Published on February 10 by the Department of Finance, the Proposed Retail Payment Activities Regulations support the Retail Payments Activities Act (RPAA), the new legislative framework regulating retail payment activities in Canada (for more information about the RPAA read our article here).
The Proposed Regulations include standards for operational risk management, requirements to safeguard end-user funds to reduce the risks of disruptions in payment services that result in end users being temporarily unable to access their funds or make payments. It also incorporates requirements regarding payment service providers’ (PSPs) registration with the Bank of Canada (BoC); reporting requirements; and penalties for violating requirements.
The RPAA excludes certain entities such as prudentially regulated financial institutions (e.g. banks and credit unions) as well as certain activities such as payment functions performed in relation to an electronic funds transfer that is made for the purpose of giving effect to prescribed transactions in relation to securities.
Risk management and incident response
PSPs will be required to establish, implement and maintain a risk management and incident response framework
The PSP’s Risk Management Framework should be designed to preserve the (1) integrity; (2) confidentiality; and (3) the availability of its retail payment activities and of the systems, and data or information involved in the provision of those activities.
Safeguarding of funds
PSPs will have to (1) hold funds in trust, in a trust account; or (2) hold funds in a segregated account and hold insurance or a guarantee in respect of the funds.
To ensure end users have reliable and timely access to their funds, accounts used to hold end-user funds will have to be held at prudentially regulated financial institutions (e.g. banks, provincial credit unions, foreign financial institutions).
PSPs will be required to have a written safeguarding-of-funds framework to ensure that end users have reliable access to their funds without delay, and that, in the event of PSP insolvency, the funds or proceeds of the insurance or guarantee are paid to end users without delay.
PSPs will be required to report to the BoC through several channels, including:
Annual reports containing prescribed information pertaining their Risk Management Framework, fund safeguarding, and any other prescribed information.
Significant change reports that will have to be transmitted at least 5 days prior to making any significant change in the way they perform a retail payment activity or before they perform a new retail payment activity. “Significant changes are those that could reasonably be expected to have a material impact on operational risks or the manner in which end-user funds are safeguarded”.
Incident report of incidents that have a “material impact” on an end user, other PSPs, or designated financial market infrastructures. The incident report will have to be communicated also to impacted individuals and entities.
PSPs will also be required to register with the BoC to operate under the RPAA. While the RPAA sets out information that applicants must include when they seek to register with the Bank of Canada as a PSP, the Proposed Regulations sets out additional details regarding the application requirements of the RPAA including with regard to contact information.
The comment period is open until March 28, 2023.