The Bank of Canada (“BoC”) has released minutes of the September and October meetings of the Retail Payments Advisory Committee (“RPAC”), and related discussion materials for these meetings and the November meeting, including discussion guides on (1) the registration scope, (2) the registration process, (3) record-keeping requirements, (4) reporting requirements and (5) approach to fees. These guides include information of interest to entities in the payment space, particularly those that may become subject to BoC oversight pursuant to the Retail Payment Activities Act (“RPPA” or the “Act”), which received Royal Assent on June 29, 2021. Further details on the RPAA are discussed in our previous blog post.
The RPAC is a forum established by the BoC to gather industry expertise about the retail payments landscape and the RPAA.
Registration Scope Discussion Guide
The registration scope discussion guide describes the BoC’s current thinking on three topics: (i) the payment functions subject to the RPAA; (ii) when performance of any of the payment functions is considered to be incidental to the entity’s primary business; and (iii) when an entity that performs a payment function, despite not having a place of business in Canada, may be subject to the RPAA.
Five Payment Functions
- The provision or maintenance of an account that, in relation to an electronic funds transfer (“EFT”), is held on behalf of one or more end users.
- Examples include payments processors (e.g., for online vendors and other commercial users), digital/electronic wallets, challenger banks, any account used to send or receive EFTs, dormant or seldom-used accounts (e.g., one-time use of a payment service provider (“PSP”) would be captured if the end user’s information is stored).
- The holding of funds on behalf of an end user until they are withdrawn by the end user or transferred to another person or entity.
- Examples include reloadable cards that could be used essentially like a debit card, and electronic accounts which permit end users to view balances and initiate EFTs.
- The initiation of an EFT at the request of an end user.
- Examples include:
- Payment processors
- Credit cards
- Prepaid cards
- POS, tablet POS, web terminal, or mobile processing services to merchants
- E-commerce platforms
- Billing payment platforms
- Recurring payment platforms
- Examples include:
- The authorization of an EFT or the transmission, reception or facilitation of an instruction in relation to an EFT.
- Examples would include the same activities as those listed in (C), above.
- The provision of clearing or settlement services.
- Examples include credit card networks, debit card networks and prepaid card networks.
Entities can be excluded from the requirement to register with the BoC, even where one of the five payment functions are performed, so long as the function performed is “incidental to another service or business activity”. The BoC clarified that they are still developing the concept of incidental and are not yet ready to provide a definition. However, the following examples were provided as cases that would be treated as incidental:
- Telecommunications companies or internet service providers
- Cloud computing providers
- Companies specializing in Application Programming Interfaces (APIs)
- Online casinos
- Law or accounting firms
Payment service providers will be subject to the RPAA, even if they are not physically present in Canada, if they are directing and providing payment services to end users in Canada. PSPs with a physical presence in Canada will be subject to the requirements with respect to their end users both inside and outside Canada.
Registration Process Discussion Guide
The registration process discussion guide proposes a four step registration process:
- Registration screening - Registration screening deals with screening excluded entities and removing them from the application process to reduce the number of unnecessary applications.
- Registration application - The registration application’s main goal is to determine whether the applicant is a PSP within the scope of the RPAA. The discussion guide outlines the type of information that may be required as part of the registration process.
- Coordinating with the Financial Transactions and Reports Analysis Centre of Canada (“FINTRAC”) and the Department of Finance Canada - Once the application is accepted and deemed to be within the scope of the Act, the application information is shared with FINTRAC and the Department of Finance Canada. In this step, FINTRAC will inform the BoC whether the applicant has been found guilty of a specified offense, which could result in the bank refusing a PSP’s registration. Additionally, the Minister of Finance may direct the BoC to refuse the PSP’s registration due to concerns related to national security.
- Registration decisions, reviews and publication - Lastly, the BoC may refuse the PSP’s registration for reasons set out in the RPPA, such as for providing false or misleading information, which may be appealed to the Governor of the BoC.
Record Keeping Discussion Guide
The record keeping discussion guide states that PSPs could be required under future regulations to keep records to demonstrate their compliance with the RPAA. Records could include policies and procedures, results of audits, and logs used to support risk management. PSPs could be required to maintain records for five years, which would align with other regulatory obligations, such as those under the PCMLTFA. Additionally, these documents and records could be expected to be: (1) kept in electronic form, (2) provided to the BoC in an accessible form, and (3) protected from destruction, loss, falsification, inaccuracies, inappropriate access and use. The BoC is aware of five different triggers for when the five year period could begin: (1) creation of the document, (2) end of calendar, fiscal or tax year, (3) after the document is superseded, (4) point of approval, and (5) an incident or issue that is identified.
Annual Reporting and Information Requests Discussion Guide
The annual reporting and information requests discussion guide outlines sets out how the BoC will routinely collect information from PSPs. The BoC’s intended use of annual reports is to (1) gather information about PSPs and (2) to select and prioritize PSPs or issues for supervisory purposes. The goal for the annual reporting process is to provide the BoC with what is described as “high level and structured information” from PSPs. This information will be gathered by a series of questions regarding PSPs’ businesses, operational risk and end-user fund safeguarding practices in an electronic template provided by the BoC.
Conversely, while annual reporting is used to provide the BoC with uniform and consistent information about PSPs, the BoC’s use of information requests is intended to ensure a PSP’s compliance. The BoC offered the following examples of information requests:
- To initiate a more detailed review of a PSP following its annual reporting submission (e.g., the BoC may seek more specific information from a PSP, including copies of policies, procedures, etc.);
- Follow up on information previously received by the BoC from a PSP (e.g., from a significant change notice);
- Investigate a concern with a PSP’s compliance; or
- Obtain any other information to support the BoC’s objects under the RPAA.
The discussion paper states that it is not the purpose of these information requests to have PSPs create new documents, but rather that PSPs will typically be asked to submit documentation that they should already have per RPAA requirements.
Approach to Fees Discussion Guide
Under the RPAA, the BoC is required to recoup costs incurred to carry out the job of supervising PSPs. There will be two types of fees as set out in the approach to fees discussion guide: (i) a fee at the registration application stage; and (ii) an annual assessment fee.
Registration Application Fee
PSP registrants will need to pay a fee as part of their application and the BoC will only review the application once it has received its fee. The fee will be non-refundable, even if it is determined an applicant is not a PSP or is found to be ineligible for registration. However, the BoC proposes to create a free self-screening process which potential applicants can use in advance. Based on the BoC’s preliminary estimates, the registration fee will be approximately $2,500 per application. The discussion guide emphasizes that this is a preliminary estimate and there is a recognition that this fee could be considered a barrier to entry for some PSPs.
Annual Assessment Fee
Where the cost of supervision is not fully recouped through the registration application process, the balance would need to be allocated through an annual assessment fee to each registered PSP. The annual assessment fee would have two parts: (i) a minimum, equal fee charged to all registered PSPs to reflect expenses incurred by the BoC to conduct supervisory activities for all PSPs on an on-going basis; and (ii) a variable fee charged to each registered PSP driven by a set of quantitative metrics, such as payment volumes or end-user funds held, in connection with that PSP’s payment activities.
RPAC meeting participants expressed concern with scope; in particular, they wanted to ensure clarity and fairness in defining “incidental”, to ensure that those businesses not primarily engaged in retail payment activities were not captured under the RPAA. Participants flagged that many e-commerce platforms and online marketplaces could be storing information for payment purposes or outsource that function to a PSP. Consequently, they suggested that the BoC consider these different types of business models and activities when defining “incidental”, so that these businesses and activities are not unintentionally captured.
In the discussion on payment business models, participants suggested that the BoC should consider aligning its interpretation of initiating an electronic funds transfer with that of the PCMLTFA. Also, it was suggested that clarity be provided on whether certain entities could be expected to meet more stringent requirements, as the operational risk management requirements could apply differently to each entity in a payment transaction.
In relation to the registration process, participants noted that not all violations of the requirements set out by FINTRAC should be considered when refusing registration and that not being able to register with the BoC under the RPAA would impact PSPs more negatively than not being able to register as a money service business under FINTRAC’s regime.
The BoC stated that the insights would be reviewed and they may reach out to specific participants with technical questions.
The BoC is continuing to work with industry partners including the RPAC to help develop any guidance underpinning the RPAA and develop the applicable supervisory framework.