A New Retail Payments Oversight Framework Consultation

Submission to the Department of Finance Canada

October 6, 2017

Financial Institutions Division
Financial Sector Policy Branch
Department of Finance Canada
90 Elgin Street
Ottawa ON K1A 0G5

Dear Sir/Madam:

Re: A New Retail Payments Oversight Framework Consultation

1. The Office of the Privacy Commissioner of Canada (OPC) recognizes that the evolving financial consumer marketplace, coupled with advances in technologies and business models, have created opportunities and challenges for the financial sector. Given these changes, we understand that the Department of Finance Canada is currently seeking comments on a position that articulates the main components of a proposed oversight framework for retail payments.
2. By way of background, the mandate of the Office of the Privacy Commissioner of Canada (OPC) is to oversee compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's private-sector privacy law, along with some aspects of Canada's anti-spam law (CASL). The OPC's mission is to protect and promote privacy rights of individuals. As such, our comments will be limited to those issues that relate to our mandate.
3. In general, we are pleased to see that the existing legislative privacy framework in Canada is recognized in a meaningful way in the proposed oversight framework for retail payment service providers (PSPs). Specifically we support the position that the proposed regulator would “promote awareness of, and compliance with, PIPEDA and similar provincial legislation, including by directing PSPs, at the point of registration, to relevant, existing information published by the Office of the Privacy Commissioner or other provincial regulators regarding compliance with privacy-related obligations.”^{Footnote 1}
4. The OPC also supports the objective of reaching out to emerging stakeholders, including small and medium-sized enterprises (SMEs), to help develop capacity awareness on existing regulatory compliance obligations. This is a shared challenge and goal for our Office. As our Office is currently implementing a SME outreach plan, we would be happy to cooperate and provide support to Finance Canada for promoting PIPEDA compliance to emerging stakeholders and SMEs in the financial ecosystem.

The Appropriateness of the Proposed Perimeter to Mitigate Risks

5. As the consultation paper identifies a proposed functional approach, we would like to note that the core functions related to PSPs (electronic transfers, range of electronic transactions, and issues related to outsourcing) all include dimensions that touch upon the collection, use and disclosure of personal information. To the extent that they do, we again support the Department of Finance Canada’s position that PSPs be reminded of their privacy obligations.
6. While the consultation paper notes that the proposed perimeter of the oversight framework is limited, for the moment, to fiat currency, please note that PIPEDA would still apply to organizations that engage in commercial activity, regardless if the function, transfer, or transaction is underpinned by fiat or a virtual currency.
7. To this extent, the OPC suggests that the proposed perimeter be amended to include a reference that commercial activity based on virtual currencies are covered by Canadian privacy laws and are likewise subject to oversight.
8. As regards the question of financial oversight – whether this involves an expansion of the role of existing bodies or the creation of a new body – it would be important to consider how any new powers/authorities would interact with existing regulators such as the OPC. As there are already a number of existing regulators in the financial sector ecosystem (including the OPC), the introduction of yet another oversight body, could potentially lead to an overabundance of regulators and could possibly create confusion within the marketplace.
9. Given the privacy legislative framework in Canada, a clear delineation of roles would reduce regulatory duplication and burden for business, including SMEs and emerging business models.

Elements for a Complaint Handling Process

10. The OPC notes that sections on Disclosures (5.2.3) and Dispute Resolution (5.2.4) touch upon elements that squarely relate to consent. As a result, the oversight framework should recognize that PIPEDA contains obligations for how to obtain consent and specifies conditions for valid consent. The importance of consent in the digital economy, and key principles that organizations should consider in obtaining valid and meaningful consent, are highlighted in our recent Annual Report to Parliament.^{Footnote 2}
11. As well, the proposed framework for dispute resolution could further reinforce PIPEDA obligations, which include, but are not limited to: i) appointing an individual accountable for privacy within the organization and making their contact information available upon request; and ii) developing information to explain the organization’s policies and procedures.
12. This would be an important addition given the expansion of financial technology (FinTech) companies in Canada and globally. PIPEDA - being technologically neutral, principle-based, and having cross-sectoral application – is designed to address and resolve disputes.
13. For example, the OPC has a recent finding that demonstrates how it was able to collaboratively work with a FinTech company to resolve a matter to the benefit of the organization and the individual.^{Footnote 3}

Promotion of Innovation and Competition

14. The OPC supports the statement in the consultation paper that “Weak protection of personal information by PSPs is a type of market conduct risk that may lead to a series of undesirable consequences for end users, such as financial or reputational harm due to data breaches.”^{Footnote 4}
15. As such, the OPC recommends that the proposed framework explicitly recognize the role of trust in promoting innovation and competition. In particular, privacy protection can play an important role in addressing the integrity of the retail payment system and building consumer trust to participate therein.

Other Considerations: Compliance Tools and Remedies

16. The OPC supports the Department of Finance’s position that the proposed regulator be given “… a combination of compliance tools that would allow for effective intervention with any type of PSP.”^{Footnote 5}
17. We understand that these would include tools to assess compliance – such as information demands and on-site examinations.
18. The OPC supports these measures, as well as complementary practices for proactive enforcement. Our Office has made similar observations in respect of our own ability to proactively assess compliance in our recent work on consent, which is detailed in our latest Annual Report to Parliament.^{Footnote 6} In addition, Commissioner Therrien has previously outlined the rationale and need for stronger enforcement powers to support a well-functioning digital economy.^{Footnote 7}
19. Similar powers under PIPEDA, as those proposed by Finance Canada would contribute to improving financial consumer protection, and would support the Government of Canada’s overall approach to protecting and promoting the Canadian payments system.

Other Considerations: Compliance Tools and Remedies

20. The OPC recognizes the importance of innovation in encouraging economic growth. Meeting obligations related to information and privacy rights is a catalyst for building trust and increasing consumer participation in the digital economy.
21. The emphasis on privacy in the consultation paper, and the recognition of the existing privacy oversight framework in Canada, is a positive step to build trust. Recognition of the integral importance of compliance with the existing privacy legislation framework in Canada is essential, given the role of personal information in today’s digital economy and payments system.
22. We appreciate the Department of Finance undertaking this public consultation and providing the OPC the opportunity to share our views and suggested recommendations. We are happy to follow-up to discuss the comments made in our submission, as well as other related matters.

Yours truly,