Canada Gazette, Part I, Volume 157, Number 6: Retail Payment Activities Regulations

February 11, 2023

Statutory authority
Retail Payment Activities Act

Sponsoring department
Department of Finance

REGULATORY IMPACT ANALYSIS STATEMENT

(This statement is not part of the Regulations.)

Executive summary

Issues: The safe and efficient movement of funds is essential to the health and strength of the national economy. Evolving technologies permit retail payment activities to be performed in new and increasingly complex ways by a larger variety of payment service providers (PSPs) across Canada. PSPs, such as card networks, payment processors and digital wallets, are currently not supervised in Canada with respect to their payment activities. The lack of requirements and supervision increases risks to Canadians, such as the risk of financial loss in instances of business insolvency, and threats to the security of sensitive personal and financial information of Canadians and Canadian businesses.

Description: The Retail Payment Activities Act (the Act), which received royal assent in June 2021, and the proposed Retail Payment Activities Regulations (the proposed Regulations) introduce a new retail payment supervisory regime for PSPs’ retail payment activities. The proposed Regulations include standards for operational risk management; requirements to safeguard end-user (payor or payee) funds; requirements regarding PSPs’ registration with the Bank of Canada; reporting requirements; and penalties for violating requirements. The proposed Regulations also include the timelines and information requirements to support the national security review process as part of the Minister of Finance’s national security authorities under the Act.

Rationale: The proposed Regulations are required to support the coming into force of the Act. The Act and the proposed Regulations intend to promote the safety and integrity of the financial system while ensuring responsible innovation for the benefit of Canadians.

All Canadians benefit from a stable, efficient, safe and competitive financial sector that services and drives economic growth. The objectives of the proposed Regulations are to support the Act by establishing requirements to safeguard end-user funds should a PSP become insolvent and establish standards for operational risk management, including in response to disruptions in payment services. Further, the regime would foster increased consumer and business confidence in payment services.

The inclusion of national security authorities under the Act and the proposed Regulations for the Minister of Finance would support the integrity of the financial system with the intent to ensure retail payments are safe and secure for all end users.

The annualized $21.6 million in estimated costs associated with the proposed Regulations are approximately 0.0018% of $1.19 trillion in the total transaction value for debit, credit and online transfer transactions for 2021 (Payments Canada’s Canadian Payment Methods and Trends Report 2022). All Canadians benefit from the stable, efficient, and safe movement of their funds. In addition, the proposed Regulations ensure responsible competition to keep transaction costs low. However, the monetary benefits to Canadians from the improvements to stability, efficiency and safety as a result of the proposed Regulations cannot be estimated and are therefore treated qualitatively.

Issues

The safe and efficient movement of funds is essential to the health and strength of the national economy. The digitalization of money, assets and financial services is transforming financial systems around the world. These innovations carry many benefits; however, the lack of requirements and supervision increases risks to Canadians, such as the risk of financial loss in instances of business insolvency, insufficient risk-management practices that impact Canadians’ ability to reliably use payment services provided, and threats to the security of sensitive personal and financial information of Canadians and Canadian businesses.

In response to these risks, the Retail Payment Activities Act (the Act) received royal assent in June 2021. The Act introduced a new retail payment supervisory regime for payment service providers (PSPs), such as card networks, payment processors and digital wallets. The Bank of Canada is responsible for supervising PSPs’ compliance with the Act and maintaining a registry of registered PSPs. The Minister of Finance has authorities under the Act to address national security risks posed by PSPs – an authority the Minister currently does not have because PSPs are unregulated. In addition, the Minister does not have the necessary information, such as ownership interests, to make these assessments.

The proposed Retail Payment Activities Regulations (the proposed Regulations) are required to bring into force the Act. The proposed Regulations include details on exemptions to the Act, prescribe key elements and details needed for PSPs to register with the Bank of Canada, comply with the Act, and for the Bank of Canada to promote compliance with the Act and proposed Regulations. The Bank of Canada is developing guidance to further support PSPs’ compliance with the Act and the proposed Regulations.

Background

Retail Payment Activities Act

The core elements of Canada’s retail payments supervisory regime are set out in the Act, which establishes obligations falling broadly into the following categories: operational risk management, end-user (payor or payee) funds safeguarding, registration requirements, reporting requirements, administration and enforcement.

The Act also provides the Minister of Finance with the authority to address risks related to national security that could be posed by PSPs. National security provisions in the Act allow the Minister to initiate a national security review and, at the end of the review, to issue a directive to the Bank to approve or refuse to register an applicant, or revoke the registration of a PSP for national security reasons. The Minister may also, by order, require any individual or entity to provide an undertaking, or impose conditions, in relation to an application for registration or any registered PSP if the Minister is of the opinion that it is necessary for national security reasons.

The Act applies to payment functions that are related to an electronic transfer of funds from one end user to another end user using a PSP. The five payment functions under the Act are

PSPs are defined under the Act as any individual or entity that performs one or more of the payment functions as a service or business activity that is not incidental to another service or business activity. For PSPs with a place of business in Canada, the Act applies to all of their payment activities, and for foreign PSPs, the Act applies to payment activities that the PSP directs to and performs for end users in Canada.

The Act excludes certain entities from the regime for all its activities, such as financial institutions that are prudentially regulated under other federal statutes, including banks and credit unions. In addition, the Act excludes certain activities, such as internal transactions among affiliated entities.

The COVID-19 pandemic has accelerated the adoption of digital payments highlighting the need for safe and reliable digital payments. As noted in Payments Canada’s Canadian Payment Methods and Trends Report 2022, Canadians are using less cash, writing fewer cheques, and are relying on electronic payment methods more than ever. Canadians’ increasing reliance on digital payment solutions provided by PSPs make them vulnerable to financial losses in the event of failures or mismanagement of these unregulated entities. Based on early estimates, it is expected there could be approximately 2 500 PSPs in scope. However, it will be difficult to know the true number until the regime is operational and entities begin to register with the Bank of Canada.

A number of jurisdictions have already established supervisory regimes to regulate retail PSPs, including the European Union, the United Kingdom and Australia. The proposed Regulations would be consistent with the approach taken in these jurisdictions.

Objective

Broadly, the objective of the Act and the proposed Regulations is to promote the safety and integrity of the financial system while ensuring responsible innovation for the benefit of Canadians.

The objective of the proposed Regulations is to address an important gap in financial sector supervision. The proposed Regulations with respect to end-user funds safeguarding and operational risk-management requirements for PSPs provide minimum standards in order to reduce the risk of disruptions in payment services that result in end users being temporarily unable to access their funds or make payments. The proposed Regulations are also intended to provide safeguards to reduce the risk of financial losses due to business insolvency or insufficient risk-management practices and enhance end-user ability to reliably use payment services provided by PSPs where PSPs do not currently have sound operational and funds safeguarding practices in place.

The Canadian Security Intelligence Service recently noted in its annual public report that state-sponsored threat actors seek to acquire access or control over sensitive technologies, data, and critical infrastructure to advance their own military and intelligence capabilities, deprive Canada of access to economic gains, employ economic coercion against Canada, and support other intelligence operations against Canadians and Canadian interests. Consistent with the Minister of Finance’s national security authorities under the Bank Act, the proposed Regulations related to the Minister’s national security authorities are intended to provide the details needed to support the Act so that the Government can respond to potential national security-related risks posed by presently unregulated PSPs.

The proposed Regulations also intended to encourage PSPs’ compliance with the Act by specifying details on enforcement, including what provisions of the Act and what provisions of the proposed Regulations are designated as violations. Only designated violations would be subject to a notice of violation and an accompanying administrative monetary penalty.

The principles that guide the Act and the proposed Regulations are

Description

The proposed Regulations include standards for operational risk management, including in response to disruptions in payment services; requirements to safeguard end-user funds; requirements regarding PSPs’ registration with the Bank of Canada; reporting requirements; and penalties for violating requirements. The proposed Regulations also include the timelines and information requirements to support the national security review process as part of the Minister of Finance’s national security authorities under the Act.

Scope

In line with the principles of necessity, proportionality, consistency and effectiveness, the Act excludes from its application certain entities, including prudentially regulated financial institutions, such as banks and credit unions. The Act excludes certain activities performed by entities from its application, such as payment functions performed in relation to instruments issued by merchants or groups of merchants that allow the instrument holder to purchase goods or services only from the issuing merchant or the group of merchants, such as closed loop gift cards.

As part of the exclusions, the Act does not apply to payment functions performed in relation to an electronic funds transfer that is made for the purpose of giving effect to prescribed transactions in relation to securities. The proposed Regulations provide that these prescribed transactions are those performed by an individual or entity under Canadian securities legislation, as these are not transactions for the purpose of retail payments and are activities performed by entities already overseen by provincial regulators.

The Act provides authority to prescribe retail payment activities and entities that are exempt from its application. The proposed Regulations exclude the Society for Worldwide Interbank Financial Telecommunication global messaging network (SWIFT) from the Act, since it is already subject to oversight by 10 major central banks, including the Bank of Canada.

For clarity and consistency with the definition of a “payment service provider” under the Act, the proposed Regulations exclude retail payment activities performed as a service or business activity that is incidental to another service or business activity that is not a payment function.

The Bank of Canada will develop guidance that provides further direction to PSPs regarding the Act’s scope and exclusions.

Risk management and incident response

In order for PSPs to identify and mitigate operational risks, such as cyber attacks, and respond to incidents, the Act requires PSPs to establish, implement and maintain a risk management and incident response framework (Risk Management Framework).

Aligned with global practices of operational risk management, the proposed Regulations would require a PSP to establish three objectives in relation to its Risk Management Framework. Specifically, the PSP should seek to preserve the (1) integrity; (2) confidentiality; and (3) the availability of its retail payment activities and of the systems, and data or information involved in the provision of those activities.

To achieve these objectives, the proposed Regulations would require a PSP to (1) identify its operational risks; (2) protect its retail payment activities from those risks; (3) detect incidents and control breakdowns; and (4) respond to and recover from incidents. The PSP would also be required to (1) review, test, and — for some PSPs —audit its Risk Management Framework; (2) establish roles and responsibilities for the management of operational risk and incidents; (3) have access to sufficient human and financial resources to establish, implement and maintain its Risk Management Framework; and (4) manage its risks from third-party service providers, agents and mandataries.

Recognizing the diversity in the payments ecosystem, the proposed Regulations provide that a PSP must ensure that all aspects of its Risk Management Framework are proportional to the impact that a reduction, deterioration, or breakdown of its retail payment activities could have on end users and other PSPs.

PSPs would be required, through the proposed Regulations, to demonstrate their compliance with sound operational risk management through various reporting requirements to the Bank of Canada.

Safeguarding of funds

Funds safeguarding is intended to protect consumers’ and businesses’ funds against financial loss in the event a PSP were insolvent, and to ensure that end users have reliable and timely access to their funds. The Act intends to satisfy these objectives by requiring PSPs to (1) hold funds in trust, in a trust account; or (2) hold funds in a segregated account and hold insurance or a guarantee in respect of the funds. The Act also provides the authority for regulations to prescribe alternative approaches; however, none are proposed at this time.

To support the objectives of safeguarding end-user funds, the Act provides the authority for regulatory requirements respecting accounts, and any measures to be taken by PSPs to ensure that funds or proceeds from any insurance or guarantee are payable to end users in the event of an insolvency.

To ensure end users have reliable and timely access to their funds, the proposed Regulations would require that accounts used to hold end-user funds be held at prudentially regulated financial institutions (e.g. banks, provincial credit unions, foreign financial institutions).

Where PSPs choose the insurance or guarantee option to safeguard end-user funds, the proposed Regulations would require that the insurance or guarantee be from a prudentially regulated financial institution that is not an affiliate of the PSP. In addition, the proceeds from the insurance or guarantee must not form part of the PSP’s general estate and must be payable for the benefit of end users as soon as feasible following an insolvency event. The Bank of Canada would also need to be notified 30 days in advance of the insurance or guarantee being cancelled.

For all funds safeguarding options, the proposed Regulations would require that PSPs have a written safeguarding-of-funds framework (Fund Safeguarding Framework) to ensure that end users have reliable access to their funds without delay, and that, in the event of PSP insolvency, the funds or proceeds of the insurance or guarantee are paid to end users without delay. The Fund Safeguarding Framework must describe the PSP’s systems, policies, processes, procedures, controls and other means to meet the objectives noted above. This includes the PSP’s use of liquidity arrangements and holding of end-user funds in secure and liquid assets, and keeping a ledger with the names of their end users and the amount of funds held.

Further, the PSP’s safeguarding measures would have to be reviewed on an annual basis or in other specified circumstances, be subject to biennial independent reviews. PSPs would also be required to evaluate when the end-user funds held by them were not sufficiently safeguarded in the prior year and assess measures that would need to be implemented to mitigate reoccurrence.

Bank of Canada guidance would provide clarity on the requirements for the safeguarding of funds.

Reporting

The Act provides the Bank of Canada with several legal mechanisms to obtain information from PSPs to support its supervision activities. Under the Act, registered PSPs are required to report to the Bank of Canada through several channels, including annual reports, incident reports and significant change reports.

(1) Annual report

The Act provides that PSPs must submit an annual report to the Bank of Canada with prescribed information regarding their Risk Management Framework, fund safeguarding, and any other prescribed information.

Regarding the Risk Management Framework, the proposed Regulations would require PSPs to include in the annual report the following elements: objectives; changes to their Risk Management Framework; a description of their operational risks; and human and financial resources to implement and maintain the Risk Management Framework. Regarding funds safeguarding, the proposed Regulations would require PSPs to include in the annual report the following elements: information on their account providers, a description of the means they use to safeguard funds; a description of their Fund Safeguarding Framework; and independent reviews conducted in the past year.

Lastly, the proposed Regulations would require that the annual report include information on the PSP’s ubiquity and interconnectedness, as demonstrated by (1) the value of end-user funds held; (2) the volume of electronic fund transfers in relation to which they performed a retail payment activity; (3) the value of electronic fund transfers in relation to which they performed a retail payment activity; (4) the number of end users; and (5) the number of PSPs that services are provided to.

(2) Significant change report

Under the Act, PSPs are required to notify the Bank of Canada before they make a significant change in the way they perform a retail payment activity or before they perform a new retail payment activity. Significant changes are those that could reasonably be expected to have a material impact on operational risks or the manner in which end-user funds are safeguarded. The proposed Regulations establish that a PSP must notify the Bank of Canada of a significant change at least five days prior to making the change. The significant change notice would need to include information on the reason for the change, the PSP’s assessment of the effect of the change on operational risks or funds safeguarding practices, and new or amended policies introduced due to the change.

(3) Incident report

To mitigate the impact of major incidents on end users and other impacted individuals and entities, the Act requires that PSPs report incidents that have a “material impact” on an end user, other PSPs, or designated financial market infrastructures to the Bank of Canada and to impacted individuals and entities.

The proposed Regulations would require that the notice to the Bank of Canada include a description of the incident, its impact on individuals or entities listed in the Act, and actions taken by the PSP to respond to the incident. The notice to impacted end users, other PSPs and specified financial market infrastructures would need to include a description of the incident, its impact on individuals or entities listed in the Act, and corrective measures that can be taken by those impacted individuals or entities.

(4) Information requests

The Act provides authority to the Bank of Canada to request information from a PSP pertaining to its compliance with the regime, and for a PSP to comply with the request within a prescribed time period. The proposed Regulations set out the standard time period of 15 days to respond, unless the information being requested relates to events which are ongoing and could have a significant adverse impact on individuals or entities, such as end users or other PSPs. This is intended to be used by the Bank of Canada in situations, such as a widespread network outage, in which case the time period would be 24 hours. The Bank of Canada will provide additional guidance on the definition of “significant adverse impact”.

(5) Notices of change in information

To ensure the Bank of Canada’s registry stays up to date, PSPs are required to notify the Bank of Canada of changes to certain registration-related information. The proposed Regulations would set out when changes to various types of information must be submitted to the Bank of Canada.

Registration

As part of applicants’ registration application, they would pay a one-time prescribed registration fee. The proposed Regulations set this fee at $2,500, to be adjusted for inflation over time. There is also a separate annual assessment fee paid by PSPs, which is outlined in detail in a separate section below.

The Bank of Canada may refuse an application or revoke a PSP’s registration and will maintain a registry of registered PSPs. Further, the Act requires PSPs to file a new application with the Bank of Canada if a new individual or entity seeks to acquire control of it.

The Act sets out information that applicants must include when they seek to register with the Bank of Canada as a PSP, including the applicant’s name, contact information, business structure, third parties and operations, ubiquity and interconnectedness (i.e. values and volumes metrics), information about its end-user funds safeguarding practices and a description of their Risk Management Framework, or a description of the framework that it plans to implement. The proposed Regulations set out additional details regarding the application requirements of the Act. For example, where the Act requires PSPs to include contact information, the proposed Regulations specify that the contact information include the PSP’s telephone number, email address, website and mailing address.

To determine the trigger for when a PSP must submit a new application, the proposed Regulations would define control, including the manner of acquiring control, presumptions respecting control of entities and acquisition of control, and acquisitions by more than one transaction or event.

Further, the proposed Regulations would establish that the Bank of Canada may refuse to register an applicant or revoke a PSP’s registration if the applicant or PSP has failed to pay its assessment fees, or if the Act does not apply to the applicant or no longer applies to the PSP. With regard to the public registry, the proposed Regulations would require that the Bank of Canada’s registry include information on each PSP, such as its registration status, business contact information and payment functions performed.

National security safeguards

The proposed Regulations related to national security support the Minister of Finance’s authorities. The national security provisions of the Act and of the proposed Regulations are modelled on the regimes applicable to federally regulated financial institutions, such as the Bank Act. They are also consistent with the Investment Canada Act and promote harmonization between the two regimes.

The proposed national security review process components prescribe how PSPs are to be registered and how national security reviews are to be conducted. This includes timelines for review by the Minister, information to be provided by applicants and PSPs at the time of application, information that must be updated on an ongoing basis, as well as triggers for re-registration. As part of the registration process for PSPs, the Act provides the Department of Finance, on behalf of the Minister, with time to review applications for a prescribed period of time for national security concerns. The proposed Regulations prescribe this period as 60 days. If a formal national security review is required, the Minister will inform the Bank of Canada, who will in turn inform the PSP of the Minister’s decision. The proposed Regulations outline 180 days for national security reviews, which can be extended at the discretion of the Minister.

Upon completion of the review, the Act provides that the Minister may issue a directive to the Bank of Canada to approve or refuse the registration. The Minister may also, by order, require any individual or entity to provide an undertaking, or impose conditions, in relation to an application for registration or in relation to any registered PSP if the Minister is of the opinion that it is necessary to do so for reasons related to national security. The Department of Finance will inform the Bank of Canada, which will then inform the applicant or PSP of the Minister’s decision. The proposed Regulations also set out 30 days for a PSP to request a review of the Minister’s decision.

To support the Bank of Canada’s supervisory responsibilities and the Minister of Finance’s authorities for national security, PSPs must notify the Bank of Canada of changes to prescribed information. The proposed Regulations further detail which changes to registration information must be submitted to the Bank of Canada as soon as the PSP becomes aware of the change, and which changes to registration information must be submitted to the Bank of Canada 30 days in advance of the change taking place.

Prescribed supervisory information

The Act provides a regulation-making authority to prohibit PSPs from disclosing prescribed supervisory information as evidence in civil proceedings to ensure the protection of sensitive supervisory information. The proposed Regulations would establish what information shared between the Bank of Canada and PSPs will be treated as “prescribed supervisory information,” including any direction, notice, assessment, testing, audit, investigation, plan or report prepared by the Bank of Canada as part of its supervision of a PSP, as well as any reports, letters, recommendations or plans made by the Bank of Canada as a result of a supervisory review or analysis of the PSP.

Record keeping

The Act includes a regulation-making authority respecting the keeping and retention of records to aid the Bank of Canada, the Minister of Finance or other designated entities to monitor the PSP’s compliance with the requirements under the Act. The proposed Regulations would set out that a PSP should maintain sufficient records to demonstrate the PSP’s compliance with the Act and the proposed Regulations. Records must be retained for five years unless otherwise specified in a condition or undertaking.

Administration and enforcement

(1) Violations

The Act provides the Bank of Canada with powers to address non-compliance with the Act or violations of the Act. These powers include (1) entering into compliance agreements; (2) issuing notices of violation (NOVs) with or without an administrative monetary penalty (AMP); (3) issuing NOVs with an AMP and an offer to enter into a compliance agreement; (4) issuing compliance orders; (5) applying to the court for an order (i.e. court enforcement); and (6) refusing or revoking a registration. The Act also provides an opportunity for an individual, entity and PSP to request a review of certain Bank of Canada decisions by the Governor of the Bank of Canada, in addition to an appeal of the Governor’s decision to Federal Court if requested by impacted parties.

The proposed Regulations would designate violations under the Act and proposed Regulations. Only designated violations would be subject to an NOV and an accompanying AMP. Where a PSP enters into a compliance agreement with the Bank of Canada after receiving an NOV and fails to meet the terms of that agreement, the Bank of Canada would issue a Notice of Default to the PSP. The Act sets out that the PSP issued the Notice of Default must pay an additional penalty specified in the proposed Regulations. Where a PSP has violated a compliance agreement entered into regarding a designated violation or violations under the Act and the proposed Regulations, the proposed Regulations would establish that the additional penalty would be equal to the amount of the penalty set out in the NOV.

The proposed Regulations related to AMPs consider existing approaches under financial sector regimes, such as under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, and other regimes in Canada.

The proposed Regulations would establish penalty ranges for serious or very serious violations in increasing severity, according to the significance of the violation.

The Act provides for the reclassification of a series of serious violations as a very serious violation. Under the proposed Regulations, if a Bank of Canada NOV identifies two or more serious violations that arise from the contravention of the same provision of the Act or its regulations, that series of serious violations would be reclassified as a single very serious violation.

The proposed Regulations would establish the following criteria that the Bank of Canada will consider when determining an AMP:

For violations of the Act’s requirements relating to the provision of information, such as annual reporting, the proposed Regulations would not classify these violations as serious or very serious. Instead, if the violation has continued for no more than 30 days, the amount of the penalty in respect of the violation is $500 for each day that it has continued. If the violation has continued for more than 30 days, the range of penalties in respect of the violation is from $15,000 to $1,000,000.

The Bank of Canada would publish guidance with further information on its AMP calculation methodology under the Act on its website.

(2) Assessment fees

The Act provides that the Bank of Canada must ascertain its total expenses incurred in connection with the administration of the Act. This amount must be recovered through registration fees, submitted with an entity’s registration application, as noted in the “Registration” section, and through annual assessment fees. The intent is that once the Act is fully operational, the Bank of Canada will recover its supervisory costs in any given year through the combination of registration fees collected that year and the annual assessment fee levied from each registered PSP.

The proposed Regulations establish the methodology for the annual assessment fee. The assessment fee would comprise two parts: (1) a base amount that equally distributes a portion of costs to all registered PSPs; and (2) a metric-driven amount where the remainder of costs is proportionally distributed to all registered PSPs based on their share of retail payment activity.

The metric-driven amount would consist of a PSP’s value and volume of retail payment transactions, as well as end-user funds held, relative to those of all registered PSPs. The proposed Regulations include a formula establishing how fees would be distributed among the base amount and metric-driven amount. The Bank of Canada would communicate, to each registered PSP, the assessment fee amount levied, including the details of the PSP’s metrics and other variables that are used in the formula to arrive at these amounts.

Coming into force

The proposed Regulations would come into force when the relevant provisions of the Act come into force, fixed by orders of the Governor in Council. The provisions of the proposed Regulations related to registration, national security and compliance would come into force when the Act provision requiring PSPs to submit a registration application comes into force. The provisions of the proposed Regulations addressing operational risk management, end-user funds safeguarding, reporting, record keeping and prescribed supervisory information would come into force when the Bank of Canada must register PSPs and notify PSPs of their registration. The provisions of the proposed Regulations related to assessment fees would come into force when the relevant provisions of the Act come into force.

Consultation

The proposed Regulations were developed through extensive consultation with payment industry stakeholders, such as PSPs, industry associations, academics and industry experts. The Department of Finance conducted two separate public consultations on retail payments oversight in 2015 and 2017. The Department also sought views from stakeholders through the Finance Canada Payments Consultative Committee (FinPay). The Department of Finance and the Bank of Canada have discussed and engaged on the regulatory topics with several industry associations.

The Department of Finance public consultations indicated that there is widespread support for the regime. Many stakeholders pointed to gaps resulting from the current institutional approach to oversight and supported the proposed functional approach so that risks associated with a particular payment function are treated similarly regardless of the type of organization providing the service.

There is general support for a principles-based approach to regulation whereby PSPs have the flexibility to implement the Act and associated requirements based on their business models and the needs of their customers, and for the Bank of Canada to have flexibility to adjust its supervisory expectations, guidance, and interpretations to account for the rapid growth and change in the retail payments space.

To support the Department of Finance in its development of the proposed Regulations, throughout 2020 and 2021, the Bank of Canada published various discussion papers on industry practices and policy issues relevant to the proposed Regulations through its Retail Payments Advisory Committee (RPAC). The RPAC comprises a group of regionally diverse PSPs that may be subject to the Act, ranging in business model, size, maturity, and geographic location. The RPAC met nine times between February 2020 and November 2021 to discuss policy topics, including best practices for funds safeguarding, operational risk management practices that PSPs currently adhere to, and registration procedures and information that would help the Bank of Canada fulfill its supervision responsibilities. The discussion papers and summaries of stakeholder feedback are posted on the Bank of Canada’s website and were carefully considered in the development of the proposed Regulations. In general, stakeholders on the RPAC noted broad agreement or alignment with the regulatory concepts presented in the discussion materials. They also mentioned the importance of principles-based requirements that account for the existence of other similar regimes as well as requirements in the payments ecosystem already in place.

The Bank of Canada and the Department of Finance frequently met with individual PSPs to better understand the industry and discuss the key issues related to the Act and the proposed Regulations. One-on-one discussions with stakeholders have been ongoing throughout the policy development process, ranging from larger and more ubiquitous PSPs to relatively smaller and/or newer entities. These one-on-one discussions have been informative in understanding the industry’s current practices, such as where they currently hold end-user funds, and the impact of the proposed regulatory requirements.

The Department of Finance also consulted the Canadian Security Intelligence Service, the Communications Security Establishment, and the Royal Canadian Mounted Police, who are experts and have mandates in national security, extensively on the inclusion and design of the national security safeguards. The information and feedback received from these stakeholders was used to inform the development of the proposed Regulations, including the provisions that determine the specific national security information requirements applicable to PSPs, as well as timelines for ministerial decisions.

The consultation period for the proposed Regulations is 45 days to provide additional time for stakeholders, beyond the standard 30-day period, to review them and respond.

Modern treaty obligations and Indigenous engagement and consultation

The proposed Regulations are not expected to have any differential impacts on Indigenous people or implications for modern treaties, as per Government of Canada obligations in relation to rights protected by section 35 of the Constitution Act, 1982, modern treaties, and international human rights obligations.

Instrument choice

Parliament decided, by passing the Act in June 2021, that it is desirable and in the national interest to supervise and regulate retail payment activities performed by PSPs to mitigate operational risks and to safeguard end-user funds. In addition, it is desirable and in the national interest to address risks related to national security that could be posed by PSPs. To fulfill these objectives, the Act establishes the main elements of this supervisory regime, and the proposed Regulations are required to operationalize the Act. Therefore, no other instruments were considered.

Regulatory analysis

Benefits and costs

A cost-benefit analysis (CBA) report is available upon request from the contact listed at the end of this Regulatory Impact Analysis Statement.

The total costs associated with the proposed Regulations over a 10-year period are estimated at $151.9 million (present value [PV]). This is $21.6 million (PV) annually, which is approximately 0.0018% of $1.19 trillion in retail payments for 2021, based on the total transaction value for debit, credit and online transfer transactions (Payments Canada’s Canadian Payment Methods and Trends Report 2022). All Canadians benefit from the stable, efficient, and safe movement of their funds. In addition, the proposed Regulations ensure responsible competition to keep transaction costs low. The monetary value of the benefits to Canadians from the improvements to stability, efficiency and safety as a result of the proposed Regulations cannot be estimated and is therefore treated qualitatively.

Benefits

The proposed Regulations would benefit Canadians by supporting the coming into force of the Act, which establishes safeguarding arrangements for end-user funds should a PSP become insolvent and establishes standards for operational risk management, including in response to disruptions in payment services. Further, the supervisory regime would foster confidence in payment services for consumers and businesses and lead to responsible innovation in the payments ecosystem. All Canadians benefit from a stable, efficient, safe and competitive financial sector that services and drives economic growth. The inclusion of national security authorities for the Minister of Finance would promote the stability and integrity of the financial system with the intent to ensure retail payments are safe and secure for consumers and businesses. While the dollar value benefit from a reduction in risks cannot be quantified, with an estimated $1.19 trillion in Canadian retail payments for 2021, it is expected that the benefits to Canadians from a reduction in risk would far exceed the costs of the proposed Regulations to regulated PSPs.

The new supervisory regime would promote regulatory compliance by PSPs performing one of five payment functions in respect of an electronic funds transfer and a fiat currency. Registration requirements would ensure that entities performing one or more payment functions would register with the Bank of Canada and be included in a public registry of PSPs. Operational risk and end-user fund safeguarding requirements would ensure that registered PSPs create and implement business practices that reduce risk and protect consumers from service disruption. The supervisory regime would enable the Bank of Canada to promote compliance with the Act and the proposed Regulations by levying AMPs on PSPs that are in non-compliance.

Costs

As a result of the proposed Regulations, PSPs are expected to carry an estimated $10,544,297 (PV) in compliance costs and $141,371,249 (PV) in administrative costs for an estimated $151,915,545 (PV) in total costs over a 10-year period (or $21,629,356 annually, in present value). Approximately 2 500 PSPs are estimated to be affected, all of which are businesses. However, it will be difficult to know the true number until the regime is operational and entities begin to register with the Bank of Canada.

These costs primarily stem from the following requirements: (1) to review, test and update the Risk Management Framework; (2) for PSPs that hold end-user funds, to establish, implement and maintain a written Fund Safeguarding Framework; (3) for PSPs that hold end-user funds, to review the Fund Safeguarding Framework and conduct independent reviews; and (4) to provide information required in the registration application, annual report, notice of incident and significant change report.

Finally, under the proposed Regulations, PSPs would pay a $2,500 fee to the Bank of Canada at registration, as well as annual assessment fees. Under the Act, the Bank of Canada must ascertain its total expenses incurred in connection with the administration of the Act. This amount must be recovered through registration fees, submitted with an entity’s registration application, and through annual assessment fees. Once the Act is fully operational, the Bank of Canada would recover its supervisory costs in any given year through the combination of registration fees collected that year and the annual assessment fee levied on each registered PSP. The entirety of the Bank of Canada’s supervisory costs associated with the Act fall under obligations and requirements created by the Act and are not part of the costs associated with the proposed Regulations.

Cost-benefit statement
Table 1: Monetized costs
Impacted stakeholder Description of cost 2024 2029 2033 Total (PV) Annualized value
Industry Compliance with the proposed Regulations $9,981,732 $199,635 $199,635 $10,544,297 $1,501,271
Industry Administrative costs associated with the proposed Regulations $34,156,928 $17,974,848 $17,974,848 $141,371,249 $20,128,085
All stakeholders Total costs $44,138,660 $18,174,482 $18,174,482 $151,915,545 $21,629,356
Qualitative impacts

The proposed Regulations would have the following positive impacts:

Distributional impact analysis

It is assumed that roughly 2 500 businesses are impacted by this proposal.

Based on an analysis of payment values expected to generate approximate revenues of less than $5 million, 96.4% of PSPs would be considered a small business. This is similar to Statistics Canada’s estimate that 98.1% of businesses are small businesses. It is estimated that the average small business would face a total cost of $1,931 (PV).

Consumer impacts

The proposed Regulations are expected to have a positive impact on consumers. The new requirements would establish safeguarding arrangements for end-user funds should a PSP become insolvent and establish standards for operational risk management, including in response to disruptions in payment services.

The proposed Regulations are not expected to have a significant impact on the cost of payments. The total costs associated with the proposed Regulations over a 10-year period are estimated at $151.9 million (PV). This is $21.6 million (PV) annually, which is approximately 0.0018% of $1.19 trillion in retail payments, based on the total transaction value for debit, credit and online transfer transactions for 2021 (Payments Canada’s Canadian Payment Methods and Trends Report 2022). The benefits to Canadians from the improvements to stability, efficiency, integrity and safety as a result of the proposed Regulations cannot be quantified and are therefore treated qualitatively. Further, some PSPs have indicated that consistent rules across the industry, as well as Bank of Canada oversight to ensure compliance, will increase business confidence in PSPs, leading to new opportunities for partnerships and investment.

Competition impacts

The proposed Regulations would impose consistent obligations for all PSPs performing retail payment activities in Canada. This will level the playing field and ensure that all PSPs meet minimum standards for similar activities.

Regarding Canada’s competitiveness position relative to that of other countries, several other jurisdictions, including the United Kingdom, Australia, the European Union, and certain states in the United States, have implemented similar regulatory regimes for new and emerging PSPs. The Act and the proposed Regulations are generally consistent with the approach taken in these jurisdictions and will promote a consistent regulatory environment between Canada and the other jurisdictions. They would also be consistent with the G7 Finance Ministers and Central Bank Governors’ Statement on Digital Payments (G7 Finance Ministers and Central Bank Governors meetings, 2020), which calls for payment services to be appropriately supervised and regulated.

Sensitivity analysis

For the cost-benefit analysis, it is assumed that roughly 2 500 businesses would be impacted by the proposed Regulations in the first year. However, the exact number and characteristics of PSPs will not be known until they register with the Bank of Canada. A sensitivity analysis was performed as part of the cost-benefit analysis. Costs associated with the proposed Regulations are proportional to the number of PSPs; for example, if there are half as many PSPs, the total costs associated with the proposed Regulations would also be half, as shown in the table below.

Table 2: Results of sensitivity analysis on costs of the proposed Regulations from varying the number of PSPs
Number of PSPs and costs Low Central High
Number of PSPs 1 250 2 500 3 750
Total costs (PV) $75,957,772 $151,915,545 $227,873,318
Total costs (annualized) $10,814,678 $21,629,356 $32,444,034
Average cost per PSP (annualized) $8,693 $8,693 $8,693

In the central analysis, it is assumed that 2% of the population of PSPs would enter the market each year of the analysis. However, the overall number of affected PSPs is expected to remain stable throughout the period, due to consolidation and attrition. The table below shows results of a sensitivity analysis using 0% and 5% new entrants and exits annually.

Table 3: Results of sensitivity analysis on costs of the proposed Regulations from varying the number of PSP entrants and exits
Entrants and exits None 2% per year 5% per year
Total affected PSPs 2 500 2 950 3 600
Total costs (PV) $148,689,098 $151,915,545 $155,318,880
Total costs (annualized) $21,169,982 $21,629,356 $22,113,914
Average cost per active PSP (annualized) $8,509 $8,693 $8,888

In the central analysis, PSP administrative and compliance costs vary proportionally to their payment volumes. A sensitivity analysis varied this assumption by using flat costs across PSPs regardless of size and an alternative scenario where there are economies of scale (square root) where PSPs’ costs associated with the proposed Regulations increase based on the square root of their share of all payment volume. While the fixed and linear costs result in the same average cost to PSPs, a scenario where larger firms are able to capitalize on economies of scale would result in much lower costs, as shown in the table below.

Table 4: Results of sensitivity analysis on costs of the proposed Regulations from varying assumptions on PSPs’ costs relative to their size
Cost growth Square root (economies of scale) Linear None (uniform fixed cost)
Small businesses share of total costs 43.90% 3.04% 96.40%
Total costs (PV) $34,373,212 $151,915,545 $151,915,545
Total costs (annualized) $4,893,972 $21,629,356 $21,629,356
Average cost per PSP (annualized) $1,967 $8,693 $8,693

In the central scenario, present values are calculated using a discount rate of 7%. Since the majority of costs are incurred annually, the present value costs are fairly insensitive to discount rates of 4% and 10%, and no discounting, as shown in the table below.

Table 5: Results of sensitivity analysis on costs of the proposed Regulations from varying the discount rate
Discount rate Undiscounted 4% 7% 10%
Net costs $207,709,001 $172,376,888 $151,915,545 $135,278,124

Small business lens

Small business lens summary

It is estimated that approximately 2 500 businesses would be impacted by this proposal, with 96.4% being small businesses. It is estimated that the total incremental administrative and compliance costs imposed on small businesses would be $4,630,002 (PV) over 10 years, which is equivalent to $1,931 (PV) per small business impacted. Note that costs for each PSP are assumed to reflect their payment values in comparison to the industry as a whole. For example, a PSP with double the payment values would have double the administrative and compliance costs.

Table 6: Compliance costs
Activity Annualized value Present value
Compliance with the proposed Regulations $45,755 $321,364
Total compliance cost $45,755 $321,364
Table 7: Administrative costs
Activity Annualized value Present value
Administrative costs associated with the proposed Regulations $613,453 $4,308,638
Total administrative cost $613,453 $4,308,638
Table 8: Total compliance and administrative costs
Totals Annualized value Present value
Total cost (all impacted small businesses) $659,208 $4,630,002
Cost per impacted small business $275 $1,931

These costs primarily stem from the following requirements: (1) to review, test and update the Risk Management Framework; (2) for PSPs that hold end-user funds, to establish, implement and maintain a written Fund Safeguarding Framework; (3) for PSPs that hold end-user funds, to review the Fund Safeguarding Framework and conduct independent reviews; and (4) to establish the contents of the registration application, annual report, notice of incident and significant change report.

The proposed Regulations account for the impacts on small businesses through the principle of proportionality — the level of supervision should be commensurate with the level of risk posed by the entity’s payment activities. For example, the provisions of the proposed Regulations for operational risk provide that a PSP must ensure that all aspects of its Risk Management Framework are proportional to the impact that a reduction, deterioration, or breakdown of its retail payment activities could have on end users and other PSPs. Therefore, smaller PSPs, as measured by the value and volume of their payment activity, would see a lower regulatory burden to fulfill the proposed Regulations’ operational risk requirements than would larger PSPs. In addition, the assessment fee provisions of the proposed Regulations adjust for a PSP’s size through the metric driven amount, where costs are proportionally distributed to all registered PSPs based on their share of retail payment activities.

One-for-one rule

The one-for-one rule applies as the proposed Regulations are a new regulatory title that introduces new administrative costs for business. PSPs that choose to conduct retail payment activities under the Act’s new scope will experience a new administrative burden due to the proposed Regulations’ administrative requirements, namely that PSPs prepare and submit reports to the Bank of Canada, as well as the costs to meet new operational risk management and end-user funds safeguarding measures.

Using assumptions and data presented above and the methodology developed in the Red Tape Reduction Regulations, it is estimated that the regulated community would assume total administrative costs of $7,860,665 (2012 Canadian dollars, 7% discount rate, base year of discounting in 2012) for all PSPs registered under the regime.

Regulatory cooperation and alignment

The proposed Regulations are intended to align with other jurisdictions such as the United Kingdom (U.K.), Australia, and the European Union (EU), which have already established regulatory regimes for payment activities of new and emerging PSPs.

The elements of the proposed Regulations align closely with many of the requirements found in the European regimes (including the U.K., which adopted the EU regulations during its time as a member of the EU), such as requirements for registration, operational risk management frameworks, fund safeguarding, incident reporting, and record keeping. PSPs operating internationally and foreign regulators were also consulted on their experiences with similar requirements in foreign jurisdictions to ensure alignment as much as possible and to minimize the regulatory burden on PSPs. There are some structural differences between the jurisdictions cited, where certain regimes may be voluntary (e.g. Australia) or overseen by a non-central bank regulator (e.g. the U.K.). U.S. requirements that apply to PSPs were also considered in the development of the proposed Regulations; however, they are at the state level.

In addition, with respect to provincial regulatory cooperation, the Act provides that the Governor of the Bank of Canada may exempt entities or classes of entities from certain provisions of the Act and the proposed Regulations where there is, in the Governor’s opinion, a substantially similar provision in another federal or provincial Act. This is in view of avoiding regulatory duplication and in recognition of complementary objectives and powers with respect to the oversight of PSPs.

Strategic environmental assessment

In accordance with the Cabinet Directive on the Environmental Assessment of Policy, Plan and Program Proposals, a preliminary scan concluded that the amendments would not result in positive or negative environmental impacts. Therefore, a strategic environmental assessment is not required.

Gender-based analysis plus

A gender-based analysis plus (GBA+) assessment was undertaken for the proposed Regulations. The results indicate that by enhancing protections for end users of payment services in Canada, including merchants and consumers that broadly represent the Canadian population, the proposed Regulations are expected to benefit all Canadians. Some vulnerable groups who face additional financial literacy and capability challenges, including newcomers to Canada and the elderly, may experience additional indirect benefits from the end-user protection measures. Given that all Canadians are expected to benefit from these measures, with some more vulnerable groups benefiting more than others, no specific measures to address or mitigate GBA+ impacts are required.

Implementation, compliance and enforcement, and service standards

Implementation

The proposed Regulations would come into force on the days that the relevant provisions of the Act come into force, as fixed by orders of the Governor in Council. A final decision on timing would be taken following Canada Gazette, Part I, consultations.

Once the proposed Regulations are published in the Canada Gazette, Part II, the Bank of Canada will issue guidance on specific topics related to the Act to further clarify its supervisory expectations. These documents will explain how the Bank of Canada interprets the Act and provide transparency around the Bank of Canada’s supervisory role.

Compliance and enforcement

Under the Act and the proposed Regulations, the Bank of Canada will be responsible for supervising PSPs, promoting compliance among PSPs of their obligations under the Act and the proposed Regulations, and monitoring and evaluating trends related to retail payment activities.

The Act also provides the Minister of Finance with the authority to address risks related to national security that could be posed by PSPs. This includes the ability to refuse PSPs’ applications, revoke registrations, order undertakings or conditions, as well as issue national security orders for a PSP to take or refrain from any action. The Minister will be supported by the Department of Finance, as well as Canada’s security and intelligence community (designated entities) providing information (intelligence and analysis) in accordance with their respective mandates.

PSPs that are subject to the Act and the proposed Regulations will have to register with the Bank of Canada. As part of the registration process, the proposed Regulations would require applicants to provide certain information, for example, names, addresses and third-party service providers. This information will be consistent with what is asked for in other federal regimes, such as the Investment Canada Act.

Applications deemed complete by the Bank of Canada will be sent to the Department of Finance. Applications received by the Department of Finance from the Bank of Canada must, under the proposed Regulations, be processed within 60 days. This period will include time for the security and intelligence community to complete initiation screening and notify the Department of their decision: either no concerns or concerns. The Minister of Finance will then decide whether to initiate a formal national security review. The timeline for a national security review, under the proposed Regulations, is 180 days, which can be extended. At the end of the review, the Minister of Finance can decide to

Contact

Nicolas Marion
Senior Director
Payments Policy
Financial Services Division
Financial Sector Policy Branch
Department of Finance Canada
90 Elgin Street
Ottawa, Ontario
K1A 0G5
Email: fin.payments-paiements.fin@fin.gc.ca

PROPOSED REGULATORY TEXT

Notice is given that the Governor in Council proposes to make the annexed Retail Payment Activities Regulations under section 101 of the Retail Payment Activities Act footnote a.

Interested persons may make representations concerning the proposed Regulations within 45 days after the date of publication of this notice. They are strongly encouraged to use the online commenting feature that is available on the Canada Gazette website but if they use email, mail or any other means, the representations should cite the Canada Gazette, Part I, and the date of publication of this notice, and be sent to Nicolas Marion, Senior Director, Payments Policy, Department of Finance, 90 Elgin Street, Ottawa, Ontario K1A 0G5 (email: fin.payments-paiements.fin@fin.gc.ca).

Ottawa, February 2, 2023

Wendy Nixon
Assistant Clerk of the Privy Council

TABLE OF PROVISIONS

Retail Payment Activities Regulations

Definitions

1 Definitions

Non-application of Act

2 Securities-related transactions

3 Incidental retail payment activities

4 SWIFT

Risk Management and Incident Response

5 Framework

6 Availability of framework

7 Provision of information and training

8 Review

9 Testing

10 Independent review

11 Notice of incident — Bank

12 Notice of incident — individual or entity

Safeguarding of Funds

13 Accounts

14 Insurance or guarantee

15 Safeguarding-of-funds framework

16 Evaluation of insolvency protection

17 Biennial independent review

Annual Report

18 Submission

19 Contents

Significant Change or New Activity

20 Notice to Bank

Registration

21 New application — acquisition of control

22 New application — other change

23 Registry

24 Application for registration

25 Registration fee

26 Decision to review — prescribed period

27 Conduct of review — prescribed period

28 Request for review of directive — prescribed period

29 Request for review of notice — prescribed period

30 Refusal to register — prescribed period and reasons

31 Review of refusal to register — prescribed period

32 Notice of intent to revoke registration — prescribed reasons

33 Review of notice of intent — prescribed period

34 Appeal — prescribed period

35 Notice of change in information — prescribed period

36 Notice of change in prescribed information

Prescribed Supervisory Information

37 Prescribed information

38 Non-disclosure by payment service provider

39 Use of information

Record Keeping and Retention

40 Records

41 Protective measures

42 Agents, mandataries and third-party service providers

Administration and Enforcement — Provision of Information

43 Prescribed period — payment service provider

44 Prescribed period — individual or entity

45 Prescribed period — undertaking or condition

Administrative Monetary Penalties

46 Designation of violations

47 Classification

48 Penalties

49 Criteria

50 Additional penalty

51 Service of documents

Assessment Fees

52 Assessment

53 Information request

Transition Period

54 National security review — prescribed periods

55 Application for registration — prescribed period

56 Publication of application information

Coming into Force

57 S.C. 2021, c. 23

SCHEDULE

Definitions

Definitions

1 The following definitions apply in these Regulations.

Act
means the Retail Payment Activities Act. (Loi)
senior officer,
in respect of an entity, means
  • (a) a member of its board of directors who is also one of its full-time employees;
  • (b) its chief executive officer, chief operating officer, president, chief risk officer, secretary, treasurer, controller, chief financial officer, chief accountant, chief auditor or chief actuary, or any person who performs functions similar to those normally performed by someone occupying one of those positions; or
  • (c) any other officer who reports directly to its board of directors, chief executive officer or chief operating officer. (cadre dirigeant)

Non-application of Act

Securities-related transactions

2 A transaction in relation to securities is a prescribed transaction for the purpose of paragraph 6(b) of the Act if it is performed by an individual or entity that is regulated, or exempted from regulation, under Canadian securities legislation as defined in National Instrument 14-101 Definitions, as amended from time to time, of the Canadian Securities Administrators.

Incidental retail payment activities

3 A retail payment activity that is performed as a service or business activity that is incidental to another service or business activity is, unless that other service or business activity consists of the performance of a payment function, a prescribed retail payment activity for the purpose of paragraph 6(d) of the Act.

SWIFT

4 The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a prescribed entity for the purpose of paragraph 9(k) of the Act.

Risk Management and Incident Response

Framework

5 (1) The risk management and incident response framework required under subsection 17(1) of the Act must be in writing and must

Proportionality

(2) A payment service provider must ensure that all aspects of its risk management and incident response framework — including all objectives, targets, systems, policies, procedures, processes and controls — are proportionate to the impact that a reduction, deterioration or breakdown of the payment service provider’s retail payment activities could have on end users and other payment service providers, having regard to factors including the payment service provider’s ubiquity and connectedness, as established using the information referred to in subparagraph 19(4)(a)(i) or paragraph 19(4)(b), as the case may be.

Third-party service providers

(3) If a payment service provider receives services from a third-party service provider, the risk management and incident response framework must

Agents and mandataries

(4) If a payment service provider intends to have agents or mandataries perform retail payment activities, the risk management and incident response framework must

Third party roles and responsibilities

(5) If the risk management and incident response framework allocates, under paragraph (1)(d), any roles or responsibilities to a third party, including a third-party service provider or an agent or mandatary, the framework must set out policies, procedures, processes, controls or other means for overseeing the third party’s fulfillment of those roles and responsibilities.

Approval

(6) The risk management and incident response framework must have been approved by the senior officer referred to in subparagraph (1)(d)(ii) and the payment service provider’s board of directors, if any, within the previous year and when each material change was made to the framework.

Availability of framework

6 A payment service provider must ensure that its risk management and incident response framework remains available to all persons who have a role in implementing or maintaining it and must take all reasonable precautions to prevent its unauthorized deletion, destruction or amendment.

Provision of information and training

7 A payment service provider must ensure that all employees and other persons who have a role in establishing, implementing or maintaining its risk management and incident response framework are provided with the information and training that are necessary to carry out that role.

Review

8 (1) A payment service provider must carry out a review of its risk management and incident response framework

Scope

(2) The review must evaluate

Record

(3) The payment service provider must, in respect of each review, keep a record of the date on which it is conducted and its scope, methodology and findings.

Report and approval

(4) The payment service provider must ensure that the findings of each review are reported to the senior officer referred to in subparagraph 5(1)(d)(ii), if any, for their approval.

Testing

9 (1) A payment service provider must establish and implement a testing methodology, for the purpose of identifying gaps in the effectiveness of, and vulnerabilities in, the systems, policies, procedures, processes, controls and other means provided for in its risk management and incident response framework, that

Record

(2) The payment service provider must, in respect of each test that it carries out, keep a record of

Report to senior officer

(3) The payment service provider must ensure that the record is provided to the senior officer referred to in subparagraph 5(1)(d)(ii), if any.

Independent review

10 (1) A payment service provider that has an internal or external auditor must ensure that, at least once every three years, a sufficiently skilled individual who has had no role in the establishment, implementation or maintenance of the payment service provider’s risk management and incident response framework carries out an independent review of

Record

(2) The payment service provider must obtain a record that sets out the independent reviewer’s name — or, if the independent reviewer carried out the review on behalf of an entity other than the payment service provider, that entity’s name — and the date of the review and describes the review’s scope, methodology and findings.

Report

(3) The payment service provider must report any gaps and vulnerabilities that are identified by the independent review, and any measures being taken to address them, to the senior officer referred to in subparagraph 5(1)(d)(ii), if any.

Notice of incident — Bank

11 (1) The notice that must be given to the Bank under section 18 of the Act must be submitted using the electronic system provided by the Bank for that purpose.

Contents

(2) The notice must contain

Notice of incident — individual or entity

12 (1) The notice that must be given under section 18 of the Act to an individual or entity referred to in any of paragraphs 18(1)(a) to (c) of the Act must be

Contents

(2) The notice must include

Safeguarding of Funds

Accounts

13 A payment service provider that holds end-user funds in accordance with paragraph 20(1)(a) or (c) of the Act must ensure that the account in which they are held is provided by an entity that is referred to in one of paragraphs 9(a) to (d) or (f) to (h) of the Act or by a foreign financial institution that is regulated by a regulatory regime that imposes standards in respect of capital, liquidity, governance, supervision and risk management that are comparable to those that apply to those entities.

Insurance or guarantee

14 (1) A payment service provider that holds end-user funds in accordance with paragraph 20(1)(c) of the Act must ensure that the insurance or guarantee referred to in that paragraph is provided by an entity that

Conditions

(2) The payment service provider must ensure that

Events

(3) For the purpose of paragraph (2)(b), the events are

Definition of insolvency proceeding

(4) For the purposes of subsection (3), insolvency proceeding means any proceeding, action, application, case or legal process commenced in respect of a payment service provider, under the law of any jurisdiction, relating to bankruptcy, insolvency, liquidation, dissolution or winding-up.

Safeguarding-of-funds framework

15 (1) A payment service provider that holds end-user funds must establish, implement and maintain a written safeguarding-of-funds framework that conforms to subsections (2) to (5) for the purpose of ensuring that

Contents

(2) The safeguarding-of-funds framework must describe the payment service provider’s systems, policies, processes, procedures, controls and other means for meeting the objectives referred to in subsection (1), including

Legal risks and operational risks

(3) The safeguarding-of-funds framework must identify legal risks and operational risks that could hinder the meeting of the objectives referred to in subsection (1) and the means of mitigating those risks, including having regard to

Identification of senior officer

(4) The safeguarding-of-funds framework must, unless the payment service provider is an individual, identify a senior officer who is responsible for overseeing the payment service provider’s practices for safeguarding end-user funds and for ensuring the payment service provider’s compliance with subsection 20(1) of the Act and sections 13 to 17 of these Regulations.

Approval

(5) The safeguarding-of-funds framework must be approved by the senior officer, if any.

Review of framework

(6) The payment service provider must review the safeguarding-of-funds framework to identify any gaps or vulnerabilities and determine what changes are required to ensure that the objectives set out in subsection (1) are met

Record and report

(7) The payment service provider must keep a record of the findings of the review, and of any changes to the safeguarding-of-funds framework that it has made or intends to make as a result of the review, and must provide a copy of that record to the senior officer referred to in subsection (4), if any.

Evaluation of insolvency protection

16 (1) At least once a year, a payment service provider referred to in subsection 20(1) of the Act must determine whether, at all times during the preceding year, the end-user funds held by it — or equivalent proceeds from any insurance or guarantee referred to in paragraph 20(1)(c) of the Act — would have been payable to end users in the case of an event referred to in subsection 14(3) of these Regulations.

Failure to protect

(2) If the payment service provider determines that there were instances in which all end-user funds or equivalent insurance or guarantee proceeds would not have been payable to end users, the payment service provider must, as soon as feasible,

Biennial independent review

17 (1) A payment service provider referred to in subsection 20(1) of the Act must ensure that, at least once every two years, a sufficiently skilled individual who has had no role in the establishment, implementation or maintenance of the safeguarding-of-funds framework or in the making of the determination referred to subsection 16(1) carries out an independent review of the payment service provider’s compliance with subsection 20(1) of the Act and sections 13 to 16 of these Regulations.

Record

(2) The payment service provider must obtain a record that sets out the independent reviewer’s name — or, if they carried out the review on behalf of an entity other than the payment service provider, that entity’s name — and the date of the review and describes the review’s scope, methodology and findings.

Remedial measures

(3) The payment service provider must identify, on the basis of the independent review, any gaps or vulnerabilities with respect to its compliance with subsection 20(1) of the Act and sections 13 to 16 of these Regulations and any measures that are necessary to address them.

Report

(4) The payment service provider must report the gaps and vulnerabilities, and the measures being taken to address them, to the senior officer referred to in subsection 15(4), if any.

Annual Report

Submission

18 (1) For the purpose of section 21 of the Act, a payment service provider that performs retail payment activities in a calendar year must submit the annual report in respect of that year no later than March 31 of the following year.

Form and manner

(2) The report must be submitted using the electronic system provided for that purpose by the Bank.

Contents

19 (1) For the purpose of paragraph 21(a) of the Act, the prescribed information consists of

Accounts, insurance and guarantees

(2) For the purpose of paragraph 21(b) of the Act, the prescribed information consists of

Holding of end-user funds

(3) For the purpose of paragraph 21(c) of the Act, the prescribed information consists of

Other information

(4) For the purpose of paragraph 21(d) of the Act, the prescribed information consists of

Definition of reporting year

(5) In this section, reporting year means the calendar year in respect of which an annual report is submitted.

Significant Change or New Activity

Notice to Bank

20 (1) The notice referred to in subsection 22(1) of the Act must

Definition of business day

(2) For the purpose of paragraph (1)(a), business day means a business day of the Bank.

Registration

New application — acquisition of control

21 For the purpose of subsection 24(1) of the Act, an individual or entity acquires control of

New application — other change

22 The following are prescribed changes for the purpose of subsection 24(2) of the Act:

Registry

23 The following is prescribed information for the purpose of section 26 of the Act:

Application for registration

24 (1) An application under subsection 29(1) of the Act must be submitted to the Bank using the electronic system provided by the Bank for that purpose.

Contact information

(2) For the purpose of paragraph 29(1)(b) of the Act, the prescribed contact information consists of

Organization and structure

(3) For the purpose of paragraph 29(1)(d) of the Act, the prescribed information consists of

Agents and mandataries

(4) For the purpose of paragraph 29(1)(e) of the Act, the prescribed information consists of, in respect of each agent or mandatary,

Volume and value of retail payment activities

(5) For the purpose of paragraph 29(1)(f) of the Act, the prescribed information consists of

End-user funds

(6) For the purpose of paragraph 29(1)(h) of the Act, the prescribed information consists of

Safeguarding of end-user funds

(7) For the purpose of paragraph 29(1)(j) of the Act, the prescribed information consists of

Third-party service provider

(8) For the purpose of paragraph 29(1)(k) of the Act, the prescribed information consists of, in respect of each third-party service provider that has or will have a material impact on the applicant’s operational risks or the manner in which the applicant safeguards or plans to safeguard end-user funds,

National security review

(9) For the purpose of paragraph 29(1)(p) of the Act, the prescribed information consists of

Registration fee

25 (1) The prescribed registration fee for the purpose of subsection 29(2) of the Act is the amount determined by the formula

$2,500 × (A ÷ B)
where
A
is the September All-items Consumer Price Index for Canada, as published by Statistics Canada under the Statistics Act, for the calendar year immediately before the year in which the application is submitted; and
B
is the September All-items Consumer Price Index for Canada, as published by Statistics Canada under the Statistics Act, for the calendar year in which this section comes into force.

Exception

(2) Despite subsection (1), the fee to be included with an application for registration that is submitted in the calendar year in which this section comes into force is $2,500.

No decrease

(3) Despite subsection (1), if a fee determined under that subsection is less than the fee that was required to be included with an application submitted in the previous calendar year, the fee is instead equal to the fee applicable in that previous year.

Decision to review — prescribed period

26 (1) The prescribed period for the purpose of subsection 34(1) of the Act is 60 days beginning on the day after the day on which the Minister is provided with a copy of the application for registration.

Extension

(2) The prescribed period for the purpose of subsection 34(2) of the Act is 60 days.

Conduct of review — prescribed period

27 The prescribed period for the purpose of section 36 of the Act is 180 days beginning on the day after the day on which the Minister decides to review the application for registration.

Request for review of directive — prescribed period

28 The prescribed period for the purpose of subsection 41(1) of the Act is 30 days beginning on the day after the day on which the applicant is notified of the refusal to register.

Request for review of notice — prescribed period

29 The prescribed period for the purpose of subsection 46(1) of the Act is 30 days beginning on the day after the day on which the payment service provider is notified of the issuance of the notice of intent.

Refusal to register — prescribed period and reasons

30 For the purposes of subsection 48(1) of the Act,

Review of refusal to register — prescribed period

31 (1) The prescribed period for the purpose of subsection 50(1) of the Act is 30 days beginning on the day after the day on which the applicant is notified of the refusal to register.

Decision

(2) The prescribed period for the purpose of subsection 50(3) of the Act is 90 days beginning on the day after the day on which the applicant requests the review.

Notice of intent to revoke registration — prescribed reasons

32 The following are prescribed reasons for the purpose of section 52 of the Act:

Review of notice of intent — prescribed period

33 (1) The prescribed period for the purposes of subsection 53(1) and section 54 of the Act is 30 days beginning on the day after the day on which the payment service provider is notified of the intent to revoke its registration.

Decision

(2) The prescribed period for the purpose of subsection 53(3) of the Act is 90 days beginning on the day after the day on which the payment service provider has completed making its representations or, if it does not make any, the day after the day on which its opportunity to do so ends.

Appeal — prescribed period

34 The prescribed period for the purpose of subsection 58(1) of the Act is 30 days beginning on the day after the day on which the applicant or payment service provider is notified of the decision under subsection 50(3) or 53(3) of the Act.

Notice of change in information — prescribed period

35 For the purposes of subsection 59(1) of the Act,

Notice of change in prescribed information

36 (1) The prescribed information for the purpose of subsection 60(1) of the Act is the information referred to in subsection 24(9) of these Regulations.

Prescribed period

(2) The prescribed period for the purpose of subsection 60(2) of the Act is

Prescribed Supervisory Information

Prescribed information

37 The following is prescribed information for the purpose of subsection 64(1) of the Act:

Non-disclosure by payment service provider

38 (1) Subject to subsections (2) and (3), a payment service provider must not, directly or indirectly, disclose any information referred to in section 37.

Exception

(2) A payment service provider may disclose information referred to in section 37 to the following individuals and entities if it ensures that, subject to subsection (3), those individuals and entities do not further disclose the information to others:

Exception — securities laws

(3) A payment service provider may disclose information referred to in section 37, and need not ensure its further non-disclosure, to the extent that the disclosure is required by the securities laws of any jurisdiction.

Use of information

39 (1) For the purpose of subsection 64(3) of the Act, the Minister, the Governor, the Bank and the Attorney General of Canada may use the information referred to in section 37 of these Regulations as evidence in any proceeding.

Certain Acts

(2) For the purpose of subsection 64(4) of the Act, the payment service provider may use the information referred to in section 37 of these Regulations as evidence in any proceeding referred to in that subsection.

Record Keeping and Retention

Records

40 A payment service provider must keep, in a form that is intelligible to the Bank, sufficient records to demonstrate its compliance with the Act and these Regulations and, subject to any undertaking provided for the purpose of section 42 of the Act or any condition imposed under section 43 of the Act, must retain the records until the day that is five years after the day on which they cease to demonstrate the payment service provider’s compliance with a current obligation.

Protective measures

41 A payment service provider must take reasonable measures, with respect to all records that it is required to keep under the Act and these Regulations, to

Agents, mandataries and third-party service providers

42 A payment service provider must ensure that

Administration and Enforcement — Provision of Information

Prescribed period — payment service provider

43 (1) The prescribed period for the purpose of subsection 65(1) of the Act is 15 days beginning on the day after the day on which the request is made.

Exception — significant adverse incident

(2) Despite subsection (1), if the information requested by the Bank relates to an incident that is ongoing and that could have a significant adverse impact on an individual or entity referred to in subsection 94(2) of the Act, the prescribed period for the purpose of subsection 65(1) of the Act is 24 hours beginning when the request is made.

Prescribed period — individual or entity

44 The prescribed period for the purpose of subsection 66(2) of the Act is 15 days beginning on the day after the day on which the request is made.

Prescribed period — undertaking or condition

45 The prescribed period for the purpose of subsection 73(1) of the Act is 15 days beginning on the day after the day on which the request is made.

Administrative Monetary Penalties

Designation of violations

46 The following are designated as violations that may be proceeded with under Part 5 of the Act:

Classification

47 (1) Subject to subsection (3), each violation referred to in paragraph 46(a) or (b), other than one referred to in subsection 48(2), is classified as a serious or very serious violation, as set out in column 3 of Part 1 of the schedule or column 2 of Part 2 of the schedule, as the case may be.

Compliance agreement violation

(2) The violation referred to in paragraph 46(c) is classified as a very serious violation.

Series of violations

(3) If a notice of violation identifies two or more violations that are classified as serious violations and that arise from the contravention of the same provision of the Act or these Regulations, that series of violations is classified as a single very serious violation.

Penalties

48 (1) The range of penalties in respect of a violation, other than one referred to in subsection (2), is

Exceptions

(2) In the case of a violation in respect of section 21 or subsection 22(1), 59(1) or 60(1) or (2) of the Act,

Criteria

49 The amount payable as the penalty for a violation, other than one referred to in paragraph 48(2)(a), is to be established having regard to

Additional penalty

50 For the purpose of paragraph 82(1)(b) of the Act, the additional penalty is equal to the amount of the penalty set out in the notice of violation.

Service of documents

51 (1) Any notice that is to be served under Part 5 of the Act must be served by,

Deemed service

(2) A notice is deemed to be served

Assessment Fees

Assessment

52 (1) For the purpose of subsection 99(3) of the Act, the portion of the amount ascertained under subsection 99(1) of the Act that is to be assessed against each registered payment service provider in respect of a calendar year is equal to the sum of the base amount determined under subsection (2) and the additional amount determined under subsection (3), less the amount of any interim assessment made against the payment service provider for that calendar year.

Base amount

(2) A registered payment service provider’s base amount in respect of a calendar year is to be determined in accordance with the formula

0.2 × A ÷ N
where
A
is the amount ascertained for the calendar year under subsection 99(1) of the Act, following the deduction of the registration fees; and
N
is the number of payment service providers that were registered at any time during the calendar year.

Additional amount

(3) A registered payment service provider’s additional amount in respect of a calendar year is to be determined in accordance with the formula

(0.35 × A × Ti ÷ Tn) + (0.35 × A × Vi ÷ Vn) + (0.1 × A × Fi ÷ Fn)
where
A
is the amount ascertained for the calendar year under subsection 99(1) of the Act, following the deduction of the registration fees;
Ti
is, in the case of a payment service provider that has a place of business in Canada, the sum of its averages referred to in subclause 19(4)(a)(i)(F)(I) for each month of the calendar year or, in the case of a payment service provider that does not have a place of business in Canada, the sum of its averages referred to in subclause 19(4)(a)(i)(F)(II) for each month of the calendar year;
Tn
is the sum of the values determined for Ti in respect of all registered payment service providers for the calendar year;
Vi
is, in the case of a payment service provider that has a place of business in Canada, the sum of its averages referred to in subclause 19(4)(a)(i)(H)(I) for each month of the calendar year or, in the case of a payment service provider that does not have a place of business in Canada, the sum of its averages referred to in subclause 19(4)(a)(i)(H)(II) for each month of the calendar year;
Vn
is the sum of the values determined for Vi in respect of all registered payment service providers for the calendar year;
Fi
is, in the case of a payment service provider that has a place of business in Canada, the sum of its averages referred to in subclause 19(4)(a)(i)(C)(I) for each month of the calendar year or, in the case of a payment service provider that does not have a place of business in Canada, the sum of its averages referred to in subclause 19(4)(a)(i)(C)(II) for each month of the calendar year; and
Fn
is the sum of the values determined for Fi in respect of all registered payment service providers for the calendar year.

Sources of values

(4) The values for Ti, Vi and Fi in the formula set out in subsection (3) are to be determined on the basis of the annual report submitted by each payment service provider in respect of the calendar year or, if any information from those reports is incorrect, missing or unavailable, on the basis of any other information that is available to the Bank, including any previous annual reports.

Information request

53 The prescribed period for the purpose of subsection 100(1) of the Act is 15 days beginning on the day after the day on which the request is made.

Transition Period

National security review — prescribed periods

54 In respect of an application for registration that is submitted during the transition period as defined in section 103 of the Act,

Application for registration — prescribed period

55 The prescribed period for the purpose of section 104 of the Act is 15 days.

Publication of application information

56 For the purpose of section 107 of the Act, the prescribed information is

Coming into Force

S.C. 2021, c. 23

57 (1) Subject to subsections (2) and (3), these Regulations come into force on the day on which subsection 25(1) of the Retail Payment Activities Act, as enacted by section 177 of the Budget Implementation Act, 2021, No. 1, comes into force.

S.C. 2021, c. 23

(2) Sections 1, 24, 25, 28, 37 to 51 and 54 to 56, items 11, 14 to 19 and 21 of Part 1 of the schedule and items 29 to 33 of Part 2 of the schedule come into force on the day on which section 29 of the Retail Payment Activities Act, as enacted by section 177 of the Budget Implementation Act, 2021, No. 1, comes into force, but if these Regulations are registered after that day, those provisions come into force on the day on which these Regulations are registered.

S.C. 2021, c. 23

(3) Sections 52 and 53 and item 20 of Part 1 of the schedule come into force on the day on which section 99 of the Retail Payment Activities Act, as enacted by section 177 of the Budget Implementation Act, 2021, No. 1, comes into force, but if these Regulations are registered after that day, those provisions come into force on the day on which these Regulations are registered.

SCHEDULE

(Paragraphs 46(a) and (b) and subsection 47(1))

Administrative Monetary Penalties — Designation of Provisions

PART 1

Retail Payment Activities Act
Item

Column 1

Provision of
Act

Column 2

Corresponding Provision of
These Regulations

Column 3

Classification of Violation
1 17(1) 5 very serious
2 17(3) very serious
3 18 11 or 12 very serious
4 19(3) serious
5 20(1) very serious
6 21 18 or 19
7 22(1) 20
8 23 very serious
9 24(1) serious
10 24(2) 22 serious
11 30 serious
12 59(1) 35
13 60(1) and (2) 36
14 61 serious
15 65(2) serious
16 66(2) 44 serious
17 67(2) very serious
18 67(3) very serious
19 69(2) very serious
20 100(2) serious
21 104 55 very serious

PART 2

Retail Payment Activities Regulations
Item

Column 1

Provision

Column 2

Classification of Violation
1 6 very serious
2 7 very serious
3 8(1)(a) and (2) very serious
4 8(1)(b) and (2) very serious
5 8(1)(c) and (2) very serious
6 8(3) serious
7 8(4) serious
8 9(1) very serious
9 9(2) serious
10 9(3) serious
11 10(1) very serious
12 10(2) serious
13 10(3) serious
14 13 very serious
15 14(1) very serious
16 14(2) very serious
17 15(1) very serious
18 15(6)(a) very serious
19 15(6)(b) very serious
20 15(6)(c) very serious
21 15(6)(d) very serious
22 15(7) serious
23 16(1) very serious
24 16(2) very serious
25 17(1) very serious
26 17(2) serious
27 17(3) very serious
28 17(4) serious
29 38(1) serious
30 40 serious
31 41 serious
32 42(a) serious
33 42(b) serious

Terms of use and Privacy notice

Terms of use

It is your responsibility to ensure that the comments you provide do not:

  • contain personal information
  • contain protected or classified information of the Government of Canada
  • express or incite discrimination on the basis of race, sex, religion, sexual orientation or against any other group protected under the Canadian Human Rights Act or the Canadian Charter of Rights and Freedoms
  • contain hateful, defamatory, or obscene language
  • contain threatening, violent, intimidating or harassing language
  • contain language contrary to any federal, provincial or territorial laws of Canada
  • constitute impersonation, advertising or spam
  • encourage or incite any criminal activity
  • contain a language other than English or French
  • otherwise violate this notice

The federal institution managing the proposed regulatory change retains the right to review and remove personal information, hate speech, or other information deemed inappropriate for public posting as listed above.

Confidential Business Information should only be posted in the specific Confidential Business Information text box. In general, Confidential Business Information includes information that (i) is not publicly available, (ii) is treated in a confidential manner by the person to whose business the information relates, and (iii) has actual or potential economic value to the person or their competitors because it is not publicly available and whose disclosure would result in financial loss to the person or a material gain to their competitors. Comments that you provide in the Confidential Business Information section that satisfy this description will not be made publicly available. The federal institution managing the proposed regulatory change retains the right to post the comment publicly if it is not deemed to be Confidential Business Information.

Your comments will be posted on the Canada Gazette website for public review. However, you have the right to submit your comments anonymously. If you choose to remain anonymous, your comments will be made public and attributed to an anonymous individual. No other information about you will be made publicly available.

Comments will remain posted on the Canada Gazette website for at least 10 years.

Please note that public email is not secure, if the attachment you wish to send contains sensitive information, please contact the departmental email to discuss ways in which you can transmit sensitive information.

Privacy notice

The information you provide is collected under the authority of the Financial Administration Act, the Department of Public Works and Government Services Act, the Canada–United States–Mexico Agreement Implementation Act,and applicable regulators’ enabling statutes for the purpose of collecting comments related to the proposed regulatory changes. Your comments and documents are collected for the purpose of increasing transparency in the regulatory process and making Government more accessible to Canadians.

Personal information submitted is collected, used, disclosed, retained, and protected from unauthorized persons and/or agencies pursuant to the provisions of the Privacy Act and the Privacy Regulations. Individual names that are submitted will not be posted online but will be kept for contact if needed. The names of organizations that submit comments will be posted online.

Submitted information, including personal information, will be accessible to Public Services and Procurement Canada, who is responsible for the Canada Gazette webpage, and the federal institution managing the proposed regulatory change.

You have the right of access to and correction of your personal information. To seek access or correction of your personal information, contact the Access to Information and Privacy (ATIP) Office of the federal institution managing the proposed regulatory change.

You have the right to file a complaint to the Privacy Commission of Canada regarding any federal institution’s handling of your personal information.

The personal information provided is included in Personal Information Bank PSU 938 Outreach Activities. Individuals requesting access to their personal information under the Privacy Act should submit their request to the appropriate regulator with sufficient information for that federal institution to retrieve their personal information. For individuals who choose to submit comments anonymously, requests for their information may not be reasonably retrievable by the government institution.