On November 22, the final Retail Payment Activities Regulations (Final Regulations) were published in the Canada Gazette, Part II. The Regulations are made under the Retail Payment Activities Act (RPAA), which received Royal Assent in June 2021 and established a legal framework for the Bank of Canada (Bank) to supervise payment service providers (PSPs), including those who offer digital wallets.

Together with the RPAA, the Final Regulations establish obligations respecting operational risk management, end-user funds safeguarding, registration and reporting, and enforcement. The publication of the Final Regulations follows a consultation period on the proposed Retail Payment Activities Regulations (Draft Regulations), which were published in the Canada Gazette, Part I.

We break down the Final Regulations below, setting out key differences from the Draft Regulations and outstanding items that we expect will be addressed by supervisory guidance from the Bank.

What you need to know

  • Eased compliance burdens. Several requirements from the draft regulations have been dropped for PSPs, easing some of the compliance burdens; PSPs are still required to implement a Risk Management Framework with all required elements that the Bank will supervise, but they can do so using a risk-based approach.
  • Adjusted review and assessment timing. The annual assessment formula for determining registration fees has been deferred.
  • Revised thresholds. The requirement to review a PSP's risk management and incident response framework was softened from when a significant change occurs to only before there is a material change to its operations or at least once a year.
  • Unanswered questions, definitions and other items. Many items remain outstanding and will require further guidance, including clarifying the principle of proportional risk in determining appropriate frameworks, defining which assets can be used to safeguard end-user funds, identifying which payment functions are outside of the scope of the Final Regulations, and addressing additional compliance risks for money service businesses.
  • Expected clarifications to come. Guidance from the Bank on the standards and practices for PSPs is expected to be published in the coming months, ahead of the November 2024 registration deadline for PSPs.

How do the Final Regulations differ from the Draft Regulations?

In February 2023, we published a bulletin on the Draft Regulations. The Draft Regulations addressed 1) requirements of the operational risk and incident management framework; 2) requirements of the safeguarding of end-user funds framework; and 3) registration and reporting obligations. The Draft Regulations also set out penalties for violations, as well as requirements to support the national security review process as part of the Minister of Finance's national security authorities under the RPAA.

The Final Regulations are broadly similar to the Draft Regulations, with certain exceptions.We categorize the modifications in three categories: 1) alleviation of the compliance burden and proportionality; 2) timing adjustments; and 3) revised thresholds. For a complete review of the changes, including an explanation of the consultation process, industry participants are advised to review the Regulatory Impact Analysis Statement (RIAS).

1. Alleviation of the compliance burden

The Final Regulations demonstrate that the Bank is open to slightly alleviating the compliance burden—a concern that has been raised by industry participants. For example, in a letter to the Government of Canada's Department of Finance on March 28, 2023, Fintechs Canada advised that (absent efforts to make the RPAA and regulations more proportional, necessary, and consistent) "a non-trivial number of payment service providers will drop out of the market because of requirements that aren't proportional to the risks they pose". However, the RPAA compliance burden remains significant.

To alleviate the burden on PSPs, certain provisions of the draft regulations have changed in the Final Regulations. While the Draft Regulations required PSPs to "resume operations following an incident only once it has verified that the integrity and confidentiality of all systems, data and information have been restored and that it is able to perform retail payment activities without reduction, deterioration or breakdown", this requirement has been dropped. The requirement for a PSP to review its risk management framework after a material incident has also been removed since this would be considered in the annual review process. (The RPAA provides that PSPs must submit an annual report to the Bank with prescribed information by no later than March 31 of the following year.)

The RIAS specifies that the policy intent of the RPAA and Final Regulations allows for a risk-based, proportional approach to be taken for PSPs to implement their Risk Management Framework. The RIAS further specifies that the Bank will supervise PSPs through a risk-based approach and notes that Bank guidance will provide examples of how a PSP may consider implementing such an approach, including "expectations that more ubiquitous and interconnected PSPs should implement more stringent targets for the operational availability of their retail payment activities." In particular, smaller PSPs, as measured by the value and volume of their payment activity, will see a lower regulatory burden to fulfill the Final Regulations' operational risk requirements than larger PSPs.

2. Timing adjustments

The Final Regulations address registration fees but have deferred the section on assessment fees, which provided calculations for the portion of the amount ascertained under the RPAA that is to be assessed against each registered PSP in respect of a calendar year. As the RIAS notes, although the annual assessment fee provisions of the RPAA require an assessment fee formula to be specified, this formula will be finalized after PSPs begin registering with the Bank.

The requirement for review of a PSP's Funds Framework by an independent "sufficiently skilled individual" has shifted from once every two years to once every three years. The PSP must still review the safeguarding-of-funds framework at least once a year, as well as following certain changes, such as the opening or closure of any account in which the PSP holds end-user funds or a change in the entity that provides any account in which the PSP holds end-user funds.

With respect to the evaluation of insolvency protection, the Draft Regulations required a PSP, at least once a year, to determine whether, at all times during the preceding year, the end-user funds held by it—or equivalent proceeds from any insurance or guarantee—would have been payable to end users. The Final Regulations now require the PSP to take measures to ensure the identification of any instance as soon as feasible after it occurs.

3. Revised thresholds

The Draft Regulations required a PSP to carry out a review of its risk management and incident response framework at least once a year and before making any significant change to its operations or its policies, procedures, processes, controls or other means of managing operational risk. The Final Regulations have adjusted this to require a PSP to review its risk management and incident response framework at least once a year and before making any material change to its operations or its systems, policies, procedures, processes, controls or other means of managing operational risk. As the RIAS notes, this change was made because the previous wording—"significant change"—is defined in the RPAA and was determined not to be appropriate for the circumstance.

Similarly, to alleviate the compliance burden, the Final Regulations have been softened to require that only "material" changes to the accounts or the insurance or guarantees the PSP uses to safeguard end-user funds would require a review of its safeguarding-of-funds framework.

What remains outstanding?

First, further guidance will be required on the issue of proportionality. The 2017 federal consultation paper introducing the new retail payments oversight framework identified four guiding principles: necessity, proportionality, consistency and effectiveness. The issue of proportionality has proven central to the development of the framework, ensuring that the level of supervision is commensurate with the level of risk posed by the payment activity. This focus also came through in the RIAS, with the Department of Finance observing that the Final Regulations "[establish] regulatory certainty for consumers and PSPs, with clear requirements for PSPs that are proportionate to their retail payment activities". However, we believe that the Bank will need to provide supervisory guidance clarifying proportional impacts of the Final Regulations.

Second, further guidance will also be required on how end-user funds may be safeguarded, including clarification on setting up trust accounts, and investment or other possible use of funds by PSPs. While the requirement for a written safeguarding-of-funds framework is clear, the details of such a scheme will need to follow. The Final Regulations require PSPs to describe liquidity arrangements and use secure and liquid assets to meet the objectives of providing end-users with reliable access without delay to their funds, protecting funds in the event of the PSP's insolvency. The RIAS indicates that the Bank's guidance will set out what it considers to be secured and liquid assets, such as cash or guaranteed investment certificates, to meet the objective of providing end-users with reliable access without delay to their funds. The Bank's guidance will also set out expectations for situations where a PSP uses a foreign financial institution to safeguard funds.

Third, the issue of scope will need to be addressed in the Bank's guidance. PSPs are defined under the Act as any individual or entity that performs one or more of the payment functions as a service or business activity that is not incidental to another service or business activity. As the RIAS notes, clarity on circumstances in which merchants perform incidental payment functions that are out of the scope of the RPAA will be addressed in the Bank's guidance.

Finally, we note that many PSPs are currently required to register as money service businesses (MSBs) under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. The framework under the RPAA and the Final Regulations will add significantly to the existing MSB compliance burden on such PSPs.

Next steps

Now that the Final Regulations have been published, the Bank will begin to clarify its supervisory role through the publication of standards and practices necessary for PSPs to meet their requirements under the RPAA.

Under the Final Regulations, the provision requiring a PSP to be registered with the Bank comes into force on November 16, 2024. As the RIAS notes, PSPs will have approximately two weeks, from November 1 to 15, 2024, to submit their application for registration. With a view to national security concerns, the RIAS notes that, while existing PSPs will be able to carry out retail payment activities upon submitting their application during the 15-day transition window, new PSPs who file outside of that window will be subject to a 60-day delay. Provisions concerning operational risk and end-user fund safeguarding and associated regulations then come into force on September 8, 2025.

Although this may seem like a significant lead time, PSPs are encouraged to seek out counsel and commence the compliance process as soon as possible to meet the detailed requirements under the RPAA and Final Regulations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.