The Canadian fintech review: Retail Payments Activities Act


The Retail Payment Activities Act will task senior managers at payment service providers (PSPs) with building much more compliance into their operations. For many, this will also be the first time their business has been subject to such significant oversight.

In this video, Andrew Bernstein and Brigitte Goulard explain why PSPs will soon receive some of the scrutiny usually reserved for banks – and what they can do to adapt. Also in the video:

  • How this legislation aims to protect end users
  • Who is exempt from the law
  • Penalties the Bank of Canada may impose
  • Advice for PSPs as they navigate the law


Video transcript

Brigitte Goulard (00:06): Why don’t you tell us a bit about what the Retail Business Act is and what it means?

Andrew Bernstein (00:11): So the Retail Payment Activities Act establishes the legal framework within which the Bank of Canada oversees retail payment activities providers. The Act was passed in 2021 by Parliament and regulations are expected in 2022. The Bank of Canada, which will take on the role of regulator, will oversee any retail payment activity conducted by a payment service provider with a place of business in Canada, or if they engage in Canadian retail payment activities for an end user in Canada, whether an individual or a business. So what is a retail payment activity? It is a payment function performed in relation to an electronic funds transfer made in Canadian currency or another currency, or using a device that meets certain prescribed criteria. So what is a payment feature? These are activities such as maintaining an account in relation to electronic funds transfer, holding funds on behalf of end users, initiating an electronic funds transfer, authorizing other electronic funds transfers, or clearing or settlement services. So that’s what the Retail Payments Act is about. It deals with large entities such as PayPal or Amazon and smaller entities that may be engaged in narrower retail payment activities.

Brigitte Goulard (01:44): So very broad application because it captures many activities and many different bodies. But what is interesting is that the act on retail payment activities has also provided some exceptions for certain activities and for certain entities. For example, regulated financial institutions, such as banks, will not be subject because they are already subject to their own onerous requirements. Closed-loop prepaid cards, such as your Tim Hortons card that you like to use so often.

Andrew Bernstein (02:13): I have several Tim Hortons cards, maybe I’ll take you out for a coffee afterwards.

Brigitte Goulard (02:17): OK that’s good. That sounds good. So they will not be subject to the Retail Payment Activities Act. Cash withdrawals from ATMs, not items. Agents and duties of a payment service provider, and finally something very specific, which is electronic money transfers for the purpose of giving effect to very specific contracts such as derivatives and secured lending agreements. So basically you could say it’s like everything except for a few things, and those – everything, so all the bodies that will be subject to – will probably for the first time ever be subject to an environment that is much more regulated than that they currently take care of. And it’s going to be a bit of a shock, I think, to a number of payment service providers, especially those that are more innovative and maybe not experienced in dealing with the regulator.

Andrew Bernstein (03:12): So what kind of oversight can these payment service providers expect from the Bank of Canada?

Brigitte Goulard (03:16): So I think there are five things they need to think about. The first is registration. Every single payment service provider that carries out the activity you mentioned, and that is not one of the exempted entities, must register with the Bank of Canada, and the Bank will maintain a public registry of all such entities that people can go and check to make sure they are one of the bodies under supervision. The next two that I will talk about are probably the core of what is written in the act on retail payment activities. The first is the reduction of operational risk and the handling of incidents. So a PSP has to file with the Bank of Canada guidelines, procedures that will reduce operational risk and deal with events such as them losing access to the funds being transferred, them losing some data. Those types of risks will need to be addressed in such a policy, and they have to impose some controls. So it’s a very good framework to ensure that the risk is contained. The third aspect, which is also very important, is the protection of end user funds. So let’s say, for example, you take milk for your coffee, but you refuse to pay for my coffee, and I pay you for my coffee via PayPal.

Andrew Bernstein (04:37): Right.

Brigitte Goulard (04:37): So the end user fund that will be transferred to you must be separated from the PSP’s own funds. So there is going to be segregation of these funds. They will be subject to specific rules. So basically people want some safety net to make sure their money is protected. Finally, the fourth is that there will be a lot of reporting. So if financial institutions that are used to dealing with regulated bodies, regulators, know that the regulators love their reports. So be prepared, PSPs out there, you’re going to be asked to do a lot of reports—annual reports, reports when you change your activities—so there’s going to be a layer of reporting that you’re going to be required to do. And finally, fees. The Bank of Canada will approach the PSPs to fund their supervisory activities. So you can expect some fees. In your competence as an administrative law attorney, you have dealt with a number of regulatory bodies in the past.

Andrew Bernstein (05:44): Yes.

Brigitte Goulard (05:44): So what do you think of the enforcement tools currently provided in the Retail Payments Act? Sufficient, not sufficient?

Andrew Bernstein (05:53): Yes, I would describe them as typical. And I think we’ll find that most of the time it’s sufficient. They range from fairly benign, such as requesting information or a special audit, or verifying certain aspects of compliance, to slightly more heavy-handed, such as asking a PSP to enter into a compliance agreement for the purpose of implementing compliance measures. And why would a PSP do that? A PSP would do that because the hammer that the Bank of Canada has is administrative monetary penalties. And the RPAA actually provides for fairly significant administrative monetary penalties, up to $10 million for individual PSPs that violate the law. So, you know, what’s interesting is that the fines are very significant and much higher than you see even in most criminal fines. But because the purpose of the penalties is to enforce compliance and not to punish, you don’t have the protections that a criminal defendant might have. Now, an important thing is that due diligence is a defense in relation to a breach. So it is not enough to show, strictly speaking, non-compliance. PSP wants the opportunity to say, “We actually tried really hard, and this just didn’t work.” And the other tool that not all regulators have is the actual obligation to publicize breaches. So other regulators may have the option that if you commit a violation, they don’t have to name you, or they don’t even have to say that a violation has occurred. The Bank of Canada will have an obligation to explain that a PSP has committed a breach. So I consider these very robust tools.

Andrew Bernstein (07:59): You are a former regulator so I assume you loved your reports. What is your view on these tools and what advice would you have for payment service providers to prepare?

Brigitte Goulard (08:11): So you’re right, these tools when I was Deputy Commissioner of the Financial Consumer Agency of Canada were very similar. You know, compliance agreements, penalties and so on. I think the three steps I would really recommend to the PSPs is to minimize the risk of non-compliance. The first is, understand your requirements. Understand what is expected of you. The legislation, for example in relation to operational risk, is very specific on what kind of controls you need to have, what kind of information you need to include in your policies. Understand what it is. And then through that understanding, make sure that when you create those policies, that they actually reflect the risk that you have. It’s not just, “Oh no, the regulators are asking us about this, you know, let’s do this kind of thing on this side of the table for half an hour and then we’re done.” You know, the time you take is very important because it will definitely go a long way to demonstrate due diligence. The second is once you get that document, implement those policies and procedures. Make sure you have those controls, make sure they’re reviewed, adequately, when necessary. Make sure your people understand what is being asked of them. Do the training required, do the communication. It’s very critical where I’ve often seen where there’s been a problem is that the policy procedure looks good, but the implementation where what’s on paper doesn’t necessarily match what the technology does, so make sure that’s there. And finally, have these controls in place. Legislation provides or mandates certain controls, but keep testing it, especially for PSPs where their product is really about technology.

Andrew Bernstein (10:01): Right.

Brigitte Goulard (10:01): It’s not about having a register and you take the money and make sure you count it correctly. It’s all about technology and there were so many times when I was a regulator where, you know, the intent to comply was there. The information was completely posted correctly. The disclosures occurred, guidelines and procedures. But someone had been tinkering in the background with the technology, which ended up affecting something they hadn’t expected. So make sure you do the checks and test so that you comply. So before we wrap it up, Andrew, any last words of wisdom to make sure they don’t end up in—well, it would be nice if they ended up in your office, but hopefully not in our office because of a potential breach.

Andrew Bernstein (10:43): Exactly. Come for a social visit. Do not come because you have received a violation notice.

Brigitte Goulard (10:49): Words of wisdom.

Andrew Bernstein (10:50): This is a new regime. It is a robust regime. And there will be bumps in the road as the regulator and the regulated test the limits of the new regime. You probably won’t be one of the test subjects. So I would strongly encourage people to do what Brigitte suggested, make sure things are in order, not just in order in theory, but in order in practice. And it allows you to focus on your business instead of focusing on regulatory issues that may arise.
