Skip to Content

Final retail payment activities regulations released

By Kevin Landry & Eryka Gregory

The Retail Payment Activities Regulations (“Regulations”) under the Retail Payment Activities Act (“RPAA”) were finalized and published in the Canada Gazette Part II on November 23, 2023. The RPAA was enacted by the Federal Government in June 2021 with the objective of regulating retail payment service providers (“PSPs”) in Canada. A draft version of the Regulations (“draft regulations”) were released earlier this year and were open for comment[1] – this represents another step forward for fintech in Canada.

Material changes to the draft regulations

The final Regulations are substantially similar to the draft regulations with some key changes to note, which appear to lessen the regulatory burden:

Risk Management and Incident Response Framework (“RM Framework”)

  • Previously, PSPs were prohibited from resuming operations following an ‘incident’ (as defined in the RPAA, and in essence means an event reasonably expected to result in the breakdown of any retail payment activity that is performed by a PSP) until it is verified that the integrity and confidentiality of all systems, data and information had been restored. Under the final Regulations, PSP’s can resume operations while addressing the incident.
  • It was clarified that the requirement for a PSP to annually assess Third-party Service Providers for things like security and data protection only applies to Third-party Service Providers that provide services related to a payment function.
  • Approval of the RM Framework must now be approved by a senior officer of the PSP at least once a year and following each material change to the Framework. The PSPs board of directors (if any) must also approve the RM Framework at least once a year.
  • Review of a PSPs RM Framework was modified to be required after “material” change to its operations or its system policies, procedures, processes, controls or other means of managing operational risk and the requirement to review the RM Framework following an “incident” was removed.
  • Testing for gaps in PSP systems is a requirement for incident response frameworks. Now, the testing can be conducted at the frequency and scope determined by the PSP instead of once every three years.

Safeguarding of Funds Framework (“SF Framework”)

  • The draft regulations required a review for “any” changes made to the Framework, now a review is required for “material” changes.
  • Similar changes were made as above to require a senior officer’ approval for the SF Framework at least once a year and following each material change to the Framework. The PSPs board of directors (if any) must also approve the SF Framework at least once a year.
  • An independent review of the SF Framework will be required once every three years rather than every two years.

Significant change or new activity

  • PSPs that undertake a significant change or new activity are required to provide notice to the Bank of Canada. Under the draft regulations PSPs were required to provide all documentation of the change or new activity. PSPs now only need to list and summarize the documentation.

Reporting requirements

  • The final Regulations amended the frequency to provide data on the number of PSPs and end-user from monthly to annually and reduced the historical reporting from 24 months to 12 months.

Registration requirements

  • The final Regulations require a registered PSP to provide 60 days notice to the Minister prior to when the PSP intends to store and process financial and personal information in a previously undisclosed country. The draft regulations required the PSP to submit a new registration application in those circumstances, which has been removed.
  • Changes have been made to the Transition Period, where new PSPs who file an application for registration outside the 15-day transition period (being November 1, 2024 to November 15, 2024) will be subject to a 60-day delay before being able to engage in retail payment activities.

Assessment fees

  • The draft regulations assessment fee formula has been removed from the final Regulations.

The Regulations will come into force in the following phases

  • The registration requirements will come into force on November 1, 2024, together with the administration and enforcement powers. PSPs will be required to submit their applications by November 15, 2024.
  • The requirements to establish the risk management framework and the funds safeguarding framework will come into force on September 8, 2025.

This update is intended for general information only. For more information regarding the RPAA and the Regulations or for questions regarding Open Banking and Financial Technology (Fintech), please contact the Author or a member of our Banking & Finance Group.

Click here to subscribe to Stewart McKelvey Thought Leadership.

[1] Lawyers from our Banking & Finance group published a Thought Leadership piece on these regulations earlier this month.

Archive

Non-disclosure agreements: A sword or a shield?

Murray L. Murphy, K.C., CPHR, Katharine Mack and Kate Profit Non-Disclosure Agreements (“NDAs”), legal contracts in which the parties agree to keep information outlined in the agreement strictly confidential, have been the subject…

Read More

What are deceptive design patterns (DDPs)?

Charlotte Henderson and Kaitlyn Clarke Interested in understanding the impacts of AI on your business? Looking to understand how these intersect with concerns around privacy? Curious about the impacts of…

Read More

Effectively identifying and navigating subtle discrimination: A must-do list for employers

By Lynn Iding, CPHR, CCIP and Sheila Mecking Interested in understanding the impacts of subtle discrimination on your business? Curious about the latest legal developments in racial discrimination? Looking to…

Read More

Summary of Bill 14 – Act to Amend the Fair Registration Practices in Regulated Professions Act

By Sheila Mecking and Danielle Bailey-Heelan On March 25, 2025, Bill 14 was introduced by the Acting Minister of Post-Secondary Education, Training and Labour to amend the Fair Registration Practices…

Read More

Enforceable equal wages: More changes for federal employers

BY Tiegan A. Scott & Sophie Poulos

By Tiegan A. Scott and Sophie Poulos The Canada Labour Code (the “Code”) may soon require federally regulated employers to review the wage rates of certain employees under Equal Treatment…

Read More

At a glance: Key changes coming to Prince Edward Island’s Employment Standards Act

Murray L. Murphy, K.C., CPHR and Jacob E. Zelman Prince Edward Island’s new Employment Standards Act (“ESA”) received Royal Assent on November 29, 2024, with an effective date to be to…

Read More

Making AI work for your business

Sarah Dever Letson and Lauren Agnew Interested in understanding the impacts of AI on your business? Looking to understand how these intersect with concerns around privacy and cybersecurity? Curious about…

Read More

Navigating the “Towns Act”: Key changes and transition considerations for towns in Newfoundland and Labrador

BY Stephen Penney & Danielle Harris

By Stephen Penney and Danielle Harris Introduction On January 1, 2025, the Towns and Local Service Districts Act (the “Towns Act”) came into effect, changing the legislative landscape for towns…

Read More

Dealing with Canadian “retaliatory” tariffs: A primer for importers

BY Michelle Chai & Graeme Hiebert

By Michelle Chai & Graeme Hiebert In response to the 25% tariffs levied on virtually all Canadian goods by the United States, Canada has announced United States Surtax Order (2025-1)…

Read More

Balancing inclusivity and workplace safety

BY Sheila Mecking & Lauren Sorel

By Sheila Mecking and Lauren Sorel Introduction Arbitrator Trisha Perry addressed the complex interests between inclusive education and workplace safety in a recent decision (New Brunswick Teachers’ Federation v New…

Read More

Search Archive