The final regulations to the Retail Payment Activities Act (RPAA) will be published in the Canada Gazette on November 22, 2023 (Regulations). Since the release of the draft regulations (Draft Regulations) in February 2023, the Bank of Canada (Bank) has been consulting with the industry to obtain feedback on the content of the Regulations. Although there was some accommodation made to address certain industry comments, as noted below, the Regulations are substantially similar to the draft regulations released earlier this year.
Note that additional comments may be included in the Regulatory Impact Analysis Statement when the Regulations are published in the Canada Gazette.
The Regulations will come into force in phases as follows:
- The registration requirements will come into force on November 1, 2024, together with the administration and enforcement powers. Registration by payment service providers (PSPs) with the Bank will be required by November 16, 2024.
- The requirements to establish risk management and funds safeguarding frameworks will come into force on September 8, 2025.
The material changes that were made to the Regulations are as follows:
Risk Management and Incident Response Framework
The Draft Regulations prohibited a PSP from resuming operations after the occurrence of an “incident” until all issues had been resolved, the PSP had “verified that the integrity and confidentiality of all systems, data and information has been restored” and the PSP was able to perform retail payment activities without “reduction, deterioration or breakdown.” This requirement has now been removed so that PSPs can resume operations while they continue to address the issues that gave rise to the incident.
The requirements in respect of third-party service providers have been clarified. The requirements only apply to third-party service providers that perform services that are otherwise subject to the RPAA.
The rules concerning the approval of the risk management and incident response framework (RM Framework) have been amended. The Regulations now require the RM Framework to be approved by a senior officer, as defined, at least once a year and following a material change to the RM Framework. Additionally, the RM Framework must be approved by the board of directors at least once a year regardless of any changes made to it.
In respect of a review of the RM Framework, the Regulations now require a review of the RM Framework whenever a material change is made to a PSP’s systems. This is a net new requirement. The requirement to review the RM Framework following an “incident” has now been removed.
The prescriptive requirement for a PSP to test its RM Framework every three years has been removed. Instead, while testing is still required, it is left up to the PSP to determine the frequency and scope of testing. Note that there is still a requirement to undertake an independent review of a PSP’s RM Framework at least once every three years.
Safeguarding of Funds Framework (Safeguarding Framework)
The rules in respect of approving the Safeguarding Framework have been revised to be consistent with the rules in respect of approving the RM Framework as set out above.
The Regulations provide greater clarity on when a review of the Safeguarding Framework should occur and the records that should be maintained with respect to that review.
In that regard, the requirements in respect of when a PSP’s Safeguarding Framework must be reviewed have been refined slightly. While there is still a requirement to review the Safeguarding Framework at least once a year, a separate review of the Safeguarding Framework will also be required after the implementation of any of the following changes:
- The opening or closing of an account where end-user funds are held;
- A change in the entity that provides any account where end-user funds are held;
- A change to the terms of the account agreement in respect of any account where end-user funds are held; and
- A change in any insurance or guarantee providers (where that is the method of safeguarding).
The Draft Regulations required a review of the Safeguarding Framework for certain changes in all circumstances. The Regulations now only require a review where the changes “could be expected to have a material impact on how the funds are safeguarded,” providing PSPs with greater discretion to determine if the review requirement is invoked.
The findings of each review must be reported to and approved by a senior officer.
Where a PSP uses insurance or a guarantee to safeguard end-user funds and the PSP identifies an instance where these funds would not be payable to end-users, it is required to immediately take measures to prevent the same from recurring, but there is no longer an obligation to report this separately to the Bank. Instead, this reporting will now be captured in the annual report.
The requirement for an independent review of the Safeguarding Framework has been changed from once every two years to once every three years.
The Regulations introduce a new administrative monetary penalty rated as “very serious” where the PSP fails to hold end-user funds in an account as required by the RPAA.
The Regulations make minor drafting amendments to the metrics to be included in the PSP’s annual report to the Bank, including information related to end-user funds and electronic fund transfers.
While the Draft Regulations required the annual report to describe any changes a PSP made to its retail payment activities, the Regulations now only require the reporting of “significant” changes as contemplated by subsection 22(1) of the RPAA. Subsection 22(2) of the Act states that, “for the purposes of subsection (1), a change is significant if it could reasonably be expected to have a material impact on operational risks or the manner in which end-user funds are safeguarded.” While not identical, it is helpful in this regard to note that, in the Payment Clearing and Settlement Act (another statute administered by the Bank), “significant change” is defined broadly as “any change that could reasonably be expected to have a material impact” on a regulated entity’s efficiency, safety or soundness. This definition will likely influence what the Bank considers to be a significant change in the context of the RPAA.
Where a PSP undertakes a significant change or new activity, it is required to provide notice to the Bank. Under the Draft Regulations, the PSP was required to provide the Bank with copies of all its documentation relating to its revised RM and Funds Safeguarding Framework addressing the change. The Regulations now only require a summary of the changes that have been made.
One of the more significant changes made to the Regulations relates to the storage of personal and financial information. Previously, the Draft Regulations required a PSP to submit a new application in the event that the PSP stored information in a country outside of Canada, where that country was not identified in its initial application. This requirement has now been removed. Instead, when a PSP changes where data is stored, the change must be communicated to the Bank 60 days prior to the change occurring.
For registration, the Draft Regulations required PSPs to provide a large amount of financial and transaction information for their business operations in the previous two-year period. The Regulations only require that information for the previous year, which is a welcome change for PSPs.
The Draft Regulations set out a formula for determining the fee amount to be assessed on an annual basis for each PSP. That formula has been removed. While the Bank is still required under the RPAA to determine its expenses and assess those against each PSP, the method for doing so is no longer prescribed.
For the sake of completeness and convenience, we have set out below a summary of the material provisions of the final Regulations by updating our February 2023 Blakes Bulletin: Keeping Up With How Canadians Pay: Draft Regulations of Retail Payment Activities Act Released.
These Regulations create a comprehensive and prescriptive compliance regime for PSPs that will require the significant expenditure of both financial and human resources.
Risk Management and Incident Response
Some of the most prescriptive and onerous provisions of the Regulations deal with the risk management and incident response framework (Framework) that a registered PSP must implement.
In that regard, the Regulations provide comprehensive requirements that PSPs must follow in implementing their Framework and dictate what must be addressed in the Framework. The requirements do not take a risk-based approach and instead are quite prescriptive. These requirements should be reviewed by PSPs to understand their scope and nature.
Here is a sampling of some of the requirements for a PSP’s Framework:
The Framework must contain expressly stated objectives. The two objectives that are mandated by the Regulations are:
- That a PSP can perform its payment activities without “reduction, deterioration or breakdown” and ensure the availability of its systems, data, and information to perform those activities; and
- That the integrity and confidentiality of a PSP’s payment activities, data and information be preserved.
The Framework must set out “clearly defined and measurable reliability targets” (i.e., service levels) and indicators to assess if the above-noted objectives of the Framework are met.
The Framework must also identify the human and financial resources required to implement and maintain the Framework. For human resources, the required skill level and training of personnel must be outlined.
The Framework must also identify all of a PSP’s assets (including systems, data and information) and business processes associated with the PSP’s performance of payment activities. These assets must then be classified according to their sensitivity and criticality to the performance of payment activities.
A PSP must identify and describe all the potential causes of its operational risks. The Regulations set out an itemized list of the required risks to be considered in that exercise, including business continuity, cybersecurity, fraud, data management, information technology, human resources, process and product design and implementation, and change management. Having identified these operational risks, the Framework must then describe the systems, policies and procedures that a PSP has in place to mitigate these risks and protect its assets.
A PSP is expected to engage in continuous monitoring of its payment activities, systems and mitigation controls to detect incidents or other anomalous events that could indicate operational risk or lapses in the Framework. All these measures must be described in the Framework.
Where a PSP uses third-party service providers or agents, the Framework must also provide policies and procedures for oversight of these parties.
A PSP’s Framework must also have a comprehensive plan for responding to and recovering from incidents. An incident is defined as “an event or series of related events that is unplanned and that results in or could reasonably be expected to result in the reduction, deterioration or breakdown of any payment activity performed by a PSP”. The Regulations provide prescriptive requirements in respect of what is to be included in a PSP’s incident response plan. Other requirements that must be included in the Framework in respect of incident response include a requirement to investigate, implement mitigation measures to prevent further damage, and act immediately to address the root cause of the incident. Detailed records must be retained in respect of each incident.
The Framework requirements are clearly very detailed. However, the Regulations provide that a PSP’s Framework must be proportionate to the impact that a reduction or breakdown of its payment activities could have on end-users and other PSPs, taking into account the PSP’s “ubiquity and connectedness” as well as its relative size. As such, the larger the PSP, the more robust the Framework is expected to be. However, all of the regulatory Framework requirements are mandatory, which means that, regardless of size, ubiquity or interconnectedness, all PSPs must implement a comprehensive Framework in accordance with the requirements of the Regulations.
Where a PSP uses a third-party service provider, it must include all such providers in its Framework and assess their ability to deal with specific operational risks. This assessment must be undertaken at least once a year and before entering into, renewing, extending or substantially amending a contract with the third party. Records of the assessment must be retained. There are similar requirements in respect of the use of agents by a PSP.
The Framework must also be reviewed at least once a year to evaluate it and its compliance with the regulatory requirements. A Framework review is also required before any significant changes are made to the PSP’s operations or controls. A record must be kept of the outcome of the review documenting the scope, methodology and findings. Findings of the review must be reported to a senior officer.
In addition to the review, the effectiveness of the Framework must also be tested to identify any gaps and vulnerabilities taking specific factors into account. A testing requirement is also triggered prior to implementing any significant changes to a PSP’s systems, policies, or procedures. Records of the effectiveness testing must be maintained (including information on the methodology and the measures taken to address results) and a copy must be provided to a senior officer.
In addition to the effectiveness review and testing requirements, the Framework must be independently reviewed (either internally or using an external auditor) at least every three years. The review must be documented and describe the scope, methodology used and findings. Gaps and vulnerabilities must be addressed and reported to a senior officer.
The Framework is thus not only prescriptive and onerous; it will require PSPs to devote significant attention and resources to managing compliance with the RPAA. These requirements will be especially burdensome to start-up companies with limited resources and previously light compliance burdens. Although the Regulations speak of proportionality, there are no exemptions or relief from these requirements for smaller organizations.
A key feature of the RPAA is a rigorous framework for safeguarding end-user funds. The fund safeguarding regime applies in respect of PSPs that will hold end-user funds until the funds are transferred to another person, or the end-user withdraws them. As such, where a PSP holds end-user funds, it is required to implement both a compliance program and framework to deal with them.
The RPAA requires PSPs to hold end-user funds in trust in a segregated trust account or in a segregated account backed by insurance or guarantee. The Regulations set out detailed requirements in respect of each of these options for safeguarding end-user funds:
Account Requirements: PSPs are required to maintain end-user funds in an account held with an eligible financial institution. In Canada, the eligible institutions are banks, credit unions and trust or loan companies. The Regulations contemplate that end-user funds may also be held with a foreign financial institution if it is subject to a regulatory framework comparable to the regulations applicable to eligible financial institutions in Canada in respect of capital, liquidity, governance, supervision, and risk management. As such, PSPs will be permitted to hold end-user funds both in Canadian and foreign regulated financial institutions, which will be particularly important for foreign PSPs that will be registered with the Bank and may hold end-user funds across multiple jurisdictions.
Insurance or Guarantee Requirements: PSPs that wish to satisfy end-user fund safeguarding requirements by holding insurance or a guarantee must ensure that the insurance or guarantee is provided by an eligible Canadian or foreign financial institution. The eligible financial institutions are the same prudentially regulated institutions noted above and include insurance companies. The financial institution that provides insurance or a guarantee in respect of end-user funds cannot be an affiliate of the PSP, but there is no restriction prohibiting the same eligible financial institution from both holding the segregated account for end-user funds and providing the required insurance or guarantee. In this respect, we note that federal financial institutions statutes define a guarantee to include a letter of credit. Although the RPAA does not specifically address this, the insurance or guarantee requirement will not be satisfied if the end-user funds are simply held in a third-party bank account that is covered by deposit insurance because deposit insurance, such as that provided by the Canada Deposit Insurance Corporation (CDIC), protects against the failure of the bank holding the PSP’s account and not against the failure of the PSP itself.
Bankruptcy Remoteness: If a PSP relies on insurance or a guarantee to meet the fund safeguarding requirements, the PSP must ensure that the insurance or guarantee proceeds will not form part of the PSP’s estate in a bankruptcy and that the proceeds are payable for the benefit of end-users as soon as feasible after an insolvency event, among other requirements. These bankruptcy remoteness requirements are specific only to the insurance or guarantee safeguarding option. Where end-user funds are held in trust in a segregated account with an eligible financial institution, we expect the trust funds will be excluded from the PSP’s estate under general insolvency law principles, including section 67(1)(a) of the Bankruptcy and Insolvency Act.
Policies and Controls: In addition to establishing the Framework, PSPs are required to establish, implement and maintain a safeguarding-of-funds framework to ensure that end-users have reliable access without delay to their funds and that these funds, or insurance or guarantee proceeds, are paid to end-users as soon as feasible following an insolvency event. Among other requirements, a PSP’s safeguarding-of-funds framework must detail the use of liquidity arrangements and the holding of end-user funds in the form of secure and liquid assets, the use of a ledger system to keep a record of end-users and their funds, as well as a framework on how an insolvency administrator for the PSP will have access to those records and administer the allocation of safeguarded funds or guarantee or insurance proceeds to end-users in an insolvency scenario. For comparison, in the context of deposit insurance administered by the CDIC for federal deposit-taking institutions, these arrangements are subject to extensive regulation, which in the context of RPAA, appear to apply in a more principles- or results-based approach. This could raise complex legal and operational considerations for PSPs, although the regulatory impact analysis statement accompanying the proposed Regulations notes that the Bank is expected to provide further clarity on the safeguarding of funds requirements. It remains to be seen how prescriptive the Bank’s guidelines will be in this respect.
Reviews and Effectiveness Testing: The safeguarding-of-funds framework must be overseen by a dedicated senior officer and similar to the Framework, it must be reviewed at least annually. An annual review must also assess the effectiveness of the end-user fund safeguarding measures that were implemented in the preceding year and report the results of the investigation and any remediation steps taken, if deficiencies are identified, to the Bank. In addition, similar to the requirements in respect of the Framework, a PSP holding end-user funds must ensure that its safeguarding-of-funds framework is subject to an independent review every three years.
Provision of Information
In addition to the establishment of the Framework, the safeguarding-of-funds program, effectiveness reviews, testing requirements and external review, PSPs are also required to submit annual reports to the Bank, containing detailed information and reporting (Report). Perhaps most surprising is the amount of prescribed additional information that a PSP will be required to include in its Report.
The reporting program effectively takes each compliance element outlined in the “Framework” section above and requires the PSP to provide the Bank with a description on how it is implementing each requirement. This includes information on training, testing, and information on all reviews conducted. The Report must also describe how the Framework was appropriately approved and made available to the PSP’s employees and others who have a role in the Framework. The Report further requires a similar analysis and summary in respect of all required elements of the funds safeguarding program.
In addition to reporting on a PSP’s compliance obligations, the Report also requires detailed information in respect of the PSP’s business over the previous year. The information requested in this regard is quite detailed. By way of example, the following is required information in the Report in respect of each reporting year:
- The maximum value of end-user funds, expressed in Canadian dollars, held by the PSP at any time for all end-users and for end-users in Canada
- For each month, the average value of the end-user funds of all currencies held that month
- For each month, the number of electronic funds transfers performed for end-users generally and in Canada specifically
- The total number of end-users for which the PSP performed a payment activity
- Financial metrics for the reporting year, including revenues, gross profits or losses, operating profits or losses, assets, liabilities and equity
There are also additional detailed reporting requirements for payment activity and revenues.
The annual report also requires a PSP to provide a description of any changes during the reporting year to the PSP’s payment activities, as well as information on any activities that the PSP began or ceased to provide.
This prescriptive, detailed annual reporting process will likely require most PSPs to make changes to their information gathering, record-keeping and other compliance and reporting processes. It will also require PSPs to dedicate extensive resources to compliance with the regime under the RPAA.
Importantly, PSPs that do not have a place of business in Canada are still required to establish their ubiquity and interconnectedness in Canada, although they are permitted to provide a more limited subset of the information set out above.
Record Keeping and Retention
The Regulations also outline a PSP’s obligations with respect to record keeping and retention. In that regard, a PSP is required to keep, in a form that is intelligible to the Bank, sufficient records to demonstrate its compliance with the RPAA and Regulations and must take reasonable measures to secure them.
Administrative Monetary Penalties
Finally, the Regulations also set out details relating to violations of the RPAA, the classification of those violations and the range of penalties in respect of a violation. Similar to the administrative monetary penalty regulations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), classifications of violations are either considered “serious” or “very serious.” Among the very serious violations are those relating to a PSP’s obligations to implement and maintain the Framework, including a failure to carry out the required review, effectiveness testing and independent testing required within the periods prescribed, and a failure to appropriately safeguard end-user funds.
Penalties for a serious violation can range up to C$1-million per violation, while penalties for a very serious violation can range up to C$10-million per violation. These penalties are much more severe than those set out in the PCMLTFA (where the highest penalty is up to C$500,000 per violation) and are more aligned with the expanded monetary penalties regime administered by the Financial Consumer Agency of Canada in respect of federal financial institutions.
In respect of the PCMLTFA, we note the majority of PSPs are also money services businesses under the PCMLTFA. As such, PSPs will be subject to the requirements of the anti-money laundering regime under the PCMLTFA as well as the requirements of the RPAA and its Regulations. The combined effect of the compliance obligations under these two statutes is daunting and the resources required to comply will be significant. Going forward, PSPs will be required to dedicate significant resources to their regulatory compliance obligations.
© 2024 Blake, Cassels & Graydon LLP