Understanding Canada’s RPAA: A Guide for Payment Service Providers

If you’re a Payment Service Provider (PSP) in Canada, you may have heard the buzz about the Retail Payment Activities Act (RPAA)—a new federal regulation that represents a significant milestone in our country’s payment landscape. Approved by Parliament in June 2021 and finalized in November 2023, the RPAA aims to regulate retail payment activities for consumer protection. 

With key deadlines approaching in November this year, it’s crucial to understand whether the RPAA applies to your business and how you can remain compliant. In this guide, we’ll give you a high-level breakdown of the RPAA, including: 

• What is the RPAA?
• Who the RPAA applies to
• Overview of RPAA regulations
• What PSPs need to know

What is the RPAA?

The RPAA is a Canadian federal regulation designed to oversee and safeguard the activities of PSPs engaged in retail payments. The act aims to protect end-user funds, mitigate operational risks, and build confidence in the Canadian retail payment sector by enforcing standards.

Who the RPAA Applies to

The RPAA primarily targets PSPs, defined as entities performing functions that result in electronic fund transfers. Generally, the scope of the RPAA is broad and applies to PSPs that provide services including maintaining payment accounts, holding end-user funds, initiating or authorizing electronic funds transfers (EFTs), and providing clearing or settlement services. This applies to both domestic and foreign PSPs operating in Canada​​.

To break it down, you may be a PSP if you perform at least one of the following functions, according to the Bank of Canada’s guidelines: 

• You provision or maintain an account that is held on behalf of one end user or more
• You hold funds on behalf of an end user
• You initiate an electronic funds transfer at the request of an end user
• You authorize an electronic funds transfer or transmission, or receive or facilitate an instruction in relation to an electronic funds transfer 
• You provision clearing or settlement services

What is an end user? The Bank of Canada describes them as: “the individuals or entities located at the end points of retail payment transactions.” Your end users may not be your direct customers when an electronic funds transfer involves several PSPs.

However, not all businesses engaged in payment activities are included in the RPAA. There are two exclusion types outlined by the Bank of Canada:

• Entity-based exclusions — Banks, insurance companies, provincially regulated financial institutions, and others on a select list. 
• Activity-based exclusions — Retail payment activities posing limited risk to end users, or activities that are heavily regulated or not considered to be retail payments. 

That said, it’s best to err on the side of caution. To do so, explore the detailed guidelines from the Bank of Canada designed to help you determine if you are subject to the RPAA.

Overview of RPAA Regulations

RPAA regulations are designed to build public confidence in the payment system and facilitate fair competition and innovation. The guidelines can be broken down into four categories: 

1. Operational Risk and Incident Response

PSPs must create tailored risk management and incident response frameworks, which include annual reviews, detailed documentation of roles and responsibilities, and continuous monitoring for potential risks. They will need structured plans for incident response, root cause identification, and recovery. 

Additionally, PSPs must address auditor-identified gaps, assess third-party service providers' performance and risks, and implement controls when using agents to stay compliant. Regular testing will ensure these frameworks maintain the integrity, confidentiality, and availability of their systems and data.

2. Safeguarding End-User Funds

To protect consumers, PSPs must ensure end-user funds are accessible and protected from financial loss in case of insolvency. This involves segregating the funds from their own and promptly placing them in a safeguarded account. They are required to establish comprehensive frameworks that include maintaining accurate end-user records, addressing liquidity demands, mitigating risks, documenting reimbursement procedures, assigning a responsible officer, and conducting regular reviews. 

Additionally, PSPs must investigate any instances of incorrect fund safeguarding and undergo independent compliance reviews every three years.

3. Significant Change Reporting

PSPs need to notify the Bank of Canada at least five business days before making any major changes to their payment operations or starting new payment activities. This advance notice ensures that the Bank is informed and can oversee the changes effectively.

4. Incident Notification

If PSPs become aware of an incident that significantly impacts an end user, another PSP, or a clearing house of a clearing and settlement system, they must quickly notify the affected individuals or entities, as well as the Bank of Canada.

What PSPs Need to Know

1. Compliance Deadlines and Phases

The RPAA will be rolled out in phases. If you’re a PSP, you’ll need to register with the Bank of Canada and submit an application between November 1 - 15, 2024. 

PSPs already offering retail payment services can continue during the transition period, which lasts until September 7, 2025, as long as they apply within the specified window. Full compliance, including ongoing risk monitoring and reporting, will be enforced by 2025.

2. How to Register 

The Bank of Canada will be launching an online portal called PSP Connect where you can complete registration. In the meantime, you can begin collecting the following information that will be required at registration: 

• Contact information, including for any third parties, agents, and affiliated entities
• Business structure, ownership, debtholders and key staff
• Retail payment functions, including any agents and mandataries or affiliates that may be performing retail payment functions on your behalf
• The actual or projected values and volumes of end-user funds held, both inside and outside of Canada
• The actual or projected number of end-users, both inside and outside of Canada
• The method(s) you use or plan to use to safeguard end-user funds
• Whether you have in place or have plans to establish a risk management and incident response framework
• Any registrations for retail payment activities with FINTRAC or under any other federal, provincial or territorial act

See more details in the Bank of Canada’s step-by-step guide to completing the RPAA registration application. 

3. Potential Penalties for Non-Compliance

Non-compliance with the RPAA can lead to severe penalties, including fines and the revocation of registration. The Bank of Canada has several tools to address violations. If a PSP fails to meet the terms of a compliance agreement, they will receive a Notice of Default and incur additional penalties. Serious violations can result in fines up to $1 million per violation, while very serious violations can lead to fines up to $10 million per violation. Retailers must adhere to these regulations to avoid legal and operational disruptions.

Get Help with RPAA Regulations 

The RPAA requires PSPs to hold end-user funds in a trust or segregated account with insurance or a guarantee. In support of our valued PSP clients, DCGroup, in partnership with Digital Commerce Bank, is developing a product to provide PSPs segregated trust accounts in order to meet the safeguarding of funds requirements under the RPAA. Please get in touch today to learn more!