Canada: The Retail Payment Activities Act: The Countdown to Registration Has Begun

Published on Dec 17, 2023

A major milestone for the implementation of the Bank of Canada’s retail payments supervisory regime was met on November 22, 2023, with the publication of final regulations (the “Regulations”) under the Retail Payment Activities Act (RPAA). Also published that day were the coming into force dates for provisions of the RPAA and the Regulations. The Bank of Canada (the “Bank”) has provided an update on its preparations including timing for its release of guidance for payment services providers (PSPs).

PSPs need to prepare for the following key dates:

  • November 1-15, 2024 will be the window for PSPs to submit their applications for registration.
  • September 8, 2025 will mark the end of the transition period and the imposition of the supervisory framework including risk management and safeguarding of funds requirements.

This update will explore the new information learned from the publication of the Regulations and statements by the Bank. The Regulations reflect some significant movement from the draft regulations as highlighted below.

Overview of the RPAA

The RPAA will require an individual or entity to register with the Bank if all four of the following criteria are met:

  • The individual or entity is a PSP. To be considered a PSP under the RPAA, an individual or entity must perform one or more of the five payment functions described in the act, which include:
    • providing or maintaining an account that, in relation to an electronic funds transfer, is held on behalf of one or more end users;
    • holding funds on behalf of an end user until they are withdrawn by the end user or transferred to another individual or entity;
    • initiating an electronic funds transfer at the request of an end user;
    • authorizing an electronic funds transfer or transmitting, receiving or facilitating an instruction in relation to an electronic funds transfer; or
    • providing clearing or settlement services;

  • Perform Retail Payment Activities. Under the RPAA, “retail payment activity” is defined as a payment function performed in relation to an electronic funds transfer that is made in the currency of Canada or another country or using a unit that meets prescribed criteria;

  • Fall Under the Geographical Scope of the RPAA. To fall within the geographical scope of the RPAA, a PSP either needs to have a place of business in Canada, or direct services, and perform services, for entities or individuals in Canada; and

  • No Exclusions Apply. The RPAA sets out two categories of exclusions: exempt activities and exempt entities. Incidental activities, securities related transactions and internal or closed loop transactions are among the list of excluded transactions, while banks, authorized foreign banks and provincially-regulated trust companies are among the list of excluded entities.

Individuals or entities who satisfy the above criteria will need to register with the Bank by creating a PSP Connect account and paying the applicable application fee of $2,500. The registration process will open on November 1, 2024, and existing PSPs will have 15 days to register with the Bank. More information on registration is anticipated to be released in Q1 of 2024 when the Bank expects to release a step-by-step registration guide.

Material Changes from the Draft Regulations

The Regulations have been revised based off the draft regulations, which were released on February 10, 2023. See our May 18, 2021 Update on the then draft legislation and our February 21, 2023 Update on the then draft regulations.

The revisions were made based on feedback received from industry stakeholders during a public consultation period. Below is a summary of the material changes to the Regulations from the draft regulations.

Risk Management and Incident Response

The Regulations clarify that PSPs only need to consider risks, assets and third parties relevant to the performance of retail payment activities. These adjustments were made to address concerns from stakeholders about the undue burden the draft regulations would create in relation to risk management and incident response.

As PSPs are already expected to consider past incidents as part of their annual reviews, the requirement for PSPs to review their risk management frameworks following a material incident was removed.

Senior officers can now approve “in-year” material changes; however, where a PSP has a board, the board must approve the PSP’s framework annually.

The requirement that PSPs test their risk management framework every three years has been removed. The Regulations only require a PSP to establish a testing methodology for assessing the gaps and vulnerabilities in their risk management and incidence response framework, including the scope and frequency of the testing.

Safeguarding of Funds

To ease burdens on PSPs, the Regulations now have a materiality threshold for the requirements surrounding safeguarding of funds. Now, a PSP will be required to review its fund safeguarding framework only after material changes (rather than all changes) to the accounts or the insurance or guarantees a PSP uses to safeguard end-user funds.

The approval of the fund safeguarding framework was also modified to align with the approval process of the Risk Management Framework. Both frameworks now require a senior officer and the board of directors of the PSP to approve them once a year.

The Regulations were amended to require that compliance with the end-user fund safeguarding requirements be independently reviewed every three years, instead of every two years.

Reporting

Provisions concerning the metrics of certain reporting obligations were amended, such as reducing the historical reporting period at registration from 24 months to 12 months, changing the requirement to provide data on the number of end users and number of other PSPs from monthly to annually and eliminating the requirement to provide metrics on payment categories.

The draft regulations required a PSP to submit a new application for registration if it intends to process and store personal and financial information in a undisclosed country. This requirement was replaced, and now the Regulations only require a PSP to provide 60-days’ notice to the Minister before such a change. In addition, the scope of information that needs to be provided was narrowed, removing the requirement that a PSP must report which employees within an exempt PSP have access to end users’ personal and financial information.

Due to national security concerns, new limitations have been placed on a PSP’s ability to carry out retail payment activities immediately upon submitting their application. During the transition period, existing PSPs will be able to continue to carry out retail payment activities provided they submit their application during the November 1-15, 2024 window. However, existing or new PSPs who apply after that 15-day window, will be subjected to a 60-day delay before they can perform retail payment activities. After the transition period, unregistered PSPs who apply will not be allowed to operate until they have been accepted for registration.

The Regulations clarify that a PSP will need to assess the effect of a significant change or new activity on its operational risks and the manner it safeguards end-users’ funds. This assessment is required both during and following the implementation of the change or new activity.

Next Steps and Important Dates

Q1 of 2024: Guidance from the Bank to be released, including a step-by-step guide on how PSPs can register and draft guidance on operational risk requirements, end-user fund safeguarding requirements, significant change reporting and incident reporting.

Q2 of 2024:The pilot program for testing PSP Connect and other process testing to begin.

Q3 of 2024: The Bank to publish its finalized guidance on risk-management requirements, significant change reporting and incident reporting.

November 1, 2024: The requirement for PSPs to submit an application for registration with the Bank will come into force. Operating PSPs will have 15 days to submit their application.

September 8, 2025:End of the transition period. The Bank will begin to publish registration decisions on PSPs who registered in November of 2024. In addition, among other things, the requirements under the RPAA regarding risk management and safeguarding of funds will come into force.

PSPs Need to Prepare for Registration

PSPs should be gathering information in preparation for their registration application:

  • Contact information
  • Business structure, owner, key stages
  • Retail payment functions
  • Values and volumes of transactions
  • End-user funds and means of safeguarding
  • Applicable federal and provincial authorities
  • Risk Management and incident response framework

Looking Forward

Our Financial Services Regulatory Group will continue to monitor legislative and regulatory developments, as well as any guidance from the Bank , and be available to assist our clients to navigate the implications of the RPAA and the Regulations.

For more information related to the RPAA or the Regulations, please contact the author of this update or any member of our Financial Services Regulatory Group.