Retail Payment Activities Act - What Now?
By Deanna Ladouceur
Your business has now registered with the Bank of Canada as a PSP during the initial registration period under the obligations of the Retail Payment Activities Act (RPAA). You might be wondering - what’s next? What are my key obligations and next steps to remain compliant within the RPAA?
Our RPAA experts have developed the detailed guide below to help all PSPs (new and existing) work out their next steps and obligations under the RPAA.
RECAP OF REGISTRATION DATES AND TIMELINES FOR PSP ACTIVITIES
If a PSP registered during the initial two-week registration period (November 1-15, 2024), it may continue performing retail payment activities or, if it was not yet operational when it registered, begin performing them without a waiting period.
If a PSP registers after November 15, 2024 but more than 60 days before September 8, 2025, it must wait 60 days after submitting its registration before beginning retail payment activities.
If a PSP registers within the 60 days before September 8, 2025, it must wait until it receives approval from the Bank of Canada before beginning retail payment activities.
Important Dates for PSPs that submitted their registration
November 1-15, 2024: The registration provisions of the RPAA came into force, and all PSPs that were already performing retail payment activities were required to submit a registration application by November 15, 2024.
Post November 15, 2024: PSPs are required to keep their registration information with the Bank of Canada up to date, and must use PSP Connect to submit any amendments and/or notices of change.
September 8th, 2025: The rest of the RPAA obligations come into force, which includes the requirements to establish risk management, safeguarding, and incident reporting frameworks.
Post September 8, 2025: The Bank of Canada will begin publishing a list of registered PSPs and a list of PSPs whose registration has been revoked.
March 31, 2026: PSPs must submit annual reporting for the previous calendar year no later than March 31.
What to Expect from the Bank of Canada
The Bank will publish a list of PSP applicants in December 2024.
The Bank will watch for individuals and entities it believes may be PSPs and invite them to register as appropriate.
Should the Bank require additional information about an application, it may contact the PSP directly.
The Bank will share certain applications with the Department of Finance Canada that trigger a national security review. Should the PSP be subject to a national security review and fail the review, the Bank will refuse registration and the PSP will be notified.
If an individual or entity believes it is a PSP and has not yet registered, it should do so as soon as possible: the Bank may take enforcement action against PSPs that are subject to the RPAA and fail to register.
PSP Obligations
In addition to registering with the Bank of Canada and keeping the registration information up to date, PSPs must:
develop and implement a risk management framework,
implement a safeguarding of funds framework (if the PSP holds end user funds at rest),
maintain comprehensive incident response and reporting plans,
establish monitoring for the purpose of the detection of incidents and breakdowns,
periodically review and test the risk management, incident response and safeguarding of funds frameworks, and
report to the Bank of Canada on an ongoing basis through change and new activity reports, notifications and annual reporting.
1. The Risk Management Program
An appropriate risk management program preserves the integrity, confidentiality and availability of retail payment activities and of the systems, data and information associated with those activities. The program must identify its objectives, define reliability targets for the performance of the retail payment activities and for the availability of the systems and data, and, where appropriate, define recovery time targets.
At a minimum, the risk management program must include documented roles and responsibilities for managing the program, and a documented asset inventory in which each asset is classified according to its criticality and sensitivity.
The PSP must take a risk-based approach to identifying the operational risks, and their potential causes, that could lead to a reduction, deterioration or breakdown of its retail payment activities. The risk assessment must cover the operational risks related to:
business continuity and resilience;
cybersecurity;
fraud;
information and data management;
information technology;
human resources;
process design and implementation;
product design and implementation;
change management;
physical security of persons and assets; and
third parties.
The risk assessment must also be proportionate to the risk arising from the PSP's business activities and relationships. For areas identified as carrying higher risk, the controls or measures implemented to mitigate that risk must be more stringent and must include enhanced ongoing monitoring. The PSP must further prioritize the risks by materiality and use that prioritization to decide which systems, policies, procedures, processes and controls are needed to mitigate them.
Additionally, the PSP must review and update the operational risks and potential causes at least annually, as new risks are identified, or after an incident has occurred. This includes assessing emerging or evolving risks resulting from changes to both external and internal environments.
The PSP must have systems, policies, procedures and controls to manage its risks and to ensure that its retail payment activities continue without reduction, deterioration or breakdown. The PSP must also document how it ensures the availability of the systems, data and information involved in its retail payment activities.
PSPs must implement processes for continuous¹ monitoring for the purpose of promptly² detecting incidents and anomalous events³ that could indicate emerging risks or lapses in the framework. Controls must be layered so that the failure or circumvention of a single protective element or control does not defeat the framework. This means the PSP must have:
indicators that identify and detect incidents and breakdowns,
controls that protect retail payment activities from risks and vulnerabilities,
procedures to escalate, respond to and recover from incidents,
compensating measures for the risks arising from third-party service providers, agents and mandataries, and
processes by which the PSP reviews and tests the risk management program, both internally and independently, including assessing and reviewing the performance of agents, mandataries and third-party service providers.
The framework must also identify the human and financial resources required to implement and maintain it, including the skill level and training required, as well as the budget and contingency funds the PSP has allocated. The Bank's guidance indicates that PSPs must also consider investments in systems and technology, as well as the measures required to ensure timely and reliable access to human and financial resources from internal or external sources.
PSPs are also required to evaluate the adequacy of the human and financial resources, both during business-as-usual operations and in the event of incidents, to determine if any adjustments are needed to continue to achieve operational risk management objectives. PSPs must review and evaluate the sufficiency of the human resources, including the adequacy of their skills and training, on an annual basis.
At least once every three years, PSPs must have a sufficiently skilled individual who has had no role in establishing, implementing or maintaining the risk management and incident response framework carry out an independent review of the framework's conformity with the obligations of the Act and Regulations.
2. Safeguarding of Funds Framework
A PSP that holds end user funds at rest must hold those funds in accordance with the requirements set out in the legislation and guidance. This means the PSP must establish segregated safeguarding accounts and maintain insurance, guarantee or trust agreements* (as applicable). The PSP will need to document:
the conditions and requirements of any end user accounts;
the agreements in place;
the conditions of any insurance or guarantee providers;
the conditions of any investments or assets used;
any liquidity arrangements; and
the overall management of the end user funds it holds.
*The AML Shop has developed a program with Alliance Trust Company (www.alliancetrust.ca) to provide Trust services to hold the funds under the Trust Agreement. Alliance Trust Company received its Trust Charter to operate as a Corporate Trust Company in December 2007.
The PSP must maintain policies and procedures covering roles and responsibilities, reporting requirements, insolvency and wind-up procedures, the processes governing end users' access to their funds, and how the PSP reviews and reports on the safeguarding framework.
The PSP must also have procedures for identifying the legal and operational risks that could prevent it from meeting its safeguarding objectives, and the means of mitigating those risks, taking into account:
the identity of the account providers that hold end user funds and, if applicable, of any insurance or guarantee providers;
the location and jurisdiction of the PSP, of the end users, of the providers of the accounts in which end user funds are held and, if applicable, of any insurance or guarantee providers;
the terms of any trust arrangement with end users, if applicable; and
the terms of any insurance policies or guarantees, if applicable.
The PSP must also maintain detailed documentation of:
how it ensures that end user funds are placed in a safeguarding account as soon as practicable upon receipt;
how they reconcile and return end user funds; and
the processes and controls for the reconciliation of ledgers of end users’ funds.
The PSP must be able to demonstrate compliance with obligations such as daily tracking of the amount of end user funds held, the amount of end user funds to be safeguarded, and the amount of end user funds safeguarded.
3. Incident Response and Reporting
PSPs are required to have documented procedures for the detection, escalation, notification and reporting of incidents. These procedures must include:
establishing clearly defined roles and responsibilities;
escalation and reporting procedures;
incident investigation processes;
documentation standards and requirements;
procedures for responding to and recovering from events and incidents;
resolution and remediation plans;
mitigating measures the PSP takes to prevent further damage; and
procedures that detail the requirement to act as soon as feasible to address the root cause of the incident.
The PSP must document an incident response plan. The plan should be proportionate to the impact that a reduction, deterioration or breakdown of the payment activities could have. When an incident occurs, the plan must provide for determining and recording:
determining the root cause(s);
possible or verified impact on retail payment activities such as downtime;
number of transactions affected;
possible or verified impact on end users and other PSPs or clearing houses and settlement systems; and
possible or verified impact on the data or information involved.
4. Notifications to the Bank
There are several instances of changes that require PSPs to notify the Bank.
a. Notification of changes to business information
The PSP must notify the Bank of any changes to business information including but not limited to:
a change in the name of the PSP or in any other name under which it performs retail payment activities;
a change in the PSP's address or any of the prescribed contact information;
any change in prescribed information in relation to affiliated entities, directors, senior managers or owners;
any change to the prescribed information in relation to agents and mandataries;
any change to prescribed information in relation to any third-party service providers; and
any change in the registration under a provincial act respecting retail payment activities.
The notice of change must be submitted through the online PSP Connect portal within 30 days of the day on which the change occurs.
b. Significant Change or New Activity
The PSP must notify the Bank before making a significant change in the way it performs a retail payment activity or before performing a new retail payment activity. The notice must be given at least 5 business days before the change takes effect or before the PSP performs the new retail payment activity. The notice to the Bank must include information such as, but not limited to:
an assessment of the effect the change will have on the risk management framework and/or on the manner in which end user funds are safeguarded; and
a list and summary of all documentation relating to the risk management or safeguarding of funds framework that has been amended or created to reflect the change or new activity.
The range of changes that could qualify as significant is broad; examples include:
starting or ceasing to outsource an activity related to the provision of retail payment activities;
making changes related to the safeguarding of end user funds, such as a change to the means of safeguarding, a change of insurance or guarantee provider, opening or closing a safeguarding account, or substantive changes to the terms of a safeguarding account agreement or of the insurance or guarantee agreements;
entering into, amending or terminating an agreement with a third-party service provider for services related to retail payment activities, where doing so could reasonably be expected to have a material impact on risk or on the manner in which end user funds are safeguarded;
starting or ceasing to use agents and mandataries for the provision of retail payment activities;
offering a new retail payment activity product or ceasing to perform a retail payment activity;
changes to the degree of participation in payment systems; and
changes to the organizational structure or level of staffing that could reasonably be expected to have a material impact on the risk management framework or on the manner in which end user funds are safeguarded.
c. Notification of change in prescribed information
PSPs are required to notify the Bank when there is a change in prescribed information, including, but not limited to:
changes in any foreign regulators;
changes of whether the PSP becomes or ceases to be publicly traded;
changes to the countries of residence or citizenship of the PSP and/or of any affiliated entities, of any individuals or entities that control the PSP, and of its board of directors and senior officers;
changes in the other PSPs for which the entity provides payment services;
changes in the contact information of any individual or entity, other than an employee, agent or mandatary, who is given access to end users' personal or financial information; and
changes to the countries in which the PSP or a third-party service provider stores or processes any personal or financial information.
The timelines to notify the Bank in the above examples range from as soon as feasible after becoming aware of the change to in some cases 30 to 60 days before the change takes effect.
5. PSP Acquisitions and New Registrations with the Bank of Canada
PSPs must file a new application for registration with the Bank of Canada before performing retail payment activities through a new legal entity, or before becoming part of a newly created legal entity resulting from the amalgamation of two or more entities.
This means the new legal entity must submit a new application for registration rather than amending an existing application.
Additionally, a new registration is required where a state-owned enterprise plans to acquire an ownership interest in a PSP, the right to appoint the PSP's CEO or other senior management, or the right to elect members of its board of directors.
The obligations of an acquisition of the PSP are outlined in guidance provided by the Bank in detail and should be reviewed by a skilled professional in each case.
6. Annual Reporting
PSPs must submit annual reporting to the Bank no later than March 31 for the previous calendar year. The first reporting cycle for all PSPs is March 2026.
Annual reporting must include, but is not limited to:
descriptions of all roles and responsibilities allocated to the program for the reporting year, including the controls for overseeing the fulfillment of those responsibilities;
information on how the PSP ensured that all persons who had a role in establishing, implementing and/or maintaining the program were provided with the information and training that was necessary to carry out their role(s);
records of the human and financial resources that were required for implementing and maintaining the program during any given reporting year;
a description of the operational risks in respect of the reporting year, including potential causes and the manner in which they were identified;
a description of any changes made to the risk management, the incident response framework, and/or the safeguarding frameworks during the reporting year;
plans for maintaining and implementing the frameworks;
information on the classification of assets and business processes during the reporting year;
details of every bank that provides end user accounts and of every provider of insurance or guarantees;
descriptions of how any assessments were carried out during the reporting year on third party service providers who provide payment functions;
descriptions of all reviews, testing, and independent reviews that were carried during the reporting year, as well as a description of testing methodology;
details of any incidents experienced during the reporting year;
the number and values of electronic funds transfers performed;
the number of end users; and
the value of end user funds held at any time during the reporting year.
1 In this context continuously means the systems, policies, procedures, controls and other means provide ongoing awareness and are analyzed at a frequency that supports risk-based decisions.
2 Promptly means that the detection must be done quickly, while taking specific circumstances into account. In other words, unless PSPs have reasonable justification for delaying, they must prioritize the detection.
3 An anomalous event is an event or activity that deviates from standard or normal operations.
For more information about the Retail Payment Activities Act, or to reach an RPAA expert, please contact us via the form below.