Final retail payment activities regulations released

By Kevin Landry & Eryka Gregory

The Retail Payment Activities Regulations (“Regulations”) under the Retail Payment Activities Act (“RPAA”) were finalized and published in the Canada Gazette Part II on November 23, 2023. The RPAA was enacted by the Federal Government in June 2021 with the objective of regulating retail payment service providers (“PSPs”) in Canada. A draft version of the Regulations (“draft regulations”) were released earlier this year and were open for comment^[1] – this represents another step forward for fintech in Canada.

Material changes to the draft regulations

The final Regulations are substantially similar to the draft regulations with some key changes to note, which appear to lessen the regulatory burden:

Risk Management and Incident Response Framework (“RM Framework”)

• Previously, PSPs were prohibited from resuming operations following an ‘incident’ (as defined in the RPAA, and in essence means an event reasonably expected to result in the breakdown of any retail payment activity that is performed by a PSP) until it is verified that the integrity and confidentiality of all systems, data and information had been restored. Under the final Regulations, PSP’s can resume operations while addressing the incident.
• It was clarified that the requirement for a PSP to annually assess Third-party Service Providers for things like security and data protection only applies to Third-party Service Providers that provide services related to a payment function.
• Approval of the RM Framework must now be approved by a senior officer of the PSP at least once a year and following each material change to the Framework. The PSPs board of directors (if any) must also approve the RM Framework at least once a year.
• Review of a PSPs RM Framework was modified to be required after “material” change to its operations or its system policies, procedures, processes, controls or other means of managing operational risk and the requirement to review the RM Framework following an “incident” was removed.
• Testing for gaps in PSP systems is a requirement for incident response frameworks. Now, the testing can be conducted at the frequency and scope determined by the PSP instead of once every three years.

Safeguarding of Funds Framework (“SF Framework”)

• The draft regulations required a review for “any” changes made to the Framework, now a review is required for “material” changes.
• Similar changes were made as above to require a senior officer’ approval for the SF Framework at least once a year and following each material change to the Framework. The PSPs board of directors (if any) must also approve the SF Framework at least once a year.
• An independent review of the SF Framework will be required once every three years rather than every two years.

Significant change or new activity

• PSPs that undertake a significant change or new activity are required to provide notice to the Bank of Canada. Under the draft regulations PSPs were required to provide all documentation of the change or new activity. PSPs now only need to list and summarize the documentation.

Reporting requirements

• The final Regulations amended the frequency to provide data on the number of PSPs and end-user from monthly to annually and reduced the historical reporting from 24 months to 12 months.

Registration requirements

• The final Regulations require a registered PSP to provide 60 days notice to the Minister prior to when the PSP intends to store and process financial and personal information in a previously undisclosed country. The draft regulations required the PSP to submit a new registration application in those circumstances, which has been removed.
• Changes have been made to the Transition Period, where new PSPs who file an application for registration outside the 15-day transition period (being November 1, 2024 to November 15, 2024) will be subject to a 60-day delay before being able to engage in retail payment activities.

Assessment fees

• The draft regulations assessment fee formula has been removed from the final Regulations.

The Regulations will come into force in the following phases

• The registration requirements will come into force on November 1, 2024, together with the administration and enforcement powers. PSPs will be required to submit their applications by November 15, 2024.
• The requirements to establish the risk management framework and the funds safeguarding framework will come into force on September 8, 2025.

This update is intended for general information only. For more information regarding the RPAA and the Regulations or for questions regarding Open Banking and Financial Technology (Fintech), please contact the Author or a member of our Banking & Finance Group.

Click here to subscribe to Stewart McKelvey Thought Leadership.

[1] Lawyers from our Banking & Finance group published a Thought Leadership piece on these regulations earlier this month.