What are the RPAA regulations, the main changes and their impact on existing and new MSBs and PSPs?

The new Retail Payment Activities Act (RPAA) regulations aim to increase operational transparency, prevent financial fraud and strengthen the Canadian fintech market in line with international standards. This article explains what the RPAA regulations are, the key changes and the impact on existing MSBs and PSPs as well as new players. 

As the retail payments industry continues to grow and innovate, the final RPAA regulations provide a framework to support this progress while protecting the interests of all relevant stakeholders. For PSPs operating in Canada, knowing about and complying with these regulations is critical to maintaining trust and stability in the payments ecosystem. 

Ensure compliance with AdvaPay and get expert guidance for MSB registration to meet RPAA requirements. Advapay will provide full support to meet all requirements by November 15, 2024 and ensure you are compliant with the new regulations that come into effect on September 8, 2025. Our legal, technical and commercial expertise will streamline your registration process, ensure compliance and avoid confusion.

 

Key functions under the RPAA 

The RPAA covers several key functions, including managing accounts for electronic funds transfer (EFT), holding funds, initiating transfers and providing clearing or settlement services.

 

Who is considered a PSP under the new RPAA regulations? 

You are likely to be considered a payment service provider (PSP) if you provide any of the five payment functions:

  • including providing/maintaining a payment account,
  • holding funds
  • initiating EFTs, 
  • authorizing/sending/receiving EFT instructions
  • providing clearing and settlement services.

 

Key dates: 

  • November 1, 2024 Registration of payment service providers (PSPs) begins 
  • November 15, 2024 Registration of existing PSPs and money service businesses (MSBs) ends 
  • November 1, 2024 – September 7, 2025 Transition period for compliance with new regulations.

Schedule a call with our specialist.

Ivan Kiselev

Senior Associate

Fintech expert

Commitment

Your business goals
are our top priority

We embody unwavering expertise, garnered through years of industry mastery. Our team’s extensive knowledge and refined skills ensure effective solutions, fostering trust and delivering excellence.

At our core lies a dedication to perpetual innovation. We thrive on pioneering approaches, leveraging cutting-edge technologies, and fostering a culture that encourages imaginative solutions.

We hold ourselves responsible for our actions, commitments, and the outcomes we deliver. This unwavering commitment builds trust, transparency, and lasting partnerships with our clients.

0 +

Years of licensing expertise

0 +

Ongoing projects

0 +

Countries worldwide

0 +

Experienced professionals

 

Who needs to register with the Bank of Canada? 

The Bank of Canada’s four-step application test must be followed to determine whether registration is required. Registration is mandatory if the organization is not exempt from the Retail Payment Activities Act (RPAA), engages in one or more of the five payment functions related to electronic funds transfers (EFTs), and operates or provides services in Canada. 

What will change for existing MSBs:

For companies with overlapping operations between PSPs and MSBs, dual registration with the Bank of Canada (BOC) and FINTRAC may be required. Existing MSBs will need to apply for registration between November 1, 2024 and November 15, 2024 and continue their retail payment activities uninterrupted.

Changes for existing PSPs:

Starting November 1, 2024, all Canadian payment service providers (PSPs) must register with the Bank of Canada under the new Retail Payment Activities Act (RPAA). If an existing PSP or MSB misses the 15-day registration deadline, it must cease all retail payment processing until its application is approved.

Significant amendments to the Retail Payment Processing Act (RPAA) 

The Retail Payment Processing Act (RPAA) is an important regulatory milestone in Canada’s evolving payments landscape. Enacted to oversee payment service providers (PSPs) and their operations, the RPAA aims to enhance the safety, security and efficiency of the retail payments ecosystem. Since its enactment, the RPAA has undergone several revisions, particularly to the final regulations. These revisions have introduced important changes to balance regulatory oversight with operational flexibility for PSPs. Below are the key changes to the RPAA and their impact on payment service providers and the broader financial ecosystem: 

  1. Event recovery system testing 

One of the most significant changes in the RPAA final regulations is the requirement for event recovery and system testing. Initially, the draft regulations required PSPs to be able to resume operations only after fully verifying the integrity and confidentiality of all systems, data and information. In addition, PSPs were required to ensure that retail payment operations could continue without degradation, disruption or failure.

RPAA Fundamental change: 

Previous requirement: PSPs were required to ensure the full recovery and integrity of their systems before resuming operations. This included a mandatory review of post-incident risk management and incident response framework. 

Current changes: The final regulations relax this strict requirement, allowing PSPs to continue normal operations while continuing their system recovery efforts. The requirement for an automatic review of the risk management and incident response framework when an incident occurs has been removed. 

Impacts: This change gives PSPs more flexibility in managing incidents. It recognizes the practical challenges faced by PSPs in the event of a system outage where the immediate resumption of operations is often critical. By allowing operations to continue during recovery efforts, PSPs can better manage customer expectations and minimize service disruption while focusing on the broader risk management process.

Connect with our experts today.

Let's get in touch
Free consultation

 

  1. Changes to requirements related to the location of personal information 

The management of personal and financial information is an important aspect of the RPAA, particularly in relation to where such data is stored or processed. Under the draft regulations, if a PSP or third-party service provider changes the jurisdiction in which it stores or processes personal or financial information, the PSP was required to submit a new registration application to the Bank of Canada 

 

Key changes to the RPAA 

Previous requirements: when the jurisdiction of data storage or processing changed, PSPs were required to submit a new registration application. 

Current changes: The final rule eliminates the requirement for a new registration application form. However, PSPs are required to notify the Bank of Canada 60 days in advance of such changes. Implications: This change significantly reduces the administrative burden on PSPs, particularly those that work with third-party service providers that may transfer data storage or processing operations.

 

  1. Safeguarding of funds (SOF) Changes to accounts 

Safeguarding of end-user funds is a fundamental aspect of the RPAA and provides protection in the event of insolvency or other operational risks. Initially, the Regulation required that changes to SOF accounts trigger a review of the SOF framework following significant changes to the RPAA: Any changes to SOF accounts automatically triggered a review of the safeguard framework. This change: only changes that may have a significant impact on the protection of end-user funds will require a review. 

Implications: This change takes a more pragmatic approach to safeguarding funds by focusing regulatory oversight on truly significant changes. Unnecessary reviews are reduced and PSPs can focus on protecting the integrity of the SOF framework where there is a real risk to end-user funds.

 

Connect with our experts today.

Let's get in touch
Free consultation

 

  1. Testing and coordination of risk management systems 

Risk management is a key focus under the RPAA. The draft regulations originally required testing every three years (every three years) to ensure the robustness and effectiveness of risk management systems.

 

Key changes to the RPAA:

The previous requirement: PSPs were required to test their risk management framework every three years. 

Current changes: The final regulations now require PSPs to develop a testing methodology that defines the frequency and scope of testing rather than following a fixed triennial schedule. 

Meaning: This change allows PSPs to tailor their risk management testing to their operational needs and risk profile. They can focus on more frequent testing in high-risk areas and less frequent testing in low-risk areas.

 

  1. SOF insolvency review

Insolvency protection is a key element of the RPAA, ensuring that end-user funds continue to be protected even if a PSP becomes insolvent. Initially, the regulations required PSPs to review their insolvency protection annually.

 

Key changes to the RPAA: 

Previous requirement: an annual review of insolvency protection measures was mandatory to ensure that end-user funds were recoverable. 

The Final Regulation removes the requirement for an annual review and only requires action to be taken if end-user funds are found to be unrecoverable in insolvency proceedings. 

Implications: By removing the requirement for an annual review, the Regulation shifts the focus to targeted action where real risk has been identified. This change reduces the compliance burden on PSPs while ensuring the protection of end-user funds and allows PSPs to focus on addressing real risks and allocate resources more efficiently rather than meeting the general annual requirements.

 

  1. Frequency of independent audits 

Independent audits are essential to maintain the integrity and transparency of a PSP’s operations. Initially, the RPAA required these audits to be conducted every two years.

 

Key changes to the RPAA: 

Previous requirement: independent audits had to be conducted every two years. 

In the final regulations, the frequency of audits is increased to once every three years. Conclusion This change reduces the frequency of independent audits and the associated costs for PSPs. While audits remain important to ensure compliance and operational integrity, the extended deadline ensures strict oversight and gives PSPs more time to address and implement audit findings.

 

  1. Application information on end-user funds 

Accurate reporting on end-user funds is crucial for transparency and risk management. The draft regulation initially required PSPs to provide information with a 24-month look-back period 

 

Key changes in the RPAA: 

Previous requirement: a 24-month look-back was required for reporting on end-user funds. 

Current change: in the final rule, this look-back period is reduced to 12 months. Conclusion: This regulation streamlines the reporting process and reduces the amount of historical data PSPs need to collect and analyze. As a result, reporting will be more relevant and reflect recent trends, which will increase the accuracy of risk assessment and regulatory compliance.



  1. Introduction of new obligations

While most of the amendments to the RPAA focus on relaxing existing requirements, the final regulations also introduce a number of new obligations that PSPs must now comply with:

Approval of the SOF Framework: The PSP must have its board of directors (where applicable) approve the SOF Framework on an annual basis. In addition, senior officials must approve the results of the SOF Framework review. This change will directly involve senior management in safeguarding funds and increasing accountability. 

Annual report content: the final regulations require PSPs to include in their annual reports the insolvency risks identified in the previous year. This requirement, together with the reconciliation of projected information on end-user funds and remittances, will enhance the transparency and comprehensiveness of the annual report. 

Change notification requirements: Where change notification requirements are triggered, PSPs must now include an assessment of the impact on the protection of end-user funds. They must also provide a summary of documentation reflecting changes to their risk management and incident response frameworks. This new obligation will ensure that the Bank of Canada is fully informed of any significant changes that may affect the safekeeping of end-user funds.

 

National security requirements 

The Retail Payment Activities Act (RPAA) gives the Minister of Finance important powers to address potential national security risks posed by payment service providers (PSPs). This includes the power to take decisive action, such as denying a PSP’s application, canceling an existing registration, or imposing certain conditions or commitments on the PSP. In addition, the Minister can issue national security orders directing PSPs to undertake certain actions or refrain from certain actions considered dangerous to national security.

Connect with our experts today.

Let's get in touch
Free consultation

Penalties for non-compliance with requirements 

The RPAA has a range of enforcement measures to help the Bank of Canada deal with non-compliance with the Act. These tools include:

Compliance agreements: The Bank of Canada can enter into agreements with PSPs to ensure compliance with the requirements of the Act. 

Notice of Violation (NOV): A NOV may or may not include an Administrative Penalty (AMP). Only certain designated violations trigger NOVs and associated AMPs; NOVs with AMPs and a proposed compliance agreement: The bank may combine NOVs and AMPs and propose a compliance agreement as a remedy. 

Compliance order: The Bank can issue a direct order to enforce compliance with the Law. 

Court order: The Bank can seek court sanctions to compel compliance. 

Refusal or cancellation of registration: If a PSP is found to have violated the Act, the Bank may refuse to register the PSP or cancel its existing registration.

if the PSP fails to comply with the terms of the compliance agreement after receiving the NOV, the Bank may issue a notice of default and impose additional penalties on the PSP. Under the regulations, penalties for non-compliance are categorized as ‘serious’ or ‘very serious’ and provide for fines ranging from USD 1 million per serious breach to USD 10 million per very serious breach.

 

How Licensium can help:

Ensure compliance with Advapay Canada and get expert assistance with MSB RPAA registration we provide full support to meet all requirements until the November 15, 2024 deadline and the new regulations that come into effect on September 8, 2025 Ensure compliance. Our legal, technical and business expertise will streamline the registration process, ensure compliance and avoid disruptions. Services we provide: 

  • Registration of new and existing PSPs with Bank of Canada 
  • Development of documents and frameworks to comply with RPAA regulations 
  • Opening of safeguarding accounts
Help center

Got a question? Get your answer

Quick answers to questions you may have. Can't find what you're looking for? Get in touch with us.

 

What is the Retail Payment Activities Act (RPAA)?

The RPAA is a Canadian law that regulates payment service providers, requiring them to register with the Bank of Canada and comply with risk management, AML, and consumer protection standards.

Who is required to register under the RPAA?

Any business that facilitates electronic payments, including payment processors, digital wallets, and cryptocurrency platforms, must register with the Bank of Canada before offering services in Canada.

What happens if a PSP does not register under RPAA?

Failure to register can result in penalties, fines, and restrictions on business operations in Canada. The Bank of Canada has the authority to take enforcement actions against non-compliant companies.

How does RPAA impact foreign payment service providers?

International PSPs operating in Canada must comply with the same registration and reporting requirements as local businesses. This ensures that all financial service providers adhere to Canadian regulatory standards.

How long does the registration process take?

The processing time depends on the complexity of the application and the completeness of the submitted documentation. On average, businesses can expect the review process to take several weeks.

77 Bloor St W, Toronto, ON M5S 1M2, Canada

Find the addresses, hours of operation, staff and more for each of our locations and affiliates.

+14377557393

Call us today or visit our appointment request page to find a time that is convenient for you.

info@licensium.io

Have a question or need assistance? We're just a message or call away! Our team is ready to help you find the best solution.

Get in touch

Have a question? Fill out the form below, and we'll get back to you as soon as possible.