The Retail Payment Activities Act (RPAA), alongside its accompanying regulations, marks a significant step in Canada’s evolving regulatory landscape, aiming to enhance the supervision of PSPs in the retail sector. Enacted to address potential risks in payment systems, the RPAA and its finalized regulations, published on November 22, 2023, establish new compliance obligations for PSPs operating in Canada or serving Canadian users. As PSPs prepare for registration requirements effective November 2024, and full compliance by September 2025, understanding the RPAA’s specific obligations, particularly, preparation of legal opinion for companies, and implications is crucial.
Objectives of the Retail Payment Activities Act (RPAA)
The RPAA was designed to provide next-mentioned.
- Mitigate National Security Risks: The act enables the Canadian government to identify and address security threats related to payment service providers, ensuring safe and controlled transactions within the country.
- Enhance Consumer Protection: By safeguarding end-user funds and promoting operational reliability, the RPAA aims to strengthen consumer trust in retail payment providers.
- Promote System Stability: By introducing a structured supervisory framework, the act seeks to enhance the resilience and transparency of Canada’s retail payment system.
- Align with International Standards: The RPAA aligns with global trends in payment regulation, potentially opening paths for PSPs to gain broader access to Canada’s payment networks.
Implementation of any new regulative grounds requires involvement of professional advice.
Who Is Affected by the RPAA?
The RPAA applies to a broad range of PSPs that offer services to Canadian users, including:
- domestic and foreign PSPs: Both Canadian-based PSPs and foreign entities offering services to Canadian end-users (e.g., payers and payees) are subject to the RPAA;
- payment functions covered: The RPAA regulates PSPs engaged in five specific activities: providing or maintaining end-user payment accounts, holding end-user funds until they are withdrawn or transferred, initiating electronic fund transfers (EFTs) on behalf of end-users, authorizing EFTs or relaying related instructions and providing clearing or settlement services.
Certain activities and entities, however, are exempt from RPAA regulation, including:
- financial institutions: Banks, credit unions, and entities already regulated by Canadian financial legislation;
- incidental payment functions: Payment activities that are secondary to a provider’s primary service (e.g., closed-loop gift card systems);
- transactions excluded: ATM withdrawals, SWIFT transfers, and securities transactions, among others.
Key Requirements under the RPAA Regulations
The finalized regulations under the RPAA impose several critical requirements, each aimed at enhancing the operational resilience, compliance capabilities, and overall reliability of PSPs in Canada.
Registration and Record-Keeping
- Registration Period: PSPs must register with the Bank of Canada between November 1 and November 15, 2024. Registrations completed outside this period may face a 60-day delay in their ability to conduct retail payment activities.
- Registration Fee: A one-time registration fee of CAD 2,500, subject to future inflation adjustments.
- Public Registry: The Bank of Canada will maintain a public registry of all registered PSPs.
- Record Retention: PSPs are required to keep records demonstrating compliance with the RPAA for a minimum of five years.
- New Registrations for Prescribed Changes: PSPs must re-register in cases of significant changes, such as state-owned acquisitions or shifts in data storage locations.
Operational Risk Management
- PSPs must develop and maintain a robust risk management framework to ensure data integrity and confidentiality.
- The framework should address both ongoing operational risks and emergency incident response protocols.
- This mandate is intended to minimize disruptions, protect user data, and enhance resilience against cyber threats and other operational risks.
Safeguarding End-User Funds
- PSPs must implement fund safeguarding measures to ensure end-user funds are secure until withdrawn or transferred by the user.
- Options for Safeguarding: maintain end-user funds in a dedicated trust account with a Canadian financial institution (e.g., a bank or credit union); alternatively, funds may be safeguarded through a guarantee or insurance policy from a regulated financial institution that is not affiliated with the PSP; funds in trust or under insurance policies must be clearly isolated to avoid inclusion in the PSP’s bankruptcy estate, providing additional security to end-users.
Reporting Obligations
- Annual Reporting: PSPs must submit annual reports, with the first due on March 31, 2026.
- Incident Reporting: PSPs must notify the Bank of Canada promptly regarding any significant operational incidents.
- Change Reporting: Major organizational changes, particularly those impacting risk exposure, must also be reported.
- Response Timeline: PSPs are required to respond to information requests from the Bank of Canada within 15 days.
National Security Review
- All initial PSP registrations will undergo a national security review by Canada’s Minister of Finance.
- The Minister has authority to: reject applications based on security risks, impose conditions or revoke PSP registrations as deemed necessary and issue directives to ensure alignment with Canada’s national security interests.
Enforcement and Penalties
The RPAA imposes penalties to enforce compliance:
- serious violations: Fines up to CAD 1 million;
- very serious violations: Fines up to CAD 10 million, with infractions such as mishandling end-user funds or obstructing audits categorized as “very serious.”
These penalties serve as a deterrent and promote adherence to RPAA standards.
Changes from Draft Regulations to Final Regulations
The finalized regulations reflect several adjustments from earlier drafts, aiming to balance regulatory rigor with practical considerations for PSPs.
- Extended Timelines: PSPs are now provided additional time to implement compliance measures, particularly for complex requirements such as fund safeguarding and risk management frameworks.
- Relaxed Reporting Requirements: Several stringent reporting obligations initially proposed were either scaled back or eliminated to reduce the administrative burden on PSPs.
Next Steps for PSPs and the Bank of Canada
As the compliance deadlines approach, both PSPs and the Bank of Canada have key action points to address.
For PSPs it looks like next-mentioned.
- Prepare for Registration: Ensure readiness for the November 2024 registration period by establishing necessary documentation and compliance frameworks.
- Develop Compliance Protocols: Focus on creating robust risk management and fund safeguarding processes to meet the September 2025 compliance deadline.
- Engage with the Bank of Canada: PSPs may consider participating in pilot programs offered by the Bank of Canada to familiarize themselves with registration and reporting processes.
For the Bank of Canada it’s as follows.
- Issue Guidance: The Bank of Canada will release detailed guidance on specific aspects of the RPAA, including operational risk and incident reporting requirements.
- Pilot Program: A registration pilot program will be offered to help PSPs test and streamline the registration process, with interested PSPs encouraged to participate by December 15, 2023.
The introduction of the RPAA and its regulations marks a pivotal development in Canada’s approach to retail payment oversight, introducing a framework that balances security and compliance with operational feasibility. As the September 2025 compliance deadline approaches, PSPs must take proactive steps to align their practices with the new regulatory standards, enhancing both operational resilience and consumer trust. Through this comprehensive framework, the RPAA positions Canada to foster a safe, reliable, and competitive retail payment ecosystem that is equipped to address emerging risks in a rapidly digitizing landscape.
