A new era for payment service providers in Canada: A review of the scope and requirements of the Retail Payment Activities Act
On February 14, 2024, The Bank of Canada (the “Bank”) released How to complete a registration application: A step-by-step guide (the “Step-by-Step Guide”). The Step-by-Step Guide aims to help payment service providers (“PSPs”) gather the documents PSPs need to complete their application for registration with the Bank under the Retail Payment Activities Act (the “RPAA”).
The Step-by-Step Guide is part of a recent initiative by the Bank aimed at offering guidance to PSPs required to register under the RPAA beginning on November 1, 2024. The release of guidance by the Bank represents the culmination of a years-long process to enact and begin implementation of the RPAA.
Through a series of articles we have tracked this process. We first discussed the RPAA in FinTech Companies be warned… regulation is on the way, which outlined the background of the RPAA and its impact on PSPs. Our second article, Canada publishes proposed Retail Payment Activities Regulations, provided a summary of the proposed regulations under the RPAA and outlined the process to finalize the regulations. Third, we discussed a concern among those in the payments industry that the RPAA will have a disproportionate impact on small PSPs in Comments on proposed Retail Payments Activities Act regime raise concerns for small payment service providers. And finally, in our most recent article, Update on the implementation of the Retail Payment Activities Act, we discussed the timing of the rollout of the RPAA.
With the advent of the guidance from the Bank, we believe it is appropriate to re-visit the pertinent requirements of the RPAA.
What is the RPAA?
The RPAA is federal legislation that is intended to regulate PSPs which engage in “retail payment activities” in Canada. The RPAA is designed to protect consumers by ensuring the safe and efficient movement of funds and supervising the risk of financial loss to Canadians. In recent years, there have been rapid advances in technology that have enabled PSPs to move currency in new and unique ways. Because PSPs were operating without any regulatory oversight, the RPAA is intended to address this regulatory gap.
The core elements of the RPAA fall generally into the following categories: operational risk management, end-user (payor or payee) funds safeguarding, registration requirements, reporting requirements, administration and enforcement. The Bank has supervisory authority over entities registered under the RPAA.
Registration
All PSPs are required to register with the Bank. A PSP is an individual or entity that performs payment functions as a service or business activity that is not incidental to another service or business activity. An entity need only be performing one of five payment functions delineated in the RPAA to be considered a PSP.
The following five activities are considered to be payment functions under the RPAA:
- the provision or maintenance of an account that, in relation to an electronic funds transfer (“EFT”), is held on behalf of one or more end-users;
- the holding of funds on behalf of an end-user until they are withdrawn by the end-user or transferred to another individual or entity;
- the initiation of an EFT at the request of an end-user;
- the authorization of an EFT or the transmission, reception or facilitation of an instruction in relation to an EFT; or
- the provision of clearing or settlement services.
That said, the registration requirement in the RPAA is not set to come into effect until November 16, 2024. In preparation for the registration requirement to come into effect, the Bank has set a window whereby PSPs are required to apply for registration. All PSPs must apply with the Bank during the registration window from November 1, 2024 to November 15, 2024 (the “Registration Period”). Any PSP that has not applied for registration by November 15, 2024, will be in violation of the RPAA.
PSPs are required to register through the Bank’s PSP Connect portal. The Bank is still in the process of building the PSP Connect portal. The current fee to register is CAD$2,500.
As mentioned, the Bank has published a Step-by-Step Guide to registration using PSP Connect. The Step-by-Step Guide lists every question contained in the application for registration and provides detailed explanations for the different answers to be provided.
Following the November 15, 2024 deadline to register, the Bank will take ten months to review the applications for registration that have been submitted. During this period of time, PSPs are permitted to operate in Canada, provided that they have applied for registration. On September 8, 2025, the Bank will publish the list of registration decisions including the list of PSPs that were refused registration. PSPs that were refused registration will be notified before the list of refusals has been published.
Risk management and incident response
PSPs are required to establish, implement, and maintain a risk management and incident response framework (a “RMIR Framework”). This requirement will not come into effect until September 8, 2025. However, PSPs are required to include a description of a PSP’s RMIR Framework and the plans to implement and establish said framework, in a PSP’s application for registration. Practically speaking therefore, PSPs will need to have at least a broad sense as to what their RMIR Framework will look like prior to the Registration Period.
A RMIR Framework must conform to a number of specific requirements. The RMIR Framework must be in writing and shall (among other requirements):
- set out the following as its objectives:
- ensuring that the PSP is able to perform retail payment activities without reduction, deterioration or breakdown, including by ensuring the availability of the systems, data and information involved in the performance of those activities, and
- preserving the integrity and confidentiality of those activities, systems, data and information;
- set out clearly defined and measurable reliability targets for the ability to perform the retail payment activities and for the availability of the systems, data and information referred to above, as well as indicators for assessing whether each of the objectives referred to above is met;
- allocate specific roles and responsibilities in respect of the implementation and maintenance of the framework; and
- identify the assets — including systems, data and information — and business processes that are associated with the PSP’s performance of retail payment activities and classify them according to their sensitivity and their criticality to the performance of those activities.
It is important to note that the Bank is expected to release final guidelines on the RMIR Framework in the third quarter of 2024. Currently, the Bank has released draft guidelines regarding the RMIR Framework (“RMIR Draft Guidelines”). The RMIR Draft Guidelines are open for comment. The Bank is accepting comments on the RMIR Draft Guidelines by e-mail until May 21, 2024. The RMIR Draft Guidelines will assist PSPs in creating and implementing their RMIR Framework.
Safeguarding of funds
PSPs that hold end-user funds until they are withdrawn by the end-user or transferred to another individual or entity are subject to a number of requirements under the RPAA. First, these PSPs are required to hold end-user funds in one of two ways.
The first option, is the PSP may hold end-user funds in trust in a trust account that is not used for any other purpose. The second option, is the PSP may hold end-user funds in an account that is not used for any other purpose and hold insurance or a guarantee in respect of the funds that is in an amount equal to or greater than the amount held in the account. In either case, the account that holds the end-user funds must be maintained at a bank or similar entity that, generally, imposes standards in respect of capital, liquidity, governance, supervision, and risk management.
In the case the PSP decides to utilize insurance or a guarantee instead of a trust, there are additional obligations. For example, the PSP must ensure that the proceeds from the insurance or guarantee will not form part of the PSP’s estate.
Further, a PSP that holds end-user funds must also establish, implement, and maintain a written safeguarding-of funds framework (“SoF Framework”) for the purpose of ensuring that end-users have reliable access without delay to the end-user funds that are being held by a PSP and, if an insolvency event occurs in respect of the PSP, those end-user funds, or proceeds of the insurance or guarantee, are paid to end-users as soon as feasible.
A PSP’s SoF Framework is required to include a significant amount of detailed information. The SoF Framework must describe the PSP’s systems, policies, processes, procedures, controls, and other means for meeting the objectives referred to in the immediately preceding paragraph. Specifically, the SoF Framework must describe the PSP’s use of liquidity arrangements and its holding of end-user funds, in the form of secure and liquid assets, keep a ledger that sets out the name and contact information of each end-user whose funds are held by the PSP and the amount of funds belonging to each of those end-users that is held by the PSP at the end of each day, among other requirements.
The requirements relating to the SoF Framework will come into effect on September 8, 2025. However, PSPs are required to include specific information in relation to the PSP’s safeguarding of end-user funds in a PSP’s application for registration. Practically speaking therefore, PSPs will need to have at least a broad sense as to what their plans are for safeguarding end-user funds prior to the Registration Period.
The Bank is expected to release final guidelines on the scope of the safeguarding of end-user funds sections of the RPAA in the third quarter of 2024. Currently, the Bank has released draft guidelines regarding the safeguarding of end-user funds requirements of the RPAA (“SoF Draft Guidelines”). The SoF Draft Guidelines are open for comment. The Bank is accepting comments on the SoF Draft Guidelines by e-mail until May 21, 2024.
Provision of information
PSPs are required to submit an annual report to the Bank (an “Annual Report”). A PSP’s Annual Report must include information regarding the accounts, insurance and guarantees of a PSP, the holding of end-user funds, the PSP’s RMIR Framework, etc. This requirement is set to come into effect on September 8, 2025, meaning a PSP’s first Annual Report will relate to fiscal year 2025 and will be required to be submitted by March 31, 2026.
Some of the information required to be included in a PSP’s Annual Report includes:
- a description of any changes made to the PSP’s RMIR Framework during the reporting year and the PSP’s plans for the framework’s maintenance and implementation;
- a description of the human and financial resources for implementing and maintaining the RMIR Framework that were available to the PSP during the reporting year;
- a description of the PSP’s operational risks in respect of the reporting year, their potential causes and the manner in which they were identified;
- a description of any incidents that the PSP experienced during the reporting year;
- information on any entity that has provided the PSP with an account used for safeguarding end-user funds.
PSPs are also required to submit notices anytime a PSP undergoes a “significant change” in the way the PSP performs a retail payment activity or before it performs a new retail payment activity. A change is significant if it could reasonably be expected to have a material impact on operational risks or the manner in which end-user funds are safeguarded.
The notice indicating the PSP has undergone a significant change must be given to the Bank at least five business days before the day on which the PSP makes a significant change in the way it performs a retail payment activity or the day on which it performs a new retail payment activity. The notice must include a description of the change or new activity to be performed, the reason for the change or new activity, the PSP’s assessment of the effect that the change or new activity will have on its operational risks and on the manner in which end-user funds are safeguarded, both during and following implementation of the change or new activity, etc.
Conclusion
Payment providers that will be considered PSPs under the RPAA must begin preparing for registration with the Bank as soon as possible. The requirements imposed upon PSPs, as described herein, are extensive and the mandatory frameworks will entail a significant investment of time to create and implement. If your business may be impacted, please contact a member of our Financial Services or Compliance teams for assistance in preparing your business for registration under, and compliance with, the RPAA.