New Canadian Payments Association Preauthorized Debit Rule Now in Force
By: Jordan Toye
On February 21, 2008 the Canadian Payments Association (CPA) approved major amendments to Rule H1 (the Rule), which applies to preauthorized debit (PAD) agreements (i.e. the Canadian version of an ACH Authorization). The Rule came into force on February 28, 2010. Franchisors that rely on PAD agreements to collect accounts receivable, such as royalty and advertising fees, should ensure that their PAD agreements comply with the new rules; otherwise the franchisors may find that they are unable to collect the amounts owed.
Fortunately, PAD agreements that were already in operation prior to February 21, 2010 were “grandfathered” and do not need to be updated to comply with the revised Rule. However, grandfathering of pre-existing PAD agreements only applies to the extent that the existing provisions of a PAD agreement do not conflict with the revised Rule.
All PAD agreements that are entered into after February 28, 2010 must comply with the Rule. The revised Rule introduces many items that must now be disclosed (and previously did not have to be disclosed), requires pre-debit authorization or notification in some instances and requires that each Sponsoring Member (i.e. the payee’s financial institution) have the payee (i.e. franchisor) sign a Payee Letter of Undertaking in respect of all PADs which will be issued.
The Rule applies to all Business PADs, Cash Management PADs (i.e., PADs between affiliated businesses), Funds Transfer PADs (i.e., where the payor and payee are the same) and Personal PADs. For the purpose of this article we have focused only on how the Rule impacts Business PADs, i.e., PADs for the payment of goods or services related to a business, which include payments between franchisees and franchisors.
The Rule requires that Business PAD agreements include the following prescribed disclosure items:
- The date and signature of the payor;
- Clear and unambiguous authority to debit the account;
- The PAD category (i.e. business, cash management, funds transfer or personal);
- The amount (i.e. fixed or variable), the timing (weekly, monthly, etc.) and how the PAD is triggered (i.e. by an act, event or other criteria or whether the PAD is sporadic);
- A prescribed statement regarding the payor’s right to cancel the agreement;
- The payee’s contact information; and
- A prescribed statement regarding recourse/reimbursement for unauthorized PADs or those made in error.
In addition, where the PAD at issue is a Sporadic PAD (i.e., not at set intervals), the PAD agreement must specify that the payee is required to obtain authorization prior to every PAD (discussed below in the notification section). Where a payee intends to use a third party to administer a PAD agreement, this must be disclosed to the payor.
There is also supplementary disclosure that the payee may elect to include in the PAD agreement.
Authorization, Notification and Waiver of Notification
For Sporadic PADs, the payee must obtain an authorization from the payor for each and every PAD. This preauthorization requirement cannot be waived. The preauthorization requirement does not apply to PADs which occur at Set Intervals.
For Set Interval PADs, such as monthly royalty fees or advertising contributions, the payee is required to notify the payor of the amount to be debited and the date of such debiting at least 10 days prior to the PAD, for both fixed and variable amount PADs. In addition, for fixed amount PADs, the payee is also required to give at least 10 days' notice before any change in the amount of a PAD or any change in the payment date.
Despite the above, notification requirements can be waived if the PAD agreement includes a waiver of the requirements in a prescribed form or if an appropriate standalone waiver is executed.
Payee Letter of Undertaking
The Rule requires that the payee’s financial institution have the payee enter into a Payee Letter of Undertaking, which outlines the payee’s obligations as an issuer of PADs. As such, issuers of PADs should expect that their financial institutions will be requesting that a Payee Letter of Undertaking be executed prior to exchanging any further PADs for the payee’s account.
The grandfathering of existing PADs means that payees, including franchisors, will not be required to have a new PAD agreement executed by each payor (franchisee) in order to comply with the new Rule. However, all PAD agreements that are entered into after February 28, 2010 must comply with the Rule or else the franchisor may be unable to debit the franchisee’s account. The result is that PAD agreements entered into after February 28, 2010 will be longer and include fuller disclosure than was often the case under the old rule. We recommend that franchisors check their existing PAD agreements or the relevant provisions in their franchise agreements and update them to comply with the new requirements. Franchisors should also prepare current forms for new franchisees.
Workplace Violence and Harassment: Bill 168 to Impact Franchise Systems
By: Daniel Wong, Meredith K. Ashton
Employers have always had an obligation under the Occupational Health and Safety Act (the OHSA) to take all reasonable precautions to protect workers, a duty which is arguably already broad enough to encompass an obligation to protect workers from violence in the workplace. The recent amendments to the OHSA, which come into force June 15, 2010, confirm the extent of this duty, and also outline a number of specific steps employers must take in relation to violence and harassment at work.
The amendments will require all employers, including franchisee and franchisor employers, to: (i) assess and report risks of violence in their workplaces; (ii) develop and implement policies and programs with respect to workplace harassment and violence; (iii) inform their workers about individuals with a history of violent behavior (to the extent necessary to prevent physical injury); and (iv) take all reasonable precautions to protect their workers from violence in the workplace.
i) Assess and Report Risks of Violence in the Workplace
One of the new duties of employers will be to undertake a risk assessment of their workplace. In undertaking this assessment, it will be useful for an employer to consider the general factors that increase the likelihood of violence, such as interaction with the public, working with money, valuables or prescription drugs, or working alone or in isolated areas.
The assessment need not be in writing unless required by a Ministry of Labour inspector, although it is good practice to have a written record of the assessment process. The results must be communicated to the health and safety committee. The risks must be reassessed as often as necessary to ensure that the employer’s policy and programs remain effective in protecting workers from workplace violence.
Once the risks have been identified, the amended OHSA will require employers to develop measures and procedures to control these risks as part of the workplace violence program. There are a number of changes employers can make within their workplace to reduce or eliminate the risks. Some examples include: increasing building security through the introduction of coded cards to control building access; developing safe work procedures for situations such as working alone or dealing with angry customers; and making physical changes to the workplace, e.g., increased lighting.
ii) Develop a Policy and Program on Workplace Violence and Harassment
Under the amended OHSA, employers are required to develop written policies on workplace violence and harassment and programs to implement them, regardless of the size of the workplace or the number of workers. The policies must be posted in a conspicuous place in the workplace and reviewed as often as necessary, and at least annually. Employers must also provide appropriate information and instruction concerning the workplace violence and workplace harassment programs.
The Ontario Ministry of Labour has published guidelines to provide further details about what should be included in the workplace violence and harassment policies, as well as sample policies.
Workplace Harassment Program
The purpose of the workplace harassment program is to implement the workplace harassment policy. The OHSA amendments mandate that the workplace harassment program provide measures and procedures for workers to report incidents of workplace harassment to their employer or supervisor, and outline how the employer will investigate complaints of workplace harassment.
Workplace Violence Program
Similar to the workplace harassment program, the workplace violence program is intended to implement the workplace violence policy, and must include:
- measures and procedures to control the risks identified in the workplace assessment which may expose a worker to physical injury, to summon immediate assistance when workplace violence occurs or is likely to occur, and for workers to report incidents of workplace violence to the employer or supervisor; and
- a process for how the employer will investigate and deal with incidents or complaints of workplace violence.
The reporting and investigation process for complaints of violence or harassment is very important. The employer should take care to reduce the barriers to reporting incidents or concerns related to violence or harassment by making the process known and easily accessible, reassuring employees that there will be no reprisals for complaints, and ensuring that the process is confidential to the greatest extent possible. Employers should also ensure that the process provides for a timely response, and is perceived to be fair and impartial.
iii) Disclosure Obligations
The amended OHSA will require employers and supervisors to provide information regarding a person with a history of violent behaviour. This will require employers to balance the rights of the potential victim of violence and the privacy rights of the person with a history of violent behaviour. If the worker can be expected to come into contact with that person, and the worker is likely to be exposed to physical injury, the employer will have an obligation to convey as much information as, and no more than, is “reasonably necessary to protect the worker from physical injury.” This provision will draw employers into making difficult judgment calls, with minimal guidance to date from the government.
iv) Other Precautions to Protect Workers
Refusal to Work
The amended OHSA will give employees the right to refuse work if the employee “has reason to believe that…workplace violence is likely to endanger himself or herself,” subject to the process outlined in the OHSA, as amended. There is an exception to this rule for certain workers, such as police officers and hospital employees, when the risk is inherent in or a normal condition of that work.
The amendments will also require employers to take steps to ensure the safety of a worker when the employer knows or “ought reasonably” to be aware of domestic violence that may occur in the workplace.
Franchisor and franchisee employers should promptly review and make any necessary amendments to their workplace policies, programs, procedures and training methods in light of the impending amendments to the OHSA regarding workplace violence and harassment. Failure to comply with the new amendments will constitute an offence under the OHSA. Upon conviction, an individual may be fined up to $250,000 and/or imprisoned for up to twelve months, and a corporation will be liable for up to $500,000.
Please contact any member of Osler’s Franchise and Distribution Group if you would like to discuss how these changes may affect your workplace policies and procedures and/or how to ensure that you meet the new obligations under the OHSA.
Payment Card Industry Data Security Standard - The Importance of Compliance for Franchisors and Franchisees
By: Simon Hodgett
Any business participating in the payment card system needs to understand the Payment Card Industry Data Security Standard (PCI Standard) and manage risks accordingly. The PCI Standard is intended to apply to all organizations that store, process or transmit cardholder data in the course of carrying out credit card transactions. It is maintained by the PCI Security Standards Council, which is a membership-based organization led by the credit card brands (www.pcisecuritystandards.org). Given the breadth of its application, the PCI Standard has become one of the more influential security standards for the regulation of data protection. It is vital that franchisors and franchisees keep up to date with modifications and ensure that personnel at the appropriate levels are directed to remain compliant with the most current version of the PCI Standard.
Application of PCI Standard
There is a common misconception that because the PCI Standard is referred to as a “standard,” it is a legislated regulatory requirement or otherwise stands apart from contract. Although in a few jurisdictions similar requirements have been adopted in statute, in Canada this is not the case. The PCI Standard is implemented through the agreements that govern credit card systems: merchant agreements between merchants and the financial institutions or transaction processors that receive transactions (known in the payment system as “acquirers”), and the agreements that acquirers have with the credit card companies (e.g. Visa Inc. and Mastercard International Incorporated).
Merchant agreements typically contain strong protections for the acquirers and card companies and substantial obligations and liability for the merchant. Merchant agreements entered into recently specifically set out an obligation to keep current with the PCI Standard, and generally indicate that the merchant will be liable for any fines, penalties or liabilities arising from a failure to comply. Acquirers and card companies are usually granted rights to audit the merchant and its systems to ensure that the PCI Standard is being followed. Merchant agreements generally do not contain any limitation of liability.
Under the PCI Standard, organizations that store, process or transmit cardholder data must meet the following twelve broad requirements:
- install and maintain a firewall configuration to protect cardholder data;
- avoid using vendor-supplied defaults for system passwords and other security settings;
- adopt measures to protect cardholder data;
- use encryption of cardholder data across open networks;
- use and update anti-virus software or services;
- develop and maintain secure systems and applications;
- restrict access to cardholder data by business need-to-know;
- assign a unique ID to each person with computer access;
- restrict physical access to cardholder data;
- track and monitor access;
- regularly test security systems and processes; and
- maintain information security policies for employees and subcontractors.
More detailed descriptions of required measures are included under each topic.
As already mentioned, those merchants who fail to comply with the PCI Standard face fines. In addition, in the past few years both the potential liability and the appetite to make claims for compensation for liability arising out of data breaches have widened considerably. Massive thefts of cardholder data from The TJX Companies, Inc. (disclosed January, 2007), Heartland Payment Systems, Inc. (disclosed November, 2008) and many others have resulted in a number of significant lawsuits and complaints to privacy authorities in the United States and Canada. Card issuers have sought damages for the costs associated with reissuing cards to consumers whose card data has been compromised. In addition, a number of class actions have been filed to directly address damages incurred by individuals whose identities have been stolen as a result of the breach.
The broad application of the PCI Standard suggests that it may also become the basis of a standard of care for system security, particularly for systems that deal with consumer and financial data. Following the PCI Standard will not be a certain defence to negligence claims, but compliance establishes a strong presumption of diligent conduct. Conversely, a failure to comply offers a clear and compelling argument that the business has not maintained its data in accordance with a well recognized standard of care, opening the company to not only claims in contract but also in tort for negligence.
It is important to bear in mind that in Canada data breaches involving consumer data will likely result in complaints and investigations by the Privacy Commissioner of Canada under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation. Once again, while not entirely determinative, compliance with the PCI Standard can be an important factor in how well the business bears the scrutiny and weathers the public relations storm associated with a major breach of privacy. This factor is particularly important for franchisors concerned with defence of the reputation of valuable brands.
What to do
The following measures, allocated appropriately among franchisor and its franchisees, should be in place to promote compliance with the PCI Standard:
- Ensure that any contracts mandating compliance with the PCI Standard (usually merchant agreements) are identified and the liability terms clearly understood.
- Designate personnel with responsibility for reviewing, complying with and monitoring changes in the PCI Standard.
- Establish appropriate internal reporting with respect to compliance with the PCI Standard. This reporting should be to the executive level in the company.
- Undertake self-assessments of practices and systems to ensure compliance, and, when necessary, engage outside resources trained in PCI Standard compliance to review systems. Where there are material noncompliance issues, put in place a plan to promptly address the issues.
- Larger organizations in particular should prepare for audits from card brands with respect to PCI compliance by ensuring information demonstrating compliance with each requirement is documented and readily available.
- Review contracts with service providers to ensure not only that there is an obligation to comply with static security requirements or a general standard of “good industry practices,” but also an obligation to comply with the applicable portions of the PCI Standard and its evolution over time.