Finance Committee on June 1st, 2021

Thank you, Mr. Chair. I will.

I certainly appreciate the enthusiasm and interest in terms of the retail payment activities act. I'm Erin O'Brien, director general of financial services at the Department of Finance. I'm joined by my colleagues, Richard Bilodeau, director general of the financial institutions division; Julie Trepanier, senior director of payments policy; and Manuel Dussault, senior director of framework policy, all within the financial sector policy branch at the department.

As has been noted, clause 178 would enact the retail payment activities act. The proposed act implements a new retail payments oversight framework that would promote growth, innovation and competition in digital payment services while ensuring that these services are provided on a safer and more secure basis for consumers and businesses.

As was noted, the retail payment sector enables millions of Canadians to send and receive money on a daily basis and plays a fundamental role in terms of supporting economic activity.

The proposed act would apply to payment service providers such as card networks, payments processors, money remitters and, as was mentioned, digital wallets. The act would require that these payment service providers safeguard end-user funds against losses and mitigate risks associated with operational failure that could disrupt their service.

The Bank of Canada would regulate payment service providers' compliance with the framework and maintain a registry of regulated payment service providers. The proposed legislation also includes national security safeguards that are modelled on the framework that applies to federally regulated financial institutions. These would enable the government to identify and respond to national security-related risks.

The proposed framework also recognizes that the federal, and provincial and territorial governments have complementary objectives and powers in this area. In particular, I would highlight two key elements.

One, the act and the framework do not apply to either federally or provincially regulated financial institutions, as these institutions are already supervised under a prudential framework. As well, the act includes a recognition mechanism whereby if a province or territory decides to develop comparable measures, the Bank of Canada could exempt a payment service provider from elements of this framework.

In conclusion, while the proposed legislation sets out the main elements of the framework, regulations and guidance will be required before it can be brought into force.

That provides a high-level summary of the key elements of the framework described in clause 178.

Currently what is outlined in the act provides for two primary protections. One, as I've mentioned, is the safeguarding of consumer funds. In essence, what the act requires is that payment service providers cannot commingle their corporate operating funds with funds that clients hold on account. In that way, it will provide broadly greater protections for users of the system.

The second requirement will be in terms of managing operational risk, for instance, ensuring that payment service providers structure their offerings in such a way that there's reliance against cybersecurity risks and whatnot, so they are operating their systems in a safe way. This way, the act will make the provision of retail payment services safer for consumers and for business users.

It does not include requirements around market conduct, such as liability and disclosure and those types of consumer protections. That is envisioned as a future element of the framework. Given the complementary jurisdiction between the federal government and provincial and territorial governments, the intention is that we would collaborate in terms of the development of what those protections will be.

The nature of those protections is unclear at the moment. For instance, would they be regulations or would we use some other tool? Those elements are all to be determined and, as I said, would be done in close collaboration with not only provinces and territories, but stakeholders more broadly.

I might ask Julie just to correct me if I'm wrong, but to my knowledge, there is no requirement in the act that touches on consumer liability or providing any kind of final guarantee. As I said, that would be in an element of market conduct, and that is envisioned to come as an element of future work.

As Ms. O'Brien said, these measures aren't included in the act.

That said, the act includes requirements to reduce operational risks, which should lower the risks associated with these types of transactions, as Ms. O'Brien also noted.

In terms of the protection of information and data, the general legal framework in Canada that provides protections for the privacy of data, PIPEDA, would continue to apply in this respect. There's nothing in the RPAA that would diminish those protections.

With regard to the coverage of cryptocurrencies, the RPAA would provide the government with authority to include coverage of cryptocurrencies or virtual currencies to the extent that they are used to make retail payments. To date, virtual currencies are not readily available in the retail payments marketplace. If and when they are, this act would give us the authority and scope to include them, as required.

Thank you so much. Maybe I'll just address your comment on cryptocurrencies. We agree. That is why this legislation is so important. Without this legislation we would have no ability to capture cryptocurrencies in the retail payments space. It's a significant gap in our regulatory framework. I just wanted to make that point clear.

With respect to your comment on national security, I would turn to my colleague, Richard Bilodeau, to step in.

Richard, are you available?

Any permanent payment service provider that wants to offer payment services in Canada would be required, under the RPAA, to register with the Bank of Canada, whether that payment service provider is a domestic company or a foreign company looking to offer those services in Canada. As part of the registration process, information related to that would be provided to the Department of Finance and to our various intelligence and security partners so that we can evaluate whether or not there's a need for us to conduct a national security review and assess if there are any national security risks related to that payment service provider or anybody associated with it.

As part of that process, if the minister were to decide that a payment service provider represented a national security risk, we would have the possibility at that point either to deny registration of that payment service provider, or to impose conditions on the payment service provider as part of its registration in Canada. There are a number of powers within the legislation that afford the minister the ability to address those conditions and make sure they're abided by.

With respect to this, the Bank of Canada has broad powers and authorities in terms of economic activity in the country. In particular, the bank currently has responsibility for oversight of both prominent and systemic payment systems in the country. Those systemic payments systems, for instance, are those owned and operated by Payments Canada, the large value transfer system. Given its expertise in terms of payment systems in general, including operational oversight, we think it's appropriate for it to take on this role with respect to oversight of retail payment systems.

Now, obviously the risk that a retail payment service provider presents is going to be very different from the nature of risk that a systemically important system presents, so the bank will be—and has already been—engaging with the sector to ensure that it understands the nature of the business and the risks, and that it will provide oversight in a proportionate way.