On Feb. 11, 2023, CAN GVT proposed payment service provider rules.
CAN GVT published a consultation on proposed retail payment activities regulations.
Aims to address gap in payments supervision for payment service providers (PSPs).
Establishes obligations for operational risk management, end-user (payor or payee) funds safeguarding, registration, reporting requirements, administration, enforcement.
Purpose of Proposal
Address issue PSPs, such as card networks, payment processors and digital wallets, are currently not supervised in Canada with respect to their payment activities.
Lack of requirements and supervision increases risks to Canadians, such as the risk of financial loss in instances of business insolvency, threats to security of sensitive data.
Regulation required to support the coming into force of the Retail payment activities act (CAN GVT SC 2021 c. 23 s. 177), which received royal assent in Jun. 2021.
Proposal Scope
Applies to payment functions related to electronic transfer of funds from one end user to another using a PSP; for payment activities of PSPs with place of business in CAN.
Five payment functions are provision or maintenance of a payment account; holding of end-user funds until withdrawn by end user/transferred to another individual or entity.
Additionally, payment functions of initiation of payment at the request of an end user.
Authorization or transmission of a payment message; or the clearing or settlement.
PSPs defined as an individual or entity that performs one or more of payment functions as a service/business activity not incidental to another service or business activity.
Excluded certain entities, such as financial institutions prudentially regulated under other federal statutes, including banks and credit unions, excludes certain activities.
Risk Management
Requires PSPs to establish, implement and maintain a risk management and incident response framework (Risk Management Framework), as further set out in proposal.
Must establish three objectives - preserve integrity, confidentiality, and availability of its retail payment activities, and of the systems, data, or information involved.
Further, must identify operational risks; protect retail payment activities from risks.
Detect incidents and control breakdowns; and respond to and recover from incidents.
Review, test, and — for some PSPs —audit its Risk Management Framework; establish roles and responsibilities for the management of operational risk and incidents.
Have access to sufficient human, financial resources to establish, implement, maintain risk management framework; manage 3-party service provider, agent, mandatary risk.
Framework proportional to impact issues with retail payment activities could have.
Safeguarding of Funds
PSPs would be required to hold funds in trust, in a trust account; or hold funds in a segregated account and hold insurance or a guarantee in respect of the funds.
Accounts used to hold end-user funds be held at prudentially regulated financial institutions (e.g. banks, provincial credit unions, and foreign financial institutions).
Where PSPs choose the insurance or guarantee option to safeguard end-user funds, option must be from non-affiliated prudentially regulated financial institution.
Proceeds from insurance or guarantee must not form part of the PSP’s general estate.
Payable for the benefit of end users as soon as feasible following an insolvency event.
CAN CB must be notified 30 days in advance of insurance/guarantee being canceled.
Written safeguarding-of-funds framework required for all funds safeguarding options.
Safeguarding measures reviewed annually, may have an biennial independent review.
Reporting
Annual report required, with objectives, changes to risk management framework, operational risks description, human and financial resources to implement framework.
Means to safeguard funds, fund safeguarding framework, any independent reviews.
Last, include information on PSP’s ubiquity, interconnectedness, per specified criteria.
Significant change report before significant change in/new retail payment activity.
Incident reporting required for incidents that have a material impact on the market.
Information requests from CAN CB due 15 days; 24 hours if significant adverse impact.
Certain notices of change in information must reported to CAN CB, as specified in rule.
Registration
One-time prescribed registration fee of $2,500 due as part of applicants' application.
Separate annual assessment fee required; proposal set out data needed to apply.
Established when CAN CB may refuse to register applicant or revoke PSP’s registration.
National Security Safeguards
Prescribed how PSPs are to be registered, how national security reviews conducted.
Included timelines for review by Minister (60 days), data provided by applicants and PSPs at application, information to be updated annually, triggers for re-registration.
If a formal national security review is required, the Minister will inform CAN CB.
Outlined 180 days for national security reviews, extended at discretion of the Minister.
Prescribed Supervisory Information
Prohibited PSPs from disclosing prescribed supervisory information as evidence in civil proceedings to ensure the protection of sensitive supervisory information.
Set what data shared between CAN CB, PSPs is prescribed supervisory information.
Including any direction, notice, assessment, testing, audit, investigation, plan or report prepared by CAN CB, reports, letters, recommendations/plans related to supervision.
Recordkeeping
PSPs must maintain sufficient records to demonstrate compliance with act, regulations.
Records retained for five years unless otherwise specified in condition or undertaking.
Administration and Enforcement
Designated violations, penalty ranges increasing in severity according to significance.
Up to $1mn penalty per violation for serous; $10mn per violation for very serious.
Provides for reclassification of a series of serious violations as a very serious violation.
CAN CB must ascertain total expenses for administration via registration fees.
Proposed regulation established the methodology for the annual assessment fee.
Consultation
45 days consultation on proposed retail payment activities rules, until Mar. 28, 2023.
Feb. 2023 CAN PAY on Proposal
On Feb. 15, 2023, CAN PAY reported retail payments activities act (RPAA) rule release.
Called critical step towards broadening access to Canada's payment infrastructure.
However, stated legislative changes are still needed, just one step to broaden access.
Said CAN PAY's membership eligibility must also be expanded to include eligible PSPs, CU locals, and systemically important Canadian Financial Market infrastructures.
To do that, changes to the Canadian Payments Act (CAN GVT RSC 1985 c. C-21), which sets out CAN PAY's mandate, eligibility for membership, and more, are required.
Follows CAN PAY Dec. 2022 letter calling for such changes to the act, see #157013.
Mar. 2023 CAN PAY Next Steps
On Mar. 2, 2023, CAN PAY published interview with Ron Morrow, Executive Director of Supervision at the Bank of Canada on how the RPAA will support payment innovation.
Encouraged all to look at proposed regulations and contribute to their development.
Beyond regulation period, will be looking for further input re supervisory expectations.
Focus will be on goal of ensuring payment service providers register and are appropriately managing operational risks appropriately, safeguarding end-users’ funds.
After the regulations are finalized, will start to publish guidance for the industry.
Will take risk-based approach that will focus on end-user impacts and efficiency.
Want to carry out supervision mandate in way that builds confidence and innovation.
Mar. 22, 2023 CAN PAY Rule Response
On Mar. 22, 2023, CAN PAY submitted its response to proposed RPAA regulations.
Seeks clear scope of the definition of payment service provider and clear direction on activities excluded from RPAA registration requirements to ensure accurate oversight.
Also, recommends the prompt disclosure of registration revocations to the public.
Nov. 22, 2023 CAN GVT Finalized RPAA
On Nov. 22, 2023, CAN GVT finalized RPAA,regulating retail payment activities in CAN.
Regulates PSPs to safeguard funds/financial system with operational risk requirements.
On Nov. 1, 2024, provisions on registration and associated regulations come into force.
Requirement for PSP to be registered with CAN CB comes into effect on Nov. 16, 2024.
On Sep. 8, 2025, sections on operational risk, end-user fund safeguarding take effect.
PSPs have 2-week window from Nov. 1 to 15, 2024, to submit registration application.
PSPs that do not submit in this window will still be able to register on a rolling basis, but will be subject to potential delays in commencing their retail payment activities.
Delay depends on if PSP is existing or new, and if applies before or after Sep. 8, 2025.
Regulators
CAN CB; CAN GVT; CAN PAY
Entity Types
CU; MSB
Reference
OG Vol. 157 No. 24, SOR/2023-229, P.C. 2023-1106, PR, 11/22/2023; PR, 3/22/2023; Sp, 3/2/2023; PR, 2/15/2023; RF, OG Part 1 Vol. 157 No. 6, 2/11/2023; Citation: CAN GVT SC 2021 c. 23 s. 177;
