- Performed by a “payment service provider” (“PSP”) that has a place of business in Canada, or
- Performed for an “end user” in Canada by a PSP that does not have a place of business in Canada, but directs retail payment activities at individuals or entities that are in Canada.
End users are the individuals or entities that use a payment service to send or receive payment. A PSP is an entity that performs a “payment function” as a service or business activity that is not incidental to another service or business activity. The notion of what constitutes “incidental” to another service will likely be the subject of debate at the margins of this legislation. Given regulatory analyses in other areas like the registration of funds transmitters as moneys services businesses, the determination will likely focus on excluding companies where the payment function they facilitate is a minor component of their business model, rather than a central component of it. An example of a payment function that is “incidental” could be a non-bank lender who transfers funds to fund a borrower’s purchase. The funds payment function is simply a corollary to their true service – lending to consumers.
What activities will be regulated?
The subject of regulation under the RPAA is “retail payment activity” performed by a PSP or for an end user and defined as a “payment function that is performed in relation to an electronic funds transfer that is made in Canadian currency or another country currency or using a unit that meets prescribed criteria”. A payment function consists of:
- the provision or maintenance of an account that, in relation to an “electronic funds transfer”, is held on behalf of one or more end users;
- the holding of funds on behalf of an end user until they are withdrawn by the end user or transferred to another individual or entity;
- the initiation of an “electronic funds transfer” at the request of an end user;
- the authorization of an “electronic funds transfer” or the transmission, reception or facilitation of an instruction in relation to an “electronic funds transfer”; or
- the provision of clearing or settlement services.
Electronic funds transfers are defined as “a placement, transfer or withdrawal of funds by electronic means that is initiated by or on behalf of an individual or entity”.
This expansive definition of a “retail payment activity” may indicate the government’s willingness to broaden the reach of the RPAA to non-fiat currencies such as virtual currencies or even something like loyalty points. Such application would likely be contingent on prescribed criteria being put in place, and subject to any concerns around federal jurisdiction to do so. This potential breadth in application is important because, while the RPAA is linked by many to the rollout of Payment Canada’s real-time retail payment system, the proposed Act contains no such restrictive language.
The following are notable exemptions from payment functions regulated under the RPAA:
- those related to closed loop gift cards and prepaid cards, provided they are issued by a merchant or a party that is excluded from the RPAA.
- those made for the purposes of a cash withdrawal at an ATM;
- those performed by systems designated as systemically important or “prominent” pursuant to the Payment Clearing and Settlement Act (designation currently includes retail systems like the Automated Clearing and Settlement System (the “ACSS”) and Interac e-Transfer);
- those performed entirely between the PSP and entities it has an “affiliation” with; and
- any other payment function prescribed pursuant to the regulations
Certain payment service providers and financial institutions are also excluded from the scope of the RPAA, including:
- banks and authorized foreign banks,
- credit unions,
- a provincial government or an agent thereof if they accept deposits transferable by order,
- insurance companies,
- a trust company and loan companies,
- Payments Canada,
- the Bank of Canada,
- prescribed individuals or entities; and
- agents of registered PSPs.
The RPAA indicates that additional exclusions may be included in the regulations. It is interesting to note that the list of excluded entities does not mirror the list of entities that are either mandatory or entitled members of Payments Canada. For example, “insurance companies” are not all entitled to membership in Payments Canada. Under paragraph 4(2)(d) of the Canadian Payments Act, only life insurance companies are entitled to membership. Similarly, securities dealers are entitled to Payments Canada membership, but are not currently listed as excluded from the scope of the RPAA. While membership criteria in Payments Canada is being considered by the Department of Finance, definitive changes have not been made.
Who is the regulator?
Interestingly, the Bank of Canada (“BoC”) will be the regulator responsible for ensuring that entities comply with requirements under the RPAA. The RPAA also empowers the BoC to issue guidelines on how the RPAA applies. Accordingly, the RPAA marks a notable expansion in the scope of the BoC’s supervisory role.
How will payment providers be regulated?
Once the RPAA comes into force, PSPs will be required to register with the BoC before performing any retail payment activities. In applying for registration, the PSP will need to be prepared to document:
- a description of the PSPs operational risk management and incident response framework (discussed below);
- annual reports setting out information regarding trust accounts and other prescribed information relating to end user funds;
- information describing the manner in which the PSP safeguards end user funds;
- information on the PSP’s third party service providers that may have a material impact on the PSPs operational risks or the manner in which the PSP safeguards or plans to safeguard end user funds;
- any information in relation to the PSP or the retail payment activities it performs for national security purposes;
- A declaration that states whether the PSP is registered with FINTRAC, and/or whether the PSP is registered under a provincial Act respecting retail payment activities;
The BoC may refuse or revoke registration on a variety of grounds, including those related to national security, and failures to comply with requests from the Minister of Finance. The BoC may also refuse or revoke registration for a PSPs failure to comply with certain requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the “PCMLTFA”). Notably, this includes a failure to register as a money services business. A PSPs registration may be revoked where they have been served with a notice of violation for committing a “serious” or “very serious” violation under the PCMLTFA.
Operational risk management and incident response framework
A PSP is required to establish an operational risk management and incident response framework to identify and mitigate operational risks, and respond to “incidents”; namely, events that could result in the “reduction, deterioration or breakdown” of any retail payment activity.
The RPAA defines “operational risk” to include:
- a deficiency in the PSP’s information system or internal process;
- a human error;
- a management failure; or
- a disruption caused by an external event.
The RPAA makes it clear that in the event a PSP becomes aware of an incident that has a material impact on an (a) end user, (b) PSP, and (c) clearing house of a clearing and settlement system (as defined in the PCSA), the PSP will be required to notify the BoC. Specific requirements for the framework and form on notice will be set out in the regulations.
Effective mitigation of PSPs’ operational risk will be crucial to maintaining trust in any payment system that allows for PSP participation. The RPAA currently provides scant detail on the operational risk management framework; further assessment will have to be reserved pending the release of the draft RPAA regulations.
Safeguarding end-user funds
There are additional requirements for PSP that holds end-user funds as a retail payment activity. In such circumstances, the PSP must hold the funds in a designated trust account or a prescribed account for the sole purpose of performing the retail payment activity. The PSP must also be insured or guarantee an amount equal to greater than the amount held in the account. Exceptions exist for deposit taking institutions under certain circumstances. These requirements are similar to those in place for electronic money institutions (“EMIs) established by the Payment Service Directive EU 2015/2366 (“PSD2”) and implemented by various national authorities.
The RPAA marks an important step forward in the regulation of PSPs and in broadening participation in Canada’s retail payments systems. There is still work to be done on important issues like operational risk management, and end –user protection. We will be following further developments closely.
A special thank you to Noah Walters, articling student, for his assistance in the preparation of this article.