The federal government introduced a draft of the long anticipated Retail Payment Activities Act (“RPAA”) in Bill C-30. The RPAA will establish an oversight framework for retail payment activities, the first of its kind in Canada.
Bill C-30 follows on the commitment made by the federal government in the 2021 budget, A Recovery Plan for Jobs, Growth, and Resilience, to fund the development of the RPAA as part of measures to further strengthen Canada’s financial sector. A draft of the RPAA has been anticipated since 2017, when it was first announced by the federal Department of Finance in a consultation paper titled "A New Retail Payments Oversight Framework".
While a number of details remain to be addressed in regulations, the major elements of the proposed oversight framework are now clear.
Purpose of the RPAA
The RPAA is a response to emerging payment service providers and evolving technologies that are changing how Canadians make payments. The federal government has determined, as stated in the Preamble of the RPAA, that it is in the national interest to regulate such activities in order to safeguard end-user funds and to foster competition and innovation among payment service providers by building confidence in the retail payment sector.
Application of the RPAA
The RPAA will apply to any “retail payment activity” that is performed by a “payment service provider” that has a place of business in Canada. It will also apply to retail payment activity that is performed for end users in Canada by non-Canadian payment service providers that direct retail payment activities at Canadian end users. End users include both individuals and entities that use a payment service as a payer or payee.
“Retail payment activity” is defined a “payment function” that is performed in relation to an electronic funds transfer that is made in the currency of Canada or another country or using a unit that meets prescribed criteria. This leaves open the possibility of the RPAA applying not only to transactions carried out in fiat currency, but also to retail payments involving digital currency.
“Payment service providers” (PSPs) are defined as individuals or entities that perform “payment functions” as a service or business activity, which is not incidental to another service or business activity. Of course, it may not always be straightforward to determine when a payment function is performed as a service or business activity as compared to when it is incidental to another service or business activity and we anticipate that absent further guidance on these parameters, there will likely be much debate on the application of this definition.
“Payment functions” are defined as:
a) the provision or maintenance of an account that, in relation to an electronic funds transfer, is held on behalf of one or more end users;
b) the holding of funds on behalf of an end user until they are withdrawn by the end user or transferred to another individual or entity;
c) the initiation of an electronic funds transfer at the request of an end user;
d) the authorization of an electronic funds transfer or the transmission, reception or facilitation of an instruction in relation to an electronic funds transfer; or
e) the provision of clearing or settlement services.
Exclusions under the RPAA
Certain types of payment functions will be excluded from the application of the RPAA:
- payment functions performed in relation to an electronic funds transfer that is made with an instrument that is issued by a merchant (or by an issuer that is not a PSP and has an agreement with a group of merchants) and that allows the holder of the instrument to purchase goods or services only from the issuing merchant or any merchant in the group (this will include closed-loop gift cards);
- payment functions that are performed in relation to an electronic funds transfer that is made for the purpose of giving effect to an “eligible financial contract” or for the purpose of giving effect to a prescribed transaction in relation to securities;
- payment performed in relation to an electronic funds transfer for the purposes of a cash withdrawal at an ATM;
- payments performed using a system that is designated under section 4 of the Payment Clearing and Settlement Act; and
- retail payment activities performed between affiliated entities.
Certain entities will also be excluded from the scope of the RPAA. Generally, this includes regulated financial institutions, provincial governments, Payments Canada, and entities acting as an agent of a PSP.
The RPAA’s accompanying regulations, yet to be released, may set out additional exclusions.
Supervision and Registration
The Bank of Canada (the “Bank”) is designated as the supervisory authority under the RPAA.
Once the RPAA comes into force, PSPs will be required to register with the Bank before performing payment functions. Registration will involve completing a prescribed application form, providing certain information and paying the prescribed registration fee. The Bank will maintain a public registry of all registered PSPs and publish a list of PSPs that the Bank has refused to register.
Operational Requirements under the RPAA
The RPAA focuses on two primary operational requirements for PSPs.
1. Operational Risk Management and Incident Response
PSPs will be expected to establish, implement and maintain a risk management and incident response framework for the purposes of identifying and mitigating “operational risks” and responding to “incidents".
If a PSP becomes aware of an incident that has a material impact on end users, another PSP, or a clearing house of a clearing and settlement system (as defined in the Payment Clearing and Settlement Act) the PSP is obligated to notify the affected individuals or entities and the Bank of the incident.
A PSP’s framework and notice of material incidents must both meet certain prescribed requirements, which are not yet spelled out in the draft legislation or regulations.
2. Safeguarding End-User Funds
If a PSP holds end-user funds until they are withdrawn by the end user or transferred to another individual or entity, the PSP must either:
a) hold the end-user funds in a separate trust account;
b) hold the end-user funds in a prescribed account or in a prescribed manner; or
c) hold the end-user funds in an account that is not used for any other purpose and is insured or guaranteed for at least the amount held in the account.
This obligation will not apply to end-user funds held by a PSP if such end-user funds are deposits that are guaranteed or insured under legislation in the province in which the funds are held.
Reporting and Enforcement
PSPs will be required to submit annual reports to the Bank, which include certain prescribed information, similar to that which will be required in the initial registration application. PSPs will also be subject to certain notice requirements if they significantly change the way they perform retail payment activities or undertake a new retail payment activity.
The Bank has the authority to request that PSPs provide the Bank with any information deemed necessary for the purposes of verifying compliance with the RPAA. The Bank may also direct that a PSP undertake a special audit or that a PSP allow an authorized person to examine the records and business of a PSP to confirm compliance.
In response to violations of the RPAA, the Bank may impose non-punitive administrative or monetary penalties for violations of the RPAA, up to a maximum of $10,000,000.
The RPAA contemplates accompanying regulations, which will likely fill in certain gaps that are left in the draft legislation. The Bank of Canada is expected to develop guidance for PSPs to assist with the interpretation of their obligations under this new regulatory framework.
PSPs will be required to register under the new regime during a transitional period, of a length yet to be determined, which will commence on a date to be fixed by order of the Governor in Council.
Special thank you to Heather Whiteside, articling student, for her assistance.