The new Retail Payment Activities Act (RPAA) Regulation is designed to enhance operational transparency, prevent financial fraud, and strengthen the Canadian fintech market in alignment with international standards. In this article we discuss what is RPAA regulation, the key changes and how does it affect existing MSBs and PSPs and new players.
As the retail payments sector continues to grow and innovate, the RPAA’s final regulations offer a framework that supports this progress while safeguarding the interests of all stakeholders involved. For PSPs operating in Canada, remaining informed and compliant with these regulations is crucial for maintaining trust and stability in the payments ecosystem.
Ensure compliance with Advapay and receive expert guidance for your MSB registration to meet RPAA requirements. We provide full support to meet all requirements before the November 15, 2024, deadline, ensuring you’re ready for the new regulations effective September 8, 2025. Our legal, technical, and business expertise will streamline your registration process, ensuring compliance and avoiding disruptions.
Key Functions Under the RPAA
The RPAA covers several key functions, including managing accounts for electronic fund transfers (EFTs), holding funds, initiating transfers, and providing clearing or settlement services.
Who is considered a PSP Under the new RPAA Regulation?
If your business is providing any one of the five payment functions such as
- providing/maintaining payment accounts.
- holding funds.
- initiating EFTs.
- authorising/transmitting/receiving EFT instructions and
- providing clearing/settling services,
you are likely considered a payment service provider (PSP).
Key dates
November 1, 2024: Registration opens for payment service providers (PSPs).
November 15, 2024: Registration for existing PSPs and money services businesses (MSBs) closes.
November 1, 2024 – September 7, 2025: Transition period for compliance with the new regulations.
Join us at the online webinar “Registration of Existing MSBs with the Bank of Canada under RPAA Regulations“:
Who Needs to Register with the Bank of Canada?
To determine if registration is required, entities should follow the Bank of Canada’s four-step application test. If your organisation is not exempt from the Retail Payments Activities Act (RPAA), engages in one or more of the five specified payment functions related to electronic funds transfers (EFTs), and operates or provides services in Canada, registration is mandatory.
What Changes for Existing MSBs?
For companies with overlapping activities between PSPs and MSBs, dual registration with the Bank of Canada (BOC) and FINTRAC may be required. Existing MSBs should submit their registration applications between November 1, 2024, and November 15, 2024, to continue their retail payment activities without interruption.
What Changes for Existing PSPs?
Starting November 1, 2024, all Payment Service Providers (PSPs) in Canada must register with the Bank of Canada under the new Retail Payment Activities Act (RPAA). If existing PSPs and MSBs miss the 15-day registration window, they must cease all retail payment activities until their application is approved.
Key Changes in the Retail Payment Activities Act (RPAA)
The Retail Payment Activities Act (RPAA) marks a significant regulatory milestone in Canada’s evolving payments landscape. Enacted to oversee payment service providers (PSPs) and their activities, the RPAA aims to enhance the retail payments ecosystem’s safety, security, and efficiency. Since its introduction, the RPAA has undergone several revisions, particularly in its final regulations. These revisions have introduced key changes to balance regulatory oversight with operational flexibility for PSPs. Here are the key changes in the RPAA and their implications for payment service providers and the broader financial ecosystem.
1. Incident Restoration System Testing
One of the most notable changes in the final RPAA regulations is the requirements surrounding incident restoration and system testing. Originally, the draft regulations required that PSPs could only resume operations after fully verifying the integrity and confidentiality of all systems, data, and information. Additionally, PSPs had to ensure that retail payment activities could continue without any reduction, deterioration, or breakdown.
RPAA Key Change:
- Previous Requirement: PSPs were required to ensure full restoration and integrity of systems before resuming operations. This included a mandatory review of their post-incident risk management and incident response frameworks.
- Current Change: The final regulations have relaxed this stringent requirement, allowing PSPs to resume normal operations while continuing efforts to restore systems. The mandate for an automatic review of the risk management and incident response framework after every incident has been removed.
Implications: This change provides PSPs with greater flexibility in managing incidents. It acknowledges the practical challenges PSPs face during system disruptions, where the immediate resumption of operations is often crucial. By allowing operations to continue while restoration efforts are underway, PSPs can better manage customer expectations and minimise service disruptions while focusing on broader risk management processes.
2. Changes to Personal Information Location Requirements
Managing personal and financial information is a critical aspect of the RPAA, particularly concerning where such data is stored or processed. The draft regulations required PSPs to submit a new registration application to the Bank of Canada if they or their third-party service providers changed the jurisdiction where personal or financial information was stored or processed.
RPAA Key Change:
- Previous Requirement: If the jurisdiction of data storage or processing changed, PSPs were required to submit a new registration application.
- Current Change: The final regulations have removed the requirement for a new registration application. However, PSPs must still provide the Bank of Canada with 60 days’ notice of any such changes.
Implications: This revision significantly reduces the administrative burden on PSPs, especially those working with third-party service providers that may relocate their data storage or processing operations.
3. Safeguarding of Funds (SOF) Account Changes
The safeguarding of end-user funds is a fundamental aspect of the RPAA, ensuring protection in insolvency or other operational risks. Initially, the regulations required any changes to SOF accounts to trigger a review of the SOF framework.
RPAA Key Change:
- Previous Requirement: Any modification to SOF accounts would automatically prompt a review of the safeguarding framework.
- Current Change: The final regulations introduce a materiality threshold, meaning only changes likely to significantly impact the safeguarding of end-user funds will require a review.
Implications: This change adopts a more practical approach to fund safeguarding by focusing regulatory scrutiny on changes that truly matter. It reduces unnecessary reviews, allowing PSPs to concentrate on maintaining the integrity of the SOF framework when there is a genuine risk to end-user funds.
4. Risk Management System Testing Adjustments
Risk management is a critical focus under the RPAA. The draft regulations initially mandated triennial (every three years) testing of the risk management framework to ensure its robustness and effectiveness.
RPAA Key Change:
- Previous Requirement: PSPs were required to conduct testing of their risk management framework every three years.
- Current Change: The final regulations now require PSPs to develop a testing methodology that defines the frequency and scope of testing rather than adhering to a fixed triennial schedule.
Implications: This change allows PSPs to tailor their risk management testing to their specific operational needs and risk profiles. It allows them to focus on more frequent testing in high-risk areas or less frequently in areas with minimal risks.
5. SOF Insolvency Reviews
Insolvency protection is a critical component of the RPAA, ensuring that end-user funds remain safeguarded even if a PSP becomes insolvent. Initially, the regulations required PSPs to evaluate their insolvency protections annually.
RPAA Key Change:
- Previous Requirement: Annual reviews of insolvency protections were mandatory to ensure that end-user funds would be recoverable.
- Current Change: The final regulations have removed the annual review requirement, mandating action only when it is determined that end-user funds would not have been recoverable in an insolvency proceeding.
Implications: By removing the annual review requirement, the regulations shift the focus to targeted action when actual risks are identified. This change reduces the compliance burden on PSPs while ensuring end-user funds’ protection. PSPs can now allocate resources more efficiently, concentrating on addressing real risks rather than fulfilling a blanket annual requirement.
6. Independent Audit Frequency
Independent audits are essential for maintaining the integrity and transparency of a PSP’s operations. Initially, the RPAA required these audits to be conducted every two years.
RPAA Key Change:
- Previous Requirement: Independent audits were mandated every two years.
- Current Change: The final regulations have extended the audit frequency to every three years.
Implications: This change reduces the frequency of independent audits, alleviating some associated costs for PSPs. While audits remain crucial for ensuring compliance and operational integrity, the extended timeline still provides rigorous oversight, allowing PSPs more time to address and implement audit findings.
7. Application Information on End-User Funds
Accurate reporting on end-user funds is crucial for transparency and risk management. The draft regulations initially required PSPs to provide information with a 24-month lookback period.
RPAA Key Change:
- Previous Requirement: Reporting on end-user funds required a 24-month historical review.
- Current Change: The final regulations have reduced this lookback period to 12 months.
Implications: This adjustment streamlines the reporting process, reducing the historical data that PSPs must gather and analyse. As a result, reports are likely to be more relevant and reflective of recent trends, enhancing the accuracy of risk assessments and regulatory compliance.
8. Introduction of Net-New Obligations
While many of the changes in the RPAA focus on easing existing requirements, the final regulations also introduce several new obligations that PSPs must now adhere to:
- SOF Framework Approval: PSPs must have their board of directors (if applicable) approve the SOF framework annually. Additionally, a senior officer must approve the results of the SOF framework review. This change ensures senior management is directly involved in safeguarding funds and enhancing accountability.
- Annual Report Contents: The final regulations require PSPs to include any identified insolvency risks from the prior year in their annual reports. This requirement, along with adjustments to the prescribed information about end-user funds and transfers, increases the transparency and comprehensiveness of annual reporting.
- Change Notice Requirements: When a change notice requirement is triggered, PSPs must now include an assessment of the impact on end-user fund safeguarding. They must also provide a summary of documentation reflecting changes in the risk management and incident response framework. This new obligation ensures that the Bank of Canada is fully informed about any material changes that could affect the security of end-user funds.
National Security Requirements
The Retail Payment Activities Act (RPAA) grants the Minister of Finance significant authority to address potential national security risks that Payment Service Providers (PSPs) pose. This includes the power to take decisive actions, such as refusing PSP applications, revoking existing registrations, and imposing specific conditions or undertakings on PSPs. Additionally, the Minister can issue national security orders directing a PSP to undertake specific actions or refrain from certain activities deemed risky to national security.
Penalties for Violating Requirements
The RPAA equips the Bank of Canada with various enforcement tools to address non-compliance with the Act. These tools include:
- Compliance Agreements: The Bank can enter into agreements with PSPs to ensure adherence to the Act’s requirements.
- Notices of Violation (NOV): The Bank can issue NOVs to PSPs, which may or may not include an administrative monetary penalty (AMP). Only specific, designated violations would trigger an NOV and a corresponding AMP.
- NOVs with AMP and Compliance Agreement Offers: The Bank can combine an NOV with an AMP and propose a compliance agreement as a resolution.
- Compliance Orders: The Bank can issue direct orders to enforce compliance with the Act.
- Court Orders: The Bank can seek court enforcement to compel compliance.
- Registration Refusal or Revocation: The Bank can refuse to register a PSP or revoke an existing registration if the PSP is found in violation of the Act.
If a PSP fails to comply with the terms of a compliance agreement after receiving an NOV, the Bank will issue a Notice of Default, imposing an additional penalty on the PSP. According to the Regulations, penalties for violations are categorised as “serious” or “very serious,” with fines ranging from $1 million for each serious violation to $10 million for each very serious violation.
How Advapay can assist you:
Ensure compliance with Advapay Canada and get expert assistance with your MSB’s RPAA registration. We provide full support to meet all requirements before the November 15, 2024, deadline, ensuring you’re ready for the new regulations effective September 8, 2025. Our legal, technical, and business expertise will streamline your registration process, ensuring compliance and avoiding disruptions.
We provide:
- Registration with Bank of Canada for new and existing PSPs
- Development of documents and frameworks to comply with RPAA regulations.
- Opening of Safeguarding accounts
Read about full version of Retail Payment Activities Regulations, published by Canada Gazette.