The 2019 Budget includes a proposal to introduce legislation to implement a new retail payment oversight framework in order to regulate payment service providers (PSPs) in Canada. While the budget provides few details about the proposed regulatory framework, we expect that it will be based on a 2017 discussion paper released by the Department of Finance. The discussion paper calls for legislative guidance to introduce requirements that protect users’ funds against losses and to establish better operational risk practices. The Bank of Canada will be the regulatory body that oversees PSPs’ compliance with such requirements as well as the one responsible for maintaining a public registry of regulated PSPs.
End-user fund safeguarding
Under the discussion paper, PSPs will be required to take steps to mitigate the financial risks for end-users. This entails the following requirements:
- The account must be at a deposit-taking financial institution that is either a member of the Canada Deposit Insurance Corporation or covered under a provincial deposit insurance regime;
- The account must be in the name of the PSP;
- The account must be clearly identified as the PSP’s trust account on the records of the PSP and the financial institution;
- The account may only be used to hold end-user funds;
- The PSP must ensure that the financial institution does not withdraw funds from the account without the PSP’s authorization (e.g., service fees incurred by the PSP must be paid from the PSP’s general account); and
- The assets held in the account must be cash held on deposit or highly secure financial assets that can be readily converted into cash.
In addition, PSPs would be required to place end-user funds held overnight or longer in a trust account and would also be required to maintain detailed accounting records that would allow for the accurate identification of funds held in trust and the beneficiaries.
The new framework would also require PSPs to comply with principles relating to security and operational objectives. This includes the following:
- A PSP should establish a robust operational risk-management framework with appropriate systems, policies, procedures and controls to identify, monitor and manage operational risks.
- A PSP’s management should clearly define the roles and responsibilities for addressing operational risk and should endorse the PSP’s operational risk-management framework. Systems, operational policies, procedures and controls should be reviewed, audited and tested periodically and after significant changes.
- A PSP should have clearly defined operational reliability objectives and should have policies in place that are designed to achieve those objectives.
- A PSP system should have comprehensive physical and information security policies that address all major potential vulnerabilities and threats.
- A PSP should have a business continuity plan that addresses events posing a significant risk of disrupting operations. The plan should be designed to protect end users’ information and payment data and to enable recovery of accurate data following an incident. The plan should also seek to mitigate the impact on end users following a disruption by having a plan to return to normal operations.
- A PSP should identify, monitor, and manage the risks that end users, participants, other PSPs, and service and utility providers might pose to its operations. In addition, a PSP should identify, monitor, and manage the risks that its operations might pose to others.
Possible registration requirements
The discussion paper mentions the plan to have the Bank of Canada maintain a public registry of regulated PSPs. If PSPs are required to register with the Bank of Canada, it has been proposed that they would need to apply for registration once the first components of the new framework are implemented. As part of this proposal, applications will require PSPs to include information relating to their business, such as legal status, names of owners, the types of services provided, and certain financial information.
Thanks to Nazish Mirza, articling student, for her contribution to this article.