Final Regulations published
As anticipated, the Retail Payment Activities Regulations (Regulations) are set to be published on Nov. 22, 2023, bringing Canada much closer to regulating payments businesses, including paytechs and certain fintechs (collectively referred to as payment service providers or PSPs) under a formal retail payments supervisory framework (the Framework) overseen by the Bank of Canada (the Bank).
What you need to know:
- PSPs will have to submit a registration application to the Bank between Nov. 1 and Nov. 16, 2024.
- The Bank will be required to notify applicants if they have been registered or refused registration on Sept. 8, 2025. This date is also when the compliance requirements kick in.
- During the transition period, the Bank may request further information from applicants. Applicants’ information will also be shared with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) and the federal Minister of Finance.
- Reasons to refuse an applicant’s registration could include, for example, that the applicant is not registered as a money service business with FINTRAC, that the applicant has provided false or misleading information, or that the Minister of Finance has directed the Bank to refuse the applicant on national security grounds.
- The Regulations are substantially similar to the Draft Regulations that were consulted on earlier this year.
- The Regulations finalize specific compliance and operational requirements for (1) creating and implementing a risk management and incident response framework that is reviewed annually (or before material changes) by the business, (2) safeguarding end-user funds, (3) reporting, (4) registration and (5) record keeping.
Finalized regulations address some public consultation concerns
The Department of Finance and the Bank consulted payment industry stakeholders in the development and finalization of the Regulations. The Bank published a summary of a consultation discussion that it held with its Retail Payments Advisory Committee.
What’s changed from the Draft Regulations?
The Regulations are very similar to the Draft Regulations, with a few notable changes
- The Regulations add the requirement that a PSP’s risk management framework and safeguarding-of-funds framework be approved by its board of directors, if any, at least once a year (i.e., approval by a senior officer alone is insufficient).
- PSPs will require an independent review of their safeguarding-of-funds framework just once every three years, as opposed to once every two years. PSPs will be required to review their safeguarding-of-funds framework upon any change to the provider of the account where funds are held. This may broadly impact PSPs who holds aggregate accounts at banks or other financial institutions that experience a change.
- The manner in which requirements apply to a PSP’s third-party service providers has been limited only to third-party service providers that perform services that are otherwise subject to the RPAA.
- PSPs are also to report the average value of end-user funds held at the end of each day for end users in Canada (in Canadian dollars), as well as the average value of end-user funds (expressed in the currency applicable) held at the end of each day for end users in Canada, and those held for all end users. PSPs must now also report the name of any other PSP in Canada for which it plans to perform a retail payment activity in the subsequent two years (the Draft Regulations only required this for the previous two years).
- One notable change is that the Draft Regulations’ formula for assessment fees (cost recovery) has been removed from the Regulations, though the Bank of Canada will still have a legislative requirement to recover fees from registered PSPs. Given that the Bank recently published a consultation paper on the reporting of payments values and volumes, which was proposed in the Draft Regulations as the key factor to ascertain fees, policy work on this aspect may still be underway.
Who is subject to the new supervisory Framework?
It is estimated that approximately 2,500 PSPs will be impacted by the Framework, due to its broad scope.
The Framework will apply to any retail PSP (located inside or outside of Canada)1 when performing one or more of the following payment functions in the context of an electronic funds transfer (EFT):
- Providing and maintaining a payment account
- Initiating payment(s)
- Authorizing and transmitting EFTs, or facilitating instructions related to an EFT
- Holding funds on behalf of end users
- Providing clearing or settlement services
Who is excluded from the Framework?
Despite the broad definition of payment functions listed above that are expected to be subject to the Framework, the Regulations provide further clarification on who is exempt from the Framework.
To prevent regulatory and supervisory duplication, the Act empowers the Governor of the Bank to exempt certain entities or classes of entities from certain provisions of the Framework if they are already subject to substantially similar provisions in another Canadian federal or provincial law.
Specifically, the Act excludes from the Framework certain types of transactions that pose limited risk to end users.
The Regulations further exclude transactions that are already regulated (or already exempted from regulation) under Canadian securities laws and SWIFT, as well as payment activities that are considered “incidental” to another service or business. The Bank has committed to provide further information on the meaning of incidental in the near future. Our team will continue to monitor for these developments.
If you would like to know more about the Act, its Regulations or have any questions regarding the impact the coming Framework might have on your business activities, please do not hesitate to reach out to the authors of this article or any member of BLG’s Financial Services Regulatory Group.
For more information on the Framework or related financial services regulatory matters, please feel free to contact any of the authors below.
1 A PSP that is located outside of Canada is subject to the RPAA in respect of any retail payment activity (as applicable) that is performed for an end user in Canada.