The future of payments regulation has arrived: final regulations to the Retail Payment Activities Act released

Dec 11, 2023

The final regulations (the final regulations) to the Retail Payment Activities Act (RPAA) were published in the Canada Gazette on November 22, 2023, following a stakeholder consultation period for draft regulations (the draft regulations) published earlier this year. While the final regulations introduce some ease at the margins for certain compliance obligations, overall the changes between the draft and the final regulations are minimal and the obligations we wrote about in our Update on draft regulations largely remain intact, including the national security review provisions.

Registration for payment service providers (PSPs) opens on November 1, 2024. Existing PSPs should plan to submit their application promptly, as only existing PSPs that submit registration applications before November 16, 2024, will be able to continue carrying out retail payment activities without interruption. New PSPs and existing PSPs registering after the 15-day window will be subject to a delay of at least 60 days before being able to perform retail payment activities in order to allow the Minister of Finance to perform the national security review. Given expectations by the Bank of Canada (the Bank) that roughly 2,500 PSPs may seek registration, this two-week registration window may create a bottleneck for applications unless sufficient infrastructure and resources are in place.

PSPs will not be required to establish compliance programs that meet the full requirements under the RPAA regime immediately upon registration: the risk management and funds safeguarding requirements will come into force the following year on September 8, 2025. While the compliance burden under the RPAA will be significant, registration with the Bank may provide PSPs a key benefit: in the 2023 Fall Economic Statement, the federal government announced its intention to amend the Canadian Payments Act to expand membership eligibility in Payments Canada to registered PSPs, which would include access to the Real-Time Rail (RTR) once implemented.

Further to this, Bill C-59, the Fall Economic Statement Implementation Act, 2023 — which will implement certain provisions of the fall economic statement tabled in Parliament on November 21, 2023, and certain provisions of the budget tabled in Parliament on March 28, 2023 — was introduced on November 30, 2023. If passed, Bill C-59 would amend the Canadian Payments Act to broaden membership eligibility for the Canadian Payments Association to payment service providers, as defined in the Retail Payment Activities Act.

Key changes to the RPAA regulations

The final regulations introduce certain changes that ease compliance burdens for PSPs, which should provide some welcome, if limited, relief. Highlights include the following:

  • Incident restoration system testing: The draft regulations only allowed PSPs to resume operations following an incident after verifying that the integrity and confidentiality of all systems, data and information had been restored and that retail payment activities could be performed without reduction, deterioration or breakdown. This requirement has been deleted so that PSPs may resume normal operations while working to restore their systems. The final regulations also delete the requirement for PSPs to carry out a review of the risk management and incident response framework following each such incident.
  • Implications of personal information location change: Under the draft regulations, a PSP was required to submit a new registration application to the Bank in the event that the PSP or its third-party service providers changed the jurisdiction where certain personal or financial information was stored or processed. The final regulations delete this requirement, although the requirement to provide 60 days’ notice of any change to the Bank of Canada remains. This should provide relief from the previous concerns that a PSP risked losing its registration due to changes initiated by its third-party service providers.
  • Safeguarding of funds (SOF) account changes: The final regulations ease the burdens on PSPs stemming from changes to SOF accounts by introducing a materiality threshold. Under the final regulations, only changes to such accounts that could reasonably be expected to have a material impact on the manner in which end-user funds are safeguarded will trigger a review of the SOF framework.
  • Risk management system testing: The draft regulations required testing of the risk management framework every three years. The final regulations simply require that PSPs set out a testing methodology for their risk management and incident response framework that includes the frequency and scope of testing.
  • SOF insolvency reviews: PSPs are no longer required to evaluate their insolvency protections once a year. Instead, measures must be taken following the identification of any instance in which end-user funds held (or equivalent proceeds from insurance or a guarantee) would not have been payable to end users in the event of an insolvency proceeding.
  • Independent audit: The independent audit frequency is decreased from every two years to every three years.
  • Application information on end-user funds: PSPs were previously required to provide information regarding end-user funds with a lookback period of 24 months; this has been shortened to 12 months under the final regulations.

The final regulations also introduce several net-new obligations:

  • SOF framework: The final regulations add a requirement for the board of directors (if any) to approve the SOF framework at least annually and for the senior officer to approve the results of the SOF framework review. Incremental recordkeeping requirements in respect of SOF framework reviews, including records regarding the review’s scope and methodology, are also added.
  • Annual report contents: PSPs are now required to include any identified insolvency risks from the prior year in the annual report. While not strictly net-new, the final regulations also adjust the prescribed information that must be included in the annual reports regarding end-user fund values, funds transfers, end users and other payment service providers.
  • Change notice requirements: Under the final regulations, when the change notice requirement is triggered, the PSP must include an assessment of the effect that the change or new activity will have on the manner in which end-user funds are safeguarded, as well as a list and summary of the documentation, including in respect of the risk management and incident response framework, that has been amended or created to reflect the change.

Fee assessments

The final regulations delete the annual fee assessment formula that had been set out in the draft regulations. It is unclear, however, what effect this removal will have, as additional guidance regarding fee assessments has not yet been released. The Bank has indicated in its Regulatory Impact Analysis Statement to the final regulations that the formula will be finalized after PSPs begin registering with the Bank, as registration information will enable the Bank to better understand the number of PSPs and their characteristics to ensure that fees are fairly distributed.

National security review

In our previous Update on the draft regulations, we discussed the national security review (NSR) framework under the RPAA regime, which has been an area of significant focus by the Canadian government in recent years. The NSR requirements under the final regulations remain unchanged, and the 2023 Fall Economic Statement notes that the Department of Finance is working with security and intelligence partners to implement the new national security review process under the RPAA.

Following submission of a complete application, the Department of Finance has 60 days to review and determine whether the application should be subject to the NSR regime; if a formal NSR is ordered, the Minister of Finance has 180 days to complete the formal NSR, which can be extended in the Minister’s discretion. Because the NSR process is triggered upon initial registration, PSPs should be mindful of the NSR review submission requirements and timelines in planning ahead for registration: if existing PSPs miss the 15-day registration window from November 1 to November 15, 2024, they must cease all retail payment activities while their application is pending.

Next steps

Additional guidance from the Bank regarding the RPAA regime is expected to be released incrementally over 2024. As a matter of first priority, guidance is expected on the criteria for registration, with guidance on other topics to follow.

Given the narrow window for registration and the business continuity risk for failing to register in time, PSPs would be well advised to begin gathering application materials, including materials for the national security review process, far in advance of the November 15, 2024, deadline.