
Retail Payment Activities Act (Canada) (RPAA)

Overview

The Retail Payment Activities Act (RPAA) is a Canadian federal statute that was introduced to regulate payment service providers (PSPs) that operate in Canada. Under this Act, the Bank of Canada serves as the regulator overseeing PSPs.

The RPAA requires payment service providers to:

  • Register with the Bank of Canada;
  • Establish risk management frameworks;
  • Protect user funds through safeguarding measures;
  • Report significant incidents and changes in operations; and
  • Comply with national security requirements.

The Retail Payment Activities Regulations (RPAR) set out the specific requirements for implementing the RPAA: the procedures, thresholds and technical requirements PSPs must meet to comply, and the details of the registration process and operational standards.

The Bank of Canada has published a supervisory guideline on operational risk and incident response which sets out the Bank’s expectations for PSPs with regard to their operational risk management and incident response obligations under the RPAA and RPAR.

AWS customers can design and implement an AWS environment and use AWS services in a manner that satisfies their obligations under the RPAA and RPAR. PSPs are ultimately responsible for regulatory compliance, even when using third-party services.



FAQs


The RPAA requires compliance from PSPs that perform retail payment activities in Canada. This includes:

  • Companies and individuals that perform retail payment functions such as:
    • Payment processing
    • Electronic funds transfers
    • Holding payment service users' funds
    • Digital wallet services
    • Money transfers
  • Both domestic and foreign PSPs that:
    • Have a place of business in Canada, or
    • Serve Canadian end users (individuals or businesses in Canada)

However, some entities are excluded from the Act, including:

  • Banks and other federally regulated financial institutions
  • Provincial credit unions
  • Systems designated under the Payment Clearing and Settlement Act
  • Closed-loop payment systems
  • Payment activities performed for internal purposes within corporate groups

If you need to determine whether specific activities or entities fall under the RPAA's scope, consult with legal experts or the Bank of Canada directly.

A PSP should evaluate whether AWS is considered a third-party service provider under the RPAA in the context of their specific use of AWS services and overall payment operations. Relevant evaluation criteria may include:

  • AWS service connection to payment activities:
    • Do AWS services directly support retail payment functions?
    • Are AWS services integral to the payment processing infrastructure?
    • Do AWS services store or process payment-related data?
  • Operational significance:
    • How critical are AWS services to the PSP's payment operations?
    • Would an AWS service disruption impact the PSP's ability to perform payment activities?
    • Are AWS services used for core infrastructure or just auxiliary functions?
  • Risk assessment:
    • What operational risks might AWS services present for payment activities?
    • Could AWS service issues affect the PSP's regulatory compliance?
    • What is the potential impact of AWS service disruptions?
  • Contractual relationship:
    • What is the nature of the service agreement with AWS?
    • Are there specific provisions related to payment processing?
    • How integrated is AWS in the PSP's payment operations?

AWS should not be considered an “agent” or “mandatary” under the RPAA because it does not perform retail payment activities or other services as a representative of PSPs. AWS functions as a third-party service provider, providing technology services that PSPs may use to build and operate their payment functions.

Customers are ultimately responsible for meeting the Bank of Canada’s expectations for data protection under the RPAA and RPAR. When using AWS services, data protection is a shared responsibility between AWS and the customer: AWS provides secure infrastructure and tools that help customers meet their compliance obligations, while customers retain control of, and responsibility for, how their data is stored, processed and protected in the services they use. For more information, please refer to the Data Protection & Privacy at AWS page.

AWS customers maintain full control of the content that they upload to the AWS services under their AWS account, and responsibility for configuring access to AWS services and resources. AWS customers:

  • Determine the geographic region(s) where their content will be stored and the type of storage;
  • Choose how their content is secured in transit and at rest; and
  • Manage access to their content, as well as access to AWS services and resources through users, groups, permissions, and credentials that they control.
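As an added illustration of the second and third points above (this policy text was written for this page; it is not part of the original answer and is not AWS-published material): an S3 bucket policy that refuses any request not made over TLS and any object upload that does not specify SSE-KMS with one named key. The bucket name `example-psp-payment-data`, the account ID `111122223333` and the key ID are placeholders, and a PSP would substitute its own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-psp-payment-data",
        "arn:aws:s3:::example-psp-payment-data/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyMissingEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-psp-payment-data/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    },
    {
      "Sid": "DenyNonKmsEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-psp-payment-data/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    },
    {
      "Sid": "DenyForeignKmsKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-psp-payment-data/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:ca-central-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
      }
    }
  ]
}
```

Two points to keep in mind. The `DenyMissingEncryptionHeader` statement tests the request itself, so a client that omits the `x-amz-server-side-encryption` header is refused even when the bucket's default encryption would have applied SSE-KMS; clients must set the header explicitly. And a bucket policy governs only the data path: who may read or change the policy, and who may use the KMS key, are controlled separately through IAM and the key policy, which is where the "manage access" point above is actually enforced.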

AWS prohibits, and our systems are designed to prevent, remote access by AWS personnel to customer data for any purpose, including service maintenance, unless that access is requested by the customer, is required to prevent fraud and abuse, or is required to comply with law.

AWS designs all of its systems to prevent access by AWS personnel to customer data for any unauthorized purposes. We commit to that in our AWS Customer Agreement and AWS Service Terms. AWS operations never require us to access, copy, or move a customer’s data without that customer’s knowledge and authorization.

For more information, please refer to the Operator Access on AWS page.

AWS customers choose the AWS Region(s) in which their content is stored. Customers can choose to replicate and back up their content in more than one AWS Region. AWS will not move or replicate customer content outside of their chosen AWS Region(s) without their agreement. For more information on how to implement controls to manage data residency within your AWS environment, please refer to "Controls that enhance data residency protection" documentation.
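As an added example of the kind of control the "Controls that enhance data residency protection" documentation describes (this policy was written for this page; it is not from the original answer or from AWS-published material, and the choice of `ca-central-1` and `ca-west-1` as the permitted Regions and the list of exempted global services are assumptions to adjust): a Service Control Policy (SCP) that denies every API call in the organization whose requested Region is outside the two Canadian Regions, so that content cannot be created or stored elsewhere by mistake.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyActionsOutsideCanadianRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "cloudfront:*",
        "route53:*",
        "support:*",
        "budgets:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "ca-central-1",
            "ca-west-1"
          ]
        }
      }
    }
  ]
}
```

The `NotAction` list carves out services whose APIs are served from a global endpoint and therefore carry a `aws:RequestedRegion` value other than the Canadian Regions; without it the policy would block IAM, STS and Organizations calls for every account it is attached to, and it should be extended for any other global service the PSP uses. Two limits apply: an SCP does not constrain the organization's management account, and it governs where API calls may be made, not what a customer-configured feature such as S3 cross-Region replication does with content already stored, so replication targets still need their own review against the chosen Regions.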

AWS offers a GDPR-compliant AWS Global Data Processing Addendum (AWS DPA), which enables customers to comply with contractual obligations. The AWS DPA is incorporated into the AWS Service Terms, and applies to all customers globally whenever they use AWS services to process personal data, regardless of which data protection laws apply to that processing.

AWS may use three types of sub-processors: (1) AWS entities that provide the infrastructure on which the AWS services run; (2) AWS entities that support specific AWS services which may require these entities to process customer data; and (3) third parties that AWS has contracted with to provide processing activities for specific AWS services. The AWS Sub-processors webpage provides more information about the sub-processors that AWS engages in accordance with the AWS DPA, to provide processing activities on customer data on behalf of customers. Sub-processors relevant to an individual customer will depend on the AWS Region(s) the customer selects and the particular AWS services that the customer uses.

Where AWS authorizes a Sub-processor as described in Section 6.1 of the DPA, AWS will:

  • Restrict the Sub-processor’s access to Customer Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and AWS will prohibit the Sub-processor from accessing Customer Data for any other purpose;
  • Enter into a written agreement with the Sub-processor and, to the extent that the Sub-processor performs the same data processing services provided by AWS under the DPA, AWS will impose on the Sub-processor the same contractual obligations that AWS has under the DPA; and
  • Remain responsible for its compliance with the obligations of the DPA and for any acts or omissions of the Sub-processor that cause AWS to breach any of AWS’s obligations under the DPA.

AWS provides information about its control environment through whitepapers, reports, certifications, and third-party attestations. This documentation can help PSPs understand the AWS controls relevant to the services they use and how those controls have been validated. With a non-disclosure agreement in place, AWS customers can download security and compliance documents from AWS Artifact, including AWS ISO certifications, a Payment Card Industry Data Security Standard (PCI DSS) Attestation of Compliance, System and Organization Control (SOC) reports, and more. For more information, please refer to AWS Artifact.