Part INoticeVolume 157, Number 6Published: February 11, 2023

Retail Payment Activities Regulations

Canada Gazette, Part I, Volume 157, Number 6: Retail Payment Activities Regulations

REGULATORY IMPACT ANALYSIS STATEMENT

Key facts

Published
February 11, 2023
Comment deadline
March 28, 2023
Effective date
Unclear

Summary#

These are the proposed Retail Payment Activities Regulations to put the new Retail Payment Activities Act into effect. They would create a Bank of Canada‑run supervision system for firms that perform retail payment functions (registration, rules on safeguarding customer funds, operational risk controls, reporting and penalties). The government estimates the rules would affect about 2,500 payment service providers and cost about $21.6 million a year in total.

What it does#

  • Requires registration with the Bank of Canada for firms that perform one or more retail payment functions (card networks, payment processors, digital wallets and similar providers).
  • Sets rules for operational risk management and incident response. Firms must have a written framework, test it regularly, and carry out independent reviews.
  • Requires firms that hold customers’ money to safeguard those funds by:
    • holding them in trust accounts at prudentially regulated institutions, or
    • using segregated accounts plus insurance or a guarantee from a prudentially regulated, non‑affiliate provider.
  • Requires a written safeguarding‑of‑funds plan, daily ledgers of end‑user balances, annual checks and biennial independent reviews.
  • Creates reporting duties:
    • an annual report (due March 31 each year) with information on risk management, funds held, transaction volumes and other metrics;
    • incident reports to the Bank of Canada and to affected customers or firms for incidents that have a material impact;
    • a “significant change” notice at least five business days before certain changes;
    • updates to registration information within 30 days or as soon as feasible depending on the change.
  • Sets time limits for government review of applications for national security concerns: initial review time of 60 days, and a formal national security review period of 180 days (which can be extended). A firm has 30 days to request review of certain ministerial decisions.
  • Sets deadlines to respond to information requests: standard 15 days, and 24 hours for ongoing incidents that could cause significant adverse impact.
  • Introduces fees: a one‑time registration fee (initially $2,500) and an annual assessment fee based on a formula that mixes a flat base and metrics (transaction value, volume and funds held).
  • Establishes enforcement tools and penalties. Administrative monetary penalties would range up to $1,000,000 for serious violations and up to $10,000,000 for very serious violations.
  • Requires record keeping in a form the Bank can read, and retention generally for five years.

Who's affected#

  • Firms that offer retail payment services in Canada or to Canadians, such as card networks, payment processors, gateways, e‑wallets and other payment service providers (PSPs). The government estimates about 2,500 PSPs could be in scope.
  • Small PSPs: about 2,400 firms (roughly 96.4% of the estimated total) are expected to be small businesses. The analysis estimates an average present‑value cost of $1,931 per small business over 10 years.
  • The Bank of Canada (as supervisor) and the Minister of Finance (for national security reviews) will take on new roles.
  • Consumers and businesses that use these payment services would be indirectly affected through improved protections and reporting transparency.
  • Exact coverage depends on registration and on later guidance from the Bank of Canada; the true number of affected firms will only be known once the regime is operational.

Why it matters#

  • Safer customer funds: the rules aim to make sure customer money is accessible and protected if a PSP fails. That matters if you store money with a digital wallet or accept electronic payments as a merchant.
  • Better resilience: mandatory risk management and incident reporting aim to reduce outages, fraud and cyber‑security problems that can stop payments from working.
  • Costs for providers: firms will face new compliance work, independent reviews and fees. For many small PSPs this is a modest but real new cost (average $1,931 PV over 10 years in the government’s estimate).
  • National security screening: the Minister of Finance can review and block registrations on national security grounds, and the rules require disclosure about ownership, data flows and where data is stored.
  • It is a proposal, not final law. The consultation period noted in the Canada Gazette is 45 days from publication, so changes are possible before the regulations are finalized.

Key topics

Retail Payment Activities ActRetail Payment Activities Regulationspayment service providerPSPBank of CanadaDepartment of Financesafeguarding-of-funds frameworkRisk Management Frameworkannual reportincident reportsignificant change reportadministrative monetary penaltyassessment feenational security reviewSWIFT

Source: Canada Gazette

Official source