If you’re a Payment Service Provider (PSP) in Canada, you may have heard the buzz about the Retail Payment Activities Act (RPAA)—a new federal regulation that represents a significant milestone in our country’s payment landscape. Approved by Parliament in June 2021 and finalized in November 2023, the RPAA aims to regulate retail payment activities for consumer protection.
With key deadlines approaching in November this year, it’s crucial to understand whether the RPAA applies to your business and how you can remain compliant. In this guide, we’ll give you a high-level breakdown of the RPAA, including:
The RPAA is a Canadian federal regulation designed to oversee and safeguard the activities of PSPs engaged in retail payments. The act aims to protect end-user funds, mitigate operational risks, and build confidence in the Canadian retail payment sector by enforcing standards.
The RPAA primarily targets PSPs, defined as entities performing functions that result in electronic fund transfers. Generally, the scope of the RPAA is broad and applies to PSPs that provide services including maintaining payment accounts, holding end-user funds, initiating or authorizing electronic funds transfers (EFTs), and providing clearing or settlement services. This applies to both domestic and foreign PSPs operating in Canada.
To break it down, you may be a PSP if you perform at least one of the following functions, according to the Bank of Canada’s guidelines:
What is an end user? The Bank of Canada describes them as: “the individuals or entities located at the end points of retail payment transactions.” Your end users may not be your direct customers when an electronic funds transfer involves several PSPs.
However, not all businesses engaged in payment activities are included in the RPAA. There are two exclusion types outlined by the Bank of Canada:
That said, it’s best to err on the side of caution. To do so, explore the detailed guidelines from the Bank of Canada designed to help you determine if you are subject to the RPAA.
Overview of RPAA Regulations
RPAA regulations are designed to build public confidence in the payment system and facilitate fair competition and innovation. The guidelines can be broken down into four categories:
1. Operational Risk and Incident Response
PSPs must create tailored risk management and incident response frameworks, which include annual reviews, detailed documentation of roles and responsibilities, and continuous monitoring for potential risks. They will need structured plans for incident response, root cause identification, and recovery.
Additionally, PSPs must address auditor-identified gaps, assess third-party service providers' performance and risks, and implement controls when using agents to stay compliant. Regular testing will ensure these frameworks maintain the integrity, confidentiality, and availability of their systems and data.
2. Safeguarding End-User Funds
To protect consumers, PSPs must ensure end-user funds are accessible and protected from financial loss in case of insolvency. This involves segregating the funds from their own and promptly placing them in a safeguarded account. They are required to establish comprehensive frameworks that include maintaining accurate end-user records, addressing liquidity demands, mitigating risks, documenting reimbursement procedures, assigning a responsible officer, and conducting regular reviews.
Additionally, PSPs must investigate any instances of incorrect fund safeguarding and undergo independent compliance reviews every three years.
3. Significant Change Reporting
PSPs need to notify the Bank of Canada at least five business days before making any major changes to their payment operations or starting new payment activities. This advance notice ensures that the Bank is informed and can oversee the changes effectively.
4. Incident Notification
If PSPs become aware of an incident that significantly impacts an end user, another PSP, or a clearing house of a clearing and settlement system, they must quickly notify the affected individuals or entities, as well as the Bank of Canada.
What PSPs Need to Know
1. Compliance Deadlines and Phases
The RPAA will be rolled out in phases. If you’re a PSP, you’ll need to register with the Bank of Canada and submit an application between November 1 - 15, 2024.
PSPs already offering retail payment services can continue during the transition period, which lasts until September 7, 2025, as long as they apply within the specified window. Full compliance, including ongoing risk monitoring and reporting, will be enforced by 2025.
2. How to Register
The Bank of Canada will be launching an online portal called PSP Connect where you can complete registration. In the meantime, you can begin collecting the following information that will be required at registration:
See more details in the Bank of Canada’s step-by-step guide to completing the RPAA registration application.
3. Potential Penalties for Non-Compliance
Non-compliance with the RPAA can lead to severe penalties, including fines and the revocation of registration. The Bank of Canada has several tools to address violations. If a PSP fails to meet the terms of a compliance agreement, they will receive a Notice of Default and incur additional penalties. Serious violations can result in fines up to $1 million per violation, while very serious violations can lead to fines up to $10 million per violation. Retailers must adhere to these regulations to avoid legal and operational disruptions.
Get Help with RPAA Regulations
The RPAA requires PSPs to hold end-user funds in a trust or segregated account with insurance or a guarantee. In support of our valued PSP clients, DCGroup, in partnership with Digital Commerce Bank, is developing a product to provide PSPs segregated trust accounts in order to meet the safeguarding of funds requirements under the RPAA. Please get in touch today to learn more!