Comment period on regulations that accompany new legislation ends March 28
With the recent filing of long-anticipated proposed regulations to accompany new legislation governing retail payment activities, the Bank of Canada’s executive director of retail payments supervision hopes retail payment providers and the lawyers who advise them will give feedback before the comment period ends on March 28.
“Every day, millions of Canadians place their trust in payment service providers,” says Ron Morrow, adding that the purpose of legislation passed in June 2021, An Act Respecting Retail Payment Activities, is to help ensure that this trust is “well-founded and that payment service providers are meeting some minimum standards for managing risk.” The RPAA is the first regulatory regime for governing approximately 2,500 retail payment providers (domestic and foreign) operating in Canada.
Regulations to go with legislation
The Ministry of Finance Canada published the proposed regulations that go with the legislation in mid-February, and like the act itself, they will have the force of law.
Morrow says the comment period provides an opportunity for legal experts who advise payment service providers and fintech companies to review the proposed regulations and provide feedback to the government. It’s an essential step in finalizing these regulations.
It is vital that PSPs or their lawyers familiarize themselves with the proposed regulations and provide comments if they feel that something needs to be changed, Morrow says.
“If there is something wrong, or if you think it reaches too far, or the burden is too high, now is your chance to speak up,” he says, adding that it will be more difficult to amend the regulations once made final.
However, Morrow says he hopes there will be minimal need for changes to the regulations, given that a retail payment advisory committee collaborated in their creation. The committee is a group of about two dozen payment service providers, including household names and those more under the radar of most Canadians.
When the regulations come into force, they would support the legislation by establishing standards for operational risk management and for safeguarding end-user funds where a PSP becomes insolvent.
“The payments ecosystem in Canada and globally has been evolving pretty rapidly,” Morrow says, noting the “sharp uptick” in mobile and digital payments. “So, the motivation behind the legislation is that many of these folks currently don’t fall into any regulatory sphere. We want to ensure that whenever money changes hands electronically, . . . there’s some minimum standard that people can rely on to ensure that their interests are being looked after.”
Maintaining the integrity of payment systems in Canada
Morrow notes that the act and the regulations require payment service providers to do three things.
- Register with the Bank of Canada if a business’s purpose is to help people and companies make day-to-day payments or store and transfer their money electronically. A PSP must pay a one-time registration fee, currently $2,500 and adjusted for inflation over time.
- Demonstrate that they are doing a good job of managing operational risks, such as ensuring a business continuity plan and encrypting and protecting people’s information.
- Safeguard money that is held on behalf of PSP customers, such as keeping it in a segregated account and returning it to the customer should the PSP go bankrupt.
The regulations detail the reporting requirements, which include filing annual reports, significant change reports, incident reports, information requests, and notices of change in information.
Under the act, PSPs must also establish a framework for mitigating risk to preserve the integrity, confidentiality and availability of their retail payment activities and associated data. This framework would include identifying operational risks; protecting retail payment activities from those risks; managing risks from third parties; detecting incidents and control breakdowns; reviewing, testing, and auditing the risk management framework; establishing roles and responsibilities for the management of operational risks and incidents; and having sufficient human and financial resources for the risk management framework.
The regulations require a review of the risk management framework at least once a year. A review is also needed before implementing significant changes to a PSP’s operations or control or where an incident with a material impact occurs.
The risk management framework must also be tested at least once every three years for effectiveness, identifying gaps and vulnerabilities. An effectiveness review is also necessary where the PSP implements significant changes to its systems, policies, or procedures.
Finally, the risk management framework requires an internal or external auditor to conduct a review at least every three years.
The regulations also deal with national security concerns. In cases of a change of control, or other changes, the Minister of Finance can commence national security reviews. The “other changes” include when a state-owned enterprise acquires voting rights, ownership interests, or director and executive appointment rights in a PSP, and when the PSP or its third-party service providers store or process information in a country outside Canada not identified in the PSP’s most recent application for registration.
Under the RPAA, reviews can be 180 days or longer and could result in conditional or unconditional approvals or rejections. The RPAA national security provision applies to Canadians as well as non-Canadians. National security reviews typically focus on State-Owned Enterprise investors and investors with known links to organized crime.
The regulations also propose penalties for non-compliance and enforcement of the RPAA regime. These include entering into compliance agreements, issuing notices of violations, imposing monetary penalties, issuing compliance orders, applying for court orders, and refusing or revoking a registration.
After receiving notice, when a PSP fails to comply with a compliance agreement, the Bank of Canada could issue a notice of default, and the PSP would pay a penalty. The proposed penalty for serious violations is up to $1 million per violation, while more severe violations can attract fines of up to $10,000,000 for each violation.
Other violations relating to the provision of information have their own administrative penalty regime. If the violation continues for up to 30 days, the penalty will be $500 per day. For violations that continue beyond 30 days, the penalties range from $15,000 to $1,000,000.
Balancing regulation of operational risk with not overburdening PSPs
Morrow admits the regulations “do get pretty granular” in some areas, especially on expectations around managing operational risk. “There’s a lot of information there.” However, he adds there is “no one size” approach.
There will be “lots of different ways people can demonstrate their compliance with the act,” he says, noting that some PSPs, especially smaller players, will think a lot is being demanded of them to demonstrate that they are managing operational risk. However, Morrow says the regulations balance meeting the legislation’s goals and not overburdening PSPs.
Morrow suggests that the most significant piece of feedback to the regulations he expects will revolve around the compliance costs. He recognizes that there is a need for balance between creating an environment of innovation in the PSP community, with thriving small and larger players, and creating a standard of compliance.
Morrow also says that payment services providers he talked to generally embrace the legislation because sometimes “they have found it difficult” to operate as a business that isn’t regulated.
“We think we’ve found an appropriate point on that trade-off. But we’re also very open to hearing views from others on whether we’ve struck the right balance.”