Summary of RPAA Regulations: Key Points Every PSP Should Know

The COVID-19 pandemic brought about an advancement to the world of digital payments, causing the frequency of contactless and e-commerce transactions to skyrocket. 

‍As you may have noticed that in today's world, Payment Service Providers (PSPs) are challenging traditional methods of payments. They are playing an increasingly significant role in responding to the demand from consumers and merchants for more intuitive and seamless experiences in transferring money. 

‍The rapid growth in the payment sector has given rise to new complexities and risks in fraud, cybercrime, and identity theft. To avoid the threats that come with it, the Canadian government has developed new rules and regulations to foster a regulatory environment in Canada that strikes a balance between being efficient and robust.

What is RPAA all about?

The finаlizeԁ regulаtions unԁer the Retаil Pаyment Aсtivities Aсt (RPAA) were published on November 22, 2023, рroviԁe PSPs with а сleаr раth to сomрliаnсe. 

The Retail Payment Activities Act (RPAA) is a new law that requires most Money Services Businesses (MSBs) to register with the Bank of Canada as Payment Service Providers (PSPs). 

The RPAA, аlong with its finаlizeԁ Regulаtions, create а framework for regulating payment service providers, which is overseen by the Bank of Cаnаԁа.

This frаmework has new rules on top of the anti-money-laundering requirements applicable to MSBs under the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).

Whereas FINTRAC regulations are aimed at ensuring that payment companies aren’t used to launder money, the RPAA is aimed at ensuring that payment companies are run properly.

In particular, the aim of the RPAA is to build confidence in the safety and reliability of PSP services while protecting end users from specific risks. The RPAA аlso раves the wаy for PSPs to obtаin Pаyments Cаnаԁа membership аnԁ раrtiсiраte in Cаnаԁа's Real-Time retail payment system once the Cаnаԁiаn Pаyments Aсt is аmenԁeԁ. 

Who is Affected?

The RPAA applies to both domestic and foreign PSPs that provide services to end-users in Canada. This includes individuals or entities performing the following payment functions:

• Payment Service Providers
• Businesses with Clients Funds (e.g., account providers)
• Remittance Companies
• Multi-Currency Account Vendor
• Payment Gateway Providers
• Merchant Account Providers

The important point to be noted here is that the RPAA does not apply to regulated financial institutions like banks and credit unions or activities involving closed-loop gift cards, ATM withdrawals, or SWIFT transactions.

Key Requirements Under the RPAA

• Registration and Record Keeping‍
  All currently operational PSPs must register with the Bank of Canada from November 1 to November 15, 2024. For a one-time registration, a CAD 2,500 charge is levied, and PSPs should keep records showing how they are adhering to the RPAA for five years. 
  If a PSP does not register between November 1 to November 15, 2024, then it must wait until 60 days after submitting its registration application to begin resume services.
  If significant changes occur in the PSP—such as being acquired by a state-owned enterprise or changes in data storage outside Canada—a new requirement for registration may arise. 

• RPAA Compliance Officer‍
  It is a requirement for PSPs to hire or outsource a competent compliance officer/team to oversee your company’s compliance with the RPAA. They can also help in giving your employees compliance training to improve their understanding of your RPAA obligations and their involvement in adhering to regulations.
  

• Risk Management‍
  You are required to establish a written risk management and incident response framework to preserve the integrity and privacy of retail payment activities. This includes the capability to identify and mitigate any operational risks.
  ‍
  
  1. Identification and Assessment of Risk: Regular identification of possible risks that can affect operations and assessment of likelihood and impact.
  2. Controls and Mitigation Strategies: Put in place controls and mitigation strategies on the identified risks, such as regularly testing and updating these controls.
  3. Incident Management: A structured approach used to develop capabilities for incident management in terms of incident detection, response, recovery, and communication procedures.

• Safeguarding Customers Funds and Transaction Records‍
  You are required to record general information of all your customers, like — name, address, date of birth, and occupation. This will also help in the verification of customer's identity and assist them instantly in case of a threat. 
  
  ‍A PSP that is holding customers/end-users funds must maintain a fund-safeguarding framework. This arrangement ensures that end-user funds are accessible to them even if the PSP faces bankruptcy.
  ‍
  
  1. a. Trust or Insured: PSPs must hold end-user funds either in a trust account or in an insured or guaranteed segregated account. 
  2. b. Segregation: This safeguarding account must be segregated from the PSP’s and account provider’s other accounts. 
  3. c. “Bank” Account: The good news is that your account provider doesn’t have to be Canadian and doesn’t have to be a bank (it can be an EMI or other intermediary.

• Reporting to the Bank of Canada‍
  PSPs have an obligation to submit annual reports, incident reports, significant change reports and provide responses to any information requested by the Bank of Canada within 15 days. 

• National Security‍
  There is a provision for PSPs to undergo a national security review by the Minister of Finance at initial registration. The Minister is empowered with the ability to refuse applications, revoke registrations, or attach further conditions to avoid national security risks.
  ‍
  
  1. Initial Security Review: This is carried out at first registration to assess any possible national security risk.
  2. Ongoing Monitoring: Continuous monitoring and re-assessments are done when the PSPs change or introduce more services.

Changes Arising from Draft Regulations

The final set of rules has cut down some major requirements compared to the earlier drafts, giving some relief to the PSPs. They have introduced extension of deadlines and reduction in some reporting obligations. 

‍PSPs will additionally benefit from less stringent obligations in terms of reporting and testing along with regulatory relief in compliance obligations compared to earlier drafts.

‍Although we see ease in the process, the strict requirements for reporting and testing are still standing tall and strong to ensure the supervisory framework is sufficiently robust.

Penalties for Non-Compliance

The RPAA has included various listings of heavy fines for non-compliance, which range from CAD 1 million for serious offences to CAD 10 million for very serious offences. 

What are the future trends to keep a lookout for?

As the financial landscape evolves, PSPs must stay informed about emerging trends and regulatory updates to maintain compliance and competitive advantage.

1. Blockchain and Cryptocurrency: Understand how the RPAA will impact virtual asset services. As of now, it seems as though the RPAA does not apply to virtual asset activities but that may change in the near future.
2. Improved Cybersecurity: Stay adaptive to new cybersecurity threats and use the latest available protection methods.
3. Regulatory Technology (RegTech): Leverage RegTech solutions that contribute to automation and rationalization of processes in compliance.

What are the actionable steps for PSPs?

1. Get registered: get registered as a PSP with the RPAA. It’s important to start preparing for this as soon as possible given the November deadline. Renno can help.
2. Prepare Risk Management Framework: Prepare the required risk management frameworks that will ensure you are meeting regulatory requirements.Renno can help.
3. Operationalize Risk Management Framework: Hire seasoned professionals to assist your implementation of your written risk management framework
4. Prepare for Reporting Requirements: Establish detailed recordkeeping and reporting processes to meet the requirements for annual reporting obligations.
5. Engage with the Bank of Canada: Join the pilot program for registration and stay connected with the new guidelines and updates.

It will help PSPs tremendously if they proactively  manage the complexities of the RPAA regulations, while ensuring compliance and contributing to a secure payment landscape within Canada.

How Renno & Co. Fintech's Services Can Help

RPAA compliance requires a well-structured operational approach. Renno & Co.’s Fintech team can lend a helping hand to navigate through these complicated RPAA regulations. Our team of experts can help you get registered, develop your written risk management framework, and remain compliant with the RPAA.

As the only multi-ԁisсiрlinаry рroviԁer of both сomрliаnсe аnԁ legаl serviсes, Renno & Co. ensures that you аre сovereԁ from all angles. 

Book a Free Consultation

The content on this website is provided for general information purposes only and does not constitute legal or other professional advice or an opinion of any kind.

‍