In Canada, there is no single regulator that sets standards for mobile payments – the sector is governed by a patchwork of legislation. Navigating the regulatory landscape can be confusing, particularly since some rules apply to banks but not startups and other FinTech companies.
That said, it’s not a complete “wild west” for startups. Anyone operating in the space should be aware of national best practices in payment standards, the potential of oversight by OSFI or FINTRAC, consumer protection legislation, and the potential application of securities law. This article catalogues the sources of regulation that apply to the mobile payments sector.
The documents in this section set out best practices for the payments industry, and do not necessarily apply to FinTech startups. However, it is possible that future Canadian FinTech regulation efforts will draw from these sources when setting out mobile payments standards, so it is helpful for startups to be familiar with these models and guidelines.
Canadian Payments Act
The Canadian Payments Act established the Canadian Payments Association, whose mandate is to create and operate national systems for the clearing and settlement of payments. The Canadian Payments Association was not designed to oversee payment systems established by others or regulate the operations of participants in the mobile ecosystem. That said, as this article goes on to discuss, this piece of legislation could provide a way forward for the industry.
Canadian NFC Mobile Payments Reference Model (the “Mobile Reference Model”)
The Canadian Bankers Association has published a set of voluntary guidelines for mobile near-field communication, also known as tap-to-pay. These guidelines deal with functionality, security, privacy, and access control. The Mobile Reference Model remains voluntary and only binds those banks and credit unions that participated in its development.
Code of Conduct for the Credit and Debit Card Industry in Canada (the “Code”)
The Code’s purpose is to ensure that merchants are fully aware of the costs associated with accepting credit and debit card payments, provide merchants with pricing flexibility and allow merchants the ability to freely choose which payment options they will accept. The Code is only applicable to credit and debit card networks and their participants (e.g. card issuers and acquirers), so unless your startup is partnering with this type of business, the Code may not be relevant.
The Bank Act provides payment rules and standards, as well as prudential oversight for federally-regulated financial institutions. These institutions are subject to oversight by the Office of the Superintendent of Financial Institutions (“OSFI”). As Bank Act and OSFI regulation targets the service provider, rather than the services themselves, many FinTech companies operating in the mobile payment space are not subject to these regulations. That said, if a startup is looking to eventually partner with or be acquired by a traditional bank, it might be prudent to build Bank Act compliance into payment protocols at the early stage, so that no redesign is required at the partnership or exit stages.
Proceeds of Crime (Money Laundering) and Terrorist Financing Act
The federal Proceeds of Crime (Money Laundering) and Terrorist Financing Act (“AML”) provides for an anti-money laundering system. Canada’s AML laws regulate “money services businesses” and impose requirements, such as registration, record keeping and the reporting of large cash transactions, suspicious transactions and terrorist property, on these entities. The definition of money services business is broad, and is generally understood to encompass a business that transfers funds from one person (the customer) to a third party recipient. This definition is comprehensive enough to cover a variety of FinTech mobile payment providers, as StartupSource’s Mat Goldstein has written.
Loan and Trust Company Act
If a company’s payment processing (or its other services) involves taking deposits or holding funds for investment, Ontario’s Loan and Trust Company Act (“LATCA”) may apply. If LATCA applies, the company will need to register with the Superintendent of Financial Services. If the Superintendent deems a company to be non-compliant, the Superintendent has the power to order the company to cease non-compliant operations. Similar legislation exists in other provinces.
With the growth of mobile payment systems comes an increase in technologies that collect, use and disclose consumers’ personal information. The federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to all organizations that collect, use or disclose personal information in the course of commercial activities. PIPEDA imposes certain obligations upon organizations regarding the collection, use, disclosure, retention and security of personal information. Likewise, those in the payment space would have to comply with provincial consumer protection legislation, such as Ontario’s Consumer Protection Act, which provides for certain prohibited unfair practices related to making false, misleading or deceptive representations.
Startups doing business in other provinces or countries are bound by the relevant legislation in those jurisdictions. Even domestic companies may be subject to U.S. law: for example, if a Canadian startup houses personal information on a U.S.-based server, that information may be retrievable by U.S. national security authorities under the Patriot Act, notwithstanding Canadian privacy legislation. Before expanding operations into new territories, startups should seek legal advice on the region’s mobile payments legislation (both present and upcoming – FinTech regulation is evolving at a very fast pace around the globe, with some very sophisticated and technical regulation on the table in jurisdictions like the E.U.).
Recent plans announced by the Ontario Securities Commission (the “OSC”) may provide a great example of the path forward for the regulation of FinTech mobile payments. Since the activities of some FinTech companies may trigger securities law, particularly in the mortgage or peer-to-peer lending verticals, the OSC has created an innovation hub for FinTech companies (the “OSC Launchpad”). As StartupSource has previously covered, OSC Launchpad is a tailor-made client team for the industry, with the goal of allowing startups to innovate, while still adequately protecting investors. As the blog has also discussed, innovative companies like AngelList and LendingLoop have already benefited from the OSC’s turn toward flexibility.
Similar regulatory experimentation may be needed to provide a coherent way forward for mobile payments. Under section 37 of the Canadian Payments Act, the Minister of Finance has the power to “designate a payment system,” that is “national or substantially national in scope, or plays a major role in supporting transactions in Canadian financial markets or the Canadian economy.”
Designating mobile payments as a payment system for oversight under the Canadian Payments Act would bring all mobile payment service providers, regardless of entity type, under the oversight of the Minister of Finance and the Canadian Payments Act. Revising the current regulatory framework will ensure that FinTech startups are subject to some of the same regulations as institutional entities in the mobile payment ecosystem. This, combined with an innovation hub similar to the OSC Launchpad to support FinTech startups operating in the space, may be a first step toward creating a consistent regulatory framework for mobile payment service providers, while still promoting innovation in the payment ecosystem and protecting consumers.