A new era for payment service providers in Canada: how PSPs can prepare

New Canadian regulations for PSPs to ensure safety in financial services and enable Real Time Rail participation.

In setting the stage for a consumer-directed financial ecosystem, the Canadian federal government released the final regulations under the Retail Payment Activities Act (RPAA) on November 22, 2023 with the Bank of Canada’s Guidelines supporting the RPAA still under consultation.

The act and the underlying regulations give the Bank of Canada a supervisory role over Payment Service Providers (PSPs). The aim is to build confidence in the safety and reliability of their services while protecting users from certain risks. PSPs will be required to register with the Bank and to comply with RPAA requirements that focus on two key areas for PSPs: safeguarding end-user funds and establishing operational risk management.

The RPAA is a set of requirements applying to Canadian PSPs as well as global participants that engage in retail payment activities in Canada. PSPs are required to register with the Bank of Canada under this mandate and to follow the guidance published under the supervisory framework. PSPs that are domestic or authorized foreign banks, credit unions and insurance companies that are prudentially regulated by federal or provincial laws are exempt from registration.

The RPAA supervisory framework is intended to complement the work led by Payments Canada to modernize Canada’s payments ecosystem, including the Real Time Rail (RTR) and taken with the recently announced intention to create a legislative framework for consumer-directed finance overseen by the Financial Consumer Protection Agency of Canada (FCAC), the RPAA is the third leg of the stool to support fostering innovation and greater market participation in the Canadian financial services ecosystem.

PSPs that must register should prepare for the two-week regulatory registration window in November 2024.

Understanding the RPAA

The RPAA regulates PSPs and their retail payment activities in Canada. It is designed to protect consumers by regulating PSPs to safeguard end-user funds, mitigate operational risk and respond to incidents.

The final RPAA regulations published in November 2023 require all entities defined as PSPs to register with the Bank of Canada.¹

It is critical for PSPs to understand what the changes mean for their organization and how they should prepare.

Who are designated as PSPs?

The RPAA defines a PSP as “any individual or entity that performs one or more of the payment functions as a service or business activity that is not incidental to another service or business activity”. Entities covered under this act include payment processors, digital wallets, currency transfer services and other payment technology companies that do not hold funds for end users.

RPAA applies if individuals or entities meet all four of the following criteria:²

1. Act as a PSP, performing one or more of the five payment functions:³

• Provision or maintenance of an account
• Holding of funds on behalf of an end user
• Initiation of an electronic funds transfer
• Authorization of an electronic funds transfer or an instruction in relation to an electronic funds transfer
• Clearing or settlement services

2. Perform a retail payment activity.

3. For PSPs with a place of business in Canada, RPAA applies to all payment activities; for foreign PSPs, the RPAA applies to payment activities the PSP directs to and performs for end users in Canada.

4. Perform payment activities that are not excluded from the RPAA and associated regulations (e.g., prudentially regulated financial institutions).

The registration process

The Bank of Canada is working to deploy a portal where PSPs can complete their registration and submit the requisite supporting information.⁴ At the time of writing, the Bank was running a pilot phase for the portal registration process to assess its effectiveness.

The registration window is expected to open from November 1 to 15, 2024. All PSPs are required to complete the registration application and meet any outstanding requirements by September 8, 2025.

The Bank of Canada has shared draft requirements so that PSPs can start gathering the required information before the window opens. The draft requirements include the following:⁵

• Contact information, including for any third parties, agents and mandataries, and affiliated entities
• Business structure, ownership, debtholders and key staff
• Retail payment functions that PSPs perform or plan to perform, including any agents and mandataries or affiliates that may be performing retail payment functions on their behalf
• The actual or projected values and volumes of end-user funds held both inside and outside of Canada
• The actual or projected number of end users, both in and outside Canada
• The method(s) PSPs use or plan to use to safeguard end-user funds
• Whether PSPs have in place or have plans to establish a risk management and incident response framework
• Any registrations for retail payment activities with FINTRAC or under any other federal, provincial or territorial act

In addition, the Bank of Canada recently released a step-by-step guide to completing the registration application.

Expectations under RPAA

The Bank of Canada has divided the requirements into four categories. ⁶

• Operational risk and incident response
• Safeguarding end-user funds
• Significant change reporting
• Incident notification

Key value drivers for PSPs

Building trust with consumers and ecosystem partners

Canadian consumers continue to place significant trust in their banks.⁷ The Canadian financial services landscape has traditionally been dominated by six large federally regulated banks with a cluster of smaller financial institutions and credit unions that focus on specific markets.

The Canadian Bankers Association found that 86% of Canadians trust their bank to offer secure digital banking services, and 87% trust their bank to protect their personal information.⁸

Registration and the ability to comply with the RPAA will demonstrate that PSPs take their role in the financial ecosystem seriously and that they’ve established the necessary safeguards to build and promote trust.

For financial institutions that already operate from a position of trust, registration with the Bank of Canada will help PSPs reduce the friction of providing services and accelerate business opportunities. Additional benefits include the potential for faster due diligence, third-party onboarding and contracting paths within the ecosystem.

In addition, PSPs looking for funding can build investors’ confidence by showcasing their commitment and investments towards  tmeeting the RPAA’s compliance obligations.

Registering with the Bank of Canada can help PSPs get a foothold in the system by building trust with customers and financial institutions and focus on what they are good at – innovation.

While PSPs have until September 2025 to meet the requirements, they should consider starting to make these investments now to begin realizing the benefits of a sound risk management program. Risk management is foundational for all financial institutions. These partnerships can unlock a significant value for a PSP. This is especially true as banks face increasing pressure to address rapidly evolving risks and updated regulatory requirements for third-party risk management, model risk, and operational risk and resilience.

With the RPAA regulations coming into force, established provincially and federally regulated financial institutions will find it easier to work with trusted PSPs that contribute to a resilient financial ecosystem.

How EY teams can help

EY teams can assist with custom solutions and toolkits to help PSPs understand and manage their RPAA obligations. EY can help facilitate a PSP’s self-assessment of their current capabilities and operating models against the RPAA requirements. This will help PSPs understand the gap between their current state and future state requirements, identify areas where risk and controls need to be enhanced, and document their progress.

EY has the right experience and risk leaders to help enable PSPs to demonstrate compliance to their boards, regulators and other external stakeholders, reducing confusion and wasteful spend.

Key areas where EY can help include:

• Preparation of the overall Bank of Canada registration activities.
• A maturity assessment of RPAA risk management and incident reporting requirements: Designed to walk the user through the RPAA’s key risk requirements and to help identify the process, controls and risks associated with the RPAA regulatory obligations.
• RPAA Risk Management gap assessment and prioritization roadmap: In addition, EY help identify gaps in PSP’s current risk program and identify practical solutions to address these as well as develop a realistic plan to achieve compliance.
• Identify key reporting and documentation requirements: EY can advise PSPSs on RPAA’s core requirement to keep records to provide demonstrable evidence of compliance activities. EY can provide best practices for maintaining and retaining the RPAA risk assessment, associated controls, issues and risk acceptance activities.

While the RPAA signifies an expansive obligation for PSPs that operate in the Canadian market, in the long run these obligations will not only protect consumers, but also open a market to PSPs to offer innovation in a safe and sound financial ecosystem.

The time for PSPs to act is now. If you are interested in learning more about how EY teams can help, please reach out to one of our authors.