Case scenarios about cloud computing

Publication date: October 2, 2024

The following fictional case scenarios provide more detail about performing the following payment functions: initiation of an electronic funds transfer (EFT) and the authorization of an EFT or the reception, transmission, reception or facilitation of an instruction in relation to an EFT.

The examples provided are not a replacement for the Criteria for registering payment service providers supervisory policy, but rather they are meant to complement the policy. They should be read in conjunction with the policy.

These examples build off each other. We recommend reading them in the order they appear.

Case scenario: Cloud platform operator with no additional services (infrastructure –as –a service)

Company X is a financial services company that offers acquiring services.

Company X’s interface is hosted at Company A, which operates a cloud platform. Company A provides its clients with secure storage space on its servers for a fee and manages the corresponding infrastructure. Company A’s clients include payment service providers (PSPs) and financial institutions offering payment services, such as Company X. Company A neither manages Company X’s operating system, nor does it have access to the information Company X stores on its servers.

Company A does not perform any payment function under the Retail Payment Activities Act (RPAA). Regardless of whether its clients store end-user personal or financial information that is leveraged for retail payment transactions, Company A does not have access to, nor ownership of, that information. Since it does not operate the software that its clients use on its servers, Company A also does not initiate transactions or pass on instructions in relation to a transaction.

As a result, Company A does not meet the definition of a PSP under the RPAA and does not need to register with the Bank of Canada.

Case scenario: Cloud platform with financial analytics tools (software –as –a service)

Company B is a competitor of Company A. Like Company A, Company B also stores data for third-party financial institutions on the cloud platform it operates. However, unlike Company A, Company B offers a turnkey payment solution.

Company B manages the operating system, middleware and applications used on its servers. Company B’s clients integrate their interface with Company B through an application programming interface to offer Company B’s payment initiation service under their own brands.

In this case, Company B performs the following functions: initiation of an EFT and authorization of an EFT or transmission, reception and facilitation of an instruction in relation to an EFT. This is because Company B manages the applications through which the payment instructions are received and channelled. These payment functions are not considered incidental, since Company B provides payment services as a distinct offering from its core infrastructure-as-a-service business. It specifically advertises its payment services and receives revenues from them.

Given the above, Company B meets the definition of a PSP under the RPAA and needs to register with the Bank of Canada, assuming it meets the other registration criteria.

Disclaimer

The case scenarios are illustrative examples reflecting the Bank of Canada’s interpretation of certain requirements set out in the Retail Payment Activities Act (RPAA). All names, facts and descriptions in these scenarios are entirely fictitious and do not reflect any real or actual individuals or entities.

Additionally, they do not represent legal advice and should not be used as a replacement for seeking such advice if an individual or entity is unsure about whether they are required to register with the Bank of Canada as a payment service provider. The nature of the products and services offered by each individual or entity will vary, as will the circumstances around offering these products and services. Therefore, any individual or entity that may be subject to the RPAA should assess their own situation on a case-by-case basis according to their own facts and circumstances. Any entity or individual that may be subject to the RPAA is ultimately responsible for determining whether they are required to register with the Bank.

The examples provided are not a replacement for the Criteria for registering payment service providers supervisory policy, but rather they are meant to complement the policy. They should be read in conjunction with the policy.

On this page
Table of contents