A New Retail Payments Oversight Framework
Invitation for Comments
Closing date: October 6, 2017
Written comments should be sent to:
Financial Systems Division
Financial Sector Policy Branch
Department of Finance Canada
90 Elgin Street
In order to add to the transparency of the consultation process, the Department of Finance Canada may make public some or all of the responses received or may provide summaries in its public documents. Therefore, parties making submissions are asked to clearly indicate the name of the individual or the organization that should be identified as having made the submission. Submissions should preferably be provided electronically in PDF format or in plain text to facilitate posting.
In order to respect privacy and confidentiality, when providing your submission please advise whether you:
- consent to the disclosure of your submission in whole or in part
- request that your identity and any personal identifiers be removed prior to publication
- wish any portions of your submission to be kept confidential (if so, clearly identify the confidential portions)
Information received throughout this submission process is subject to the Access to Information Act and the Privacy Act. Should you express an intention that your submission, or any portions thereof, be considered confidential, the Department of Finance Canada will make all reasonable efforts to protect this information.
Payment systems enable millions of Canadians to transact on a daily basis and play a key role in promoting economic activity. Given the importance of payment systems to the economy, the Government oversees their operations through the stated policy objectives of safety and soundness, efficiency and consideration of user interests. The current oversight of payments in Canada is focused on the core national payment clearing and settlement systems and, to a lesser extent, on retail payments supported by supervised financial service providers such as debit and credit card networks. Given the rapid pace of innovation in the retail payments space, the federal government needs to put in place a new oversight framework to ensure the retail payments ecosystem evolves in such a way that payment services remain reliable and safe for end users and the ecosystem is conducive to the development of faster, cheaper and more convenient methods of payments.
This paper presents an oversight framework for retail payments and seeks views on its various components. It builds on the April 2015 consultation paper Balancing Oversight and Innovation in the Ways We Pay.
Technological advancements and innovation have a profound impact on Canadians’ day-to-day life. Connected devices continue to be introduced, providing real-time communication, navigation assistance and near-instant access to a vast repository of information. This improved convenience has increased consumers’ expectations vis-à-vis the various services that they use, including in the financial sector where “anytime, anywhere services” are becoming the norm. Many financial service providers and financial technology (fintech) companies have successfully leveraged the power of computing, the capacity of data and the cloud, the ubiquity of internet and mobile platforms and access to new sources of funding to develop innovative products that enhance consumers’ experience. Financial innovation is transforming all segments of the financial sector, including areas such as payments, banking, insurance, lending and wealth management. Canadians can now carry out their day-to-day banking transactions or shop on their mobile phones. They may also consult robo-advisors to manage their financial assets and rely on peer-to-peer lending to finance their projects.
Fintechs provide innovative products and services, either in partnership or in competition with traditional financial institutions. The fintech industry is growing fast, both in terms of the number of market participants and capital invested. For instance, global investments in fintechs reached a record high of $US 22.3 billion in 2015, of which $US 14.8 billion was made in North America [1]. In Canada, the Business Development Bank of Canada (BDC) estimates that the number of startups operating in the financial sector will increase from about 100 in 2016 to more than a thousand in 2021.
Retail payments is one of the first segments of the financial sector where fintechs became active, and this segment now generates the most fintech banking revenues (43% as of 2015) [2]. Innovation is not new in this space; for example, the payment card industry has evolved from magnetic stripe technology, to “Chip and PIN”, to contactless payments. However, the pace of change is accelerating. This is driven in part by incumbents and new entrants who are innovating in many areas, notably mobile payments. The impact of this financial innovation on payments has been significant, causing major changes in the way Canadians pay for goods and services. From 2008 to 2015, the number of cash and cheque transactions in Canada fell by 30 and 35 per cent, respectively. In contrast, the use of debit and credit cards has increased by 40 and 69 per cent, respectively. The number of online e-wallet and electronic person-to-person (P2P) transactions has increased over 1000 per cent between 2008 and 2015 [3]. Looking forward, one estimate suggests that Canadian non-cash payments could reach a trillion dollars by 2020, with the potential of upwards of 15 per cent of these payments being mobile, compared with one per cent in 2015 [4].
Increased competition and innovation in retail payments have the potential to reduce prices and improve the quality of payment services for end users. Already, there are a number of newer players offering a variety of payment services such as peer-to-peer money transfers and mobile payments that compete with those offered by traditional financial institutions.
In Canada, the federal government has responsibilities with respect to the oversight and regulation of payment systems that are national or substantially national in scope, or systems that play a major role in supporting transactions in Canadian financial markets or the Canadian economy. In contrast to wholesale financial market infrastructures, retail payments increasingly operate within more fluid structures and arrangements between service providers in an evolving ecosystem. Consistent with its current legislated responsibilities, the Government of Canada is proposing a new oversight framework for retail payments to ensure the retail payments ecosystem evolves in such a way that payment services remain reliable and safe for end users and the ecosystem is conducive to the development of faster, cheaper and more convenient methods of payments.
In April 2015, the Department of Finance issued a consultation document that sought the views of Canadians on the oversight of retail payments. Since then, the Department has undertaken further analysis and conducted targeted consultations with various stakeholders to develop a policy framework. Building on this work, this paper articulates the main components of a proposed oversight framework for retail payments.
3. Role of the Government
Payments systems perform a critical function in facilitating economic activity. Consumers and businesses make payments daily and the convenience, speed, reliability and cost of payment systems affect utility, productivity and economic growth. For consumers and businesses to adopt new and better payment methods, they need to be confident that the underlying systems are reliable, safe and secure.
Given the importance of payments to the economy, the Government of Canada oversees their operation through stated policy objectives of safety and soundness, efficiency and consideration of users’ interests. The conceptual framework for payments system oversight classifies payment infrastructures into three categories based on the degree of risks they pose to the economy. The relative importance given to each of the three policy objectives varies depending on the category of payment infrastructure (see Figure 1).
Systemically Important Systems
As disruption or failure in a systemically important system has the potential to pose the greatest risks to Canadian financial stability and economic activity, safety and soundness is emphasized. The Large Value Transfer System (LVTS), which clears and settles high-value, time-sensitive wholesale payments (e.g., bank-to-bank transfers), has been designated as a systemically important system and is overseen by the Bank of Canada under the Payment Clearing and Settlement Act. The Department of Finance also has a role in the regulation of systemically important systems owned and operated by Payments Canada.
Prominent Payment Systems
A disruption or failure in a prominent payment system could pose risks to Canadian economic activity and affect general confidence in the payments system. The Automated Clearing Settlement System (ACSS), which clears and settles a high volume of retail payments (e.g., cheques, direct deposits), has been designated as a prominent payment system and is overseen by the Bank of Canada under the Payment Clearing and Settlement Act. The Department of Finance also has a role in the regulation of prominent payments systems owned and operated by Payments Canada.
Retail payment services, such as mobile wallets and the credit and debit card networks, are used to process lower transaction values. Consumers and businesses rely on such services for their day-to-day transactions. Because of the availability of substitutes, a shock or disruption in a single service would have a limited impact on the economy. User interests therefore receive a greater emphasis than with systemically important and prominent payment systems.
4. Motivation for a new retail payments oversight framework
The current oversight of payments in Canada is focused on the core national payment clearing and settlement systems (i.e., LVTS and ACSS). Policy objectives for retail payments conducted by regulated financial service providers such as banks and payment card networks are supported through legislation and codes of conduct. However, other retail payment service providers (PSPs) are not currently subject to a comprehensive oversight framework. For instance, non-traditional PSPs are not subject to operational requirements including mechanisms to safeguard consumer funds in the event of insolvency, specific disclosure rules or complaint handling procedures. This can create risks and confusion for payment service end users who may expect similar levels of protections irrespective of the payment service provider they use.
Through internal analysis and consultation with stakeholders and experts, the Department has identified key risks inherent to retail payments. Accounting for existing oversight, the key risks to end users have been identified. These risks can be classified under five broad categories: operational risk; financial risk; market conduct risk; efficiency risk; and money laundering and terrorist financing risk.
Operational risk relates to inadequate or failed internal processes, system failures, human errors, or external events that may disrupt or compromise payment services. It often arises due to weak governance and risk-management practices and can affect the availability, reliability and security of payment services. The sources of operational risk are wide-ranging and can include the lack of system redundancy, poor data security, and inadequate policies and standards with respect to end user privacy.
Financial risk relates to the failure to ensure sufficient liquidity exists to meet payment obligations and the failure to properly safeguard end-user funds held by the payment service provider. Causes include inadequate segregation of operating and client funds.
Market Conduct Risk
Market conduct risk relates to the behaviour of payment service providers with respect to end users that may lead to harm. For example, a service provider may provide misleading, inadequate or insufficient information to users when they sign up for a new service or throughout its use. Certain basic information on terms and conditions such as fees, liability rules and privacy policies are required for end-users to make fully informed choices regarding their use of payment services. Should a dispute occur, dispute resolution and redress mechanisms should be available and effective.
Efficiency risk relates to the sub-optimal provision of payment services. Inefficiencies may translate into higher prices for payment services and prevent end users from benefiting from the most advanced technology. Competition and innovation are key forces that foster efficiency. Barriers to entry and/or abuse of market power have the opposite effect. Measures to address efficiency risk are addressed under the section “Innovation and Competition” later in this paper.
Money Laundering and Terrorist Financing Risk
Money laundering and terrorist financing risk relates to the use of PSPs by criminals to disguise the origin of funds derived from criminal activity or used to finance terrorist activities. These activities can destabilize the economy, compromise the integrity of the financial sector, and facilitate the conduct of further criminal activities.
The rapidly changing retail payments space is a global phenomenon and other jurisdictions are facing similar oversight challenges. In response to evolving business models, activities and products, some jurisdictions have moved to introduce oversight frameworks for retail payments that focus on payment activities rather than the type of entity performing them. In addition to extending oversight to entities that were not previously covered, these frameworks are aimed at fostering innovation and enabling appropriate market entry.
While traditional PSPs still account for the vast majority of retail payments in Canada, the emergence and growth of new entrants is expected to continue. A new retail payments oversight framework is required to ensure that, as retail payments continue to evolve, an appropriate balance is maintained between the Government’s three policy objectives:
- Safety and soundness – With regards to payments, safety and soundness refers to the appropriate measurement, management and control of risks. Safety and soundness are essential conditions to achieve a stable financial system and a well-functioning economy. Given the potential to transmit negative shocks, payment systems and services must be operated with appropriate regard to safety and soundness. A retail payments oversight framework should contain measures that are proportionate to the risk these systems or services pose to the economy. This oversight should contribute to public confidence in retail payment systems.
- Efficiency – Efficiency in payments includes how effectively the payment clearing and settlement processes are carried out to meet end-users’ needs, as well as ensuring the efficient allocation of resources to deliver the service. A retail payments oversight framework should foster competitive market conditions and help remove barriers to entry to drive cost reductions and innovation.
- User interests – Payment systems and services should be designed and operated to meet the needs of Canadians and protect end-user interests. These needs include convenience and ease of use, price, safety, privacy and effective redress mechanisms. Disclosure of price, risks and performance standards is important to enable Canadians to make informed choices. End-user interests are not homogenous and are reflective of a wide range of needs and customer profiles.
These three objectives may be complementary. For instance, to the extent that measures promoting safety and soundness and end-user interests foster public confidence in new retail payment services, they can help foster competition and innovation. Increased competition and innovation can both directly benefit end-users and increase payment system efficiency, which would contribute to economic growth. However, unduly burdensome regulations may stifle competition and innovation. To help achieve an appropriate balance between these objectives, four principles have been identified to guide the development of the oversight framework:
- Necessity – Oversight should address risks that can lead to significant harm to end users and avoid duplication and overlap with effective existing rules.
- Proportionality – The level of oversight should be commensurate with the level of risk posed by a payment activity. One of the key considerations is the cost of compliance, as the oversight measures should not create a barrier to competition and innovation by unduly burdening PSPs.
- Consistency – Similar risks should be subject to a similar level of oversight, irrespective of the type of entity or the technology. A clear and consistent oversight regime is desirable to promote competition and innovation.
- Effectiveness – Oversight should be designed to maximize effectiveness. For example, requirements should be clear, accessible and easy to integrate within different payment services, and the entity that poses the risk should be responsible for managing it. Additionally, the regulator should have the ability to enforce oversight requirements when necessary.
5. Proposed Retail Payments Oversight Framework
The current oversight of retail payments in Canada is largely based on an institutional approach where rules target specific types of payment service providers such as banks and card network operators. The Task Force for the Payments System Review recommended [5] an overhaul of Canada’s payment system oversight that includes the adoption of a functional approach, so that risks associated with a particular payment function are treated similarly regardless of the type of organization providing the service. A functional approach is consistent with recent international trends in payments oversight, notably in the European Union and Australia. In its 2015 consultation paper entitled Balancing Oversight and Innovation in the Ways We Pay, the Government sought the views of Canadians on the merits of a functional approach to retail payments oversight. This approach received broad stakeholder support.
Through internal analysis and engagement with various stakeholders, the Department of Finance has identified five core functions performed by PSPs in the context of electronic fund transfers:
- Provision and Maintenance of a Payment Account: provides and maintains an account held in the name of one or more end users for the purpose of making electronic fund transfers.
- Payment Initiation: enables the initiation of a payment at the request of an end user.
- Authorization and Transmission: provides services to approve a transaction and/or enables the transmission of payment messages.
- Holding of Funds: enables end-users to hold funds in an account held with a PSP until it is withdrawn by the end user or transferred to a third party through an electronic fund transfer.
- Clearing and Settlement: enables the process of exchanging and reconciling the payment items (clearing) that result in the transfer of funds and/or adjustment of financial positions (settlement).
The oversight framework would apply to any PSP when performing one of the above-mentioned payment functions in the context of an electronic fund transfer ordered by an end user (i.e., a person or entity that is not a PSP or a financial intermediary). If a PSP outsources some of its operations, it would be required to ensure that outsourced operations meet the same requirements as if they were provided internally. The retail payments oversight framework would thus cover a wide array of day-to-day transactions conducted through various payment methods, such as credit card transactions, online payments, pay deposits, debit transactions, pre-authorized payments, and peer-to-peer money transfers. However, consistent with the principles developed to guide the development of the oversight framework, certain types of transactions posing limited risk to end users would be excluded from the perimeter of the oversight framework:
- Transactions entirely made in cash;
- Transactions conducted via an agent authorized to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or the payee, if the funds held by the agent on behalf of the payer or payee are kept in a trust (e.g., real estate agent or lawyer);
- Transactions made with instruments that allow the holder to acquire goods or services only in the premises of the issuing merchant (e.g., store cards) or within a limited network of merchants that have a commercial agreement with an issuer (e.g., shopping mall cards);
- Transactions related to securities asset servicing (e.g., dividends distribution, redemption or sale) and derivatives;
- Transactions at ATMs for the purpose of cash withdrawals and cash deposits;
- Transactions between entities of a same corporate group, if no intermediary outside of the corporate group is involved in the transaction; and
- The clearing and settlement of transactions made through systems designated under the Payment Clearing and Settlement Act.
The application of the retail payments oversight framework would be limited to transactions that are carried out solely in fiat currencies (i.e., regulated currencies such as the Canadian dollar). Various types of unregulated virtual currencies now exist. However, the use of virtual currencies in retail payments is limited. The Government will continue to monitor the use of virtual currencies in retail payments and propose adjustments to the perimeter as warranted. It has already taken steps to mitigate money laundering and terrorist risks associated with virtual currencies. In June 2014, a legislative amendment was made to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) to make “dealers in virtual currency” money services businesses, in order to implement anti-money laundering and anti-terrorist financing measures. Supporting regulations are currently being developed to define “dealers in virtual currency”, to establish related obligations and to bring these legislative amendments into force.
1) Is the proposed perimeter appropriate to mitigate risks in retail payments?
Effective oversight of retail payments mitigates risks to end users and supports consumers and businesses’ confidence in payment services. The proposed oversight framework would be anchored in federal legislation. Considerations to determine whether specific proposed measures to mitigate identified risks would be introduced through legislated or voluntary vehicles will include effectiveness, the scope of federal jurisdiction, and input received from provincial oversight authorities.
This section presents proposed measures for a retail payments oversight framework. The key risks that these measures aim to mitigate are discussed with each measure. In general, financial risks are addressed through fund safeguarding requirements; operational risks are addressed through principles-based security and operational requirements; and market conduct risks are addressed through disclosures, dispute resolution procedures and liability rules.
5.2.1 End-User Fund Safeguarding
To confidently use retail payment services, end users need to know that the funds held by PSPs on their behalf are safe and available when they want to use them. While certain federally and provincially regulated financial institutions are subject to prudential oversight requiring that measures be taken to protect depositor funds, there are currently no such requirements for all payment service providers that hold end-user funds. PSPs have a strong business incentive to adequately safeguard end-user funds. That said, there is a risk that a PSP may fail to hold sufficient funds in safe and liquid investments to fulfil its payment obligations or end-user demands to withdraw funds. Additionally, a PSP may not properly isolate end-user funds from its own assets, which could result in these funds being made available to other creditors should the PSP become insolvent.
A set of clear fund safeguarding requirements would help ensure that end users will be protected as the use of non-traditional PSPs grows. Other jurisdictions, such as the UK, have introduced end-user fund safeguarding requirements for PSPs. These include the requirement to protect customer funds by either segregating these funds from the assets of the PSP or obtaining an insurance policy or bank guarantee. In the case of segregation, the assets held in these accounts must be approved by the regulator as secure and liquid. In Canada, some provinces have measures in place to protect client funds in industries where these funds are held overnight or longer, such as the legal profession, funeral service professionals, travel agents and agencies, real estate brokers and mutual fund and securities dealers. A basic requirement across all of these industries is that client funds be segregated from the entities’ own assets by placing them in trust accounts. Additional measures vary across industries and include minimum working capital requirements, providing security such as surety bonds, insurance and consumer compensation funds.
As part of the retail payments oversight framework, the Government proposes to require PSPs to place end-user funds held overnight or longer in a trust account that meets the following requirements:
- The account must be at a deposit-taking financial institution that is either a member of the Canada Deposit Insurance Corporation or covered under a provincial deposit insurance regime;
- The account must be in the name of the PSP;
- The account must be clearly identified as the PSP’s trust account on the records of the PSP and the financial institution;
- The account may only be used to hold end-user funds;
- The PSP must ensure that the financial institution does not withdraw funds from the account without the PSP’s authorization (e.g., service fees incurred by the PSP must be paid from the PSP’s general account); and
- The assets held in the account must be cash held on deposit or highly secure financial assets that can be readily converted into cash.
PSPs would be required to maintain detailed accounting records that would allow for the accurate identification of funds held in trust and the beneficiaries. Additionally, PSPs would be required to report on their trust accounts in their annual filings to the regulator. Consideration could also be given to requiring PSPs to comply with the necessary requirements (with CDIC or a provincial equivalent) to ensure that separate trust coverage is provided for each end user as beneficiaries of the trust. Additional requirements would include, for example, that the assets held in the account meet the deposit insurer’s definition of eligible deposits.
2) Is the proposed requirement to place end-user funds in trust accounts combined with detailed record keeping, annual filings and the regulator’s compliance tools (described in Annex C) appropriate?
3) Should any exemptions from the trust account requirements exist (e.g., where funds held are below a specified per-user threshold (e.g., $100) or where funds are only held for a short period of time)? Would additional measures be desirable?
5.2.2 Operational Standards
A PSP could experience an operational failure in various ways, including situations where a system is not working when it is supposed to (lack of availability); a system is working but is not protecting data that it is transmitting (lack of confidentiality); or, a system is prone to inaccuracies (lack of integrity). Often, these problems are due to weak operational and security procedures. Strong operational standards can help mitigate risks and promote users’ confidence by setting system performance objectives and service-level targets. Currently, there are a variety of industry-driven standards, such as the Payment Card Industry Data Security Standard, but there is no minimum standard applicable to the entire retail payments sector.
To assess operational risks in core national payment clearing and settlement systems, the Bank of Canada considers the system’s risk-management practices relative to the Bank’s risk-management standards, which incorporate the Principles for Financial Market Infrastructures (PFMIs). The PFMIs are international standards related to the risk-management, efficiency, and transparency for systemically important payment systems and other financial market infrastructure. They address a variety of operational risks to ensure a common base level of risk management across systemically important payments systems in all countries.
Operational failures in retail payments can damage a PSP’s reputation or perceived reliability, lead to legal disputes, and result in financial losses. They can have economic implications for PSPs, and the consumers that rely on them. This may include, for example, the risk that end-user data is unintentionally disclosed by a PSP. To mitigate these operational risks, the oversight framework would require that PSPs performing any of the five payment functions comply with a set of principles related to establishing security and operational objectives and policies and business continuity planning that would be based on the PFMIs and adapted to address operational risks inherent to retail payments:
- A PSP should establish a robust operational risk-management framework with appropriate systems, policies, procedures and controls to identify, monitor and manage operational risks.
- A PSP’s management should clearly define the roles and responsibilities for addressing operational risk and should endorse the PSP’s operational risk-management framework. Systems, operational policies, procedures and controls should be reviewed, audited and tested periodically and after significant changes.
- A PSP should have clearly defined operational reliability objectives and should have policies in place that are designed to achieve those objectives.
- A PSP system should have comprehensive physical and information security policies that address all major potential vulnerabilities and threats.
- A PSP should have a business continuity plan that addresses events posing a significant risk of disrupting operations. The plan should be designed to protect end users’ information and payment data and to enable recovery of accurate data following an incident. The plan should also seek to mitigate the impact on end users following a disruption by having a plan to return to normal operations.
- A PSP should identify, monitor, and manage the risks that end users, participants, other PSPs, and service and utility providers might pose to its operations. In addition, a PSP should identify, monitor, and manage the risks that its operations might pose to others.
Operational system testing could be conducted through self-assessment in the case of small firms, or through third-party verification in the case of the largest firms. These objectives and policies would include ensuring an appropriate level of data protection and confidence, and emphasize end user and system data protection.
4) Are the proposed measures to address operational risks appropriate?
When not provided with sufficient product or service information, end users can make financial decisions that may lead to unfair and/or unanticipated outcomes for them. In particular, insufficient information disclosures can lead to various forms of harm, such as confusion about settlement times, transaction reversals and liability. Informed users are better able to actively participate in the financial marketplace and make decisions that best meet their needs.
While risks to end users due to a lack of adequate, clear and easy-to-understand information exist across all five payment functions, particular attention is required for functions that involve a direct PSP/end user business relationship (e.g., provision and maintenance of a payment account, payment initiation).
Disclosures are currently required for certain PSPs, including under the Bank Act, the Competition Act and the Code of Conduct for the Credit and Debit Card Industry in Canada (the Code). Provincial legislation can also provide protection against unfair contracts and offer legal recourse to end users. While these safeguards can offer basic protections, they may not address all information asymmetries specific to payments.
Under the proposed oversight framework, all PSPs that perform a function that involves a direct PSP/end user relationship would have to provide end users with information on the key characteristics of the service or product (e.g., charges and fees, functions, limitations, security guidelines), customers’ responsibilities, the PSP’s responsibilities, terms and conditions, the end user’s history of payment transactions on an account, as well as receipts for transactions carried out[6]. Disclosures would have to meet the following principles:
- Information must contain adequate and relevant content;
- Information must be provided in a timely manner;
- Information must be presented in language that is clear, simple and not-misleading; and,
- Information must be easily accessible.
In addition to the above-mentioned disclosures, these PSPs would need to provide a separate, concise summary containing key information related to a payment service on the cover page of the terms and conditions regarding the use of the service.
5.2.4 Dispute resolution
An effective and efficient complaint handling system for payment transactions contributes to consumer and merchant confidence. There is currently no obligation for many PSPs to have complaint-handling procedures in place, creating uncertainty that consumer disputes will be treated in a fair and impartial manner. Redress mechanisms are important to resolve disputes, some of which may engender financial harm, such as:
- Unilateral transaction reversals made by another party to the transaction;
- Unauthorized payments made on the user’s account or errors made by the PSP; or,
- Excessive processing delays for transactions.
Having mechanisms to handle consumer complaints is widely recognized as an essential element of dispute resolution. This would include the following elements:
- Ensuring the organization has appropriate capacity to respond to complaints;
- Having a senior management team that is committed to having an efficient, timely and impartial complaint handling process and that deploys the resources necessary to achieve it;
- Designating a senior official within the organization that is responsible for complaint handling;
- Designation of officers to receive and deal with complaints;
- Providing clients with a free and easily-accessible complaint process; and
- Reviewing and auditing the complaint-handling process with a view to making improvements if needed.
To reduce market conduct risks, it is proposed that PSPs performing a function that involves a direct PSP/end user business relationship have documented procedures for dealing with complaints that meet these six elements. Each of these PSPs would also have to provide the regulator with aggregate data about complaints on an annual basis and a copy of their complaint handling procedures.
Many federally and provincially-regulated financial institutions have a designated external complaint body (ECB) to which their customers can elevate an issue when internal dispute resolution channels are exhausted. These ECBs are independent from financial institutions and are mandated to provide, free of charge for the customers, an impartial review of disputes referred to them. As such, they increase confidence in the financial system by providing service users additional recourse in cases of dispute with a financial service provider. Under the proposed oversight framework, an ECB would be designated to receive complaints that fail to be resolved through PSPs’ internal complaint handling processes. In order for the process to work properly, PSPs would be required to:
- Advertise their complaint handling procedures and the possibility for customers to refer cases to the designated ECB;
- Provide the ECB with all the information it may need in resolving the dispute; and
- Participate in the dispute resolution process (e.g., participate in conciliation sessions and in ECB consultations).
5) Are the proposed essential elements for a complaint handling process appropriate?
An unauthorized transaction is a transfer made from a user’s account without the user’s consent. It can be attributed to fraud, the failure of the user to protect passwords, or a breach of a PSP’s systems. Errors can occur due to end-user failure to provide a PSP with accurate information or as a result of a failure in the payment chain during the course of a transaction. Unclear rules can contribute to financial harm for end users. While unauthorized transactions are more closely related to the payment initiation and authorization and transmission functions, errors can occur at any stage of a payment transaction and within all five payment functions.
There are liability rules related to unauthorized transactions and errors for certain payment instruments and systems (e.g., Payments Canada system rules, provisions in the Cost of Borrowing (Banks) Regulations for lost or stolen credit cards, the Canadian Code of Practice for Consumer Debit Card Services). However, liability rules are not applicable to all retail payment services. Other jurisdictions, notably the EU and Australia, have specified when a user is liable for a loss related to an unauthorized transaction or error.
Under the proposed retail payments oversight framework, payors would not be held liable for losses due to unauthorized transactions or errors unless they acted fraudulently or failed to fulfil certain obligations. Cases where the payor could be held liable include:
- The payor has not taken reasonable care to protect the security of their passwords;
- The payor has not notified the payment service provider, without undue delay, that a payment instrument has been lost or stolen, or that a password has been breached; and
- The payor has entered the payee information incorrectly such that it was impossible for the PSP to transmit the funds to the right payee. Under this scenario, the PSP would have to make reasonable efforts to recover the funds.
The payment-authorizing PSP would have to refund the payor for losses resulting from unauthorized transactions or errors. This would not prevent PSPs from having agreements with intermediaries to allocate liabilities and ensure that each entity takes responsibility for the respective parts of the transaction that are under their control.
6) Are the proposed measures regarding liability in case of errors and unauthorized transactions appropriate?
The retail payments ecosystem is fast evolving with new players regularly entering the market. The oversight framework would require a mechanism to identify new entrants and track existing PSPs in the sector and monitor their compliance with applicable regulation. Certain countries like the United Kingdom and Australia require that payments service providers register with their regulators[7]. The registries can be a valuable tool for service users who wish to know which service providers are supervised and compliant with their regulatory obligations.
It is proposed that the retail payments oversight framework require all PSPs[8] to apply for registration with the designated federal retail payments regulator when the oversight framework comes into force or, in the case of a new PSP, before their payment services are launched. In order to register, PSPs would be required to provide in their application the information listed in Annex B. In addition, the applicants’ owners and directors would be required to undergo a criminal record check for fraud and other financial offences under the Criminal Code.
It is proposed that the registration scheme also promote compliance with the PCMLTFA, the legislation at the center of Canada’s anti-money laundering and anti-terrorist financing regime. The PCMLTFA requires that certain PSPs facing significant money laundering and terrorist financing risk (e.g. banks, credit unions, money remitters) implement a series of measures to help deter and detect those activities. The retail payments regulator would deny or revoke registration of a PSP if it has been penalized by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) for a “very serious” violation or, in the case of a money remitter, if it is not registered with FINTRAC.
It is proposed that registered PSPs would have the obligation to inform the registrar of changes to the information provided at registration, except for elements marked with an asterisk (*) in Annex B, within a specified timeframe. Changes to elements marked with an omega (Ω) would have to be reported to the regulator before they become effective. PSPs would also be required to submit a de-registration form when they stop performing payment functions or cease operating.
PSPs that apply for registration would be required to pay a fee that covers the costs to the registrar of treating their demand.
7) Is the level of information that would be required at registration appropriate?
8) Are the proposed criteria for registration adequate?
5.2.7 Personal Information
Recent technological innovation, particularly in the mobile payments space, has given retail payment service providers the ability to collect and store many different types of personal and sensitive information such as geo-location and purchase history. Weak protection of personal information by PSPs is a type of market conduct risk that may lead to a series of undesirable consequences for end users, such as financial or reputational harm due to data breaches.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a comprehensive, technology-neutral, scalable (i.e., flexible in order to meet the risks of any size of company) federal Act that establishes ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities across Canada. In general, PIPEDA applies to the commercial activities of organizations in all provinces, except where organizations operate entirely within provinces that have their own, substantially similar privacy laws (i.e., Alberta, British Columbia and Quebec). The Office of the Privacy Commissioner (OPC) monitors compliance with PIPEDA.
PIPEDA applies to all Canadian businesses in all sectors of the economy, including retail payments. However, some PSPs may not be familiar with their responsibilities under PIPEDA or applicable provincial privacy legislation. For this reason, the regulator for the oversight framework would promote awareness of, and compliance with, PIPEDA and similar provincial legislation, including by directing PSPs, at the point of registration, to relevant, existing information published by the Office of the Privacy Commissioner or other provincial regulators regarding compliance with privacy-related obligations.
5.3 Innovation and Competition
Innovation and competition promote a dynamic and efficient economy that can translate into many benefits for Canadians. Technical advancements have changed in many ways consumers’ expectations regarding product capabilities and service delivery. This is also true in retail payments, where technological innovation has paved the way for new payment services that are meeting increased demand for “anytime and anywhere payments”. Continued competition and innovation will help ensure Canada’s retail payments remain dynamic and globally competitive through services that improve access to fast, reliable and secure payment systems, and at lower costs.
The proposed oversight framework would encourage innovation and competition. It would set clearly defined parameters for market players and provide investors with greater regulatory certainty which promotes investment, enabling them to effectively compete or partner with existing players and launch services more easily.
The oversight framework would also apply measures commensurate to the level of risk posed by each PSP. This would be done through three mechanisms: principles-based requirements; the tiering of measures; and the recognition of equivalent requirements under other legislative frameworks.
1. Principles-based requirements
Measures would in general be principles-based to accommodate the diversity of business models in the retail payments sector. This would provide PSPs the flexibility to implement the measures in a way that fits their size, business model and the level of risk associated with their activities. An example of a principles-based requirement is the obligation to have, as part of operational standards, a business continuity plan. The requirement does not prescribe how PSPs’ business continuity plans should look, but only requires that each PSP has one tailored to its operations. Principles-based measures would also allow flexibility to more effectively address business models that are currently unforeseen.
2. Tiering of measures
To alleviate regulatory burden on PSPs posing a lower level of risk, consideration will be given to tiering specific measures (e.g., firms falling under a certain threshold would be subject to less stringent requirements). For example, smaller firms could be permitted to self-assess the operational reliability of their internal systems, while the larger firms could be required to conduct third-party assessments. Firms could be tiered on different dimensions such as functions (e.g., holding funds), payments values or volumes, market significance (e.g., number of end users) and the degree of interconnectedness with other retail payment systems or service providers.
3. Recognition of other oversight frameworks
Certain PSPs are currently regulated under other federal or provincial legislative statutes that contain measures that mitigate many of the risks identified in this paper. To avoid unnecessary duplication of requirements, it is proposed that the retail payments oversight framework exempt service providers from having to implement a framework measure if the entity is subject to a substantially similar requirement under another federal or provincial statute. It would be the regulator’s responsibility to determine in which circumstances this type of exemption would apply based on analysis of relevant federal and provincial legislation and discussions with the regulators responsible for ensuring compliance with those requirements.
In addition, the oversight framework would include an advisory service for small firms planning to commercialize a new product, process or service. One of the hurdles faced by small market entrants is understanding the regulatory framework within which they operate. Small firms with limited human and capital resources may find it challenging to understand and navigate the federal regulatory landscape in a timely and cost-effective way. An advisory service could guide qualified PSPs through the registration process, if needed, and assist by interpreting the various framework requirements based on their specific business model.
9) Stakeholders are invited to provide views on approaches for tiering of specific proposed measures.
10) Would the framework sufficiently promote innovation and competition?
5.4 Regulatory Authority
5.4.1 Assignment of oversight mandate
The proposed retail payments oversight framework includes a variety of measures, some of which are similar to measures contained in other federal frameworks for the financial sector. For example, banks are subject to disclosure and dispute resolution requirements under the Bank Act and core payment infrastructure is subject to financial and operational requirements under the Payment Clearing and Settlement Act. To ensure consistency in the implementation of similar measures across federal oversight frameworks, the oversight framework would leverage the mandate and expertise of existing regulators.
5.4.2 Compliance tools
The retail payments sector includes a wide array of payment service providers that vary in size and business models. The communication, compliance-assessment and remedial tools that are effective for one type of PSP, for example merchant acquirers, may not be optimal for other types of PSPs such as digital wallet providers. To fulfill its mandate, the regulator would have a combination of compliance tools that would allow for effective intervention with any type of PSP. The Government proposes to equip the regulator with the compliance tools presented in Annex C.
6. Next Steps
The evolving nature and complexity of retail payment systems requires dialogue between the Government and stakeholders to ensure the development of efficient policies that meet the needs and expectations of Canadians. The Government invites all stakeholders to participate in this consultation process. By working together, we can ensure that the Canadian payments system functions well, notably by fostering innovation and better protecting consumers and businesses. Based on the results of this consultation, the Government will propose legislation to implement the new oversight framework.
Annex A: Proposed Disclosures
Contents and Timeliness
1. Before providing a service or product, a PSP would have to provide information on:
- Service or product (key functionality and interoperability functions, limitations to use such as needing a phone);
- Charges, fees, spending limits, interest charges and expiry dates (if any);
- Security guidelines followed by PSP; and,
- Privacy and data collection policies.
2. When opening a payment account or setting up a payment initiation service, a PSP would have to provide clients information on:
- Customer’s responsibilities:
  - Safeguards and measures that a customer must take (e.g., do not disclose password);
  - How a user’s consent to authorize a payment transaction is given and withdrawn;
  - Rules on finality of payments (e.g., maximum time to submit transaction reversal);
  - Actions that an end user should take in case of loss or theft of product or service (e.g., call hotline); and,
  - Liabilities for unauthorized payment transactions and processing errors.
- PSP’s responsibilities:
  - Security guidelines followed by PSP;
  - Privacy and data collection policies;
  - Charges, fees, spending limits, interest charges and expiry dates (if any);
  - The length of a contract, termination policies and penalties;
  - Liabilities for unauthorized payment transactions and processing errors;
  - Changes to contract, how and when a PSP would inform its user of changes (e.g., 60 days before changes take effect), and cancellation policies;
  - Refund procedures and finality of payments;
  - Information about dispute resolution processes; and
  - The maximum time between payment and availability of funds to payee. This would include cut off times after which payments are deemed to have been received the next business day.
3. Once a payment account has been opened or a payment initiation service has been set up, and when changes are made to the terms and conditions, a PSP would have to provide information on:
- Any changes to the terms and conditions of the service; and,
- Details on actions that a client may take to cancel the payment service, including relevant fees if any.
4. For single payments transactions[9], before initiating a payment, a PSP would have to provide information on:
- Any applicable charges (e.g., foreign exchange fees); and
- Estimated processing times.
5. A PSP would have to provide the user a history of all payment transactions it has authorized on a payment account in a form that is storable (e.g., can be downloaded in PDF). The information provided on each payment transaction must be available within a defined period and contain the following details:
- Name of payee;
- Date of payment;
- A reference to the method of payment;
- Itemized charges;
- Charges, fees (e.g., foreign exchange fees) and taxes levied on payment service fees, if any; and
- Total value of transaction.
6. Immediately after authorizing a one-off payment, a PSP would have to provide a receipt in a form that is durable and storable (e.g., email or paper) with the following information:
- Name of payee;
- Time and date of payment;
- A reference to the method of payment;
- Itemized charges;
- Charges, fees (e.g., foreign exchange fees) and taxes levied on payment service fees, if any;
- Total value of transaction; and,
- Refund procedures or link to more information with refund procedures.
Information Disclosures: Language
7. A PSP would have to present information in language that is clear, simple and not-misleading. The Regulator would provide guidance on this requirement; however, examples could relate to providing information that is written in a logical way, takes into consideration the target audience and their knowledge of the product or service, and avoids the use of language that is too technical.
Information Disclosures: Accessibility of Information
8. A PSP would have to provide information in a manner that is easily accessible and user-friendly. In addition, written disclosures would have to be made in a manner that allows end users to easily store the information (e.g., a downloadable PDF file rather than a temporary webpage). PSPs would have to ensure end users have enough time to receive and comprehend disclosed information (e.g., mail deliveries may require more time than information presented via email).
In order to help the average user understand the most important aspects of a payment service or product, PSPs would have to provide a separate, concise summary containing key information related to an agreement between a PSP and a user in an appropriate form, at the beginning of an agreement. This summary, like the agreement, would have to be durable and storable.
This option is intentionally principles-based to provide flexibility to the regulator. The regulator would provide guidance on these principles. Exemptions would be given to PSPs that meet substantially similar provincial or federal requirements.
Annex B: Information to be provided at registration[10]
- Trade names, operating names and legal names of applicant;
- Legal status of applicant (e.g., sole proprietorship, partnership, corporation or other);
- For an applicant that is a corporation, the incorporation number, the date of incorporation and the jurisdiction of incorporation;
- Business license number and place of issue;
- List of subsidiaries (and their address, phone number and website, if any);
- Parent entity (if applicable);
- Address of the place of business, telephone number, facsimile number (if applicable) and email address;
- Name of the administrators or owners;
- Name of beneficial owners (if applicable);
- Point of contact within the organization;
- Business website address;
- Types of payment services providedΩ and types of payment functions performedΩ;
- Volume and values of transactions processed in Canada in the last year, or, for a new entity, an estimate for the coming year;
- Volume and values of transactions processed globally in the last year, or, for a new entity, an estimate for the coming year;
- If the PSP is not a deposit-taking financial institution, the average amount of consumer funds held by the PSP in the last completed month*;
- Information on the trust account in which consumers’ funds are held (financial institution, account number), if applicable;
- PSP’s assets’ value*;
- Name of other regulators (domestic and foreign) supervising the applicant and the statutes under which these regulators supervise the applicant (if any); and
- Registration number with FINTRAC (if applicable).
| Compliance tool | Description |
|---|---|
| Assist PSPs in complying with the requirements | |
| 1. Issuance of guidelines | Issuance of guidelines explaining in plain language the requirements PSPs are subject to; the regulator’s interpretation of them; and its expectations. |
| 2. Outreach to industry | Organization of outreach activities to inform the retail payments industry of their obligations under the framework. |
| 3. Toll-free line and generic email address | Activate a toll-free phone line and a generic email address to enable PSPs to reach a compliance officer when they need help with their obligations under the framework. |
| 4. Record-keeping | Require PSPs to keep certain prescribed records that would demonstrate their compliance with the framework (e.g. a copy of their dispute resolution procedures, reports on the testing of their systems). These records would be accessible for compliance officers of the retail payments regulator to examine. |
| 5. Annual filings | Require PSPs to file, on an annual basis or whenever there is a significant change in their business activities, prescribed information with the regulator (e.g. number of complaints filed by service users, volume of transactions). |
| 6. Information demands* | Provide the regulator the ability to serve notice to require that the PSP provide specific information or documents related to their obligations under the oversight framework or to determine whether the PSP performs a regulated function. |
| 7. On-site examinations | Provide the regulator the ability to enter the premises of PSPs to conduct compliance assessments, or to mandate an external auditor to conduct those on-site assessments on its behalf. The regulator or auditor would also have the authority to access, copy or print any document/information necessary to a compliance assessment. |
| 8. Ability to sign Memoranda of Understanding | Provide the regulator the authority to sign memoranda of understanding (MoUs) with other domestic or foreign regulators for the purpose of consulting, sharing compliance-related information and coordinating their actions. |
| 9. Compliance agreements* | Signature of agreements with PSPs in which the latter agrees to make corrective measures to become compliant. |
| 10. Compliance orders* | Issuance of orders to non-compliant PSPs to change their business practices so they can meet their obligations under the oversight framework. The regulator could seek the assistance of the courts to enforce the order. |
| 11. Notices of violation and administrative monetary penalties* | Establish monetary penalties for violations under the framework. The amount of the penalties would reflect the harm caused by the violation (e.g. the impact on consumers, the number of consumers affected by it, the impact on confidence in the retail payments sector) and the size of the regulated PSP. Before levying a penalty, the regulator would first issue a notice of violation, which could be challenged by the PSP. |
| 12. Naming of non-compliant PSPs | Publication of the names of PSPs that are found to be in non-compliance with the requirements of the framework. The public notice would also provide information on the nature of the violation and the penalty imposed on the PSP, if applicable. |

* Would not be used in the context of a voluntary vehicle.
1 Accenture, Fintech and the evolving landscape: landing points for the industry, 2016.
2 McKinsey & Company, Cutting through the noise around financial technology, February 2016.
3 Canadian Payment Methods and Trends: 2016, Payments Canada Discussion Paper No.7, November 2016.
4 Mobile Payments; Costs of Losing Out, BMO Capital Markets, October 2015.
6 More details on proposed disclosures are provided in Annex A.
7 In contrast, the European Union’s second Payment Service Directive (PSD II) requires that PSPs be authorized (i.e. licensed) by their home Member State in order to operate elsewhere in the European Economic Area.
8 Except those entities that only support the delivery of payment functions as a supplier for another PSP. The PSP outsourcing its activities would be required to ensure that outsourced operations meet the same requirements as if they were provided internally.
9 One-off transactions where there is no ongoing relationship between the user and the PSP and the payment service relates only to a single transaction by the user.
10 Registered PSPs would have the obligation to inform the registrar of changes to the information provided at registration, except for elements marked with an asterisk (*), within a specified timeframe. Changes to elements marked with an omega (Ω) would have to be reported to the regulator before they become effective.