The Retail Payment Activities Act will task senior leaders at payment service providers (PSPs) with building a lot more compliance into their operations. What’s more, for many this will be the first time their business is subject to such significant oversight.
In this video, Andrew Bernstein and Brigitte Goulard explain why PSPs will soon receive some of the scrutiny that is usually reserved for banks—and what they can do to adapt.
Brigitte Goulard (00:06): Why don't you tell us a little bit about what is the Retail Payment Activities Act and what it means?
Andrew Bernstein (00:11): So the Retail Payment Activities Act establishes the legal framework by which the Bank of Canada supervises retail payment providers. The Act was passed in 2021 by Parliament and regulations are expected in 2022. The Bank of Canada, who will take on the role of the regulator, will oversee any retail payment activity that is performed by a payment service provider with a place of business in Canada, or if they deal with Canadian retail payment activities for an end user in Canada, whether that's a natural person or a business. So what is a retail payment activity? It's a payment function that's performed in relation to an electronic funds transfer made in Canadian currency or any other currency, or using a unit that meets certain prescribed criteria. So then what is a payment function? It's activities like maintaining an account in relation to electronic funds transfer, holding funds on behalf of end users, the initiation of an electronic funds transfer, the authorization of other electronic funds transfer, or clearing or settlement services. So that's what the Retail Payment Activities Act deals with. It deals with big entities like PayPal or Amazon and smaller entities that might be doing narrower retail payment activities.
Brigitte Goulard (01:44): So very broad application because it catches a lot of activities and a lot of different bodies. But what's interesting is that the Retail Payment Activities Act has also provided some exemptions for some activities and for some entities. For example, regulated financial institutions, like banks, are not going to be subject because they're already subject to their very own onerous requirements. Closed-loop prepaid cards, like for example your Tim Hortons card that you like to use so often.
Andrew Bernstein (02:13): I have several Tim Hortons cards, maybe I'll take you for a coffee after.
Brigitte Goulard (02:17): Okay, that's good. That sounds good. So those will not be subject to the Retail Payment Activities Act. Cash withdrawals from ATMs, not subject. Agents and mandataries of a payment service provider, and finally something very specific, which is the electronic fund transfers for the purpose of giving effect to very specific contracts like derivatives and secured lending agreement. So basically, you can say it's like everything except a few things and those—everything, so all the bodies that will be subject—will be subject probably for the first time ever to an environment that is much more regulated than what they currently deal with. And that's going to be a bit of a shock, I think, to a number of payment service providers, especially those that are more innovative and may not have the experience of dealing with the regulator.
Andrew Bernstein (03:12): So what kind of oversight can those payment service providers expect from the Bank of Canada?
Brigitte Goulard (03:16): So I think there's like five things that they need to think about. The first one is registration. Every single payment service provider that does the activity that you've mentioned, and that is not one of the bodies that is exempted, will need to register with the Bank of Canada and the bank will keep a public registry of all of those entities so that people can go and check to make sure that they are one of the bodies that is supervised. The next two that I'm going to talk about are probably the core of what’s in the Retail Payment Activities Act. The first one is the mitigation of operational risk and dealing with incidents. So a PSP will need to file with the Bank of Canada policies, procedures that will mitigate operational risk and deal with incidents such as, for example, they lose access to the funds that are being transferred, they lose some data, that type of risk will need to be addressed in such a policy, and they will need to impose some controls. So there's a very good framework to make sure that the risk is contained. The third aspect, which is also very important, is the protection of end-user funds. So let's say, for example, you take milk for coffee, but you refuse to pay for my coffee, and I pay you for my coffee through PayPal.
Andrew Bernstein (04:37): Okay.
Brigitte Goulard (04:37): So the end-user fund that would be transferred to you would need to be separated, distinct from the PSP's own funds. So there’s going to be segregation of those funds. They're going to be subject to specific rules. So basically, people will have a certain safety net to make sure that their funds are protected. Finally, the fourth one is that there will be lots of reporting. So if financial institutions who are used to dealing with regulated bodies, regulators, know that the regulators love their reports. So be prepared, PSPs that are out there, you will be asked to do a lot of reports—annual reports, reports when you change your activities—so that there's going to be a layer of reporting that you're going to be required to do. And finally, fees. The Bank of Canada will be turning to the PSPs to fund their supervisory activities. So you can expect some fees. In your expertise as an administrative law lawyer, you have dealt with a lot of regulatory bodies before.
Andrew Bernstein (05:44): Yes.
Brigitte Goulard (05:44): So what do you think of the enforcement tools that are currently provided in the Retail Payment Activities Act? Sufficient, not sufficient?
Andrew Bernstein (05:53): Yeah, I would describe them as typical. And I think we would find that most of the time these are sufficient. They range from fairly benign, like requesting information or a special audit, or verifying certain aspects of compliance, to a little more heavy-handed, like asking a PSP to enter into a compliance agreement for the purpose of implementing compliance measures. And why would a PSP do that? A PSP would do that because the hammer that the Bank of Canada holds is administrative monetary penalties. And the RPAA actually provides for pretty significant administrative monetary penalties, up to $10 million for certain PSPs that commit violations of the Act. So, you know, what's interesting is those fines are very significant and much higher than you see even in most criminal law fine-type offenses. But because the purpose of the penalties is to enforce compliance and not to punish, you don't have the protections that a criminal defendant might have. Now, one important thing is that due diligence is a defense in relation to a violation. So it's not enough to show, just strictly speaking, non-compliance. The PSP will have the option of saying, “Actually we tried very hard and this just didn't work out.” And the other tool that not every regulator has is the actual obligation to make violations public. So other regulators may have the option where if you commit a violation, they don't have to name you or they don't even have to say that a violation occurred. The Bank of Canada will have an obligation to explain that a PSP committed a violation. So I consider those very robust tools.
Andrew Bernstein (07:59): You're a former regulator, so I guess you loved your reports. What are your views on those tools and what advice would you have for payment service providers to prepare themselves?
Brigitte Goulard (08:11): So you're right, those tools when I was a Deputy Commissioner of the Financial Consumer Agency of Canada were very similar. You know, compliance agreements, penalties and so on. I think the three steps that I would really recommend to the PSPs is to minimize the risk of non-compliance. The first is, understand your requirements. Understand what is expected of you. The legislation, for example, with respect to operational risk, is very specific on the type of controls that you need to have, the type of information that you need to include in your policies. Understand what that is. And then through that understanding, make sure that when you draft those policies that they actually reflect the risk that you have. It's not just “Oh no, the regulators are asking us this, you know, let's do this kind of on this side of the table for a half an hour and then we're done.” You know, the time you take is very important because that will definitely go a long way to demonstrating due diligence. The second one is once you've got that document, implement those policies and procedures. Ensure that you've got those controls, ensure that they're reviewed, sufficient, when needed. Make sure that your people understand what is requested of them. Do the training that is required, do the communications. That's really critical where I've seen often where there's been an issue is that the policy procedure looks great, however, the implementation where what's on paper doesn't necessarily match what the technology is doing, so make sure that's there. And finally, have those controls in place. The legislation does provide or impose certain controls, but continue testing it, especially for PSPs where their product is really all about technology.
Andrew Bernstein (10:01): Right.
Brigitte Goulard (10:01): It's not about having a register and you take the money and make sure you count it properly. It's all about technology and there were so many times when I was a regulator where, you know, the intention of complying was there. The information was completely laid out properly. The disclosures were happening, the policies and procedures. But somebody had tinkered in the background with the technology, which ended up impacting something that they weren't expecting. So make sure you do the controls and the test so that you do comply. So before we close it up, Andrew, last words of wisdom to make sure that they don't end up in—well, it'd be nice if they ended up in your office, but hopefully not end up in our office because of a potential violation.
Andrew Bernstein (10:43): Exactly. Come for a social visit. Don't come because you've received a notice of violation.
Brigitte Goulard (10:49): Words of wisdom.
Andrew Bernstein (10:50): This is a new regime. It's a robust regime. And there's going to be bumps in the road as the regulator and the regulated test the boundaries of the new regime. You probably don't want to be one of the test cases. So I would strongly urge people to do what Brigitte suggested, make sure that things are in order, not just in order in theory, but in order in practice. And that enables you to focus on your business rather than focusing on regulatory problems that might arise.