Operative requirements supervisory guidelines

This article is the second instalment in our Retail Payment Activities Act(the “RPAA”) implementation series. In the first instalment, Case Studies and Registration Updates, we discussed the Bank of Canada’s (the “Bank”) guidance released on August 21, 2024. It included additional case scenarios on the RPAA's application and a new supervisory policy on acquisitions of control and associated requirements.

In this second instalment, we discuss the operative requirements of the RPAA that come into effect after the Bank publishes a list of all registered PSPs on September 8, 2025. Namely, the operational risk and incident response framework, the safeguarding of funds framework and the requirement to submit annual reports to the Bank. Over the past few months, the Bank has released some supervisory guidelines intended to assist payment service providers (“PSPs”) in complying with these obligations under the RPAA. The release of these supervisory guidelines provides an opportunity to review the Bank’s position on the content of the two frameworks and the annual reporting requirement.

Operational risk and incident response framework

From September 8, 2025 onwards, PSPs that perform retail payment activities will be required to implement and maintain a risk management and incident response framework (the “RMIR Framework”) that meets prescribed requirements, in accordance with subsection 17(1) of the RPAA.

The RMIR Framework must contain all elements of a PSP’s operational risk management and incident response arrangements. This includes, but is not limited to, systems, policies, procedures, and the roles and responsibilities relevant to operational risk identification, mitigation, and incident response. The RMIR Framework must be designed to preserve the integrity, confidentiality, and availability of the PSP’s retail payment activities and of the systems, data and information associated with the performance of those activities.

To achieve these objectives, PSPs must: identify operational risks that they may face when providing retail payment activities; protect against those operational risks; detect incidents, anomalous events and lapses in the implementation of the framework; respond to and recover from incidents (regardless of their materiality); and review and test their framework.

PSPs should be mindful that compliance with operational risk management and incident response requirements also applies to any retail payment activities provided by the PSP’s employees, third-party service providers, agents or mandataries. A PSP or other individual or entity that is subject to a requirement under the RPAA will be liable for a violation that is committed by any of its employees, third-party service providers, agents or mandataries, as stated in section 87 of the RPAA. 

Similarly, if a PSP is a subsidiary of another regulated entity, it is still required to comply with RPAA requirements and demonstrate its compliance to the Bank. Though a PSP may adopt elements of operational risk management and incident response arrangements of their parent company, the PSP must ensure their adopted elements comply with the RPAA requirements and develop supplementary arrangements if necessary.

PSPs can find further information in the Bank’s Operational Risk and Incident Response Supervisory Guideline.

Safeguarding of end-user funds framework

All registered PSPs that hold end-user funds must implement and maintain a framework to safeguard those funds in particular ways, from September 8, 2025 onwards.

Safeguarding end-user funds is intended to achieve two objectives, as stated in subsection 15(1) of the Retail Payment Activities Regulations (the “RPAR”): (i) to ensure that end users have reliable access without delay to their funds held by a PSP; and (ii) to protect end-user funds against financial loss in the event of a PSP’s insolvency.

To achieve the safeguarding objectives, PSPs must comply with requirements in sections 13 and 17 of the RPAR, section 20 of the RPAA, and the Bank’s guidelines. Specifically, subsection 20(1) of the RPAA requires a PSP to safeguard funds by holding them in a trust account or using insurance or a guarantee. The PSP must hold end-user funds in a safeguarding account, separate from other funds its holds, including its own funds. The Bank expects PSPs to place end-user funds in safeguarding accounts in a short period of time (i.e., as soon as practical on receipt but no later than the end of business day after the day of receipt).

When the PSP begins holding end-user funds, other safeguarding obligations also apply, for example, the PSP must:

• keep the name and contact information for each end user and a ledger of end-user funds held;
• set out its approach for meeting liquidity demands generated by end users’ requests for withdrawals and transfers;
• identify and mitigate the legal and operational risks that could hinder its ability to meet the safeguarding objectives; document how end users would be reimbursed in the event of the PSP’s insolvency;
• identify a senior officer who is responsible for overseeing the PSP’s practices for safeguarding end-user funds and for ensuring the PSP’s compliance with the end-user fund safeguarding requirements; and
• review its framework annually and after changes that could have a material impact on the way it safeguards end-user funds.

Finally, a PSP must document its compliance by taking measures to identify and investigate any instances of safeguarding incorrect amounts and conducting independent review of its compliance with the safeguarding requirements every three years.

PSPs should note these safeguarding of end-user funds guidelines are currently based on the Bank’s draft supervisory policy. The Bank is expected to publish a finalized policy near the end of 2024.

Annual reporting requirements

All registered PSPs must report quantitative metrics about their retail payment activities when registering as a PSP and after registration in their annual reports on an on-going basis. The objective of the annual reportable metrics is to supervise a PSP using a risk-based approach, take proportionate enforcement action, and monitor trends and issues within the RPAA regime.

In the annual report, a PSP must report metrics on the value of end-user funds held, the number and value of electronic fund transfers (“EFTs”) it facilitates, the number of end-users it serves, and the number of other PSPs it serves.

There are certain metrics excluded from a PSP’s annual reporting obligation. PSPs are not required to report on activities excluded from the scope of the RPAA. These include, among others: payment functions performed in relation to an EFT made for the purpose of giving effect to an eligible financial contract or to prescribed transactions in relation to securities; all payment functions performed by the system operator using a designated system (e.g., Interac e-Transfer) in relation to a single EFT; internal transactions among affiliated entities; and payment functions that are incidental to another non-payment service or business activity.

All registered PSPs will be required to submit annual reports to the Bank from September 8, 2025 onwards. PSPs can find further information in the Bank’s Annual Reporting Guidance and Annual Reporting of Retail Payment Activity Metric Guidance.

Conclusion

If you feel your business may be impacted, please contact a member of our Financial Services or Compliance teams for assistance in preparing your business for registration under, and compliance with, the RPAA.