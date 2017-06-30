TORONTO/NEW YORK (Thomson Reuters Regulatory Intelligence) - A recent disciplinary decision issued by the Financial Consumer Agency of Canada (FCAC) against an unnamed payment card network operator concerning incorrect disclosures made by third party payment processors offers little insight into how the regulator will handle similar enforcement actions in the future. The resulting uncertainty poses a challenge for compliance officers in managing third-party risk in compliance with consumer protection regulations.

DECISION #126: KEY POINTS

On May 15, 2017, the FCAC published its first decision regarding non-compliance with the Code of Conduct for the Debit Card and Credit Card Industry(here).

The Code of Conduct is a voluntary guideline that applies to credit and debit card network operators as well as third parties such as card issuers. Participating firms commit to a number of transparency requirements regarding disclosures and communications with merchants. The FCAC oversees the financial industry's compliance with the Code of Conduct, along with other voluntary Codes of Conduct(here).

Decision #126(here) is the first disciplinary action by the FCAC against a firm for non-compliance with the Code of Conduct for the Debit Card and Credit Card Industry. This Code of Conduct was first published in 2010 and has been amended in recent years; changes include increased disclosure obligations(here) relating to the sales and business practices of payment card network operators.

The disciplinary action stems from a notice of non-compliance issued by the FCAC to the unnamed firm in March 2016. The FCAC alleged that the firm had made incorrect disclosures to merchants in monthly statements issued by third-party payment processors. While the firm admitted that the disclosures failed to comply with the guidelines outlined in the Code of Conduct, the firm had adequate internal controls in place and had taken remedial measures to correct the information. As a result, it should not be held accountable for actions of third parties.

The FCAC decided to review the matter and the resulting Decision #126 is meant to outline the scope of the firm's compliance obligations with respect to disclosures issued by third-party payment processors to merchants.

As mentioned, the Code of Conduct applies to credit and debit card networks, as well as third parties. As a part of their commitment to compliance, firms voluntarily agree to implement internal controls to comply with the provisions of the Code of Conduct. Of note, the FCAC then referred to a firm's regulatory obligations under the Section 7 of the Payment Card Networks Act (PCNA) to take reasonable measures to enforce regulatory obligations against third parties. The notable part of this expectation is that Section 7 of the PCNA has not been implemented yet.

Yet, the FCAC referenced Section 7 of the PCNA, in combination with a firm's obligations under the Code of Conduct, and concluded that firms must demonstrate that they have taken reasonable measures to ensure the compliance of third parties with financial consumer regulation and voluntary Codes of Conduct. As for a definition of what constitutions reasonable measures, the FCAC stated that the standard will be determined on a case-by-case basis.

The FCAC refrained from applying sanctions to the unnamed firm, saying that since this is the first disciplinary action involving the Code of Conduct, leeway should be given. The regulator further stated that Decision #126 should not be interpreted as precedent for what may or may not constitute reasonable measures to manage third party compliance with the Code of Conduct or other FCAC rules.

THE FCAC'S SUPERVISION FRAMEWORK

The lack of concrete guidance in Decision #126 is not only puzzling for compliance personnel at payment card network operators, it also seems to be at odds with the FCAC's regulatory goals under its recently published supervision framework.

In April 2017, the FCAC published the final version of its much anticipated Supervision Framework (PDF). The document outlines the FCAC's institutional goals and is meant to be read as a blueprint for how the regulator will supervise firms, enforce financial consumer regulations and sanction non-compliant firms.

The FCAC's regulatory approach rests on 4 guiding principles under the Supervision Framework: transparency, proactivity, proportionality and accountability. These principles, in theory, should be observed by the FCAC in all of its enforcement efforts as well as in its communications with the financial institutions it regulates.

Decision #126 seems to miss the mark on some of the guiding principles outlined in the FCAC's Supervision Framework. With respect to transparency, the FCAC provided details on the nature of the regulatory violation and cited specific rules and regulations that had been breached. However, the FCAC, for undisclosed reasons, withheld the name of the payment card network operator, in contrast to its commitment to supervisory transparency. The regulator's reluctance to provide a firm answer on what the proper scope of a firm's compliance obligations are with respect to disclosures issued by third-party payment processors to merchants adds an additional layer of opacity to this enforcement action.

Proportionality is another guiding principle that Decision #126 arguably falls short on. Under the Supervision Framework, the FCAC has given itself a mandate to undertake enforcement action that is proportionate to the regulatory violation in question. Again, the FCAC's decision not to apply sanctions or provide clarity on the identity of the firm and scale of the regulatory violation hinders its ability to demonstrate that it is administering its supervisory powers in a proportionate manner.

CAUTION ADVISED FOR COMPLIANCE

Despite the FCAC's decision not to set a precedent or offer concrete guidance to firms on third-party liability issues, Decision #126 is still very noteworthy to compliance officers at any firm that serves Canadian financial consumers and is subject to oversight by the FCAC.

While the Code of Conduct is technically considered a voluntary commitment, Decision #126 signifies that the FCAC not only endorses this Code of Conduct, and presumably other Codes of Conduct it oversees, it actively monitors firms' compliance with these voluntary rules. The publication of voluntary rules on the FCAC's website is further indication that the regulator will expect firms to comply with the obligations set out in these rules. Firms that fail to do so could be on the receiving end of a notice of non-compliance, followed by further disciplinary action.

Moreover, the FCAC's decision to reference a provision of the PCNA that has not been implemented yet further adds to regulatory compliance uncertainties. Firms that serve financial consumers should routinely monitor regulatory developments from the FCAC; new regulations, even if they have not yet been officially implemented, should be treated as a compliance obligation.

The lack of concrete guidance from the FCAC on the scope of potential third party liability presents a level of uncertainty for Canadian financial firms. While firms are now aware that they have an obligation to take reasonable measures to ensure that third parties comply with FCAC regulations and Codes of Conduct, the degree of diligence that they must exercise is distinctly unclear.

--Payment Card Networks Act (PCNA):here

--FCAC Supervision Framework:here

