14 Jun. 2024
 A new era for payment service providers in Canada: how PSPs can prepare

A new era for payment service providers in Canada: how PSPs can prepare

Authors
Abhishek Sinha

EY Canada Partner, Banking & Capital Markets

Senior leader focused on the transformative impact of technology on various industries. Dreamer. Futurist. Dad.

David Patrick

EY Canada Payments Leader, Technology Consulting

Critical thinker. Payments strategy and product professional. Innovative problem-solver.

14 Jun. 2024

New Canadian regulations for PSPs to ensure safety in financial services and enable Real Time Rail participation.

In brief
  • Canada's RPAA requires PSPs to register with the Bank of Canada for safer services.
  • New regulations focus on safeguarding funds and risk management for PSPs.
  • Compliance with RPAA allows PSPs participation in Real Time Rail system.

In setting the stage for a consumer-directed financial ecosystem, the Canadian federal government released the final regulations under the Retail Payment Activities Act (RPAA) on November 22, 2023 with the Bank of Canada’s Guidelines supporting the RPAA still under consultation.

The act and the underlying regulations give the Bank of Canada a supervisory role over Payment Service Providers (PSPs). The aim is to build confidence in the safety and reliability of their services while protecting users from certain risks. PSPs will be required to register with the Bank and to comply with RPAA requirements that focus on two key areas for PSPs: safeguarding end-user funds and establishing operational risk management.

The RPAA is a set of requirements applying to Canadian PSPs as well as global participants that engage in retail payment activities in Canada. PSPs are required to register with the Bank of Canada under this mandate and to follow the guidance published under the supervisory framework. PSPs that are domestic or authorized foreign banks, credit unions and insurance companies that are prudentially regulated by federal or provincial laws are exempt from registration.

The RPAA supervisory framework is intended to complement the work led by Payments Canada to modernize Canada’s payments ecosystem, including the Real Time Rail (RTR) and taken with the recently announced intention to create a legislative framework for consumer-directed finance overseen by the Financial Consumer Protection Agency of Canada (FCAC), the RPAA is the third leg of the stool to support fostering innovation and greater market participation in the Canadian financial services ecosystem.

PSPs that must register should prepare for the two-week regulatory registration window in November 2024.

   PSPs and money services businesses should be familiar with recent amendments to the RPAA and consider any future announcements.

Understanding the RPAA

The RPAA regulates PSPs and their retail payment activities in Canada. It is designed to protect consumers by regulating PSPs to safeguard end-user funds, mitigate operational risk and respond to incidents.

The final RPAA regulations published in November 2023 require all entities defined as PSPs to register with the Bank of Canada.¹

It is critical for PSPs to understand what the changes mean for their organization and how they should prepare.

Who are designated as PSPs?

The RPAA defines a PSP as “any individual or entity that performs one or more of the payment functions as a service or business activity that is not incidental to another service or business activity”. Entities covered under this act include payment processors, digital wallets, currency transfer services and other payment technology companies that do not hold funds for end users.

RPAA applies if individuals or entities meet all four of the following criteria:²

1. Act as a PSP, performing one or more of the five payment functions:³

  • Provision or maintenance of an account
  • Holding of funds on behalf of an end user
  • Initiation of an electronic funds transfer
  • Authorization of an electronic funds transfer or an instruction in relation to an electronic funds transfer
  • Clearing or settlement services

2. Perform a retail payment activity.

3. For PSPs with a place of business in Canada, RPAA applies to all payment activities; for foreign PSPs, the RPAA applies to payment activities the PSP directs to and performs for end users in Canada.

4. Perform payment activities that are not excluded from the RPAA and associated regulations (e.g., prudentially regulated financial institutions).

The registration process

The Bank of Canada is working to deploy a portal where PSPs can complete their registration and submit the requisite supporting information.⁴ At the time of writing, the Bank was running a pilot phase for the portal registration process to assess its effectiveness.

The registration window is expected to open from November 1 to 15, 2024. All PSPs are required to complete the registration application and meet any outstanding requirements by September 8, 2025.

The Bank of Canada has shared draft requirements so that PSPs can start gathering the required information before the window opens. The draft requirements include the following:⁵

  • Contact information, including for any third parties, agents and mandataries, and affiliated entities
  • Business structure, ownership, debtholders and key staff
  • Retail payment functions that PSPs perform or plan to perform, including any agents and mandataries or affiliates that may be performing retail payment functions on their behalf
  • The actual or projected values and volumes of end-user funds held both inside and outside of Canada
  • The actual or projected number of end users, both in and outside Canada
  • The method(s) PSPs use or plan to use to safeguard end-user funds
  • Whether PSPs have in place or have plans to establish a risk management and incident response framework
  • Any registrations for retail payment activities with FINTRAC or under any other federal, provincial or territorial act

In addition, the Bank of Canada recently released a step-by-step guide to completing the registration application.

Expectations under RPAA

The Bank of Canada has divided the requirements into four categories. ⁶

  • Operational risk and incident response
  • Safeguarding end-user funds
  • Significant change reporting
  • Incident notification
 

Requirement category

Summary of key outcomes/objectives

Operational risk and incident response

The requirements at a high level include:

  • Establishing tailored risk management and incident response frameworks, and conducting annual reviews.
  • Documenting roles and responsibilities.
  • Monitoring outsourced tasks.
  • Setting objectives and targets for integrity, confidentiality and availability of systems and data.
  • Implementing continuous monitoring and detection capabilities.
  • Having a plan to respond to, identify root cause and recover from incidents.
  • Conducting testing exercises.
  • Addressing gaps and vulnerabilities identified by an auditor.
  • Assessing performance and managing risks from third-party service providers.

When relying on agents and mandataries, developing compensating control(s) to ensure its ongoing compliance with regulatory requirements.

Safeguarding end-user funds

  • PSPs that hold funds on behalf of end users must ensure reliable access to these funds and protect them against financial loss in case of insolvency.
  • PSPs must segregate end-user funds from their own and place them in a safeguarding account promptly upon receipt.
  • PSPs must establish frameworks to meet safeguarding objectives, including maintaining end users’ records, addressing liquidity demands, mitigating risks, documenting reimbursement procedures, assigning a responsible officer and conducting regular reviews.
  • PSPs must also investigate instances of incorrect fund safeguarding and undergo independent compliance reviews every three years.

Significant change reporting

PSPs must inform the Bank of Canada prior to making significant changes to their retail payment operations or initiating new retail payment activities. This notification must be submitted to the Bank at least five business days before the change comes into effect or before the PSP performs a new retail payment activity.

Incident notification

PSPs must promptly inform affected individuals or entities, as well as the Bank of Canada, if they become aware of an incident with a significant impact on an end user, another PSP or a clearing house of a clearing and settlement system.

Key value drivers for PSPs

Building trust with consumers and ecosystem partners

Canadian consumers continue to place significant trust in their banks.⁷ The Canadian financial services landscape has traditionally been dominated by six large federally regulated banks with a cluster of smaller financial institutions and credit unions that focus on specific markets.

The Canadian Bankers Association found that 86% of Canadians trust their bank to offer secure digital banking services, and 87% trust their bank to protect their personal information.⁸

Registration and the ability to comply with the RPAA will demonstrate that PSPs take their role in the financial ecosystem seriously and that they’ve established the necessary safeguards to build and promote trust.

For financial institutions that already operate from a position of trust, registration with the Bank of Canada will help PSPs reduce the friction of providing services and accelerate business opportunities. Additional benefits include the potential for faster due diligence, third-party onboarding and contracting paths within the ecosystem.

In addition, PSPs looking for funding can build investors’ confidence by showcasing their commitment and investments towards  tmeeting the RPAA’s compliance obligations.

Registering with the Bank of Canada can help PSPs get a foothold in the system by building trust with customers and financial institutions and focus on what they are good at – innovation.

While PSPs have until September 2025 to meet the requirements, they should consider starting to make these investments now to begin realizing the benefits of a sound risk management program. Risk management is foundational for all financial institutions. These partnerships can unlock a significant value for a PSP. This is especially true as banks face increasing pressure to address rapidly evolving risks and updated regulatory requirements for third-party risk management, model risk, and operational risk and resilience.

With the RPAA regulations coming into force, established provincially and federally regulated financial institutions will find it easier to work with trusted PSPs that contribute to a resilient financial ecosystem.

How EY teams can help

EY teams can assist with custom solutions and toolkits to help PSPs understand and manage their RPAA obligations. EY can help facilitate a PSP’s self-assessment of their current capabilities and operating models against the RPAA requirements. This will help PSPs understand the gap between their current state and future state requirements, identify areas where risk and controls need to be enhanced, and document their progress.

EY has the right experience and risk leaders to help enable PSPs to demonstrate compliance to their boards, regulators and other external stakeholders, reducing confusion and wasteful spend.

Key areas where EY can help include:

  • Preparation of the overall Bank of Canada registration activities.
  • A maturity assessment of RPAA risk management and incident reporting requirements: Designed to walk the user through the RPAA’s key risk requirements and to help identify the process, controls and risks associated with the RPAA regulatory obligations.
  • RPAA Risk Management gap assessment and prioritization roadmap: In addition, EY help identify gaps in PSP’s current risk program and identify practical solutions to address these as well as develop a realistic plan to achieve compliance.
  • Identify key reporting and documentation requirements: EY can advise PSPSs on RPAA’s core requirement to keep records to provide demonstrable evidence of compliance activities. EY can provide best practices for maintaining and retaining the RPAA risk assessment, associated controls, issues and risk acceptance activities.

While the RPAA signifies an expansive obligation for PSPs that operate in the Canadian market, in the long run these obligations will not only protect consumers, but also open a market to PSPs to offer innovation in a safe and sound financial ecosystem.

The time for PSPs to act is now. If you are interested in learning more about how EY teams can help, please reach out to one of our authors.

Summary

In November 2023, the Canadian Government finalized regulations under the Retail Payment Activities Act (RPAA) to enhance the safety of the country's financial system. The act enables the Bank of Canada to supervise Payment Service Providers (PSPs) to ensure the security and reliability of their services.

To comply with the RPAA regulations, PSPs must register with the Bank of Canada and safeguard end-user funds while managing operational risks. The supervisory framework is designed to update Canada's payments ecosystem, which includes the Real Time Rail (RTR) system. However, banks, credit unions and regulated insurance companies are exempt from registration. PSPs are required to register in November 2024.

About this article

Authors
Abhishek Sinha

EY Canada Partner, Banking & Capital Markets

Senior leader focused on the transformative impact of technology on various industries. Dreamer. Futurist. Dad.

David Patrick

EY Canada Payments Leader, Technology Consulting

Critical thinker. Payments strategy and product professional. Innovative problem-solver.