The Bank of Canada has published new supervisory guidance related to the Retail Payment Activities Act (RPAA) and its associated regulations (RPAR).
The guidance provides detailed information on administrative monetary penalties (AMPs), the enforcement process and tools, public notice of decisions, review of decisions by the Governor of the Bank of Canada, roles and responsibilities of key officials, and criteria for determining a “significant adverse impact.”
The bank’s guidance outlines the factors considered when issuing and determining the amount of an AMP. AMPs promote compliance with the RPAA and RPAR, with penalties proportionate to violations. The bank’s approach is case-by-case, similar to FINTRAC’s policy.
Key AMP criteria include actual and potential harm related to the violation, violation history within the last five years, and the degree of intent or negligence in committing the violation. AMPs can reach up to $1 million for serious violations, and for very serious violations, up to $10 million.
The enforcement process involves various tools for non-compliance with the RPAA or RPAR, such as warning letters, compliance agreements, notices of violation (NOVs), compliance orders, court enforcement, and revocation of registration status. The process often starts with a complaint, leading to a potential investigation. The bank can collect information through desk investigations, information requests, interviews, onsite investigations, and special audits.
The bank will publicly disclose registration decisions, enforcement decisions, and governor’s decisions. A registry of payment service providers (PSPs), including refusals and revocations, will be available starting September 8, 2025.
PSPs can appeal decisions under the RPAA through the governor’s review process, distinct from the bank’s broader supervisory powers. If the appeal is not resolved within the specified period, it can be taken to the federal court.
The guidance also defines the roles and responsibilities of key officials. The executive director of payments, supervision and oversight is responsible for supervising PSPs and governor’s reviews but does not partake in supervisory activities. The managing director of supervision oversees all registration and enforcement actions, maintaining independence from the executive director in supervisory matters.
Lastly, the guidance defines “significant adverse impact,” relevant for compliance orders and information request timelines. Examples include loss of end-user funds, data breaches, system failures, and compromised integrity of retail payments activities.