Final Retail Payment Activities Regulations Issued
The final Retail Payment Activities Regulations (the “Regulations”) in respect of the Retail Payment Activities Act (the “RPAA”) have been issued, setting forth the requirements that will apply to payment service providers (“PSPs”) in Canada. Draft versions of these regulations were previously issued for comment; for more detail on the draft regulations, please refer to our prior legal update.
The final Regulations are substantially in line with the draft regulations previously published. Like the draft regulations, they prescribe proposed standards for operational risk management, requirements for safeguarding end-user funds, registration requirements, reporting requirements, penalties for non-compliance and national security safeguards.
- Beginning on November 1, 2024, individuals and entities that perform retail payment activities will be required to apply to the Bank of Canada for registration as a PSP and PSPs will be able to submit their applications until November 15, 2024. Furthermore, the Regulations related to enforcement actions and national security reviews of individuals and entities as part of their registration as PSPs will be in force on November 1, 2024.
- Beginning on November 16, 2024, PSPs that have not applied for registration will continue to be able to apply but may be subject to delays in commencing their retail payment activities and risk being offside the requirement to be registered before performing retail payment activities. If a PSP refuses or fails to submit a registration application, the Bank of Canada may use its enforcement powers, including the ability to impose administrative monetary penalties.
- On September 8, 2025, the requirement for the Bank of Canada to register PSPs and publish a registry of PSPs will be in force, as well as the remaining substantive provisions of the RPAA and Regulations related to operational risk management, end-user funds safeguarding, reporting, record-keeping and supervisory information.
Changes to the Draft Regulations
In response to industry feedback during consultations, the Department of Finance, in consultation with the Bank of Canada, made the following changes to the Regulations to address stakeholder concerns:
- Scope: There were no modifications to the Regulations concerning the scope of application.
- Risk Management Framework: The Regulations for the Risk Management Framework were amended to specify that PSPs should only consider risks, assets, and third parties relevant to the performance of retail payment activities. These changes were made in response to stakeholder feedback concerning the need for clarity in the scope of operational risk management and incident response regulations to alleviate undue burden.
- Review of Risk Management Framework: In response to stakeholder feedback, the Regulations no longer require a PSP to review its Risk Management Framework after a material incident, since past incidents are expected to be considered during a PSP’s annual review of its Risk Management Framework. The annual review requirement was retained to ensure the framework stays updated, aligning with international standards applicable to PSPs such as in the EU and UK. Additionally, the Regulations will require a PSP to review its Risk Management Framework before implementing “material” changes to its processes and procedures to address operational risks, replacing the previous "significant change" language.
- Approval of Risk Management Framework: The Regulations were modified to eliminate the need for board approval for in-year material changes, allowing a senior officer to approve such changes. However, in cases where a PSP has a board, annual approval of the PSP’s Risk Management Framework by the board is still required.
- Testing Methodology: The Regulations were revised to grant PSPs flexibility in determining the frequency and scope of their testing methodology for identifying gaps and vulnerabilities in their systems, policies, procedures, processes, controls and other means in their Risk Management Framework, as opposed to the previous requirement of testing all aspects in their Risk Management Framework every three years. The change aims to allow PSPs greater discretion in tailoring a testing program best suited to their specific context.
- Review of Fund Safeguarding Framework: The Regulations have been revised to clarify that only “material” changes to the accounts or the insurance or guarantees for safeguarding end-user funds would necessitate a PSP to review its Fund Safeguarding Framework, as opposed to a review of all changes. The approval process of the Fund Safeguarding Framework was amended to align with the approval process of the Risk Management Framework, with both frameworks now requiring a PSP senior officer and a PSP’s board of directors to approve them at least once a year and material changes made outside of these processes only requiring senior officer approval. Further, the Regulations were amended to require that compliance with the end-user fund safeguarding requirements be independently reviewed every three years instead of two years, aligning with the review cycle for a PSP’s Risk Management Framework.
- Re-Registration: The final Regulations have been amended to require a registered PSP to provide 60 days’ notice to the Minister prior to when the PSP intends to store and process personal and financial information in a previously undisclosed country, as opposed to the previous requirement in the draft Regulations which required the PSP to submit a new registration application upon such a change. The final Regulations also eliminate the requirement for PSPs to report which employees within an exempt PSP have access to personal and financial information of end users, employees or business partners, and clarify ongoing reporting requirements in regard to working with other PSPs. These changes were aimed at alleviating regulatory burdens without compromising national security obligations.
- Reporting Metrics: The final Regulations changed the frequency to provide data on the number of end users and number of other PSPs from monthly to annually and reduced the historical reporting period requirement at registration from 24 to 12 months. The final Regulations also eliminated the requirement to provide metrics on payment categories.
- Transition Period: The Regulations have been amended to prevent new PSPs from immediately conducting retail payment activities upon submitting their application during the transition period. Existing PSPs can engage in retail payment activities upon submitting their application within the 15-day transition window between November 1 and November 15, 2024, but new PSPs applying outside this period will be subjected to a 60-day delay after submitting their application before being able to perform retail payment activities. This approach is intended to allow the Minister and designated entities time to review, intervene and address national security risks before the new business commences.
- Effect of a Significant Change or New Activity: The Regulations have been amended to clarify that a PSP will have to assess the effect of a significant change or new activity on its operational risks and on the manner in which end-user funds are safeguarded both during and following implementation of the change or new activity. The Regulations have also been amended to clarify that only significant changes, rather than all types of changes, need to be included in the PSP’s annual report.
What Will be Addressed in the Bank of Canada Guidance
Supervisory guidance to support PSPs’ compliance with the Act and Regulations is expected to be published one year prior to the relevant provisions coming into force. The Bank of Canada also intends to consult on its guidance concerning operational risk, end-user fund safeguarding, significant change notification and incident notification approximately three months following publication of the Regulations.
As noted in the Regulatory Impact Analysis Statement accompanying the Regulations, the Bank of Canada will provide further guidance on the following items:
- RPAA’s Scope and Exclusions – Currently, the Act excludes certain entities, including the Society for Worldwide Interbank Financial Telecommunication global message network (SWIFT) and prudentially regulated financial institutions from its application. The Act also excludes certain activities, such as payment functions performed in relation to closed loop gift cards, electronic fund transfers for securities transactions and retail payment activities “incidental” to another service or business activity that is not a payment function. The Bank of Canada is expected to release guidance that provides further direction to PSPs regarding the Act’s scope and exclusions, including greater clarification on how the incidental concept will be applied to entities in practice, and how the RPAA will apply to foreign PSPs.
- Safeguarding of funds – The Act and Regulations provide several options for safeguarding funds, including holding funds in trust or in a segregated account with insurance or a guarantee. Additional measures are prescribed in the Regulations in relation to the option chosen by PSPs, but all safeguarding options will require that PSPs have a Fund Safeguarding Framework and that safeguarding measures are reviewed annually or under specified circumstances. The Bank of Canada guidance will provide further clarity on the requirements for the safeguarding of funds.
- Definition of “Significant Adverse Impact” – The Regulations set out a standard time period of 15 days to respond, unless the information being requested relates to events which are ongoing and could have a “significant adverse impact” on end users or other entities. The Bank of Canada is expected to clarify the definition of “significant adverse impact” in its supervisory guidance.
- Administrative Monetary Penalty (AMP) – The Regulations designate violations that would be subject to an AMP and outline penalty ranges for serious and very serious violations. The Regulations also provide criteria for determining AMPs, considering the harm caused, the entity's history of violations, and the level of intention or negligence. The Bank of Canada is expected to publish guidance with further information on AMP calculation methodology under the RPAA.
- Leveraging Existing Risk Management Practices – The Regulatory Impact Analysis Statement notes that the RPAA and Regulations are intended to provide the flexibility for PSPs to leverage their existing practices. To achieve this, the Bank of Canada guidance will provide details to PSPs on how they can leverage their existing risk management and testing standards to comply with the risk management requirements in the RPAA and Regulations, and use their existing independent audits to comply with the independent review requirements in the Regulations, as long as the PSP can demonstrate that their practices align with the requirements of the RPAA.
- Risk Management Framework – The guidance will aim to provide examples of how a PSP may implement their Risk Management Framework, while taking into consideration the proportionality of its framework against the impact that a reduction, deterioration, or breakdown of its retail payment activities could have on end users and other PSPs. The Bank of Canada guidance will also advise PSPs, particularly PSPs that are more interconnected with the financial system, to set stringent targets for the operational availability in their retail payment activities.
- “Incidents that have a Material Impact” – The Bank of Canada’s guidance will provide greater clarity regarding examples of and what is meant by “incidents that have a material impact”, for the purposes of reporting such incidents to the Bank of Canada and affected individuals and entities. For example, such incidents may include theft of end-user funds or a cyber-attack causing service outages. The RPAA defines an "incident" as “an event or series of related events that is unplanned by a payment service provider and that results in or could reasonably be expected to result in the reduction, deterioration or breakdown of any retail payment activity that is performed by the payment service provider.”
- Permitted Holdings for End-User Funds – Currently, neither the RPAA nor the Regulations elaborate on characteristics of assets held for safeguarding end-user funds, such as risk level and liquidity features. PSPs are required to describe liquidity arrangements and the use of secure, liquid assets to ensure end-users have reliable access to their funds and protect end-user funds in case of a PSP’s insolvency. The Bank of Canada guidance will elaborate on what is considered to be secure and liquid assets, such as cash or guaranteed investment certificates.
- Foreign Account Requirements – The Bank of Canada's guidance will outline expectations for PSPs using foreign financial institutions to safeguard funds, including analyzing how the regulatory regime aligns with principles and standards set by the Basel Committee on Banking Supervision.
- Significant Change Reports – The Bank of Canada’s guidance will further clarify scenarios requiring a PSP to submit a significant change report, such as changes to the PSP’s safeguarding funds account provider or when the PSP ceases to perform a retail payment activity.
(a) Scope of Application
As a reminder, subject to certain prescribed exemptions, the RPAA generally applies to PSPs that perform any of the following five payment functions:
- the provision or maintenance of a payment account;
- the holding of end-user funds until withdrawn by the end user or transferred to another individual or entity;
- the initiation of a payment at the request of an end user;
- the authorization or transmission of a payment message; or
- the provision of clearing or settlement services.
The RPAA applies to payment activities for PSPs with a place of business in Canada or those that provide services to end users in Canada.
Exemptions from Scope
The RPAA excludes certain entities and activities from its oversight, namely prudentially regulated financial institutions such as banks and credit unions as well as payment functions that involve closed-loop gift cards.
The Regulations also exempt the following activities:
- Securities transactions: The Regulations provide that payment functions that are performed for the purpose of giving effect to transactions in relation to securities and that are performed by an individual or entity that is regulated, or exempted from regulation, under Canadian securities legislation are exempt from the RPAA.
- SWIFT transactions: The Regulations exclude the Society for Worldwide Interbank Financial Telecommunication (SWIFT) global messaging network from the RPAA.
- Incidental Retail Payment Activities: The Regulations provide that retail payment activities that are performed as a service or business activity that is “incidental” to another service or business activity, which are not payment functions, are also excluded from the RPAA.
(b) Operational Risk Management and Incident Response
Under the RPAA, PSPs are required to establish, implement and maintain a risk management framework to identify and mitigate operational risks and respond to incidents (the “Risk Management Framework”). The new Regulations outline several requirements related to the Risk Management Framework that a PSP must comply with.
The Regulations require a PSP to establish three objectives related to its Risk Management Framework: (1) integrity; (2) confidentiality; and (3) availability of its retail payment activities and systems and data or information involved in the provision of those activities.
Accordingly, the Regulations require each PSP to take the following steps to achieve these objectives:
- identify its operational risks;
- protect its retail payment activities from those risks;
- detect incidents and control breakdowns;
- respond to and recover from incidents;
- review, test and – for some PSPs – audit its Risk Management Framework;
- establish roles and responsibilities for the management of operational risk and incidents;
- have access to sufficient human and financial resources to establish, implement and maintain its Risk Management Framework; and
- manage its risks from third-party service providers, agents and mandataries.
Under the Regulations, a PSP is responsible for ensuring that its Risk Management Framework is proportionate to the potential impact on end users and other PSPs if its retail payment activities were to decrease, deteriorate or break down.
The Regulations require that PSPs demonstrate their compliance with sound operational risk management through various reporting requirements to the Bank of Canada, as discussed below.
(c) End-User Funds Safeguarding Requirements
Under the RPAA, PSPs must hold end-user funds either in a trust account or in a segregated account with insurance or a guarantee, in order to safeguard end-user funds against financial losses due to insolvency and to provide users with reliable and timely access to their funds.
Furthering those objectives, the Regulations have incorporated the following requirements and measures that guarantee end-user funds or related proceeds are accessible to end users:
- Accounts taking custody of end-user funds must be held at prudentially regulated financial institutions such as banks, provincial credit unions, or foreign financial institutions.
- If end-user funds are safeguarded through insurance or a guarantee, the prudentially regulated financial institution providing the insurance or guarantee cannot be an affiliate of the PSP.
- The proceeds from the insurance or guarantee cannot form part of the PSP's general estate and must be payable for the benefit of end-users as soon as feasible following an insolvency event.
- The Bank of Canada must be notified 30 days in advance of the cancellation of the insurance or guarantee.
- PSPs must have a written fund safeguarding framework to ensure that end-users have reliable access to their funds without delay. This document must describe the PSP's systems, policies, processes, procedures, controls and other means to meet the objectives noted above.
- PSPs must keep a ledger with the names of their end-users and the amount of funds held, use liquidity arrangements and hold end-user funds in secure and liquid assets.
- PSPs will be required to have annual reviews and independent reviews every three years (changed from every two years in the draft Regulations) of their safeguarding measures to evaluate when end-user funds held by them were not sufficiently safeguarded in the prior year and assess measures that would need to be implemented to mitigate reoccurrence.
(d) Reporting Requirements
PSPs will be required to notify the Bank of Canada of changes to registration-related information. Furthermore, the Regulations establish that a PSP must respond to an information request from the Bank of Canada, as outlined in the RPAA, within 15 days. However, if the requested information is related to ongoing events that could have a “significant adverse impact” on end-users, the response time may be reduced to 24 hours.
The Regulations also set out in detail various types of information PSPs are required to disclose in their annual reports, incident reports and significant change reports to the Bank of Canada.
The Regulations require PSPs to provide prescribed information on their Risk Management Framework and fund safeguarding in their annual report to the Bank of Canada. Specifically, PSPs must report their objectives, changes made to their framework, operational risks, and resources used to implement and maintain their Risk Management Framework. PSPs must also provide information on their account providers, a description of their fund safeguarding framework, the means they use to safeguard funds and independent reviews conducted in the past year. Additionally, PSPs must include information on their ubiquity and interconnectedness based on the value of end-user funds held, volume and value of electronic fund transfers, number of end-users, and the number of PSPs providing services.
Significant Change Reports
PSPs will be required to notify the Bank of Canada at least five days before making a significant change that could materially impact operational risks or the safeguarding of end-user funds. The notification should include information on the reason for the change, its effects and any new policies introduced.
PSPs must report incidents that have a material impact on an end user, other PSPs, or designated financial market infrastructures to the Bank of Canada and other impacted individuals and entities. The notice to the Bank of Canada must include a description of the incident, its impact, and actions taken by the PSP in response to the incident. The notice to impacted end users, other PSPs and specified financial market infrastructures should include a description of the incident, its impact and corrective measures that can be taken by impacted persons.
(e) Registration Requirements
The Regulations prescribe the information that will be required to be disclosed by the PSP in connection with its application, including information related to organization and structure, contact information, agents, volume and value of its retail payment activities and end-user funds, means of safeguarding end-user funds, third-party service providers, and national security.
Applicants will be required to pay a registration fee of $2500, which will be adjusted for inflation over time, as well as an assessment fee. Although the formula for the annual assessment fee was previously provided in the draft Regulations, this formula has been removed in the final Regulations and will be finalized after PSPs begin registering with the Bank of Canada, as further information is needed to better understand the number of PSPs and their characteristics before determining the fees.
The Regulations also specify the circumstances under which a change of control requires PSPs to file a new application with the Bank of Canada under the RPAA. The Regulations clarify that a new application must be made when a PSP is acquired by a state-owned enterprise. The final Regulations removed a prior requirement that had been included in the draft regulations that a new application be made when data storage/processing by the PSP or its third-party service provider is in a country outside of Canada and was not identified in the PSP’s initial application for registration.
The Regulations will require a public registry to be maintained by the Bank of Canada which will list each PSP’s registration status, payment functions and contact information.
(f) Record-Keeping and Retention Requirements
The Regulations require PSPs to maintain records demonstrating compliance with the RPAA and the Regulations for five years unless specified otherwise.
(g) National Security Safeguards
The proposed national security review process prescribes how PSPs are to be registered and how reviews are to be conducted, including timelines, information requirements and triggers for re-registration. The Regulations prescribe a 60-day review period for initial registration and 180 days for national security reviews, with the possibility of extension based on the discretion of the Minister. The Regulations also outline a 30-day window for PSPs to request a review of the Minister’s decision after receiving a refusal to register. For national security purposes, PSPs would be required to notify the Bank of Canada of changes to certain prescribed registration information laid out in the Regulations.
(h) Prescribed Supervisory Information
Currently, the RPAA allows for a regulation-making authority to prevent PSPs from using certain supervisory information as evidence in civil proceedings to protect sensitive supervisory information. The Regulations define “prescribed supervisory information” (“PSI”) to include any type of direction, notice, assessment, testing, audit, investigation, plan or report prepared by the Bank of Canada as part of its supervision of a PSP, as well as any reports, letters, recommendations or plans made by the Bank of Canada as a result of a supervisory review of a PSP.
(i) Administration and Enforcement
Under the Regulations, only designated violations would be subject to a notice of violation (“NOV”) accompanied by a potential administrative monetary penalty (“AMP”). The Regulations establish several criteria for the Bank of Canada to consider when determining an AMP, including: (1) the extent of the harm that was caused or could have been caused by the violation; (2) the individual or entity's history of prior violations within the preceding five-year period; and (3) the degree of intention or negligence on the part of the individual or entity committing the violation.
The Regulations also establish penalty ranges for “Serious” or “Very Serious” violations classified under the RPAA, ranging from $1,000,000 for each Serious violation up to $10,000,000 for each Very Serious violation. However, violating the RPAA's requirement to provide information (such as annual reporting) will not take severity into account. The Regulations prescribe that for violations lasting up to 30 days, the penalty is $500 per day, and the penalty ranges from $15,000 to $1,000,000 for violations lasting more than 30 days.
The RPAA and Regulations set out the framework for an extensive new regulatory regime applicable to PSPs. To ensure forthcoming compliance with these new regulations, it is important that PSPs conduct a thorough review of the requirements set forth and prepare accordingly.