The retail payment activities framework launches in eight months, and there have been new developments from the Bank of Canada (the "Bank") in connection with the requirements. On February 14, 2024, the Bank released its Registration Step-by-Step Guide (the Registration Guide) for payment service providers (PSPs). The Bank also released draft supervisory guidelines (the Draft Guidelines) on February 21, 2024, providing insight into how it will apply the Retail Payment Activities Act (RPAA).

Registration Support for PSPs

The registration requirements of the RPAA will begin to take effect on November 1, 2024. Businesses that are currently operating as PSPs must submit a registration application between November 1-15, 2024. After this transition period, individuals and entities who wish to start operating as a PSP or neglected to apply during this window must submit their registration application at least 60 days before they plan to start conducting retail payment activities.

You may be a PSP and need to register with the Bank if you perform at least one of the following payment functions:

  • the provision or maintenance of an account that is held on behalf of one end user or more;
  • the holding of funds on behalf of an end user;
  • the initiation of an electronic funds transfer at the request of an end user;
  • the authorization of an electronic funds transfer or transmission, reception or facilitation of an instruction in relation to an electronic funds transfer; or
  • the provision of clearing or settlement services.

Banks, insurance companies, provincial credit unions, caisse populaires and several other entities are exempted from the registration requirements.

The Registration Guide makes it clear that the Bank will require significant information from PSPs, such as full documentation and diagrams for all payment activities, details on interactions with other financial entities, value/volume metrics, information regarding data privacy practices, and declarations about Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) and provincial/territorial registrations.

The Bank is developing a web application it calls "PSP Connect" for use by applicants and registered PSPs. PSP Connect is to be used to submit and update the registration information outlined in the Registration Guide and to comply with RPAA ongoing reporting requirements.

New Proposed Supervisory Guidelines

The Bank has issued four Draft Guidelines for consultation, including:

Operational Risk and Incident Response Guideline

  • There are numerous obligations in connection with the risk management and incident response framework required under the RPAA, to be detailed in PSP policies, procedures and documentation that must be reviewed annually and approved by the PSP's Board of Directors. An appendix to this Draft Guideline includes a non-exhaustive list of expected documents.
  • Regular personnel training is required and third-party service providers, agents or mandataries must be subject to ongoing controls and due diligence assessments by the PSP in order to meet the Bank's objectives detailed in the guideline and to satisfy risk/control metrics.
  • Information Technology (IT) and cyber security expectations are outlined in detail in the Draft Guideline, to support expected incident monitoring and response capabilities.

Incident Notification Guideline

  • This Draft Guideline provides some examples concerning incidents that could have a 'material impact' and trigger reporting requirements, such as where end-user funds are stolen or a PSP experiences an outage of or slowdown in its retail payment activities for eight or more hours.
  • Material incidents are to be reported to the Bank, affected end users and clearing houses no later than 24 hours after the PSP becomes aware of the incident, together with various listed details.

Safeguarding End-User Funds Guideline

  • The Bank has provided some helpful clarification in this Draft Guideline on the nature of 'holding funds' for an end user and confirmed that a PSP may choose to use a combination of means to safeguard end-user funds. For example, a PSP can safeguard a portion of its end-user funds by holding them in trust in a trust account, while protecting the remainder of the funds using insurance or a guarantee.
  • There are detailed expectations around end-user funds data, including that the PSP must have the means necessary to keep track of specific amounts of end-user funds.
  • PSPs must establish a trust arrangement with its end users that forms a valid express trust established under Canadian law. Complex and multi-jurisdictional arrangements for holding and safeguarding end-user funds will require a formal legal opinion to assess the validity of the trust arrangement.
  • PSPs must have controls in place to detect when the amount covered by an insurance or guarantee falls below the amount of end-user funds that are designated to be safeguarded through that insurance or guarantee.
  • The Draft Guideline provides some useful detail on its expectations around liquidity access and related arrangements, including which assets it considers to be secure and liquid (and not), and expectations around a PSP insolvency.
  • A PSP's safeguarding-of-funds framework must be reviewed and approved by its Board of Directors at least annually, and an independent compliance review is to be conducted at least every three years.

Notice of Significant Change or New Activity Guideline

  • The Bank has provide some examples of what could qualify as a 'significant change', such as a change of the safeguarding account provider or a PSP operating in a new geographic location.
  • All significant changes and new activities will require an assessment of the impact of the change or new activity on the PSP's management of operational risk and on the manner in which end-user funds are safeguarded.

The Bank has requested industry feedback on the Draft Guidelines by May 21, 2024. It indicated that final guidelines can be expected before the end of 2024, since the RPAA requirements to establish risk management and funds safeguarding frameworks will come into effect on September 8, 2025.

How We Can Help

Our Financial Services team can help navigate the various registration steps and ongoing compliance requirements under the RPAA, including:

  • assessing whether you are required to register as a PSP;
  • determining how, when and what information is required to register; and
  • providing advice on key processes and best practices to comply with the RPAA and related guidelines.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.