Elizabeth Sale, Victoria Graham, Haley Adams
May 10, 2021
Payment service providers, outside of banks and other regulated financial institutions, are currently lightly regulated in Canada. Other than laws of more general application, only the federal Proceeds of Crime (Money Laundering) and Anti-Terrorism Act (PCMLTFA) and the Quebec Money-Services Businesses Act specifically regulate payment providers who fall under the definition of money services business, and the PCMLTFA’s objects are limited to the relatively narrow purposes of intelligence gathering activities for the detection and deterrence of money laundering and terrorist financing and related matters.
All of this is about to change. After many years of consultation and discussion, the federal government has finally introduced the Retail Payment Activities Act (the Act) in Bill C-30, the most recent federal budget bill. The introduction of the Act represents a milestone in Canadian payments and is expected to build confidence in the retail payment sector and bring a new level of maturity to this ever-evolving industry.
Below we discuss the key aspects of the Act.
Who will regulate payment service providers?
The oversight of retail payments is clearly positioned as a matter subject to federal jurisdiction, as the Act’s preamble states that the federal government considers that it is desirable and in the national interest to address risks related to national security that could be posed by payment service providers (PSPs), and that it is in the national interest to supervise and regulate retail payment activities in order to mitigate operational risks and to safeguard end-user funds. Given the borderless nature of payments, a strong statement of federal jurisdiction is welcome as piecemeal provincial regulation would likely be disproportionately burdensome.
The Bank of Canada will supervise PSPs and enforce compliance with the Act, promote the adoption of policies and procedures by PSPs that are designed to implement PSPs’ obligations under the Act, as well as monitor and evaluate trends and issues related to retail payment activities. In pursuing these objects, the Bank must consider the efficiency of payment services and the interests of end users.
When does the Act apply?
The Act applies to any retail payment activity that is performed by a PSP for an end user in Canada and that:
- has a place of business in Canada; or
- does not have a place of business in Canada but directs retail payment activities at individuals or entities that are in Canada.
This extra-territorial application mirrors the application of the PCMLTFA to both domestic and foreign money services businesses, and in particular, the Act’s use of the phrase “directs retail payment activities” closely tracks the language used in the PCMLTFA to define foreign money services businesses. In the PCMLTFA context, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has interpreted “directing” activities at individuals or entities in Canada to encompass marketing or advertisement to persons or entities in Canada, the use of a “.ca” domain name, or appearing in a Canadian business directory, among some other indicators.
A retail payment activity is defined as a payment function that is performed in relation to an electronic funds transfer that is made in the currency of Canada or another country or using a unit that meets prescribed criteria. Accordingly, the Act will apply to electronic funds transfers that are denominated in fiat, and, while we will need to wait for the regulations to confirm, the term “unit” is sufficiently broad to cover virtual currencies. This is of particular interest since the legislative framework for digital assets, including virtual currencies, is currently in a state of flux in Canada. At this time, the provincial securities regulators are asserting jurisdiction over crypto asset trading platforms that provide custodial services to their users (see our post on recent developments here) and have not distinguished between users who buy and hold virtual currencies for investment purposes versus users who buy and hold virtual currencies as a means to pay for goods and services. It will be interesting to see how this jurisdictional issue plays out, given the strong statement of federal oversight set out in the Act’s preamble.
An end user means an individual or entity that uses a payment service as a payer or payee. As such, the Act applies to both consumer and commercial transactions.
Who is a PSP?
A PSP is an individual or entity that performs payment functions as a service or business activity that is not incidental to another service or business activity. A payment function is broadly defined to mean:
- the provision or maintenance of an account (for example, a bank account or an e-wallet) that, in relation to an electronic funds transfer, is held on behalf of one or more end users;
- the holding of funds on behalf of an end user until the funds are withdrawn by the end user or transferred to another individual or entity;
- the initiation of an electronic funds transfer at the request of an end user;
- the authorization of an electronic funds transfer or the transmission, reception or facilitation of an instruction in relation to an electronic funds transfer; or
- the provision of clearing or settlement services.
The term electronic funds transfer is also broadly defined to mean a placement, transfer or withdrawal of funds by electronic means that is initiated by or on behalf of an individual or entity.
Who is not a PSP and what activities are excluded from the application of the Act?
The Act does set out various exclusions, including:
- Regulated entities: The Act does not apply to banks, authorized foreign banks, credit unions, caisses populaires and centrals, insurance companies, trust companies, loan companies, the Canadian Payments Association, the Bank of Canada, or the government of a province if it accepts deposits, among others.
- Prepaid payment products: There is an exclusion for electronic funds transfers made with an instrument issued by a merchant — or by an issuer that is not a PSP and has an agreement with a group of merchants — and that allows the holder of the instrument to purchase goods or services only from the issuing merchant or any merchant in the group. This exclusion will cover prepaid products and gift cards (closed loop).
- ATM transactions: Cash withdrawals from an ATM are excluded.
- Designated systems: The Act does not apply to electronic funds transfers made using a system designated under the Payment Clearing and Settlement Act.
- Transactions with affiliates: Electronic funds transfers between affiliates are excluded
- Eligible financial contracts/securities transactions: electronic funds transfers that are made for the purpose of giving effect to an eligible financial contract (as defined under the Canada Deposit Insurance Corporation Act) such as derivatives agreements and securities lending agreements, etc.
- Agents and mandataries: Agents and mandataries of a PSP are exempt when performing retail payment activities in the scope of their authority as agent or mandatary, subject to certain conditions.
Other exclusions may be set out in the regulations.
What are the key obligations of a PSP?
Registration: All PSPs must be registered with the Bank of Canada before performing any retail payment activities. The Bank will maintain and publish a list of registered PSPs, as well as a list of individuals and entities that the Bank has refused to register and the PSPs that have had their registrations revoked.
The Bank is required to provide completed applications to the Minister of Finance, and the Minister may decide to review an application if the Minister is of the opinion that it is necessary to do so for reasons related to national security. The Minister may require undertakings or impose conditions, again if the Minister is of the opinion that it is necessary to do so for reasons related to national security.
Operation risk management and incident response: A PSP must establish, implement and maintain a risk management and incident response framework that meets prescribed requirements. Operational risk is a key area of non-financial risk for prudential regulators such as the Office of the Superintendent of Financial Institutions and international counterparts and it is interesting to see this principles-based approach articulated in the Act.
Under the Act, an “operational risk” is any risk that a PSP’s information system or internal process deficiency, human error, management failure, or a disruption caused by an external event, will result in the reduction, deterioration or breakdown of the PSP’s retail payment activities. An “incident” is considered to be any unplanned event or a series of related events that could be reasonably expected to result in the reduction, deterioration or breakdown of the PSP’s retail payment activities.
PSPs that become aware of an incident with a material impact on an end user; another PSP that performs retail payment activities, whether or not the Act applies to that PSP; or a clearing house of a clearing and settlement system must notify such persons or entities and must notify the Bank without delay. It is not clear, although we would expect, that such notification requirements are limited to incidents that have a material adverse impact.
Further details will be set out in the regulations.
Notification requirements: If a PSP becomes aware of an incident that has a material impact on an end user, another PSP, or a clearing house, the PSP must notify that individual or entity and the Bank of Canada.
A PSP must also notify the Bank before making a significant change in the way it performs a retail payment activity or before it performs a new retail payment activity.
Safeguarding of funds: If the PSP holds end-user funds until they are withdrawn by the end user or transferred to another individual or entity, the PSP must either:
- hold the end-user funds in trust in a trust account that is not used for any other purpose;
- hold the end-user funds in an account or in a manner as set out in the regulations, and take such measures as set out in the regulations; or
- hold the end-user funds in an account that is not used for any other purpose and hold insurance or a guarantee in respect of the funds that is in an amount equal to or greater than the amount held in the account.
This requirement does not apply to a PSP if the PSP accepts deposits and the deposits are insured or guaranteed under a provincial Act.
The term “funds” is not defined in the Act. To the extent that virtual currency transactions will be subject to the Act, we would expect that the safeguarding requirements would extend to such virtual currencies.
Annual reporting: PSPs must submit an annual report to the Bank; details will be set out in the regulations.
The regulations will set out additional details regarding the above, as well as regarding other obligations, including record keeping requirements.
What are the penalties for non-compliance?
Contraventions under the Act may give rise to administrative monetary penalties (AMPs) for designated violations. The Bank of Canada may halve the AMP if a compliance agreement is entered into with the Bank. The Act provides for a due diligence defence.
While the stated goal of the AMPs is to promote compliance and not to punish, we note that the regulations may provide for a penalty or range of penalties in respect of a violation up to a maximum of $10,000,000.
Importantly, an individual or entity is liable for a violation that is committed by any of its third-party service providers, as well as its employees and agents. PSPs will therefore need to be diligent in respect of any contractual relationships they may have with such third-parties and appropriately consider the risks of such relationships.
When will the legislation be in force?
At this time, no in-force date is set and we anticipate that it will be some time before the legislation is in force and operational. At first instance, regulations will need to be drafted and passed, and there will be a transition period to allow PSPs to register and uplift their business practices. The transition period begins on the day that section 29 (respecting applications for registration), comes into force and ends on the day that section 25(1) (duty to register), comes into force.
Domestic and foreign PSPs should take note now of these changes and closely follow the progress of this legislation, as well as the expected regulations and any guidance issued by either the Bank of Canada of the Minister of Finance, to ensure that they are well positioned to implement this new regime.