The Bank of Canada has introduced a supervisory framework under the The Retail Payments Activities Act which sets out how it will oversee PSPs and foster compliance. The Retail Payments Activities Act was enacted in June 2021, creating a new regulatory regime for retail payment activities under the supervision of the Bank of Canada.

The Canadian retail payments sector had previously been largely unregulated. The RPAA’s introduction also represents unchartered territory for the BOC, which will be assuming the role of a regulator for an entire industry sector for the first time. Ron Morrow, the BOC’s Executive Director for Retail Payments Supervision, reportedly noted that the new supervisory framework will regulate how companies make day-to-day payments, store, or transfer their money through electronic means.

The BOC estimates that over 2,500 entities, including many fintech payment companies, will be subject to its supervision, and urges them to begin planning and preparing for the new regulatory regime. Registration, risk monitoring and enforcement guidelines As explained by McMillan specialists, both domestic PSPs and foreign PSPs that direct retail payment activities at individuals or entities in Canada will be required to register with the BOC when the provisions of the RPAA requiring registration come into force, which will likely be in 2024. To facilitate the registration process, the BOC is currently developing a web portal through which applicants and registered PSPs will be required to submit their registration details, pay the registration fee, and comply with the reporting obligations under the RPAA.

The BOC will share the applications of those who meet the RPAA’s registration criteria with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) and Department of Finance Canada to perform a national security review. PSPs will be required to implement a framework for mitigating operational risk and responding to incidents. Under this framework, PSPs must report to the BOC incidents that have a material impact on end users, other PSPs or certain clearing and settlement systems.

Moreover, PSPs will also be required to submit three types of reports to enable the BOC to assess their compliance with the supervisory framework: an annual report containing details about operational risk mitigation, incident response and protective measures for end-user funds, if applicable.     a significant change or new activity report notifying the BOC before a PSP performs a new retail payment activity or significantly changes the way it performs an existing activity.       an incident report alerting the BOC of incidents that have a material impact on end users or other entities.

In addition to risk monitoring, the BOC has developed a set of enforcement tools to address violations under the RPAA and promote compliance. BOC can enter into a formal compliance agreement with a PSP to remedy non-compliance or they can also issue a notice of violation for contraventions of the RPAA and publish the company’s name and the nature of its violations on the BOC website. McMillan experts advise players in the Canadian retail payments to prepare for the new regulatory regime, including conducting an assessment to determine whether they will need to register as a PSP once the requirements come into force.

.