On April 30, 2021, the federal government introduced Retail Payment Activities Act (short title, Retail Payment Activities Act) (the âRPAAâ). The long-awaited RPAA follows a consultation paper released by the Ministry of Finance in 2017, for a âNew Retail Payments Oversight Frameworkâ (the â2017 Consultation Documentâ). We discuss the 2017 consultation document here. The RPAA signals the government’s continued commitment to regulate new and increasingly complex âretail payment activitiesâ through innovative payment methods and technologies.
The RPAA will serve as the premier regulatory regime for retail payment service providers in Canada. Unsurprisingly, it comes amid a broader regulatory response from a government focused on protecting consumers, promoting competition and fostering innovation in the digital age. Further evidence of this broader strategy can be seen in other recent legislative proposals such as the Consumer Privacy Protection Act (“CPPA”), and amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (“PCMLTFA”) and Payment Clearing and Settlement Act (“PCSA”).
Who will be regulated?
To begin with, the RPAA will regulate âretail payment activitiesâ which are either:
- Performed by a “payment service provider” (“PSP“) that has an establishment in Canada, or
- Performed for an “end user” in Canada by a PSP that has no establishment in Canada, but directs retail payment activities to individuals or entities located in Canada.
End users are the people or entities who use a payment service to send or receive payment. A PSP is an entity that performs a “payment function” as a service or business activity that is not incidental to another service or business activity. The notion of what constitutes an “accessory” to another service will likely be the subject of a debate on the fringes of this legislation. Given regulatory analyzes in other areas such as registering fund issuers as money services businesses, the determination will likely focus on excluding businesses where the payment function they facilitate is a minor component. of their business model, rather than a central component of it. An example of an âancillaryâ payment function could be a non-bank lender that transfers funds to finance a borrower’s purchase. The funds payment function is simply a corollary of their real service: consumer lending.
What activities will be regulated?
The subject of regulation under the RPAA is “retail payment activity” performed by a PSP or for an end user and defined as “payment function that is performed as part of an electronic funds transfer made in Canadian currency or in a currency of another country or using a unit that meets prescribed criteria“. A payment function includes:
- the provision or maintenance of an account which, in the context of an âelectronic funds transferâ, is held on behalf of one or more end users;
- holding funds on behalf of an end user until they are withdrawn by the end user or transferred to another person or entity;
- initiating an âelectronic funds transferâ at the request of an end user;
- authorizing an âelectronic funds transferâ or the transmission, receipt or facilitation of an instruction relating to an âelectronic funds transferâ; or
- the provision of clearing or settlement services.
Electronic fund transfers are defined as “an investment, transfer or withdrawal of funds by electronic means which is initiated by or on behalf of an individual or entity“.
This broad definition of a “retail payment business” may indicate the government’s desire to expand the scope of PGRFA to non-fiat currencies such as virtual currencies or even something like loyalty points. Such an application would likely depend on the establishment of prescribed criteria and any concerns about federal jurisdiction in this regard. This potential breadth of application is important because, while the PGRFA is closely linked to the deployment of Payment Canada’s real-time retail payment system, the proposed legislation does not contain such restrictive language.
Here are the notable exemptions from the payment functions regulated by the RPAA:
- those related to closed-loop gift cards and prepaid cards, provided they are issued by a merchant or an excluded party of the RPAA.
- those made for the purpose of withdrawing cash from an automated teller machine;
- those performed by systems designated as systemically important or “material” under the Payments Clearing and Settlement Act (the designation currently includes retail systems such as the Automated Clearing and Settlement System (the “SACR”) and the Interac transfer);
- those carried out entirely between the PSP and the entities with which it has an âaffiliationâ; and
- any other payment function prescribed in accordance with the regulations
Certain payment service providers and financial institutions are also excluded from the scope of the RPAA, in particular:
- banks and authorized foreign banks,
- credit unions,
- a provincial government or one of its agents if they accept deposits transferable by order,
- insurance companies,
- a trust company and loan companies,
- Payments Canada,
- the Bank of Canada,
- prescribed persons or entities; and
- registered PSP agents.
The RPAA indicates that additional exclusions may be included in the regulations. It is interesting to note that the list of excluded entities does not reflect the list of entities that are either mandatory members or authorized members of Payments Canada. For example, not all âinsurance companiesâ are eligible to be members of Payments Canada. Under paragraph 4 (2) (d) of the Canadian Payments Act, only life insurance companies are eligible for membership. Likewise, securities dealers are eligible for membership in Payments Canada, but are not currently listed as excluded from the scope of the RPAA. Although the criteria for membership in Payments Canada are under review by the Department of Finance, no final changes have been made.
Who is the regulator?
Interestingly, the Bank of Canada (âBoCâ) will be the regulator responsible for ensuring that entities comply with the requirements of the PGRFA. The RPAA also empowers the BoC to issue guidelines on how the RPAA is applied. As a result, the RPAA marks a notable expansion in the scope of the BoC’s oversight role.
How will payment providers be regulated?
Once the RPAA comes into effect, PSPs will be required to register with the BoC before performing any retail payment activity. When applying for registration, the PSP should be prepared to document:
- a description of the PSP operational risk management and incident response framework (see below);
- annual reports containing information on trust accounts and other prescribed information relating to end-user funds;
- information describing how the PSP protects end user funds;
- information about third party PSP service providers that may have a significant impact on the operational risks of the PSP or on how the PSP protects or plans to protect end user funds;
- any information relating to the PSP or its retail payment activities for national security purposes;
- A statement as to whether the PSP is registered with FINTRAC and / or whether the PSP is registered under a provincial retail payment activity law;
The BoC can refuse or revoke the registration for various reasons, including those related to national security, and for not complying with the requests of the Minister of Finance. The BoC may also refuse or revoke the registration in the event of a failure by a PSP to comply with certain requirements of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the “PCMLTFA”). This includes in particular the non-registration as a money services business. A PSP’s registration may be revoked if it has received a notice of violation for committing a âseriousâ or âvery seriousâ violation under the PCMLTFA.
Operational risk management and incident response framework
A PSP is required to establish an operational risk management and incident response framework to identify and mitigate operational risks and respond to âincidentsâ; that is, events that could result in the âdownsizing, deterioration or breakdownâ of any retail payment activity.
The RPAA defines âoperational riskâ as including:
- a deficiency in the information system or the internal process of the PSP;
- human error;
- management failure; or
- a disturbance caused by an external event.
The RPAA makes it clear that in the event that a PSP becomes aware of an incident having a significant impact on an (a) end user, (b) a PSP, and (c) a clearinghouse of a clearing system and settlement (as defined in the PCSA), the PSP will be required to inform the BoC. The specific requirements for the reporting framework and form will be set out in the regulations.
Effective mitigation of the operational risk of PSPs will be critical to maintaining confidence in any payment system that allows PSPs to participate. The RPAA currently provides few details on the operational risk management framework; a more in-depth evaluation should be reserved pending publication of the draft RPAA regulation.
Protect end user funds
There are additional requirements for PSPs that hold end user funds as a retail payment business. In such circumstances, the PSP must hold the funds in a designated trust account or prescribed account for the sole purpose of performing the retail payment activity. The PSP must also be insured or guarantee an amount greater than the amount held in the account. Exceptions exist for deposit-taking institutions in certain circumstances. These requirements are similar to those in force for electronic money institutions (âIME)â established by the Payment Services Directive EU 2015/2366 (âPSD2â) and implemented by various national authorities.
The RPAA marks an important step in the regulation of PSPs and in expanding participation in Canada’s retail payment systems. There is still work to be done on important issues such as operational risk management and end user protection. We will be following further developments closely.
Special thanks to Intern Noah Walters for his help in preparing this article.