Digital payments and e-commerce transactions have become increasingly popular since the COVID-19 outbreak. Fintech companies, such as payment service providers (PSPs), threaten traditional payment method facilitators.
The Retail Payment Activities Act aims to ensure compliance and accountability for PSPs.
Our Fintech lawyers in Canada have created an executive summary of the RPAA to help you understand what the RPAA regulations mean for your business.
What Is The Retail Payment Activities Act (RPAA)?
Until the RPAA regulations came into effect, Canadian PSPs only had to register as money service businesses (MSBs) with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).
Up until the RPAA, compliance obligations were limited to anti-money laundering. Now, the new RPAA regulations have changed that, and below you will find everything PSPs and Fintech companies need to know about the RPAA.
RPAA: An Executive Summary For Fintech Companies
By implementing the RPAA, the Bank of Canada (BoC) aims to support a supervisory framework for retail payments. This framework will regulate eligible Fintech companies that become members and participants of Payments Canada.
In the long run, the RPAA will ensure that PSPs are more effectively regulated while safeguarding the reliability and safety of their ecosystem through efficiency.
Key Provisions of the RPAA for Fintech Companies
To understand your obligations under the RPAA, you must understand the key provisions, which include the following:
1. Incident Response and Risk Management
Under these provisions, Fintech companies must:
- Establish, execute, and maintain incident response and risk management frameworks.
- Comply with financial and operational measures.
- Comply with consumer protection legislation of provinces where services are offered.
- Manage risks from third parties, such as mandataries, agents, and providers.
2. Reporting Provisions
As a registered PSP, you must report to the BoC using the channel designed for your reporting document. Reports include, for example, significant change reports, incident reports, and annual reports.
All of these apply to Fintech companies, and as a result compliance teams need measures in place to meet the Bank of Canada’s reporting requirements.
3. Funds Safeguarding and Record-Keeping
Fintech companies must hold funds until the end user transfers or withdraws them. Safeguarded funds must be segregated from the account provider and other PSPs' accounts.
A leniency granted by the Bank of Canada is that your account provider doesn’t have to be a bank or Canadian. It can be an EMI or other intermediary.
In conjunction with the safeguarding requirement, PSPs must maintain adequate records to show compliance with the RPAA.
4. Registration with the Bank of Canada
You must apply for registration with the BoC before performing any retail payment activities. This provision applies to new and existing Fintech companies.
The BoC will then maintain a public registry of all the PSPs, even those whose registration was revoked or refused.
5. Administration & Enforcement
A PSP registration fee of $2,500 is required during the first year.
There is also an annual assessment fee, and adjustments will occur every subsequent year.
Serious violations also carry monetary and non-monetary penalties. For example, Fintech companies can be fined $1,000,000 for serious violations.
If the violations are found to be very serious, the fines for violations can reach CAD $10,000,000!
Key Exclusions Under The RPAA
Now that you have some basic familiarity with the core RPAA provisions, understanding the exclusions outlined in the Act is just as important. Some exclusions to the RPAA include the following:
- Authorized foreign banks.
- Canadian banks.
- Financial institutions that aren’t captured under federal regulations. An example of this would be a provincial credit union.
- Incidental retail payments. These can include internal transactions of affiliated entities, certain EFT payments, and transactions involving the SWIFT global messaging network.
Risk Management Under the RPAA: What Are Your New Obligations?
Once the RPAA is in full effect, Fintech companies must work hard to maintain risk management frameworks. These include managing risks related to:
- Operational risks
- Cybersecurity
- Client funds and data protection
- Third-party agents and service providers
- Fraud
- Business continuity
You must create an extensive framework to manage these risks to avoid violating the RPAA. Our compliance officers and lawyers can help you create a risk management framework under the RPAA.
Implications of the RPAA for Fintech Companies
As the RPAA goes into effect, Fintech companies will face various financial and compliance challenges. Here is what PSPs must consider:
1. Assessing Role in the Ecosystem: The five PSP payment functions have unique profit margins and expense structures. So, depending on your PSP, necessary compliance may also be unique.
2. Evaluating Compliance & Risk Management Frameworks: Fintech companies must adapt to the RPAA. They must assess their internal policies and consider whether they can meet the additional requirements and costs.
3. Creating a Future Roadmap: All Fintech companies must work towards creating a roadmap that will account for sustainable compliance and risk frameworks that align with the RPAA. In the long run, this will ensure that companies don’t rely too heavily on third parties.
4. Timeline Compliance: Fintech companies must ensure that their risk management frameworks comply with the new regulations, which can lead to delays in projected market entry. To rectify this and ensure timely compliance, PSPs must allocate resources to assess risks and manage and reduce them within the timeline provided by the RPAA.
5. Managing Non-Compliance: The RPAA outlines all monetary and non-monetary penalties for violations. If any PSP is non-compliant, the penalties may affect its ability to continue operations. Fintech companies must establish a complete compliance framework to avoid such issues.
How Can You Prepare for the RPAA: 4 Practical Steps for Fintech Companies
The road ahead is long for Fintech companies to ensure compliance. However, our compliance officers and lawyers have outlined practical steps for PSPs to follow to prepare for the RPAA:
1. Assess Gaps
To prepare for these new regulations, Fintech companies must examine whether there are any gaps between the regulations and current practices.
Such an examination will determine how much effort and resources the PSP requires to meet these new obligations. Some PSPs that operate in different jurisdictions might also need to take additional steps to meet requirements.
If you require help with this, you can contact Renno & Co. Fintech for more information.
2. Create a Comprehensive Framework
Once you address gaps, you must implement the changes required for compliance. For example, you might have to modify your Fintech company's operating model to ensure compliance.
On the other hand, you might also need to ensure efficiency within your operations. PSPs should create an extensive framework with actionable steps to help execute it.
3. Develop Plans for Stakeholders
Our Fintech lawyers recommend that you determine and build important regulatory relationships for your company. Once you have this information, you must develop plans for stakeholders regarding communication and engagement.
Such a plan will help ensure these relationships are beneficial to your PSP.
4. Create Accountability Checks Within the Organization
Fintech companies must instill enterprise-wide commitment to the new regulations. One way to do this is to create accountability checks that you can reinforce through reward processes.
For example, PSPs can create channels for reporting issues to board members and senior management. Such a governance process will guarantee compliance from the bottom to the top.
PSPs must also occasionally assess staff to ensure that skills and resources are utilized efficiently.
Contact Renno & Co. Fintech to Ensure RPAA Compliance
If you want to ensure complete RPAA compliance, it is crucial to outsource some of the efforts to professionals. Our team of compliance officers and lawyers can guarantee compliance within the RPAA framework.
You can schedule a free consultation with Renno & Co. Fintech to discuss more about RPAA and what our Fintech lawyers can do for Fintech companies in Canada.