On February 10, 2023, the long-awaited draft regulations (Regulations) to the Retail Payment Activities Act (RPAA) were released, detailing the requirements of the RPAA at a more granular level (for an overview of the RPAA requirements, please see our May 2021 Blakes Bulletin: Regulation of Retail Payments in Canada - The Retail Payments Activities Act Has Arrived). The Regulations are quite prescriptive in respect of what is expected from registered payment service providers (PSPs), especially relating to operational risk management and the safeguarding of funds. As such, while the cost to register with the Bank of Canada as a PSP is minimal (initially C$2,500), the costs to implement an RPAA-compliant compliance program will be significant.
There is a 45-day comment period for the draft Regulations, closing on March 28, 2023. All comments submitted by interested parties will be posted online after the comment period closes, but there is a section where information can be included that will be treated as confidential. Unique to the RPAA, comments are to be provided in the draft Regulations themselves after each section and there is a character limit for each submission. Given the importance of this legislation to PSPs, PSPs should review the Regulations carefully as they have the potential to cause a significant impact on their business.
At this time, the date that the RPAA will come into force is unspecified. The regulatory impact analysis statement indicates that the Department of Finance will review the comments received on the Regulations before deciding on implementation.
These Regulations create a comprehensive and prescriptive compliance regime for PSPs that will likely require the significant expenditure of both financial and human resources. PSPs are well advised to review these provisions carefully and consider making submissions on the effect they will have on their business and prepare for the RPAA’s arrival.
RISK MANAGEMENT AND INCIDENT RESPONSE
Some of the most prescriptive and onerous provisions of the Regulations deal with the risk management and incident response framework (Framework) that a registered PSP must implement.
In that regard, the Regulations provide comprehensive requirements that PSPs must follow in implementing their Framework and dictate what must be addressed in the Framework. The requirements do not take a risk-based approach and instead are quite prescriptive. These requirements should be reviewed by PSPs to understand their scope and nature.
Here is a sampling of some of the requirements for a PSP’s Framework:
The Framework must contain expressly stated objectives. The two objectives that are mandated by the Regulations are:
That a PSP can perform its payment activities without “reduction, deterioration or breakdown” and ensure the availability of its systems, data, and information to perform those activities; and
That the integrity and confidentiality of a PSP’s payment activities, data and information be preserved.
The Framework must set out “clearly defined and measurable reliability targets” (i.e., service levels) and indicators to assess if the above-noted objectives of the Framework are met.
The Framework must also identify the human and financial resources required to implement and maintain the Framework. For human resources, the required skill level and training of personnel must be outlined.
The Framework must also identify all of a PSP’s assets (including systems, data and information) and business processes associated with the PSP’s performance of payment activities. These assets must then be classified according to their sensitivity and criticality to the performance of payment activities.
A PSP must identify and describe all the potential causes of its operational risks. The Regulations set out an itemized list of the required risks to be considered in that exercise, including business continuity, cybersecurity, fraud, data management, information technology, human resources, process and product design and implementation, and change management. Having identified these operational risks, the Framework must then describe the systems, policies and procedures that a PSP has in place to mitigate these risks and protect its assets.
A PSP is expected to engage in continuous monitoring of its payment activities, systems and mitigation controls to detect incidents or other anomalous events that could indicate operational risk or lapses in the Framework. All these measures must be described in the Framework.
Where a PSP uses third-party service providers or agents, the Framework must also provide policies and procedures for oversight of these parties.
A PSP’s Framework must also have a comprehensive plan for responding to and recovering from incidents. An incident is defined as “an event or series of related events that is unplanned and that results in or could reasonably be expected to result in the reduction, deterioration or breakdown of any payment activity performed by a PSP”. The Regulations provide prescriptive requirements in respect of what is to be included in a PSP’s incident response plan. Other requirements that must be included in the Framework in respect of incident response include a requirement to investigate, implement mitigation measures to prevent further damage, and act as soon as feasible to address the root cause of the incident. Detailed records must be retained in respect of each incident. PSPs can only resume operations after an incident once they have verified the integrity and confidentiality of all systems, data and information.
A Risk-Based Framework?
The Framework requirements are clearly very detailed. However, the Regulations provide that a PSP’s Framework must be proportionate to the impact that a reduction or breakdown of its payment activities could have on end-users and other PSPs, taking into account the PSP’s “ubiquity and connectedness” as well as its relative size. As such, the larger the PSP, the more robust the Framework is expected to be. However, all of the regulatory Framework requirements are mandatory, which means that, regardless of size, ubiquity or interconnectedness, all PSPs must implement a comprehensive Framework in accordance with the requirements of the Regulations.
Where a PSP uses a third-party service provider, it must include all such providers in their Framework and assess their ability to deal with specific operational risks. This assessment must be undertaken at least once a year and before entering into, renewing, extending or substantially amending a contract with the third party. Records of the assessment must be retained. There are similar requirements in respect of the use of agents by a PSP.
The Framework of a PSP must be approved by a senior officer and by the PSP’s board of directors annually and when a material change is made. All employees and other persons who have a role in the Framework must be provided with training required to carry out their roles.
Framework Reviews and Testing
The Framework must also be reviewed at least once a year to evaluate the Framework itself and its compliance with the regulatory requirements. A Framework review is also required where an “incident” that may have a material impact on the PSP occurs, or before any significant changes are made to the PSP’s operations or controls. A record must be kept of the outcome of the review documenting the scope, methodology and findings. Findings of the review must be reported to a senior officer.
In addition to the review, the effectiveness of the Framework must also be tested at least once every three years to identify any gaps and vulnerabilities taking specific factors into account. A testing requirement is also triggered prior to implementing any significant changes to a PSP’s systems, policies, or procedures. Records of the effectiveness testing must be maintained (including information on the methodology and the measures taken to address results) and a copy must be provided to a senior officer.
In addition to the effectiveness review and testing requirements, the Framework must be independently reviewed (either internally or using an external auditor) at least every three years. The review must be documented and describe the scope, methodology used and findings. Gaps and vulnerabilities must be addressed and reported to a senior officer.
The Framework is thus not only prescriptive and onerous; it will require PSPs to devote significant attention and resources to managing compliance with the RPAA. These requirements will be especially burdensome to start-up companies with limited resources and previously light compliance burdens. Although the Regulations speak of proportionality, there are no exemptions or relief from these requirements for smaller organizations.
A key feature of the RPAA is a new, rigorous framework for safeguarding end-user funds. The fund safeguarding regime applies in respect of PSPs that will hold end-user funds until the funds are transferred to another person, or the end-user withdraws them. As such, where a PSP holds end-user funds, it is required to implement both a compliance program and framework to deal with them.
The RPAA requires PSPs to hold end-user funds in trust in a segregated trust account or in a segregated account backed by insurance or guarantee. The proposed Regulations set out detailed requirements in respect of each of these options for safeguarding end-user funds:
Account Requirements: PSPs are required to maintain end-user funds in an account held with an eligible financial institution. In Canada, the eligible institutions are banks, credit unions and trust or loan companies. The Regulations contemplate that end-user funds may also be held with a foreign financial institution if it is subject to a regulatory framework comparable to the regulations applicable to eligible financial institutions in Canada in respect of capital, liquidity, governance, supervision, and risk management. As such, PSPs will be permitted to hold end-user funds both in Canadian and foreign regulated financial institutions, which will be particularly important for foreign PSPs that will be registered with the Bank of Canada and may hold end-user funds across multiple jurisdictions.
Insurance or Guarantee Requirements: PSPs that wish to satisfy end-user fund safeguarding requirements by holding insurance or a guarantee must ensure that the insurance or guarantee is provided by an eligible Canadian or foreign financial institution. The eligible financial institutions are the same prudentially regulated institutions noted above and include insurance companies. The financial institution that provides insurance or a guarantee in respect of end-user funds cannot be an affiliate of the PSP, but there is no restriction prohibiting the same eligible financial institution from both holding the segregated account for end-user funds and providing the required insurance or guarantee. In this respect, we note that federal financial institutions statutes define a guarantee to include a letter of credit. Although the RPAA does not specifically address this, the insurance or guarantee requirement will not be satisfied if the end-user funds are simply held in a third-party bank account that is covered by deposit insurance because deposit insurance, such as that provided by the Canada Deposit Insurance Corporation (CDIC), protects against the failure of the bank holding the PSP’s account and not against the failure of the PSP itself.
Bankruptcy Remoteness: If a PSP relies on insurance or a guarantee to meet the fund safeguarding requirements, the PSP must ensure that the insurance or guarantee proceeds will not form part of the PSP’s estate in a bankruptcy and that the proceeds are payable for the benefit of end-users as soon as feasible after an insolvency event, among other requirements. These bankruptcy remoteness requirements are specific only to the insurance or guarantee safeguarding option. Where end-user funds are held in trust in a segregated account with an eligible financial institution, we expect the trust funds will be excluded from the PSP’s estate under general insolvency law principles, including section 67(1)(a) of the Bankruptcy and Insolvency Act.
Policies and Controls: In addition to establishing the Framework, PSPs are required to establish, implement and maintain a safeguarding-of-funds framework to ensure that end-users have reliable access without delay to their funds and that these funds, or insurance or guarantee proceeds, are paid to end-users as soon as feasible following an insolvency event. Among other requirements, a PSP’s safeguarding-of-funds framework must detail the use of liquidity arrangements and the holding of end-user funds in the form of secure and liquid assets, the use of a ledger system to keep a record of end-users and their funds, as well as a framework on how an insolvency administrator for the PSP will have access to those records and administer the allocation of safeguarded funds or guarantee or insurance proceeds to end-users in an insolvency scenario. For comparison, in the context of deposit insurance administered by the CDIC for federal deposit-taking institutions, these arrangements are subject to extensive regulation, which in the context of RPAA, appear to apply in a more principles- or results-based approach. This could raise complex legal and operational considerations for PSPs, although the regulatory impact analysis statement accompanying the proposed Regulations notes that the Bank of Canada is expected to provide further clarity on the safeguarding of funds requirements. It remains to be seen how prescriptive the Bank of Canada’s guidelines will be in this respect.
Reviews and Effectiveness Testing: The safeguarding-of-funds framework must be overseen by a dedicated senior officer and, similar to the Framework, it must be reviewed at least annually. An annual review must also assess the effectiveness of the end-user fund safeguarding measures that were implemented in the preceding year and report the results of the investigation and any remediation steps taken, if deficiencies are identified, to the Bank of Canada. In addition, similar to the requirements in respect of the Framework, a PSP holding end-user funds must ensure that its safeguarding-of-funds framework is subject to an independent review every two years.
PROVISION OF INFORMATION
In addition to the establishment of the Framework, the safeguarding-of-funds program, effectiveness reviews, testing requirements and external review, PSPs are also required to submit annual reports to the Bank of Canada, containing detailed information and reporting (Report). Perhaps most surprising is the amount of prescribed additional information that a PSP will be required to include in its Report. These additional obligations were the source of much uncertainty for PSPs awaiting the release of the draft Regulations. The required information spans broad categories of PSP data, with more required of PSPs that have a place of business in Canada.
The reporting program effectively takes each compliance element outlined in the “Framework” section above and requires the PSP to provide the Bank of Canada with a description on how it is implementing each requirement. This includes information on training, testing, and information on all reviews conducted. The Report must also describe how the Framework was appropriately approved and made available to the PSP’s employees and others who have a role in the Framework. The Report further requires a similar analysis and summary in respect of all required elements of the funds safeguarding program.
In addition to reporting on a PSP’s compliance obligations, the Report also requires detailed information in respect of the PSP’s business over the previous year. The information requested in this regard is quite detailed. By way of example, the following is required information in the Report in respect of each reporting year:
The maximum value of end-user funds of all currencies held by the PSP at any time for all end-users and for end-users in Canada
The daily average value of the end-user funds of all currencies held each month
The volume and value of electronic funds transfers performed for end-users in Canada
The total number of end-users for which the PSP performed a payment activity
Financial metrics for the reporting year, including revenues, gross profits or losses, operating profits or losses, assets, liabilities and equity
There are also detailed reporting requirements for payment activity and revenues for each month in the reporting year.
In addition to financial disclosures and compliance reporting, the Report also requires a PSP to provide a description of any changes during the reporting year to the PSP’s payment activities, as well as information on any activities that the PSP began or ceased to provide. This prescriptive, detailed annual reporting process will likely require most PSPs to make changes to their information gathering, record-keeping and other compliance and reporting processes. It will also require PSPs to dedicate extensive resources to compliance with the regime under the RPAA.
Importantly, PSPs that do not have a place of business in Canada are still required to establish their ubiquity and interconnectedness in Canada, although they are permitted to provide a more limited subset of the information set out above.
Record Keeping and Retention
The Regulations also outline a PSP’s obligations with respect to record keeping and retention. In that regard, a PSP is required to keep, in a form that is intelligible to the Bank of Canada, sufficient records to demonstrate its compliance with the RPAA and Regulations and must take reasonable measures to secure them.
Administrative Monetary Penalties
Finally, the Regulations also set out details relating to violations of the RPAA, the classification of those violations and the range of penalties in respect of a violation. Similar to the administrative monetary penalty regulations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), classifications of violations are either considered “serious” or “very serious.” Among the very serious violations are those relating to a PSP’s obligations to implement and maintain the Framework, including a failure to carry out the required review, effectiveness testing and independent testing required within the periods prescribed, and a failure to appropriately safeguard end-user funds.
Penalties for a serious violation can range up to C$1-million per violation, while penalties for a very serious violation can range up to C$10-million per violation. These penalties are much more severe than those set out in the PCMLTFA (where the highest penalty is up to C$500,000 per violation) and are more aligned with the expanded monetary penalties regime administered by the Financial Consumer Agency of Canada in respect of federal financial institutions.
In respect of the PCMLTFA, we note the majority of PSPs are also money services businesses under the PCMLTFA. As such, PSPs will be subject to the requirements of the anti-money laundering regime under the PCMLTFA as well as the requirements of the RPAA and its Regulations. The combined effect of the compliance obligations under these two statutes is daunting and the resources required to comply will be significant. Going forward, PSPs will be required to dedicate significant resources to their regulatory compliance obligations.
For more information, please contact:
Jacqueline Shinfield 416-863-3290
Vladimir Shatiryan 416-863-4154
Tracy Molino 613-788-2202
or any other member of our Financial Services group.