Introduction
Good morning, and thank you for inviting me to attend this year’s Canadian Innovation Exchange Summit. This is an exciting event for entrepreneurs, investors and service providers who are on the cutting edge of technology innovation in Canada.
Today I want to talk about how the Bank of Canada’s evolving role in payments is keeping up with fast-paced advancements in how everyone pays for goods and services.
Exchanging payment for these goods and services—like so much else in society—is moving more and more toward the digital universe. Consumers’ use of cash at the point of sale decreased to about 22% in 2021—down from 54% in 2009.1 The COVID-19 pandemic has also led to greater use of debit and credit cards. About 85% of merchants now accept these electronic forms of payments, up from 60% in 2018.2
Mo’ money, mo’ problems
All that to say the payments ecosystem in Canada is evolving rapidly, with a sharp uptick in the use of mobile and digital payments. The fintech industry—which includes a large number of payment service providers (PSPs)—has facilitated this evolution. And this industry is growing quickly—both in terms of the number of companies involved and the amount of capital invested.
As the Notorious B.I.G. so aptly said: it’s like the more money we come across, the more problems we see. There are new ways to pay and an abundance of new players in payments. When money changes hands electronically in these new and different ways, we all need to make sure that consumers and the payments ecosystem are protected.
So, where does the Bank of Canada fit into all of this? Well, Canadians place their trust in these PSPs every day when they tap their card to make a purchase, send money electronically to friends or family, or click the check-out button with their favourite merchant online. And under the Retail Payment Activities Act, which was passed last summer, the government has mandated the Bank to supervise these PSPs.
This legislation will safeguard the trust that Canadians place in PSPs. The Act establishes a new supervisory framework to ensure that PSPs are managing certain risks that could affect their users. The impetus behind all of this is to build confidence in the safety and reliability of payment services.
Let’s dig a bit deeper into what this means when the rubber hits the road.
Who this will affect
Before we get to the how and when, let’s talk about the who. I’m sure there are fintech companies in the room today that may be wondering if the new framework will apply to them.
Simply put, if you’re in the business of helping people and companies make day-to-day payments, or store or transfer their money through electronic means, then your organization could very well be deemed a PSP that will fall under this new framework. This includes payment processers, digital wallets, money transferers and others3.
Banks and credit unions are already subject to a high degree of supervision at the federal and provincial levels, so they fall outside the scope of the Act. But we currently estimate there are over 2,500 entities that will come under our regulatory supervision. This includes well-established domestic and global entities that are household names when it comes to payments. It also includes a whole suite of newly established fintech companies.
Domestic and foreign PSPs will be required to register with us. And we will maintain a public list of all PSPs that have signed up as well as a list of those whose registration has been refused or revoked. This is all to help us better monitor PSPs’ ongoing compliance with the Act.
Our guiding principles
This framework will apply to many entities, but we’re not going to use a blanket supervisory approach to the task at hand. We will establish a common baseline of supervision for all PSPs, but we recognize that companies will have different business structures and operational processes.
That’s why we will take a risk-based approach that will focus on end-user impacts and the efficiency of payment services. Essentially, this means that both the level of supervisory attention and the supervisory actions we take will be guided by the level of risk each PSP brings to consumers and the payments ecosystem.
As a result, there is no “one size fits all” methodology. Moreover, PSPs can meet our expectations using many approaches. Our job is to make the objective very clear. And then PSPs can focus on reaching the destination, not necessarily following a prescriptive journey to get there.
Of course, with this flexible risk-based approach comes a need to ensure industry participants truly understand their obligations. We will clearly lay out the requirements and expectations so that PSPs can adapt.
The Act and forthcoming regulations will establish the mechanics of the new framework. But to truly make sure that industry players understand what’s expected of them, we will supplement these documents with supervisory guidance.
It’s important that we promote understanding and compliance within the PSP community to make sure this Act does what it was designed to do. Equally important is everyone’s understanding of the consequences of non-compliance.
Under the Act, we have the power to take action if a PSP does not comply with the Act or its regulations. This starts with a compliance agreement that lays out the terms by which the PSP must rectify its operations.
The next level of enforcement is a notice of violation. When we issue a notice of violation, we will publish on our website the company’s name and the nature of its violations. The notice may also include a monetary penalty, which will be made public and could be as high as $10 million for a very serious violation.
Finally, the Governor has the power to issue a compliance order if a PSP is committing—or is about to commit—an act that would have a significant adverse impact on consumers and other end users. Furthermore, if a situation of non-compliance becomes severe, we can pursue court enforcement, requiring the service provider to comply with the Act or an order.
Now, I’ve talked about the new powers and responsibilities the legislation provides us. I think it’s also important to be clear about some areas that remain outside our purview.
We will not be supervising all aspects of risk. For example, we will require PSPs to ensure that end users’ funds can and will be returned to them if a PSP becomes insolvent. Our supervision will not, however, prevent a PSP’s failure or insolvency from happening in the first place.
As well, customer complaints regarding fees charged by PSPs or other issues related to the fair treatment of customers are beyond the scope of our supervision.
I want to be clear that our approach to supervision will change and evolve. We need to be forward-looking to assess emerging risks and practices in retail payment activities—and to keep up with the spirit of innovation that is driving changes in how Canadians pay for goods and services.
Where to from here
So, what’s next?
Our ongoing engagement with our Retail Payments Advisory Committee continues to guide the path forward. The committee was established in 2020 to provide us with industry expertise.4 The insights we're gaining from the PSPs on this committee are shaping our advice to the Department of Finance Canada regarding the forthcoming regulations.
We’re also engaging with industry groups, individual PSPs and associations that represent them and raising awareness of the framework more broadly. The Bank has also started outreach efforts through trade shows that we know PSPs will attend.
In due course, when the draft regulations are published online, this will open the door to a formal comment process. This will give PSPs the chance to provide feedback about the new requirements.
After the subsequent publication of the final regulations, we’ll begin to publish our supervisory guidance. We will continue to seek feedback; it’s important that we take the time to ensure we’re doing this right, from the outset.
In a similar vein, the Act is expected to come into force in stages. For example, PSPs will be required to register with us before they have to comply with requirements for operational risk management and safeguarding end-user funds.5
With these steps in mind, we expect to require payment service providers to register with the Bank starting in 2024. The initial pilot and subsequent launch of our risk monitoring and compliance work is currently scheduled for 2025.
To meet this schedule, next year we will focus on finalizing the regulations and publishing our regulatory guidance.
I’d like to stress that these are our current assumptions. Ultimately, the federal government will decide how and when each provision of the Act will come into force.
Conclusion
I’m going to wrap up now, so we have time for questions.
Before I open up the floor, I want to reinforce to everyone here that our goal in all of this is to support the innovation we see in the payments ecosystem while ensuring PSPs are managing their operational risks and ensuring their consumers’ funds are protected.
By ensuring these key risks are well managed, we will further build and maintain Canadians’ confidence that mo’ ways of paying do not, in fact, create mo’ problems.
I’d like to thank you for your time and attention today, and I’d be happy to answer any questions you may have.
I would like to thank Harold Gallagher for his help in preparing this speech.
Related information
Speech: The Canadian Innovation Exchange (CIX) Summit 2022
Preparing for Payments Supervision — Executive Director, Ron Morrow speaks at The Canadian Innovation Exchange (CIX) Summit 2022 (11:30 (ET) approx.).