Bank Of Canada Releases More Retail Payments Activities Act Resources For Fintech, Crypto And Payfac Businesses

MT
McCarthy Tétrault LLP

Contributor

McCarthy Tétrault LLP provides a broad range of legal services, advising on large and complex assignments for Canadian and international interests. The firm has substantial presence in Canada’s major commercial centres and in New York City, US and London, UK.
As part of our series following the evolution of the Retail Payments Activities Act (RPAA) as we approach the initial registration period commencing on November 1, 2024...
Canada Technology

As part of our series following the evolution of the Retail Payments Activities Act (RPAA) as we approach the initial registration period commencing on November 1, 2024, we highlight key aspects of new resources the Bank of Canada released this month that will be of interest to fintech, neo-banking and crypto business models in Canada.

Between October 2 and October 16, 2024, the Bank of Canada (Bank) released a host of additional guidance, including additional case scenarios (Case Scenarios), and updated supervisory policies and guidelines related to retail payments supervision (Supervisory Policies) in advance of the initial RPAA registration period which commences on November 1, 2024.

These new Case Scenarios and updated Supervisory Policies help payments, fintech, crypto and other payments-related businesses to:

  • determine whether or not they will be required to register with the Bank as a payment services provider (PSP) (see our previous blog post here on registration); and
  • have a better understanding of how to complete the registration application.

The Bank also updated its step-by-step guide for how to complete a PSP registration application.

Additional Case Scenarios: Fintech, Crypto, Payfacs

The Case Scenarios include detailed discussion of whether or not certain of the following common (though not exhaustive) businesses would have to register as a PSP with the Bank, and if so, what regulated payment function they would be engaged in:

  • merchant acquiring
  • neo-banking
  • digital wallets
  • money transferers
  • card programs, including program managers
  • cloud computing
  • software-as-a-service (SaaS)
  • infrastructure-as-a-service (IaaS)
  • lending (including buy-now-pay-later)
  • e-commerce and marketplaces
  • crypto-backed services

The Case Scenarios cover certain esoteric, but increasingly popular, financial services models in the payments industry. By doing so, many businesses whose services and products interact with the payments system now have more factual information to conduct their own threshold assessment of whether or not they would need to register as a PSP with respect to their Canadian activities. Specifically, the Case Scenarios provide a basis on which to support a determination of which regulated payment function a business is engaged in so it can be more certain of which requirements under the inaugural framework apply to the business.

Who Holds the Funds?

The Bank amended its criteria for registering as a PSP, adding clarity to what constitutes the "holding of funds" payment function. Holding funds "at rest" continues to be a regulated payment function; however, the Bank made more clear that temporarily holding funds in transit (in the midst of being processed) or immediate transfers that experience processing delays due to ordinary business procedures (like overnight settlement and anti-fraud or anti-money laundering measures) alone will not subject a PSP to the registration requirements of the RPAA. In cases where multiple PSPs are involved in a single electronic funds transfer (EFT) from one end user account to another, it is the initial and final PSP that would be considered holding funds on behalf of such end users, and not the intermediary PSPs.

Updated Supervisory Policies Published

  • Operational Risk and Incident Response: Of all the updated Supervisory Policies, the most extensive updates made by the Bank were to this policy, which included, among others:
    • generally, taking a more nuanced approach with respect to the requirements of the Supervisory Policy, making clear that the measures taken by PSPs with respect to operational risk and incident response need to be tailored to each PSP's circumstances and that PSPs should take a risk-based approach to: (i) establishing, implementing and maintaining their operational risk frameworks, and (ii) their continuous monitoring and detection capabilities;
    • the addition of recovery time objectives and recovery point objectives to the Bank's required reliability targets for more ubiquitous or interconnected PSP (the draft policy previously only included system availability targets and recovery point objectives);
    • clarification regarding relationships with third parties, including that written, inter-company agreements should govern the relationships between a PSP and its affiliates, and that the PSP's operational risk framework should include risks associated with services provided by affiliates; and
    • further guidance regarding PSPs taking a risk-based approach to assessments of third parties, including identification and mitigation of risks associated with the use of third parties and overseeing fulfillment of their respective roles and responsibilities.
  • Reporting of Retail Payments Activity Metrics at Registration: Clarified reporting with respect to affiliates and the names of PSPs to which the applicant PSP provides or intends to provide retail payment activities.
  • Incident Notification: Clarified that PSPs' incident reporting obligations apply only with respect to incidents that have a "material impact", and that PSPs should consider factors such as individual circumstances, business model and the nature of the specific services they offer to determine if an incident has a material impact on an end user, PSP or clearing house; incidents are to be reported using the template that will be available on PSP Connect.
  • Notice of Significant Change or New Activity: Added examples of changes that the Bank would consider to be significant, which provide helpful contextual guidance for when notice of a change is required to be provided by the PSP to the Bank, and that the process to notify the Bank of changes to registration information is separate from the process used to notify the Bank of a significant change.

Of note, the much-anticipated final Supervisory Policies related to the safeguarding of end-user funds were not released at this time and are expected to be released by the Bank later in 2024.

NEW Supervisory Policies Published

The Bank also released several new Supervisory Policies, as follows:

  • Reporting Changes to Registration Information: Applies once PSPs are already registered with the Bank under the RPAA, and includes a helpful appendix summarizing the applicable deadlines for when PSPs are required to notify the Bank of changes to their registration information.
  • Annual Reporting: Describes the annual reporting process, whereby PSPs must submit their completed annual report form through PSP Connect to the Bank by March 31 of each year. The annual report form will ask specific questions regarding the PSPs compliance with the RPAA and may change from year to year.
  • Annual Reporting of Retail Payment Activity Metrics: Provides guidance to PSPs on understanding the annual reporting requirements for retail payment activity metrics, including activities that need to be reported and guidance on calculations, along with illustrative examples. The metrics PSPs are required to report upon include the value of end user funds held, number of electronic funds transfers facilitated, and number of end users and PSPs it serves. These metrics may be used by the Bank for the purposes of risk-based supervision, proportionate enforcement actions and monitoring trends and issues.

As a reminder, the initial registration application period under the RPAA runs from November 1, 2024 to November 15, 2024 (the Initial Registration Period). Beginning on November 16, 2024, entities that have not applied for registration during the Initial Registration Period will continue to be able to apply but must wait at least 60 days following submission of an application to commence retail payment activities.

To view the original article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More