Bank of Canada now supervises the activities of payment services providers

September 8^th marked the entry into force of several provisions of the Retail Payment Activities Act¹ (RPAA) and the mandate given to the Bank of Canada to supervise payment services providers (PSPs).

Essentially, a PSP is a person who performs any of the following activities related to an electronic funds transfer that is not incidental to another service or business activity:

• Providing or maintaining an account held in the name of end users (i.e., payer or payee) (e.g., customers paying by credit card or merchants receiving funds).
• Holding funds on behalf of an end user until they are withdrawn by the user or transferred to another person.
• Initiating an electronic funds transfer at the request of an end user.
• Authorizing an electronic funds transfer or transmitting, receiving, or facilitating an instruction for an electronic funds transfer.
• Providing clearing or settlement services.

As of September 8^th, PSPs must comply with RPAA obligations regarding operational risk management and safeguarding end-user funds, as well as reporting and recordkeeping requirements. A registry of PSP licence applicants is available here, and a registry of registered PSPs will eventually be available.

More specifically, PSP applicants are now required to:

• Establish, implement, and maintain a risk management and incident response framework to identify and mitigate operational risks.
• Notify end users, other PSPs, or clearing houses of any incident that significantly affects them and report the incident to the Bank of Canada.
• Protect end-user funds, either by holding them in a trust account or in a segregated account and have insurance or a guarantee for those funds.
• Keep their information up to date on the Bank of Canada's online portal and respond to information requests from the Bank of Canada.
• Notify the Bank of Canada at least five business days before the effective date of any significant change in how they conduct a retail payment activity or before conducting a new activity.

PSPs will also be required to submit an annual report to the Bank of Canada detailing regulatory information related to their risk management and incident response frameworks, insurance or guarantees, end-user fund holdings, and other relevant information. The first annual report must be submitted no later than March 31, 2026, in accordance with the Retail Payment Activities Regulations.²

Furthermore, the Bank of Canada possesses several enforcement tools to ensure PSP compliance with the RPAA. Depending on the circumstances, it may impose a wide range of measures, from warning letters to administrative penalties of up to $10 million, as well as the revocation of a PSP’s registration.

Additionally, following registration, PSPs should be aware that the RPAA requires a PSP to submit a new application for registration and become re-registered under that new application before making certain changes to its organization structure, including a change of control. 

The entry into force of this new legislative framework could have significant impacts on PSPs’ business in Canada. For any questions or to discuss the impacts of this new regulatory framework, please contact our team.

The authors would like to thank Gabrielle Simoneau and Charles-Alexandre Groleau, students, for their contribution to preparing this legal update.