The long-awaited final regulations (Regulations) under the Retail Payment Activities Act (Act) were published on November 22 in the Canada Gazette II. The Regulations help to clarify the practices and standards expected of payment service providers (PSPs) under Canada’s new supervisory framework for retail payment activities. Our previous update summarized the draft regulations released earlier this year. The draft regulations were amended by the Bank of Canada (BOC) to address the feedback it received from payment industry stakeholders. While the Regulations’ content remains largely similar, there are a few key changes that we set out below.
Operational risk management and incident response
Senior Officer and Board Approval: The Regulations clarify how often a PSP’s risk management and incident response framework (Risk Management Framework) must be approved. The Regulations require that the Risk Management Framework is approved at least once per year by a senior officer (as defined under the Regulations) and each time a material change to the Risk Management Framework occurs. The Risk Management Framework must also be approved by the PSP’s board of directors at a minimum annually.
Risk Management Framework Testing: It is no longer necessary for PSPs to test their Risk Management Framework every three years. The Regulations allow PSPs to establish the “frequency and scope of testing” for the purposes of identifying gaps in their Risk Management Framework. Nevertheless, an independent review of the Risk Management Framework must still occur at least once every three years.
Review of the Risk Management Framework: The Regulations remove the requirement to review the Risk Management Framework following an “incident.” However, the Risk Management Framework must be reviewed at least once a year and also whenever a material change is made to the PSP’s policies, procedures, or other measures relating to risk management.
Incident Record and Timing for the Resumption of Operations: PSPs can now resume their operations following an incident without having to verify that “the integrity and confidentiality of all systems, data and information have been restored and that it is able to perform retail payment activities without reduction, deterioration or breakdown.” PSPs may resume their operations as they begin to address the conditions and circumstances that led to the incident. Correspondingly, the Regulations remove the requirement to keep a record of the method and results of the verification used by the PSP at the time of the incident.
Third-Party Service Providers’ Responsibilities: The Regulations clarify the requirements under the Risk Management Framework concerning relationships with third-party service providers. These requirements now apply only in circumstances where the PSP receives services “related to a payment function” from a third-party service provider.
Safeguarding end-user funds
Senior Officer and Board Approval: Similar to the Risk Management Framework requirements, a senior officer must approve the safeguarding-of-funds framework (Fund Safeguarding Framework) at least annually and also each time a material change to the Fund Safeguarding Framework takes place. Similarly, the PSP’s board of directors must approve the Fund Safeguarding Framework at least once per year.
Independent Review of the Fund Safeguarding Framework: Instead of once every two years, the Regulations extend the timeframe in which an independent review of the Fund Safeguarding Framework must be carried out to once every three years.
PSP’s Review of the Fund Safeguarding Framework: The Regulations still require that the Fund Safeguarding Framework be reviewed by the PSP at least once a year and also following a change to the means by which the PSP holds end-user funds. In addition, the Regulations now require a separate review of the Fund Safeguarding Framework upon any of the following changes occurring, if the change could be expected to have a material impact on how the funds are safeguarded:
- the opening or closing of an account in which the PSP holds end-user funds;
- a change to the terms of the account agreement in respect of which funds are held;
- a change to the entity that provides an account where funds are held; and
- in the case of a PSP that holds insurance or a guarantee for the funds in accordance with the Act, a change in the PSP’s insurance or guarantee providers or to the terms of its insurance policy or guarantee.
Record Keeping and Reporting: The Regulations now require that the findings of each review must be reported to senior officers for their approval. In addition, the records that should be maintained for the review no longer need to specify the changes that the PSP “has made or intends to make” to the Fund Safeguarding Framework.
Evaluation of Insolvency Protection: Where a PSP uses insurance or a guarantee to safeguard end-user funds and the PSP determines there were instances in which the funds would not have been payable to end-users in the case of an insolvency event (as defined under the Regulations), the PSP no longer has to promptly report this information to the BOC. Instead, a description of the instance, its root cause and any measures taken to prevent similar instances from recurring must be reported in the PSP’s annual report.
Registration and other requirements
BOC’s Cost Recovery: Although the BOC is still required to recover its supervisory costs for administering the Act, the formula to calculate the fees to be collected from PSPs is no longer specified by the Regulations.
New Registration Application: The Regulations no longer require that PSPs submit a new registration application where the PSP or its third-party service provider stores information in a country outside of Canada and that country was not identified in the PSP’s most recent application. Instead, a change to the location in which the PSP stores data only needs to be communicated to the BOC at least 60 days before the day on which the change takes effect.
Notice of a Significant Change or New Activity: Where a PSP makes a significant change to its retail payment activities or performs a new activity, it must notify the BOC. Under the Regulations, this notice now has to assess how the PSP’s operational risks will be affected, as well as how the change or new activity will affect how the PSP’s end-user funds are safeguarded (both during and following the change’s implementation). However, PSPs no longer have to provide the BOC with copies of all documentation relating to the change or activity – a summary of the relevant documentation is sufficient.
Next steps
The implementation of the Act and the Regulations will become operational in several stages:
- The BOC has stated it will soon issue guidance documents and supervisory policies to help clarify the regulatory requirements applying to PSPs. The first guidance document will explain the registration requirements for PSPs.
- The registration requirement for PSPs, as well as the provisions on administration and enforcement, will come into force on November 1, 2024. PSPs will be expected to submit a registration application to the BOC by November 16, 2024.
- The requirements for establishing a Risk Management Framework and the Fund Safeguarding Framework will be effective on September 8, 2025.
In the meantime, market participants are encouraged to become aware of the new retail payment regulatory regime and prepare for the impact that the requirements may have on their payment activities. Our lawyers at Norton Rose Fulbright are well-positioned to help our clients navigate the anticipated legal framework and ensure appropriate compliance with the Act and the Regulations.