The year 2020 will be remembered as a turning point for many reasons, including the year the world was forced to move online to an extent never seen before. Online commerce reached stratospheric levels in 2020 – Amazon’s fourth quarter 2020 earnings report showed it to be the highest quarter on record in terms of revenue, generating $ 125.56 billion dollars in sales. All forms of contactless payment have become not only convenient but necessary, and while overall consumer spending has declined, online spending with its corollary of electronic payments has increased. Payments Canada reported that in 2020, electronic payments made up 77% of all transactions, and on the retail side, consumer behavior was showing what could be a permanent increase in electronic forms of payment.
To date, financial technology (fintech) companies operating in the retail payments space in Canada (other than regulated financial institutions such as banks) have benefited only from light agency oversight. regulation of financial services, with many payment providers beyond the reach of both the federal government Proceeds of Crime (Money Laundering) and Terrorist Financing Act (Proceeds of Crime Act) and Quebec Money Services Businesses Act. The federal government was monitoring technological change and lack of regulation in the payments space even before the explosive growth of e-commerce in 2020. On April 30, 2021, as part of Budget Bill C-30, the government released a draft Retail Payment Activities Act (RPAA). The RPAA is following the recommendations made by the Department of Finance in its 2017 consultation paper calling for a new retail payments oversight framework to ensure end-user protection and build confidence in the retail payments ecosystem in Canada .
Although not yet finalized, the RPAA can subject most FinTech companies operating in the retail payments space to a new regulatory regime under the supervision of the Bank of Canada (BoC), including a process. registration that may be subject to national security review and continuous operation. conditions.
Application of RPAA
The RPAA will apply to any retail payment activity that is
- made by a payment service provider having a place of business in Canada; or
- performed for an end user in Canada by a payment service provider that has no establishment in Canada but directs retail payment activities to persons or entities in Canada.
A “payment service provider” (PSP) is an individual or entity that performs payment functions as a service or business activity that is not incidental to another service or business activity. This broad definition may require regulatory guidance on whether a particular activity is considered incidental.
Similar to the Proceeds of Crime Act, the PGRFA is intended to have extraterritorial effect and will apply not only to PSPs in Canada, but also to foreign PSPs directing retail payment activities to persons located in Canada. Therefore, foreign PSPs should carefully consider their retail payment activities when dealing with Canadian customers. Directing services to people in Canada may involve targeted marketing or advertising; using a “.ca” domain name; or be listed in a Canadian business directory.
What constitutes the retail payment business?
A “retail payment activity” is defined as a payment function performed in connection with an electronic transfer of funds in Canadian currency or in the currency of another country or by using a unit that meets prescribed criteria. While these prescribed criteria are likely spelled out in implementing regulations for the RPAA, the term “unit” can be interpreted broadly to include virtual currencies (such as bitcoin and other cryptocurrencies). Likewise, the “payment function” is broadly and generously defined in terms that will require clarification in regulation or by the regulator in order to determine which activities are covered by PGRFA and which are not.
Which activities are excluded?
The RPAA specifically excludes from its scope the following retail payment activities:
- Banks and other regulated entities: payment functions performed by a bank; an authorized foreign bank; a credit union; a provincial government or an agent thereof if it accepts transferable deposits by order; an insurance company; a trust company; a loan company; the Canadian Payments Association; the BoC; or prescribed persons or entities;
- Prepaid payment products: electronic funds transfers through an instrument issued by a merchant – or a non-PSP that has an agreement with a group of merchants) that allows the holder to purchase goods or services only from the issuing merchant or merchants in that group (eg, closed loop gift cards);
- ATM withdrawals: ATM cash withdrawals;
- Eligible financial contracts: a payment function executed to give effect to an “eligible financial contract” as defined in the Canada Deposit Insurance Corporation Act;
- Designated systems: electronic funds transfers made by systems designated under the Payment Clearing and Settlement Act (this includes the new Interac electronic transfer system);
- Internal operations: payment functions performed entirely between a PSP and its affiliated entity; or
- PSP officers: registered PSP agents engaged in retail payment activities under their authority as agents.
Additional exemptions from the PGRFA may be prescribed in regulations.
Registration under the RPAA
Once the RPAA is in effect, a PSP must register with the BoC before performing retail payment activities. Registration requests should contain prescribed information, including details of the services to be provided, a description of the PSP’s operational risk management and incident response framework, safeguards in place to protect user funds and whether the PSP is registered with Financial Transactions. and the Report Analysis Center of Canada (FINTRAC).
The BoC may refuse or revoke registration for several reasons, including if the applicant provides false or misleading information, is not registered as a Money Services Business (ESM) under the Money Market Products Act. criminality when required or has received a Notice of Violation under the Proceeds of Crime Act for a violation classified as “serious” or “very serious”. However, whether an entity is required to register as an EMM is subject to debate, as it comes down to whether the provision of money transfer or money transfer services is simply incidental to the actual activities of the entity. Therefore, PSPs should carefully assess whether registration as an ESM is required under the proceeds of crime law on the basis of their specific business activities.
Notably, the applications are also subject to review by the Minister of Finance for reasons related to national security. The Minister of Finance may reject an application or require commitments or impose conditions on the registration of an applicant for reasons of national security.
The BoC will also keep a register of registered PSPs – which will likely be similar to the register of MSBs maintained by FINTRAC – as well as a list of people whose registration has been refused or revoked and the reasons for that refusal.
PSPs must establish, implement and maintain a risk management and incident response framework that meets certain prescribed criteria, in order to identify and mitigate operational risks and respond to incidents. The framework will be subject to an assessment by the BoC, which may provide the PSP with a list of corrective measures it deems appropriate.
Safeguarding of funds
Subject to exceptions for deposit-taking institutions, a PSP that holds end-user funds must hold such funds in a prescribed account, a trust account that is not used for any other purpose, or an account that is not used for no other purpose and which is insured or guaranteed for at least the amount held in the account.
The RPAA will impose a notification obligation on
- a PSP that is aware of any incident that has a significant impact on an end user, another PSP or a clearing house of a clearing and settlement system; and
- a PSP that wishes to make a significant change in the way it performs a retail payment activity or add a new retail payment activity, which could reasonably be expected from the change or new activity on operational risk or the way whose end user funds are protected.
Registrants will also be required to submit an annual report to the BoC containing information regarding their operational risk management and incident response framework and other prescribed information.
Administration and enforcement
The RPAA will give the BoC investigative and audit powers, as well as the power to impose administrative monetary penalties up to a maximum of $ 10 million for non-compliance with the RPAA.
In particular, a person or entity is responsible for violations committed by any of its employees, third party service providers or agents acting under their authority, whether or not the person who actually committed the violation is identified.
Currently, no date has been set for the entry into force of the PGRFA and implementing regulations have not been published. Once in effect, the RPAA will provide a transition period for PSPs to register and bring their practices into compliance with the new requirements. Given its history and the number of open questions that remain unresolved, the RPAA is unlikely to be finalized for some time. However, PSPs in Canada and abroad should closely monitor the progress of the PGRFA so that they are ready to update their practices without any disruption to their operations once the PGRFA comes into effect.