On November 22, 2023, the final Retail Payment Activities Regulations (the "Regulations") under the Retail Payment Activities Act (the "RPAA") were published in Part II of the Canada Gazette. This follows a 45-day consultation that took place after the draft regulations (the "Draft Regulations") were published in Part I of the Canada Gazette in February of this year. For more information regarding the Draft Regulations, please refer to our prior bulletin, "One Step Closer to a Regulatory Regime for Payment Service Providers - Draft Retail Payment Activities Regulations Released". In response to the consultation on the Draft Regulations, the Department of Finance received 44 submissions from various stakeholders, including payment service providers ("PSPs") and industry associations.

Key Changes from the Draft Regulations

While the Regulations are generally similar to the Draft Regulations, some notable changes were made to try and address concerns raised by stakeholders, in particular regarding the regulatory burden associated with the Regulations.

The key changes include the following:

  • In connection with the Risk Management and Incident Response Framework (the "Risk Management Framework"):
    • the requirement that a PSP resume operations following an incident only once it has verified that the integrity and confidentiality of all systems, data and information have been restored and that it is able to perform retail payment activities without reduction, deterioration or breakdown, was removed;
    • it was clarified that the requirements in respect of third-party service providers only apply to third-party service providers that perform services related to a payment function;
    • the requirement for a PSP to review its Risk Management Framework after a material incident was removed, and the requirement for a PSP to review its Risk Management Framework before making changes to its operations, processes and procedures to address operational risks was amended to specify that the review must take place following "material" changes (as opposed to "significant changes");
    • the requirement for the board of directors of a PSP to approve material changes within the previous year was removed, however where a PSP has a board of directors, it must approve the Risk Management Framework at least once a year; and
    • revisions were made to provide a PSP flexibility to establish the scope and frequency of its testing methodology to identify gaps and vulnerabilities in its systems, policies, procedures, processes, controls and other aspects of its Risk Management Framework, as opposed to requiring a PSP to test all aspects of its framework every three years.
  • In connection with the Safeguarding of Funds Framework:
    • revisions were made to clarify that when a PSP makes a change to the accounts or the insurance or guarantees it uses to safeguard end-user funds, only changes that would be expected to have a material impact on the manner in which end-user funds are safeguarded would require the PSP to review its Safeguarding of Funds Framework (rather than all changes); and
    • the approval process and independent review process for the Safeguarding of Funds Framework were amended to align with the approval process for the Risk Management Framework.
  • In connection with reporting requirements:
    • adjustments were made concerning the metrics to be reported, such as reducing the historical reporting period at registration to 12 months (from 24 months), and removing the requirement to provide metrics on payment categories; and
    • revisions were made to clarify that a description of only significant changes, rather than all types of changes, need to be included in the PSP's annual report.
  • In connection with registration requirements:
    • the requirement for a PSP to submit a new application for registration when it intends to store and process personal and financial information in a previously undisclosed country was removed (and was replaced with a requirement to provide 60-days notice to the Minister prior to such change); and
    • new PSPs, who file an application for registration outside of the 15-day transition window (between November 1, 2024 – November 16, 2024), will be subject to a 60-day delay before being able to perform retail payment activities.

We also note that, although the Bank of Canada still has a legislative requirement to recover fees from PSPs under the RPAA, the formula for the assessment fees, which was included in the Draft Regulations, has been removed from the Regulations.

Looking Ahead

Now that the Regulations have been published, further guidance from the Bank of Canada is expected which will address concerns such as the interpretation of definitions in the RPAA, including the circumstances in which merchants perform incidental payment functions that are outside the scope of the RPAA, how PSPs can leverage existing practices to meet requirements in the Regulations, what PSPs must do when they use a foreign financial institution to safeguard funds, and what scenarios could require a PSP to submit a significant change report.

The registration requirements under the RPAA will come into force on November 1, 2024. There will be a transition period such that existing PSPs that have submitted an application for registration by November 16, 2024 can perform retail payment activities until they are notified by the Bank of Canada of their registration (or that they have been refused registration). The requirements to establish a Risk Management Framework and a Safeguarding of Funds Framework will come into force on September 8, 2025.

If you have any questions about the RPAA or the Regulations, please reach out to a member of our Financial Services Group.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.