CAN GVT Retail Payment Activities


On Feb. 11, 2023, CAN GVT proposed payment service provider rules.


  • CAN GVT published a consultation on proposed retail payment activities regulations.
  • Aims to address gap in payments supervision for payment service providers (PSPs).
  • Establishes obligations for operational risk management, end-user (payor or payee) funds safeguarding, registration, reporting requirements, administration, enforcement.
  • Purpose of Proposal
  • Address issue PSPs, such as card networks, payment processors and digital wallets, are currently not supervised in Canada with respect to their payment activities.
  • Lack of requirements and supervision increases risks to Canadians, such as the risk of financial loss in instances of business insolvency, threats to security of sensitive data.
  • Regulation required to support the coming into force of the Retail payment activities act (CAN GVT SC 2021 c. 23 s. 177), which received royal assent in Jun. 2021.
  • Proposal Scope
  • Applies to payment functions related to electronic transfer of funds from one end user to another using a PSP; for payment activities of PSPs with place of business in CAN.
  • Five payment functions are provision or maintenance of a payment account; holding of end-user funds until withdrawn by end user/transferred to another individual or entity.
  • Additionally, payment functions of initiation of payment at the request of an end user.
  • Authorization or transmission of a payment message; or the clearing or settlement.
  • PSPs defined as an individual or entity that performs one or more of payment functions as a service/business activity not incidental to another service or business activity.
  • Excluded certain entities, such as financial institutions prudentially regulated under other federal statutes, including banks and credit unions, excludes certain activities.
  • Risk Management
  • Requires PSPs to establish, implement and maintain a risk management and incident response framework (Risk Management Framework), as further set out in proposal.
  • Must establish three objectives - preserve integrity, confidentiality, and availability of its retail payment activities, and of the systems, data, or information involved.
  • Further, must identify operational risks; protect retail payment activities from risks.
  • Detect incidents and control breakdowns; and respond to and recover from incidents.
  • Review, test, and — for some PSPs —audit its Risk Management Framework; establish roles and responsibilities for the management of operational risk and incidents.
  • Have access to sufficient human, financial resources to establish, implement, maintain risk management framework; manage 3-party service provider, agent, mandatary risk.
  • Framework proportional to impact issues with retail payment activities could have.
  • Safeguarding of Funds
  • PSPs would be required to hold funds in trust, in a trust account; or hold funds in a segregated account and hold insurance or a guarantee in respect of the funds.
  • Accounts used to hold end-user funds be held at prudentially regulated financial institutions (e.g. banks, provincial credit unions, and foreign financial institutions).
  • Where PSPs choose the insurance or guarantee option to safeguard end-user funds, option must be from non-affiliated prudentially regulated financial institution.
  • Proceeds from insurance or guarantee must not form part of the PSP’s general estate.
  • Payable for the benefit of end users as soon as feasible following an insolvency event.
  • CAN CB must be notified 30 days in advance of insurance/guarantee being canceled.
  • Written safeguarding-of-funds framework required for all funds safeguarding options.
  • Safeguarding measures reviewed annually, may have an biennial independent review.
  • Reporting
  • Annual report required, with objectives, changes to risk management framework, operational risks description, human and financial resources to implement framework.
  • Means to safeguard funds, fund safeguarding framework, any independent reviews.
  • Last, include information on PSP’s ubiquity, interconnectedness, per specified criteria.
  • Significant change report before significant change in/new retail payment activity.
  • Incident reporting required for incidents that have a material impact on the market.
  • Information requests from CAN CB due 15 days; 24 hours if significant adverse impact.
  • Certain notices of change in information must reported to CAN CB, as specified in rule.
  • Registration
  • One-time prescribed registration fee of $2,500 due as part of applicants' application.
  • Separate annual assessment fee required; proposal set out data needed to apply.
  • Established when CAN CB may refuse to register applicant or revoke PSP’s registration.
  • National Security Safeguards
  • Prescribed how PSPs are to be registered, how national security reviews conducted.
  • Included timelines for review by Minister (60 days), data provided by applicants and PSPs at application, information to be updated annually, triggers for re-registration.
  • If a formal national security review is required, the Minister will inform CAN CB.
  • Outlined 180 days for national security reviews, extended at discretion of the Minister.
  • Prescribed Supervisory Information
  • Prohibited PSPs from disclosing prescribed supervisory information as evidence in civil proceedings to ensure the protection of sensitive supervisory information.
  • Set what data shared between CAN CB, PSPs is prescribed supervisory information.
  • Including any direction, notice, assessment, testing, audit, investigation, plan or report prepared by CAN CB, reports, letters, recommendations/plans related to supervision.
  • Recordkeeping
  • PSPs must maintain sufficient records to demonstrate compliance with act, regulations.
  • Records retained for five years unless otherwise specified in condition or undertaking.
  • Administration and Enforcement
  • Designated violations, penalty ranges increasing in severity according to significance.
  • Up to $1mn penalty per violation for serous; $10mn per violation for very serious.
  • Provides for reclassification of a series of serious violations as a very serious violation.
  • CAN CB must ascertain total expenses for administration via registration fees.
  • Proposed regulation established the methodology for the annual assessment fee.
  • Consultation
  • 45 days consultation on proposed retail payment activities rules, until Mar. 28, 2023.
  • Feb. 2023 CAN PAY on Proposal
  • On Feb. 15, 2023, CAN PAY reported retail payments activities act (RPAA) rule release.
  • Called critical step towards broadening access to Canada's payment infrastructure.
  • However, stated legislative changes are still needed, just one step to broaden access.
  • Said CAN PAY's membership eligibility must also be expanded to include eligible PSPs, CU locals, and systemically important Canadian Financial Market infrastructures.
  • To do that, changes to the Canadian Payments Act (CAN GVT RSC 1985 c. C-21), which sets out CAN PAY's mandate, eligibility for membership, and more, are required.
  • Follows CAN PAY Dec. 2022 letter calling for such changes to the act, see #157013.
  • Mar. 2023 CAN PAY Next Steps
  • On Mar. 2, 2023, CAN PAY published interview with Ron Morrow, Executive Director of Supervision at the Bank of Canada on how the RPAA will support payment innovation.
  • Encouraged all to look at proposed regulations and contribute to their development.
  • Beyond regulation period, will be looking for further input re supervisory expectations.
  • Focus will be on goal of ensuring payment service providers register and are appropriately managing operational risks appropriately, safeguarding end-users’ funds.
  • After the regulations are finalized, will start to publish guidance for the industry.
  • Will take risk-based approach that will focus on end-user impacts and efficiency.
  • Want to carry out supervision mandate in way that builds confidence and innovation.
  • Mar. 22, 2023 CAN PAY Rule Response
  • On Mar. 22, 2023, CAN PAY submitted its response to proposed RPAA regulations.
  • Seeks clear scope of the definition of payment service provider and clear direction on activities excluded from RPAA registration requirements to ensure accurate oversight.
  • Also, recommends the prompt disclosure of registration revocations to the public.
  • Nov. 22, 2023 CAN GVT Finalized RPAA
  • On Nov. 22, 2023, CAN GVT finalized RPAA, regulating retail payment activities in CAN.
  • Regulates PSPs to safeguard funds/financial system with operational risk requirements.
  • On Nov. 1, 2024, provisions on registration and associated regulations come into force.
  • Requirement for PSP to be registered with CAN CB comes into effect on Nov. 16, 2024.
  • On Sep. 8, 2025, sections on operational risk, end-user fund safeguarding take effect.
  • PSPs have 2-week window from Nov. 1 to 15, 2024, to submit registration application.
  • PSPs that do not submit in this window will still be able to register on a rolling basis, but will be subject to potential delays in commencing their retail payment activities.
  • Delay depends on if PSP is existing or new, and if applies before or after Sep. 8, 2025.

Regulators CAN CB; CAN GVT; CAN PAY
Entity Types CU; MSB
Reference OG Vol. 157 No. 24, SOR/2023-229, P.C. 2023-1106, PR, 11/22/2023; PR, 3/22/2023; Sp, 3/2/2023; PR, 2/15/2023; RF, OG Part 1 Vol. 157 No. 6, 2/11/2023; Citation: CAN GVT SC 2021 c. 23 s. 177;
Functions Client Money; Compliance; Exams; Financial; Legal; Operations; Outsourcing; Privacy; Product Administration; Record Retention; Registration/Licensing; Reporting; Risk; Settlement; Treasury
Countries Canada
Category
State
Products Cards; Clearing; Payments
Regions Am
Rule Type Final
Rule Date 2/11/2023
Effective Date 11/1/2024
Rule Id 163327
Linked to Rule :157013
Reg. Last Update 11/22/2023
Report Section International

Last substantive update on 11/24/2023