Learn what will be expected of payment service providers and how the Bank will supervise them under the Retail Payment Activities Act.
The Department of Finance Canada published proposed regulations in Part I of the Canada Gazette to help clarify details of the Retail Payment Activities Act (RPAA).
To fulfill our obligations under the RPAA, we developed a supervisory framework for retail payments supervision. This framework establishes important principles that stem from the legislation and regulations and supports our supervisory activities:
- risk monitoring
We will publish guidance on registration, risk monitoring and enforcement to help PSPs understand what is expected of them. Together, the legislation, regulations and guidance make up our supervisory expectations.
Individuals or entities who meet the following four criteria must register with us by submitting an application along with a registration fee.
Four criteria for registration
Be a payment service provider
- Perform one or more payment functions as a service or business activity that is not incidental to another service or business activity
Perform a retail payment activity
- Perform payment functions related to an electronic funds transfer made in Canadian or foreign currencies (excluding digital currencies)
Meet certain geographic scope
- Have a place of business in Canada
- Have a place of business outside of Canada but perform retail payment activities for an end user in Canada and direct retail payment activities at individuals or entities in Canada
Perform payment functions that are not excluded from the RPAA and associated regulations
- Individuals and entities excluded under the RPAA include:
- banks and authorized foreign banks (pursuant to the Bank Act)
- credit unions, insurance companies, and trust and loan companies
- a loan company that is provincially regulated
- agents and mandataries of PSPs
- Payments Canada
- Activities excluded under the RPAA include:
- transactions using automatic banking machines
- internal transactions among affiliated entities
Process for registration
We are developing a web application (PSP portal) for applicants and registered PSPs. Among other activities, applicants and registered PSPs will be required to use the PSP portal to:
- submit their registration information
- keep their information up to date
- pay the registration fee
- comply with the reporting requirements under the RPAA
Transition period for registration
The RPAA includes a transition period for individuals or entities to apply for registration and for us to process applications. Individuals or entities that currently provide retail payment services can continue to provide these services during the transition period but only if they have submitted an application.
The RPAA prohibits us from informing applicants of the outcome of their application during the transition period.
What to expect
Once an individual or entity submits an application and pays the associated registration fee, we will begin reviewing the application.
During the review period, we will share the applications of individuals and entities who meet the registration criteria of the RPAA with:
- the Department of Finance Canada to conduct a national security review
- the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)
Applicants may need to respond to requests for information to allow us to process their application.
Applicants are responsible for keeping their information up to date.
Once registered, PSPs must:
- comply with the requirements of the RPAA
- pay an annual assessment fee
Registration may be refused or revoked if the applicant:
- fails to meet the criteria for registration
- fails to provide additional information that was requested
- provides false or misleading information
- ceases to perform retail payment activities
- commits a violation under the RPAA.
We can also refuse or revoke registration from applicants based on information provided by FINTRAC.
We must refuse or revoke registration related to a directive from the Minister of Finance if:
- national security reasons exist
- the applicant fails to provide additional information to the Minister
- the applicant fails to comply with undertakings or conditions
- the applicant provides false or misleading information
Registered PSPs must submit a new registration application if an individual or entity plans to acquire them. The new application must be submitted before the acquisition takes place.
Individuals or entities whose registration has been refused or revoked may submit a new application if they wish to perform retail payment activities.
Publication of registration decisions
We will publish registration decisions on our website, including a list of:
- registered PSPs
- individuals or entities that had their registration refused or revoked and the reasons why, including if a PSP has stopped operating
As part of our supervisory role under the RPAA, we will assess registered PSPs with respect to their:
- operational risk management and incident response framework
- safeguarding of end-user funds, if applicable
Mitigating operational risk and responding to incidents
PSPs will need to have a framework in place to manage operational risk and respond to incidents. They must also report any incident that has a material impact on end users, other PSPs or certain clearing and settlement systems.
Safeguarding end-user funds
PSPs that hold end-user funds must implement measures to safeguard these funds until they are withdrawn or transferred.
PSPs are required to submit the following reports to support the monitoring and assessment of their compliance with our supervisory expectations:
- Purpose: To provide us with up-to-date registration information and information about operational risk management, incident response and safeguarding practices for end-user funds, if applicable
- Due date: Yearly on the same day for all PSPs (to be specified in the regulations)
Significant change or new activity report
- Purpose: To notify us before a significant change in the way the PSP performs a retail payment activity or before it performs a new retail payment activity
- Due date: Required within a certain time frame before the change is made (to be specified in the regulations)
- Purpose: To notify us of incidents that have a material impact on end users, other PSPs or certain clearing and settlement systems
- Due date: Required within a certain time frame of the incident occurring (to be specified in the regulations)
We will assess a PSP’s compliance with the requirements in the RPAA and its associated regulations using information gathered from various means, including:
- responses to requests we send to PSPs
- reports submitted by registered PSPs, including annual, significant change and incident reports
Our assessments could include:
- A desk review—We may ask PSPs to submit information and documents, such as policies and procedures, for our review. This review may involve meetings and discussions with PSPs.
- An on-site visit—Our staff may make an on-site visit to observe practices, examine material or participate in meetings and discussions.
- A special audit—We may ask a PSP to have a special audit conducted and to submit the results to us.
We expect PSPs who receive a request for information to answer our questions and submit supporting documents, if applicable, to help with our assessment. PSPs will be required to provide this information to us within a time frame to be specified in the regulations.
Once we complete our assessment, we may identify gaps as well as corrective measures to address these gaps. PSPs can choose how to address and correct the issues identified. We will then confirm that they have implemented the identified corrective measures.
What to expect
We will set a minimum frequency by which we will assess each PSP’s compliance with our supervisory expectations. This will allow us to:
- take a risk-based approach to our analysis
- work efficiently
- promote compliance
We recognize that PSPs have different business structures and operational processes. We will therefore consider the risk posed by each PSP when determining if they meet our supervisory expectations.
We will contact non-compliant PSPs to:
- inform them of compliance gaps
- take enforcement action where appropriate
We have a set of enforcement tools and actions to address violations of the RPAA and its regulations. Enforcement actions aim to promote compliance and support confidence in the Canadian retail payments sector.
We may investigate PSPs to identify if there are gaps in their compliance with the RPAA and its regulations. If we have reasonable grounds to believe that a violation has occurred, we may take enforcement action against a PSP.
To identify a violation, we can use any information gathered during risk-monitoring and registration activities to aid an investigation. We could use the following methods to collect evidence:
We can take enforcement actions against PSPs who do not:
- register with us
- submit their mandatory reports
- respond to an information request
- comply with the required operational risk and incident response practices as stipulated in the RPAA
- comply with the required safeguarding practices for end-user funds as stipulated in the RPAA
Under the RPAA, we can use any of the following enforcement tools depending on the violation.
We can enter into a formal compliance agreement with a PSP to rectify non-compliance, including concerns regarding the PSP’s operational risk or safeguarding practices for end-user funds.
In some cases, if a PSP does not adhere to the terms of a compliance agreement, we can issue a notice of violation (NOV). If the PSP does not comply with a compliance agreement that was tied to a NOV, we may issue a notice of default, which leads to an additional penalty, to be prescribed in the regulations.
Notice of violation
We can issue a NOV with respect to violations of the RPAA. A NOV could be accompanied by:
- An administrative monetary penalty (AMP)—Regulations will define criteria that we will consider when determining the amount of the monetary penalty. AMPs are intended to encourage compliance with the RPAA and are not intended to be punitive.
- An offer to enter into a compliance agreement—If a PSP agrees to a compliance agreement, the AMP is reduced by half. The reduced AMP is intended to encourage the PSP to follow the compliance agreement and encourage them to direct their resources to address the underlying issue. If the PSP fails to meet the terms and conditions of the compliance agreement, the PSP is liable to pay the remaining half and an additional penalty that will be specified in the regulations.
Once we complete all proceedings of our enforcement action, we will publish NOVs on our website. NOVs will include:
- the name of the PSP
- the nature of the violation
- the amount of the AMP imposed, if applicable
If the Governor believes that a PSP is committing, or is about to commit, an act that could have a significant adverse impact on end users, other PSPs or certain clearing and settlement systems, the Governor may order a PSP to:
- stop the action
- refrain from taking the action
- remedy the situation
Since a compliance order can be issued when a PSP is about to commit an act, it can be initiated at any stage of supervision to prevent a significant adverse impact.
The Governor can apply to a superior court for an order requiring a PSP to:
- stop an action that violates the RPAA
- comply with a provision of the RPAA
- adhere to a compliance order
What to expect
We will take a graduated approach when applying enforcement actions. A graduated approach allows us to use an enforcement tool that is appropriate given the circumstances and the nature of the violation. For example, if the enforcement action does not result in a timely correction, we can choose to use another tool.
This approach aligns with the risk-based approach we follow for risk monitoring.
Our decisions are bound and supported by procedural fairness. We recognize that in making enforcement decisions, we must apply a process that is fair to the affected individual or entity. For example, we would give an individual or entity notice of an enforcement action and an opportunity to respond.
Reviews and appeals
Individuals or entities can request a review by the Governor within 30 days of receiving the following Bank decisions:
- notice of refusal of registration
- notice of intent to revoke registration
- notice of violation
- notice of default
The Governor or delegate analyzes the request along with the original decision and decides whether to uphold the decision or make a different one. We will publish the Governor’s decision on our website.
If the Governor or delegate upholds the original decision, individuals or entities can appeal that decision to the Federal Court.
We may update the supervisory framework before or after the RPAA comes into force to respond to:
- the publication of regulations in Part II of the Canada Gazette
- changes in the retail payments sector
- lessons learned through the implementation of the framework