a hand holding a guitar

Insights

ARTICLE

AMP It Up: Navigating the Bank of Canada’s Enforcement Approach for Payment Service Providers (PSPs)

On June 17, 2024, the Bank of Canada (the Bank) published a much-anticipated set of guidelines to explain its approach to the enforcement of payment service providers (PSPs).

What you need to know:

The new guidelines relate to the use of administrative monetary penalties (AMPs) and other enforcement tools and processes within the authority of the Bank when the new regulatory PSP framework is in play, as we previously summarized here. The purpose of these enforcement tools is not to punish non-compliance, but rather, to promote compliance and encourage behaviour changes among PSPs. The overarching purpose is to maintain and preserve the safety and integrity of the financial system and of the Canadian retail payments sector as a whole.

The guidelines set out how the Bank will exercise its discretion, which may be applied differently according to the circumstances of each violation. Ultimately, enforcement tools (including AMPs) should be selected and applied in a manner that is proportionate to the violation.

Enforcement tools:

The types of violations that may be pursued by the Bank include failing to register, failing to submit mandatory reports and notices, failing to respond to information requests, failing to comply with requirements regarding operational risk and incident response, and failing to comply with requirements regarding safe-guarding end-user funds.

If an investigation shows that the Bank has reasonable grounds to believe an individual or entity committed the violation, the Bank may select a proportionate enforcement tool.

Available enforcement tools include:

  • Warning Letters. These letters identify areas of non-compliance and seek corrective actions.
  • Compliance Agreements. These agreements are collaborative in nature and are agreed to without the issuance of notices of violation or penalties.
  • Notices of Violation. These notices may be issued in conjunction with an AMP or with an AMP and a compliance agreement.
  • Compliance Orders. If a PSP is committing or about to commit an act that could have a significant adverse impact, the Bank may direct the PSP to cease or refrain from committing the act and perform any acts necessary to remedy the situation.
  • Court Enforcements. These enforcements could be pursued to require a PSP to cease contravention of the regulations, comply with the regulations, or to recover debts owed to the Crown or the Bank.
  • Revocations of Registration Status. The Bank will be publishing their policy on refusal and revocation of registration ahead of the registration period beginning November 1, 2024.

Administrative monetary penalties:

How do AMPs work?

If the Bank has reasonable grounds to believe a PSP is violating the Retail Payment Activities Act (RPAA) and/or the Retail Payment Activities Regulations (RPAR), the Bank may issue a Notice of Violation (NOV) to facilitate and encourage compliance. A NOV may be issued with or without a proposed AMP. Per the RPAA, the Bank must issue the NOV in conjunction with an AMP within two years of the Bank becoming aware of the alleged violation. When issuing a NOV with an AMP, the Bank may offer a compliance agreement to the PSP which, if accepted, reduces the AMP amount by half.

How does the Bank determine the amount of the AMP?

The guidelines provide that the Bank should proceed through the following steps when determining the AMP amount:

1. Verify that there is a designated violation of the RPAR

If the Bank decides to open an investigation into an alleged violation, the Bank will determine whether there are reasonable grounds to believe the PSP committed such violation, and whether an enforcement tool should be used.

2. Classify the designated violation

Designated violations are classified as serious or very serious. Two or more serious violations can be reclassified as a single very serious violation.

3. Apply the appropriate AMP range for the specific classification of violation

For a serious violation, the AMP ranges from $0 to a maximum of $1 million per violation. For a very serious violation, the AMP ranges from $0 to a maximum of $10 million per violation. Violations of the reporting and notification requirements are typically not classified as serious or very serious. Instead, the AMPs range from $500 per day for each day the violation continues up to 30 days, and $15,000 to $1,000,000 if the violation continues for more than 30 days.

4. Take into account, the harm, violation history and intent or negligence in the given situation

When analyzing harm, the Bank will consider both the potential harm that could have been caused and the actual harm done by the violation. Actual or potential harm will carry 60 per cent of the weight of the penalty when determining the total amount of the AMP. When determining an AMP amount for harm, the Bank will examine the relative proportion of retail payments supervised by the Bank that could be affected by the violation. The Bank will also consider the degree of risk the harm could lead to and/or the extent of losses that were caused.

When considering a PSP’s violation history, the bank will determine whether the entity has committed a prior violation under the RPAA and/or RPAR, in the five years immediately preceding the violation. A violation that has been appealed and ultimately ruled as “not committed” will not be included in a PSP’s violation history. Violation history will carry 20 per cent of the weight of the penalty when determining the total amount of the AMP. To establish an amount for violation history, the Bank will analyze the number and nature of past violations. As well, the Bank will examine the degree of similarity between past and current violations and the amount of time elapsed between the violations.

Intent or negligence will carry 20 per cent of the weight of the penalty when determining the total amount of the AMP. The Bank will consider the behaviour and actions that have caused the violation to occur and continue. A subjective assessment will be completed to analyze whether the PSP was aware or wilfully blind to the violation. Additionally, an objective assessment will be completed to determine whether the PSP is falling below industry standards and/or employing insufficient oversight.

How are AMPs paid and what happens if you do not pay?

If the PSP does not challenge the NOV, the AMP must be paid within 30 days of issuance unless otherwise specified. By paying the AMP, the PSP is deemed to have committed the violation.

If the PSP does not pay the AMP or challenge the NOV, they are still deemed to have committed the violation and are required to pay. If the registered PSP has not paid within 30 days and does not have a place of business in Canada, their PSP registration will be revoked.

Compliance orders

As discussed above, the Bank may issue a Compliance Order if a PSP is committing or about to commit an act that could have a significant adverse impact.

Potential adverse impacts could include:

  • loss of end-user funds (stolen funds, transaction processing errors, incorrect routing);
  • breach of confidential information (cyber or other information security incidents);
  • outage of retail payment activity (system failure); and
  • compromised integrity of a PSP retail payment activity (misdirection of funds).

To determine the significance of a potential adverse impact, the Bank may consider the following:

  • extent of the potential impact (number of affected users, total amount of funds lost, scale of service interruption);
  • duration of the potential impact;
  • irreversibility of potential impact (unrecoverable lost end-user funds, lasting data integrity issues); and;
  • other relevant factors depending on circumstances.

When selecting enforcement tools, the Bank will consider the various facts and circumstances of each case, including:

  • The impact of the violation. This includes potential and actual harm caused.
  • The general compliance history of the PSP.
  • The circumstances of the violation. This could include the degree of cooperation, the presence of intent or negligence, and any efforts to address non-compliance.

Governor’s review:

There are four types of decisions that may be challenged through a Governor’s review:

  • notice of refusal to register;
  • notice of intent to revoke registration;
  • notice of violation, including any AMP; and
  • notice of default.

The purpose of this review is to provide affected parties an opportunity to have a decision reviewed by an independent and impartial decision-maker. The Bank maintains an internal separation between adjudicative functions and supervisory activities to ensure independence and impartiality.

The outcome of the Governor’s review may be appealed to the Federal Court within 30 days.

Issuing public notice of decisions:

If a Bank refuses or revokes a PSP’s registration, it will provide notice to the affected PSP directly. If the violation in a NOV is confirmed, either because it is not challenged or the challenge is unsuccessful in a Governor’s review, the Bank will publish the name of the PSP in a list of refusals and revocations on its website, along with reasons for such refusal or revocation.

The published information will include:

  • the name of the PSP;
  • the nature of the violation;
  • the amount of the AMP, if any;
  • a brief description of reasons for the notice of violation; and
  • a brief description of the compliance agreement related to the notice of violation, if applicable.

Roles and responsibilities of the Executive Director and the Managing Director:

To ensure adequate independence and impartiality in the process, the Bank has an Executive Director and a Managing Director. The Executive Director acts as an independent reviewer of decisions issued by staff who report to the Managing Director. As such, the Managing Director will maintain independence from the Executive Director when conducting any supervisory activities that could lead to a Governor’s review.

Next steps

For proactive strategies and tailored advice on managing compliance challenges for PSPs, from registration to enforcement, please reach out to the authors or key contacts listed below or any lawyer from BLG’s Financial Services Regulatory Group.

The authors would like to thank summer law students, Arielle Amacker and Sammi Cloth, for their efforts and contribution to this article

Key Contacts