With only 60 days left, the Bank of Canada (BoC)’s operational framework for payment service providers (PSPs) will come into force under the Retail Payment Activities Act (RPAA) and Retail Payment Activities Regulations (RPAR) – collectively referred to as Retail Payments Supervision (RPS) on September 8, 2025. If your business performs any of the following five payment functions, RPS apply to you, and you should already be registered with the BoC:
- The provision or maintenance of a payment account;
- The holding of end-user funds until withdrawn or transferred;
- The initiation of a payment at the request of an end-user;
- The authorization of an electronic funds transfer, transmission, reception, or facilitation of a payment message;
- The clearing or settlement of payment transactions.
With the deadline approaching, PSPs should be close to finalizing their operational risk and incident response policy frameworks which must include mapping all operational risk factors to BoC guidance. Key areas to focus on include:
- Identifying the human and financial resources that are required to implement and maintain the framework;
- Allocating specific roles and responsibilities in respect of the implementation and maintenance of the framework;
- Identifying the assets (systems, data, and information) and business processes that are associated with the PSPs performance of retail payment activities;
- Identifying operational risks, which must cover:
- business continuity and resilience,
- cybersecurity,
- fraud,
- information and data management,
- information technology,
- human resources,
- Identifying process and product design and implementation related to operational risk;
- Establishing measures for protecting payment activities from identified risks;
- Reviewing and testing of the framework; and
- Managing its risks from third-party service providers, agents, and mandataries.
Additionally, PSPs that hold end-user funds must adhere to the safeguarding requirements under RPS. To safeguard funds on behalf of end-users, PSPs must utilize one of the following methods:
- Hold the funds in trust in a trust account used solely for that purpose; or
- Hold the funds in a segregated account backed by eligible insurance or guarantee in an amount equal to or greater than the funds held.
As a reminder, RPS requirements are in addition to your existing AML obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). We’re advising clients every day to align their policies, controls, and documentation to meet the BoC’s expectations. This often means creating and implementing new frameworks for many organizations. If you haven’t finalized your framework yet, now is the time to act.
Outlier is here to help, so please get in touch.