Canada’s Retail Payment Activities Act (“RPAA”) has broad application as it does not apply to entities by type, but rather to certain business activity performed by a business in connection with the movement of funds.
Subject to prescribed exemptions, if an entity meets the definition of a “payment service provider” (“PSP”) under the RPAA, the entity must, among other obligations, register with the Bank of Canada (the “Bank”).
A business is considered a PSP under the RPAA if the business offers any one of the five following payment functions and does not benefit from an exemption under the RPAA:
• Providing and maintaining a payment account
• Initiating payment(s)
• Authorizing and transmitting electronic funds transfers (“EFTs”), or facilitating instructions related to an EFT
• Holding funds on behalf of end users
• Providing clearing or settlement services
Among other exemptions, the RPAA does not apply to prescribed entities, such as federally regulated financial institutions and SWIFT, and certain activities including payment functions between a PSP and an affiliated entity, securities-related transactions, and retail payment activities performed as a service or business activity that is incidental to another service or business activity that is not a payment function. The Bank has published guidance on the scope of the RPAA and its exclusions.
Money services businesses
An indicator to consider when determining the application of the RPAA is whether the business remits or transfer funds and, as a result, is a registered money services business (“MSB”). MSBs are generally considered to be PSPs, though it will not always be the case that because a business is an MSB that is a PSP (and vice-versa). MSBs are entities that, inter alia, remit or transmit funds.
Among other obligations under federal anti-money laundering and anti-terrorist financing legislation, MSBs must register with the Financial Transactions and Reports Analysis Centre of Canada (“FINTRAC”). The Bank and FINTRAC will share information on PSPs and MSBs in the context of the Bank’s supervisory functions under the RPAA.
Registration
The Bank will maintain a registry of registered PSPs including the PSP’s registration status, business contact information and payment functions performed. The Bank has discretion to refuse an application or revoke a registration. PSPs were required to submit registration applications to the Bank by November 15, 2024.
Is registration required?
A business is likely a PSP if the business is involved in any aspect of the electronic payment chain as a primary part of its business model — in other words, the business would not exist if the business does not provide such electronic payments.
When considering the application of the RPAA, the following elements may be helpful in determining whether the business activity meets the definition of any of the identified payment functions:
Considering whether the business involved is involved electronic payments? If the business accepts cash-only payments, the RPAA is not relevant.
A “retail payment activity” is generally defined in the RPAA as a payment function performed in relation to an EFT made in Canadian currency. If any aspect of the business activity involves the movement of fiat currency between persons (individuals or entities) then RPAA will not apply to businesses that deal exclusively in crypto and do not move fiat currency. However, if the business holds a customer’s Canadian dollars for the customer to purchase crypto, then the business activity may fall within the definition of a retail payment activity.
A place of business in Canada is another trigger for the application of the RPAA. If the business entity is located outside of Canada, but “directs” retail payment activity services to persons in Canada, then the foreign business may be required to register under the RPAA. The Bank has gone as far to state that a business that operates in multiple countries and is well known in Canada may need to register, even if the business does not directly market to Canadians or otherwise have a place of business in Canada.
Exemptions
The Bank has proposed case scenarios on the RPAA exemptions in published guidance. Case scenarios include the following:
Exemption for “designated systems” — payment systems that are exempt because they are critical to Canada’s economy and already regulated under a different law, such as Interac e-Transfer and VisaNet. This exemption is only for the companies that provide those designated systems: Visa for VisaNet transactions, for example, and Interac for Interac e-Transfers. If a business is a PSP that merely relies on Interac or credit cards for payments, the business is not exempt from the application of the RPAA solely because of its reliance on these payment methods.
An agent exemption is provided to entities who facilitate payments on behalf of another company and receive a commission for providing such payment service. An agent is exempt so long as the business the agent is providing the payment services to is registered as a PSP. However, if the agent offers its own payment services outside of this business relationship, the agent must register with the Bank (in respect of the payment services the agent is providing in connection with its own business activity).
The “incidental” exemption, where payment functions that are performed in a way that is “incidental” to another service or business activity will exclude the PSP from the RPAA. To determine whether the incidental exclusion applies, it’s important to consider the particular circumstances — for example, the features of the products and services, the relationship with customers and other third-party PSPs, advertising and marketing, and how revenue is earned are relevant when determining if this exclusion applies. A careful review of the business activity is required as this exclusion is somewhat subjective.
Additional Obligations
Additional obligations of PSPs under the RPAA include the following, which come into force in September 2025.
Risk management framework and incident response
PSPs must establish, implement, and maintain a risk management and incident response framework to identify and mitigate operational risks, such as cyber attacks and respond to incidents. PSPs will be required to establish objectives related to the preservation of the integrity, confidentiality and availability of their retail payment activities and systems and will also be required to identify operational risks and mitigate and protect against them, set out measures to detect incidents, respond to and recover from incidents.
Safeguarding end-user funds
PSPs that hold end-user funds must establish, implement and maintain a written safeguarding-of-funds framework, in accordance with the requirements of the RPAA and its regulations. Accounts used to hold end-user funds must be maintained either by in trust at prudentially regulated financial institutions (e.g., banks), or a PSP can utilize an insurance or guarantee option to safeguard end-user funds, which insurance or guarantee must be from a prudentially regulated financial institution that is not an affiliate of the PSP.
Reporting
PSPs have extensive reporting and notification requirements, including submitting annual reports and providing the Bank with notification of prescribed incidents (e.g., an unplanned event that results in a breakdown of any retail payment activity performed by the PSP). Individuals or entities materially affected by an incident will also have to be directly contacted.
Conclusion
Given the broad nature of its application, business entities operating in Canada should familiarize themselves with the requirements of the RPAA as the traditional view of “retail payments” and “payment services providers” applying to prescribed entities commonly understood to provide such products or services is not relevant when it comes to the application of RPAA. Where a business is performing any one of the five payment functions identified above and cannot rely on an exemption, or guidance from the Bank concerning its interpretation of the application of the RPAA regime, the RPAA may apply to its business activity.
If you would like to know more about the RPAA or you have any questions regarding the impact of the RPAA framework on your business activities, please reach out to any of the authors.
SUHUYINI ABUDULAI, Partner at BLG, advises financial services entities, including financial institutions and Fintechs, on the regulation of financial services in Canada including consumer protection, payments, anti-money laundering, sanctions, and other regulatory requirements. She is a Certified Anti-Money Laundering Specialist and, in her role as Co-Chair of the Small and Medium Bank Forum, a member of the Department of Finance Canada’s Advisory Committee on Money Laundering and Terrorist Financing.
MATTHEW CONNORS, Counsel at BLG, advises Canadian and foreign financial institutions and Fintechs on all aspects of regulatory compliance in Canada, including with respect to banking, payments, sanctions, anti-money laundering, anti-terrorist financing, and digital assets. Matthew spent a number of years at the Bank of Canada and the Department of Finance Canada, where he held increasingly senior roles working on complex policy and regulatory matters in the financial services space.
