As we highlighted in our Quarterly Fintech Update in 2023, a significant development in the Canadian retail payments industry is forthcoming within this year—namely, the implementation of a new regulatory framework under the Retail Payment Activities Act (RPAA) that will impact all retail payment service providers (PSPs) operating in Canada."

In November, 2023, the RPAA was set in motion with the publication of the final Retail Payments Activities Regulations (Regulations).

More recently, the Bank of Canada (the Bank) released draft supervisory guidelines to help PSPs understand their obligations on the standards and practices in the following draft documents (copies of which can be found here), of which drafts are open for public comment until May 21, 2024:

  • operational risk and incident response;
  • incident notification;
  • safeguarding end-user funds; and
  • notice of significant change or new activity.

Background

The Bank will be responsible for supervising PSPs with the aim of building public confidence in the safety and reliability of PSPs services while protecting end users from specific risks. Individuals and entities that offer certain payment functions may be subject to RPAA and the Regulations, thereby necessitating the need to register with the Bank. This proactive approach aims to mitigate operational risks and safeguard the funds of end-users.

A guideline released by the Bank (the Guideline) is intended to help individuals and entities determine if they are subject to the RPAA and if they should register with the Bank.

This blog post will be the first in a series of subsequent posts that follow the development of RPAA, its regulations and any further guidance from the Bank. The following is a summary of the Guideline's Four-Step Test used to assess whether a business provider is a PSP that is subject to the RPAA and its regulations. Upon such determination, the second half of the blog post outlines the requirements that need to be met by such PSPs.

Who Has to Register With Bank Of Canada?

To determine if registration is necessary, consider the four-step application test outlined by the Bank. If you are an entity not excluded from the RPAA, is performing one or more of the five specified payment functions related to electronic funds transfers (EFTs), with a place of business or providing services in Canada, registration is required. Even foreign PSPs, which are subject to the RPAA, regardless of their incorporation status or registration with FINTRAC, must register with the Bank.

The Four-Step Test:

  1. Are you a payment service provider? Yes—proceed to #2; No—no need to register.

    The RPAA defines a PSP as "an individual or entity that performs payment functions as a service or business activity that is not incidental to another service or business activity." If your business is providing any one of the five payment functions such as (1) providing/maintaining payment accounts, (2) holding funds, (3) initiating EFTs, (4) authorizing/transmitting/receiving EFT instructions, and (5) providing clearing/settling services, you are likely a payment service provider.

    The Guideline notes that an entity is likely not a PSP if the payment function is performed to directly support a non-payment service or business activity. In other words, the payment function provided is "incidental" to your primary business. The Guideline provides more detailed examples and explanations on activities that constitute payment functions.
  2. Do you perform a retail payment activity? Yes—proceed to #3; No—no need to register.

    A retail payment activity is a payment function performed in relation to an EFT that is made in the currency of Canada or another country (excluding digital currencies). Section 2 of the RPAA defines an EFT as "a placement, transfer or withdrawal of funds by electronic means that is initiated by or on behalf of an individual or entity." If your payment service involves moving money between a payer and a payee through any electronic means, you are likely performing a retail payment activity.
  3. Where is your place of business?

    If you are carrying out your retail payment activity at a place of business in Canada, is performing retail payment activities for Canadian end users or is planning to expand business into Canada, then you are likely captured by the geographic scope under Sections 4 and 5 of the RPAA.
  4. Are you or your activities excluded from the RPAA?

    The RPAA has entity-based exclusions and activities-based exclusions that exclude certain PSPs performing retail payment activities. The Guidelines provide more detailed examples of the exclusions, but generally, entities such as Schedule I, II, III banks, authorized foreign banks, insurance companies, provincially regulated financial institutions, including credit unions, are excluded from the RPAA. Activities that pose limited risks to end users and activities that are prudently regulated or not considered to be retail payments are also excluded from the RPAA. Examples of these transactions include transactions using automatic banking machines, internal transactions among affiliated entities and securities transactions performed by an individual or entity that is regulated or exempted from regulation under Canadian securities legislation.

What's Next for PSPs

If based on the above test, you arrived at the conclusion that you are a PSP, the Regulations will almost certainly have some impact on your business practice by introducing certain operational and regulatory compliance requirements.

PSP Registration Requirement

The requirement for PSPs to register with the Bank is fundamental to the Bank's exercise of this supervisory and regulatory role. The RPAA includes a transition period for PSPs to apply for registration and for the Bank to review the applications. The transition period will begin on November 1, 2024, and continues to September 7, 2025. Applications for registration under the RPAA must be made between November 1, 2024 and November 15, 2024. PSPs currently providing retail payment services can continue to provide services during the transition period, but only if they have submitted an application during that 15-day application window.

Individuals or entities who wish to start operating as a PSP after the 15-day application window but have not applied within that time will still be able to apply to register with the Bank but will be subject to potential delays in commencing their retail payment activities as registration application must be submitted at least 60 days before commencement of retail payment activities. Entities that operate as a PSP during this transition period without submitting their registration application will be in contravention of Section 104 of the RPAA and may be subject to a notice of violation and / or monetary penalty.

Bank Supervision and PSP Reporting Requirements

In order for the Bank to have regulatory oversight, PSPs will be required to report to the Bank through several channels. These include filing an annual report and filing an incident / significant change reports if applicable. The RPAA also gives the Bank authority to request information from a PSP pertaining to its compliance with the risk management regime; upon receipt of such information request, the PSPs will have a 15-day window to respond unless it has reasons to believe the information requested will have significant adverse impact on end users or other PSPs.

Standards for Operational Risk Management

On September 8, 2025, the requirement for the Bank to register PSPs and publish a registry of PSPs will be in force, as well as the remaining sections of the RPAA and the Regulations concerning operational risk and end-user fund safeguarding. The Regulations require a PSP to establish objectives in relation to its Risk Management Framework. Specifically, the PSP should seek to preserve the integrity, confidentiality and the availability of its retail payment activities and of the systems, data or information involved in the provision of those activities.

To achieve these objectives, PSPs have to identify in their operational risks in the annual reports, protect its retail payment activities from those risks, detect incidents and control breakdowns and respond to and recover from incidents. The Regulations require PSPs to:

  • internally review and test its Risk Management Framework;
  • establish roles and responsibilities for the management of operational risk and incidents;
  • have access to sufficient human and financial resources to establish, implement and maintain its Risk Management Framework; and
  • manage its risks from third-party service providers, agents and mandataries.

Requirements to Safeguard End-User Funds

This requirement aims to protect consumer and business funds when the PSP goes insolvent and to ensure end users have reliable and timely access to their funds. The RPAA requires PSPs to hold funds in a trust or in a segregated account with insurance or a guarantee and to develop a written Fund Safeguarding Framework describing the PSP's systems, policies, processes, procedures, controls and other means to meet the objectives of protecting end user finds.

National Security Requirements

The Act also provides the Minister of Finance with the authority to address risks related to national security that could be posed by PSPs. This includes the ability to refuse PSPs' applications, revoke registrations, order undertakings or conditions, as well as issue national security orders for a PSP to take or refrain from any action.

Penalties for Violating Requirements

The Act provides the Bank with powers to address non-compliance with the Act or violations of the Act. These powers include:

  • entering into compliance agreements;
  • issuing notices of violation (NOV) with or without an administrative monetary penalty (AMP)—note that only designated violations would be subject to an NOV and an accompanying AMP.
  • issuing NOVs with an AMP and an offer to enter into a compliance agreement;
  • issuing compliance orders;
  • applying to the court for an order (i.e. court enforcement); and
  • refusal or revocation of a registration.

Where a PSP enters into a compliance agreement with the Bank after receiving an NOV and fails to meet the terms of that agreement, the Bank would issue a Notice of Default to the PSP. PSP issued the Notice of Default would need to pay an additional penalty. Section 48 of the Regulations established penalty ranges for "Serious" or "Very Serious" violations, ranging from $1 million per each Serious violation, up to $10 million per each Very Serious violation.

Conclusion

The upcoming regulatory landscape, especially the stringent framework proposed by the RPAA and the Regulations, may raise concerns for the sustainability of small PSPs. It is crucial to use the period between now and November of this year to assess whether the RPAA applies to you and to proactively prepare to meet these regulatory requirements to ensure smooth transition when the Regulations come into force. The Bennett Jones Financial Services group can support clients navigating this complex framework.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.