Who is Caught by Canada’s New Retail Payment Systems Regulation?
Who is Caught by Canada’s New Retail Payment Systems Regulation?
The Retail Payment Activities Act
The federal government introduced legislation to regulate retail payment providers in Canada. The much-anticipated draft of An Act Respecting Retail Payment Activities (the “RPAA”) is part of the 2021 budget implementation bill (Bill C-30), which passed second reading on May 27, 2021. The RPAA aims to implement the retail payments oversight framework, which was originally announced in 2017 by the Department of Finance in a consultation paper, A New Retail Payments Oversight Framework (the “2017 Consultation Paper”). The RPAA sets out the general framework for the regulation of retail payments activities in Canada, while the details of the regime will be set out in regulations (the “Regulations”) enacted by the Department of Finance and guidelines (the “Guidelines”) developed by the Bank of Canada (the “BOC”) which will be the designated supervisory authority under the RPAA.
For participants in the retail payments space, their initial concern will be to determine if the RPAA applies to them. In order to do so, such participants will need to determine if they are required to register under the RPAA. This bulletin will provide an overview of the proposed RPAA and set out some of the factors entities will need to consider when determining if they are required to register pursuant to it.
The term “retail payments” may raise some confusion among market participants. It does not refer to payments made by consumers. Instead, “retail payments” is used (for instance, by the Committee on Payment and Settlement Systems of the Bank for International Settlement) to distinguish between payments systems used for transfers of large amounts between systemically relevant market participants (often termed “large-value payment systems”) and payment systems used by consumers, businesses and governments for lower value transfers often relating to the purchase of goods or services or the payments of amounts due to governments (i.e., retail payment systems).
Where large-value payment systems tend to be operated or controlled by central banks or other government entities, retail payment systems are almost entirely made up of private sector participants. This difference is reflected in the purpose of regulation in each sector. The regulation of large-value payment systems generally is intended to reduce or identify systemic risks, while the regulation of retail payment systems is intended to protect end users (particularly with respect to their funds which are held by participants in retail payment systems) and encourage innovation in the retail payment sector. While both these purposes are identified in the preamble to the RPAA, the ostensible purpose for the legislation is to address risks to national security, which is a matter of federal regulation in Canada. It remains to be seen if the provinces will also regulate in this sector as a consumer protection matter.
Scope of Application
The RPPA has both a well-defined and a very broad scope of application. Effectively, the RPAA applies to any “retail payment activity” that is either performed by a “payment service provider” (“PSP”) that has a place of business in Canada, or performed for an “end user” in Canada (each of which is described further below) by a PSP that does not have a place of business in Canada but directs retail payment activities at individuals or entities that are in Canada. Therefore, the jurisdiction of the RPAA is geographic (to all of Canada) on the basis of both the end user and the PSP, or either of them. In respect of PSPs which are regulated in another jurisdiction but deal with Canadian end users, perhaps the federal government may consider some kind of substituted compliance regime (particularly where the end users are businesses as opposed to consumers). This would be consistent with other federal and provincial financial sector regulation regimes which recognize the relatively small size of the Canadian market and the need to allow non-Canadian firms a means to enter the marketplace without being subject to full regulation. It remains to be seen if such a regime will be instituted by the Regulations or the Guidelines.
End Users & PSPs
An “end user” is defined as an individual or entity that uses a payment service as a payer or payee and thus encompasses both consumer and business clients. Therefore, if a distinction is to be made between consumers and businesses, it will need to be made through definitions included in the Regulations or Guidelines.
A PSP is defined as an individual or entity who performs “payment functions” as a service or business activity that is not incidental to another service or business activity. Determining whether a payment function is ancillary to a PSP’s main activity seems, a priori, to be a highly fact specific analysis. Consequently, one could expect, in the absence of clearer guidance in the Regulations or Guidelines, very different interpretations on the subject. For example, where should the line be drawn with respect to a company that offers ride sharing and delivery services through hundreds of independent merchants but also has the ability to offer a wallet with which to record balances that can be used to pay those merchants? Is the payment functionality incidental to the services offered or is the payment functionality the essential part of the service which attracts customers and merchants? These issues come up routinely in other jurisdictions which regulate retail payment systems and will need to be addressed in the Canadian retail payments regime as well.
Retail Payment Activity & Payment Function
A “retail payment activity” is defined as a “payment function” that is performed in relation to an electronic funds transfer (“EFT“) that is made in the currency of Canada or another country or, significantly, using a unit that meets prescribed criteria. On the cusp of the increasingly standardized acceptance of cryptocurrency payments, the RPAA is the first regulatory framework potentially contemplating this type of transaction in the context of retail payment activities.
A “payment function” is described as:
- the provision or maintenance of an account that, in relation to an EFT, is held on behalf of one or more end users;
- the holding of funds on behalf of an end user until they are withdrawn by the end user or transferred to another individual or entity;
- the initiation of an EFT at the request of an end user;
- the authorization of an EFT or the transmission, reception or facilitation of an instruction in relation to an EFT; or
- the provision of clearing or settlement services.
Such description is quite broad, as EFTs are defined under the RPAA to include placement, transfer or withdrawal of funds by electronic means that is initiated by or on behalf of an individual or entity.
Some activities and entities are completely excluded from the application of the RPAA and do not need to register under it. For example, EFTs made with an instrument issued by a merchant or an issuer that is not a PSP and has an agreement with a group of merchants that allows the holder of the instrument to purchase goods or services from the issuing merchant or any other merchant taking part in such a group will not be captured by the RPAA (i.e. gifts cards, merchant payment cards or wallets connected to a merchant’s app). The carve out pertaining to merchant-issued instruments (commonly referred to as the “closed loop” exemption) seems fairly clear and easily applicable in practice. However, the same cannot be said for the exemption relating to instruments provided by an issuer but accepted by a specific group of merchants, also known as the “limited network” exemption. Effectively, unless further interpretative guidance is provided, it will be arduous to delimit the boundaries of what constitutes such a network of merchants. The limited network exemption is usually expected to apply to something like a shopping mall gift card, but it could equally apply to a broad internet marketplace with thousands of merchants (for instance, an eBay or kijiji electronic wallet) or the previous example involving a ride sharing / delivery company. This exemption may prove to be much broader than the drafters intended, especially if there is insufficient clarity on when an issuer is or is not a PSP.
Additionally, payment functions performed for the purpose of giving effect to an “eligible financial contract” as defined under the Canada Deposit Insurance Corporation Act (generally these would be payments related to foreign exchange derivatives as most other such payments are already made through large-value payment systems) and cash withdrawals at ATM machines are excluded. Retail payment activities performed between affiliated entities are also excluded (allowing businesses to set up internal cash management systems without worrying about regulation). Finally, any payment activity using a system designated under section 4 of the Payment Clearing and Settlement Act (i.e. large-value payment systems) also fall outside of the RPAA’s scope of application. This exemption is what limits the RPAA to retail payment systems.
In terms of entities that would otherwise meet the definition of a PSP but are excluded from the application of the RPAA (and do not need to be registered pursuant to it), federally and provincially regulated financial institutions such as banks, foreign banks, credit unions, insurance and trust companies as well as loan companies are exempted. Additionally, Payments Canada and the BOC are exempted. These are all entities that are already subject to government oversight and regulated through other legislation.
There is also an exemption from registration for agents of PSPs as long as the PSP has provided information about the agent as part of the registration process. This is very similar to the exemptions for agents of money services businesses under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. However, it is not clear if the circumstances are the same here, particularly since the agent is likely to be providing all the end user facing services and at some level will be involved in providing the payment functions (for instance, the agent will be undoubtedly be involved in the transmission of instructions relating to the EFT if they act as an intermediary between the end user and the PSP).
Once the legislation is in force, the completion of a prescribed application form and the payment of a registration fee will be required for PSPs wishing to perform any retail payment activities (unless exempt as described above). A record of all registered PSPs will be maintained and be made publicly available by the BOC. The BOC will also publish a list displaying individuals or entities who have been refused registration or whose registration has been revoked. Although an applicant has the possibility of appealing such refusal, one should be aware that the following reasons may be used as the basis for the refusal:
- reasons related to national security;
- if an applicant fails to provide requested additional information;
- if an applicant fails to comply with an order or undertaking required by the Minister of Finance (the “Minister”);
- if an applicant fails to comply with a condition imposed by the Minister;
- if an applicant has provided false or misleading information;
- if an applicant is not registered as a money service business under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the “PCMLTFA”);
- if an applicant has committed a “serious violation” under the PCMLTFA; or
- if an applicant has been deemed to have committed a violation under the RPAA.
Although the RPAA is still subject to the legislative process and drafts of the Regulations or the Guidelines remain to be published, participants in the retail payments space should not wait for absolute certainty before acting. For many entities it will be clear whether or not they will be required to register under the RPAA, and they can begin the process of determining how to comply now. For other entities whose status is not as clear, they should decide if they want to make their views known as part of the legislative and regulatory process or perhaps attempt to arrange their affairs to give themselves the greatest chance of avoiding registration, if desired.
A Cautionary Note
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2021
Insights (5 Posts)
While consumer interest in electric bicycles is increasing, regulatory interest in electric bicycles, or ebikes, is waning.
An overview of a recent Alberta Privacy Commissioner breach notification decision relevant to employee snooping.
Lessons learned from Alberta’s Office of the Information and Privacy Commissioner (OIPC) 11-Year Report
An overview of Alberta's Office of the Information and Privacy Commissioner 11-Year Report.
A look at the takeaways from the recent audit of Health Canada's IT systems.
This bulletin provides guidance regarding voice phishing, or "vishing" attacks. As they rise in popularity, companies must take action to protect their assets.
Get updates delivered right to your inbox. You can unsubscribe at any time.