a hand holding a guitar

Insights

ARTICLE

Four-step test for PSPs: First supervisory policies to describe registration criteria for Retail Payment Activities Act

On the heels of the recently finalized Retail Payment Activities Regulations, the Bank of Canada (the Bank) has shared a trove of information, including supervisory policies, case scenarios, and frequently asked questions (collectively referred to as “Guidance”), to expound on its interpretation of who will be subject to its new mandate. The Guidance represents a continuation of the wide net that the Government of Canada has cast by way of the Retail Payment Activities Act (the RPAA), and its stated expectation that approximately 2,500 companies will be required to register with the new regime. 

As we have previously mentioned, payment service providers (PSPs) will be required to register with the Bank of Canada in November 2024 and begin complying with supervisory expectations by September 2025.

One of the advantages of registration is that, following anticipated amendments to the Canadian Payments Act, registered PSPs may be eligible to become members of Payments Canada and to access other core payment systems such as the real-time rail (once it is operational).

The four-step test to determine registration

The Bank’s Guidance characterizes who will need to register using a four-step test, which can be summarized as follows:

  1. Are you a payment service provider?
  2. Do you perform a retail payment activity?
  3. Where is your place of business?
  4. Are you or your activities excluded from the RPAA?

Step 1: Payment service provider

PSPs are individuals or entities that perform payment functions as a service or business activity that is not incidental to another service or business activity. The Bank’s Guidance expands significantly on its view of how the payment functions and incidental should be interpreted.

Payment functions

i. Providing or maintaining a payments account

You are providing or maintaining an account on behalf of an end user if you store end-user personal or financial information in relation to future electronic funds transfers (EFTs). Personal or financial information is defined very broadly to include virtually any end user information that could be used to facilitate an EFT. Notably, you may be performing this payment function even if customers do not have direct access to their account.

ii. Holding funds

You are holding funds on behalf of an end user if you keep funds at rest and available for future withdrawal or transfer by a payer or payee (i.e., end user). Notably, funds in transit are not deemed to be held; this is important as the end-user funds safeguarding expectations will apply to PSPs that are deemed to hold funds.

iii. Initiating EFTs

You are initiating an EFT if you are the individual or entity that launches the first payment instruction enabling an EFT requested by a payer or payee. The Bank distinguishes between push payments and pull payments; ultimately, the key point is that for any particular transaction, only one individual or entity performs initiation, and it is the individual or entity that captures the data inputs from the payer and payee at the onset of the transaction.

iv. Authorizing EFTs or transmitting, receiving, or facilitating instructions in relation to EFTs

This payment function appears to be the broadest, as it includes several components. In terms of authorization, the key question to consider is whether you enable an EFT to happen. For example, if you request that an end user confirm sending or receiving an EFT, confirm whether the end user has sufficient funds, establish a pre-authorized payments arrangement with end users, or debit or credit accounts, then you are authorizing EFTs.

In terms of transmission, reception, and facilitations, the key question is whether you send or receive payment instructions. Notably, the Bank also states that providing the infrastructure that enables payment instructions to be sent or received is also covered by this payment function, which could significantly broaden the scope of PSPs to include various technology providers.

v. Clearing and settlement services

Activities that could meet the threshold of clearing services include several activities that are a precursor to settlement, such as acting as a clearing agent in connection with a clearing and settlement system, calculating final positions and netting positions, and confirming availability of funds for settlement.

Settlement refers to the discharge of an obligation. According to the Bank’s Guidance, you are only performing settlement services if you provide settlement services to other entities (which can include other PSPs). Therefore, internal settlement amongst different end users of a single PSP would not be considered settlement for these purposes.

Incidental

Incidental has long been one of the most enigmatic parts of the RPAA. Given the breadth of the payment functions described above, the incidental analysis may be pivotal to excluding entities that would otherwise be required to register with the Bank.

The Bank has published a few guiding principles and indicators with respect to what constitutes “incidental”. The Bank states that you are likely not a PSP if you perform payment functions only to directly support a non-payment service or business activity you undertake, in which case your payment functions may be considered incidental to your non-payment business. For example, if the payment functions are performed because they are necessary to a non-payment service or activity, then it would be incidental and therefore exempt from the RPAA.

On the other hand, the Bank posits that you are likely a PSP if you perform a payment function as a distinct service or business activity that does not exclusively support a non-payment service or business activity.

The Bank has described some indicators that it cautions should not be rigidly applied and that the Bank will weigh subjectively to conduct a contextual analysis based on the evidence and information available in each case. The indicators include:

  • Revenues or commercial advantage: A payment function is likely not an incidental service or business activity if it directly generates revenues or provides you with a direct commercial advantage.
  • End-user expectations: If an end user can reasonably expect or understand to be receiving payment services when using or receiving the services you offer, this could indicate that the payment function is a distinct service and is not incidental to your other non-payment service or business activity.
  • Marketing/advertising: Marketing or advertising the payment functions you perform can indicate that you offer the payment functions as a separate service or business activity and therefore they are not performed incidentally.

While the indicators are helpful, applying them on a case-by-case basis requires substantial analysis of each activity, and any determination remains subject to the Bank’s discretion.

Step 2: Retail payment activity

Retail payment activities are payment functions performed in relation to EFTs that are made in Canadian or foreign currency, or using a “unit that meets prescribed criteria”. There is currently no other prescribed unit. In line with the Bank’s Guidance, it may be helpful to think of a payment function as preceding an EFT (e.g., a payment instruction is initiated and authorized, followed by the actual movement of funds).

Currently, registration requirements only apply to fiat currencies (e.g., CAD, USD, etc.) and do not apply to virtual currencies. However, further criteria could be prescribed in the regulations that would include other units (e.g., virtual currency units).

Step 3: Place of business (Domestic vs. Foreign)

For PSPs who have a place of business in Canada, this step is clear. However, the analysis is more nuanced for PSPs that operate from outside of Canada, in which case the RPAA only applies to PSPs that perform retail payment activities for an end user in Canada and direct retail payment activities at individuals or entities in Canada. The language used in the RPAA and the Bank’s Guidance are similar to the approach taken by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) with respect to foreign money service businesses.

The Bank states that factors to consider to ascertain whether an end user is in Canada include the end user’s IP address at the time the payment function was performed, the shipment address of goods or the address where services are provided is in Canada, or if the end user’s payment product or service (e.g., banking services; debit, prepaid, or credit card; or payment processing service) is localized for the Canadian market.

In terms of directing services at those in Canada, the Bank takes a very similar approach to FINTRAC by considering, for example, whether a business markets or advertises at those in Canada, its website has a “.ca” domain name, or is listed in a Canadian business directory.

At the same time, FINTRAC and the Bank have taken opposite approaches to determining when an individual is considered “in Canada”. FINTRAC’s guidance for foreign MSBs states that an individual may be deemed to be "in Canada" even when they are temporarily living, attending school, working, or vacationing outside of Canada. Conversely, the Bank’s guidance for foreign PSPs states that an individual will not be considered to be in Canada when they are temporarily living outside of Canada, attending school outside of Canada, working outside of Canada or vacationing outside of Canada. The Bank’s approach for the RPAA is reasonable because if Canadians who temporarily traveled abroad were considered “in Canada”, then foreign PSPs around the world could inadvertently be scoped in to the RPAA when they service Canadians who are abroad.

Step 4: Exclusions

The Bank differentiates between entity-based and activity-based exclusions. Entity-based exclusions scope out entire entities from the application of the RPAA; these include banks and authorized foreign banks, insurance companies, and trust companies.

Activity-based exclusions scope out certain activities from the RPAA, but do not necessarily mean that the entity as a whole is excluded from the RPAA (the entity can still be required to register as a PSP if it performs other activities that are not excluded from the regime). For example, payment functions performed in relation to merchant instruments (e.g., specific gift cards or vouchers) are activities that are excluded. Further, “eligible financial contracts” and transactions related to securities performed by individuals or entities that are regulated or exempted from regulation under Canadian securities legislation as defined in National Instrument 14-101 Definitions of the Canadian Securities Administrators are excluded.

With respect to the exemption for systems designated by the Payment Clearing and Settlement Act (PCSA), it is clear that the Bank takes a very narrow view to the exemption to only include the operators of those designated systems. For example, the Bank states that participating in or using the designated system does not exclude a PSP from having to register. Rather, an individual or entity must register if it performs any payment function outside of the designated system.

In terms of agents of PSPs, registered PSPs are responsible for ensuring that its agents comply with the RPAA’s requirements and therefore the agent does not have to independently register with the Bank. However, if an agent also performs retail payment activities outside of the agency relationship it has with a registered PSP, it may be required to register as a PSP independently.

Affiliated entities that each individually perform payment functions are not excluded from registering as a PSP. Therefore, subsidiaries may be required to register separately even if their parent organization is already registered.

Businesses now have more to think about when assessing whether or not their activities are subject to the new regime.

Next steps

If you would like to know more about the RPAA, its regulations or have any questions regarding the impact it may have on your business activities, please do not hesitate to reach out to the authors of this article or any member of BLG’s Financial Services Regulatory Group.

For more information on the Framework or related financial services regulatory matters, please feel free to contact any of the authors below.

Key Contacts