With the Retail Payment Activities Act (RPAA) set to significantly reshape the regulation of payment service providers in Canada, the time to prepare is now. Starting on November 1, 2024, all Payment Service Providers (PSPs) engaging in retail payment activities in Canada will be required to register with the Bank of Canada. This overview has been created specifically to help you navigate these new requirements and ensure your organization is ready.

Below, we break down who falls under the scope of the RPAA, what compliance obligations PSPs must meet, and the critical implementation timeline you need to follow. With fast-approaching deadlines and stringent compliance expectations, it's crucial to understand what is required to avoid penalties and maintain trust in Canada's evolving retail payment landscape.

What is the Retail Payment Activities Act (RPAA)?

The RPAA introduces a robust framework for the supervision of PSPs in Canada in 2024. This regime is designed to enhance the security and integrity of retail payment systems, ensuring that they operate safely and efficiently.

The regulator under the RPAA, the Bank of Canada, continues to release guidance on the RPAA regime on its Retail Payments Supervision page including various fictional case scenarios that reflect the Bank of Canada's interpretation of the RPAA's requirements.

Watch our on-demand webinar to learn more.

Who needs to register under the RPAA?

The RPAA requires PSPs to register with the Bank of Canada by November 15, 2024 at the latest.

How does the RPAA define Payment Service Provider (PSP)?

The RPAA applies to a broad range of entities involved in retail payment activities. The RPAA defines PSPs as individuals or entities that perform one or more of the five payment functions outlined in the RPAA. These functions include:

null

What is the geographic scope of the RPAA?

The RPAA covers PSPs with a place of business in Canada. It also extends to those outside Canada that direct their services at Canadian end users or perform retail payment activities for them.

Which entities and activities are excluded from the RPAA?

Certain entities and activities are excluded from the RPAA's requirements. These include, among others, banks, credit unions, insurance companies, and other entities already regulated under federal or provincial financial institution statutes. Incidental activities, securities related transactions, and internal and closed loop transactions are among the list of activities that are excluded from the application of the RPAA.

How do Payment Service Providers (PSPs) comply with the RPAA?

Registered PSPs must adhere to stringent compliance requirements aimed at mitigating operational risks and protecting end-user funds. Key compliance obligations include:

  1. Operational risk management: PSPs must establish a comprehensive framework to manage operational risks. This includes:
    • Identifying and assessing risks.
    • Implementing controls to mitigate identified risks.
    • Protecting assets and data.
    • Developing and maintaining incident response plans.
  2. Incident response and reporting: PSPs are required to report any incidents that have a material impact on end users or other PSPs. This ensures transparency and allows for timely corrective actions.
  3. Safeguarding end-user funds: PSPs that hold end-user funds must ensure these funds are adequately protected. This can be achieved by:
    • Holding funds in trust accounts.
    • Using segregated accounts with insurance or a guarantee.
    • Implementing measures to prevent unauthorized access or use of funds.
  4. Mandatory reporting: PSPs must submit annual reports to the Bank of Canada. These reports should detail the PSP's compliance with operational risk management and fund safeguarding practices. This ongoing reporting ensures continuous oversight and accountability.

What's next?

The RPAA's implementation is phased, with several critical milestones approaching rapidly. PSPs must act swiftly to ensure compliance with the new regulations:

null

Taking the necessary steps to comply with the RPAA will not only help avoid potential penalties but also enhance the trust and security of Canada's retail payment systems. For more detailed information, contact the authors or a member of our FSxT Group.