The Retail Payment Activities Act was enacted in June 2021, creating a new regulatory regime for retail payment activities under the supervision of the Bank of Canada. Previously, the Canadian retail payments industry was largely unregulated. The introduction of the RPAA also represents uncharted territory for the BOC, which will assume the role of regulator for an entire industry sector for the first time.
Ron Morrow, BOC’s Executive Director of Retail Payments Oversight, noted that the new oversight framework will regulate how businesses make daily payments, store or transfer their money through electronic means. The BOC estimates that more than 2,500 entities, including many fintech payment firms, will be subject to its supervision and urges them to start planning and preparing for the new regulatory regime.
Registration guidelines, risk monitoring and compliance
As McMillan specialists explained, both domestic PSPs and foreign PSPs conducting retail payment activities to individuals or entities in Canada will need to register with the BOC when the RPAA provisions requiring registration come into effect, which will likely be in 2024.
To facilitate the registration process, the BOC is currently developing a web portal through which registered applicants and PSPs must submit their registration data, pay the registration fee and comply with the information obligations provided for in the RPAA. The BOC will share requests from those who meet the RPAA registration criteria with the Financial Transactions and Reports Analysis Center of Canada (FINTRAC) and Finance Canada to conduct a national security review.
PSPs shall implement a framework to mitigate operational risk and incident response. Under this framework, PSPs are required to report to the BOC incidents that have a material impact on end users, other PSPs, or certain clearing and settlement systems.
In addition, PSPs will also be required to submit three types of reports to allow the BOC to assess their compliance with the oversight framework:
an annual report containing details about operational risk mitigation, incident response and protective measures for end-user funds, if applicable.
a significant change or new activity report that notifies the BOC before a PSP performs new retail payment activity or significantly change the way you perform an existing activity.
a incident report alerting the BOC of incidents that have a material impact on end users or other entities.
In addition to risk monitoring, the BOC has developed a suite of compliance tools to address violations under the RPAA and promote compliance. BOC may enter into a formal compliance agreement with a PSP to remedy non-compliance or may also issue a violation notice for violations of the RPAA and post the name of the company and the nature of its violations on the BOC website.
McMillan’s experts advise players in Canadian retail payments to prepare for the new regulatory regime, including conducting an assessment to determine if they will need to register as a PSP once the requirements go into effect.