About the retail payments supervisory framework

Learn what will be expected of payment service providers and how the Bank will supervise them under the Retail Payment Activities Act.

The Department of Finance Canada published proposed regulations in Part I of the Canada Gazette to help clarify details of the Retail Payment Activities Act (RPAA).

To fulfill our obligations under the RPAA, we developed a supervisory framework for retail payments supervision. This framework establishes important principles that stem from the legislation and regulations and supports our supervisory activities:

• registration
• risk monitoring
• enforcement

We will publish guidance on registration, risk monitoring and enforcement to help PSPs understand what is expected of them. Together, the legislation, regulations and guidance make up our supervisory expectations.

Registration

Individuals or entities who meet the following four criteria must register with us by submitting an application along with a registration fee.

Four criteria for registration

Be a payment service provider

• Perform one or more payment functions as a service or business activity that is not incidental to another service or business activity

Perform a retail payment activity

• Perform payment functions related to an electronic funds transfer made in Canadian or foreign currencies (excluding digital currencies)

Meet certain geographic scope

• Have a place of business in Canada
• Have a place of business outside of Canada but perform retail payment activities for an end user in Canada and direct retail payment activities at individuals or entities in Canada

Perform payment functions that are not excluded from the RPAA and associated regulations

• Individuals and entities excluded under the RPAA include:
  • banks and authorized foreign banks (pursuant to the Bank Act)
  • credit unions, insurance companies, and trust and loan companies
  • a loan company that is provincially regulated
  • agents and mandataries of PSPs
  • Payments Canada
• Activities excluded under the RPAA include:
  • transactions using automatic banking machines
  • internal transactions among affiliated entities

Process for registration

We are developing a web application (PSP portal) for applicants and registered PSPs. Among other activities, applicants and registered PSPs will be required to use the PSP portal to:

• submit their registration information
• keep their information up to date
• pay the registration fee
• comply with the reporting requirements under the RPAA

Transition period for registration

The RPAA includes a transition period for individuals or entities to apply for registration and for us to process applications. Individuals or entities that currently provide retail payment services can continue to provide these services during the transition period but only if they have submitted an application.

The RPAA prohibits us from informing applicants of the outcome of their application during the transition period.

What to expect

Once an individual or entity submits an application and pays the associated registration fee, we will begin reviewing the application.

During the review period, we will share the applications of individuals and entities who meet the registration criteria of the RPAA with:

• the Department of Finance Canada to conduct a national security review
• the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)

Applicants may need to respond to requests for information to allow us to process their application. 

Applicants are responsible for keeping their information up to date.

Once registered, PSPs must:

• comply with the requirements of the RPAA
• pay an annual assessment fee

Registration may be refused or revoked if the applicant: 

• fails to meet the criteria for registration
• fails to provide additional information that was requested
• provides false or misleading information
• ceases to perform retail payment activities
• commits a violation under the RPAA.

We can also refuse or revoke registration from applicants based on information provided by FINTRAC.

We must refuse or revoke registration related to a directive from the Minister of Finance if:

• national security reasons exist
• the applicant fails to provide additional information to the Minister
• the applicant fails to comply with undertakings or conditions
• the applicant provides false or misleading information

Re-registration

Registered PSPs must submit a new registration application if an individual or entity plans to acquire them. The new application must be submitted before the acquisition takes place.

Individuals or entities whose registration has been refused or revoked may submit a new application if they wish to perform retail payment activities.

Publication of registration decisions

We will publish registration decisions on our website, including a list of:

• registered PSPs
• individuals or entities that had their registration refused or revoked and the reasons why, including if a PSP has stopped operating

Risk monitoring

As part of our supervisory role under the RPAA, we will assess registered PSPs with respect to their:

• operational risk management and incident response framework
• safeguarding of end-user funds, if applicable

Mitigating operational risk and responding to incidents

PSPs will need to have a framework in place to manage operational risk and respond to incidents. They must also report any incident that has a material impact on end users, other PSPs or certain clearing and settlement systems.

Safeguarding end-user funds

PSPs that hold end-user funds must implement measures to safeguard these funds until they are withdrawn or transferred.

Mandatory reporting

PSPs are required to submit the following reports to support the monitoring and assessment of their compliance with our supervisory expectations:

Annual report

• Purpose: To provide us with up-to-date registration information and information about operational risk management, incident response and safeguarding practices for end-user funds, if applicable
• Due date: Yearly on the same day for all PSPs (to be specified in the regulations)

Significant change or new activity report

• Purpose: To notify us before a significant change in the way the PSP performs a retail payment activity or before it performs a new retail payment activity
• Due date: Required within a certain time frame before the change is made (to be specified in the regulations)

Incident report

• Purpose: To notify us of incidents that have a material impact on end users, other PSPs or certain clearing and settlement systems
• Due date: Required within a certain time frame of the incident occurring (to be specified in the regulations)

Our assessment

We will assess a PSP’s compliance with the requirements in the RPAA and its associated regulations using information gathered from various means, including:

• responses to requests we send to PSPs
• reports submitted by registered PSPs, including annual, significant change and incident reports

Our assessments could include:

• A desk review—We may ask PSPs to submit information and documents, such as policies and procedures, for our review. This review may involve meetings and discussions with PSPs.
• An on-site visit—Our staff may make an on-site visit to observe practices, examine material or participate in meetings and discussions.
• A special audit—We may ask a PSP to have a special audit conducted and to submit the results to us.  

We expect PSPs who receive a request for information to answer our questions and submit supporting documents, if applicable, to help with our assessment. PSPs will be required to provide this information to us within a time frame to be specified in the regulations.

Once we complete our assessment, we may identify gaps as well as corrective measures to address these gaps. PSPs can choose how to address and correct the issues identified. We will then confirm that they have implemented the identified corrective measures.  

What to expect 

We will set a minimum frequency by which we will assess each PSP’s compliance with our supervisory expectations. This will allow us to:

• take a risk-based approach to our analysis
• work efficiently
• promote compliance 

We recognize that PSPs have different business structures and operational processes. We will therefore consider the risk posed by each PSP when determining if they meet our supervisory expectations.

We will contact non-compliant PSPs to:

• inform them of compliance gaps
• take enforcement action where appropriate

Enforcement

We have a set of enforcement tools and actions to address violations of the RPAA and its regulations. Enforcement actions aim to promote compliance and support confidence in the Canadian retail payments sector.

Investigations

We may investigate PSPs to identify if there are gaps in their compliance with the RPAA and its regulations. If we have reasonable grounds to believe that a violation has occurred, we may take enforcement action against a PSP.

To identify a violation, we can use any information gathered during risk-monitoring and registration activities to aid an investigation. We could use the following methods to collect evidence:

• desk review
• on-site visit
• special audit

We can take enforcement actions against PSPs who do not:

• register with us
• submit their mandatory reports
• respond to an information request
• comply with the required operational risk and incident response practices as stipulated in the RPAA
• comply with the required safeguarding practices for end-user funds as stipulated in the RPAA

Enforcement tools

Under the RPAA, we can use any of the following enforcement tools depending on the violation.

Compliance agreement

We can enter into a formal compliance agreement with a PSP to rectify non-compliance, including concerns regarding the PSP’s operational risk or safeguarding practices for end-user funds.

In some cases, if a PSP does not adhere to the terms of a compliance agreement, we can issue a notice of violation (NOV). If the PSP does not comply with a compliance agreement that was tied to a NOV, we may issue a notice of default, which leads to an additional penalty, to be prescribed in the regulations.

Notice of violation

We can issue a NOV with respect to violations of the RPAA. A NOV could be accompanied by:

• An administrative monetary penalty (AMP)—Regulations will define criteria that we will consider when determining the amount of the monetary penalty. AMPs are intended to encourage compliance with the RPAA and are not intended to be punitive.
• An offer to enter into a compliance agreement—If a PSP agrees to a compliance agreement, the AMP is reduced by half. The reduced AMP is intended to encourage the PSP to follow the compliance agreement and encourage them to direct their resources to address the underlying issue. If the PSP fails to meet the terms and conditions of the compliance agreement, the PSP is liable to pay the remaining half and an additional penalty that will be specified in the regulations.

Once we complete all proceedings of our enforcement action, we will publish NOVs on our website. NOVs will include:

• the name of the PSP
• the nature of the violation
• the amount of the AMP imposed, if applicable

Compliance order

If the Governor believes that a PSP is committing, or is about to commit, an act that could have a significant adverse impact on end users, other PSPs or certain clearing and settlement systems, the Governor may order a PSP to:

• stop the action
• refrain from taking the action
• remedy the situation

Since a compliance order can be issued when a PSP is about to commit an act, it can be initiated at any stage of supervision to prevent a significant adverse impact.  

Court enforcement

The Governor can apply to a superior court for an order requiring a PSP to:

• stop an action that violates the RPAA
• comply with a provision of the RPAA
• adhere to a compliance order

What to expect

We will take a graduated approach when applying enforcement actions. A graduated approach allows us to use an enforcement tool that is appropriate given the circumstances and the nature of the violation. For example, if the enforcement action does not result in a timely correction, we can choose to use another tool. 

This approach aligns with the risk-based approach we follow for risk monitoring.

Our decisions are bound and supported by procedural fairness. We recognize that in making enforcement decisions, we must apply a process that is fair to the affected individual or entity. For example, we would give an individual or entity notice of an enforcement action and an opportunity to respond.

Reviews and appeals

Individuals or entities can request a review by the Governor within 30 days of receiving the following Bank decisions:

• notice of refusal of registration
• notice of intent to revoke registration
• notice of violation
• notice of default

The Governor or delegate analyzes the request along with the original decision and decides whether to uphold the decision or make a different one. We will publish the Governor’s decision on our website.

If the Governor or delegate upholds the original decision, individuals or entities can appeal that decision to the Federal Court.

Disclaimer

We may update the supervisory framework before or after the RPAA comes into force to respond to:

• the publication of regulations in Part II of the Canada Gazette
• changes in the retail payments sector
• lessons learned through the implementation of the framework