Retail Payment Activities Regulations: SOR/2023-229
Canada Gazette, Part II, Volume 157, Number 24
Registration
SOR/2023-229 November 3, 2023
RETAIL PAYMENT ACTIVITIES ACT
P.C. 2023-1106 November 3, 2023
Her Excellency the Governor General in Council, on the recommendation of the Minister of Finance, makes the annexed Retail Payment Activities Regulations under section 101 of the Retail Payment Activities Act.
TABLE OF PROVISIONS
Retail Payment Activities Regulations
Definitions
1 Definitions
Non-application of Act
2 Securities-related transactions
3 Incidental retail payment activities
4 SWIFT
Risk Management and Incident Response
5 Framework
6 Availability of framework
7 Provision of information and training
8 Review
9 Testing
10 Independent review
11 Notice of incident — Bank
12 Notice of incident — individual or entity
Safeguarding of Funds
13 Accounts
14 Insurance or guarantee
15 Safeguarding-of-funds framework
16 Evaluation of insolvency protection
17 Independent review
Annual Report
18 Submission
19 Contents
Significant Change or New Activity
20 Notice to Bank
Registration
21 New application — acquisition of control
22 New application — other change
23 Registry
24 Application for registration
25 Registration fee
26 Decision to review — prescribed period
27 Conduct of review — prescribed period
28 Request for review of directive — prescribed period
29 Request for review of notice — prescribed period
30 Refusal to register — prescribed period and reasons
31 Review of refusal to register — prescribed period
32 Notice of intent to revoke registration — prescribed reasons
33 Review of notice of intent — prescribed period
34 Appeal — prescribed period
35 Notice of change in information — prescribed period
36 Notice of change in prescribed information
Prescribed Supervisory Information
37 Prescribed information
38 Non-disclosure by payment service provider
39 Use of information
Record Keeping and Retention
40 Records
41 Protective measures
42 Agents, mandataries and third-party service providers
Administration and Enforcement — Provision of Information
43 Prescribed period — payment service provider
44 Prescribed period — individual or entity
45 Prescribed period — undertaking or condition
Administrative Monetary Penalties
46 Designation of violations
47 Classification
48 Penalties
49 Criteria
50 Additional penalty
51 Service of documents
Transition Period
52 National security review — prescribed periods
53 Application for registration — prescribed period
54 Publication of application information
Coming into Force
55 S.C. 2021, c. 23, s. 177
SCHEDULE
Retail Payment Activities Regulations
Definitions
Definitions
1 The following definitions apply in these Regulations.
- Act means the Retail Payment Activities Act. (Loi)
- senior officer, in respect of an entity, means
- (a) a member of its board of directors who is also one of its full-time employees;
- (b) its chief executive officer, chief operating officer, president, chief risk officer, secretary, treasurer, controller, chief financial officer, chief accountant, chief auditor or chief actuary, or any person who performs functions similar to those normally performed by someone occupying one of those positions; or
- (c) any other officer who reports directly to its board of directors, chief executive officer or chief operating officer. (cadre dirigeant)
Non-application of Act
Securities-related transactions
2 A transaction in relation to securities is a prescribed transaction for the purpose of paragraph 6(b) of the Act if it is performed by an individual or entity that is regulated, or exempted from regulation, under Canadian securities legislation as defined in National Instrument 14-101 Definitions, as amended from time to time, of the Canadian Securities Administrators.
Incidental retail payment activities
3 A retail payment activity that is performed as a service or business activity that is incidental to another service or business activity is, unless that other service or business activity consists of the performance of a payment function, a prescribed retail payment activity for the purpose of paragraph 6(d) of the Act.
SWIFT
4 The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a prescribed entity for the purpose of paragraph 9(k) of the Act.
Risk Management and Incident Response
Framework
5 (1) The risk management and incident response framework required under subsection 17(1) of the Act must be in writing and must
- (a) set out the following among its objectives:
- (i) ensuring that the payment service provider is able to perform retail payment activities without reduction, deterioration or breakdown, including by ensuring the availability of the systems, data and information involved in the performance of those activities, and
- (ii) preserving the integrity and confidentiality of those activities, systems, data and information;
- (b) set out clearly defined and measurable reliability targets for the ability to perform the retail payment activities and for the availability of the systems, data and information referred to in subparagraph (a)(i), as well as indicators for assessing whether each of the objectives referred to in paragraph (a) is met;
- (c) identify the human and financial resources that are required to implement and maintain the framework, including, with respect to human resources, their skills and training, as well as the measures that the payment service provider must take to ensure timely and reliable access to those resources, whether from internal or external sources;
- (d) allocate specific roles and responsibilities in respect of the implementation and maintenance of the framework — both in the normal course of business and when detecting, responding to and recovering from incidents — including, unless the payment service provider is an individual,
- (i) responsibility for challenging and overseeing the exercise of each of those roles and responsibilities, and
- (ii) to a senior officer, responsibility for overseeing the payment service provider’s compliance with sections 6 to 10 of these Regulations and subsection 17(1), section 18 and subsection 19(3) of the Act and for overseeing material decisions that relate to the payment service provider’s identification and mitigation of, and response to, operational risks and incidents;
- (e) identify the assets — including systems, data and information — and business processes that are associated with the payment service provider’s performance of retail payment activities and classify them according to their sensitivity and their criticality to the performance of those activities;
- (f) identify, and describe the potential causes of, the payment service provider’s operational risks, including those relating to
- (i) business continuity and resilience,
- (ii) cybersecurity,
- (iii) fraud,
- (iv) information and data management,
- (v) information technology,
- (vi) human resources,
- (vii) process design and implementation,
- (viii) product design and implementation,
- (ix) change management,
- (x) physical security of persons and assets, and
- (xi) third parties;
- (g) describe the systems, policies, procedures, processes, controls and any other means that the payment service provider must have in place to mitigate its operational risks and protect the assets and business processes referred to in paragraph (e);
- (h) describe the systems, policies, procedures, processes, controls and any other means that the payment service provider must have in place to ensure the continuous monitoring of the following for the purpose of promptly detecting incidents, anomalous events that could indicate emerging operational risks and lapses in the implementation of the framework:
- (i) the payment service provider’s retail payment activities,
- (ii) the systems, data and information involved in the performance of those activities, and
- (iii) the systems, policies, procedures, processes, controls and other means referred to in paragraph (g);
- (i) set out a plan for responding to — including recovering from — incidents, including those involving or detected by an agent or mandatary or a third-party service provider, that
- (i) contains clearly defined policies, processes and procedures for implementing the plan and for escalating the response to an incident, taking into account the incident response procedures of any third-party service provider from which the payment service provider receives services and the need to coordinate its response with that of the third-party service provider,
- (ii) identifies the measures to be taken to mitigate the impact of an incident, including manual processes or other alternate solutions that the payment service provider could resort to if primary systems relating to the provision of retail payment activities were unavailable, and indicates how quickly those measures could be implemented,
- (iii) requires the payment service provider, on becoming aware of an incident, to immediately investigate it to determine
- (A) the incident’s root causes,
- (B) its possible or verified impact on retail payment activities,
- (C) its possible or verified impact on end users,
- (D) its possible or verified impact on other payment service providers or on clearing houses of clearing and settlement systems that are designated under subsection 4(1) of the Payment Clearing and Settlement Act, as those expressions are defined in section 2 of that Act, and
- (E) its possible or verified impact on systems, data or information involved in the performance of retail payment activities,
- (iv) requires the payment service provider, while an investigation is underway, to take immediate measures to prevent or mitigate any further damage, including to the integrity, confidentiality or availability of systems, data or information,
- (v) requires the payment service provider to take measures as soon as feasible to address the identified root causes of the incident,
- (vi) sets out policies and procedures for reporting incidents to and coordinating incident response with relevant internal stakeholders — including any senior officer referred to in subparagraph (d)(ii) and relevant agents and mandataries — and relevant external stakeholders, that address, among other things,
- (A) the timing of the reporting and coordination, and
- (B) the information that is to be reported and shared for the purpose of coordination,
- (vii) addresses how the payment service provider will promptly identify the status of all transactions at the time of any service reduction, deterioration or breakdown, recover lost or corrupted data and correct any data integrity issues, and
- (viii) requires the payment service provider to keep, in respect of each incident, a record of
- (A) the information referred to in clauses (iii)(A) to (E), as determined by the investigation,
- (B) the measures taken in accordance with subparagraphs (ii), (iv) and (v),
- (C) the manner in which it reported the incident and coordinated the incident response, and
- (D) the status of all transactions identified, the manner in which the status of those transactions was identified and the manner in which the payment service provider recovered any lost or corrupted data and corrected any data integrity issues; and
- (j) set out a plan for responding to anomalous events or lapses referred to in paragraph (h).
Proportionality
(2) All aspects of the risk management and incident response framework — including all objectives, targets, systems, policies, procedures, processes and controls — must be proportionate to the impact that a reduction, deterioration or breakdown of the payment service provider’s retail payment activities could have on end users and other payment service providers, having regard to factors including the payment service provider’s ubiquity and connectedness, as established using the information referred to in subparagraph 19(4)(a)(i) or paragraph 19(4)(b), as the case may be.
Third-party service providers
(3) If a payment service provider receives services related to a payment function from one or more third-party service providers, the risk management and incident response framework must
- (a) address the means by which the payment service provider will — no less than once a year in respect of each of its third-party service providers and before entering into, renewing, extending or substantially amending a contract with a third-party service provider for the provision of a service related to a payment function — assess
- (i) the third-party service provider’s ability to protect data and information that they obtain from the payment service provider or in the course of performing services for it,
- (ii) the security of the third-party service provider’s connections to and from the payment service provider’s systems,
- (iii) the manner in which the third-party service provider will consult or inform the payment service provider prior to making changes to the services that they provide, the manner in which they provide them or their practices for managing operational risk,
- (iv) the manner in which the third-party service provider’s performance may be monitored, including the time and manner in which the third-party service provider will inform the payment service provider of any detected breach of the payment service provider’s or the third-party service provider’s data, information or systems and of any other deterioration, reduction or breakdown in the services provided to the payment service provider, and
- (v) the third-party service provider’s risk management practices in relation to the services that they provide to the payment service provider;
- (b) require the payment service provider to keep a record of the dates, scope and findings of the assessments referred to in paragraph (a); and
- (c) clearly allocate responsibilities between the payment service provider and the third-party service provider, including in relation to the ownership, integrity, confidentiality and availability of data and information.
Agents and mandataries
(4) If a payment service provider intends to have agents or mandataries perform retail payment activities, the risk management and incident response framework must
- (a) set out criteria in relation to the management of operational risk that those agents or mandataries must satisfy;
- (b) prohibit the payment service provider from having an agent or mandatary perform retail payment activities on its behalf if the agent or mandatary does not satisfy those criteria;
- (c) address the means by which the payment service provider must, at least once a year, assess the extent to which its agents and mandataries satisfy those criteria and the agents’ and mandataries’ practices for managing operational risk;
- (d) require the payment service provider to keep a record of the date and findings of each assessment referred to in paragraph (c); and
- (e) clearly allocate responsibilities between the payment service provider and its agents and mandataries, including in relation to the ownership, integrity, confidentiality and availability of data and information.
Third party roles and responsibilities
(5) If the risk management and incident response framework allocates, under paragraph (1)(d), any roles or responsibilities to a third party, including a third-party service provider or an agent or mandatary, the framework must set out systems, policies, procedures, processes, controls or other means for overseeing the third party’s fulfillment of those roles and responsibilities.
Approval
(6) The risk management and incident response framework must be approved
- (a) by the senior officer referred to in subparagraph (1)(d)(ii), if any, at least once a year and following each material change that is made to the framework; and
- (b) by the payment service provider’s board of directors, if any, at least once a year.
Availability of framework
6 A payment service provider must ensure that its risk management and incident response framework remains available to all persons who have a role in implementing or maintaining it and must take all reasonable precautions to prevent its unauthorized deletion, destruction or amendment.
Provision of information and training
7 A payment service provider must ensure that all employees and other persons who have a role in establishing, implementing or maintaining its risk management and incident response framework are provided with the information and training that are necessary to carry out that role.
Review
8 (1) A payment service provider must review its risk management and incident response framework
- (a) at least once a year; and
- (b) before making any material change to its operations or its systems, policies, procedures, processes, controls or other means of managing operational risk.
Scope
(2) The review must evaluate
- (a) the risk management and incident response framework’s conformity with section 5;
- (b) the payment service provider’s effectiveness at meeting the objectives referred to in paragraph 5(1)(a), having regard to the targets and indicators referred to in paragraph 5(1)(b); and
- (c) the adequacy of the payment service provider’s human and financial resources for ensuring implementation of the framework.
Record
(3) The payment service provider must, in respect of each review, keep a record of the date on which it is conducted and its scope, methodology and findings.
Report and approval
(4) The payment service provider must ensure that the findings of each review are reported to the senior officer referred to in subparagraph 5(1)(d)(ii), if any, for their approval.
Testing
9 (1) A payment service provider must establish and implement a testing methodology, for the purpose of identifying gaps in the effectiveness of, and vulnerabilities in, the systems, policies, procedures, processes, controls and other means provided for in its risk management and incident response framework, that
- (a) is proportionate to the impact that a reduction, deterioration or breakdown of the payment service provider’s retail payment activities could have on end users and other payment service providers, having regard to factors including the payment service provider’s ubiquity and connectedness, as established using the information referred to in subparagraph 19(4)(a)(i) or paragraph 19(4)(b), as the case may be;
- (b) is designed taking into account both high-likelihood and high-impact operational risks;
- (c) provides for the use of tests that
- (i) involve relevant internal stakeholders, including agents or mandataries, decision-makers and individuals responsible for the payment service provider’s operational risk management, and
- (ii) take into account the payment service provider’s reliance on external stakeholders, including third-party service providers;
- (d) sets out the frequency and scope of testing; and
- (e) provides for testing before the adoption of any material change to the systems, policies, procedures, processes, controls or other means — or to any of the payment service provider’s operations that will affect them — for the purpose of evaluating the effects of the change.
Record
(2) The payment service provider must, in respect of each test that it carries out, keep a record of
- (a) the date on which the test is carried out;
- (b) its methodology, including a summary of how the test satisfies the requirements of subparagraphs (1)(c)(i) and (ii);
- (c) its results; and
- (d) any measures taken or to be taken to address those results.
Report to senior officer
(3) The payment service provider must ensure that the record is provided to the senior officer referred to in subparagraph 5(1)(d)(ii), if any.
Independent review
10 (1) A payment service provider that has an internal or external auditor must ensure that, at least once every three years, a sufficiently skilled individual who has had no role in establishing, implementing or maintaining the payment service provider’s risk management and incident response framework carries out an independent review of
- (a) the conformity of each element of the payment service provider’s risk management and incident response framework with the applicable requirements of section 5; and
- (b) the payment service provider’s compliance with each of its obligations under sections 6 to 9.
Record
(2) The payment service provider must obtain a record that sets out the independent reviewer’s name — or, if the independent reviewer carried out the review on behalf of an entity other than the payment service provider, that entity’s name — and the date of the review and describes the review’s scope, methodology and findings.
Report
(3) The payment service provider must report any gaps and vulnerabilities that are identified by the independent review, and any measures being taken to address them, to the senior officer referred to in subparagraph 5(1)(d)(ii), if any.
Notice of incident — Bank
11 (1) The notice that must be given to the Bank under section 18 of the Act must be submitted using the electronic system provided by the Bank for that purpose.
Contents
(2) The notice must contain
- (a) the payment service provider’s name, the name of an individual who may be contacted regarding the incident and that individual’s telephone number and email address;
- (b) a description of the incident and its material impact on the individuals or entities referred to in paragraphs 18(1)(a) to (c) of the Act; and
- (c) the measures taken by the payment service provider to respond to the incident.
Notice of incident — individual or entity
12 (1) The notice that must be given under section 18 of the Act to an individual or entity referred to in any of paragraphs 18(1)(a) to (c) of the Act must be
- (a) provided to each materially affected individual or entity using the most recent contact information provided by them to the payment service provider; and
- (b) posted on the payment service provider’s website if contact information is not available for every materially affected individual or entity.
Contents
(2) The notice must include
- (a) the payment service provider’s name;
- (b) a description of the incident, including when it began, and the nature of its material impacts on the individuals or entities; and
- (c) any corrective measures that could be taken by the individuals or entities.
Safeguarding of Funds
Accounts
13 A payment service provider that holds end-user funds in accordance with paragraph 20(1)(a) or (c) of the Act must ensure that the account in which they are held is provided by an entity that is referred to in one of paragraphs 9(a) to (d) or (f) to (h) of the Act or by a foreign financial institution that is regulated by a regulatory regime that imposes standards in respect of capital, liquidity, governance, supervision and risk management that are comparable to those that apply to those entities.
Insurance or guarantee
14 (1) A payment service provider that holds end-user funds in accordance with paragraph 20(1)(c) of the Act must ensure that the insurance or guarantee referred to in that paragraph is provided by an entity that
- (a) is referred to in one of paragraphs 9(a) to (h) of the Act or is a foreign financial institution that is regulated by a regulatory regime that imposes standards in respect of capital, liquidity, governance, supervision and risk management comparable to those that apply to those entities; and
- (b) is not affiliated with the payment service provider within the meaning of section 3 of the Act.
Conditions
(2) The payment service provider must ensure that
- (a) the proceeds from the insurance or guarantee will not form part of the payment service provider’s estate;
- (b) the proceeds from the insurance or guarantee will be payable for the benefit of end users as soon as feasible following an event referred to in subsection (3);
- (c) the insurance or guarantee will survive the payment service provider’s insolvency, as well as any compromise or arrangement with the payment service provider’s creditors and any extinguishment of the payment service provider’s obligations to end users, including those resulting from restructuring; and
- (d) the Bank is notified at least 30 days before any cancellation or termination of the insurance or guarantee.
Events
(3) For the purpose of paragraph (2)(b), the events are
- (a) the bringing by the payment service provider of an insolvency proceeding in respect of itself;
- (b) the consent by the payment service provider to the bringing of an insolvency proceeding in respect of it; and
- (c) the passage of 30 days after the day on which an insolvency proceeding is brought in respect of the payment service provider by another individual or entity, unless that insolvency proceeding is discontinued or dismissed in that time.
Definition of insolvency proceeding
(4) For the purpose of subsection (3), insolvency proceeding means any proceeding, action, application, case or legal process relating to bankruptcy, insolvency, liquidation, dissolution or winding-up that is commenced in respect of a payment service provider under the law of any jurisdiction.
Safeguarding-of-funds framework
15 (1) A payment service provider that holds end-user funds must establish, implement and maintain a written safeguarding-of-funds framework that conforms to subsections (2) to (5) for the purpose of ensuring that
- (a) end users have reliable access without delay to the end-user funds that are being held by the payment service provider; and
- (b) if an event referred to in subsection 14(3) occurs in respect of the payment service provider, those end-user funds, or proceeds of the insurance or guarantee referred to in paragraph 20(1)(c) of the Act, are paid to end users as soon as feasible.
Contents
(2) The safeguarding-of-funds framework must describe the payment service provider’s systems, policies, processes, procedures, controls and other means for meeting the objectives referred to in subsection (1), including
- (a) those in relation to the payment service provider’s use of liquidity arrangements and its holding of end-user funds in the form of secure and liquid assets;
- (b) a requirement to keep a ledger, which is to be identified and classified as an asset in accordance with paragraph 5(1)(e), that sets out
- (i) the name and contact information of each end user whose funds are held by the payment service provider, and
- (ii) the amount of funds belonging to each of those end users that is held by the payment service provider at the end of each day; and
- (c) in respect of the objective referred to in paragraph (1)(b),
- (i) the means by which it will be ensured that the insolvency or bankruptcy administrator or trustee or other person appointed to carry out insolvency proceedings as defined in subsection 14(4), or the insurance or guarantee provider, as the case may be, is able to
- (A) access all relevant records or documentation in relation to end-user funds,
- (B) contact end users as soon as feasible, and
- (C) identify any errors or deficiencies in the payment service provider’s ledger of end-user funds and address any shortfall in the funds to be returned to each end user,
- (ii) the procedures to be followed to return funds to end users, and
- (iii) the role of any of the payment service provider’s agents, mandataries or third-party service providers in facilitating the execution of the tasks referred to in subparagraphs (i) and (ii).
Legal risks and operational risks
(3) The safeguarding-of-funds framework must identify legal risks and operational risks that could hinder the meeting of the objectives referred to in subsection (1) and the means of mitigating those risks, including having regard to
- (a) the jurisdictions in which the payment service provider, its end users, the providers of the accounts in which it holds end-user funds and, if applicable, its insurance or guarantee providers are located;
- (b) the identity of the payment service provider’s account providers and, if applicable, its insurance or guarantee providers;
- (c) the terms of the payment service provider’s trust arrangements with its end users, if applicable; and
- (d) the terms of the payment service provider’s insurance policies or guarantees, if applicable.
Identification of senior officer
(4) The safeguarding-of-funds framework must, unless the payment service provider is an individual, identify a senior officer who is responsible for overseeing the payment service provider’s practices for safeguarding end-user funds and for ensuring the payment service provider’s compliance with sections 13 to 17 of these Regulations and subsection 20(1) of the Act.
Approval
(5) The safeguarding-of-funds framework must be approved
- (a) by the senior officer, if any, at least once a year and following each material change that is made to the framework; and
- (b) by the payment service provider’s board of directors, if any, at least once a year.
Review of framework
(6) The payment service provider must review, at the following times, the safeguarding-of-funds framework to ensure the framework’s conformity with subsections (2) to (5) and its effectiveness at meeting the objectives referred to in subsection (1):
- (a) at least once a year;
- (b) after any change to the means, among those set out in paragraphs 20(1)(a) to (c) of the Act, by which the payment service provider safeguards end-user funds; and
- (c) after any of the following changes, if they could reasonably be expected to have a material impact on the manner in which end-user funds are safeguarded:
- (i) the opening or closure of any account in which the payment service provider holds end-user funds,
- (ii) a change in the entity that provides any account in which the payment service provider holds end-user funds,
- (iii) a change to the terms of the account agreement in respect of any account in which the payment service provider holds end-user funds, or
- (iv) in the case of a payment service provider that holds funds in accordance with paragraph 20(1)(c) of the Act, a change in its insurance or guarantee providers or to the terms of the insurance policy or guarantee.
Record
(7) The payment service provider must, in respect of each review, keep a record of the date on which it is conducted and its scope, methodology and findings.
Report and approval
(8) The payment service provider must ensure that the findings of each review are reported to the senior officer referred to in subsection (4), if any, for their approval.
Evaluation of insolvency protection
16 (1) A payment service provider referred to in subsection 20(1) of the Act must take measures to ensure the identification of any instance, as soon as feasible after it occurs, in which the end-user funds held by the payment service provider — or equivalent proceeds from any insurance or guarantee referred to in paragraph 20(1)(c) of the Act — would not have been payable to end users had an event referred to in subsection 14(3) of these Regulations occurred.
Obligations
(2) The payment service provider must, immediately after identifying such an instance, investigate its root cause and, as soon as feasible, take the necessary measures to prevent similar instances from recurring.
Independent review
17 (1) A payment service provider referred to in subsection 20(1) of the Act must ensure that, at least once every three years, a sufficiently skilled individual who has had no role in establishing, implementing or maintaining the safeguarding-of-funds framework, in taking the measures referred to in subsection 16(1) or in identifying the instances referred to in that subsection carries out an independent review of the payment service provider’s compliance with subsection 20(1) of the Act and sections 13 to 16 of these Regulations.
Record
(2) The payment service provider must obtain a record that sets out the independent reviewer’s name — or, if they carried out the review on behalf of an entity other than the payment service provider, that entity’s name — and the date of the review and describes the review’s scope, methodology and findings.
Report
(3) The payment service provider must report any gaps and vulnerabilities that are identified by the independent review, and any measures being taken to address them, to the senior officer referred to in subsection 15(4), if any.
Annual Report
Submission
18 (1) For the purpose of section 21 of the Act, a payment service provider that performs retail payment activities in a calendar year must submit the annual report in respect of that year no later than March 31 of the following year.
Form and manner
(2) The report must be submitted using the electronic system provided for that purpose by the Bank.
Contents
19 (1) For the purpose of paragraph 21(a) of the Act, the prescribed information consists of
- (a) a description of any changes made to the payment service provider’s risk management and incident response framework during the reporting year and the payment service provider’s plans for the framework’s maintenance and implementation;
- (b) a description of the objectives referred to in paragraph 5(1)(a) and the targets and indicators referred to in paragraph 5(1)(b);
- (c) a description of the means by which the payment service provider carried out any assessments referred to in paragraph 5(3)(a) during the reporting year;
- (d) a description of the manner in which the payment service provider carried out any assessments referred to in paragraph 5(4)(c) during the reporting year, including the criteria used;
- (e) a description of the human and financial resources for implementing and maintaining the risk management and incident response framework that were available to the payment service provider during the reporting year;
- (f) a description of roles and responsibilities allocated by the payment service provider in respect of the implementation and maintenance of their risk management and incident response framework during the reporting year;
- (g) a description of the payment service provider’s operational risks in respect of the reporting year, their potential causes and the manner in which they were identified;
- (h) a description of the manner in which the payment service provider classified any assets and business processes for the purpose of paragraph 5(1)(e) during the reporting year;
- (i) a description of the systems, policies, procedures, processes, controls and other means referred to in paragraphs 5(1)(g) and (h) and subsection 5(5) that the payment service provider had in place during the reporting year;
- (j) a description of the plans referred to in paragraphs 5(1)(i) and (j) and the manner in which those plans were maintained and implemented during the reporting year;
- (k) a description of the means by which the payment service provider obtained the approvals required under subsection 5(6) during the reporting year;
- (l) a description of the means by which the payment service provider ensured the availability of its risk management and incident response framework and of the precautions that it took to prevent the unauthorized deletion, destruction or amendment of the framework, as required by section 6, during the reporting year;
- (m) a description of the information and training that the payment service provider ensured was provided under section 7 during the reporting year;
- (n) a description of all reviews under section 8, testing under section 9 and independent reviews under section 10 that the payment service provider carried out or ensured were carried out during the reporting year, as well as a description of the payment service provider’s testing methodology referred to in subsection 9(1); and
- (o) a description of any incidents that the payment service provider experienced during the reporting year.
Accounts, insurance and guarantees
(2) For the purpose of paragraph 21(b) of the Act, the prescribed information consists of
- (a) information on any entity that has provided the payment service provider with an account referred to in subsection 20(1) of the Act, including the entity’s name and the name of the regulator responsible for supervising the entity with respect to its adherence to the standards referred to in section 13 of these Regulations;
- (b) the name of any other payment service provider through which the payment service provider has obtained the use of an account referred to in subsection 20(1) of the Act;
- (c) information on any entity that has provided the payment service provider with the insurance or guarantee referred to in paragraph 20(1)(c) of the Act, including the entity’s name and the name of the regulator responsible for supervising the entity with respect to its adherence to the standards referred to in section 14(1)(a) of these Regulations; and
- (d) a description of the terms of any insurance or guarantee referred to in paragraph 20(1)(c) of the Act that the payment service provider holds.
Holding of end-user funds
(3) For the purpose of paragraph 21(c) of the Act, the prescribed information consists of
- (a) a description of all of the means, among those set out in paragraphs 20(1)(a) to (c) of the Act, by which the payment service provider safeguards end-user funds and, if applicable, a description of the payment service provider’s trust arrangement with its end users;
- (b) a description of the payment service provider’s safeguarding-of-funds framework referred to in section 15;
- (c) a description of any instance referred to in subsection 16(1) that was identified during the reporting year, its root cause and any measures taken to prevent similar instances from recurring; and
- (d) a description of any independent review that was conducted under section 17 during the reporting year, including the date on which it was conducted, its scope and the name that is set out in the record referred to in subsection 17(2).
Other information
(4) For the purpose of paragraph 21(d) of the Act, the prescribed information consists of
- (a) in the case of a payment service provider that has a place of business in Canada,
- (i) information establishing the payment service provider’s ubiquity and interconnectedness, including
- (A) the maximum value, expressed in Canadian dollars, of end-user funds that the payment service provider held at any time during the reporting year for each of the following categories of end users:
- (I) all end users, and
- (II) end users in Canada,
- (B) for each month of the reporting year,
- (I) the average value, expressed in Canadian dollars, of the end-user funds that the payment service provider held at the end of each day for all end users,
- (II) the average value, expressed in Canadian dollars, of the end-user funds that the payment service provider held at the end of each day for end users in Canada,
- (III) the average value of the end-user funds, broken down by currency and expressed in that currency, that the payment service provider held at the end of each day for all end users,
- (IV) the average value of the end-user funds, broken down by currency and expressed in that currency, that the payment service provider held at the end of each day for end users in Canada,
- (V) the number of electronic funds transfers in relation to which the payment service provider performed a retail payment activity,
- (VI) the number of electronic funds transfers in relation to which the payment service provider performed a retail payment activity for end users in Canada,
- (VII) the number of electronic funds transfers, broken down by currency, in relation to which the payment service provider performed a retail payment activity,
- (VIII) the number of electronic funds transfers, broken down by currency, in relation to which the payment service provider performed a retail payment activity for end users in Canada,
- (IX) the total value, expressed in Canadian dollars, of all electronic funds transfers in relation to which the payment service provider performed a retail payment activity,
- (X) the total value, expressed in Canadian dollars, of all electronic funds transfers in relation to which the payment service provider performed a retail payment activity for end users in Canada,
- (XI) the total value, broken down by the currency in which the electronic funds transfers are made and expressed in that currency, of all electronic funds transfers in relation to which the payment service provider performed a retail payment activity, and
- (XII) the total value, broken down by the currency in which the electronic funds transfers are made and expressed in that currency, of all electronic funds transfers in relation to which the payment service provider performed a retail payment activity for end users in Canada,
- (C) the number of end users and end users in Canada for which the payment service provider performed a retail payment activity during the reporting year, and
- (D) the number of other payment service providers for which the payment service provider performed a retail payment activity during the reporting year and, of those, the number that have a place of business in Canada, and
- (ii) if the payment service provider holds end-user funds other than in accordance with subsection 20(1) of the Act, information establishing that those end-user funds are deposits accepted by the payment service provider that are insured or guaranteed under an Act of the province in which they are held;
- (b) in the case of a payment service provider that does not have a place of business in Canada, information establishing the payment service provider’s ubiquity and interconnectedness in Canada, including the information referred to in
- (i) subclauses (a)(i)(A)(II) and (B)(II), (IV), (VI), (VIII), (X) and (XII),
- (ii) clause (a)(i)(C), in relation only to the payment service provider’s end users in Canada, and
- (iii) clause (a)(i)(D), in relation only to other payment service providers that have a place of business in Canada;
- (c) a description of any significant change referred to in subsection 22(1) of the Act that was made by the payment service provider during the reporting year and any retail payment activity that the payment service provider began or ceased to perform during that year;
- (d) a description of any change to the payment service provider’s use of third-party service providers during the reporting year;
- (e) a description of any change to the payment service provider’s use of agents or mandataries during the reporting year;
- (f) a description of the payment service provider’s record-keeping practices during the reporting year; and
- (g) a description of the payment service provider’s financial metrics for the reporting year, including its revenues, gross profits or losses, operating profits or losses, assets, liabilities and equity.
Definition of reporting year
(5) In this section, reporting year means the calendar year in respect of which an annual report is submitted.
Significant Change or New Activity
Notice to Bank
20 (1) The notice referred to in subsection 22(1) of the Act must
- (a) be given to the Bank at least five business days before the day on which the payment service provider makes a significant change in the way it performs a retail payment activity or the day on which it performs a new retail payment activity;
- (b) be submitted using the electronic system provided for that purpose by the Bank; and
- (c) include
- (i) the payment service provider’s name,
- (ii) the name, phone number and email address of an individual who may be contacted regarding the significant change or new activity,
- (iii) a description of the change or new activity to be performed,
- (iv) the reason for the change or new activity,
- (v) the date on which the change is to be made or the new activity is first to be performed,
- (vi) the payment service provider’s assessment of the effect that the change or new activity will have on its operational risks and on the manner in which end-user funds are safeguarded, both during and following implementation of the change or new activity,
- (vii) a list and summary of all of the payment service provider’s documentation, including in relation to its risk management and incident response framework, that has been amended or created to reflect the change or new activity, and
- (viii) if the payment service provider has senior officers, an indication that the change or new activity has been approved by a senior officer.
Definition of business day
(2) For the purpose of paragraph (1)(a), business day means a business day of the Bank.
Registration
New application — acquisition of control
21 For the purpose of subsection 24(1) of the Act, an individual or entity acquires control of
- (a) a corporation once they, alone or in combination with any entities with which they are affiliated within the meaning of section 3 of the Act,
- (i) hold — or have held for their benefit — directly or indirectly, otherwise than by way of security only, securities to which are attached one third or more of the votes that may be cast to elect directors of the corporation, or
- (ii) acquire control of an entity that controls the corporation;
- (b) a limited partnership once they become a general partner in it; and
- (c) an entity other than a corporation or limited partnership once they, alone or in combination with any entities with which they are affiliated within the meaning of section 3 of the Act,
- (i) hold — or have held for their benefit — directly or indirectly, an interest in the entity that entitles them to receive one third or more of the entity’s profits or one third or more of its assets on dissolution, or
- (ii) acquire control of an entity that controls the entity.
New application — other change
22 The acquisition of any of the following by a state-owned enterprise, as defined in section 3 of the Investment Canada Act, is a prescribed change for the purpose of subsection 24(2) of the Act:
- (a) a power to appoint the Chief Executive Officer or other senior management officers of the payment service provider or members of its board of directors or a similar body;
- (b) if the payment service provider is a corporation, voting rights in respect of the election of its directors; or
- (c) if the payment service provider is an entity other than a corporation, ownership interests in the payment service provider.
Registry
23 The following is prescribed information for the purpose of section 26 of the Act:
- (a) any trade names of the payment service provider;
- (b) the date on which the payment service provider was registered;
- (c) the payment service provider’s civic address — or that of their head office, if applicable — and their primary mailing address;
- (d) the payment service provider’s telephone number;
- (e) the payment service provider’s email address;
- (f) the payment service provider’s website address, if any;
- (g) the payment functions performed by the payment service provider; and
- (h) the names of all agents and mandataries that perform functions on behalf of the payment service provider.
Application for registration
24 (1) An application under subsection 29(1) of the Act must be submitted to the Bank using the electronic system provided by the Bank for that purpose.
Contact information
(2) For the purpose of paragraph 29(1)(b) of the Act, the prescribed contact information consists of
- (a) the applicant’s civic address — or that of their head office, if applicable — and their primary mailing address;
- (b) the applicant’s telephone number;
- (c) the applicant’s email address;
- (d) the applicant’s fax number, if any;
- (e) the applicant’s website address, if any; and
- (f) the mailing address, telephone number and email address of an individual who may be contacted for inquiries related to the application.
Organization and structure
(3) For the purpose of paragraph 29(1)(d) of the Act, the prescribed information consists of
- (a) if the applicant is an individual, their name and date of birth;
- (b) if the applicant is an entity, the date, country and jurisdiction of its incorporation or other formation and, in the case of a corporation, its incorporation number and the legislation under which it is incorporated; and
- (c) the following information in respect of each of the applicant’s affiliated entities, if any:
- (i) its legal name and any trade names,
- (ii) its mailing address, the civic address of its head office, its telephone number, its email address and, if applicable, its website address, and
- (iii) a description of any retail payment activities that it performs.
Agents and mandataries
(4) For the purpose of paragraph 29(1)(e) of the Act, the prescribed information consists of, in respect of each agent or mandatary,
- (a) their legal name and any trade names;
- (b) their civic address — or that of their head office, if applicable — primary mailing address, telephone number, email address and, if applicable, website address; and
- (c) a description of the retail payment activities that they perform on behalf of the applicant and the civic address of each location at which they perform them.
Volume and value of retail payment activities
(5) For the purpose of paragraph 29(1)(f) of the Act, the prescribed information consists of
- (a) in the case of an applicant that has a place of business in Canada, for each of the previous 12 months,
- (i) the number of electronic funds transfers in relation to which they performed a retail payment activity and the total value of those electronic funds transfers, expressed in Canadian dollars, and
- (ii) the number of electronic funds transfers in relation to which they performed a retail payment activity for end users in Canada and the total value of those electronic funds transfers, expressed in Canadian dollars;
- (b) in the case of an applicant that does not have a place of business in Canada, the information referred to in subparagraph (a)(ii); and
- (c) in the case of an applicant that has not performed any retail payment activities in the last year, a projection for the first year in which they will perform retail payment activities of the information referred to in
- (i) paragraph (a), if they have a place of business in Canada, or
- (ii) subparagraph (a)(ii), if they do not have a place of business in Canada.
End-user funds
(6) For the purpose of paragraph 29(1)(h) of the Act, the prescribed information consists of
- (a) for each of the previous 12 months, the average value, expressed in Canadian dollars, of end-user funds that the applicant held at the end of each day — or, if the applicant has not performed any retail payment activities in the previous year, the projected value, expressed in Canadian dollars, of end-user funds that they will hold at the end of each day in their first year performing retail payment activities — for
- (i) end users in Canada, and
- (ii) in the case of an applicant that has a place of business in Canada, all end users; and
- (b) the currencies in which the applicant held end-user funds for each of the following categories of end users in the previous year — or, if the applicant has not performed any retail payment activities in the previous year, the currencies in which they plan to hold end-user funds for each of those categories of end users in their first year performing retail payment activities — and the share of funds held or to be held in each of those currencies:
- (i) end users in Canada, and
- (ii) in the case of an applicant that has a place of business in Canada, all end users.
Safeguarding of end-user funds
(7) For the purpose of paragraph 29(1)(j) of the Act, the prescribed information consists of
- (a) a description of all of the means, among those set out in paragraphs 20(1)(a) to (c) of the Act, by which the applicant safeguards or plans to safeguard end-user funds;
- (b) the name of any entity from which the applicant has obtained or plans to obtain an account referred to in subsection 20(1) of the Act or the insurance or guarantee referred to in paragraph 20(1)(c) of the Act and the name of the regulator responsible for supervising that entity with respect to its adherence to standards in respect of capital, liquidity, governance, supervision and risk management; and
- (c) if the applicant holds or plans to hold end-user funds other than in accordance with subsection 20(1) of the Act, information establishing that those funds were or will be accepted by the applicant as deposits that are or will be insured or guaranteed under an Act of the province in which they are held.
Third-party service provider
(8) For the purpose of paragraph 29(1)(k) of the Act, the prescribed information consists of, in respect of each third-party service provider that has or will have a material impact on the applicant’s operational risks or the manner in which the applicant safeguards or plans to safeguard end-user funds,
- (a) their legal name and any trade names;
- (b) their civic address — or that of their head office, if applicable — primary mailing address, telephone number, email address and, if applicable, website address;
- (c) a description of the services in relation to retail payment activities that they provide or will provide to the applicant; and
- (d) the geographical location of the technologies that they use to provide services in relation to retail payment activities or to store end user data.
National security review
(9) For the purpose of paragraph 29(1)(p) of the Act, the prescribed information consists of
- (a) the names of any foreign regulators that supervise the applicant’s retail payment activities in other jurisdictions and the statutes under which that supervision occurs;
- (b) an indication of whether the applicant is publicly traded and, if so, the name of the exchanges on which it is traded;
- (c) all countries of residence of the applicant and of any individual or entity with which they are affiliated within the meaning of section 3 of the Act;
- (d) a corporate organization chart that identifies all individuals or entities that control or are controlled by the applicant within the meaning of section 21;
- (e) the country of residence of each individual or entity that controls the applicant within the meaning of section 21 and, in the case of an individual, their countries of citizenship;
- (f) if the applicant is a corporation, the name, countries of residence and citizenship, incorporation or other formation, as the case may be, of any individual or entity that holds — or for whose benefit are held — directly or indirectly, otherwise than by way of security only, securities to which are attached 10% or more of the votes that may be cast to elect the applicant’s directors;
- (g) if the applicant is an entity other than a corporation or limited partnership, the name, countries of residence and citizenship, incorporation or other formation, as the case may be, of any individual or entity that holds — or for whose benefit is held — directly or indirectly, an interest in the applicant that entitles them to receive 10% or more of the applicant’s profits or 10% or more of its assets on dissolution;
- (h) if the applicant has a board of directors, the name, countries of residence and citizenship, mailing address, telephone number and email address of each of its members, as well as an indication of whether they are a member of the board of directors of any other entities and, if so, the names of those entities;
- (i) if the applicant has senior officers, the name, countries of residence and citizenship, mailing address, telephone number and email address of each of the five senior officers who were, for the last calendar year, the most highly compensated, having regard to all forms of compensation, including stock options, performance-based incentives and other benefits;
- (j) the name, countries of residence and citizenship, incorporation or other formation, as the case may be, mailing address, telephone number, email address and, if applicable, head office address of each of the five creditors to which the applicant owed the greatest amount at any time during the last calendar year;
- (k) an indication of whether a state-owned enterprise, as defined in section 3 of the Investment Canada Act, holds — or has held for its benefit — directly or indirectly, an ownership interest or voting interest in the applicant and, if so, the name of the state-owned enterprise and of the applicable foreign state and a description of the interest, including, in the case of a voting interest, whether it has a special veto or other decision-making right attached to it;
- (l) an indication of whether a state-owned enterprise, as defined in section 3 of the Investment Canada Act, has the power to appoint the Chief Executive Officer or other senior management officers of the applicant, or members of its board of directors or a similar body, and, if so, the name of the state-owned enterprise and the applicable foreign state and a description of that power;
- (m) a list of all categories of personal or financial information, including the following categories, that the applicant gathers or plans to gather in respect of their end users in Canada, employees or business partners and the purposes for which the information is gathered:
- (i) personal identifying information,
- (ii) financial data, including confidential account information,
- (iii) private communications, and
- (iv) geolocation data;
- (n) all countries in which the applicant or their third-party service providers store or process, or plan to store or process, any information referred to in paragraph (m);
- (o) the name, countries of residence and citizenship, incorporation or other formation, as the case may be, mailing address, telephone number, email address and, if applicable, head office address of every individual or entity that may be given access to any information referred to in paragraph (m), other than an employee or agent or mandatary of the applicant, an employee of a payment service provider referred to in section 9 of the Act or an employee of a registered payment service provider;
- (p) in the case of an applicant that has a place of business in Canada,
- (i) the name of any other payment service provider for which they performed a retail payment activity in the previous two years, and
- (ii) the name of any other payment service provider for which they plan to perform a retail payment activity in the next two years; and
- (q) in the case of an applicant that does not have a place of business in Canada,
- (i) the name of any other payment service provider that has a place of business in Canada and for which the applicant performed a retail payment activity in the previous two years, and
- (ii) the name of any other payment service provider that has a place of business in Canada and for which the applicant plans to perform a retail payment activity in the next two years.
Registration fee
25 (1) The prescribed registration fee for the purpose of subsection 29(2) of the Act is the amount determined by the formula
- $2,500 × (A ÷ B)
- where
- A is the September All-items Consumer Price Index for Canada, as published by Statistics Canada under the Statistics Act, for the calendar year immediately before the year in which the application is submitted; and
- B is the September All-items Consumer Price Index for Canada, as published by Statistics Canada under the Statistics Act, for the calendar year in which this section comes into force.
Exception
(2) Despite subsection (1), the fee to be included with an application for registration that is submitted in the calendar year in which this section comes into force is $2,500.
No decrease
(3) Despite subsection (1), if a fee determined under that subsection is less than the fee that was required to be included with an application submitted in the previous calendar year, the fee is instead equal to the fee applicable in that previous year.
Decision to review — prescribed period
26 (1) The prescribed period for the purpose of subsection 34(1) of the Act is 60 days beginning on the day after the day on which the Minister is provided with a copy of the application for registration.
Extension
(2) The prescribed period for the purpose of subsection 34(2) of the Act is 60 days.
Conduct of review — prescribed period
27 The prescribed period for the purpose of section 36 of the Act is 180 days beginning on the day after the day on which the Minister decides to review the application for registration.
Request for review of directive — prescribed period
28 The prescribed period for the purpose of subsection 41(1) of the Act is 30 days beginning on the day after the day on which the applicant is notified of the refusal to register.
Request for review of notice — prescribed period
29 The prescribed period for the purpose of subsection 46(1) of the Act is 30 days beginning on the day after the day on which the payment service provider is notified of the issuance of the notice of intent.
Refusal to register — prescribed period and reasons
30 For the purpose of subsection 48(1) of the Act,
- (a) the prescribed period within which the Bank may refuse to register an applicant is
- (i) in the case of a refusal for the reason referred to in paragraph 48(1)(a) of the Act, 45 days beginning on the day after the day on which the period referred to in subsection 29(3) of the Act expires, and
- (ii) in the case of a refusal for any other reason, 45 days beginning on the day after the day on which the Bank considers the application to be complete; and
- (b) the following are prescribed reasons for which the Bank may refuse to register an applicant:
- (i) the applicant has failed to pay an assessment or interim assessment that was made against them under section 99 of the Act when they were a registered payment service provider, and
- (ii) the Act does not apply to the applicant or in respect of any payment functions that they perform or plan to perform.
Review of refusal to register — prescribed period
31 (1) The prescribed period for the purpose of subsection 50(1) of the Act is 30 days beginning on the day after the day on which the applicant is notified of the refusal to register.
Decision
(2) The prescribed period for the purpose of subsection 50(3) of the Act is 90 days beginning on the day after the day on which the applicant requests the review.
Notice of intent to revoke registration — prescribed reasons
32 The following are prescribed reasons for the purpose of section 52 of the Act:
- (a) the payment service provider has failed to pay an assessment or interim assessment made against it under section 99 of the Act; or
- (b) the Act no longer applies to the payment service provider or in respect of any payment functions that it performs or plans to perform.
Review of notice of intent — prescribed period
33 (1) The prescribed period for the purposes of subsection 53(1) and section 54 of the Act is 30 days beginning on the day after the day on which the payment service provider is notified of the intent to revoke its registration.
Decision
(2) The prescribed period for the purpose of subsection 53(3) of the Act is 90 days beginning on the day after the day on which the payment service provider has completed making its representations or, if it does not make any, the day after the day on which its opportunity to do so ends.
Appeal — prescribed period
34 The prescribed period for the purpose of subsection 58(1) of the Act is 30 days beginning on the day after the day on which the applicant or payment service provider is notified of the decision under subsection 50(3) or 53(3) of the Act.
Notice of change in information — prescribed period
35 For the purpose of subsection 59(1) of the Act,
- (a) the prescribed period is 30 days beginning on the day after the day on which the change occurs; and
- (b) the notice must be given using the electronic system provided by the Bank for that purpose.
Notice of change in prescribed information
36 (1) The prescribed information for the purpose of subsection 60(1) of the Act is the information referred to in subsection 24(9) of these Regulations, other than that referred to in subparagraphs 24(9)(p)(i) and (q)(i).
Prescribed period
(2) The prescribed period for the purpose of subsection 60(2) of the Act is
- (a) in respect of the following changes, as soon as feasible after the payment service provider becomes aware of the change, even if the change has already taken effect:
- (i) a change to the information referred to in any of paragraphs 24(9)(a) to (c) and (e) to (j) or in subparagraph 24(9)(p)(ii) or (q)(ii),
- (ii) a change to a mailing address, telephone number or email address referred to in paragraph 24(9)(o), and
- (iii) a change to the information referred to in paragraph 24(9)(k) or (l) of these Regulations;
- (b) in respect of the following changes, at least 30 days before the day on which the change takes effect:
- (i) a change to the information referred to in paragraph 24(9)(d) or (m), and
- (ii) a change to the information referred to in paragraph 24(9)(o), other than the information referred to in subparagraph (a)(ii); and
- (c) in respect of a change to the information referred to in paragraph 24(9)(n), at least 60 days before the day on which the change takes effect.
Prescribed Supervisory Information
Prescribed information
37 The following is prescribed information for the purpose of subsection 64(1) of the Act:
- (a) any direction, notice, letter, plan, report or recommendation issued or prepared by the Bank in connection with its supervision of a payment service provider, including as a result of any assessment, testing, audit or investigation that it carries out in respect of the payment service provider;
- (b) a notice of refusal given under subsection 48(3) of the Act;
- (c) a notice of intent to revoke issued under section 52 of the Act;
- (d) a notice of decision given under subsection 53(3) of the Act;
- (e) a notice of revocation given under subsection 55(2) of the Act;
- (f) a compliance agreement referred to in section 71 of the Act;
- (g) a notice of violation issued under subsection 76(2) of the Act;
- (h) a compliance agreement referred to in paragraph 76(2)(b) of the Act;
- (i) a notice of decision issued under subsection 78(4) of the Act;
- (j) a notice of compliance served under section 81 of the Act;
- (k) a notice of default issued under section 82 of the Act;
- (l) an order made under subsection 94(1) or (4) of the Act; and
- (m) any correspondence to or from the applicant or payment service provider that relates to any of the items referred to in paragraphs (a) to (l).
Non-disclosure by payment service provider
38 (1) Subject to subsections (2) and (3), a payment service provider must not, directly or indirectly, disclose any information referred to in section 37.
Exception
(2) A payment service provider may disclose information referred to in section 37 to the following individuals and entities if it ensures that, subject to subsection (3), those individuals and entities do not further disclose the information to others:
- (a) an individual or entity with which the payment service provider is affiliated within the meaning of section 3 of the Act; and
- (b) the directors, officers, employees, auditors, securities underwriters or legal advisors of
- (i) the payment service provider, or
- (ii) an individual or entity referred to in paragraph (a).
Exception — securities laws
(3) A payment service provider may disclose information referred to in section 37, and need not ensure its further non-disclosure, to the extent that the disclosure is required by the securities laws of any jurisdiction.
Use of information
39 (1) For the purpose of subsection 64(3) of the Act, the Minister, the Governor, the Bank and the Attorney General of Canada may use the information referred to in section 37 of these Regulations as evidence in any proceeding.
Certain Acts
(2) For the purpose of subsection 64(4) of the Act, the payment service provider may use the information referred to in section 37 of these Regulations as evidence in any proceeding referred to in that subsection.
Record Keeping and Retention
Records
40 A payment service provider must keep, in a form that is intelligible to the Bank, sufficient records to demonstrate its compliance with the Act and these Regulations and, subject to any undertaking provided for the purpose of section 42 of the Act or any condition imposed under section 43 of the Act, must retain the records until the day that is five years after the day on which the payment service provider’s current compliance with the Act and Regulations ceases to be demonstrated by the records.
Protective measures
41 A payment service provider must take reasonable measures, with respect to all records that it is required to keep under the Act and these Regulations, to
- (a) prevent their loss or destruction;
- (b) prevent their falsification;
- (c) detect and correct any inaccuracies contained in them; and
- (d) prevent unauthorized persons from accessing or using the information contained in them.
Agents, mandataries and third-party service providers
42 A payment service provider must ensure that
- (a) any record that is kept by an agent or mandatary or a third-party service provider that is relevant to the payment service provider’s compliance with the Act or these Regulations is
- (i) accessible to the payment service provider, and
- (ii) kept and retained in accordance with section 40; and
- (b) the measures referred to in section 41 are taken in respect of that record.
Administration and Enforcement — Provision of Information
Prescribed period — payment service provider
43 (1) The prescribed period for the purpose of subsection 65(1) of the Act is 15 days beginning on the day after the day on which the request is made.
Exception — significant adverse incident
(2) Despite subsection (1), if the information requested by the Bank relates to an incident that is ongoing and that could have a significant adverse impact on an individual or entity referred to in subsection 94(2) of the Act, the prescribed period for the purpose of subsection 65(1) of the Act is 24 hours beginning when the request is made.
Prescribed period — individual or entity
44 The prescribed period for the purpose of subsection 66(2) of the Act is 15 days beginning on the day after the day on which the request is made.
Prescribed period — undertaking or condition
45 The prescribed period for the purpose of subsection 73(1) of the Act is 15 days beginning on the day after the day on which the request is made.
Administrative Monetary Penalties
Designation of violations
46 The following are designated as violations that may be proceeded with under Part 5 of the Act:
- (a) the contravention of a provision of the Act set out in column 1 of Part 1 of the schedule, including in relation to a corresponding provision of these Regulations set out in column 2, if applicable;
- (b) the contravention of a provision of these Regulations set out in column 1 of Part 2 of the schedule; and
- (c) non-compliance with an agreement entered into under section 71 of the Act.
Classification
47 (1) Subject to subsection (3), each violation referred to in paragraph 46(a) or (b), other than one referred to in subsection 48(2), is classified as a serious or very serious violation, as set out in column 3 of Part 1 of the schedule or column 2 of Part 2 of the schedule, as the case may be.
Compliance agreement violation
(2) The violation referred to in paragraph 46(c) is classified as a very serious violation.
Series of violations
(3) If a notice of violation identifies two or more violations that are classified as serious violations and that arise from the contravention of the same provision of the Act or these Regulations, that series of violations is classified as a single very serious violation.
Penalties
48 (1) The range of penalties in respect of a violation, other than one referred to in subsection (2), is
- (a) up to $1,000,000 in the case of a serious violation; and
- (b) up to $10,000,000 in the case of a very serious violation.
Exceptions
(2) In the case of a violation in respect of section 21 or subsection 22(1), 59(1) or 60(1) or (2) of the Act,
- (a) if the violation has continued for no more than 30 days, the amount of the penalty in respect of the violation is $500 for each day that it has continued; and
- (b) if it has continued for more than 30 days, the range of penalties in respect of the violation is from $15,000 to $1,000,000.
Criteria
49 The amount payable as the penalty for a violation, other than one referred to in paragraph 48(2)(a), is to be established having regard to
- (a) the harm that is done by the violation and the harm that could have been done by it;
- (b) the history of the individual or entity that committed the violation with respect to any prior violation committed by them within the five-year period immediately before the violation; and
- (c) the degree of intention or negligence on the part of the individual or entity that committed the violation.
Additional penalty
50 For the purpose of paragraph 82(1)(b) of the Act, the additional penalty is equal to the amount of the penalty set out in the notice of violation.
Service of documents
51 (1) Any notice that is to be served under Part 5 of the Act must be served by
- (a) in the case of service on an individual,
- (i) leaving a copy of it with the individual,
- (ii) leaving a copy of it with someone who appears to be an adult member of the same household at the individual’s last known address or usual place of residence,
- (iii) sending a copy of it by registered mail or courier to the individual’s last known address or usual place of residence,
- (iv) sending a copy of it to the individual’s last known email address, or
- (v) making a copy of it available to the individual through an electronic system maintained for that purpose by the Bank and advising the individual, by email to their last known email address, of the availability of the notice; and
- (b) in the case of service on an entity,
- (i) leaving a copy of it with an individual who appears to manage or be in control of the head office or place of business of the entity or of the entity’s authorized representative,
- (ii) sending a copy of it by registered mail or courier to the head office or place of business of the entity or of the entity’s authorized representative,
- (iii) sending a copy of it to the entity’s last known email address, or
- (iv) making a copy of it available to the entity through an electronic system maintained for that purpose by the Bank and advising the entity, by email to its last known email address, of the availability of the notice.
Deemed service
(2) A notice is deemed to be served
- (a) on the day on which it is left with an individual in accordance with subparagraph (1)(a)(i) or (ii) or (b)(i);
- (b) on the 10th day after the date indicated in the receipt issued by the postal or courier service, in the case of service by registered mail or courier; or
- (c) on the day on which the email referred to in subparagraph (1)(a)(iv) or (v) or (b)(iii) or (iv) is delivered.
Transition Period
National security review — prescribed periods
52 In respect of an application for registration that is submitted during the transition period as defined in section 103 of the Act,
- (a) the prescribed period for the purpose of subsection 34(1) of the Act begins on the day on which the Minister is provided with the application and ends 60 days after the last day of the transition period; and
- (b) the prescribed period for the purpose of section 36 of the Act begins on the day on which the Minister decides to review the application and ends on the later of 180 days after that day and 180 days after the last day of the transition period.
Application for registration — prescribed period
53 The prescribed period for the purpose of section 104 of the Act is the period that begins on the day on which section 29 of the Act comes into force and ends on the later of
- (a) the day that is 14 days after the day on which section 29 of the Act comes into force, and
- (b) the day that is 60 days before the first day during the transition period on which the payment service provider plans to perform retail payment activities.
Publication of application information
54 For the purpose of section 107 of the Act, the prescribed information is
- (a) any trade names of the applicant; and
- (b) the address, telephone number and email address of the applicant’s place of business, as well as their website address, if any.
Coming into Force
S.C. 2021, c. 23, s. 177
55 (1) Subject to subsection (2), these Regulations come into force on the day on which section 29 of the Retail Payment Activities Act comes into force, but if they are registered after that day, they come into force on the day on which they are registered.
S.C. 2021, c. 23, s. 177
(2) Sections 5 to 23, 26, 27 and 29 to 36, paragraphs 37(b) to (e), items 1 to 10, 12 and 13 of Part 1 of the schedule and items 1 to 26 of Part 2 of the schedule come into force on the day on which subsection 25(1) of the Retail Payment Activities Act comes into force, but if these Regulations are registered after that day, those provisions come into force on the day on which these Regulations are registered.
SCHEDULE
(Paragraphs 46(a) and (b) and subsection 47(1))
Administrative Monetary Penalties — Designation of Provisions
PART 1
Item | Column 1 Provision of Act | Column 2 Corresponding Provision of These Regulations | Column 3 Classification of Violation |
---|---|---|---|
1 | 17(1) | 5 | very serious |
2 | 17(3) | – | very serious |
3 | 18 | 11 or 12 | very serious |
4 | 19(3) | – | serious |
5 | 20(1) | – | very serious |
6 | 21 | 18 or 19 | – |
7 | 22(1) | 20 | – |
8 | 23 | – | very serious |
9 | 24(1) | – | serious |
10 | 24(2) | 22 | serious |
11 | 30 | – | serious |
12 | 59(1) | 35 | – |
13 | 60(1) and (2) | 36 | – |
14 | 61 | – | serious |
15 | 65(2) | – | serious |
16 | 66(2) | 44 | serious |
17 | 67(2) | – | very serious |
18 | 67(3) | – | very serious |
19 | 69(2) | – | very serious |
20 | 104 | 53 | very serious |
PART 2
Item | Column 1 Provision | Column 2 Classification of Violation |
---|---|---|
1 | 6 | very serious |
2 | 7 | very serious |
3 | 8(1)(a) and (2) | very serious |
4 | 8(1)(b) and (2) | very serious |
5 | 8(3) | serious |
6 | 8(4) | serious |
7 | 9(1) | very serious |
8 | 9(2) | serious |
9 | 9(3) | serious |
10 | 10(1) | very serious |
11 | 10(2) | serious |
12 | 10(3) | serious |
13 | 13 | very serious |
14 | 14(1) | very serious |
15 | 14(2) | very serious |
16 | 15(1) | very serious |
17 | 15(6)(a) | very serious |
18 | 15(6)(b) | very serious |
19 | 15(6)(c) | very serious |
20 | 15(7) | serious |
21 | 15(8) | serious |
22 | 16(1) | very serious |
23 | 16(2) | very serious |
24 | 17(1) | very serious |
25 | 17(2) | serious |
26 | 17(3) | serious |
27 | 38(1) | serious |
28 | 40 | serious |
29 | 41 | serious |
30 | 42(a) | serious |
31 | 42(b) | serious |
REGULATORY IMPACT ANALYSIS STATEMENT
(This statement is not part of the Regulations.)
Executive summary
Issues: The safe and efficient movement of funds is essential to the health and strength of the national economy. Evolving technologies permit retail payment activities to be performed in new and increasingly complex ways by a larger variety of payment service providers (PSPs) across Canada. PSPs, such as payment processors and digital wallets, are currently not supervised in Canada with respect to their payment activities. The lack of requirements and supervision increases risks to Canadians, such as the risk of financial loss in instances of business insolvency, and threats to the security of sensitive personal and financial information of Canadians and Canadian businesses.
Description: The Retail Payment Activities Act (the Act), which received royal assent in June 2021, and the Retail Payment Activities Regulations (the Regulations), introduce a new retail payment supervisory regime for PSPs’ retail payment activities. The Regulations include standards for operational risk management; requirements to safeguard end-user (payer or payee) funds; requirements regarding PSPs’ registration with the Bank of Canada; reporting requirements; and penalties for violating requirements. The Regulations also include the timelines and information requirements to support the national security review process as part of the Minister of Finance’s national security authorities under the Act.
Rationale: The Regulations are required to support the coming into force of the Act. The Act and the Regulations intend to promote the safety and integrity of the financial system while ensuring responsible innovation for the benefit of Canadians.
All Canadians benefit from a stable, efficient, safe and competitive financial sector that services and drives economic growth. The objectives of the Regulations are to support the Act by establishing requirements to safeguard end-user funds should a PSP become insolvent and establish standards for operational risk management, including in response to disruptions in payment services. Further, the regime is intended to foster increased consumer and business confidence in payment services.
The inclusion of national security authorities under the Act and the Regulations for the Minister of Finance supports the integrity of the financial system with the intent to ensure retail payments are safe and secure for all end users.
The annualized $24.3 million in estimated costs associated with the Regulations are approximately 0.002% of $1.19 trillion in total transaction value for debit, credit and online transfer transactions for 2021 (Payments Canada’s Canadian Payment Methods and Trends Report 2022). All Canadians benefit from the stable, efficient, and safe movement of their funds, while ensuring responsible competition to keep transaction costs low. However, the monetary benefits to Canadians from the improvements to stability, efficiency and safety as a result of the Regulations cannot be estimated and are therefore treated qualitatively.
Issues
The safe and efficient movement of funds is essential to the health and strength of the national economy. The digitalization of money, assets and financial services is transforming financial systems around the world. These innovations carry many benefits; however, the lack of requirements and supervision increases risks to Canadians, such as the risk of financial loss in instances of business insolvency, insufficient risk-management practices that impact Canadians’ ability to reliably use payment services provided, and threats to the security of sensitive personal and financial information of Canadians and Canadian businesses.
In response to these risks, the Retail Payment Activities Act (the Act) received royal assent in June 2021. The Act introduced a new retail payment supervisory regime for payment service providers (PSPs), such as payment processors and digital wallets. The Bank of Canada is responsible for supervising PSPs’ compliance with the Act and maintaining a registry of registered PSPs. The Minister of Finance has authorities under the Act to address national security risks posed by PSPs — an authority the Minister currently does not have because PSPs are unregulated. In addition, the Minister does not have the necessary information, such as ownership interests, to make these assessments.
The Retail Payment Activities Regulations (the Regulations) are required to bring the Act into force. The Regulations include details on exemptions to the Act and prescribe the key elements and details needed for PSPs to register with the Bank of Canada and comply with the Act, and for the Bank of Canada to promote compliance with the Act and Regulations. The Act provides the Bank of Canada with the authority to issue guidance to further support PSPs’ compliance with the Act and Regulations.
Background
Retail Payment Activities Act
The core elements of Canada’s retail payments supervisory regime are set out in the Act, which establishes obligations falling broadly into the following categories: operational risk management, end-user (payer or payee) fund safeguarding, registration requirements, reporting requirements, administration and enforcement.
The Act also provides the Minister of Finance with the authority to address risks related to national security that could be posed by PSPs. National security provisions in the Act allow the Minister to initiate a national security review and, at the end of the review, to issue a directive to the Bank of Canada to approve or refuse to register an applicant, or revoke the registration of a PSP for national security reasons. The Minister may also, by order, require any individual or entity to provide an undertaking, or impose conditions, in relation to an application for registration or any registered PSP if the Minister is of the opinion that it is necessary for national security reasons.
The Act applies to payment functions that are related to an electronic transfer of funds from one end user to another end user using a PSP. The five payment functions under the Act are
- the provision or maintenance of a payment account;
- the holding of end-user funds until withdrawn by the end user or transferred to another individual or entity;
- the initiation of a payment at the request of an end user;
- the authorization of an electronic funds transfer, transmission, reception, or facilitation of a payment message; or
- clearing or settlement.
PSPs are defined under the Act as any individual or entity that performs one or more of the payment functions as a service or business activity that is not incidental to another service or business activity. For PSPs with a place of business in Canada, the Act applies to all of their payment activities, and for foreign PSPs, the Act applies to payment activities that the PSP directs to and performs for end users in Canada.
The Act excludes certain entities from the regime for all their activities, such as financial institutions that are prudentially regulated under other federal statutes, including banks and credit unions. In addition, the Act excludes certain activities, such as internal transactions among affiliated entities.
The COVID-19 pandemic has accelerated the adoption of digital payments, highlighting the need for safe and reliable digital payments. As noted in Payments Canada’s Canadian Payment Methods and Trends Report 2022, Canadians are using less cash, writing fewer cheques, and are relying on electronic payment methods more than ever. Canadians’ increasing reliance on digital payment solutions provided by PSPs makes them vulnerable to financial losses in the event of failures or mismanagement of these unregulated entities. Based on early estimates, it is expected there could be approximately 2 500 PSPs in scope. However, it will be difficult to know the true number until the regime is operational and individuals or entities begin to register with the Bank of Canada.
A number of jurisdictions have already established supervisory regimes to regulate retail PSPs, including the European Union, the United Kingdom and Australia. The Regulations are consistent with the approach taken in these jurisdictions.
Objective
Broadly, the objective of the Act and the Regulations is to promote the safety and integrity of the financial system while ensuring responsible innovation for the benefit of Canadians.
The objective of the Regulations is to address an important gap in financial sector supervision. The Regulations with respect to end-user fund safeguarding and operational risk-management requirements for PSPs provide minimum standards in order to reduce the risk of disruptions in payment services that result in end users being temporarily unable to access their funds or make payments. The Regulations are also intended to provide safeguards to reduce the risk of financial losses due to business insolvency or insufficient risk-management practices and enhance end-users’ ability to reliably use payment services provided by PSPs where PSPs do not currently have sound operational and fund safeguarding practices in place.
The Canadian Security and Intelligence Service recently noted in its annual Public Report that state-sponsored threat actors seek to acquire access or control over sensitive technologies, data, and critical infrastructure to advance their own military and intelligence capabilities, deprive Canada of access to economic gains, employ economic coercion against Canada, and support other intelligence operations against Canadians and Canadian interests. Consistent with the Minister of Finance’s national security authorities under the Bank Act, the Regulations related to the Minister’s national security authorities are intended to provide the details needed to support the Act so that the Government can respond to potential national security-related risks posed by presently unregulated PSPs.
The Regulations are also intended to encourage PSPs’ compliance with the Act by specifying details on enforcement, including what provisions of the Act and Regulations are designated as violations. Only designated violations would be subject to a notice of violation and an accompanying administrative monetary penalty.
The principles that guide the Act and the Regulations are
- Necessity — supervision should address risks that lead to significant harm to end users and avoid duplication of existing rules;
- Proportionality — level of supervision should be commensurate with the level of risk posed by the payment activity;
- Consistency — similar risks should be subject to a similar level of supervision; and
- Effectiveness — requirements should be clear, accessible and easy to integrate within different payment services.
Description
The Regulations include standards for operational risk management, including in response to disruptions in payment services; requirements to safeguard end-user funds; requirements regarding PSPs’ registration with the Bank of Canada; reporting requirements; and penalties for violating requirements. The Regulations also include the timelines and information requirements to support the national security review process as part of the Minister of Finance’s national security authorities under the Act.
Scope
In line with the principles of necessity, proportionality, consistency and effectiveness, the Act excludes certain entities, including prudentially regulated financial institutions, such as banks and credit unions, from its application. The Act excludes certain activities performed by entities from its application, such as payment functions performed in relation to instruments issued by merchants or groups of merchants that allow the instrument holder to purchase goods or services only from the issuing merchant or the group of merchants, such as closed loop gift cards.
As part of the exclusions, the Act does not apply to payment functions performed in relation to an electronic funds transfer that is made for the purpose of giving effect to prescribed transactions in relation to securities. The Regulations provide that these prescribed transactions are those performed by an individual or entity under Canadian securities legislation, as these are not transactions for the purpose of retail payments and are activities performed by entities already overseen by provincial regulators.
The Act provides authority to prescribe retail payment activities and entities that are exempt from its application. The Regulations exclude the Society for Worldwide Interbank Financial Telecommunication global messaging network (SWIFT) from the Act, since it is already subject to oversight by 10 major central banks, including the Bank of Canada.
For clarity and consistency with the definition of a “payment service provider” under the Act, the Regulations exclude retail payment activities performed as a service or business activity that is incidental to another service or business activity that is not a payment function.
The Bank of Canada will release guidance that provides further direction to PSPs regarding the Act’s scope and exclusions.
Risk management and incident response
In order for PSPs to identify and mitigate operational risks, such as cyber attacks, and respond to incidents, the Act requires PSPs to establish, implement and maintain a risk management and incident response framework (Risk Management Framework).
Aligned with global practices of operational risk management, the Regulations require a PSP to establish objectives in relation to its Risk Management Framework. Specifically, the PSP should seek to preserve the (1) integrity; (2) confidentiality; and (3) availability of its retail payment activities and of the systems, and data or information involved in the provision of those activities.
To achieve these objectives, the Regulations require a PSP to (1) identify its operational risks; (2) protect its retail payment activities from those risks; (3) detect incidents and control breakdowns; and (4) respond to and recover from incidents. The Regulations also require a PSP to (1) internally review, test and, for some PSPs, independently review its Risk Management Framework; (2) establish roles and responsibilities for the management of operational risk and incidents; (3) have access to sufficient human and financial resources to establish, implement and maintain its Risk Management Framework; and (4) manage its risks from third-party service providers, agents and mandataries.
Recognizing the diversity in the payments ecosystem, the Regulations provide that a PSP must ensure that all aspects of its Risk Management Framework are proportional to the impact that a reduction, deterioration, or breakdown of its retail payment activities could have on end users and other PSPs.
PSPs are required, through the Regulations, to demonstrate their compliance with sound operational risk management through various reporting requirements to the Bank of Canada.
Safeguarding of funds
Fund safeguarding is intended to protect consumers’ and businesses’ funds against financial loss in the event a PSP were insolvent, and to ensure that end users have reliable and timely access to their funds. The Act intends to satisfy these objectives by requiring PSPs to (1) hold funds in trust, in a trust account; or (2) hold funds in a segregated account and hold insurance or a guarantee in respect of the funds. The Act also provides the authority for regulations to prescribe alternative approaches; however, none are proposed at this time.
To support the objectives of safeguarding end-user funds, the Act provides the authority for regulatory requirements respecting accounts, and any measures to be taken by PSPs to ensure that funds or proceeds from any insurance or guarantee are payable to end users in the event of an insolvency.
To ensure end users have reliable and timely access to their funds, the Regulations require that accounts used to hold end-user funds be held at prudentially regulated financial institutions (e.g. banks, provincial credit unions, foreign financial institutions).
Where PSPs choose the insurance or guarantee option to safeguard end-user funds, the Regulations require that the insurance or guarantee be from a prudentially regulated financial institution that is not an affiliate of the PSP. In addition, the proceeds from the insurance or guarantee must not form part of the PSP’s general estate and must be payable for the benefit of end users as soon as feasible following an insolvency event. The Bank of Canada must also be notified 30 days in advance of the insurance or guarantee being cancelled.
For all fund safeguarding options, the Regulations require that PSPs have a written safeguarding-of-funds framework (Fund Safeguarding Framework) to ensure that end users have reliable access to their funds without delay, and that, in the event of PSP insolvency, the funds or proceeds of the insurance or guarantee are paid to end users without delay. The Fund Safeguarding Framework must describe the PSP’s systems, policies, processes, procedures, controls and other means to meet the objectives noted above. This includes the PSP’s use of liquidity arrangements and holding of end-user funds in secure and liquid assets, and keeping a ledger with the names of their end users and the amount of funds held.
Further, the PSP’s safeguarding measures must be reviewed on an annual basis or in other specified circumstances, and be subject to triennial independent reviews. PSPs would also be required to evaluate when the end-user funds held by them were not sufficiently safeguarded in the prior year and assess measures that would need to be implemented to mitigate reoccurrence.
Bank of Canada guidance will provide clarity on the requirements for the safeguarding of funds.
Reporting
The Act provides the Bank of Canada with several legal mechanisms to obtain information from PSPs to support its supervision activities. Under the Act, registered PSPs are required to report to the Bank of Canada through several channels, including annual reports, incident reports and significant change reports.
(1) Annual report
The Act provides that PSPs must submit an annual report to the Bank of Canada with prescribed information regarding their Risk Management Framework, funds safeguarding, and any other prescribed information.
Regarding the Risk Management Framework, the Regulations require PSPs to include the following in the annual report: objectives; changes to its Risk Management Framework; a description of its operational risks; and human and financial resources to implement and maintain the Risk Management Framework. Regarding fund safeguarding, the Regulations require PSPs to include the following in the annual report: information on its account providers; a description of the means it uses to safeguard funds; a description of its Fund Safeguarding Framework; and independent reviews conducted in the past year.
Lastly, the Regulations require that the annual report include information on the PSP’s ubiquity and interconnectedness, as demonstrated by (1) the value of end-user funds held; (2) the volume of electronic fund transfers in relation to which they performed a retail payment activity; (3) the value of electronic fund transfers in relation to which they performed a retail payment activity; (4) the number of end users; and (5) the number of PSPs that services are provided to.
(2) Significant change report
Under the Act, PSPs are required to notify the Bank of Canada before they make a significant change in the way they perform a retail payment activity or before they perform a new retail payment activity. Significant changes are those that could reasonably be expected to have a material impact on operational risks and on the manner in which end-user funds are safeguarded. The Regulations establish that a PSP must notify the Bank of Canada of a significant change at least five business days prior to making the change. The significant change notice would need to include information on the reason for the change, the PSP’s assessment of the effect of the change on operational risks or funds safeguarding practices, and new or amended policies introduced due to the change.
(3) Incident report
To mitigate the impact of major incidents on end users and other impacted individuals and entities, the Act requires that PSPs report incidents that have a “material impact” on an end user, other PSPs, or designated financial market infrastructures to the Bank of Canada and to impacted individuals and entities.
The Regulations require that the notice to the Bank of Canada includes a description of the incident, its impact on individuals or entities listed in the Act, and actions taken by the PSP to respond to the incident. The notice to impacted end users, other PSPs and specified financial market infrastructures would need to include a description of the incident, its impact on individuals or entities listed in the Act, and corrective measures that can be taken by those impacted individuals or entities.
(4) Information requests
The Act provides authority to the Bank of Canada to request information from a PSP pertaining to its compliance with the regime, and for a PSP to comply with the request within a prescribed time period. The Regulations set out the standard time period of 15 days to respond, unless the information being requested relates to events which are ongoing and could have a significant adverse impact on individuals or entities, such as end users or other PSPs, in which case the time period is 24 hours. The shorter period is intended to be used by the Bank of Canada in situations such as a widespread network outage. The Bank of Canada will provide additional guidance on the definition of “significant adverse impact.”
(5) Notices of change in information
To ensure the Bank of Canada’s registry stays up to date, PSPs are required to notify the Bank of Canada of changes to certain registration-related information. The Regulations set out when changes to various types of information must be submitted to the Bank of Canada.
Registration
As part of applicants’ registration application, they must pay a one-time prescribed registration fee. The Regulations set this fee at $2,500, to be adjusted for inflation over time. There is also a separate annual assessment fee paid by PSPs, which is outlined in the costs section.
The Bank of Canada may refuse an application or revoke a PSP’s registration and will maintain a registry of registered PSPs. Further, the Act requires PSPs to file a new application with the Bank of Canada if a new individual or entity seeks to acquire control of it.
The Act sets out information that applicants must include when they seek to register with the Bank of Canada as a PSP, including the applicant’s name, contact information, business structure, third parties and operations, ubiquity and interconnectedness (i.e. values and volumes metrics), information about its end-user funds safeguarding practices and a description of its Risk Management Framework, or a description of the framework that it plans to implement. The Regulations set out additional details regarding the application requirements of the Act. For example, where the Act requires PSPs to include contact information, the Regulations specify that the contact information includes the PSP’s telephone number, email address, website and mailing address.
To determine the trigger for when a PSP must submit a new application, the Regulations define control, including the manner of acquiring control, presumptions respecting control of entities and acquisition of control, and acquisitions by more than one transaction or event.
Further, the Regulations establish that the Bank of Canada may refuse to register an applicant or revoke a PSP’s registration if the applicant or PSP has failed to pay its assessment fees, or if the Act does not apply to the applicant or no longer applies to the PSP. With regards to the public registry, the Regulations require that the Bank of Canada’s registry includes information on each PSP, such as its registration status, business contact information and payment functions performed.
National security safeguards
The Regulations related to national security support the Minister of Finance’s authorities. The national security provisions of the Act and the Regulations are modelled on the regimes applicable to federally regulated financial institutions, such as the Bank Act. They are also consistent with the Investment Canada Act and promote harmonization between the two regimes.
The national security review process components prescribe how PSPs are to be registered and how national security reviews are to be conducted. This includes timelines for review by the Minister, information to be provided by applicants and PSPs at the time of application, information that must be updated on an ongoing basis, as well as triggers for re-registration. As part of the registration process for PSPs, the Act provides the Department of Finance, on behalf of the Minister, with time to review applications for a prescribed period of time for national security concerns. The Regulations prescribe this period as 60 days. If a formal national security review is required, the Minister will inform the Bank of Canada, who will in turn inform the PSP of the Minister’s decision. The Regulations outline 180 days for national security reviews, which can be extended at the discretion of the Minister.
Upon completion of the review, the Act provides that the Minister may issue a directive to the Bank of Canada to approve or refuse the registration. The Minister may also, by order, require any individual or entity to provide an undertaking, or impose conditions, in relation to an application for registration or any registered PSP if the Minister is of the opinion that it is necessary to do so for reasons related to national security. The Department of Finance will inform the Bank of Canada, which will then inform the applicant or PSP of the Minister’s decision. The Regulations also set out 30 days for a PSP to request a review of the Minister’s decision.
To support the Bank of Canada’s supervisory responsibilities and the Minister of Finance’s authorities for national security, PSPs must notify the Bank of Canada of changes to prescribed information. The Regulations further detail which changes to registration information must be submitted to the Bank of Canada as soon as the PSP becomes aware of the change, and which changes to registration information must be submitted to the Bank of Canada 30 or 60 days in advance of the change taking place.
Prescribed supervisory information
The Act provides a regulation-making authority to prohibit PSPs from disclosing prescribed supervisory information as evidence in civil proceedings to ensure the protection of sensitive supervisory information. The Regulations establish what information shared between the Bank of Canada and PSPs will be treated as “supervisory information,” including any direction, notice, assessment, testing, audit, investigation, plan or report prepared by the Bank of Canada as part of its supervision of a PSP, as well as any reports, letters, recommendations or plans made by the Bank of Canada as a result of a supervisory review or analysis of the PSP.
Record keeping
The Act includes a regulation-making authority respecting the keeping and retention of records to aid the Bank of Canada, the Minister of Finance or other designated entities to monitor the PSP’s compliance with the requirements under the Act. The Regulations set out that a PSP should maintain sufficient records to demonstrate the PSP’s compliance with the Act and the Regulations. Records must be retained for five years unless otherwise specified in a condition or undertaking.
Administration and enforcement
The Act provides the Bank of Canada with powers to address non-compliance with the Act or violations of the Act. These powers include (1) entering into compliance agreements; (2) issuing notices of violation (NOVs) with or without an administrative monetary penalty (AMP); (3) issuing NOVs with an AMP and an offer to enter into a compliance agreement; (4) issuing compliance orders; (5) applying to the court for an order (i.e. court enforcement); and (6) refusal or revocation of a registration. The Act also provides an opportunity for an individual, entity and PSP to request a review of certain Bank of Canada decisions by the Governor of the Bank of Canada, in addition to an appeal of the Governor’s decision to Federal Court if requested by impacted parties.
The Regulations designate violations under the Act and Regulations. Only designated violations would be subject to an NOV and an accompanying AMP. Where a PSP enters into a compliance agreement with the Bank of Canada after receiving an NOV and fails to meet the terms of that agreement, the Bank of Canada would issue a Notice of Default to the PSP. The Act sets out that the PSP issued the Notice of Default must pay an additional penalty specified in the Regulations. Where a PSP has violated a compliance agreement entered into regarding a designated violation or violations under the Act and the Regulations, the Regulations establish that the additional penalty would be equal to the amount of the penalty set out in the NOV.
The Regulations related to AMPs consider existing approaches under financial sector regimes, such as under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, and other regimes in Canada.
The Regulations establish penalty ranges for serious or very serious violations in increasing severity, according to the significance of the violation.
- Serious violation — up to $1,000,000 per violation
- Very serious violation — up to $10,000,000 per violation
The Act provides for the reclassification of a series of serious violations as a very serious violation. Under the Regulations, if a Bank of Canada NOV identifies two or more serious violations that arise from the contravention of the same provision of the Act or its Regulations, that series of serious violations would be reclassified as a single very serious violation.
The Regulations establish the following criteria that the Bank of Canada will consider when determining an AMP:
- the harm done and the harm that could have been done by it;
- the history of the individual or entity who committed the violation with respect to any prior violation within the five-year period immediately before the violation; and
- the degree of intention or negligence on the part of the individual or entity who committed the violation.
For violations of the Act’s requirements relating to the provision of information, such as annual reporting, the Regulations do not classify these violations as serious or very serious. Instead, if the violation has continued for no more than 30 days, the amount of the penalty in respect of the violation is $500 for each day that it has continued. If the violation has continued for more than 30 days, the range of penalties in respect of the violation is from $15,000 to $1,000,000.
The Bank of Canada will publish guidance with further information on its AMP calculation methodology under the Act on its website.
Coming into force
The Regulations come into force when the relevant provisions of the Act come into force, fixed by orders of the Governor in Council. Regulations related to registration, national security and compliance come into force when the Act provision requiring PSPs to submit a registration application comes into force. The regulations addressing operational risk management, end-user funds safeguarding, reporting, record keeping and prescribed supervisory information come into force when the Bank of Canada must register PSPs and notify PSPs of their registration.
Consultation
The Regulations were developed through extensive consultation with payment industry stakeholders, including PSPs, industry associations, academics and industry experts. The Department of Finance conducted two separate public consultations on retail payments oversight in 2015 and 2017. The Department also sought views from stakeholders through the Finance Canada Payments Consultative Committee (FinPay). The Department of Finance and the Bank of Canada have discussed and engaged on the regulatory topics with several industry associations.
The Department of Finance public consultations indicated that there is widespread support for the regime. Many stakeholders pointed to gaps resulting from the current institutional approach to oversight and supported the proposed functional approach so that risks associated with a particular payment function are treated similarly regardless of the type of organization providing the service.
There is general support for a principles-based approach to regulation whereby PSPs have the flexibility to implement the Act and associated requirements based on their business models and the needs of their customers, and for the Bank of Canada to have flexibility to adjust its supervisory expectations, guidance, and interpretations to account for the rapid growth and change in the retail payments space.
To support the Department of Finance in its development of the Regulations, throughout 2020 and 2021, the Bank of Canada published various discussion papers on industry practices and policy issues relevant to the Regulations through its Retail Payments Advisory Committee (RPAC). The RPAC comprises a group of regionally diverse PSPs that may be subject to the Act, ranging in business model, size, maturity, and geographic location. The RPAC met nine times between February 2020 and November 2021 to discuss policy topics, including best practices for fund safeguarding, operational risk management practices that PSPs currently adhere to, and registration procedures and information that would help the Bank of Canada fulfill its supervision responsibilities. The discussion papers and summaries of stakeholder feedback are posted on the Bank of Canada’s website and were carefully considered in the development of the Regulations. In general, stakeholders on the RPAC noted broad agreement or alignment with the regulatory concepts presented in the discussion materials. They also mentioned the importance of principles-based requirements that account for the existence of other similar regimes as well as requirements in the payments ecosystem already in place.
The Bank of Canada and the Department of Finance frequently met with individual PSPs to better understand the industry and discuss the key issues related to the Act and the Regulations. One-on-one discussions with stakeholders have been ongoing throughout the policy development process, ranging from larger and more ubiquitous PSPs to relatively smaller and/or newer individuals or entities. These one-on-one discussions have been informative in understanding the industry’s current practices, such as where they currently hold end-user funds, and the impact of the regulatory requirements.
The Department of Finance also consulted extensively with the Canadian Security Intelligence Service, the Communications Security Establishment, and the Royal Canadian Mounted Police, who are experts and have mandates in national security, on the inclusion and design of the national security safeguards. The information and feedback received from these stakeholders were used to inform the development of the Regulations, including those provisions that set out the specific national security information requirements applicable to PSPs, as well as timelines for ministerial decisions.
Publication in the Canada Gazette, Part I
The Regulations were published in the Canada Gazette, Part I, on February 11, 2023, for a 45-day comment period that ended on March 28, 2023.
The Department of Finance received comments through the Canada Gazette’s Online Regulatory Consultative System, and directly from certain entities. The Department received 44 submissions on the Regulations from various stakeholders, such as industry associations, individual PSPs and other interested parties.
Stakeholders expressed support for the Regulations and see them as progress in the broader payments modernization agenda. Some stakeholders, particularly associations representing smaller PSPs, expressed concerns with the regulatory burden associated with the Regulations. These included requirements related to operational risk management, end-user fund safeguarding, and reporting. These are outlined below.
The feedback from industry during consultations has enabled the Department of Finance to better understand the practical implications of the Act and its Regulations. As a result of the feedback received, the Department of Finance, in consultation with the Bank of Canada, made changes to the Regulations to address concerns raised by stakeholders with the intention that regulatory burden is kept to a minimum while ensuring that the policy intent of the Act is met.
Comments by theme
1. Scope
The scope of who the Act applies to is outlined in the definitions of the Act as opposed to the regulatory requirements. As a result, no changes were made to the Regulations related to scope following the prepublication period. Nevertheless, some stakeholders raised questions on how to interpret definitions in the Act.
The Act applies to PSPs that perform payment functions as a service or business activity that is not incidental to another service or business activity. Stakeholders requested greater clarity on how the incidental concept will be applied in practice and sought clarity on the application of the Act to foreign PSPs. Clarity on how to interpret definitions in the Act, such as circumstances in which merchants perform incidental payment functions that are out of scope of the Act, will be addressed in Bank of Canada’s guidance.
2. Risk management and incident response
Stakeholders support the requirement of the Act to establish, implement and maintain a Risk Management Framework. Many stakeholders, including industry associations and individual businesses, suggested that specific requirements of the Risk Management Framework be clarified to reduce burden.
Changes to framework requirements
The Regulations associated with the Risk Management Framework were adjusted to clarify that PSPs need to only consider risks, assets, and third parties relevant to the performance of retail payment activities. These adjustments address many stakeholder comments on the need to clarify the scope of the operational risk management and incident response regulations to reduce undue burden.
Changes to the review, update, approval and testing of the Risk Management Framework
In response to stakeholder comments, the circumstances in which the Risk Management Framework must be reviewed by the PSP were adjusted. Specifically, the requirement for a PSP to review its Risk Management Framework after a material incident was removed, since PSPs would be expected to consider past incidents as part of their annual review of the Risk Management Framework. The requirement for PSPs to review their frameworks annually was retained, since the intent is for the framework to be kept up-to-date, which is consistent with existing standards that apply to PSPs internationally, such as in the European Union and United Kingdom. Further, the requirement for PSPs to review their frameworks before changes to their processes and procedures to address operational risks was amended to specify that the review must take place following “material” changes; this change was made because the previous wording was “significant change,” which is defined in the Act and is not appropriate for the circumstance.
Regarding approval of the Risk Management Framework, the Regulations were revised so that board approval for in-year material changes is not required; these changes can be approved by its senior officer. However, where a PSP has a board, it must approve the PSP’s framework annually.
Further, based on a few stakeholder comments, the Regulations were revised to provide PSPs the flexibility to establish the frequency and scope of their testing methodology to identify gaps and vulnerabilities in their systems, policies, procedures, processes, controls, and other means in their Risk Management Framework, as opposed to requiring PSPs to test all aspects of their framework every three years. This is intended to provide PSPs greater discretion to establish a testing program best suited to its context.
Some stakeholders raised that the requirement for an independent review every three years of a PSP’s Risk Management Framework can be costly. The requirement prescribes that the review be carried out by a sufficiently skilled individual with no role in establishing, implementing or maintaining the PSP’s Risk Management Framework. This requirement was retained, as it is essential to ensuring the functioning of a PSP’s Risk Management Framework and its compliance with the Act and Regulations. The intent of an independent review is consistent with other regulatory approaches in Canada, such as the Financial Transactions and Reports Analysis Centre’s two-year effectiveness review.
Comments on implementation
In addition to comments on the Regulations, some industry associations indicated that PSPs should be able to demonstrate compliance by leveraging risk management and testing standards that they already follow and use their existing independent audits to comply with the independent review requirements in the Regulations. The Act and Regulations are intended to provide the flexibility for PSPs — which are diverse in their business models and risks — to leverage their existing practices. Bank of Canada guidance will provide details to PSPs on how they can leverage those practices, such as indicating that existing audits or practices can be leveraged as long as the PSP can demonstrate that its practices align with the requirements of the Act.
Industry associations and individual PSPs indicated that the Bank of Canada’s supervision should be commensurate with the level of risk posed by an individual or entity’s payments activities to reduce burden on smaller PSPs. Further, some stakeholders indicated that the Bank’s risk-based approach to supervising PSPs should not be based solely on size, but rather the risk of an individual or entity’s payment activities to the broader payments ecosystem.
The policy intent of the Act and Regulations allows for a risk-based, proportional approach to be taken for PSPs to implement their Risk Management Framework. The Regulations require that a PSP must ensure that all aspects of its Risk Management Framework are proportional to the impact that a reduction, deterioration, or breakdown of its retail payment activities could have on end users and other PSPs, while also considering its ubiquity and interconnectedness to the financial system. Bank of Canada guidance will provide examples of how a PSP may consider implementing such an approach, including expectations that more ubiquitous and interconnected PSPs should implement more stringent targets for the operational availability of their retail payment activities.
Several stakeholders indicated that greater clarity is needed on what is meant by “incidents that have a material impact” on affected individuals and entities, for the purpose of reporting such incidents to the Bank of Canada and affected individuals and entities. The Act defines “incident” as an event or series of related events that is unplanned by a PSP and that results in or could reasonably be expected to result in the reduction, deterioration or breakdown of any retail payment activity that is performed by the PSP. The Bank of Canada’s guidance will provide examples of incidents that could have a material impact, such as end-user funds being stolen or a cyber attack that results in a service outage.
3. Safeguarding of funds
Stakeholders generally support the policy intent of fund safeguarding with some suggestions to adjust the Regulations to reduce burden and other comments related to fund safeguarding outside the scope of the Regulations.
Changes to fund safeguarding requirements
To reduce burden, based on a few stakeholder comments, the Department of Finance adjusted the Regulations to clarify that when a PSP makes a change to the accounts or the insurance or guarantees it uses to safeguard end-user funds, only “material” changes would require a PSP to review its Fund Safeguarding Framework, as opposed to all changes. In addition, the approval process of the Fund Safeguarding Framework was amended to align with the approval process of the operational risk framework. Both frameworks now require a PSP senior officer and the PSP’s board of directors to approve them at least once a year; material changes made outside of these processes now only require senior officer approval. Further, the Regulations were changed to require that compliance with the end-user fund safeguarding requirements be independently reviewed every three years, instead of two, also to align with the independent review cycle for PSPs’ operational risk management framework.
Other comments related to fund safeguarding and implementation
Some stakeholders provided comments regarding requirements found in the Act, which have not been addressed, since they are beyond the scope of the Regulations. A few stakeholders suggested that PSPs should be permitted to obtain insurance or guarantees to protect end-users’ funds against insolvency of the PSP without the additional requirement to hold funds in a separate account. These two requirements are in the Act and are therefore out of scope of these Regulations. Some associations representing smaller PSPs also raised that some PSPs face difficulty accessing deposit accounts from regulated financial institutions to hold customer funds. Further, some stakeholders representing financial institutions requested a shield from liability, so that financial institutions offering accounts to PSPs for their end-users’ funds are not responsible for the PSP’s failure to comply with the Act or other legal obligations. The Act applies to PSPs as defined in the Act and these entities are responsible for their own compliance.
Several stakeholders also sought clarity on the permitted asset holdings for end-users’ funds, for example demand deposits and government bonds, and whether PSPs can retain interest. Neither the Act nor the Regulations specify the characteristics of assets such as their risk level or liquidity features — the ability to convert assets into cash — that are held for the purposes of end-user fund safeguarding. The Regulations require a PSP to describe its liquidity arrangements and its use of secure and liquid assets to meet the objectives of providing end-users with reliable access without delay to their funds and protecting funds in the event of the PSP’s insolvency. The Bank of Canada’s guidance will set out what the Bank considers to be secure and liquid assets such as cash or guaranteed investment certificates. Further, a PSP would also have to consider its own contractual obligations to decide whether it, or end users, retain interest from funds held, which is outside the scope of the Act and Regulations.
A few stakeholders requested greater clarity on what regulatory standards foreign account and insurance or guarantee providers must comply with for PSPs to use them to hold or safeguard end-user funds. The intent is that foreign providers follow prudential requirements recognized internationally that are similar to those followed by Canadian (federally regulated or provincially regulated) financial institutions. The Bank of Canada’s guidance will highlight its expectations of what a PSP must do when it uses a foreign financial institution to safeguard funds such as analyzing how the regulatory regime compares with principles and standards set by the Basel Committee on Banking Supervision.
4. Reporting
Under the Act, PSPs are required to report information to the Bank of Canada to support its supervision activities. This occurs at registration and on an ongoing basis through several channels, including annual reports, incident reports and significant change reports. PSPs commented and raised concerns on aspects of the Regulations concerning prescribed information at registration and in the reports they must provide to the Bank of Canada.
i. Metrics
Under the Act, PSPs are required to report quantitative metrics of their retail payment activities at registration and on an annual basis through submitting annual reports. These metrics will be used by the Bank of Canada for a number of purposes in relation to the Act, which includes as inputs for the assessment fee formula to levy fees on PSPs, the supervision of PSPs through a risk-based approach, and monitoring of trends and issues.
Stakeholders raised concerns that the required level of detail on the requested metrics was onerous. The Department of Finance and the Bank of Canada held follow-up discussions with the stakeholders that raised these concerns to better understand current practices in measuring, tracking, and reporting of retail payment activity metrics that they would be required to report. These discussions assisted in determining what changes could be made to the Regulations to reduce the level of detail and amount of data requested.
Changes to metrics in reporting requirements
The Department of Finance adjusted selected provisions concerning metrics, such as changing the requirement to provide data on the number of end users and number of other PSPs from monthly to annually, reducing the historical reporting period at registration from 24 to 12 months and removing the requirement to provide metrics on payment categories. These changes address concerns from industry without compromising the Bank of Canada’s ability to meet its mandate to supervise PSPs where metrics are used as an input.
ii. National security
The Act requires PSPs to provide information relevant for the Minister and designated entities to conduct national security assessments of the applicant PSP and registered PSPs.
There was limited feedback on the national security aspects of the Regulations, so broader concerns about regulatory burden and compliance were considered when reviewing these provisions.
Changes to national security reporting requirements
The Department of Finance amended a re-registration requirement and certain information reporting requirements to reduce burden without compromising the ability of the Minister or authorized persons to carry out their national security obligations under the Act. In the proposed Regulations, a registered PSP would have to submit a new application for registration when it intends to store and process personal and financial information in a previously undisclosed country. This provision was changed, and the registered PSP is now only required to provide the Minister with a 60-day notice prior to the change. The amendments also narrow the scope of information required, such as no longer requiring a PSP to report which employees within an exempt PSP have access to personal and financial information of the end users, employees or business partners, and clarifying ongoing reporting requirements related to identifying which other PSPs it plans to work with. These changes address broader concerns with reducing regulatory burden without compromising the ability of the Minister or authorized persons to carry out their national security obligations under the Act.
Changes to new PSPs performing retail payment activities in the transition period
In response to national security concerns, the Department of Finance amended the provision of the Regulations that would have allowed new PSPs to immediately carry out retail payment activities during the transition period upon submission of their application. While existing PSPs will be able to carry out retail payment activities upon submitting their application during the 15-day transition window, new PSPs who file outside of the 15-day transition window will be subject to a 60-day delay before being able to perform retail payment activities. This approach will provide the Minister and designated entities with an opportunity to review, and where appropriate, intervene early in the regulatory process to address national security risks before the new business commences. This decision balances national security concerns stemming from new PSPs entering into Canada’s retail payment economy with the significant business consequences of preventing existing PSPs from carrying on their business.
iii. Significant change reporting
Under the Act, PSPs are required to notify the Bank of Canada before they make a significant change, i.e. a change that could reasonably be expected to have a material impact on operational risks or the manner in which end-user funds are safeguarded, or before they perform a new retail payment activity. The Regulations also specify that PSPs must describe any changes made to their retail payment activities in the reporting year in their annual report.
Stakeholders expressed a need for additional clarity on what scenarios would constitute a significant change that would require them to submit a significant change report.
Changes to significant change reporting
The Department of Finance revised the Regulations to provide additional clarity that a PSP will have to assess the effect of a significant change or new activity on its operational risks and on the manner in which end-user funds are safeguarded both during and following implementation of the change or new activity. The Bank of Canada’s guidance will also provide additional clarity on what scenarios could require a PSP to submit a significant change report, such as when it makes a change to its safeguarding funds account provider or when it ceases to perform a retail payment activity. To reduce burden, the Department of Finance also amended the Regulations to clarify that a description of only significant changes rather than all types of changes need to be included in the PSP’s annual report. These changes align with suggestions made in stakeholder submissions.
Modern treaty obligations and Indigenous engagement and consultation
The Regulations are not expected to have any differential impacts on Indigenous people or implications for modern treaties, as per the Government of Canada’s obligations in relation to rights protected by section 35 of the Constitution Act, 1982, modern treaties, and international human rights obligations.
Instrument choice
Parliament decided, by passing the Act in June 2021, that it is desirable and in the national interest to supervise and regulate retail payment activities performed by PSPs to mitigate operational risks and to safeguard end-user funds. In addition, it is desirable and in the national interest to address risks related to national security that could be posed by PSPs. To fulfill these objectives, the Act establishes the main elements of this supervisory regime, and the Regulations are required to operationalize the Act. Therefore, no other instruments were considered.
Regulatory analysis
Benefits and costs
A cost-benefit analysis (CBA) report is available upon request from the contact listed at the end of this Regulatory Impact Analysis Statement.
The total costs associated with the Regulations over a 10-year period are estimated at $170.6 million (present value [PV]). This is $24.3 million (PV) annually, which is approximately 0.002% of $1.19 trillion in retail payments for 2021, based on the total transaction value for debit, credit and online transfer transactions (Payments Canada’s Canadian Payment Methods and Trends Report 2022). All Canadians benefit from the stable, efficient, and safe movement of their funds. In addition, the Regulations ensure responsible competition to keep transaction costs low. The monetary value of the benefits to Canadians from the improvements to stability, efficiency and safety as a result of the Regulations cannot be estimated and is therefore treated qualitatively.
The estimated costs associated with the Regulations over a 10-year period of $170.6 million are higher than the $151.9 million estimated at the time of the prepublication in the Canada Gazette, Part I. The latest estimate includes the registration fees of $2,500 for each PSP, whereas the prepublished estimate did not. In addition, in the latest estimate, most costs increased by approximately 7% due to the increase in the Consumer Price Index from 2021 to 2022. After the majority of PSPs register with the Bank of Canada, the annual costs associated with the Regulations are estimated at $19.1 million, which is higher than the $18.2 million estimated at prepublication also due to the increase in the Consumer Price Index. Annual costs, excluding inflation, decreased by approximately $300,000 as a result of changes to the Regulations following prepublication to reduce burden, such as removing the requirement for a PSP to review its Risk Management Framework after a material incident, reducing the frequency that the Safeguarding of Funds Framework must be independently reviewed and removing requirements pertaining to metrics in annual reporting.
Benefits
The Regulations benefit Canadians by supporting the coming into force of the Act, which establishes safeguarding arrangements for end-user funds should a PSP become insolvent and establishes standards for operational risk management, including in response to disruptions in payment services. Further, the supervisory regime is intended to foster confidence in payment services for consumers and businesses and lead to responsible innovation in the payments ecosystem. All Canadians benefit from a stable, efficient, safe and competitive financial sector that services and drives economic growth. The inclusion of national security authorities for the Minister of Finance promotes the stability and integrity of the financial system with the intent to ensure retail payments are safe and secure for consumers and businesses. While the dollar value benefit from a reduction in risks cannot be quantified, with an estimated $1.19 trillion in Canadian retail payments for 2021, it is expected that the benefits to Canadians from a reduction in risks far exceed the costs of the Regulations to regulated PSPs.
The new supervisory regime promotes regulatory compliance by PSPs performing one of five payment functions in respect of an electronic funds transfer and a fiat currency. Registration requirements ensure that entities performing one or more payment functions register with the Bank of Canada and be included in a public registry of PSPs. Operational risk and end-user funds safeguarding requirements ensure that registered PSPs create and implement business practices that reduce risk and protect consumers from service disruption. The supervisory regime enables the Bank of Canada to promote compliance with the Act and the Regulations by levying AMPs on PSPs that are in non-compliance.
Costs
As a result of the Regulations, PSPs are expected to carry an estimated $17,829,720 (PV) in compliance costs and $152,739,078 (PV) in administrative costs for an estimated $170,568,798 (PV) in total costs over a 10-year period (or $24,285,160 annually, in present value). Approximately 2 500 PSPs are estimated to be affected, all of which are businesses. However, it will be difficult to know the true number until the regime is operational and entities begin to register with the Bank of Canada.
These costs primarily stem from the following requirements: (1) to review, test and update the Risk Management Framework; (2) for PSPs that hold end-user funds, to establish, implement and maintain a written Fund Safeguarding Framework; (3) for PSPs that hold end-user funds, to review the Fund Safeguarding Framework and conduct independent reviews; (4) to provide information required in the registration application, annual report, notice of incident and significant change report; and (5) the one-time registration fee.
Under the Act, the Bank of Canada must ascertain its total expenses incurred in connection with the administration of the Act. This amount must be recovered through registration fees, submitted with an entity’s registration application, and through annual assessment fees. Under the Regulations, PSPs will pay a $2,500 fee to the Bank of Canada at registration application. Although the annual assessment fee provisions of the Act require an assessment fee formula to be specified in the Regulations, this formula will be finalized after PSPs begin registering with the Bank of Canada. Registration information is needed to better understand the number of PSPs and their characteristics before distributing the Bank of Canada’s costs among them to achieve the policy intent and ensure fees are fairly distributed. Once the Act is fully operational, the Bank of Canada will recover its supervisory costs in any given year through the combination of registration fees collected that year and the annual assessment fee levied on each registered PSP. The entirety of the Bank of Canada’s supervisory costs associated with the Act fall under obligations and requirements created by the Act and are not part of the costs associated with the Regulations.
Cost-benefit statement
- Number of years: 10 years (2024 to 2033)
- Base year for costing: 2022 Can$
- Present value base year: 2024
- Discount rate: 7%
Impacted stakeholder | Description of cost | 2024 | 2029 | 2033 | Total (PV) | Annualized value |
---|---|---|---|---|---|---|
Industry | Compliance with the Regulations | $16,878,459 | $337,569 | $337,569 | $17,829,720 | $2,538,551 |
Industry | Administrative costs associated with the Regulations | $41,006,546 | $18,790,469 | $18,790,469 | $152,739,078 | $21,746,609 |
All stakeholders | Total costs | $57,885,005 | $19,128,038 | $19,128,038 | $170,568,798 | $24,285,160 |
Qualitative impacts
The Regulations have the following positive impacts:
- establishing a regulatory regime that supports the safety and reliability of PSPs for the benefit of end users and the retail payments ecosystem;
- establishing regulatory certainty for consumers and PSPs, with clear requirements for PSPs that are proportionate to their retail payment activities;
- encouraging responsible innovation in the Canadian retail payments space by creating a regime that levels the playing field between PSPs and acting as a foundational building block for broadening access to core payment systems; and
- protecting the retail payment activities sector from risks to national security.
Distributional impact analysis
It is assumed that roughly 2 500 businesses are impacted by these Regulations.
Based on an analysis of payment values expected to generate approximate revenues of less than $5 million, 96.4% of PSPs are considered a small business. This is similar to Statistics Canada’s estimate that 98.1% of businesses are small businesses. It is estimated that the average small business will face a total cost of $1,952 (PV).
Consumer impacts
The Regulations are expected to have a positive impact on consumers. The new requirements establish safeguarding arrangements for end-user funds should a PSP become insolvent and establish standards for operational risk management, including in response to disruptions in payment services.
The Regulations are not expected to have a significant impact on the cost of payments. The total costs associated with the Regulations over a 10-year period are estimated at $170.9 million (PV). This is $24.3 million (PV) annually, which is approximately 0.002% of $1.19 trillion in retail payments, based on the total transaction value for debit, credit and online transfer transactions for 2021 (Payments Canada’s Canadian Payment Methods and Trends Report 2022). The benefits to Canadians from the improvements to stability, efficiency, integrity and safety as a result of the Regulations cannot be quantified and are therefore treated qualitatively. Further, some PSPs have indicated that consistent rules across the industry, as well as Bank of Canada oversight to ensure compliance, will increase business confidence in PSPs, leading to new opportunities for partnerships and investment.
Competition impacts
The Regulations impose consistent obligations for all PSPs performing retail payment activities in Canada. This will level the playing field and ensure that all PSPs meet minimum standards for similar activities.
Regarding Canada’s competitiveness position relative to that of other countries, several other jurisdictions, including the United Kingdom, Australia, the European Union, and certain states in the United States, have implemented similar regulatory regimes for new and emerging PSPs. The Act and the Regulations are generally consistent with the approach taken in these jurisdictions and will promote a consistent regulatory environment between Canada and the other jurisdictions. They are also consistent with the G7 Finance Ministers and Central Bank Governors’ Statement on Digital Payments (G7 Finance Ministers and Central Bank Governors meetings, 2020), which calls for payment services to be appropriately supervised and regulated.
Sensitivity analysis
For the cost-benefit analysis, it is assumed that roughly 2 500 businesses would be impacted by the Regulations in the first year. However, the exact number and characteristics of PSPs will not be known until they register with the Bank of Canada. A sensitivity analysis was performed as part of the cost-benefit analysis. Costs associated with the Regulations are proportional to the number of PSPs; for example, if there are half as many PSPs, the total costs associated with the Regulations would also be half, as shown in the table below.
Number of PSPs and costs | Low | Central | High |
---|---|---|---|
Number of PSPs | 1 250 | 2 500 | 3 750 |
Total costs (PV) | $85,284,399 | $170,568,798 | $255,853,197 |
Total costs (annualized) | $12,142,580 | $24,285,160 | $36,427,740 |
Average cost per PSP (annualized) | $9,719 | $9,719 | $9,719 |
In the central analysis, it is assumed that 2% of the population of PSPs will enter the market each year of the analysis. However, the overall number of affected PSPs is expected to remain stable throughout the period, due to consolidation and attrition. The table below shows results of a sensitivity analysis using 0% and 5% new entrants and exits annually.
Entrants and exits | None | 2% per year | 5% per year |
---|---|---|---|
Total affected PSPs | 2 500 | 2 950 | 3 600 |
Total costs (PV) | $165,752,650 | $170,568,798 | $177,793,020 |
Total costs (annualized) | $23,599,448 | $24,285,160 | $25,313,726 |
Average cost per active PSP (annualized) | $9,440 | $9,719 | $7,032 |
In the central analysis, PSP administrative and compliance costs vary proportionally to their payment volumes. A sensitivity analysis varied this assumption by using flat costs across PSPs, regardless of size, and an alternative scenario where there are economies of scale (square root) where PSPs’ costs associated with the Regulations increase based on the square root of their share of all payment volume. While the fixed and linear costs result in the same average cost to PSPs, a scenario where larger firms are able to capitalize on economies of scale would result in much lower costs, as shown in the table below.
Cost growth | Square root (economies of scale) | Linear | None (uniform fixed cost) |
---|---|---|---|
Small businesses share of total costs | 51.8% | 6.6% | 96.4% |
Total costs (PV) | $43,677,662 | $170,568,798 | $170,568,798 |
Total costs (annualized) | $6,218,716 | $24,285,160 | $24,285,160 |
Average cost per PSP (annualized) | $2,487 | $9,719 | $9,719 |
In the central scenario, present values are calculated using a discount rate of 7%. Since the majority of costs are incurred annually, the present value costs are fairly insensitive to discount rates of 4% and 10%, and no discounting, as shown in the table below.
Discount rate | Undiscounted | 4% | 7% | 10% |
---|---|---|---|---|
Net costs | $230,037,346 | $192,411,836 | $170,568,798 | $152,767,119 |
Small business lens
Small business lens summary
Analysis under the small business lens concluded that the Regulations will impact small businesses. It is estimated that approximately 2 500 businesses are impacted by these Regulations, with 96.4% being small businesses. The total incremental administrative and compliance costs imposed on small businesses are estimated at $11,331,127 (PV) over 10 years, which is equivalent to $4,648 (PV) per small business impacted. Note that costs for each PSP are assumed to reflect their payment values in comparison to the industry as a whole, with the exception of the $2,500 registration fee, which is the same for all PSPs.
- Number of small businesses impacted: 2 400
- Number of years: 10 (2024 to 2033)
- Base year for costing: 2022
- Present value base year: 2024
- Discount rate: 7%
Activity | Annualized value | Present value |
---|---|---|
Compliance with the Regulations | $950,516 | $6,676,026 |
Total compliance cost | $950,516 | $6,676,026 |
Activity | Annualized value | Present value |
---|---|---|
Administrative costs associated with the Regulations | $662,782 | $4,655,101 |
Total administrative cost | $662,782 | $4,655,101 |
Totals | Annualized value | Present value |
---|---|---|
Total cost (all impacted small businesses) | $1,613,298 | $11,331,127 |
Cost per impacted small business | $673 | $4,725 |
These costs primarily stem from the following requirements: (1) to review, test and update the Risk Management Framework; (2) for PSPs that hold end-user funds, to establish, implement and maintain a written Fund Safeguarding Framework; (3) for PSPs that hold end-user funds, to review the Fund Safeguarding Framework and conduct independent reviews; (4) to establish the contents of the registration application, annual report, notice of incident and significant change report; and (5) the one-time registration fee.
The Regulations account for the impacts on small businesses through the principle of proportionality — the level of supervision should be commensurate with the level of risk posed by the entity’s payment activities. For example, the provisions of the Regulations for operational risk provide that a PSP must ensure that all aspects of its Risk Management Framework are proportional to the impact that a reduction, deterioration, or breakdown of its retail payment activities could have on end users and other PSPs. Therefore, smaller PSPs, as measured by the value and volume of their payment activity, will see a lower regulatory burden to fulfill the Regulations’ operational risk requirements than larger PSPs. Since costs are proportional to the size of the business, additional compliance flexibilities were not considered necessary.
One-for-one rule
The one-for-one rule applies, as the Regulations are a new regulatory title that introduces new administrative costs for businesses. PSPs that choose to conduct retail payment activities under the Act’s new scope will experience a new administrative burden due to the Regulations’ administrative requirements, namely that PSPs prepare and submit reports to the Bank of Canada, as well as the costs to meet new operational risk management and end-user funds safeguarding measures.
Using assumptions and data presented above and the methodology developed in the Red Tape Reduction Regulations, it is estimated that the regulated community will assume total administrative costs of $7,771,887 (2012 Canadian dollars, 7% discount rate, base year of discounting in 2012) for all PSPs registered under the regime.
Regulatory cooperation and alignment
The Regulations are intended to align with other jurisdictions, such as the United Kingdom (U.K.), Australia, and the European Union (EU), which have already established regulatory regimes for payment activities of new and emerging PSPs.
The elements of the Regulations align closely with many of the requirements found in the European regimes (including the U.K., which adopted the EU regulations during its time as a member of the EU), such as requirements for registration, operational risk management frameworks, funds safeguarding, incident reporting, and record keeping. PSPs operating internationally and foreign regulators were also consulted on their experiences with similar requirements in foreign jurisdictions to ensure alignment as much as possible and to minimize the regulatory burden on PSPs. There are some structural differences between the jurisdictions cited, where certain regimes may be voluntary (e.g. Australia) or overseen by a non-central bank regulator (e.g. the U.K.). Requirements in the United States that apply to PSPs were also considered in the development of the Regulations; however, they are at the state level.
In addition, with respect to provincial regulatory cooperation, the Act provides that the Governor of the Bank of Canada may exempt entities or classes of entities from certain provisions of the Act and the Regulations where there is, in the Governor’s opinion, a substantially similar provision in another federal or provincial Act. This is in view of avoiding regulatory duplication and in recognition of complementary objectives and powers with respect to the oversight of PSPs.
Strategic environmental assessment
In accordance with the Cabinet Directive on the Environmental Assessment of Policy, Plan and Program Proposals, a preliminary scan concluded that the amendments would not result in positive or negative environmental impacts. Therefore, a strategic environmental assessment is not required.
Gender-based analysis plus
A gender-based analysis plus (GBA+) assessment was undertaken for the Regulations. The results indicate that by enhancing protections for end users of payment services in Canada, including merchants and consumers that broadly represent the Canadian population, the Regulations are expected to benefit all Canadians. Some vulnerable groups who face additional financial literacy and capability challenges, including newcomers to Canada and elderly people, may experience additional indirect benefits from the end-user protection measures. Given that all Canadians are expected to benefit from these measures, with some more vulnerable groups benefiting more than others, no specific measures to address or mitigate GBA+ impacts are required.
Implementation, compliance and enforcement, and service standards
Implementation
The Regulations will come into force on the days that the relevant provisions of the Act come into force, as fixed by an order of the Governor in Council. The following days have been fixed by an order of the Governor in Council:
- on November 1, 2024, provisions of the Act concerning registration and associated regulations come into force;
- on November 16, 2024, the provision requiring a PSP to be registered with the Bank of Canada comes into force; and
- on September 8, 2025, sections of the Act concerning operational risk and end-user fund safeguarding and associated regulations come into force.
PSPs will have an approximate two-week window from November 1 to 15, 2024, to submit their application for registration. The purpose of this is to encourage applicants to apply en masse, which will ensure the Bank of Canada and the Department of Finance can efficiently and expeditiously process applications. PSPs that do not submit in this window will still be able to register with the Bank of Canada on a rolling basis, but will be subject to potential delays in commencing their retail payment activities, depending on whether they are an existing or a new PSP, and on whether they apply before or after September 8, 2025.
The Bank of Canada is a Crown Corporation that operates independently and at arm’s length from the federal government. As supervisor, it requires sufficient time following publication of the Regulations to fully implement the regime, including finalizing its supervisory guidance to support PSPs’ compliance with the Act and Regulations. The Bank of Canada has discussed its scope and registration guidance with industry and incorporated feedback from them into this guidance, which will be available within a month of publication of the Regulations. The Bank of Canada will begin broad consultations on its guidance concerning operational risk, end-user fund safeguarding, significant change notification and incident notification approximately three months following publication of the Regulations and will provide final guidance on these topics to industry approximately one year prior to the relevant provisions coming into force. The overall approach the Bank of Canada is taking in releasing its supervisory guidance ensures PSPs will have sufficient time to prepare for compliance, and the timing aligns with other Canadian financial sector supervisors that have registration and reporting requirements, such as the Financial Transactions and Reports Analysis Centre of Canada.
During and following the consultation period, at RPAC meetings and through industry events and meetings with industry associations, the Bank of Canada and Department of Finance outlined the proposed timing, consistent with the order, to bring the Act into force. Industry is generally supportive, provided that sufficient guidance is published by the Bank of Canada to aid them in applying for registration and complying with the fund safeguarding and operational risk management requirements.
The remaining provisions of the Act that are not being brought into force as part of these Regulations concern the Bank of Canada’s requirements to recover its supervisory costs associated with administering the Act through annual assessment fees, net of registration application fees. The annual assessment fee provisions of the Act require an assessment fee formula to be specified in Regulations. This formula was prepublished in the Canada Gazette, Part I, and will be finalized after PSPs begin registering with the Bank of Canada. Registration information is needed to better understand the number of PSPs and their characteristics before distributing the Bank of Canada’s costs among them to achieve the policy intent and ensure fees are fairly distributed. Until the assessment fee regulations are finalized and brought into force by order, the Bank of Canada is covering its supervisory costs, estimated at up to $44 million annually, through its revenue and registration application fees, reducing its contribution to the government’s consolidated revenue fund.
Compliance and enforcement
Under the Act and the Regulations, the Bank of Canada will be responsible for supervising PSPs, promoting PSPs’ compliance with their obligations under the Act and Regulations, and monitoring and evaluating trends related to retail payment activities.
The Act also provides the Minister of Finance with the authority to address risks related to national security that could be posed by PSPs. This includes the ability to refuse PSPs’ applications, revoke registrations, order undertakings or conditions, as well as issue national security orders for a PSP to take or refrain from any action. The Minister will be supported by the Department of Finance, as well as Canada’s security and intelligence community (designated entities) providing information (intelligence and analysis) in accordance with their respective mandates.
PSPs that are subject to the Act and the Regulations will have to register with the Bank of Canada. As part of the registration process, the Regulations require applicants to provide certain information, for example, names, addresses and third-party service providers. This information will be consistent with what is asked for in other federal regimes, such as the Investment Canada Act.
Applications deemed complete by the Bank of Canada will be sent to the Department of Finance. Applications received by the Department of Finance from the Bank of Canada must, under the Regulations, be processed within 60 days. This period will include time for the security and intelligence community to complete initiation screening and notify the Department of their decision: either no concerns or concerns. The Minister of Finance will then decide whether to initiate a formal national security review. The timeline for a national security review, under the Regulations, is 180 days, which can be extended. At the end of the review, the Minister of Finance can decide to
- approve the application;
- require an undertaking or impose conditions; or
- direct the Bank of Canada to refuse the application.
Contact
Nicolas Marion
Senior Director
Payments Policy
Financial Services Division
Financial Sector Policy Branch
Department of Finance
90 Elgin Street
Ottawa, Ontario
K1A 0G5
Email: fin.payments-paiements.fin@fin.gc.ca