Contact: Laine Williams, (202) 897-4757, [email protected]
May 21, 2024, Washington, DC – The Financial Data and Technology Association of North America (FDATA), a trade association representing more than 30 financial technology companies and consumer-permissioned data access platforms in Canada and the United States, today responded to the Bank of Canada’s Retail Payments Supervision Consultation regarding its new supervisory guidelines for payment service providers (PSPs). FDATA North America expressed broad support for the Retail Payments Activities Act (RPAA) regulations while requesting additional clarity in the Bank’s guidance.
FDATA North America highlighted that implementation of the RPAA regulations will establish a robust regulatory framework for as many as 2,500 PSPs, significantly advancing Canada’s financial services modernization. In the response, FDATA North America emphasized that the RPAA regulations should facilitate the inclusion of payment use cases into Canada’s consumer-driven banking framework, as announced by Deputy Prime Minister and Minister of Finance Chrystia Freeland in the 2024 budget. By incorporating payment initiation use cases at this early stage, Canada can align with other G7 nations that have already established non-bank PSP regulations and open finance frameworks.
In its comments, FDATA North America provided detailed responses to key aspects of the supervisory guidelines. For operational risk and incident response, it urged comprehensive due diligence for outsourced service providers, flexible compliance standards like SOC II Type 2 audits, clear thresholds for distinguishing different types of PSPs, and an extended 24-hour reporting period for material breaches. It proposed that PSPs report incidents solely to the Office of the Privacy Commissioner (OPC) to reduce duplicative reporting. For safeguarding end-user funds, FDATA requested clarity on the definition of “holding funds” and recommended excluding firms that facilitate transactions but don’t hold funds. Additionally, it called for explicit criteria for changes warranting notification, particularly for cloud migration, to help PSPs manage risks while complying.
A full copy of the response is available here.