As was expected and announced in Budget 2021: A Recovery Plan for Jobs, Growth and Resilience, on April 30, 2021 the federal government released Bill C-30 containing, among other things, a draft of the long-awaited Retail Payments Activities Act (RPAA). While the devil will be in the detail of the implementing regulations, much can be gleaned from a review of the provisions of the RPAA as drafted.
The new regulatory payments regime, to be regulated by the Bank of Canada (Bank), is ground-breaking in that it provides for the first regulatory scheme for retail payment providers in Canada.
The RRPA provides who it will apply to and, equally as important, who it will not.
As a starting point, the RPAA applies to “any retail payment activity that is performed by a payment service provider” with a place of business in Canada. It also applies to retail payment activity performed for an end user in Canada by a payment service provider that does not have a place of business in Canada but directs retail payment activities to individuals and entities in Canada. “Retail payment activity” is defined as a payment function (as defined) in relation to an electronic funds transfer (as defined) that is made in Canadian currency or another country currency or “using a unit that meets prescribed criteria”. This definition leaves open the possibility of the RRPA applying to digital currency transactions.
The use of the phrase “directs retail payment activities to persons in Canada” is similar to the language used in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) in respect of the requirement for foreign money services businesses to be registered in Canada. In that regard, FINTRAC (the Financial Transactions and Reports Analysis Centre of Canada, the regulator of money services businesses under the PCMLTFA) interprets “directing” services to persons in Canada to include marketing or advertising directed to Canadians, having a .ca domain name or having a business listed in a Canadian business directory. Other criteria that will be considered in determining if activities are “directed” to persons in Canada include offering products and services in Canadian dollars, seeking feedback from Canadian clients and describing services as being offered in Canada.
As expected, the RPAA applies to payment activity performed for an “end user”. End Users include both consumer and corporate clients that use a payment service provider as a payee or a payor. As such, the scope of the RRPA extends beyond consumer protection.
II. PAYMENT SERVICE PROVIDERS (PSPs)
The RRPA, subject to the exclusions discussed below, applies to “payment service providers” which are defined to include persons that perform “payment functions” as a service or business activity that is not incidental to another service or business activity. This definition would exclude those persons who perform “payment functions” that are ancillary to their main activity and do not offer payment functions as a service in and of itself, but rather, as a corollary of the actual service that is offered. For example, electronic funds transfers sent by a lender funding a loan would likely be viewed as incidental payment function activity. How the ancillary concept will be interpreted will be critical in determining when in fact a payment service provider will be subject to the RPAA. This is an area that will benefit from interpretive guidance.
III. PAYMENT FUNCTIONS
The core of the RPAA focuses on those who provide “payment functions”. A payment function is defined in the RPAA as follows:
the provision or maintenance of an account that, in relation to an electronic funds transfer, is held on behalf of one or more end users;
the holding of funds on behalf of end users until withdrawn or transferred;
the initiation of an electronic funds transfer at the request of an end user;
the authorization of an electronic funds transfer or the transmission, reception or facilitation of an instruction related to an electronic funds transfer; or
the provision of clearing and settlement services.
The definition is quite broad and encompasses most types of electronic funds transfers. Electronic funds transfers are defined to include placement, transfers or withdrawals of funds by electronic means that are initiated by or on behalf of an individual or entity. This definition will include not only basic wire transfers but also e-wallets, stored value products, acquiring activities and payment facilitation activities.
There are some important exclusions from the application of the RPAA.
Specifically, the RPAA does not apply to electronic funds transfers made with an instrument issued by a merchant or an issuer that is not a payment service provider and has an agreement with a group of merchants, that allows holders of the instrument to purchase goods and services from the issuing merchant or any merchant in the group. This will exclude closed loop stored value and prepaid cards from the scope of the RPAA provided they are issued by a merchant or a party that is excluded from the scope of the RPAA (discussed below). There are also exclusions for cash withdrawals at ATM machines as well as for eligible financial contracts as defined in the CDIC Act. The RPAA contemplates that additional exclusions may be set out in the regulations.
There are also exclusions for retail payment activity between affiliated entities and for payments performed using a system that is designated under section 4 of the Payment Clearing and Settlement Act, thereby excluding the newly designated Interac e-transfer system.
In addition, certain regulated entities are excluded from the scope of the RPAA. These include federally and provincially regulated financial institutions (banks, authorized foreign banks, insurance companies, trust and loan companies, credit unions), the Canadian Payments Association and the government of a province if it accepts deposits. The RPAA contemplates that there may be additional exclusions in the regulations.
Where an entity is acting as an agent of a payment service provider, they will also be excluded from the scope of the RPAA in respect of activity undertaken in that capacity.
V. REQUIREMENTS OF THE RPAA
In respect of the requirements set out below, it should be noted that the RPAA provides that if there is a provision in a provincial or federal Act or regulation that is substantially similar to these provisions of the RPAA that apply to a PSP (or a category of PSPs), an order can be made under the RPAA that would exempt such PSPs from some or all of these requirements.
1. Operational Risk Management and Incident Response
A payment service provider is required to establish, implement and maintain a risk management and incident response framework in order to identify and mitigate operational risks and to respond to incidents.
“Operational Risk” is defined to include a risk that may result in a reduction, deterioration or breakdown of retail payment activities as a result of:
(i) a deficiency in the PSP’s information system or internal processes;
(ii) a human error;
(iii) a management failure; or
(iv) a disruption caused by an external event.
An “incident” is defined to include an event or series of related events that are unplanned and that result or could be expected to result in the reduction, deterioration or breakdown of any retail payment activity performed by the PSP.
The requirements of the risk management and incident response framework (Framework) will be set out in regulations. The Bank has the right to examine the Framework and provide for corrective measures.
In the event that a PSP becomes aware of an incident that may have a material impact on:
(i) an end user;
(ii) a PSP that performs retail payment activities (whether or not the RPAA applies to them); or
(iii) a clearing house of a clearing and settlement system designated under the Payment Clearing and Settlement Act
there is a requirement to notify such persons or entities as well as the Bank. The form of required notice will be set out in the regulations.
2. Safeguarding of Funds
Where a PSP’s retail payment activity involves the holding of end user funds, the PSP is required to hold the end user funds in a segregated trust account, or an account that is only used for that purpose and that is insured or guaranteed. There are exceptions if the PSP is a deposit taking institution and the end user funds are guaranteed or insured by a deposit insurance scheme. Set off rights are prohibited in respect of these accounts.
3. Provision of Information
PSPs are required to submit annual reports to the Bank setting out information in respect of, among other things, their operational risk management and Framework, information in respect of trust accounts and any other prescribed information relating to end user funds. Where a PSP wants to make a significant change in the manner in which it performs a retail payment activity or add a new retail payment activity, it is required to provide prior notice to the Bank where the change or new service could reasonably be expected to have a material impact on operational risk or the manner in which end user funds are safeguarded.
PSPs are required to be registered with the Bank before performing any retail payment activities (once the legislation is in force).
There will be a prescribed application form requiring basic information in respect of the PSP, as well as the following additional information:
the number of end users or estimated number of end users for whom the PSP intends to provide services;
a description of the PSP’s Framework;
information in respect of the manner in which the PSP safeguards end user funds;
information on the PSP’s third party service providers;
a declaration as to whether the PSP is registered with FINTRAC;
information on the services the PSP performs or plans to perform.
There is a duty to ensure that this information is updated if it changes.
All applications will be subject to a national security review and may be rejected on those grounds or for other reasons including if the application is incomplete or contains false or misleading information.
One of the most significant grounds upon which an application may be refused is if a PSP is not registered as a money services business (MSB) under the PCMLTFA. However, not all entities that fall within the definition of a PSP under the RPAA are in fact required to be registered as MSBs with FINTRAC. For example, payment processors that process credit card and debit card transactions for merchants are excluded from the requirement to register as MSBs. Similarly, persons and entities that provide payment services in respect of utility payments, payroll and commission services, mortgage and rent payment services and certain tuition payment services are also exempt from registration requirements. In that regard, there seems to be a disconnect between the requirements of the PCMLTFA in respect of MSBs and the registration requirements of the RPAA. Hopefully, this discrepancy will be addressed in the regulations. In our experience, FINTRAC will not allow certain types of businesses to be registered as MSBs where they believe that their activities are not intended to be caught by the PCMLTFA.
Related to the PCMLTFA, a PSP’s application (or registration) can also be refused or revoked where the PSP has been issued with a notice of violation under the PCMLTFA in respect of a violation that is classified as “serious” or “very serious”. While there are very few violations that fall within this category, one of the most common violations under the PCMLFTA (in our experience) is where a regulated entity fails to file a suspicious transaction report; this violation is classified as a “very serious” violation. As those that are familiar with the PCMLTFA are aware, there is very often disagreement between regulated entities and FINTRAC as to what constitutes a suspicious transaction that requires reporting. In addition, there are very often inadvertent gaps in the compliance policies or systems of a PCMLTFA regulated entity that may give rise to what FINTRAC would find to be a “very serious violation” of the PCMLTFA. There are also often subjective interpretations as to how the PCMLTFA is meant to apply in different circumstances and FINTRAC’s view on these matters changes from time to time. As such, it is not uncommon for a regulated entity to be found to have committed a “very serious” violation, while it otherwise remains in material compliance with the provisions of the PCMLTFA. Moreover, under the revised regulations to the PCMLTFA, not only does FINTRAC have the ability to determine if a PSP should have filed an STR for any given set of circumstances, but it will also subjectively assess if a PSP’s STR filings were made “as soon as practicable”, as required by the PCMLTFA, which by its very nature is an inherently subjective determination. Given the subjective nature of FINTRAC’s examinations, this provision is very concerning.
There are many enforcement powers provided under the RPAA. The Bank may request information from PSPs or require a special audit of a PSP (at the PSP’s expense) to verify compliance with the RPAA. It can enter into a compliance agreement with a PSP for the purposes of implementing compliance measures or issue a compliance order.
Moreover, the RPAA provides for administrative and monetary penalties for PSPs that commit violations of the RPAA. Similar to the PCMLTFA, the RPAA provides that the purpose of the penalties is to enforce compliance rather than to punish. Due diligence is a defence in a proceeding in relation to a violation. As is the case with the PCMLTFA, in the event that a PSP is deemed to have committed a violation, the Bank is obligated to make that information public.
It should be noted that a PSP will be liable under the RPAA in respect of the actions of its employees, agents and third party service providers acting within their scope of authority. This will require more extensive due diligence to be performed on service providers by PSPs.
VIII. TRANSITIONAL PROVISIONS
There are transitional provisions in the RPAA and provisions that require FINTRAC to provide notice to the Bank in respect of PSPs and their compliance with the PCMLTFA.
There remain a lot of open issues and questions that will hopefully be answered by the regulations and by regulatory guidance. A lot of work will need to be done by PSPs to ready themselves for the new regime.
For further information, please contact:
Jacqueline Shinfield 416-863-3290
Paul Belanger 416-863-4284
Bonny Murray 416-863-5272
Vladimir Shatiryan 416-863-4154
or any other member of our Financial Services Regulatory group.