Final retail payment activities regulations released
By Kevin Landry & Eryka Gregory
The Retail Payment Activities Regulations (“Regulations”) under the Retail Payment Activities Act (“RPAA”) were finalized and published in the Canada Gazette Part II on November 23, 2023. The RPAA was enacted by the Federal Government in June 2021 with the objective of regulating retail payment service providers (“PSPs”) in Canada. A draft version of the Regulations (“draft regulations”) were released earlier this year and were open for comment[1] – this represents another step forward for fintech in Canada.
Material changes to the draft regulations
The final Regulations are substantially similar to the draft regulations with some key changes to note, which appear to lessen the regulatory burden:
Risk Management and Incident Response Framework (“RM Framework”)
- Previously, PSPs were prohibited from resuming operations following an ‘incident’ (as defined in the RPAA, and in essence means an event reasonably expected to result in the breakdown of any retail payment activity that is performed by a PSP) until it is verified that the integrity and confidentiality of all systems, data and information had been restored. Under the final Regulations, PSP’s can resume operations while addressing the incident.
- It was clarified that the requirement for a PSP to annually assess Third-party Service Providers for things like security and data protection only applies to Third-party Service Providers that provide services related to a payment function.
- Approval of the RM Framework must now be approved by a senior officer of the PSP at least once a year and following each material change to the Framework. The PSPs board of directors (if any) must also approve the RM Framework at least once a year.
- Review of a PSPs RM Framework was modified to be required after “material” change to its operations or its system policies, procedures, processes, controls or other means of managing operational risk and the requirement to review the RM Framework following an “incident” was removed.
- Testing for gaps in PSP systems is a requirement for incident response frameworks. Now, the testing can be conducted at the frequency and scope determined by the PSP instead of once every three years.
Safeguarding of Funds Framework (“SF Framework”)
- The draft regulations required a review for “any” changes made to the Framework, now a review is required for “material” changes.
- Similar changes were made as above to require a senior officer’ approval for the SF Framework at least once a year and following each material change to the Framework. The PSPs board of directors (if any) must also approve the SF Framework at least once a year.
- An independent review of the SF Framework will be required once every three years rather than every two years.
Significant change or new activity
- PSPs that undertake a significant change or new activity are required to provide notice to the Bank of Canada. Under the draft regulations PSPs were required to provide all documentation of the change or new activity. PSPs now only need to list and summarize the documentation.
Reporting requirements
- The final Regulations amended the frequency to provide data on the number of PSPs and end-user from monthly to annually and reduced the historical reporting from 24 months to 12 months.
Registration requirements
- The final Regulations require a registered PSP to provide 60 days notice to the Minister prior to when the PSP intends to store and process financial and personal information in a previously undisclosed country. The draft regulations required the PSP to submit a new registration application in those circumstances, which has been removed.
- Changes have been made to the Transition Period, where new PSPs who file an application for registration outside the 15-day transition period (being November 1, 2024 to November 15, 2024) will be subject to a 60-day delay before being able to engage in retail payment activities.
Assessment fees
- The draft regulations assessment fee formula has been removed from the final Regulations.
The Regulations will come into force in the following phases
- The registration requirements will come into force on November 1, 2024, together with the administration and enforcement powers. PSPs will be required to submit their applications by November 15, 2024.
- The requirements to establish the risk management framework and the funds safeguarding framework will come into force on September 8, 2025.
This update is intended for general information only. For more information regarding the RPAA and the Regulations or for questions regarding Open Banking and Financial Technology (Fintech), please contact the Author or a member of our Banking & Finance Group.
Click here to subscribe to Stewart McKelvey Thought Leadership.
[1] Lawyers from our Banking & Finance group published a Thought Leadership piece on these regulations earlier this month.
Archive
By Killian McParland and Sophie Poulos There have been many changes in recent months affecting employers governed by federal labour and employment laws. In September 2024, Stewart McKelvey will be hosting a webinar to review…
Read MoreBy Mark Tector and Annie Gray What’s changing? Currently, workers’ compensation coverage in Nova Scotia applies to only a narrow subset of psychological injuries. Specifically, in Nova Scotia – as in all Atlantic Provinces –…
Read MoreBy Sean Kelly & Michiko Gartshore Professional regulators can incur substantial costs through discipline processes. These costs are often associated with investigations, hearings as well as committee member expenses and are an unfortunate by-product of…
Read MoreBy Christine Pound, ICD.D., Twila Reid, ICD.D., Sarah Dever Letson, CIPP/C, Sheila Mecking, Hilary Newman, and Daniel Roth Introduction The first reports under the Fighting Against Forced Labour and Child Labour in Supply Chains Act (the…
Read MoreBy Sheila Mecking and Sarah Dever Letson A recent decision out of the Court of King’s Bench of New Brunswick,[1] upheld the Municipality of Tantramar’s decision to withhold a Workplace Assessment Report under section 20(1)…
Read MoreBy Sean Kelly & Tiegan Scott Earlier this month, the Provincial Court of Nova Scotia issued its sentencing decision in R v The Brick Warehouse LP, 2024 NSPC 26, imposing a monetary penalty of $143,750 (i.e.,…
Read MoreBy Kevin Landry On April 15, 2024, the Canadian federal budget was released. Connected to the budget was an explanation of the framework for Canada’s proposed implementation of Open Banking (sometimes called consumer-driven banking). This follows…
Read MoreBy Nancy Rubin and James Gamblin The Government of Nova Scotia has embarked on a path to dramatically reshape the regulation and governance of the energy sector with the passage of Bill 404, the Energy…
Read MoreBy Kathleen Starke and Annie Gray Human rights landscape Human rights legislation prohibits discrimination in specific contexts, including employment and the provision of services. In all Atlantic Provinces, Human Rights Commissions are responsible for enforcing…
Read MoreBy Sheila Mecking and Michiko Gartshore Subtle discrimination can have a much stronger and longer effect on employees when not properly addressed. It can also result in costly consequences for an employer who does not…
Read More