An Opportunity for Payment Service Providers to Prepare for a New Reality - Retail Payment Activities Act Regulations Published for Comment

More than 19 months after the Retail Payment Activities Act (the “RPAA”) received Royal Assent, draft regulations to the RPAA (the “Regulations”) were released for public comment on February 10, 2023. For an overview of the RPAA, which proposes to subject a broad spectrum of payment services providers (“PSPs”) to supervision by the Bank of Canada (the “Bank”), see our May 18, 2021 Update on the then draft legislation.

The period for comment is 45 days, ending on March 28, 2023. The Department of Finance estimates that 2,500 businesses acting as PSPs will be subject to the RPAA and the Regulations when they come into force, so interested persons should carefully review the Regulations to take advantage of the invitation to comment and, if applicable, to plan for implementation.

Whether large or small, PSPs should allow significant time and resources to prepare for the new regime.

Next Milestones and Coming into Force

After considering comments received by March 28, the Government of Canada will publish the final version of the Regulations. Sometime after that publication, the Bank will issue guidance on specific topics related to the RPAA to further clarify the Bank’s supervisory expectations (the “Guidance”). Based on our review of the draft Regulations, the Guidance will be crucial for PSPs to appropriately plan for the new regulatory regime.

The provisions of the RPAA affecting PSPs, including the requirement to register with the Bank, have yet to be proclaimed in force. The Federal Cabinet will decide when each provision of the RPAA will come into force, and no timeline for that has been given. However, last fall the Bank indicated it was planning for registration to begin in 2024, followed by test runs and full implementation in 2025.

Key Elements of the Regulations

The following discussion highlights some key elements of the Regulations and their expected impacts.

Application of the RPAA

With several exceptions, including those listed in s. 9, the RPAA applies to PSPs that perform retail payment activities if the PSP has a place of business in Canada or directs the activities to end-users in Canada. The RPAA defines retail payment activity as follows:

retail payment activity means a payment function that is performed in relation to an electronic funds transfer that is made in the currency of Canada or another country or using a unit that meets prescribed criteria.

Presumably, “a unit that meets prescribed criteria” is meant to allow for the possibility of including transfers of cryptocurrency. However, for the time being the RPAA will only apply to fiat currency transfers, as the Regulations do not take the step of prescribing other units.

The Regulations prescribe the following exemptions:

a) Retail payment activity in the form of transactions relating to securities will be exempt if performed by an individual or entity that is regulated, or exempted from regulation, under Canadian securities legislation. The rationale for characterizing this activity as a prescribed retail payment activity under s. 6(d) of the RPAA, rather than characterizing the PSPs as a prescribed class of PSPs to be exempt under s. 9(k) of the RPAA, is not clear.

b) Also exempt from the RPAA will be a service or business activity that is incidental to another service or business activity, unless that other service or business activity consists of the performance of a payment function. The impact of this provision is not clear, given that the RPAA already excludes incidental activity in the definition of a PSP:

payment service provider means an individual or entity that performs payment functions as a service or business activity that is not incidental to another service or business activity. (Emphasis added.)

c) The Regulations only prescribe SWIFT for exclusion as a PSP for the purposes of s. 9(k) of the RPAA.

We expect the Guidance to refer to, and hopefully clarify, the Bank’s interpretation of the scope of the RPAA.

Registration

The requirement in s. 23 of the RPAA for PSPs to register with the Bank before performing retail payment activities is fundamental to the proposed regulatory regime. Sections 23 and 24 of the Regulations set out in detail the extensive information that will be required for an application for registration.

Requirements for a Risk Management and Incident Response Framework

A pillar of the Bank’s proposed supervisory regime is outlined in s. 17(1) of the RPAA:

For the purposes of identifying and mitigating operational risks and responding to incidents, a payment service provider that performs retail payment activities must, in accordance with the regulations, establish, implement and maintain a risk management and incident response framework that meets prescribed requirements.

While reviewing the Regulations and this discussion of them, it is helpful to know that the RPAA defines the following terms:

incident means an event or series of related events that is unplanned by a payment service provider and that results in or could reasonably be expected to result in the reduction, deterioration or breakdown of any retail payment activity that is performed by the payment service provider.

operational risk means a risk that any of the following will result in the reduction, deterioration or breakdown of retail payment activities that are performed by a payment service provider:

(a) a deficiency in the payment service provider’s information system or internal process;

(b) a human error;

(c) a management failure; or

(d) a disruption caused by an external event.

In s. 5, the Regulations set out extensive requirements for the risk management and incident response framework (the “RM and IR Framework”) that PSPs will be required to establish and maintain. This framework, which must be in writing, must set out the following objectives among others:

(i) ensuring that the PSP is able to perform retail payment activities without reduction, deterioration or breakdown, including by ensuring the availability of the systems, data and information involved in the performance of those activities, and

(ii) preserving the integrity and confidentiality of those activities, systems, data and information.

The following summary excerpts from s. 5 provide an indication of the amount of planning and allocation of resources (human and financial) that PSPs will need for the RM and IR Framework, which must, among other things:

  • set out clearly defined and measurable reliability targets for the ability to perform the retail payment activities and for the availability of the systems, data and information referred to in (i) above, as well as indicators for assessing whether each of the objectives referred to above is met;
  • identify the human and financial resources that are required to implement and maintain the framework, including, with respect to human resources, their skills and training, as well as the measures that the PSP must take to ensure timely and reliable access to those resources, whether from internal or external sources;
  • identify all assets — including systems, data and information — and business processes that are associated with the PSP’s performance of retail payment activities and classify them according to their sensitivity and their criticality to the performance of those activities;
  • identify, and describe the potential causes of, all of the PSP’s operational risks;
  • describe the systems, policies, procedures, processes, controls and any other means that the PSP must have in place to mitigate its operational risks and protect the assets and business processes;
  • describe the systems, policies, procedures, processes, controls and any other means that the PSP must have in place to ensure the continuous monitoring of the following for the purpose of promptly detecting incidents, anomalous events that could indicate emerging operational risks and lapses in the implementation of the framework:
      i. the payment service provider’s retail payment activities,
      ii. the systems, data and information involved in the performance of those activities, and
      iii. the systems, policies, procedures, processes, controls and other means referred to above;
  • set out a plan for responding to and recovering from such incidents, including those involving or detected by an agent or third-party service provider;
  • set out a plan for responding to the aforementioned anomalous events or lapses.
    (Emphasis added.)

The RM and IR Framework must also address agents and third-party service providers utilized by a PSP. The distinction to be drawn between the defined term “incidents” and “anomalous events or lapses”, for which there is no definition, is unclear.

In addition to establishing and maintaining an RM and IR Framework, PSPs will need to comply with requirements for yearly internal reviews, as well as testing and independent reviews every three years. The PSP must also conduct a review of its RM and IR Framework after every incident that is notifiable under s. 18 of the RPAA.

The Department of Finance expects that approximately 96% of the PSPs falling under the scope of the RPAA will be small businesses. Although s. 5(2) of the Regulations refers to “proportionality” for the RM and IR Framework, the prescriptive approach taken in the Regulations would seem to limit the ability of a small business to tailor the robustness of its RM and IR Framework.

Safeguarding of Funds

Where a PSP holds end-user funds until they are withdrawn or transferred, s. 20(1) of the RPAA requires the PSP to hold the end-user funds in: (a) a trust account; (b) a prescribed account, or (c) an account that is not used for any other purpose and for which the PSP must hold insurance or a guarantee in an amount equal to or greater than the amount in that account.

The Regulations do not prescribe other accounts for the purposes of s. 20(1)(b). Section 13 requires that the accounts referenced in s. 20(1)(a) and (c) above be provided by the deposit-taking entities referred to in s. 9(a) to (d), or (f) to (h) of the RPAA (including a bank, authorized foreign bank, credit union, caisse populaire, federal or provincial trust or loan company) or by a foreign financial institution that is regulated by a regulatory regime with standards comparable to those applicable to the aforementioned entities.

The Regulations impose extensive requirements on a PSP that does not use trust accounts for end-user funds and instead relies on insurance or a guarantee. Central to these requirements is that the proceeds from the insurance or guarantee will not form part of the PSP’s insolvent estate – or in other words, that these proceeds will be bankruptcy remote.

All PSPs that hold end-user funds are required to establish, implement and maintain a written safeguarding-of-funds framework (the “Safeguarding Framework”). The Regulations set out a prescriptive list of what the Safeguarding Framework must cover. The bulk of the requirements are directed at the s. 20(1)(c) arrangements involving insurance or guarantees. The Regulations imply that bankruptcy remoteness is not a concern where funds are held in trust in a trust account, which is consistent with the treatment of trust property under Canadian insolvency laws.

Again, relevant PSPs will be required to review the Safeguarding Framework annually, including an evaluation of whether or not at all times during the preceding year the end-user funds (or proceeds of insurance/guarantees) “would have been payable to end users in the case of” an insolvency event. Any deficiencies will need to be investigated, addressed and reported to the Bank. In addition, a PSP must have an independent review of the Safeguarding Framework carried out at least every two years.

The Bank indicated that the Guidance will provide clarity on the requirements for the safeguarding of funds.

Record Keeping and Retention

Section 41 of the Regulations requires PSPs to keep sufficient records to demonstrate their compliance with the RPAA and Regulations until “five years after the day on which they cease to demonstrate the payment service provider’s compliance with a current obligation.” Section 41 outlines the protective measures to be taken with respect to the records, and s. 42 extends obligations to records kept by agents and third-party service providers.

Annual Reporting

Consistent with the above-mentioned frameworks, the list of prescribed information to be contained in PSPs’ annual reports to the Bank, set out in s. 19 of the Regulations, is extensive and detailed.

Administration and Enforcement

The prescribed period for responding to information requests from the Bank under s. 65 and 66 of the RPAA is 15 days unless the information requested relates to an incident that is ongoing and could have a significant adverse impact on an individual or entity referred to in s. 94(2) of the RPAA, in which case the response period is 24 hours.

Violations under the RPAA or the Regulations will be classified as either serious or very serious. Ultimately, the administrative monetary penalty (AMP) may be up to $10 million for a very serious violation and otherwise up to $1 million. Given the wide range in penalties, the Guidance is expected to provide further information on the Bank’s calculation methodology for the AMP.

Fees

The Regulations set out amounts and formulae for registration fees and assessment fees.

Looking Forward

Our Financial Services Regulatory Group will continue to monitor legislative and regulatory developments and assist our clients to navigate the implications of the RPAA and the Regulations.

For more information related to the RPAA or the Regulations, please contact the author of this article or any member of our Financial Services Regulatory Group.