On February 10, the proposed Retail Payment Activities Act Regulations were published for consultation in the Canada Gazette, Part I¹ (the Regulations).

What you need to know

  • The Retail Payment Activities Act² (RPAA), which received Royal Assent in June 2021, and the Regulations introduce a new supervisory regime for the retail payment activities of payment service providers (PSPs), including those who offer digital wallets. Although the Government reserved, under the "retail payment activity" definition, the right to extend the scope of the RPAA to virtual currencies by way of regulation, these draft Regulations haven't done so.
  • The Regulations provide standards for operational risk management and details as to requirements with respect to 1) safeguarding of end-user funds; 2) PSPs' registration with the Bank of Canada (the Bank); 3) PSPs' reporting obligations. The Regulations also set out the penalties for violating requirements and include the requirements to support the national security review process as part of the Minister of Finance's national security authorities under RPAA.
  • Comments on the Regulations can be submitted to the Government until March 28, 2023.
  • More details as to what the Regulations mean for PSPs and other stakeholders will be discussed during a webinar to be held on February 23 at noon. Please join us by registering here.

The oversight framework: prescriptive yet principle-based

The 2017 federal consultation paper, "A New Retail Payments Oversight Framework," states that "unduly burdensome regulations may stifle competition and innovation"³ and, to prevent this from happening, the paper identifies four principles to guide the development of the oversight framework: necessity, proportionality, consistency and effectiveness.

The Regulations aim to satisfy all four principles by imposing a highly prescriptive framework while still providing some flexibility, either through the adoption of language that permits room for interpretation or by integrating elements of proportionality that take into consideration the size and activities of each PSP in the market.

We provide below a high-level summary of key aspects of the Regulations.

Registration

The Regulations provide additional details regarding the PSP registration process, including the establishment of a one-time $2,500 registration fee.

Risk management and incident response

The Regulations require PSPs to develop a written, comprehensive risk management and incident response framework (the Framework) that covers an extensive list of requirements ranging from:

  • high-level obligations, such as inserting in the Framework's objects a statement to the effect that the PSP can perform retail payment activities without reduction, deterioration or breakdown, including ensuring the availability of systems, data and information involved in the PSP's performance of those activities; to
  • very focused requirements, such as identifying all assets and business processes that are associated with the PSP's performance of its activities and classifying them according to their sensitivity and criticality to the performance of those activities.

This highly prescriptive approach seeks to ensure that all potential end-user harm has been identified and appropriately addressed by PSPs. In addition, PSPs must also undertake nuanced testing to ensure integrity and compliance of the Framework.

Recognizing the diversity of PSPs, the Regulations provide for the development of a Framework that is proportional to the impact that a reduction, deterioration or breakdown of a PSP's activities can have on end-users or on other service providers having regard to the size and value of the PSP's activities. The Regulations specify how to assess the "proportionality" element.

The Framework must also consider how any third-party service providers or agents and mandataries will fit into the risk management and incident response requirements.

Safeguarding of funds

To safeguard user funds, the RPAA requires PSPs to either 1) hold funds in trust, in a trust account or 2) hold funds in a segregated account and hold insurance or a guarantee in respect of the funds. Accounts used to hold end-user funds must be held in prudentially regulated financial institutions. PSPs must establish a written framework with respect to the safeguarding of funds (Funds Framework) to ensure that end-users have access to funds being held by the PSP without delay, including ensuring that the funds, or the proceeds of the insurance or guarantee, are paid to the end-users as soon as feasible when an insolvency event occurs.

The Funds Framework must describe the systems, policies, processes, procedures and controls to meet those objectives. It must also identify any legal and operational risks that could hinder meeting those objectives and the means of mitigating such risks. PSPs must review their Funds Framework at least once per year as well as following any changes in how the PSP safeguards funds, changes in the entities in which such funds are held or in the terms of the insurance policy or guarantee securing such funds.

However, the Regulations provide for some flexibility for PSPs to create their own compliant Funds Framework while ensuring accountability. Rather than prescribing the specific mechanics of safeguarding end-user funds in trust or otherwise, the Regulations set out the parameters within which PSPs can develop their own systems and processes to safeguard funds, specifically, ensuring end-users have ready and reliable access to their funds, including in the event of a PSP's insolvency.

At least once every two years, a PSP's Funds Framework will be reviewed by an independent "sufficiently skilled individual" to ensure it complies with the RPAA and the Regulations.

Insurance requirements

The insurance or guarantee required under the RPAA with respect to the end-user funds held by PSPs must be issued by a federally regulated financial institution, or a provincially regulated insurance, trust or loan company, or a foreign financial institution subject to comparable standards relating to capital, liquidity, governance, supervision, and risk management, and which in each case is not an affiliate of the PSP.

PSPs must ensure that: (i) the proceeds from the insurance or guarantee do not form part of the PSP's general estate; (ii) the proceeds are payable for the benefit of an end-user as soon as feasible following the bringing of insolvency proceedings, or the consent to such proceedings, by the PSP, or the passage of 30 days from the bringing of insolvency proceedings against the PSP, unless such proceedings have been discontinued (collectively "insolvency events"); (iii) the insurance or guarantee will survive the PSP's insolvency; and (iv) the Bank will be given 30 days' notice of the cancellation or termination of the insurance or guarantee.

Note that the Regulations only address insolvency events, not other forms of reorganization, arrangement or default in payment absent an insolvency.

National security review and considerations

PSPs are also subject to national security review reporting and approval requirements. Under the RPAA and Regulations, the Minister of Finance can commence national security reviews within 60 days of the submission of an initial application for registration, in connection with acquisitions of control transactions or in the event of certain "other changes." The provisions are designed to be similar to the national security provisions in the Investment Canada Act (ICA). Unlike the ICA, which regulates Foreign Direct Investment, the national security provision in the RPAA is largely investor-nationality agnostic and applies to Canadians as well as non-Canadians. That said, substantive assessments under the RPAA are expected to be like those under the ICA. Under the ICA, reviews typically focus on Chinese, Russian and State-Owned Enterprise investors as well as investors with potential links to organized crime. Under the RPAA, reviews can be 180 days or longer and result in conditional or unconditional approvals or rejections.

Reporting obligations

The Regulations impose several reporting obligations which appear to be onerous:

  • A new registration application if an individual or entity plans on acquiring control of a PSP, or if a PSP plans on making prescribed "other changes," which include acquisitions by State Owned Enterprises or the storage or processing of certain information in a country outside Canada.
  • An annual report that includes a broad spectrum of information ranging from a description of any changes made to the PSP's Framework during the reporting year and the PSP's plans for the Framework's maintenance and implementation, to details regarding the PSP's retail payments activities, volumes and dollar amounts as well as any changes to operations, practices or service provider relationships.
  • Advance notice when a PSP makes a significant change in the way it performs a retail payment activity or a new retail payment activity.
  • Notice to the Bank and to any affected individual or entity of any material incident, in which the PSP must describe the incident, the nature of the material impact and any corrective actions.

Enforcement and administrative monetary penalties

The Regulations designate specific provisions of the RPAA, or the Regulations, that can be subject to a notice of violation (and potentially an administrative monetary penalty). The Regulations classify such violations as either serious or very serious with a potential reclassification of a series of serious violations as a very serious violation. A serious violation can be subject to a penalty of up to $1,000,000 per violation and a very serious violation can be subject to a penalty of up to $10,000,000 per violation.

Certain violations which pertain to the provision of information, such as annual reporting, are not classified and are subject to their own administrative penalty regimes that carry a penalty of $500 per day if the violation has carried on for less than 30 days and from $15,000 to $1,000,000 if the violation has carried on for more than 30 days.

The high level of prescriptiveness found in the Regulations will enable the Bank to take enforcement actions on each specific requirement thereunder, which would not be the case if such requirements were found in guidelines rather than regulations (i.e., because guidelines do not have force of law).

What's next

The Bank will be providing further guidance on the scope, exclusions and requirements under the RPAA and Regulations.

Specific provisions of the Regulations come into force when the related RPAA provisions come into force:

  • Regulations related to registration, national security and compliance will come into force when the RPAA provision requiring PSPs to submit a registration application comes into force.
  • Regulations addressing operational risk management, end-user funds safeguarding, reporting, record keeping and prescribed supervisory information will come into force when the Bank registers PSPs and notifies PSPs of their registration.
  • Regulations related to assessment fees will come into force when the relevant provisions of the RPAA come into force.

The Regulations prescribe detailed compliance requirements, and PSPs, particularly those that may not be familiar with dealing with regulators other than FINTRAC, may find it challenging to comply with the RPAA and the Regulations. PSPs will also need to consider whether they are subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. PSPs are encouraged to seek out counsel to ensure appropriate compliance.

Footnotes

1. Canada Gazette, Part 1, Volume 157, Number 6

2. Retail Payment Activities Act (S.C. 2021, c. 23, s. 177) was enacted in June 2021

3. A New Retail Payments Oversight Framework, 2017, Department of Finance, Government of Canada
