PSP Assessments Under the RPAA By The Bank of Canada

The Bank of Canada's Supervisory Mandate

Supervision of End-User Funds Safeguarding

The Bank of Canada is tasked with overseeing how payment service providers (PSPs) protect the funds belonging to their users. This falls under the Bank's responsibilities as defined by the Retail Payment Activities Act (RPAA). The Bank will regularly check if PSPs are following the rules for safeguarding these funds, as laid out in the RPAA and its associated regulations. A key part of this process involves PSPs providing a legal opinion. This opinion needs to explain how a proper trust arrangement has been set up, whether under common law or the Civil Code of Quebec. It should also point out any potential issues with the trust's validity or the PSP's adherence to safeguarding rules, and how those issues are being handled.

Periodic PSP Assessments Under the RPAA

The Bank of Canada conducts regular assessments of payment service providers (PSPs) to gauge their compliance with the Retail Payment Activities Act (RPAA). These assessments are not a one-off event; they are periodic, meaning they happen at set intervals or when circumstances warrant. The goal is to ensure that PSPs consistently meet the regulatory standards set forth by the RPAA. This ongoing scrutiny helps maintain the integrity and stability of the retail payments system. A special audit might be triggered if initial assessments reveal significant concerns or if there's a need for a deeper examination of specific operational areas.

Risk-Based and Proportional Supervisory Approach

The Bank of Canada employs a supervisory strategy that is both risk-based and proportional. This means that the intensity and focus of supervision are tailored to the specific risks a PSP presents and the scale of its operations. Not all PSPs are supervised in the same way; the approach is adjusted to fit the circumstances. This method allows the Bank to allocate its resources effectively, concentrating on areas where the potential for harm is greatest. It also means that smaller PSPs with lower risk profiles may face less intensive oversight compared to larger, more complex entities.

The Bank's supervisory activities are designed to be adaptable, ensuring that regulatory oversight is relevant and effective without imposing undue burdens on compliant entities. This measured approach supports innovation while maintaining confidence in the retail payments ecosystem.

Conducting a PSP Assessment

Evaluating Compliance with Safeguarding Requirements

The Bank of Canada undertakes assessments to verify that registered Payment Service Providers (PSPs) are meeting the safeguarding requirements stipulated by the Retail Payment Activities Act (RPAA). This involves a thorough review of how PSPs protect end-user funds. A key focus is on whether the PSP has adequate measures in place to segregate and protect these funds from the PSP's own operational assets. If a PSP relies on insurance or a guarantee to meet these obligations, the Bank will scrutinize the terms of such agreements. Specifically, it will look for any clauses that could prevent the PSP from fulfilling its safeguarding duties, such as termination provisions or conditions that might limit coverage when it's most needed. This detailed examination helps to confirm that the financial protections for end-users are robust and reliable under the RPAA framework.

The Role of Legal Opinions in PSP Assessments

As part of the assessment process, the Bank of Canada may request legal opinions from PSPs. These opinions serve to clarify specific legal interpretations or the enforceability of certain arrangements related to safeguarding obligations. For instance, a PSP might provide a legal opinion to confirm that its chosen method of safeguarding funds is compliant with the RPAA and any relevant regulations. The Bank reviews these opinions to gain assurance that the PSP has sought appropriate legal counsel and that its interpretation of the law aligns with regulatory expectations. This step is particularly important when dealing with complex structures or novel approaches to fund safeguarding.

Addressing Identified Risks and Compliance Gaps

Following an assessment, if the Bank of Canada identifies any risks or gaps in a PSP's compliance with the RPAA, it will communicate these findings to the PSP. The expectation is that the PSP will then take prompt and effective corrective action. This might involve revising policies and procedures, implementing new controls, or making changes to operational practices. The Bank will typically set clear timelines for these corrective measures and will subsequently verify that the PSP has successfully addressed the identified issues. Failure to rectify compliance gaps can lead to further supervisory scrutiny or enforcement actions.

• The Bank will inform the PSP of any identified compliance gaps.
• PSPs are expected to propose and implement corrective actions.
• The Bank will monitor the implementation of these actions and verify their effectiveness.

Information Gathering and Reporting Obligations

Payment service providers (PSPs) registered under the Retail Payment Activities Act (RPAA) are subject to several obligations regarding information gathering and reporting. The Bank of Canada monitors PSPs through a structured set of requirements to ensure effective oversight and maintain sector integrity.

Reporting Electronic Funds Transfer Metrics

One of the main areas where PSPs must report to the Bank is electronic funds transfer activities. Metrics such as transaction volumes, value of transfers, and number of end users are required. This data must be up-to-date and accurate.

Regular submission of these metrics allows the Bank to monitor transaction patterns and assess risk exposure in real time.

Reporting Metric	Data Required	Frequency
Number of transactions	Total annual transactions	Annually
Funds transferred	Total value (CAD)	Annually
End users served	Active clients list	Annually

Ongoing Reporting Activities for PSPs

PSPs must submit a range of reports, with the annual report being the most comprehensive:

• Annual Report: Due by March 31 of the year following the reporting year, covering risk management, incident response, and safeguarding of end-user funds for the prior year.
• Significant Change or New Activity Report: Notify the Bank at least five business days before any significant operational change or launch of a new retail payment activity.
• Incident Reports: Required promptly following any operational incident impacting end-user funds or PSP operations.

PSPs must maintain accurate information in the PSP Connect portal, as the Bank relies on this data for its desk investigation processes and broader compliance assessments.

Bank of Canada's Data Protection Measures

The Bank of Canada is required to protect information submitted by PSPs. Information gathered is kept confidential, following the confidentiality provisions in the RPAA:

• Stored reports and data are accessed only by authorized Bank staff.
• Data is used solely for regulatory, supervisory, and desk investigation purposes.
• The Bank does not release confidential submissions externally without proper legal authority.

PSPs should treat reporting as an ongoing obligation, not just an annual requirement, as incomplete or late submissions can lead to further scrutiny or enforcement actions.

In summary, the reporting and information-gathering obligations serve as the backbone of the Bank's supervisory framework under the RPAA. By following these requirements, PSPs help maintain the reliability and safety of Canada’s retail payments system.

Assessment Methodologies Employed by the Bank

The Bank of Canada uses a few different ways to check if payment service providers (PSPs) are following the rules set out in the Retail Payment Activities Act (RPAA). It's not just one-size-fits-all; they tailor their approach. Think of it like a doctor checking your health – sometimes it's a quick chat, other times it's more involved.

Desk Assessments and Document Review

This is often the first step. The Bank will ask for documents and information to review. This could include policies, procedures, financial statements, and details about how a PSP safeguards client funds. They're looking for evidence that the PSP's internal controls and practices align with the RPAA's requirements. It’s a way to get a broad picture without needing to visit the PSP's office right away. They might ask for things like:

• Proof of how client funds are kept separate.
• Details on the PSP's risk management framework.
• Information on their internal audit processes.

This initial review helps the Bank understand the PSP's operations and identify any immediate areas of concern or areas that might need a closer look later on.

On-Site Assessments and Practice Observation

If the desk review suggests more scrutiny is needed, or as part of a regular supervisory cycle, the Bank may conduct on-site assessments. This means Bank officials will visit the PSP's premises. During these visits, they don't just look at papers; they observe how things are actually done. This could involve watching staff interact with clients, seeing how transactions are processed, and generally getting a feel for the day-to-day operations. It's about seeing the policies in action. They might also interview staff at various levels to get a clearer understanding of processes and responsibilities.

Mandatory Special Audits and Scope Definition

In certain situations, particularly if there are significant concerns about compliance or safeguarding, the Bank has the authority to require a PSP to undergo a mandatory special audit. This is a more intensive examination, usually conducted by an independent external auditor appointed by the PSP but with terms of reference agreed upon with the Bank. The Bank will clearly define the scope of this audit, specifying exactly what areas need to be investigated. This could be triggered by:

• Serious concerns about the safeguarding of end-user funds.
• Evidence of significant non-compliance with the RPAA.
• A need to investigate a specific incident or risk.

The findings from these special audits are critical for the Bank to assess the PSP's overall compliance and determine if any corrective actions are necessary.

Responding to Information Requests

Timelines for Responding to Information Requests

When the Bank of Canada requires additional details or documentation as part of its supervisory activities under the Retail Payment Activities Act (RPAA), it will issue a formal request for information. These requests are a standard part of the assessment process, whether for initial registration or ongoing supervision. PSPs are legally obligated to respond to these requests within the specified timeframes.

The regulations generally provide a period of 15 days for a Payment Service Provider (PSP) to submit the requested information. However, it is important to note that certain circumstances may necessitate a more immediate response. In specific situations, the Bank may require information to be provided within a shorter period, such as 24 hours. PSPs must carefully review each request to understand the exact deadline and the nature of the information required.

Required Documentation for PSP Assessments

The documentation requested by the Bank of Canada will vary depending on the specific assessment being conducted and the PSP's activities. Generally, requests may include, but are not limited to:

• Policies and procedures related to safeguarding end-user funds.
• Operational risk management frameworks and incident response plans.
• Records of electronic funds transfer volumes and values.
• Information pertaining to governance structures and key personnel.
• Evidence of compliance with any specific directives or guidance issued by the Bank.

It is advisable for PSPs to maintain organized and readily accessible records to facilitate prompt and accurate responses. The Bank may also request supporting documents that substantiate the information provided in the PSP's registration application or ongoing reports.

Additional Communication Channels for Clarification

Beyond formal written requests for information, the Bank of Canada may utilize other communication channels to clarify details or gather further information. These can include:

• Messages sent through the PSP Connect portal.
• Direct telephone calls with designated contacts at the PSP.
• Scheduled meetings, either virtual or in-person, with PSP representatives.

PSPs are expected to engage with the Bank through these channels and provide timely responses to any queries. Such communications are often intended to resolve ambiguities or obtain supplementary details that aid in a thorough assessment of the PSP's compliance with the RPAA and its associated regulations. Prompt and open communication can help to streamline the assessment process and address potential concerns proactively.

Enforcement Actions and Compliance Promotion

Enforcement Tools for RPAA Violations

The Bank of Canada possesses a range of tools to address non-compliance with the Retail Payment Activities Act (RPAA). These measures are designed to encourage adherence to the Act and to build confidence in Canada's retail payments sector. The Bank employs a graduated approach to enforcement, meaning the specific action taken will depend on the nature and severity of the violation. This approach aligns with the Bank's overall risk-based supervisory framework, ensuring that responses are proportionate to the circumstances.

When a payment service provider (PSP) fails to meet its obligations under the RPAA, the Bank may initiate various enforcement actions. These can include:

• Warning Letters: For less serious infractions or initial instances of non-compliance, a warning letter may be issued. This letter will clearly outline the identified violation, specify the corrective actions expected from the PSP, and indicate potential consequences for future non-compliance.
• Compliance Agreements: In situations requiring more formal remediation, the Bank may enter into a compliance agreement with a PSP. This agreement details the steps the PSP must take to rectify the non-compliance, particularly concerning operational risks or the safeguarding of end-user funds. Failure to adhere to the terms of a compliance agreement can lead to further action.
• Notices of Violation (NOV): For more significant breaches of the RPAA, a Notice of Violation may be issued. An NOV can be accompanied by an Administrative Monetary Penalty (AMP) or an offer to enter into a compliance agreement. The amount of an AMP may be reduced if the PSP agrees to a compliance agreement, incentivizing prompt resolution.
• Compliance Orders: In cases where a PSP's actions, or potential actions, could have a significant adverse impact on end-users, other PSPs, or critical clearing and settlement systems, the Bank can issue a compliance order. This order may require the PSP to cease an activity, refrain from undertaking a specific action, or remedy an existing situation. Such orders can be issued proactively to prevent harm.
• Court Enforcement: As a final measure, the Bank of Canada may seek a court order from a superior court. This can compel a PSP to stop violating the RPAA, comply with its provisions, or adhere to a previously issued compliance order.

Promoting Confidence in the Retail Payments Sector

Beyond direct enforcement, the Bank of Canada actively promotes confidence in the retail payments sector through transparency and by setting clear expectations. The publication of registration decisions, including lists of registered PSPs and reasons for refusals or revocations, contributes to market clarity. Furthermore, information regarding Notices of Violation and the outcomes of enforcement actions is made public, providing accountability and deterring future misconduct. This commitment to transparency helps ensure that participants and users of the retail payments system can operate with a greater degree of certainty.

Actions for Non-Compliance with Supervisory Expectations

PSPs that do not meet the Bank's supervisory expectations, as determined through ongoing monitoring and periodic assessments, will be contacted directly. The Bank will inform these PSPs of identified compliance gaps and work with them to seek appropriate corrective measures. If these measures are not taken or are insufficient, the Bank is prepared to escalate its response, potentially leading to the enforcement actions described above. The Bank's approach is guided by principles of procedural fairness, ensuring that PSPs are given notice of potential actions and an opportunity to respond before decisions are finalized. This process aims not only to correct specific instances of non-compliance but also to serve as a general deterrent across the industry.