A call to action for payment service providers: Recent updates to Canada’s Retail Payment Activities Act & Regulations

The publication of final regulations (the “Regulations”) under the Retail Payment Activities Act (the “RPAA”) on November 22, 2023, signified a major advancement in the creation of the Bank of Canada’s supervisory framework for retail payments and payment service providers (“PSPs”).

The Bank of Canada has issued an update on its plans, including details on the schedule for releasing supervisory guidance for PSPs. This article will provide an overview of the RPAA and delve into fresh insights gained from the Regulations published by the Bank of Canada.

RPAA: Overview

The RPAA establishes a federal retail payment supervisory structure to (i) address the risks to national security posed by PSPs, (ii) protect end user funds, and (iii) foster trust in Canada’s retail payment sector.  The Bank of Canada is mandated by the RPAA and Regulations to supervise PSPs that engage in retail payment activities.

Who should register as a PSP?

Registration with the Bank of Canada is required for individuals or entities that meet each of the four requirements listed below:

1. Under the RPAA, an individual or entity qualifies as a PSP if it undertakes one or more of the following five payment functions;
   1. Managing electronic fund transfer accounts for end users;
   2. Safeguarding end user funds until withdrawal or transfer;
   3. Initiating fund transfers upon end user request;
   4. Authorizing or facilitating electronic fund transfers, including processing instructions; or
   5. Providing clearing or settlement services.
2. Participation in Retail Payment Activities involving payment functions related to electronic funds transfers;
3. Inclusion within the geographical scope of the RPAA, either by having a Canadian presence or serving entities or individuals in Canada; and
4. Absence of exclusions, with exemptions for specific activities and entities specified. The RPAA delineates two types of exclusions.
   1. Exempt activities: Excluded transactions encompass incidental activities, securities-related transactions, and internal transactions.
   2. Exempt entities: Conversely, excluded entities include banks, authorized foreign banks, and provincially-regulated trust companies.

Entities or individuals meeting these conditions must register with the Bank of Canada through a PSP Connect account and pay an application fee. Registration commences November 1, 2024, with a 15-day window for existing PSPs as discussed below.

Amendments to the draft regulations

The Regulations have undergone modifications following the initial February 11, 2023 draft regulations. The Regulations were implemented following input gathered from industry stakeholders during a period of public consultation. A synopsis of the substantive modifications to the Regulations as compared to the initial draft regulations are as follows:

RISK MANAGEMENT AND INCIDENT RESPONSE

PSPs are required to assess risks, assets, and third parties pertinent to their retail payment activities. These modifications were introduced in response to concerns voiced by stakeholders regarding the potential excessive burden imposed by the draft regulations on risk management and incident response protocols.

Given that PSPs are required to contemplate prior incidents within their annual reports, the mandate for PSPs to review risk management frameworks after significant incidents has been eliminated.

Senior officers are now authorized to approve “in-year” material changes and the governing board of a PSP is required to approve the PSP’s framework annually. The directive for PSPs to test their risk management framework every three years has been rescinded. Instead, the Regulations solely necessitate PSPs to establish a testing procedure to evaluate gaps and liabilities in their risk management and incident response framework.

SAFEGUARDING OF FUNDS

PSPs are required to retain funds until the end user withdraws or transfers them and to maintain a written framework for safeguarding funds. The criteria for when a PSP’s safeguarding framework must undergo review have been slightly refined. While an annual review remains mandatory, an additional review of the safeguarding framework is now necessary after the occurrence of any of the following changes:

• Opening or closing of an account containing end-user funds;
• Change in the entity administering any account containing end-user funds;
• Revision to the terms of the account agreement for an account containing end-user funds; or
• Adjustment in insurance or guarantee providers (if employed for safeguarding).

Although the draft regulations mandated a review of the safeguarding framework for specific changes in all scenarios, the Regulations now stipulate a review only when changes “could be expected to have a material impact on how the funds are safeguarded,” granting PSPs more discretion to determine whether a review is warranted. The outcome of each review must be reported to and sanctioned by a senior officer.

If PSPs employ insurance or guarantees in an effort to safeguard end-user funds and ascertain instances where said funds would not be payable to end-users, immediate action must be taken to prevent recurrences. There is however no longer a distinct requirement to report this to the Bank of Canada; rather, it will be integrated into the annual report.

The obligation for an independent evaluation of the safeguarding framework has been extended from biennial to triennial intervals. The Regulations introduce a new “very serious” administrative monetary penalty in cases where a PSP fails to maintain end-user funds in compliance with the RPAA.

ANNUAL REPORT

The Regulations underwent adjustments regarding specific reporting obligations, including (i) shortening the historical reporting period upon registration from 2 years to 1 year, (ii) transitioning the requirement for reporting data on end users and other PSPs from monthly to annually, and (iii) eliminating the necessity to report metrics on payment categories.

Under the draft regulations, a PSP was obligated to file a new registration application if it projected that it would process and retain personal and financial data in an undisclosed country. This obligation has been substituted; currently, the Regulations mandate a PSP to furnish a 60-day notice to the Minister of Finance prior to the implementation of such a change. Moreover, the extent of data to be provided has been reduced, and the Regulations have eliminated the necessity for a PSP to disclose which employees within an exempt PSP maintain access to end users’ personal and financial data.

As a result of national security considerations, new restrictions have been imposed by the Regulations on a PSP’s immediate commencement of retail payment activities upon the submission of an application. Throughout the transition period, existing PSPs may maintain retail payment operations if they file an application between November 1-15, 2024. Nevertheless, both existing and new PSPs applying on a date following this date range will encounter a 60-day postponement prior to engaging in retail payment activities. Unregistered PSPs who apply subsequent to the transition period will be prohibited from conducting operations until they receive registration approval.

The Regulations specify that a PSP is required to evaluate the impact of a substantial change or new undertaking on its operational risks and the procedures employed to protect end-users’ funds. This assessment is mandatory both during the implementation process and thereafter.

Looking ahead

On September 8, 2025, the transition period will conclude, and the foregoing supervisory framework with corresponding requirements for risk management and safeguarding of funds, will come into effect.

Throughout the transition period, the Bank of Canada reserves the right to seek additional information from applicants. Applicant data will be disclosed to both the federal Minister of Finance and the Financial Transactions and Reports Analysis Centre of Canada (“FINTRAC”). Rejection of an application’s registration may encompass scenarios such as the applicant not being registered as a money services business with FINTRAC, the provision of inaccurate or misleading information by the applicant, or the Minister of Finance instructing the Bank of Canada to decline the applicant for reasons related to national security concerns.

In anticipation of registration applications, PSPs are encouraged to collect and identify the following: (i) contact details; (ii) organizational structure, proprietorship and critical phases; (iii) functions related to retail payments; (iv) transaction amounts and frequencies; (v) end-user funds and approaches to safeguarding; (vi) relevant federal and provincial regulatory bodies; and (vii) a system pertaining to risk management and responding to incidents.

Our Structured Finance group remains committed to overseeing legislative and regulatory advancements, along with any directives from the Bank of Canada. For more information on the RPAA or its Regulations, please reach out to any member of Miller Thomson’s Structured Finance group.