On November 3, 2023, the Federal Government announced the dates on which various sections of the Retail Payment Activities Act ("RPA Act") will come into effect. As discussed in our previous article, the RPA Act regulates retail payment service providers ("PSPs") and became law in 2022. None of the operative provisions of the RPA Act had been in effect until the Federal Government's announcement on November 3, 2023.

Following this announcement, on November 22, 2023, the final Retail Payment Activities Regulations (the "Regulations") were published in the Canada Gazette. The final Regulations differ materially from the previously published draft regulations discussed in our previous article.

This article summarizes the principal provisions of the RPA Act that have now been scheduled to come into effect, as well as the now finalized Regulations.

Registration requirement

On November 16, 2024, the registration requirement under the RPA Act will come into effect. Businesses that meet the definition of a PSP will be required to register with the Bank of Canada (the "Bank") before conducting any retail payment activity. PSPs that are already operating on that date will be allowed to continue to operate while their application for registration is pending.

There are a number of related provisions that are scheduled to come into effect on November 1, 2024. These provisions primarily govern the registration process including the form, manner, and information that must be provided to the Bank upon applying for registration.

Notably, certain provisions permit the Minister of Finance to review and reject registration applications for reasons related to national security. The Minister may also, by order, direct a PSP to take or refrain from taking any measures relating to the performance of retail payment activities for reasons related to national security.

Bank's powers

On November 1, 2024, the provisions pertaining to the Bank's powers in administrating and enforcing the RPA Act will come into effect. These powers are wide ranging and have the potential to be quite intrusive. A summary of these provisions follows:

  • the Bank may request, and a PSP is required to provide, any information that the Bank considers necessary for verifying compliance with the RPA Act;
  • the Bank may request an audit of any PSP in order to verify compliance. The expenses of such an audit are payable by the PSP;
  • the Bank may examine the records and inquire into the business and affairs of a PSP in order to verify compliance; and
  • the Bank may enter into a compliance agreement with a PSP for the purpose of implementing any measure that is designed to further compliance.

Penalties

On November 1, 2024, the provisions related to penalties imposed for non-compliance with the RPA Act are set to come into effect. A summary of these provisions follows:

  • the Bank is required to make public the nature of any violation, the name of the PSP, and amount of any penalty imposed;
  • the RPA Act contains powers to order PSPs to cease or refrain from committing acts that could have a significant adverse impact upon an end-user, another PSP, or a clearing house;
  • penalties payable under the RPA Act constitute a debt due to the Federal Government and can be recovered in court, and
  • an individual or entity is liable for a violation that is committed by any of its employees, third-party service providers, or agents or mandataries acting in the course of their employment, their contract or the scope of their authority as agent or mandatary, whether or not the employee, third-party service provider or agent or mandatary that actually committed the violation is identified.

The final Regulations provide greater detail regarding the penalties under the RPA Act. A summary of these provisions follows:

  • penalties levied under the RPA Act will range from up to $1,000,000 in the case of a serious violation, to up to $10,000,000 in the case of a very serious violation;
    • the schedules to the Regulations list the offences that are considered to be serious, and the offences that are considered to be very serious;
  • in determining the appropriate penalty, regard must be had to:
    • the harm that is done by the violation and the harm that could have been done by it;
    • the history of the individual or entity that committed the violation with respect to any prior violation committed by them within the five-year period immediately before the violation; and
    • the degree of intention or negligence on the part of the individual or entity that committed the violation.

Risk management and incident response

Beginning September 8, 2025, PSPs will be required to establish, implement, and maintain a risk management and incident response framework. As part of their incident response framework, PSPs will be required to notify end-users, another PSP, a clearing house, and/or the Bank if any incident has a material impact on any of those entities.

The final Regulations outline in detail what information a risk management and incident response framework will be required to include. Among other requirements, a risk management and incident response framework shall:

  • allocate specific roles and responsibilities in respect of the implementation and maintenance of the framework;
  • identify, and describe the potential causes of the payment service provider's operational risks;
  • describe the systems, policies, procedures, processes, controls and any other means that the payment service provider must have in place to mitigate its operational risks and protect its assets and business processes; and
  • set out a plan for responding to — including recovering from — incidents, including those involving or detected by an agent or mandatary or a third-party service provider.

Safeguarding of funds

Beginning on September 8, 2025, PSPs that hold end-user funds will be required to hold such funds in a dedicated trust account. Further, these PSPs will be required to carry insurance or a guarantee in respect of end-user funds that is in an amount equal to or greater than the amount held in the trust account. A PSP will also be required to ensure the insurance or guarantee will survive any insolvency by a PSP. PSPs will only be excused from the insurance requirement if a provincial act in the province the PSP operates in already provides for such insurance.

Any PSP that holds end-user funds will also be required to establish, implement, and maintain a written safeguarding-of-funds framework. This framework must describe the PSP's systems, policies, processes, procedures, controls and other means to ensure end-users have reliable access to their funds without delay.

Provision of information

PSPs will be required to submit an annual report to the Bank that includes information regarding the PSP's risk management and incident response framework, their trust account, and end-user funds.

The final Regulations outline in detail the information that will be required to be submitted in a PSP's annual report. The required information is substantial and PSPs should prepare systems and policies for collecting the required information during a reporting year in order to efficiently complete their annual reports.

PSPs will also be required to notify the Bank before a PSP makes a significant change in the way it performs a retail payment activity.

These provisions are set to come into force on September 8, 2025.

Final regulations

As discussed, the final Regulations differ in some respects from the earlier draft regulations. Notably, the final Regulations ease the compliance burden somewhat for PSP's when compared to the draft regulations. For example, the requirement for a PSP to review their safeguarding-of-funds framework has been adjusted from once every two years, to once every three.

Overall, the final Regulations demonstrate that the Federal Government was attentive to the comments from stakeholders expressing concern with the compliance burden that the RPA Act will impose.

Conclusion

With dates now set for the implementation of the foregoing requirements under the RPA Act, entities who's businesses may be affected should begin to prepare to comply with these provisions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.