The Retail Payments Activities Act (the “RPAA”) was enacted in June 2021, creating a new regulatory regime for retail payment activities under the supervision of the Bank of Canada (the “BOC”). The introduction of the RPAA is a significant milestone in the Canadian retail payments sector, which had previously been largely unregulated. The RPAA’s introduction also represents unchartered territory for the BOC, which will be assuming the role of a regulator for an entire industry sector for the first time.
The BOC recently introduced a supervisory framework under the RPAA, which sets out how it will oversee payment service providers (“PSPs”), foster compliance, and monitor and assess trends and issues in the payment system. For more information about who qualifies as a PSP, please read our bulletin titled Who is Caught by Canada’s New Retail Payment Systems Regulation?
In a recent speech, Ron Morrow, the BOC’s Executive Director for Retail Payments Supervision, noted that the new supervisory framework will apply to organizations “in the business of helping people and companies make day-to-day payments, or store or transfer their money through electronic means.” This signals that the RPAA’s broad definition of PSP is unlikely to be significantly limited in the regulations to the RPAA, which will be published for comment in the near future. The BOC estimates that over 2,500 entities, including many FinTech payment companies, will be subject to its supervision, and urges them to begin planning and preparing for the new regulatory regime.
This bulletin provides an overview of the BOC’s new supervisory framework as it pertains to registration, risk monitoring and enforcement.
Both domestic PSPs and foreign PSPs that direct retail payment activities at individuals or entities in Canada will be required to register with the BOC when the provisions of the RPAA requiring registration come into force, which will likely be in 2024. The RPAA provides a transition period to allow the BOC to process applications and to permit individuals or entities currently offering retail payments services to continue doing so as long as they have submitted an application. The length of this transition period is unknown, but the period will commence once section 29 of the RPAA (which requires registration of PSPs) comes into force. In order to facilitate the registration process, the BOC is currently developing a web portal through which applicants and registered PSPs will be required to submit their registration details, pay the registration fee, and comply with the reporting obligations under the RPAA.
The BOC will share the applications of those who meet the RPAA’s registration criteria with the Financial Transactions and Reports Analysis Centre of Canada (“FINTRAC”) and Department of Finance Canada to perform a national security review. Money services businesses (“MSBs”) performing retail payments activities covered by the RPAA must register with the BOC as a PSP. Note, however, that MSBs already registered with FINTRAC were not subject to a national security review during the MSB registration process and so must undergo a national security review before registering as a PSP. Once registered, PSPs must adhere to the RPAA’s requirements and pay an annual assessment fee. The BOC may refuse or revoke registration on several grounds, including based on information provided by FINTRAC, a directive from the federal Minister of Finance citing national security concerns, or an applicant ceasing to perform retail payment activities. The BOC will monitor unregistered individuals and entities performing payment services to ensure adherence to the registration requirement, and may use enforcement measures to compel compliance. The BOC may also monitor individuals and entities whose registration has been refused or revoked to ensure that they are no longer performing payment services.
PSPs will be required to implement a framework for mitigating operational risk and responding to incidents. Under this framework, PSPs must report to the BOC incidents that have a material impact on end users, other PSPs or certain clearing and settlement systems. In addition, PSPs holding end-user funds must institute measures to protect those funds until they are withdrawn or transferred.
PSPs will also be required to submit three types of reports to enable the BOC to assess their compliance with the supervisory framework. The first is an annual report containing details about operational risk mitigation, incident response and protective measures for end-user funds, if applicable. The second is a significant change or new activity report notifying the BOC before a PSP performs a new retail payment activity or significantly changes the way it performs an existing activity. The third is an incident report alerting the BOC of incidents that have a material impact on end users or other entities.
In addition to risk monitoring, the BOC has developed a set of enforcement tools to address violations under the RPAA and promote compliance. For example, the BOC can enter into a formal compliance agreement with a PSP to remedy non-compliance. The BOC can also issue a notice of violation (“NOV”) for contraventions of the RPAA and publish the company’s name and the nature of its violations on the BOC website. A NOV may be accompanied by an administrative monetary penalty (“AMP”) or an offer to enter into a compliance agreement. If a PSP enters into a compliance agreement, the PSP will only be required to pay one half of the AMP. However, if the PSP breaches the compliance agreement, it will be liable to pay the remaining half of the AMP as well as an added penalty that will be specified in the regulations. The AMP will be made public and could be as high as $10 million for an egregious violation.
The BOC Governor may also issue a compliance order against a PSP if the Governor believes that a PSP is engaging, or is about to engage in an act that could detrimentally affect end users, other PSPs or certain clearing and settlement systems. Furthermore, the Governor may apply to a superior court for an order mandating that a PSP stop an action that contravenes the RPAA, adhere to a provision of the RPAA, or obey a compliance order.
The BOC’s new supervisory framework is the product of consultations with multiple stakeholders, including the Retail Payments Advisory Committee (“RPAC”), which was established by the BOC to provide industry expertise on Canada’s retail payment services sector. The RPAC’s mandate has recently been extended past its one-year term ending September 2022, which will allow it to offer continued support to the BOC as it begins its journey of regulating the Canadian retail payments sector.
Players in the Canadian retail payments space would be well advised to prepare for the new regulatory regime, including conducting an assessment to determine whether they will need to register as a PSP once the requirements come into force. The BOC notes that its approach to supervision may evolve and that it may update the supervisory framework, before or after the RPAA’s registration requirements come into effect, in order to respond to the pending publication of regulations by the Department of Finance Canada, which are expected to clarify the details of the RPAA, and changes in the retail payments landscape. Such regulations are expected to be published for comment in 2023.