Retail Payment Activities Act (RPAA)

Last updated: Jan 30, 2025

The Retail Payment Activities Act (RPAA) is a federal regulation that marks a significant milestone in Canada's payment landscape. Approved by Parliament in June 2021 and finalized in November 2023, the RPAA aims to regulate retail payment activities to ensure consumer protection. The RPAA will be rolled out in phases, with registration beginning November 1-15, 2024, and enforcement starting September 8, 2025.

The RPAA primarily targets Payment Service Providers (PSPs) and aims to protect end-user funds, mitigate operational risks, and enhance confidence in the Canadian retail payment sector by enforcing standards. According to the Bank of Canada guidelines, PSPs perform at least one of the following functions:

  • You provision or maintain an account that is held on behalf of one end user or more
  • You hold funds on behalf of an end user
  • You initiate an electronic funds transfer at the request of an end user
  • You authorize an electronic funds transfer or transmission, or receive or facilitate an instruction in relation to an electronic funds transfer
  • You provision clearing or settlement services

The RPAA guidelines can be broken down into four categories:

(1) Operational Risk and Incident Response

PSPs are required to develop tailored risk management and incident response frameworks, including annual reviews, clear documentation of roles and responsibilities, and continuous risk monitoring. They must establish structured plans for incident response, root cause analysis, and recovery. Additionally, PSPs must address gaps identified by auditors, evaluate third-party service providers' performance and risks, and implement controls when using agents to ensure compliance. Regular testing is necessary to maintain the integrity, confidentiality, and availability of their systems and data.

(2) Safeguarding End-User Funds

To protect consumers, PSPs must ensure end-user funds are accessible and shielded from financial loss in the event of insolvency. This requires segregating these funds from their own and promptly placing them in safeguarded accounts. PSPs must establish comprehensive frameworks that include maintaining accurate end-user records, addressing liquidity needs, mitigating risks, documenting reimbursement procedures, assigning a responsible officer, and conducting regular reviews. Moreover, PSPs must investigate any instances of incorrect fund safeguarding and undergo independent compliance reviews every three years.

(3) Significant Change Reporting

PSPs must notify the Bank of Canada at least five business days before making significant changes to their payment operations or initiating new payment activities. This advance notice ensures the Bank is informed and able to effectively oversee the changes.

(4) Incident Notification

If PSPs become aware of an incident that significantly impacts an end user, another PSP, or a clearing house of a clearing and settlement system, they must promptly notify the affected individuals or entities, as well as the Bank of Canada.

Table of Contents

1.0. Operational Risk Management Framework

1.1. Risk Identification

1.2. Risk Assessment

1.3. Risk Mitigation Strategies

1.4. Monitoring and Reporting

1.5. Risk Governance

1.6. Business Continuity and Disaster Recovery Planning (BCP/DRP)

1.7. Incident Management and Response

1.8. Technology and Security Controls

1.9. Continuous Improvement

1.10. Reporting and Documentation

1.11. Key Tools and Technologies

1.12. Key Operational Risk Areas for RaspberryFX

2.0. Incident Response Framework for Managing Operational Risks

2.1. Preparation

2.2. Detection and Analysis

2.3. Containment

2.4. Eradication

2.5. Recovery

2.6. Communication

2.7. Post-Incident Activities

2.8. Continuous Improvement

2.9. Incident Response Governance

2.10. Key Tools and Technologies

2.11. Common Incident Scenarios for RaspberryFX

3.0. Safeguarding End-User Funds

3.1. Segregation of Funds

3.2. Prompt Placement in Safeguarded Accounts

3.3. Protection Against Financial Loss in Case of Insolvency

3.4. Accurate Record-Keeping

3.5. Addressing Liquidity Demands

3.6. Risk Mitigation Strategies

3.7. Reimbursement Procedures

3.8. Responsible Officer Assignment

3.9. Regular Reviews and Audits

3.10. Stakeholder Communication

3.11. Regulatory Compliance and Alignment

3.12. Stress Testing and Contingency Planning

3.13. Technology and Automation

3.14. Key Elements Summary

4.0. Significant Change Reporting

To request a PDF copy of the RaspberryFX RPAA Compliance Framework, please send an email to: compliance@raspberryfx.com