FDATA North America issues response to Bank of Canada’s RPAA consultation

The Financial Data and Technology Association (FDATA) of North America has called for further clarity from the Bank of Canada in its new supervisory guidelines for payment services providers (PSPs).

FDATA North America, which represents more than 30 financial technology companies and consumer-permissioned data access platforms in Canada and the US, made the request in its response to the Bank of Canada’s Retail Payments Supervision Consultation.

In its response, the organisation said it is “broadly supportive of the objectives of the regulations to implement the Retail Payment Activities Act”, while requesting additional clarity in the Bank’s guidance.

Implementation of the RPAA regulations will establish a robust regulatory framework for as many as 2,500 PSPs, according to FDATA North America, and will “once finalized and implemented, meaningfully advance the modernization of Canada’s financial services marketplace”.

It suggested in its written response that the implementation of these regulations should facilitate an “expedited inclusion” into the scope of Canada’s consumer-driven banking framework of payment use cases, as announced by Deputy Prime Minister and Minister of Finance Chrystia Freeland in Budget 2024. 

FDATA North America added that incorporating payment initiation use cases “at this early stage” will align Canada with other G7 nations, the majority of which have “both already adopted regulatory regimes for non-bank PSPs and implemented Open Finance frameworks”.

The Bank of Canada is inviting feedback on its draft supervisory guidelines until May 21, with the guidelines due to be published in the second half of 2024.

It is seeking responses on each of the four guidelines, including operational risk and incident response, incident notification, safeguarding end-user funds, and notice of significant change or new activity.

For operational risk and incident response, FDATA North America cited the need for “comprehensive due diligence” for outsourced service providers, flexible compliance standards like SOC II Type 2 audits, clear thresholds for distinguishing different types of PSPs, and an extended 24-hour reporting period for material breaches.

Its response includes a proposal that PSPs report incidents solely to the Office of the Privacy Commissioner (OPC) to “reduce duplicative reporting and administrative burdens”.

When it comes to safeguarding end-user funds, FDATA requested clarity on the definition of “holding funds” and recommended excluding firms that facilitate transactions but don’t hold funds.

Steve Boms, executive director at FDATA North America is speaking at Open Banking Expo Canada on the panel session titled ‘Does Canada need an interoperable path with the US?’. See the full agenda and register for your ticket here.