top of page
  • Writer's pictureDeborah

On April 30, 2021 the federal government released Bill C-30 containing, among others, a draft of the much-awaited Retail Payments Activities Act (RPAA). The RPAA seeks to implement the previously announced federal retail payments oversight framework.


Scope applicability


The RPAA will apply to any “retail payment activity”

  • Performed by a payment service providers (PSPs) in Canada

  • Performed for an end user in Canada by a PSPs outside Canada that directs retail payment activities at individuals or entities that are in Canada

Exemptions


The RPAA will not apply to certain retail payment activities, including:

  • Merchant – issued payment function (or by an issuer that is not a payment service provider) that allows the purchase goods or services only from the issuing merchant or any merchant in the group;

  • A payment function that is performed in relation to an electronic funds transfer that is made for the purpose of giving effect to an eligible financial contract as defined in the Canada Deposit Insurance Corporation Act;

  • A payment function that is performed in relation to an electronic funds transfer that is made for the purpose of a cash withdrawal at an automatic teller machine; and

  • A prescribed retail payment activity.

  • A payment function performed by systems designated under the Payment Clearing and Settlement Act;

  • A payment function performed entirely between the PSP and an affiliated entity;

  • Payment functions performed by, inter alia, a bank, an authorized foreign bank, a credit union, a cooperative credit society, an insurance company, a trust company, a loan company, Payments Canada, the Bank of Canada (the 'Bank') or prescribed individuals or entities;

Operational Risk Management and Incident Response


Payment service provider performing retail payment activities must, in accordance with the regulations, establish, implement and maintain a risk management and incident response framework that meets prescribed requirements. “Operational risk” being defined as a risk that may result in the reduction, deterioration or breakdown of retail payment activities that are performed by a PSP as a result of:

  • A deficiency in the PSP’s information system or internal process;

  • A human error;

  • A management failure; or

  • A disruption caused by an external event.

Where a PSP that performs retail payment activities becomes aware of an incident that has a material impact on a user, PSP that performs retail payment activities and a clearing house any of a clearing and settlement system, it must, without delay, notify that individual or entity and the Bank of the incident.


Safeguarding of funds


Where the PSP performs a retail payment activity that involves the holding of end-user funds until they are withdrawn by the end user or transferred to another individual or entity, the PSP must hold the end user funds in a segregated trust account, or an account that is only used for that purpose and that is insured or guaranteed.


Provision of Information

On an annual basis and at the prescribed time and in the prescribed form and manner, PSPs performing retail payment activities must submit an annual report to the Bank that includes prescribed information regarding its risk management and incident response framework; the segregated trust account or account that us insured or guaranteed.


Prior notice should be given to the Bank where PSPs wants to make a significant change in the manner in which they perform a retail payment activity or add a new retail payment activity.


Registration


A PSP will be required to be registered with the Bank before it performs any retail payment activities. The Act provides the list of documents and information that must be provided during the registration process, including:

  • A description of the retail payment activities the applicant performs or plans to perform

  • Any prescribed information in relation to end-user funds that the applicant holds or plans to hold

  • A description of the applicant’s risk management and incident response framework or the framework that the applicant plans to establish and implement

  • Information on the applicant’s third-party service providers

  • A declaration as to whether the PSP is registered with FINTRAC.


The Act will come into force on a date yet to be fixed by order of the Governor in Council.

Recent Posts

See All

Commentaires


bottom of page