On February 10, the proposed Retail Payment Activities Act Regulations were published for consultation in the Canada Gazette, Part I1 (the Regulations).
The 2017 federal consultation paper, “A New Retail Payments Oversight Framework,” states that “unduly burdensome regulations may stifle competition and innovation”3 and, to prevent this from happening, the paper identifies four principles to guide the development of the oversight framework: necessity, proportionality, consistency and effectiveness.
The Regulations aim to satisfy all four principles by imposing a highly prescriptive framework while still providing some flexibility, either through the adoption of language that permits room for interpretation or by integrating elements of proportionality that take into consider the size and activities of each PSP in the market.
We provide below at a high-level summary of key aspects of the Regulations.
Regulations provide additional details regarding the PSPs registration process, including the establishment of a one-time $2,500 registration fee.
The Regulations require PSPs to develop a written, comprehensive risk management and incident response framework (the Framework) that covers an extensive list of requirements ranging from:
This highly prescriptive approach seeks to ensure that all potential end-user harm has been identified and appropriately addressed by PSPs. In addition, PSPs must also undertake nuanced testing to ensure integrity and compliance of the Framework.
Recognizing the diversity of PSPs, the Regulations provide for the development of a Framework that is proportional to the impact that a reduction, deterioration or breakdown of a PSP’s activities can have on end-users or on other service providers having regard to the size and value of the PSP’s activities. The Regulations specify how to assess the “proportionality” element.
The Framework must also consider how any third-party service providers or agents and mandataries will fit into the risk management and incident response requirements.
To safeguard user-funds, the RPAA requires PSPs to either 1) hold funds in trust, in a trust account or 2) hold funds in a segregated account and hold insurance or a guarantee in respect of the fund. Accounts used to hold end-user funds must be held in prudentially regulated financial institutions. PSPs must establish a written framework with respect to the safeguarding of funds (Funds Framework) to ensure that end-users have access to funds being held by the PSPwithout delay, including ensuring that the funds, or the proceeds of the insurance or guarantee, are paid to the end-users as soon as feasible when an insolvency event occurs.
The Funds Framework must describe the systems, policies, processes, procedures and controls to meet those objectives. It must also identify any legal and operational risks that could hinder meeting those objectives and the means of mitigating such risks. PSPs must review their Funds Framework at least once per year as well as following any changes in how the PSP safeguards funds, changes in the entities in which such funds are held or in the terms of the insurance policy or guarantee securing such funds.
However, the Regulations provide for some flexibility for PSPs to create their own compliant Funds Framework while ensuring accountability. Rather than prescribing the specific mechanics of safeguarding end-user funds in trust or otherwise, the Regulations set out the parameters within which PSPs can develop their own systems and processes to safeguard funds, specifically, ensuring end-users have ready and reliable access to their funds, including in the event of a PSP’s insolvency.
At least once every two years, a PSP’s Funds Framework will be reviewed by an independent “sufficiently skilled individual” to ensure it complies with the RPAA and the Regulations.
The insurance or guarantee required under the RPAA with respect to the end-user funds held by PSPs must be issued by a federally regulated financial institution, or a provincially regulated insurance, trust or loan company, or a foreign financial institution subject to comparable standards relating to capital, liquidity, governance, supervision, and risk management, and which in each case is not an affiliate of the PSP.
PSPs must ensure that: (i) the proceeds from the insurance or guarantee do not form part of the PSP’s general estate; (ii) the proceeds are payable for the benefit of an end-user as soon as feasible following the bringing of insolvency proceedings, or the consent to such proceedings, by the PSP, or the passage of 30 days from the bringing of insolvency proceeding against the PSP, unless such proceedings have been discontinued (collectively “insolvency events”); (iii) the insurance or guarantee will survive the PSP’s insolvency; and (iv) the Bank will be given 30 days’ notice of the cancellation or termination of the insurance or guarantee.
Note that the Regulations only address insolvency events, not other forms of reorganization, arrangement nor default in payment absent an insolvency.
PSPs are also subject to national security review reporting and approval requirements. Under the RPAA and Regulations, the Minister of Finance can commence national security reviews within 60 days of the submission of an initial application for registration, in connection with acquisitions of control transactions or in the event of certain “other changes.” The provisions are designed to be similar to the national security provisions in the Investment Canada Act (ICA). Unlike the ICA, which regulates Foreign Direct Investment, the RPAA national security provision in the RPAA is largely investor-nationality agnostic and applies to Canadians as well as non-Canadians. That said, substantive assessments under the RPAA are expected to be like those under the ICA. Under the ICA, reviews typically focus on Chinese, Russian and State-Owned Enterprise investors as well as investors with potential links to organized crime. Under the RPAA, reviews can be 180 days or longer and result in conditional or unconditional approvals or rejections.
The Regulations impose several reporting obligations which appear to be onerous:
The Regulations designate specific provisions of the RPAA, or the Regulations, that can be subject to a notice of violation (and potentially an administrative monetary penalty). The Regulations classify such violations as either serious or very serious with a potential reclassification of a series of serious violations as a very serious violation. A serious violation can be subject to a penalty of up to $1,000,000 per violation and a very serious violation can be subject to a penalty of up to $10,000,000 per violation.
Certain violations which pertain to the provision of information, such as annual reporting, are not classified and are subject to their own administrative penalty regimes that carry a penalty of $500 per day if the violation has carried on for less than 30 days and from $15,000 to $1,000,000 if the violation has carried on for more than 30 days.
The high level of prescriptiveness found in the Regulations will enable the Bank to take enforcement actions on each specific requirement thereunder, which would not be the case if such requirements were found in guidelines rather than regulations (i.e., because guidelines do not have force of law).
The Bank will be providing further guidance on the scope, exclusions and requirements under the RPAA and Regulations.
Specific provisions of the Regulations come into force when the related RPAA provisions come into force:
The Regulations prescribe detailed compliance requirements and PSPs, particularly those that may not be familiar with dealing with regulators other than FINTRAC, may find it challenging to comply with the RPAA and the Regulations. PSPs will also need to consider if they are subject to the Proceeds of Crime Money Laundering and Terrorist Financing Act. PSPs are encouraged to seek out counsel to ensure appropriate compliance.
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2024 by Torys LLP.
All rights reserved.