FCAC summary report of the Payment Card Network Operators’ 2021 review of market conduct practices under the Code of Conduct for the Credit and Debit Card Industry
Information contained in this publication or product may be reproduced, in part or in whole and by any means, for personal or public non-commercial purposes, without charge or further permission, unless otherwise specified. Commercial reproduction and distribution are prohibited except with written permission from the Financial Consumer Agency of Canada.
For more information, contact:
Financial Consumer Agency of Canada
427 Laurier Ave. West
Ottawa, ON K1R 1B9
www.canada.ca/en/financial-consumer-agency
Cat. No.: FC5-81/2023E-PDF
ISBN 978-0-660-47755-8
© His Majesty the King in Right of Canada, as represented by the Minister of Finance Canada, February 2023
Ce document est aussi disponible en français sous le titre : Rapport sommaire de l’ACFC sur l’examen des pratiques commerciales effectué en 2021 par les exploitants de réseaux de cartes de paiements au regard du Code de conduite destiné à l’industrie canadienne des cartes de crédit et de débit.
1. Background
This report presents the key findings of the payment card network operators’ (PCNOs) 2021 review of the market conduct practices of merchant focused agents. It also presents the Financial Consumer Agency of Canada’s (FCAC) observations related to the findings and its expectations regarding market conduct practices.
The market conduct review (MCR) is a requirement of the Code of Conduct for the Credit and Debit Card Industry (the Code).
The Code sets out market conduct obligations (MCOs) for signatory PCNOs and entities providing card payment products and services to Canadian merchants. The Code requires PCNOs to review, no less than every 3 years, the market conduct practices of all merchant focused agents registered by acquirers with the PCNOs. PCNOs must report MCR results to FCAC.
During the 2021 calendar year, the PCNOs reviewed the sufficiency of the Code-related policies and procedures (P&Ps) of 27 entities (acquirers) processing payments for Canadian merchants. The PCNO’s review focused on whether the P&Ps reflected the Code MCOs and did not extend to whether the P&Ps were being used effectively in practice.
Those acquirers reliant on downstream participants (which include merchant focused agents) are required by the PCNOs to ensure downstream participants also have such P&Ps in place. Downstream participants include independent sales organizations, payment terminal providers, payment facilitators and referral agents. Acquirers identified 268 unique downstream participants in the MCR. Acquirers and downstream participants are collectively referred to Code participants.
PCNOs launched the review in March 2021 and presented aggregated results to FCAC in November 2021. FCAC requested additional detailed information and subsequently received specific findings for each acquirer in March 2022.
FCAC notes that the PCNOs completed the 2021 MCR on schedule despite challenging circumstances, including business uncertainties related to the COVID-19 pandemic.
For further background on the payments industry, the Code, the scope of the 2021 MCR and FCAC’s role, see Annex A.
2. Key PCNO findings
2.1 Acquirers have widely adopted P&Ps, but their documenting practices are inconsistent
All 27 acquirers have some form of P&Ps in place, with 21 (78%) rated ‘sufficient’ by their PCNO reviewers. The report cited a number of reasons why the other 6 acquirers’ (22%) P&Ps were rated ‘insufficient’, including:
- no written documentation submitted to PCNOs in order to validate P&P sufficiency
- P&Ps lacked detail regarding standard operating procedures
- reliance on enterprise-wide compliance management frameworks rather than P&Ps specific to key Code processes and accountabilities, and
- inadequate oversight frameworks for downstream participants.
The depth and design of acquirer P&Ps varies greatly; many acquirers do not have a stand-alone set of Code-related P&Ps that could adequately support Code compliance.
PCNOs noted that the documentation of acquirer P&Ps varied considerably, often with the size and history of the acquirer. The PCNOs found that P&Ps are most sufficient when housed in a centralized document or location and accessible to staff. PCNOs noted that some acquirers have committed to creating stand-alone, Code-specific P&Ps.
Five acquirers refused to provide the reviewing PCNOs with a full written version of their P&Ps. The PCNOs pursued other means to assess these acquirers’ P&Ps, including virtual presentations outlining select portions of the P&Ps. Another acquirer’s materials were so limited in detail that the reviewing PCNO was unable to conduct a full evaluation.
Table 1 summarizes the documentation for acquirer P&Ps.
| Code processes/accountabilities reflected in P&Ps | |
|---|---|
| Have both policies and procedures in place | 85% |
| Have policies only | 4% |
| Have procedures only | 11% |
2.2 Acquirers are heavily dependent on downstream participants to fulfill market conduct obligations; many do not proactively monitor downstream controls
Most acquirers (15, or 56%) rely on downstream participants to provide merchant services, including onboarding, payment facilitation and payment processing. Acquirers identified 268 unique downstream participants in the MCR. Only 9 of those 15 acquirers (60%) performed due diligence on downstream participants’ P&Ps. Four of the 6 acquirers that did not perform due diligence on their downstream participants had their P&Ps rated ‘insufficient’ by their reviewing PCNOs.
Figure 1 illustrates the downstream participant relationships of the 27 acquirers.
Figure 1. Acquirer relationships with downstream participants
Text version: Figure 1
| Acquirer relationships | |
|---|---|
| Acquirers with no downstream participants | 12 |
| Acquirers with downstream participants | |
Due diligence on downstream participants' P&Ps |
9 |
No due diligence on downstream participants' P&Ps |
6 |
| Total acquirers with downstream participants | 15 |
2.3 Review cycle of acquirer P&Ps is inconsistent
Most acquirers have processes in place for reviewing their P&Ps on an annual, semi-annual or other regular basis (74%). The remainder (26%) do not have a consistent time cycle for P&P review and have no formal process for doing so when amendments are made to their market conduct obligations.
2.4 Important Code processes and accountabilities are inconsistently implemented within acquirer P&Ps
The PCNOs’ review assessed whether acquirer P&Ps reflected 8 important Code processes and accountabilities. A slight majority (52%) of acquirers accounted for all 8 key Code processes and accountabilities. Figure 2 illustrates how the 27 acquirers have implemented the 8 processes and accountabilities.
Figure 2. Acquirer implementation of 8 key processes and accountabilities
Text version: Figure 2
| Code processes/accountabilities reflected in P&Ps | |
|---|---|
| Fully implemented | 52% |
| 4 or more missing | 7% |
| 3 missing | 11% |
| 2 missing | 11% |
| 1 missing | 19% |
Table 2 provides a breakdown of how widely the 27 acquirer P&Ps implemented each of the 8 processes and accountabilities.
| Complaint handling | 93% |
|---|---|
| Roles and responsibilities | 89% |
| Reporting obligations | 89% |
| Pricing notifications and changes | 89% |
| Compliance investigations | 81% |
| Monitoring and controls | 78% |
| Employee and/or downstream participant training | 78% |
| Risk assessment | 74% |
2.5 Requirement for clear, simple and non-misleading disclosure is not widely embedded within industry P&Ps
The PCNOs found that only 52% of acquirer P&Ps speak directly to the Code requirement for disclosure to be presented in a clear, simple and non-misleading manner. This requirement applies to initial disclosure provided within merchant payment-processing agreements (such as processing rates and monthly fees) and to ongoing disclosures (90-day notices of new fees or pricing increases).
2.6 Reporting obligations are inadequately embedded within acquirer P&Ps
Acquirers have several reporting obligations under the Code and associated FCAC guidance, including:
- providing aggregate Code complaint data to PCNOs every 6 months
- submitting reportable compliance issues to PCNOs, and
- submitting an annual attestation of compliance to PCNOs.
Table 3 provides a breakdown of the PCNOs’ findings as to how specific aspects of Code reporting are embedded in the 27 acquirers’ P&Ps.
| Individual and/or functional area responsible for reporting obligations | 78% |
|---|---|
| Reporting/resolving reportable compliance issues | 70% |
| Submission of attestation of compliance | 59% |
| Aggregate reporting requirements | 59% |
| Deadlines | 56% |
2.7 Acquirers generally meet minimum requirements for fee- and rate-change notifications to merchants, but notifications often lack detail
The PCNOs found that most acquirers have P&Ps for ensuring merchants receive the minimum notice required (90 calendar days) under the Code for new fees, increased existing fees, or reduced interchange (81%). Most also have processes to ensure merchants can cancel their agreements without penalty within 90 days of receiving notice of a fee change (81%). Almost half of acquirers (48%) had P&Ps that addressed merchant relief from penalties on related contracts with downstream participants, such as payment terminal agreements with third parties.
However, fewer acquirers have processes for ensuring fee-change notifications are detailed enough for merchants to understand the impact of the change (56%). Many acquirers have not identified an individual or functional area responsible for price-change notifications and associated Code obligations (41%).
2.8 Most acquirers have P&Ps in place for Code complaint handling, but gaps exist in assigning complaint-handling responsibility to individuals or teams
The PCNOs found that 93% of acquirer P&Ps include internal processes for addressing merchants’ Code complaints. Fewer (70%) have formally assigned responsibility for complaint handling to an individual and/or functional area.
While most acquirer P&Ps address Code complaint handling, PCNOs identified gaps in the extent of certain complaint-handling functions and processes, including investigation, resolution and escalation. Table 4 provides a full breakdown:
| Individual and/or functional area responsible for complaint-handling obligations | 70% |
|---|---|
| Complaint reporting mechanism/availability | 74% |
| Applicable timelines | 78% |
| Complaint handling process | 93% |
| Investigation process | 74% |
| Resolution process | 74% |
| Escalation process | 78% |
3. FCAC observations and expectations
After reviewing the PCNOs’ MCR findings, FCAC makes the following observations and clarifies its expectations for compliance. FCAC’s expectations support and build upon Code obligations and guidance set out in Compliance Bulletin B-7 (B-7).
3.1 Documentation of acquirer P&Ps should be consistent
FCAC supports the PCNOs’ observation that Code P&Ps are most effective when organized in a dedicated, stand-alone format, rather than subsumed within larger enterprise-wide frameworks or spread across multiple documents.
Consolidating all Code-related P&Ps in a single document and/or location provides an efficient way of actively managing compliance with the Code. P&Ps should be clearly written, and acquirer and downstream participant staff should be able to easily reference Code P&Ps when addressing merchant matters, including onboarding and complaints.
3.2 Information sharing is a requirement
FCAC is concerned that a number of acquirers did not provide PCNOs with full, written Code P&Ps. If PCNOs cannot obtain necessary information from Code participants, they cannot assess compliance or provide the information to FCAC, thereby risking gaps in the PCNOs’ and FCAC’s ability to supervise compliance with the Code.
The Code requires that PCNOs provide FCAC with any information requested regarding actions taken by themselves or Code participants for the purposes of monitoring compliance. Acquirers and downstream participants must therefore provide such information, including Code P&Ps, to PCNOs upon request.
3.3 Important Code processes and accountabilities must be reflected in acquirer P&Ps
FCAC noted that a slight majority of acquirer P&Ps (52%) address the 8 Code processes and accountabilities evaluated by the PCNOs. However, there is substantial room for improvement, particularly with respect to:
- compliance investigations
- monitoring and controls
- employee and/or downstream participant training
- risk assessment
FCAC expects Code P&Ps to address:
- root-cause analysis on repeat or systemic issues and/or complaints as part of the acquirer’s remediation plan and/or efforts
- the requirement to obtain merchants’ express consent for new products and services
- prompt escalation of Code-related matters to relevant internal stakeholders and senior management to ensure issues are addressed
- ongoing training of staff and agents impacted by Code requirements both annually, and as changes are implemented or repeat and systemic issues are identified
3.4 Acquirers must manage the elevated risk of their reliance on downstream participants to fulfill market conduct obligations
Code-compliance risk is elevated when acquirers rely upon downstream participants to fulfill MCOs. PCNOs are responsible for compliance with the Code, but their line of sight is reduced when acquirers task downstream participants with merchant-facing activities.
Many acquirers appear to be significantly challenged in terms of ensuring proactive monitoring of downstream participants through clear P&Ps.
FCAC notes that all 6 acquirers whose P&Ps were rated ‘insufficient’ by the PCNOs maintain relationships with downstream participants.
PCNOs with acquirers delegating market conduct to downstream participants must be satisfied that Code obligations are met, regardless of which entity provides products or services. Acquirers must actively ensure compliance by their downstream participants. In addition to maintaining their own P&Ps, acquirers should communicate to downstream participants the importance of maintaining Code P&Ps as a critical component of a strong and effective compliance and risk management framework.
3.5 P&P review cycle should be at least annual
Review cycles for Code P&Ps are inconsistent across industry. Acquirers should review their P&Ps at least annually, and on an as-needed basis to ensure they respect FCAC expectations and respond to changes such as MCO amendments.
3.6 Clear, simple and non-misleading disclosure requirement must be reflected in acquirer P&Ps
FCAC has significant concern that only 52% of acquirer P&Ps speak to the requirement for all Code-related disclosure to be provided in a manner that is clear, simple and non-misleading. All Code P&Ps should reflect this requirement.
The Code’s clear, simple and non-misleading disclosure requirement applies to both initial and ongoing disclosure.
3.7 Code reporting obligations are inconsistently addressed in acquirer P&Ps
FCAC noted the PCNOs’ finding that many of the 27 acquirers’ P&Ps do not directly address important reporting requirements such as:
- submission of the annual attestation of compliance
- submission of semi-annual aggregate Code complaints reporting
The findings respecting the reporting and resolution of reportable compliance issues also indicate room for improvement in terms of formalizing acquirers’ compliance monitoring and associated controls.
Code P&Ps should formalize responsibilities related to Code reporting obligations, including those related to:
- reportable compliance issues
- submission of B-7 attestations of compliance
- semi-annual aggregate complaints reporting
Acquirers must report to PCNOs issues meeting the definition of reportable compliance issues set out in FCAC’s mandatory reporting guide for PCNOs. Acquirers should have monitoring tools and controls in place addressing Code MCOs.
3.8 Fee- and rate-change notifications need enhanced detail
FCAC observed that acquirer P&Ps were generally well-developed in meeting minimum notice requirements and reflecting the requirement to allow merchants to cancel agreements within required timeframes.
However, PCNOs’ findings suggest many P&Ps did not provide the level of detail required in fee-change notifications and merchant statements. Fee-change notifications must include adequate detail to allow merchants to understand the impact of the fee change.
Code P&Ps should address the assessment of any upcoming pricing changes. This may be achieved by establishing dedicated groups and/or processes to evaluate upcoming changes against Code disclosure requirements. P&Ps related to pricing changes should require that such disclosure clearly describe the nature of pricing changes and facilitate merchant understanding of how changes will impact future costs.
3.9 Merchant right to cancel related service agreements must be documented in acquirer P&Ps
A considerable share of acquirers do not have P&Ps in place to address relief from penalties on related service contracts. Acquirers reliant on downstream participants should establish processes for ensuring merchants can exercise their right to cancel not only their core payment-processing agreement, but any related service agreements, when they receive notice of an upcoming fee change.
The P&Ps of all acquirers maintaining relationships with downstream participants should account for the possibility that merchants may encounter cancellation penalties for related service contracts, such as leased payment terminals when cancelling following a fee-change notification. P&Ps should contain processes for ensuring merchants will not be required to pay those penalties.
3.10 Code-complaint-handling P&Ps lack clear accountability
Many acquirers have not designated an individual and/or functional area responsible for complaint-handling obligations. This presents risk, especially where acquirers delegate Code complaint management to downstream participants. A lack of clear accountability suggests acquirers are not always able to address merchant complaints in a timely manner.
Code P&Ps should establish clear roles and responsibilities for individuals and/or functional areas responsible for Code complaint handling and should detail processes related to complaint investigation, resolution and escalation.
4. Conclusion
The 2021 MCR produced notable findings that have already informed FCAC’s supervisory work with PCNOs. It has provided evidence for FCAC and the PCNOs to identify strengths and weaknesses within acquirer P&Ps, which in turn points to potential issues with respect to the oversight system for the Code.
The review identified some clear gaps in the development and implementation of acquirers’ Code P&Ps. In addition, the MCR demonstrated the elevated risk of non-compliance when acquirers rely on downstream participants to carry out Code MCOs.
Downstream participants often play key roles in merchant onboarding and providing ongoing payment services, and act as merchants’ point of contact for concerns and complaints.
It is therefore vital that PCNOs ensure acquirers and downstream participants demonstrate they are abiding by the Code. The MCR revealed significant inadequacies in acquirer P&Ps. Many acquirers dependent on downstream participants did not demonstrate that adequate processes and accountabilities are in place to account for the market conduct of downstream entities.
Code participants not meeting Code obligations are subject to non-compliance actions by PCNOs, including corrective action plans, fines or suspension from network access.
Well-developed P&Ps are a valuable tool for ensuring Code participants, including acquirers and downstream participants, are able to meet their Code MCOs.
FCAC has shared MCR observations and expectations with the PCNOs. The PCNOs have shared FCAC’s observations and expectations with their acquirers.
FCAC understands that PCNOs and acquirers have launched remedial actions to address deficiencies identified through the MCR process. FCAC will continue to monitor PCNO compliance with the Code.
Annex A
A.1 Canada’s payment card networks
Payment card networks are electronic payment systems used to accept, transmit or process transactions made by payment cards for money, goods or services. They transfer information and funds among card issuers, acquirers, merchants and payment card users.
In operating and managing payment card networks, PCNOs establish standards and procedures for the acceptance, transmission and processing of payment transactions and facilitate the electronic transfer of information and funds. PCNOs operating in Canada include Amex, Interac, Mastercard, Visa, Discover and UnionPay.
PCNOs administer the payments infrastructure of their networks but most PCNOs do not have direct relationships with either merchants or cardholdersFootnote 1 . PCNOs rely on card issuers, including banks and credit unions, to provide consumers with credit and debit cards and to manage the customer relationship.
PCNOs generally rely on acquirers and acquirers’ merchant-focused agents and other downstream participants to onboard merchants and to provide merchants with the physical and digital tools required to accepts credit and debit card payments. These include payment terminals, software and online payment platforms.
Acquirers in Canada include entities directly affiliated with banks, such as Moneris (a joint venture of the Bank of Montreal and Royal Bank of Canada), Chase, TD Merchant Solutions and Bank of America Merchant Solutions as well as independent entities such as Fiserv, Global Payments, Elavon and Nuvei. Non-bank financial technology companies, such as Square and Stripe, which offer merchants the ability to accept payment cards operating over payment card networks, are also considered to be acquirers for Code purposes.
While PCNOs have relationships with multiple acquirers, no single PCNO has a relationship with all 27 acquirers identified through the 2021 MCR. Similarly, most acquirers have relationships with multiple PCNOs, as this allows their merchants to accept a wide range of consumer-held payment cards.
Issuers, acquirers and downstream participants operate independently but are subject to the PCNOs’ network rules, which include the Code.
A.2 The Code of Conduct for the Credit and Debit Card Industry (the Code)
The Code was introduced in 2010 and amended in 2015. The Code’s purpose is to:
- ensure merchants are fully aware of the costs associated with accepting credit and debit card payments, thereby allowing merchants to reasonably forecast their monthly costs related to accepting such payments
- provide merchants with increased pricing flexibility to encourage consumers to choose the lowest-cost payment option
- allow merchants to decide which payment options they will accept
The nature of the payments ecosystem means the majority of PCNOs’ MCOs under the Code are carried out by other Code participants, rather than by the PCNOs themselves. This industry structure is also reflected in the distribution of, and reliance on oversight through multiple parties.
FCAC oversees PCNOs’ compliance with the Code. PCNOs are responsible for the oversight of the compliance of their acquirers and acquirers’ downstream participants.
The PCNO Working Group (PCNOWG) was established in 2013 as a forum for PCNOs to discuss non-competitive Code compliance matters, including the development and implementation of Code compliance oversight.
In 2018, FCAC published compliance bulletin B-7, which required PCNOs to develop measures and tools to monitor acquirer and downstream participant compliance, prevent compliance breaches and to take enforcement action in the event of compliance breaches. To meet B-7 requirements, the PCNOWG developed industry guidelines that include the requirement for acquirers and downstream participants to develop and implement policies and procedures (P&Ps) for complying with the Code. Compliance bulletin B-7 required P&Ps to be in place by January 1, 2021.
The Code requires PCNOs to review, no less than every 3 years, the market conduct practices of all merchant focused agents registered by acquirers with the PCNOs, in the context of the Code. PCNOs must report MCR results to FCAC.
In the 2021 MCR, the PCNOs reviewed the sufficiency of their acquirers’ P&Ps for Code compliance. The PCNO’s review focused on whether the P&Ps reflected the Code MCOs and did not extend to whether the P&Ps were being used effectively in practice. Acquirers reliant on downstream participants to provide merchants with products and services on their behalf were required by the PCNOs to ensure those downstream participants also had P&Ps in place.
The MCR identified 27 acquirers offering payment processing services to Canadian merchants. Acquirers identified 268 unique downstream participants in the MCR.
Page details
- Date modified: