The Government of Canada’s 2019 Budget, “Investing in the Middle Class” (the “2019 Budget”) includes a plan to take the first steps towards establishing a new retail payment oversight framework (the “Proposed Framework”) to regulate payment service providers (“PSPs”) in Canada.
The plan calls for legislative action to introduce requirements for PSPs to protect users’ funds against losses and to establish sound operational risk management practices, in order to reduce financial risks and operational risks associated with these services. The Bank of Canada will be the body that oversees PSPs’ compliance with these requirements and maintain a public registry of regulated PSPs.
End-user fund safeguarding
Under the Proposed Framework, PSPs will now be required to take steps to mitigate the financial risks for end-users in carrying out transactions and ensure users that the funds held by PSPs on their behalf are safe and available to them when they want to use them. PSPs will now be required to place end-user funds held overnight or longer in a trust account that meets the following requirements:
- The account must be at a deposit-taking financial institution that is either a member of the Canada Deposit Insurance Corporation or covered under a provincial deposit insurance regime;
- The account must be in the name of the PSP;
- The account must be clearly identified as the PSP’s trust account on the records of the PSP and the financial institution;
- The account may only be used to hold end-user funds;
- The PSP must ensure that the financial institution does not withdraw funds from the account without the PSP’s authorization (e.g., service fees incurred by the PSP must be paid from the PSP’s general account); and
- The assets held in the account must be cash held on deposit or highly secure financial assets that can be readily converted into cash. 1
PSPs will be required to maintain detailed accounting records that would allow for the accurate identification of funds held in trust and the beneficiaries. Additionally, PSPs will also need to report on their trust accounts in their annual filings to the regulator. Consideration will also be given to requiring PSPs to comply with the necessary requirements (with the Canadian Deposit Insurance Corporation or a provincial equivalent) to ensure that separate trust coverage is provided for each end-user as beneficiaries of the trust. Additional requirements could include, for example, that the assets held in the account meet the deposit insurer’s definition of eligible deposits.
The Proposed Framework will also require PSPs to comply with principles related to establishing security and operational objectives and policies and business continuity planning. This is in order to mitigate risks that stem from operational failure. The following proposed principles are based on the Principles for Financial Market Infrastructures, adapted to address the operational risks inherent to retail payments:
- A PSP should establish a robust operational risk-management framework with appropriate systems, policies, procedures and controls to identify, monitor and manage operational risks.
- A PSP’s management should clearly define the roles and responsibilities for addressing operational risk and should endorse the PSP’s operational risk-management framework. Systems, operational policies, procedures and controls should be reviewed, audited and tested periodically and after significant changes.
- A PSP should have clearly defined operational reliability objectives and should have policies in place that are designed to achieve those objectives.
- A PSP system should have comprehensive physical and information security policies that address all major potential vulnerabilities and threats.
- A PSP should have a business continuity plan that addresses events posing a significant risk of disrupting operations. The plan should be designed to protect end-users’ information and payment data and to enable recovery of accurate data following an incident. The plan should also seek to mitigate the impact on end-users following a disruption by having a plan to return to normal operations.
- A PSP should identify, monitor, and manage the risks that end-users, participants, other PSPs, and service and utility providers might pose to its operations. In addition, a PSP should identify, monitor, and manage the risks that its operations might pose to others.
The Government suggests that operational system testing could be conducted through self-assessment in the case of small firms, or through third-party verifications in the case of the largest firms. These objectives and policies would include ensuring an appropriate level of data protection and confidence, and emphasize end-user and system data protection.
Future additional measures
The descriptions of the requirements above were drawn from the Department of Finance Canada’s consultation paper, titled: A New Retail Payments Oversight Framework (the “Framework Consultation”). While an invitation for comments on the Framework Consultation was issued and comments were received, they were never publicized.
The Framework Consultation paper described additional measures besides the ones mentioned above to be implemented in the Proposed Framework. These include disclosure requirements, required complaint-handling procedures, liability rules, registration requirements, and a requirement to comply with privacy legislation to protect users’ personal information.
Although for 2019 the Government has only committed to legislating for end-user fund safeguarding and operational standards requirements, contacts from the Ministry of Finance have informed us that the Government still plans on moving forward with the additional Proposed Framework measures that were not included in the 2019 Budget.
Possible registration requirements
While the 2019 Budget did not call for the implementation of registration requirements for PSPs directly, it mentioned the Government’s plan to have the Bank of Canada maintain a public registry of regulated PSPs.
If PSPs are required to register with the Bank of Canada, it has been proposed that they apply for registration once the first components of the Proposed Framework are put in place. As part of this proposal, applications will require PSPs to include information relating to their business, such as a legal status, names of owners, and the types of services provided. PSPs will also be required to provide financial information, such as the volumes of transactions processed in any given year, information on the trust account in which consumers’ funds are held, and the PSP’s assets’ value. Part of this proposal is that new PSPs will be required to register before their payment services are launched.
The registration requirements are meant to serve as a mechanism for identifying new entrants in the retail payments market and for tracking existing PSPs in the sector to monitor their compliance with the Proposed Framework. PSPs will likely be required to inform the Bank of Canada of changes to the information provided at registration and to submit a de-registration form when they stop performing payment functions or cease operating. The Government has also proposed that PSPs pay a fee upon registration.
Amendments to the Canadian Payments Act
Also included in the 2019 Budget is a proposal to introduce technical amendments to the Canadian Payments Act (“Act”). The proposed amendments would create an “associate membership” class for Payments Canada members that would allow non-traditional PSPs to participate in Payment Canada’s real-time payment system platform and exchange networks. 2
Access to these Payments Canada resources would be risk-based and PSPs wishing to take part would need to comply both with the requirements of the Proposed Framework as well as any system-specific requirements set out by Payments Canada. These would include requirements related to operational capacity, for instance, reporting procedures, testing, message format, and routing requirements, in addition to cybersecurity requirements. Payments Canada also plans on subsequently developing risk-based participation requirements.
These amendments follow a Government consultation paper on the review of the Canadian Payments Act. An invitation for comments on this consultation paper was also issued, for which 21 responses were publicized.
In the 2019 Budget, the Government has committed to legislating for the first measures of a new retail payments oversight framework. While other measures of the Proposed Framework were not mentioned in the 2019 Budget, the Government plans on continuing to move forward with these measures in the future.
The Government has also committed to making amendments to the Canadian Payments Act that would allow greater participation and access to Payments Canada’s payment system platform and exchange networks for PSPs.
At this point in time, we do not know when these changes can be expected to come into effect. No draft legislation has yet been tabled to introduce the aforementioned measures of the Proposed Framework or the amendments to the Act. Seeing as these changes were included in the Budget, we expect legislation to be drafted that introduces these changes sometime before the end of the year. However, this could change depending on the results of the 2019 Canadian federal election, scheduled to take place on or before October 21, 2019.