As we highlighted in our Quarterly Fintech Update in 2023, a significant development in the Canadian retail payments industry is forthcoming within this year—namely, the implementation of a new regulatory framework under the Retail Payment Activities Act (RPAA) that will impact all retail payment service providers (PSPs) operating in Canada."
In November, 2023, the RPAA was set in motion with the publication of the final Retail Payments Activities Regulations (Regulations).
More recently, the Bank of Canada (the Bank) released draft supervisory guidelines to help PSPs understand their obligations on the standards and practices in the following draft documents (copies of which can be found here), of which drafts are open for public comment until May 21, 2024:
The Bank will be responsible for supervising PSPs with the aim of building public confidence in the safety and reliability of PSPs services while protecting end users from specific risks. Individuals and entities that offer certain payment functions may be subject to RPAA and the Regulations, thereby necessitating the need to register with the Bank. This proactive approach aims to mitigate operational risks and safeguard the funds of end-users.
A guideline released by the Bank (the Guideline) is intended to help individuals and entities determine if they are subject to the RPAA and if they should register with the Bank.
This blog post will be the first in a series of subsequent posts that follow the development of RPAA, its regulations and any further guidance from the Bank. The following is a summary of the Guideline’s Four-Step Test used to assess whether a business provider is a PSP that is subject to the RPAA and its regulations. Upon such determination, the second half of the blog post outlines the requirements that need to be met by such PSPs.
To determine if registration is necessary, consider the four-step application test outlined by the Bank. If you are an entity not excluded from the RPAA, is performing one or more of the five specified payment functions related to electronic funds transfers (EFTs), with a place of business or providing services in Canada, registration is required. Even foreign PSPs, which are subject to the RPAA, regardless of their incorporation status or registration with FINTRAC, must register with the Bank.
If based on the above test, you arrived at the conclusion that you are a PSP, the Regulations will almost certainly have some impact on your business practice by introducing certain operational and regulatory compliance requirements.
The requirement for PSPs to register with the Bank is fundamental to the Bank’s exercise of this supervisory and regulatory role. The RPAA includes a transition period for PSPs to apply for registration and for the Bank to review the applications. The transition period will begin on November 1, 2024, and continues to September 7, 2025. Applications for registration under the RPAA must be made between November 1, 2024 and November 15, 2024. PSPs currently providing retail payment services can continue to provide services during the transition period, but only if they have submitted an application during that 15-day application window.
Individuals or entities who wish to start operating as a PSP after the 15-day application window but have not applied within that time will still be able to apply to register with the Bank but will be subject to potential delays in commencing their retail payment activities as registration application must be submitted at least 60 days before commencement of retail payment activities. Entities that operate as a PSP during this transition period without submitting their registration application will be in contravention of Section 104 of the RPAA and may be subject to a notice of violation and / or monetary penalty.
In order for the Bank to have regulatory oversight, PSPs will be required to report to the Bank through several channels. These include filing an annual report and filing an incident / significant change reports if applicable. The RPAA also gives the Bank authority to request information from a PSP pertaining to its compliance with the risk management regime; upon receipt of such information request, the PSPs will have a 15-day window to respond unless it has reasons to believe the information requested will have significant adverse impact on end users or other PSPs.
On September 8, 2025, the requirement for the Bank to register PSPs and publish a registry of PSPs will be in force, as well as the remaining sections of the RPAA and the Regulations concerning operational risk and end-user fund safeguarding. The Regulations require a PSP to establish objectives in relation to its Risk Management Framework. Specifically, the PSP should seek to preserve the integrity, confidentiality and the availability of its retail payment activities and of the systems, data or information involved in the provision of those activities.
To achieve these objectives, PSPs have to identify in their operational risks in the annual reports, protect its retail payment activities from those risks, detect incidents and control breakdowns and respond to and recover from incidents. The Regulations require PSPs to:
This requirement aims to protect consumer and business funds when the PSP goes insolvent and to ensure end users have reliable and timely access to their funds. The RPAA requires PSPs to hold funds in a trust or in a segregated account with insurance or a guarantee and to develop a written Fund Safeguarding Framework describing the PSP’s systems, policies, processes, procedures, controls and other means to meet the objectives of protecting end user finds.
The Act also provides the Minister of Finance with the authority to address risks related to national security that could be posed by PSPs. This includes the ability to refuse PSPs’ applications, revoke registrations, order undertakings or conditions, as well as issue national security orders for a PSP to take or refrain from any action.
The Act provides the Bank with powers to address non-compliance with the Act or violations of the Act. These powers include:
Where a PSP enters into a compliance agreement with the Bank after receiving an NOV and fails to meet the terms of that agreement, the Bank would issue a Notice of Default to the PSP. PSP issued the Notice of Default would need to pay an additional penalty. Section 48 of the Regulations established penalty ranges for “Serious” or “Very Serious” violations, ranging from $1 million per each Serious violation, up to $10 million per each Very Serious violation.
The upcoming regulatory landscape, especially the stringent framework proposed by the RPAA and the Regulations, may raise concerns for the sustainability of small PSPs. It is crucial to use the period between now and November of this year to assess whether the RPAA applies to you and to proactively prepare to meet these regulatory requirements to ensure smooth transition when the Regulations come into force. The Bennett Jones Financial Services group can support clients navigating this complex framework.
To discuss how our Financial Services team can assist you, please contact one of the authors.