Frequently Asked Questions: Retail Payment Activities Act (RPAA) in Canada

Written By Mohit Gogna

1. What is the purpose of the Retail Payment Activities Act (RPAA) and its related regulations? The RPAA aims to establish a regulatory framework for payment service providers (PSPs) performing retail payment activities in Canada. The Bank of Canada's objects under the RPAA are to supervise these PSPs to ensure compliance, promote the adoption of policies and procedures that implement their obligations, and monitor trends and issues related to retail payment activities. In pursuing these objectives, the Bank must consider the efficiency of payment services and the interests of end users. The associated regulations provide detailed rules and requirements for PSPs, covering aspects like registration, safeguarding of end-user funds, risk management, and incident response.

2. Who needs to register as a Payment Service Provider (PSP) under the RPAA? Any individual or entity performing retail payment activities, which involve payment functions related to electronic funds transfers in any currency or using prescribed units, may need to register. However, certain entities are exempt, such as federally or provincially regulated banks, insurance companies, and trust and loan companies (under specific conditions). The Department of Finance Canada is also working to expand Payments Canada’s membership eligibility to include PSPs subject to the Retail Payment Activities Act, which will then make these PSPs eligible to apply for a Real-Time Rail (RTR) settlement account at the Bank of Canada.

3. What are the key requirements for a PSP's risk management and incident response framework? A PSP is required to establish and maintain a written risk management and incident response framework. This framework must include objectives for ensuring the integrity, confidentiality, and availability of retail payment activities and related systems, data, and information. It must also define measurable reliability targets and indicators for assessing the achievement of these objectives, and identify the necessary human and financial resources, including skills and training. The framework should address operational risks that could lead to a reduction, deterioration, or breakdown of payment activities, including those arising from third-party service providers and other business activities. Regular testing of the framework is also required to identify and address any deficiencies.

4. How must a PSP safeguard end-user funds under the RPAA and its regulations? PSPs performing the payment function of holding funds are required to safeguard these funds through specific means. They can either hold the funds in trust in a designated trust account that is not used for any other purpose, or in a separate account and obtain insurance or a guarantee equal to or greater than the amount held. These safeguarding accounts must be held with eligible account providers, which include certain Canadian financial institutions and foreign financial institutions that are prudentially regulated under comparable standards. PSPs must segregate end-user funds from their own and other client funds and ensure that the account provider acknowledges in writing that they have no right of set-off or compensation against the safeguarded funds for any amount owed by the PSP. The regulations also detail requirements for liquidity management and procedures for the return of funds in the event of insolvency.

5. What is the Bank of Canada's role in supervising PSPs, and what powers does it have for non-compliance? The Bank of Canada is responsible for supervising PSPs to verify compliance with the RPAA and to promote the adoption of sound practices. To fulfill this role, the Bank can request information from PSPs, examine their records, and inquire into their business affairs. In cases of non-compliance or violations of the Act or its regulations, the Bank has a range of enforcement powers. These include entering into compliance agreements, issuing notices of violation (NOVs) which may include administrative monetary penalties (AMPs), issuing compliance orders, applying to the court for enforcement, and ultimately refusing or revoking a PSP's registration.

6. What are the potential penalties for violating the RPAA or its regulations? The RPAA and its regulations establish administrative monetary penalties (AMPs) for violations, with the purpose of promoting compliance rather than punishment. Violations are classified as either serious or very serious. The maximum penalty for a serious violation is up to $1,000,000 per violation, while for a very serious violation, it is up to $10,000,000 per violation. Furthermore, a series of serious violations arising from the same provision can be reclassified as a single very serious violation.

7. What is the significance of the Real-Time Rail (RTR) and how does the Bank of Canada regulate access to it? The Real-Time Rail (RTR) is a key payment system in Canada. The Bank of Canada sets the settlement account access policy for the RTR. Entities wishing to participate directly in the RTR require a settlement account at the Bank. There are two types of settlement accounts: unrestricted and restricted. Unrestricted accounts allow the holder to settle on their own behalf and act as a settlement agent for indirect participants, while restricted accounts only permit settlement on the account holder's own behalf. Applicants for unrestricted accounts face stricter requirements due to the broader impact of a potential shortfall in their payment capacity. The Bank assesses applicants based on their financial stability and ability to maintain sufficient payment capacity for their RTR payments.

8. How does the Retail Payment Activities Act address national security concerns related to PSPs? The RPAA includes provisions for national security reviews of applications for registration. The Minister of Finance may designate persons or government authorities to receive copies of registration applications and may decide to review an application if they believe it is necessary for national security reasons. During a national security review period, the Bank of Canada is prohibited from registering the applicant unless the Minister informs the Bank that they have decided not to review the application. The Minister also has the power to issue directives to the Bank to refuse registration, require undertakings, or impose conditions on applicants or registered PSPs if deemed necessary for national security.

Timeline of Events

  • June 29, 2021: The Retail Payment Activities Act (RPAA) receives Royal Assent (S.C. 2021, c. 23, s. 177). Sections 1 to 10, 12 to 16, and 61, subsections 62(1), (3), and (4), and section 63 come into force.

  • November 1, 2024: Sections 11, 28 to 44, 49, and 51, subsection 62(2), and sections 64 to 98 and 101 to 108 of the RPAA come into force.

  • November 16, 2024: Section 23 of the RPAA comes into force.

  • October 2024 (Implied): The Bank of Canada publishes a supervisory guideline on "Operational Risk and Incident Response" for payment service providers (PSPs) under the Retail Payment Activities Regulations (RPAR). This guideline provides guidance on setting objectives for integrity, confidentiality, and availability of retail payment activities, developing reliability targets and indicators, identifying and assessing operational risks, implementing testing programs, and managing third-party service providers.

  • December 2024 (Implied): The Bank of Canada publishes a supervisory guideline on "Safeguarding End-User Funds" for PSPs under the RPAA. This guideline details the permissible means of safeguarding end-user funds, including holding them in a safeguarding account or in trust, and outlines requirements related to account providers, trust arrangements, secure and liquid assets, and procedures in case of insolvency.

  • December 2024 (Implied): The Bank of Canada publishes "Safeguarding End-User Funds - Overview of Findings from Retail Payments Supervision Consultation," indicating updates to the safeguarding guideline based on stakeholder feedback, particularly regarding the treatment of end-user funds not yet segregated.

  • February 2025 (Implied): The Bank of Canada has existing policies regarding settlement account access for Payments Canada payment systems, including the Real-Time Rail (RTR).

  • February 2025 (Implied): The Bank of Canada has processes for PSPs to notify it of significant changes or new activities and for incident notification.

  • March 17, 2025: The Bank of Canada announces planned changes to its Contingent Term Repo Facility.

  • March 18, 2025: Changes to Canada’s Debt Distribution Framework are announced.

  • March 19, 2025: The Bank of Canada will publish additional metrics to enhance CORRA transparency.

  • September 8, 2025: Sections 17 to 22, 24 to 27, 45 to 48, 50, and 52 to 60 of the RPAA come into force.

  • Future (as indicated): The Department of Finance Canada is working to expand Payments Canada’s membership eligibility criteria to include payment service providers subject to the Retail Payment Activities Act. Once eligible, these PSPs will be able to apply for an RTR settlement account at the Bank of Canada.

Mohit Gogna
Previous

End-to-End STCS Reporting: Streamline Your Monthly Compliance Cycle
Next

Understanding Anti-Money Laundering: A Comprehensive Guide for Regulated Entities in Canada