With the view of promoting innovation and competition while protecting the public interest, the Department of Finance (the Department) has followed up on an earlier Consultation Paper,1 and issued an Invitation for Comments on A New Retail Payments Oversight Framework (Framework).2 If pursued, the proposed Framework will expand the scope of federal regulation and oversight in the payments area. With the view of achieving a plain level field it will enhance the reach of legislation and regulation to participants in national retail payment systems which are not regulated financial institutions. What follows is a summary of this important document.
To begin with, the Department observed,
The current oversight of payments in Canada is focused on the core national payment clearing and settlement systems (i.e., LVTS and ACSS). Policy objectives for retail payments conducted by regulated financial service providers such as banks and payment card networks are supported through legislation and codes of conduct. However, other retail payment service providers (PSPs) are not currently subject to a comprehensive oversight framework.
The Department has identified five categories of key risks inherent to retail payments. These key risk categories are operational; financial; market conduct; efficiency; and money laundering and terrorist financing.
Acknowledging that "traditional PSPs still account for the vast majority of retail payments in Canada," the Department nevertheless observed "the emergence and growth of new entrants," so that
A new retail payments oversight framework is required to ensure that, as retail payments continue to evolve, an appropriate balance is maintained between the Government's three policy objectives:
- Safety and soundness;
- Efficiency; and
- User interest.
These objectives are said to potentially be complementary and regardless, in their implementation, an appropriate balance is to be achieved among them so that "unduly burdensome regulations may not stifle competition and innovation." With the view of striking an appropriate balance, the Department identified four guiding principles for the development of the Framework:
- Necessity – Oversight should address risks that can lead to significant harm to end users and avoid duplication and overlap with effective existing rules.
- Proportionality – The level of oversight should be commensurate with the level of risk posed by a payment activity. One of the key considerations is the cost of compliance, as the oversight measures should not create a barrier to competition and innovation by unduly burdening PSPs.
- Consistency – Similar risks should be subject to a similar level of oversight, irrespective of the type of entity or the technology. A clear and consistent oversight regime is desirable to promote competition and innovation.
- Effectiveness – Oversight should be designed to maximize effectiveness. For example, requirements should be clear, accessible and easy to integrate within different payment services, and the entity that poses the risk should be responsible for managing it. Additionally, the regulator should have the ability to enforce oversight requirements when necessary.
In the footsteps of the recommendations of the December 2011 Task Force for the Payments System Review,3 as well as "recent international trends," and claiming "broad stakeholder support," the Department adopted a functional approach "so that risks associated with a particular payment function are treated similarly regardless of the type of organization providing the service." To that end it "has identified five core functions performed by PSPs in the context of electronic fund transfers," so that any PSP performing one such function in an electronic fund transfer ordered by an end user will be subject to the Framework:
- Provision and Maintenance of a Payment Account;
- Payment Initiation;
- Authorization and Transmission;
- Holding of Funds; and
- Clearing and Settlement.
The Framework is to be anchored in federal legislation and to apply only to transactions that are carried solely in fiat currencies, albeit not exclusively in Canadian dollars. It will require new entrants (generally speaking, all except regulated financial institutions) and will address:
- financial risks through fund safeguarding requirements;
- operational risks through principles-based security and operational requirements; and
- market conduct risks through disclosures, dispute resolution procedures, and liability rules.
More in detail, protection from financial risks is to be achieved by requiring a PSP to hold funds in a trust account meeting the following requirements:
- The account must be at a deposit-taking financial institution that is either a member of the Canada Deposit Insurance Corporation or covered under a provincial deposit insurance regime;
- The account must be in the name of the PSP;
- The account must be clearly identified as the PSP's trust account on the records of the PSP and the financial institution;
- The account may only be used to hold end-user funds;
- The PSP must ensure that the financial institution does not withdraw funds from the account without the PSP's authorization (e.g., service fees incurred by the PSP must be paid from the PSP's general account); and
- The assets held in the account must be cash held on deposit or highly secure financial assets that can be readily converted into cash.
As for protection against operational risks:
- A PSP should establish a robust operational risk-management framework with appropriate systems, policies, procedures and controls to identify, monitor and manage operational risks.
- A PSP's management should clearly define the roles and responsibilities for addressing operational risk and should endorse the PSP's operational risk-management framework. Systems, operational policies, procedures and controls should be reviewed, audited and tested periodically and after significant changes.
- A PSP should have clearly defined operational reliability objectives and should have policies in place that are designed to achieve those objectives.
- A PSP system should have comprehensive physical and information security policies that address all major potential vulnerabilities and threats.
- A PSP should have a business continuity plan that addresses events posing a significant risk of disrupting operations. The plan should be designed to protect end users' information and payment data and to enable recovery of accurate data following an incident. The plan should also seek to mitigate the impact on end users following a disruption by having a plan to return to normal operations.
- A PSP should identify, monitor, and manage the risks that end users, participants, other PSPs, and service and utility providers might pose to its operations. In addition, a PSP should identify, monitor, and manage the risks that its operations might pose to others.
For their part, measures against market conduct risks fall into three categories:
1. Disclosures which are to meet the following principles [Emphasis in the original]:
- Information must contain adequate and relevant content;
- Information must be provided in a timely manner;
- Information must be presented in language that is clear, simple and not-misleading; and,
- Information must be easily accessible.
2. Dispute resolution ought to include the following elements:
- Ensuring the organization has appropriate capacity to respond to complaints;
- Having a senior management team that is committed to having an efficient, timely and impartial complaint handling process and that deploys the resources necessary to achieve it;
- Designating a senior official within the organization that is responsible for complaint handling;
- Designation of officers to receive and deal with complaints;
- Providing clients with a free and easily-accessible complaint process; and
- Reviewing and auditing the complaint-handling process with a view to make improvements if needed.
3. Under liability rules,
payors would not be held liable for losses due to unauthorized transactions or errors unless they acted fraudulently or failed to fulfil certain obligations. Cases where the payor could be held liable include:
- The payor has not taken reasonable care to protect the security of their passwords;
- The payor has not notified the payment service provider, without undue delay, that a payment instrument has been lost or stolen, or that a password has been breached; and
- The payor has entered the payee information incorrectly such that it was impossible for the PSP to transmit the funds to the right payee. Under this scenario, the PSP would have to make reasonable efforts to recover the funds.
Another matter to be addressed by the Framework is the protection of personal information.
1 Balancing Oversight and Innovation in the Ways We Pay: A Consultation Paper, 13.4. 2015, available online: https://www.fin.gc.ca/activty/consult/onps-ssnp-eng.asp
2 A New Retail Payments Oversight Framework, Invitation for Comments, 07.07.2017 (Closing date: October 6, 2017), available online: http://www.fin.gc.ca/activty/consult/rpof-cspd-eng.asp
3 Moving Canada into the Digital Age, available online: https://web.archive.org/web/20160305163736/http://paymentsystemreview.ca/wp-content/themes/psr-esp-hub/documents/rf_eng.pdf
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2019 by Torys LLP.
All rights reserved.