The Dawn of a New Era for Payment Service Providers: Navigating the Retail Payment Activities Act Regime

PARNA SABET-STEPHENSON: We are going to get started. Good afternoon, and welcome to today's webinar. I'm Parna Sabet-Stephenson, leader of FinTech at Gowling WLG. We have some housekeeping items that you do see on your screen.

The Retail Payments Activities Act, or RPAA as it's well-known, has received royal assent for quite some time now. It was back in June of 2021 when it received royal assent. And the Department of Finance has since been quite busy conducting quite a lot of consultation. And we've seen the draft regulation. And finally, yesterday, the final regulations were published.

This is really the dawn of a new era for payment service providers, who, till now, did not really have a framework applicable to them specifically. I'm joined today by my partners Adam Garetson and Alana Scotchmer, as well as some of our esteemed guests from the Canadian Payment ecosystem, who will share with you insights about the regulations and the path forward.

But first, let's take a look at the big picture. As Canadians, we really benefit from a secure financial system, where we can really have an efficient movement of our funds. And there's been no shortage of innovation and digitization, and we continue to have that.

But at the same time, although they bring tremendous benefits, they also pose some risks to the Canadian consumer, businesses, as well as the system generally. What are these risks? So we're talking the security of the financial data, as well as the personal data of Canadians. We're talking about the need to respond to disruptive events, and we've certainly seen no shortage of disruptive events lately, anywhere from geopolitical instability to events that were rather unimaginable a few years ago, such as the pandemic.

There's also the risk of financial loss. It could be anywhere from cyber security events to the insolvency of payment service providers or simply insufficient risk management practices as well. And of course, there's the National Security risk. It could be anywhere from the ownership of the PSP to the transactions of they handle.

So PSPs, or Payment Service Providers, such as payment networks, payment processors, or digital wallets, till now didn't really have a regime that was applicable to them specifically. And now this is about to change. We'll follow in the path of some of the other jurisdictions who have done so, such as, for example, the European Union, United Kingdom, or Australia.

And RPAA is that for us. So we will hear about some of the impacts of the RPAA and what is required in this new era for payment service providers. With that, Adam will walk us through who is affected.

ADAM GARETSON: Thank you, Parna. Pleasure to be here today. So I'm going to talk about who is affected by the RPAA and the regulations and the regime in general. And I'm going to start with who's primarily affected. So the RPAA applies, not surprisingly, to Payment Service Providers, or also referred to as PSPs, that perform what's referred to as a retail payment activity.

And retail payment activity is defined as a payment function in relation to an electronic funds transfer. So PSPs can be an individual person or entity that performs one or more enumerated payment functions as a service or a business, which is not incidental to another business.

So what the regime sets out are five payment functions, which are, in scope, being the provision or maintenance of a payment account, the holding of end user funds until they're withdrawn or transferred, the initiation of an electronic funds transfer at the request of an end user, the authorization or transmission of a payment instruction or payment message, or the provision of clearing or settlement services.

So if you or your business are providing end-users with one or more of these five payment functions, you might be a PSP. And you might be subject to the act. The regime applies to PSPs with a place of business in Canada, but also offshore or foreign PSPs to the extent that foreign PSPs' payment activities are being directed to and performed for end-users in Canada.

So the regime captures PSPs, as we've been saying, including digital wallets, payment processors, and card networks. Also, there are certain enumerated exclusions from the legislation as well, and I'm going to walk you through a few of those.

So exclusions from the scope of the regime are both entity based, as well as activity based. And some of the examples of exclusions from the scope are financial institutions that are already prudentially regulated, like banks and credit unions, so they don't need this extra layer of regulation on top; payment systems that are regulated by payments Canada; also internal transfers amongst affiliated entities-- those are out of scope; and also foreign PSP activities, which are directed to and performed for end-users who are outside of Canada.

Also excluded from the act in the regulation are securities dealers. So similar to financial institutions, the regulations carve out electronic funds transfers that are made for the purposes of a transaction in securities. So also excluded from the regime are retail payment activities that are incidental to another service or business activity, so long as that other business activity is not itself one of the enumerated payment functions.

So for example, if you are a traditional merchant selling winter boots for a snowy Canadian winter, it's less likely that you are a PSP and more likely that you're using a PSP to assist with your electronic payment systems. And while the concept of incidental is not fully defined by the regulations in the act at this time, we are anticipating further guidance to be developed by the Bank of Canada.

So it is possible that businesses provide more than one product or service including those enumerated functions that I mentioned earlier. So if in doubt, definitely consider your business model against the test for the applicability of the legislation. So needless to say, it's important to consider whether the RPAA applies to you or your business and to determine whether you're in scope or not.

And some of the key questions to ask are, am I a payment service provider? Do I provide a payment function in relation to an electronic funds transfer? Is that activity incidental to another business, or is my business the performance of a payment function?

Generally speaking, under the regime, there is no financial soundness or fitness test as part of the review. And this isn't a regime for market conduct dispute resolution, and that's not a role to be played for the Bank of Canada. This is a registration regime primarily for PSPs with the Bank of Canada.

And when we think about who's affected by the act and the regulations, certainly the impact is much broader than just those that are subject to the scope of the regime itself. So a little bit further on in the presentation, I'm going to talk about related impacts to third-party service providers to PSPs; transactional partners, whether that's investors in a PSP company or a partner in M&A; or users of PSPs as well. But for now, I'm going to turn things over to Alana, who's going to talk about some of the consequences of being regulated.

ALANA SCOTCHMER: Thank you so much, Adam. And it's a pleasure to join you all here today. We wanted to touch on some of the consequences of being regulated. So if your business may be considered a PSP, we wanted to touch on some of those major features of becoming a regulated entity.

So essentially, PSPs are going to be required to register with the Bank of Canada and to comply with certain legal and regulatory requirements. So these are going to be set out in the RPAA itself, the Retail Payment Activities Act, the regulations to the RPAA, and then Bank of Canada guidance, which we are expecting.

So under this regime, the Bank of Canada has powers as a regulator to both administer and enforce the requirements of the RPAA. So the Bank of Canada is going to oversee, first of all, the registration of PSPs, which is going to be required in 2024. And the Bank of Canada is going to maintain a public registry of those PSPs and then oversee their regulation generally.

So in order to become registered, PSPs are going to be required to submit an application to the Bank of Canada. So that's going to contain standard application form information. And later on, these PSPs are going to be required to ensure that they have certain compliance programs in place. And we're going to discuss the elements of that in a moment.

Once they become registered, PSPs are going to need to submit annual reports to the Bank of Canada and to respond to the Bank of Canada's information requests in a timely manner. PSPs are going to also be required to maintain sufficient records to demonstrate that they are compliant with the RPAA and its regulations.

PSPs will then be searchable in an online public registry, so anyone dealing with a PSP will be able to do a public search at any point to determine whether the PSP that they're dealing with is, in fact, registered. And the Bank of Canada is empowered under the RPAA to issue regulatory guidance. They're also empowered to refuse or revoke registrations and to issue administrative monetary penalties, so these are essentially fines for noncompliance with the regime.

PSPs will fund the cost of the Bank of Canada's supervision of the regime through those registration and assessment fees. This is essentially a cost recovery mechanism, which is similar to many other financial services regulatory regimes that we have currently.

In addition to the Bank of Canada's powers, the Minister of Finance also has powers under the act to conduct national security reviews, which we will also discuss in greater detail shortly. But to give you a sense of the expected timeline, obviously the final regulations were published yesterday. So that gives us the complete framework of the regime, which is set out in the act and the regulations.

Then in early 2024, we're expecting the Bank of Canada to issue additional guidance and to conduct consultations. So the kind of guidance that we're expecting to see from the Bank of Canada includes both supervisory policies and guidelines, so supervisory policies describe how the Bank of Canada intends to carry out its role. This is going to have details on the registration and enforcement requirements.

Whereas guidelines are really going to clarify the requirements in the legislation and the regulations. So these will have the standards and practices that the Bank of Canada expects to see from PSPs, including on managing operational risks, safeguarding end user funds, and incident reporting. We've heard from the Bank of Canada that the first piece of guidance that we're expecting will be a self-assessment tool, so that will help businesses understand and go through that analysis of whether they are regulated under this regime or not.

After that consultation and guidance process gets started, we're also expecting a registration pilot to happen in the spring of 2024. And in the registration pilot, the Bank of Canada will be inviting a group of PSPs to participate in a registration dress rehearsal. So this is going to allow the Bank of Canada to really work through those kinks in the registration process, test out their registration platform, and be ready to go live.

The go live period is really those first two weeks of November in 2024. On November 1, the registration framework under the act comes into course. And then November 16 is the deadline for PSPs to submit those registration applications. So it's really those first two weeks of November in 2024 when the Bank of Canada is expecting to receive the first round of all the PSP registrations for businesses that are currently active.

Important to note that the requirements, those key compliance requirements, so to have a risk management framework and fund safeguarding framework in place-- those are not going to come into place until September 8, 2025. So in 2024, the Bank of Canada is starting to engage in these consultations and come out with all the guidance that's going to have all the details of these particular compliance pieces that need to be in place. And then businesses will have a period of time to actually operationalize those before the Bank of Canada is really going to be looking for those and enforcing those requirements. So that is important to note.

So the next thing we want to talk about is the major objectives of the PSP regime. So we've already heard reference to some of these things come up. I wanted to touch on four major areas. The first that we've already talked about a little bit is safeguarding end user funds. So fund safeguarding is really intended to protect the customers of PSPs. So these include both consumers and businesses, and these protect those customers' funds against financial loss.

Two scenarios here to be alive to. So the first is in the event that a PSP becomes insolvent, and the second is to ensure that end-users have reliable and timely access to their funds. So end user funds held by PSPs are going to be required to be kept in a trust account at a prudentially regulated financial institution.

And PSPs are going to have to ensure that those end user funds held in that trust account are covered by insurance or a guarantee, which is for the exclusive benefit of those end-users in the event of the PSPs insolvency or restructuring. So you can think of a analogy here to CDIC insurance on a bank account. This insurance or guarantee that covers the PSPs customer trust account is for the exclusive benefit of those end-users in the event of the PSP's insolvency.

PSPs are also going to be required to establish, implement, and maintain a written safeguarding of funds framework, so that's going to include reference to all the systems and policies, processes, procedures, controls, and other measures that the PSP has to meet those objectives of the safeguarding framework.

PSPs are also going to be required to, in this written framework, identify the legal and operational risks that could affect those objectives. It's going to require oversight and approval by a senior officer of the PSP and then review on at least an annual basis. In addition to the written safeguarding of funds framework, PSPs are also going to be required to maintain an operational risk management framework and an incident response framework. These are key aspects of the compliance program that's required here.

This requirement in particular is focused on helping to mitigate those risks posed by cyber attacks and other security incidents. So in the financial sector, we've seen the likelihood and the severity of those risks have really increased over the years. And the three objectives of having this risk management framework are for PSPs to preserve their integrity, their confidentiality, and also the availability of those retail payment activities and all of the systems, data, information that's required and involved in the provision of those activities.

So this requirement is really focused on safety, security, business continuity, and responding to those disruptive events that we see posed to the ecosystem in recent years. These requirements are going to be required to be applied by each PSP in proportion to the impact that a reduction or breakdown of the retail payment activities could have both on end-users and on other PSPs. So the view of these risks is enterprise level and then risks to the consumer, but also notably risks to other providers in the ecosystem.

To touch on reporting, in order to supervise this regime effectively, the Bank of Canada is going to require certain information inputs from registered PSPs. The Bank of Canada will obtain that information through several different channels, including, first of all, the registration application process. So that application information is going to include information about the PSP's business activities, its ownership, its management structure.

And then PSPs are also going to be required to update that information they provided in the registration application process to keep their registration information up to date. So for example, if a PSP changes its address, it's going to be required to notify the Bank of Canada of that kind of a change. There's also annual reporting to the Bank of Canada, and this is going to include information on a PSPs risk management framework, those operational risks, and human and financial resources it has to implement and maintain that risk management framework.

PSPs will also be required to submit significant change reports if the PSP makes a significant change in the way that it performs a retail payment activity or before performing a new retail payment activity. There's also an incident reporting requirement. So under that, PSPs are going to be required to report incidents that have a material impact on an end user, other PSPs, or designated financial market infrastructures.

So reports in that kind of a scenario will go to both the Bank of Canada and to impacted individuals and entities. So in that material incident scenario, PSPs are also going to be required to report to their regulator, to affected customers, and also to other PSPs in the ecosystem.

There are also information requests requirements, so that involves the Bank of Canada asking PSPs for information in the course of their supervision of PSPs. But it also includes information requests in connection with ongoing events that could have a significant impact on individuals or entities, end-users, other PSPs so that you can imagine the scenario of a widespread network outage, where the Bank of Canada would be reaching out to regulated PSPs and requiring certain information. And PSPs will have to get back to the Bank of Canada in a very timely fashion in that sort of a scenario.

So last thing I'll touch on here is national security. This is part of a broader trend in the regulation of financial services sector recently, and it's a response to information published by CSIS that the risks to the Canadian economy have increased recently by hostile state and nonstate actors. The powers of the minister of finance have been expanded recently in a number of areas to consider the impact of national security risks on the financial sector. We've seen this happen in the Bank Act and other federal financial institution statutes. And the RPAA is no different.

In terms of the process for these reviews, once a PSP application is submitted to the Bank of Canada, it's going to be reviewed by the Bank of Canada for that registration application purpose. But it's also going to trigger a national security review by the Department of Finance on behalf of the Minister of Finance. The Minister of Finance may then conduct an additional national security review if that's needed in the circumstances.

The minister also has the power to direct the Bank of Canada to approve or refuse an application, or it can stipulate conditions on a PSP's registration if it's necessary to do that for reasons of national security. So again, this is part of a broader trend to address those national security risks and to ensure the safety and soundness of Canada's economic system. So now I'm going to turn it back to Adam.

ADAM GARETSON: Thanks, Alana, much appreciated. At this point, I'm going to speak about some of the implications of the RPAA and the regulations for persons and entities that are not necessarily PSPs themselves, but deal with PSPs, so trying to touch on some practical considerations both for PSPs and others in the ecosystem as well.

So if you're not currently a PSPs and you may not be included within the scope of the regime itself, what are some of the key considerations to take into account when you're dealing with the PSP? And hopefully, that provides some further insight into PSPs for PSPs as well. So I'm going to consider this angle primarily from the perspective of third-party service providers to PSPs, as well as transactional partners, such as investors and counterparties in M&A, as well as end-users of PSPs as well.

And when we think about agents and third-party service providers, it's important to keep in mind that PSPs will be subject to ongoing requirements, where they're required to provide information to the Bank of Canada on a continuous basis, as Alana was saying. So in terms of initial applications by PSPs for registration, those are required to include information such as a list of the PSP's agents that perform payment functions in relation to electronic fund transfers on behalf of the PSP, along with detailed information on the agent, like their name, address, description of the payment activities, the agents performing on behalf of the PSP.

PSPs will also have to provide detailed information on third-party service providers that have or will have a material impact on the PSPs operational risks or safeguarding of funds, and this information will include a description of the services in relation to that retail payment activity that's being provided by the third party or that they will provide to the applicant PSP, as well as the geographical location of the technologies that are being used to provide the services in relation to the retail payment activities or that store end-user data.

And it's anticipated that these requirements will result in increased outreach by PSPs for due diligence requests to agents and third-party service providers to PSPs in connection with the submission of their initial applications for registration. So third-party service providers and agents can consider these information requirements and think about what they can do to prepare for compiling this information to ensure a smooth application process, both on the PSP side, as well as from an assistance perspective to the PSP registering as well, who are at their end clients at the end of the day.

As part of the risk management and incident response framework, PSPs are going to be required to conduct thorough operational assessments of their third-party service providers at least once a year, and also prior to entering into renewing or significantly amending third-party service contracts.

So from a contractual perspective, PSPs are going to be required to assess third party service provider's ability to protect data and information that's obtained from PSPs, the security of the third party service providers' technical connections that are to and from the PSP systems, as well as the third-party service providers' risk management practices that are related to the services that are being provided.

The framework also requires PSPs to have a plan to respond to incidents, as mentioned, cyber security incidents that involve or are detected by an agent or a third-party service provider. And the regulations also speak to the need for the PSP to coordinate its incident response with the third-party service provider that's involved. So PSPs will need to consider the implementation of these requirements. They'll need to look at it from a contractual perspective, and this may include a review and analysis of agreements with third parties.

So from a third-party perspective, you can expect to see proposed revisions to existing or future agreements potentially to accommodate greater compliance with the RPAA and the regulation for PSPs than would otherwise be the case today. PSPs will also need to consider significant changes that are made to the operations of agents and third-party service providers and consider whether these could have a material impact to the PSP's business prior to the integration into their systems, processes, and controls.

So if a change is significant or constitutes a new activity for the PSP, a notice of the change has to be given to the Bank of Canada at least five business days before the day on which the PSP makes the significant change in the way that it performs the retail payment activity. So PSPs may want to consider whether their relationship with a third-party service provider is significant. And if there's a significant change at a significant service provider, that could constitute a material change for the PSP that could require notice to the Bank of Canada prior to integration.

Also, registered PSPs are required to review their risk management and incidence response frameworks prior to making material changes. So that means implementing testing methodologies with respect to controls and risk management frameworks, including providing for testing before the adoption of any material changes. PSPs are also required to address in their policies the way that third-party service provider performance may be monitored and the time and manner in which a third-party service provider will inform the PSP of any detected breach of the PSP's or the provider's data, information, or systems, or other breakdowns in the services.

So PSPs are required to include in their policies the means for these assessments of third-party service providers risk management practices in relation to the services that are being provided. Another additional consideration is applications for registration as a PSP are required to be filed where there's a change in the storage or processing of information by the PSP or a third-party service provider outside the country, outside of Canada, that was not originally identified in the PSP's most recent application for registration.

So this requirement, in fact, triggers a new application registration if there's going to be a movement of information of data that's outside of the country. So as a result, PSPs will want to consider developing frameworks for third-party risk management and vendor management processes that builds in checks for things like auditing or maintaining compliance with the RPAA. So from a third-party service provider perspective, you can expect to receive more increased diligence requests than you may have in the past from PSPs, which could have knock-on implications if this information is not available to meet the PSP's requirements under the RPAA.

Turning a little bit to transactions, M&A, and commercial arrangements, the RPAA regime also includes the requirement for PSPs to file new applications for registration with the Bank of Canada if a new entity or individual seeks to acquire control of a PSP. And the regulations in the regime set out a threshold trigger for control, which generally means one third, so from a corporation perspective, one third or more of the voting shares of a corporation.

If those are acquired by a third party, a new application for registration is going to be required to the Bank of Canada. And this also has implications for noncorporate entities as well. And in those instances, the trigger is still at one third. But the trigger hits at the entity's profits or assets on dissolution. And certainly, the test and analysis flows up through the corporate chain to the ultimate controlling interest.

So essentially, acquirers of PSPs should be considering whether or not the PSP has its registration, first of all, in the course of conducting its due diligence and whether it's in compliance when this regime comes into place. And if an acquisition of one third or more of a control position of a PSP is part of a commercial transaction, a new registration application will need to be filed with the Bank of Canada. So investors in PSPs should be mindful as well if they're investing over multiple rounds. They could trigger the one third threshold at a varied stage of investment level, and then a new registration application will likely be required as well.

And we have heard from the Bank of Canada the expectation that any new application for registration will need to be reviewed and approved prior to a deal closing effectively to ensure that registration is continuous and without disruption so that the PSP business is able to continue to operate as well on an ongoing basis in a compliant manner.

And as Alana was mentioning with respect to users, the RPAA requires that a PSP, which becomes aware of an incident, such as a data incident with a material impact on an end-user, needs to notify the individual and notify the individual of some of the material pieces of information that are associated with the actual breach. So that can include the name of the PSP, a description of the incident, the nature of the impact on individuals and entities, as well as corrective measures that can be taken by the impacted individuals or entities.

So the goal of this is obviously to provide enhanced protection for end-user and Canadian data, and users should be mindful of the potential to receive greater alerts and other messages from PSPs in this regard and be mindful of continued use of any PSPs that are not registered with the Bank of Canada when the registration requirements come into place or continued use of PSPs that are subject to significant incidents going forward. With that, Parna, I'll turn it over to you to introduce our next topic.

PARNA SABET-STEPHENSON: Thank you, Adam. So now we're going to turn over and hear some of the industry reactions and perspective. I'm delighted to be joined today by Alex Vronces, the executive director of Fintechs Canada. Alex?

ALEX VRONCES: Hi, there.

PARNA SABET-STEPHENSON: Hello. Welcome.

ALEX VRONCES: Thanks for having me.

PARNA SABET-STEPHENSON: First tell us a little bit about Fintechs Canada.

ALEX VRONCES: Yes.

PARNA SABET-STEPHENSON: What's your mission? Who are your members.?

ALEX VRONCES: So Fintechs Canada is an Industry Association of Canada's most innovative financial technology companies. We're essentially a public policy advocacy organization for our members, a policy shop for our members. Our members range from the Canadian market leading fintechs you read about in the news, the global fintech companies, fintech-friendly financial institutions, and many fintech startups and scale-ups in between.

Collectively, our members serve millions of Canadians on a daily basis.

PARNA SABET-STEPHENSON: And sorry, did you say-- how many members did you say you have?

ALEX VRONCES: We have about 50 right now.

PARNA SABET-STEPHENSON: Wow. So it sounds like a significant proportion of them would actually be impacted by the RPAA. Is that fair to say? And what has been the general reaction?

ALEX VRONCES: Yeah, so a significant will be affected by the RPAA. I'd say the reaction been mixed. There are different camps. For many who aren't used to doing this sort of thing, I think there will be some pain. But there's always some pain when you're doing something new. I think being supervised by the Bank of Canada might make it harder for some smaller PSPs who aren't used to doing this sort of thing to operate in the short term.

But once new compliance programs are built, I think it'll all feel more seamless. And then there are plenty of companies who are used to dealing with regulators, whether that be companies in Canada or companies abroad. I think for them, this will feel more business as usual.

Regardless to the extent it is painful, I think it's going to be a good kind of pain. This is the kind of pain that makes you stronger in the long run by minimizing mishaps and maximizing confidence in what our companies and our sector overall is offering. That's why, from the beginning, we as an association have been very strongly supportive of what the government is doing with retail payments supervision.

PARNA SABET-STEPHENSON: Right. And what would you say is the biggest impact and implications for those members?

ALEX VRONCES: I mean, building a new compliance program and establishing that relationship with the Bank of Canada-- I think there's a lot of ambiguity right now. Because when you look at the regulations and the act, though, some things have definitely been spelled out, the Bank of Canada will have a lot of discretion in how to administer some of these requirements.

I think the important thing for us is that that discretion be administered in a very risk-based way. We've long favored this discretion because when regulators are too prescriptive, they lock in ways of doing things. They become "one size fits all." And in this sector, we can't be "one size fits all."

One size is either going to be too lax, promoting innovation but letting some irresponsible innovation squeak by. Or it's going to be too strict, stamping out innovation that would have otherwise been responsible had the requirements been more tailor-made.

I think the other thing that our members are looking forward to as a result of this regulation is that they're going to be empowered to do new things they otherwise would not have been able to do. A big one is being able to become a member of the-- I was going to say, Canadian Payments Association, but Payments Canada and access the new--

PARNA SABET-STEPHENSON: They're listening.

ALEX VRONCES: Yes. And access the new payment system when that is up and running. The government also made a very big announcement on open banking or consumer-driven banking. I know in the short term, the scope is going to be read only. But many are interested in the payments-related use cases and many see the RPAA as crucial to unlocking those.

PARNA SABET-STEPHENSON: For sure. So we talked a little bit about the implications, and also the challenge you mentioned is the compliance. Do you think-- is there a component of it that's the biggest part of the challenge? Or is it overall the reality of complying with something new for some of the smaller players, perhaps?

ALEX VRONCES: It's probably a bit of both. Again, it depends on who you ask. The fintech sector in Canada is quite diverse. I think when the regulations and the act first dropped, I think some people were a little taken aback. Because for the longest time-- and we've been working with the government from the beginning on this-- there was a lot of talk of the regulations being very principles based.

I think some felt like the regime was more prescriptive than policymakers had initially let on. In a lot of our submissions to government, we've been highlighting those areas we think can be improved. And to their credit, the government has made some changes to the regime in line with some of the industry's feedback. But the changes have been at the margins.

In my view, the government thoughtfully stood its ground on some of the things, which made those changes helpful without undermining the intent of the regime. I think that, overall, is quite healthy. It gives me more confidence in the capacity of our public institutions.

PARNA SABET-STEPHENSON: And from a readiness standpoint, where do you think we're at?

ALEX VRONCES: At least in our membership, where we keep everyone as up to date as we can, I think folks are ready. The mindset has really shifted from, how do we design this thing, to, OK, how do we build a compliance program? The only ones who may be caught off guard or still be raising big picture issues with the regimes are, I'd say, the ones who haven't been paying enough attention to what's been going on in Ottawa.

This has been a long time coming. We've been talking about it since 2015, 2016. I think the government's first consultation paper on this was 2017. So many of our members have seen it coming, have been following along, and are ready to build whatever compliance program they need.

PARNA SABET-STEPHENSON: So they're ready to build. But do you think some have already started on the path to the building? What do you think the delta is perhaps in the way they currently operate and what will be required of them?

ALEX VRONCES: I think many of them already do a lot of the things that this regime will require them to do. I think the bank heard a lot of that feedback in its RPAC consultations. So for some, I don't think the delta will be big. For some, it will be bigger. That's why I think for some, it will be painful. But again, I think this is a good kind of pain.

PARNA SABET-STEPHENSON: Thank you very much, Alex, for your input. Appreciate it. And now we're going to pass it on to Alana for the FI perspective.

ALANA SCOTCHMER: Thank you so much, Parna. So it's my pleasure to introduce Olivia Tang, who is the VP Legal Affairs for People's Group. And Olivia, welcome. I'm hoping that--

OLIVIA TANG: Thank you.

[CHUCKLES]

ALANA SCOTCHMER: I'm hoping that you can shed some light today on the perspective of an FI and of People's Group in particular, which has very robust relationships with fintechs and payment service providers. Love to get your view of the RPAA regime.

OLIVIA TANG: Yeah, I'm happy to be here. And thank you for the invite. So I think for us in the perspective and working with a lot of fintech, one of the immediate reactions is really the operational risk management framework that's been posed. I think, as Alex pointed out, something might be a bigger lift or compliance. Some may already have been doing some of them.

And for us, how it impacted us in the media side is like, OK, if we work with a lot of the fintechs, how do we change the due diligence requirements? Because there's a lot of, I guess, potential alignment between what's required of an FI through [INAUDIBLE] guidelines and then what's going to be required under this new RPAA regulations.

So I think there's a lot of opportunities for us to readjust the due diligence requirements to see how we work with third parties, some of them who fall under the PSP regimes. But on the flip side, there could be challenges, which is-- with new regulations, sometimes there may be inconsistencies that just fell through the gaps or just unintended. So I think that's something for us to keep in mind with.

And the other aspect, another big thing, as you say, is the safeguarding of funds framework. And I think, for us, it's an opportunity to look at our services and our product offerings and see how we can support this particular requirement during FI perspective for our fintechs. So those are the two I think are the greatest impacts for FIs with this regulation.

ALANA SCOTCHMER: Great. Thank you so much, Olivia. So now I will turn it over to Adam.

ADAM GARETSON: Thank you. Thanks, Alana, appreciate it. I have the pleasure of introducing Lisa Sattler, who is a senior advisor of Public Policy at Payments Canada. Lisa, thank you very much for taking the time to join us today. It's a pleasure to have you here with us.

LISA SATTLER: Thanks, Adam.

ADAM GARETSON: Maybe you could just introduce your role for us and tell us what your focus is at Payments Canada.

LISA SATTLER: Yeah, so I work with the policy team at Payments Canada and lead the government relations function in the organization. So I work very closely with our government regulators and our membership in driving policy changes within the organization and also have been working quite closely the past year on advocacy and education around changes to our legislation.

ADAM GARETSON: Awesome. Awesome. So we're in the process of certainly absorbing the final regulations to the RPAA, as well as the Fall Economic Statement that was released yesterday. And we're interested in your thoughts on the implications of the act and the regulations and what you see coming next from the Payments Canada perspective.

LISA SATTLER: Yeah. Thanks, Adam. So we've been talking a lot about the implications today, but I'd like to turn things a little bit of a different direction and look at opportunities, the RPAA carrot, if you will. So to me, that carrot, and Alex touched on it, is really more flexible options to access the payment system.

So maybe I'll take a minute to talk about what needs to happen for us to get there. So there's three key steps, RPAA implementation, changes to the Canadian Payments Act, and then, of course, the launch of the RTR. So as you noted, this week marked important achievements in the first two steps. We do have those final regulations and timelines for the RPAA implementation, and the government signaled its commitment to change our legislation and expand membership to regulated payment service providers.

Changes to our legislation is key because only our members can access our systems. So from what I understand from the feds activities this week, these changes to our legislation could be introduced into parliament before the end of this year, with royal assent pushing into next year. So coupled with this legislative change, Payments Canada will also now need to begin its own consultation on our bylaws and rules and related participation requirements to ensure we continue to manage the risks in our systems.

So we'll need to assess some of the details that come out of the legislation once it's introduced, but we are anticipating a broad or public consultation over the coming months in that regard.

The third step-- RTR implementation. So I'll give you a quick update on that. Payment Canada continues to be committed to delivering safe, secure, and efficient real-time payment system for Canada. We've recently completed a targeted risk review phase of the RTR program.

And during this phase, we worked in collaboration with our board, our regulators, our member financial institutions, as well as our stakeholders while we continued RTR delivery activities. So our current focus at the moment is work to determine the path forward to launching the RTR, and we'll communicate an update on that within the next couple of months.

Before I close out, I'd just like to take a moment to discuss some of the more tactical details around the path to broader access. I've been getting quite a few questions over the past few months around, what's the process and the requirements to become a member and become a participant? The membership process is quite simple. Once you're eligible per the legislation, we collect some basic information, corporate information, confirm your eligibility, and then proceed to board approval.

You also have to be able to pay our common services fees, which are currently around $40,000 per member per year. The process to become a participant, however, is much more complex. First you have to meet the eligibility criteria that's set out in our system bylaws. These vary, depending on the system.

If you are eligible per the bylaw, you have to meet various technical, operational, security, and other risk-related requirements that are set out in those bylaws and rules. Another step, if you're interested in being a direct settlement participant, the Bank of Canada also plays an important role because they decide if a member can have access to a settlement account in a given system. So the bank establishes its own criteria for access to settlement accounts, and it includes, depending on the system, requirements related to managing financial, cyber, operational risks.

Lastly, there's some other requirements, including your ability to pay system-related fees and participate in some of our mandatory user committees. So I just want to close out by thanking and encouraging you all to thank the government for these important developments that have occurred this week.

These developments are monumental for the Canadian payments ecosystem that will bring greater competition, safe innovation that all Canadians and Canadian businesses will benefit from. No doubt, these changes will impact us all, both from a professional perspective and a personal perspective as a consumer. So we're celebrating these changes this week.

ADAM GARETSON: Thank you, Lisa, very much appreciated. Lots of great information there. Thank you for taking the time to join us today. We really appreciate it.

LISA SATTLER: Thank you, Adam.

ADAM GARETSON: Parna, I'll turn things over to you for some final thoughts.

PARNA SABET-STEPHENSON: Thank you very much, Lisa, and I have to thank you for that note of gratitude, which is very timely, as it's US Thanksgiving today. But that was a very good reminder. And also, I quite like the term the "RPAA carrot." That that's one that we will remember. Thank you for that.

So what are some of our key takeaways? We've heard that the big timeline is 2024. We're talking about by November 16, 2024, you must be-- if you're a PSP, you must be registering with the Bank of Canada. They will be certain requirements that you will have to comply with, so you have to have a compliance program that will be intended to reflect safeguarding and use of funds, as it was discussed, operational risk management framework, incident response, as well as compliance generally with the RPAA, as well as its regulations.

And further guidance is expected from the Bank of Canada early in 2024. But also, we've heard from the Bank of Canada earlier this week that they will be hosting a session on December 13 for payment professionals, so look out for an invitation for that as well.

So with that, we will wrap up the session today. If you have any questions, please feel free to send them our way. We're happy to answer any questions you may have after the fact as well. And I'd like to Thank Alex, Olivia, and Lisa, as well as all of you for joining us today. Thank you.