Victoria Graham, Elizabeth Sale, Michelle Lally, Matthew T. Burgoyne, Adam Kardash, Simon Hodgett, Haley Adams
Mar 2, 2023
On February 11, 2023, the Department of Finance published draft regulations (the draft Regulations) under the Retail Payment Activities Act (the RPAA). The draft Regulations propose significant and, in some cases, fairly prescriptive requirements that are intended to apply to all payment service providers (PSPs), regardless of the overall size and complexity of the PSP.
The Bank of Canada estimates 2,500 PSPs in Canada will become subject to this new regime, of which approximately 96.4% will be considered a small business with approximate revenues of less than $5 million. It remains to be seen whether the principles of proportionality and necessity, as articulated in the Regulatory Impact Analysis Statement accompanying the draft Regulations (the Impact Statement) will be met, and whether these small businesses will be able to successfully transition to this new regime.
The stakeholder consultation period for the draft Regulations is 45 days, which will run through to March 28, 2023. Stakeholders are strongly encouraged to review and respond to the consultation, as this regime will have a major impact on the payment systems ecosystem in Canada.
Below we set out some of the key aspects of the draft Regulations. For an overview of the RPAA, please see our prior Osler Update, available here.
1. Policy focus – national security
The Impact Statement states that addressing “the potential national security risks posed by presently unregulated PSPs” is among the policy objectives of the RPAA. The draft Regulations set out the timelines and information requirements to support the national security review (NSR) framework established under the RPAA.
National security has become an area of increased focus by the Canadian government. The publication of the draft Regulations follows a series of recent developments to modernize the NSR regime under Canada’s principal foreign investment legislation, the Investment Canada Act (ICA). In August 2022, the government implemented a voluntary notification regime for non-controlling foreign investments under the ICA and extended the timeframe within which Cabinet may commence a national security review where no voluntary notification is made. In October 2022, the government announced a policy discouraging investment in Canada’s critical minerals sector by foreign state-owned or state-influenced enterprises, and ordered divestitures of three minority investments in the sector. On December 7, 2022, Bill C-34, The National Security Review of Investments Modernization Act (Bill C-34) was introduced and it, among other things, proposes to establish a mandatory pre-closing filing regime under the ICA applicable to a non-Canadian proposing to acquire (directly or indirectly) any interest (in whole or in part) in any entity that has operations, employees or assets in Canada, in certain sensitive sectors (to be prescribed) where the non-Canadian investor could access, or direct the use of, material non-public technical information or material assets, and would acquire the power to appoint or nominate persons (such as directors or senior officers) of the entity, or have certain prescribed special rights.
In addition to the general heightened sensitivity around access to data about Canadians and Canadian businesses, the rationale for a national security screen for the PSP sector may also relate to a PSP’s potential access to critical payment infrastructure. The Department of Finance and the Bank of Canada have signaled that certain PSPs registered under the RPAA may be granted access to the Real-Time Rail, Canada’s new payment system.
This may also help to explain why the NSR under the RPAA will cover all PSPs, regardless of whether or not they are Canadian-controlled.
Given the introduction of Bill C-34, it is curious as to why the government is considering subjecting an acquisition of control of a PSP by a non-Canadian investor to two concurrent and separate (and as is discussed further below, slightly different) NSR and ministerial approval processes: one by the Minister of Innovation, Science and Industry under the ICA, and one by the Minister of Finance under the RPAA.
2. Proposed RPAA NSR process
The NSR process under the RPAA is triggered upon initial registration, before a proposed acquisition of control of a PSP, or before certain prescribed changes to a PSP’s registration. Applications for each of these proposed events commence with the PSP filing detailed information and documents as part of its application to the Bank of Canada. Among the numerous prescribed requirements of the application are 17 requirements specifically related to the NSR.
Once the Bank of Canada certifies that the application is complete, it submits the complete application to the Department of Finance. Based on the information in the application, the Department of Finance, on behalf of the Minister of Finance, has 60 days to determine whether the application should be subject to the NSR regime under the RPAA. If the Minister of Finance orders a formal NSR, then the Department of Finance informs the Bank of Canada and the Bank of Canada, in turn, informs the PSP applicant of the review. The Minister of Finance then has 180 days from the date the Minister of Finance decides that the review is required to complete the formal NSR, although this timeline may be extended at the discretion of the Minister of Finance. The Minister of Finance can request additional information from the applicant at any time during the process. At the conclusion of the review, the Minister of Finance can approve the application, refuse the registration outright, or impose conditions or require an undertaking. A PSP may request a review of this decision within 30 days of being advised by the Bank of Canada of the Minister of Finance’s decision. Except for the opportunity to request a review of the Minister of Finance’s decision, the timeline of the RPAA NSR process, and the range of outcomes that may be ordered by the Minister of Finance, are largely consistent with the NSR regime of the ICA.
Acquisition of control and SOE matters
A PSP must apply for and obtain a new registration with the Bank of Canada (including undergoing a new NSR) prior to the occurrence of the following three events:
- an “acquisition of control”, which includes the acquisition of the general partner of a limited partnership, the direct or indirect acquisition of one-third or more of the voting shares of a corporation, or the acquisition of interests in a non-corporate entity that entitle the holder to receive one-third or more of the entity’s profits or one-third or more of its assets on dissolution, and which flows up the corporate chain to the ultimate controlling interest in the PSP;
- an acquisition by a state-owned enterprise as defined in the ICA (SOE) of (i) a power to appoint the CEO or other senior management officers of the PSP or its board or a similar body, (ii) if the PSP is a corporation, any voting rights in respect of the election of its directors, or (iii) if the PSP is an entity other than a corporation, any ownership interests in the PSP; and
- a change in the storage or processing of information by the PSP or its third-party service providers in a country outside Canada that was not identified in the PSP’s most recent application for registration.
While the draft Regulations leverage the definition of SOE in the ICA, they risk creating unnecessary regulatory complexity by defining the concept of “acquisition of control” differently from the ICA. Further, if payment services are prescribed by the government as a sensitive sector under Bill C-34, as discussed above, an acquisition of interests in a PSP by a non-Canadian would be subject to an NSR under the ICA at a much lower threshold than an acquisition of control as defined by the draft Regulations.
In addition to NSR considerations (including the minimum 60-day initial NSR delay and the resulting uncertainty for foreign investors), stakeholders will want to consider the broader implications of the proposed acquisition of control thresholds. More typically, a change of control of a Canadian financial intermediary that is not prudentially regulated is defined with reference to legal control (i.e., a simple majority) rather than one-third of the voting securities of the entity. Given that many of the expected 2,500 in-scope PSPs under the RPAA may be in the earlier stages of their growth cycle, this threshold - and its related consequences (i.e., the loss of registration if a new Bank of Canada registration is not obtained prior to closing) - will need to be considered in light of anticipated financing rounds. It is possible, for example, that a PSP could be required to obtain multiple RPAA registrations over the course of its growth cycle under the thresholds proposed in the draft Regulations.
Given the risk of losing their RPAA registration due to an unknown change by a third-party service provider of a PSP’s information storage or processing procedures, PSPs also will want to carefully review their third-party servicing contracts to ensure that they have appropriate contractual protections.
3. Risk management and incident response framework
PSPs will be required to establish, implement and maintain a robust risk management and incident response framework (Risk Management Framework) that includes the following, as among its objectives:
- ensuring the PSP can perform retail payment activities without reduction, deterioration or breakdown, including by ensuring the availability of its systems, data and information, and
- preserving the integrity and confidentiality of those activities, systems, data and information.
The draft Regulations set out a detailed list of prescribed requirements that must be included in the Risk Management Framework, including the identification of the PSP’s operational risks and the processes and controls in place to protect its retail payment activities from those risks. The Risk Management Framework must also detail the processes and controls the PSP has in place to detect incidents and anomalous events that could indicate emerging operational risks, as well as an incident response and recovery plan.
Other key Risk Management Framework requirements include the need to have a designated senior compliance officer (similar to the requirement to have a designated senior AML officer under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act) and access to sufficient human and financial resources.
Of note, the draft Regulations require a PSP to establish and implement a customized testing methodology for the purpose of identifying gaps in the effectiveness of, and vulnerabilities in, the processes and controls provided for in its Risk Management Framework. Although not directly regulated today, many PSPs which, for example, provide third-party services to regulated entities such as banks or other financial institutions, or which are subject to payment network rules, are typically contractually required to comply with existing data security standards (such as SOC 2). It is not clear why the Department of Finance has determined that a more prescriptive standard is needed rather than granting PSPs the flexibility to leverage existing standards, or how this fits with the necessity principle articulated in the Impact Statement.
PSPs must review their Risk Management Framework at least annually and conduct in-depth effectiveness testing at least every three years and prior to making any significant changes to their systems, policies, procedures, processes or controls. PSPs that have an internal or external auditor must also obtain an independent audit every three years.
The Bank of Canada has the authority under the RPAA to assess a PSP’s Risk Management Framework and provide corrective measures that the Bank of Canada considers appropriate.
Third-party service providers
As part of its Risk Management Framework, a PSP will be required to conduct detailed operational assessments of its third-party service providers at least annually and prior to renewing or entering into any significant amendments to its third-party servicing contracts. A PSP must assess, among other things:
- the third-party service provider’s ability to protect data and information obtained from the PSP or in the course of performing services for it;
- the security of the third-party service provider’s connections to and from the PSP’s systems; and
- the third-party service provider’s risk management practices in relation to the services provided.
The draft Regulations do not contemplate any materiality or criticality thresholds, so implementing these requirements for all contractual relationships may be quite onerous.
The draft Regulations also require PSPs to include specific information in their third-party contracts. As part of their transition to the RPAA framework, PSPs will need to review, and potentially amend, their existing third-party contracts.
The RPAA requires a PSP that becomes aware of an incident with a material impact on an end user, another PSP, or a clearing house to notify that individual or entity and the Bank of Canada.
The draft Regulations specify that the notice to be given to the Bank of Canada in the event of a reportable incident must set out information about the PSP and a contact person for the incident, a description of the incident and its material impact on end users, other PSPs or a clearing house, and the measures taken to respond to the incident.
The notice to be provided to impacted end users, other PSPs or clearing houses must be given to each materially affected individual or entity using the most recent contact information, and must be posted on the PSP’s website if contact information is not available for every materially affected individual or entity. The notice must include the name of the PSP, a description of the incident, including when it began, the nature of its material impacts on individuals or entities, and corrective measures that could be taken by the impacted individuals or entities.
These reporting and notification obligations are significant and will require robust frameworks and compliance functions.
Furthermore, it is not clear from the wording of either the RPAA or the draft Regulations what is meant by “material”, or how these obligations are meant to interact with existing legislative obligations and regulatory standards. As the RPAA regulations are currently drafted, overlap in the threshold trigger, timing requirements and content and form requirements may lead to overly burdensome reporting and notification efforts for PSPs subject to federal, Alberta or Québec private sector privacy laws. Since the necessity principle articulated in the Impact Statement is meant to eliminate any duplication of RPAA obligations and existing rules, any substantive distinction between the RPAA and private sector privacy reporting and notification regimes should be clearly set out to allow organizations to appropriately tailor their compliance efforts. Confusion as to the interoperability of the RPAA and privacy legislative regimes could lead to potentially unnecessary administrative and compliance costs.
Additionally, Federally Regulated Financial Institutions (FRFIs) must comply with the Office of the Superintendent of Financial Institutions (OSFI) regulatory incident reporting regime, which requires initial reporting within 24 hours (or sooner, if possible). The OSFI Technology and Cyber Security Incident Reporting guidance sets out criteria for when a technology or cyber security incident will trigger reporting requirements, including when the impact of the incident “has potential consequences to other FRFIs or the Canadian financial system” or affects the FRFI’s “key/critical systems, infrastructure or data”. FRFIs must have internal policies and procedures for responding to and reporting incidents.
Federally regulated banks, as major players in the payments ecosystem, are already subject to these prescriptive OSFI reporting/notification rules and often flow down their internal processes and policies to service providers – many of which are PSPs subject to the RPAA’s distinct reporting and notification obligations. Again, it is not clear how the RPAA obligations will interact with the OSFI rules, and whether service providers of FRFIs will now be subject to onerous and overlapping requirements following a security incident. Furthermore, overlapping requirements for FRFIs and PSPs could cause confusion for an end-user receiving multiple notices from the same incident.
4. Safeguarding of funds
The RPAA sets out requirements to safeguard funds, which apply to all PSPs that hold user funds. Under the RPAA, such PSPs can meet these requirements by:
- holding end-user funds in trust in a trust account that is not used for any other purpose;
- holding end-user funds in an account that is not used for any other purpose and holding insurance or a guarantee in respect of the funds in an amount equal to or greater than the amount in the account; or
- holding the end-user funds as prescribed.
The government has not prescribed any alternative methods to fulfill these obligations. Accordingly, only the trust account and insurance/guarantee options are available at this time. The account used to hold end-user funds must be at a qualifying Canadian financial institution (or a foreign financial institution regulated by a regime that imposes comparable prudential requirements).
Insurance policies and guarantees must be provided by an unaffiliated third party, and the proceeds from the insurance or guarantee cannot form part of the PSP’s estate. Proceeds must be payable for the benefit of end users as soon as feasible following the insolvency proceeding triggers specified in the draft Regulations. The Bank of Canada must be given at least 30 days’ prior notice of any cancellation or termination of the insurance or guarantee, which may be challenging, as this is not wholly within the control of the PSP.
Given that this is a new regime, it will be interesting to see if an insurance market develops in order to serve this industry.
The draft Regulations also require PSPs holding end-user funds to establish a separate Fund Safeguarding Framework to ensure that end users have reliable access to their funds without delay, and to provide for the funds (or the proceeds of the insurance or guarantee, if applicable) to be paid out in the event the PSP becomes insolvent. The Fund Safeguarding Framework must set out the PSP’s systems, policies, processes, procedures and controls for meeting the various criteria specified under the draft Regulations, which are quite detailed and prescriptive. The Fund Safeguarding Framework must also identify legal and operational risks that could hinder the broad objectives established under the framework, and identify the senior officer responsible for overseeing the PSP’s safeguarding practices, among other requirements. As with the Risk Management Framework, independent review, remediation, recordkeeping and reporting obligations apply.
5. Reporting and significant change or new activity notification obligations
The RPAA requires PSPs to submit an annual report to the Bank of Canada; the draft Regulations prescribe the information to be included in these reports, as well as the timing, form and manner of submission.
The draft Regulations require the annual report to be submitted no later than March 31 of the following calendar year. The reporting requirements under the draft Regulations are comprehensive and detailed, but at a high level, PSPs must describe:
- changes to the Risk Management Framework and plans for maintenance and implementation;
- details regarding reviews, testing, independent testing and assessments carried out in the reporting year;
- descriptions of human and financial resources available to maintain the Risk Management Framework; and
- a description of operational risks identified, and all incidents the PSP experienced in the reporting year.
Detailed information is also required under the draft Regulations regarding accounts, insurance and guarantees related to safeguarding of end-user funds, the Fund Safeguarding Framework, and any independent reviews. There are also very detailed reporting requirements regarding the PSP’s ubiquity and interconnectedness, the value of funds held and retail payment transactions completed, which vary somewhat based on whether the PSP is domestic or foreign.
PSPs are also required to notify the Bank of Canada at least five business days before making a significant change in the way that they perform a retail payment activity, or before they perform a new retail payment activity. A “significant change” is defined as a change that could reasonably be expected to have a material impact on the operational risks or on the manner in which end-user funds are safeguarded. The notice is required to include the reason for the change and the PSP’s assessment of the impact of the change on its operational risks or funds safeguarding practices. The notice must be accompanied by copies of the PSP’s amended Risk Management Framework and any other documentation that has been created or amended by the PSP to reflect the change or the new activity.
Overall, based on the draft Regulations, PSPs can expect the reporting process to require substantial time, expense and personnel resources. It will be imperative that PSPs subject to the regime carefully maintain all necessary records on an ongoing basis to ensure that the annual reporting process runs as smoothly as possible.
6. Non-application of the RPAA
The draft Regulations only contemplate limited exemptions to supplement those that are currently set out in the RPAA:
- Incidental retail payment activities: The RPAA provides that a “payment service provider” is a person that performs payment functions as a service or business activity that is not incidental to another service or business activity. The scope of this carve out is very much dependent on the meaning of “incidental” and will be of key importance in determining the ambit of the RPAA. The draft Regulations clarify that a retail payment activity that is incidental to another service or business activity is exempt, unless the other service or business activity consists of the performance of a payment function. However, it is still not clear what is meant by “incidental.” The Impact Statement states that the Bank of Canada will develop guidance that provides further direction to PSPs regarding the RPAA’s scope and exclusions, and the Bank of Canada would likely benefit from additional commentary on this aspect.
- Securities dealers: The draft Regulations set out a prescribed transaction for the purpose of s. 6(d) of the RPAA. A transaction in relation to securities is a prescribed transaction if it is performed by a securities dealer regulated (or exempted from regulation) under Canadian securities laws.
- SWIFT: The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is prescribed as an entity exempt from the RPAA.
7. Application to Digital Assets
The definition of “retail payment activity” in the RPAA captures electronic funds transfers in fiat, although it provides leeway for regulations to specifically scope in additional “prescribed units.” While the Bank of Canada had previously indicated that digital assets could be in scope, the draft Regulations do not prescribe any additional “units” for this purpose. Accordingly, it appears that crypto asset trading platforms (CTPs) and other digital asset-based businesses will not be subject to the RPAA for the time being, unless they are involved in certain fiat payment or transfer services to the extent that these activities are not “incidental.” Given the exemption for securities dealers noted above, it appears that CTPs also will be exempt from the application of the RPAA, provided that they deal in “Crypto Contracts” and are registered as securities dealers. Pursuant to guidance released by the Canadian Securities Administrators (CSA), a Crypto Contract is an agreement between the CTP and its user where the CTP is granted custody of the user’s crypto. CSA staff are of the view that Crypto Contracts are securities, derivatives or both, and therefore any CTP dealing in Crypto Contracts is required to register as a securities dealer pursuant to Canadian securities legislation.
8. Penalties for non-compliance
The RPAA sets out the Bank of Canada’s enforcement powers under the RPAA, as well as a PSP’s rights of review and appeal.
The draft Regulations flesh out this regime by designating certain sections of the RPAA and the draft Regulations as violations, which could provide the basis for a notice of violation or an administrative monetary penalty (AMP).
While the general structure of the AMPs will be familiar to money services businesses currently regulated by FINTRAC, the threshold amounts are considerably higher than those under that regime: the draft Regulations set out a maximum of $1 million per violation for serious violations and a maximum of $10 million per violation for very serious violations. Two or more serious violations related to the same obligation would be reclassified as one very serious violation.
In general, AMPs will be assessed based on the harm that resulted or could have resulted from the violation, the PSP’s compliance history in the preceding five-year period, and the degree of intention or negligence involved in the violation.
Violations pertaining to regulatory disclosure obligations (i.e., annual reporting) would not be classified as serious or very serious. Instead, AMPs would be assessed based on the duration of the violation.
Further guidance is expected to be provided by the Bank of Canada regarding AMP calculations.
9. Application fees
The draft Regulations establish the PSP registration fee for the first year the RPAA is in force as $2,500. This fee will be adjusted in each subsequent year to track inflation according to the formula set out in the draft Regulations. This registration fee is in addition to the annual fees assessed for each PSP as part of the RPAA’s cost recovery mandate.
Businesses that expect to be regulated as PSPs under the new regime can expect to meet significant regulatory hurdles as they seek to meet the substantial registration processing, NSR, operational risk, incident management, reporting and recordkeeping requirements that apply under the RPAA and the final version of the regulations. PSPs are encouraged to review the draft Regulations in detail and provide feedback to the Bank of Canada as necessary, including where additional guidance may be helpful.