The Retail Payment Activities Act (RPAA) brought Canada’s payment service providers under federal supervision for the first time. Since the Bank of Canada’s supervisory framework came into force on 1 November 2024, hundreds of PSPs have applied — and a meaningful share have been refused, withdrawn applications, or are operating under enforcement scrutiny. The registration looks procedural on the surface. The substance underneath has tripped up firms that approached it as a form-filling exercise.
This guide walks through the registration process step by step, sets out the criteria the Bank of Canada uses to assess applications, and flags the points where applicants most often go wrong. If you are scoping registration now, our comprehensive RPAA compliance guide and PSP Canada RPAA compliance framework cover the full obligation set.
What Is RPAA Registration?
The RPAA requires every payment service provider performing a retail payment activity in Canada — or directed at end users in Canada — to register with the Bank of Canada and to comply with operational risk management, end-user fund safeguarding, incident reporting and ongoing supervisory obligations.
Registration is not a licence in the traditional sense. It is a supervisory registration. The Bank of Canada does not approve a business model; it confirms that a registered PSP has provided the information required under section 29 of the RPAA and that the Bank has no grounds under section 30 to refuse the application. The distinction matters — registration does not validate that a business is sound, only that it has met the registration threshold.
For context on how RPAA registration sits alongside other Canadian regulatory regimes, our MSB vs PSP licences guide sets out the full picture.
Do You Need to Register?
Four conditions must all be met for the RPAA to apply to your business:
You perform a retail payment activity. The RPAA defines five payment functions, any one of which engages the Act: providing or maintaining an account in the name of an end user; holding funds on behalf of an end user; initiating an electronic funds transfer at the request of an end user; authorising an electronic funds transfer or transmitting, receiving or facilitating an instruction to transfer funds; and providing clearing or settlement services.
You perform that activity as a service or business activity. Performing a payment function incidentally to another business — for example, a retailer accepting payment for its own goods — does not engage the Act. Performing the function as the service itself does.
You have a Canadian connection. The Act applies to PSPs performing retail payment activities for an end user in Canada or directing those activities at end users in Canada. Foreign PSPs serving Canadian users are caught by the regime even where they have no Canadian establishment.
You are not exempt. Certain entities are excluded — banks, credit unions, federally regulated financial institutions, the Bank of Canada itself, and a small number of other categories. The exemption list is narrower than many applicants assume.
If all four conditions apply, registration is mandatory before performing any retail payment activity. Operating without registration once supervision has commenced is an enforcement matter.
The Registration Process: Five Steps
The Bank of Canada operates registration through its PSP Connect portal. The process below summarises what applicants actually need to do.
Step 1: Complete the Self-Assessment
Before opening an application, applicants are expected to confirm using the Bank of Canada’s self-assessment tool that the RPAA applies to their business. The output of the self-assessment is the foundation for the application — if the conclusion is wrong, every subsequent step compounds the error.
Step 2: Create a PSP Connect Account
PSP Connect is the Bank of Canada’s online portal for the registration application, ongoing reporting and supervisory correspondence. The account is created in the name of an authorised individual at the applicant entity, who becomes the primary contact for the application.
Step 3: Prepare the Information Required Under Section 29
Section 29 of the RPAA sets out the information the application must contain. This includes details of the applicant entity, its directors, officers and beneficial owners, the retail payment activities to be performed, the end-user fund safeguarding arrangements, the operational risk management framework, the incident response framework, and supporting documentation.
In practice, the information request runs to tens of pages of structured questions and supporting documents. An applicant who underestimates this stage will produce an application that the Bank’s review team will return for clarification — and a returned application is a delayed application.
The full obligation set is examined in our RPAA Bank of Canada compliance guide.
Step 4: Pay the Application Fee
The Bank of Canada charges a prescribed application fee that must be paid before the application is processed. The fee is set out on the Bank of Canada’s PSP registration pages and is updated from time to time — applicants should rely on the Bank’s published rate at the time of application rather than figures quoted in older guidance. The mechanics of how the Bank funds its supervisory work are discussed in our analysis of FINTRAC’s assessment of expenses funding model, which informs the broader funding framework for Canadian financial supervision.
Step 5: Submit and Respond to Information Requests
Once submitted, the application enters the Bank of Canada’s review process. The Bank may issue further information requests, request clarification on specific points, and ultimately either register the applicant, refuse the application, or place the applicant on the public list of applicants pending a decision.
The Bank’s published list of applicants and registered PSPs is a public document. Appearing on it is itself a signal to banking partners, investors and counterparties — both that the firm has applied and, eventually, whether the firm has been registered or refused.
Grounds for Refusal
Section 30 of the RPAA sets out the grounds on which the Bank of Canada may refuse to register an applicant. These include national security concerns, integrity and competence concerns relating to directors, officers or beneficial owners, and incomplete or inaccurate information in the application itself.
The Bank’s separate published policy on refusal and revocation sets out how it interprets these grounds in practice. Two patterns emerge from refusals to date.
The first is integrity and competence findings on individuals. Where the Bank of Canada cannot satisfy itself that named directors, officers or beneficial owners are fit to be associated with a registered PSP — typically because of prior regulatory action, criminal records, undisclosed beneficial ownership, or unexplained source-of-funds questions — registration will not follow. The lessons from our analysis of the importance of having a local Canadian director for your MSB apply equally to the PSP context.
The second is operational risk and safeguarding deficiencies. Where the application’s risk management framework, incident response framework or end-user fund safeguarding arrangements do not meet the Bank of Canada’s expectations, the Bank will not simply register and supervise the firm into compliance. It will refuse.
Refused applicants face a more difficult re-application path — the public list, banking partner conversations and investor due diligence all carry the prior refusal forward. Re-application is possible but is not the same exercise as a first application.
What the Application Actually Asks For
The RPAA application is not a name-and-address form. The substance most applicants underestimate sits in three areas.
Operational risk management framework. The application requires a documented framework covering identification, assessment, mitigation and monitoring of operational risks. This is not a risk register. It is a framework, a methodology, a governance structure and a set of operational controls. Drafting this from scratch during the application window is the wrong sequence.
End-user fund safeguarding. Where a PSP holds end-user funds, the application must set out how those funds are safeguarded — segregation, trust accounts, insurance, the ranking of end users on insolvency. The Bank of Canada has been unambiguous that safeguarding is a substantive obligation, not a representation. The recent RPAA trust tax relief update for PSPs is one example of how the safeguarding framework continues to evolve.
Incident response. The application must set out the framework for identifying, escalating, reporting and remediating incidents — including the obligation to notify the Bank of Canada of incidents that have a material impact on end users or the integrity of the retail payment system.
These three areas are where most applications either succeed or stall.
After Registration: What Comes Next
Registration is the entry point, not the destination. Registered PSPs are subject to an ongoing supervisory regime that includes annual reporting, incident reporting, ongoing maintenance of the operational risk management framework, and supervisory examinations.
The annual report is a substantive document — not a confirmation letter. The detail expected, the deadline structure, and the most common mistakes are covered in our guides to PSP annual reporting requirements and the five critical PSP annual report mistakes that trigger Bank of Canada scrutiny.
PSPs also need to consider how RPAA obligations interact with parallel Canadian regimes — FINTRAC AML obligations under the PCMLTFA, data protection obligations, and where applicable, MSB registration. Many PSPs will need to register both as PSPs under the RPAA and as MSBs under the PCMLTFA — see our AML requirements for newly regulated PSPs in Canada for the overlap.
Banking access is the practical consequence most operators feel first. Canadian banks have tightened their requirements for serving PSPs, and registration status is now a precondition for most relationships. Our analysis of how to get banking for your Canadian MSB or PSP examines what banking partners actually look for.
Why This Is Not a DIY Process
The Bank of Canada publishes detailed guidance and operates the application portal in a way that is, on its face, accessible. The guidance documents are accurate. The portal works. Applicants can self-serve through the entire process.
The question is whether they should. Two facts from the Canadian PSP supervisory experience to date are worth holding alongside each other. First, a non-trivial proportion of applications submitted in 2024 and 2025 were either refused, withdrawn after extensive Bank of Canada follow-up, or registered after delays of many months. Second, the most common reason was not procedural error but substantive inadequacy in the operational risk management, safeguarding and incident response frameworks the application required.
That is not a documentation issue. It is a compliance design issue. And compliance design is the work of practitioners who have done it before, not founders or operations teams encountering RPAA expectations for the first time.
ComplyFactor’s RPAA support spans the full registration lifecycle — self-assessment, application preparation, risk framework design, safeguarding architecture, incident response drafting, post-registration annual reporting and supervisory examination support. Our Canada PSP and MSB regulatory framework services and AML compliance programme work intersect for clients who require both PSP and MSB registration.
Frequently Asked Questions
What is the RPAA registration deadline?
PSPs must be registered with the Bank of Canada before performing any retail payment activity. There is no rolling deadline; the obligation arises before activity commences. Firms already operating must register before continuing — operating an unregistered retail payment activity is an enforcement matter.
How much does RPAA registration cost?
The Bank of Canada charges a prescribed application fee, set out on its PSP registration pages and updated from time to time. Applicants should rely on the rate published by the Bank of Canada at the time of application. The cost of registration also includes the substantial internal work or external advisory required to prepare the application, which is typically a multiple of the application fee.
How long does RPAA registration take?
There is no published statutory timeline. In practice, well-prepared applications have been registered within several months of submission. Applications with material gaps in the risk management, safeguarding or incident response frameworks have taken substantially longer, with extended back-and-forth between the applicant and the Bank of Canada review team.
Can foreign PSPs register under the RPAA?
Yes. The RPAA applies to PSPs that perform retail payment activities for end users in Canada or that direct those activities at end users in Canada, regardless of whether the PSP is established in Canada. Foreign PSPs serving Canadian users are within scope and must register.
Do I need to register as both a PSP and an MSB?
In many cases, yes. The RPAA and the PCMLTFA operate in parallel. A firm that performs a retail payment activity under the RPAA and also performs an activity that triggers MSB registration under the PCMLTFA — such as money transmitting or foreign exchange — must register under both regimes. Our comprehensive Canada MSB licence guide and the parallel RPAA materials cover the overlap.
What happens if my RPAA application is refused?
A refused applicant cannot lawfully perform retail payment activities in Canada. Re-application is possible but the prior refusal is a matter of public record on the Bank of Canada’s published list, and banking partners, investors and counterparties will be aware. The re-application is treated as a fresh application but with the prior refusal in context.
Can I register and operate before my AML programme is in place?
No. Where a PSP is also an MSB, the AML programme must be in place at the time of MSB registration. Even where the PSP is not an MSB, the operational risk management framework required for RPAA registration overlaps materially with AML programme expectations, and a PSP that has registered without an operational compliance framework will fail at first examination.
What is the difference between the RPAA and the PCMLTFA?
The RPAA is administered by the Bank of Canada and covers operational risk, end-user fund safeguarding and incident reporting for retail payment activities. The PCMLTFA is administered by FINTRAC and covers AML and counter-terrorist-financing obligations including KYC, transaction monitoring, suspicious transaction reporting and recordkeeping. Many Canadian PSPs are subject to both regimes simultaneously.
Closing the Loop
RPAA registration is documented carefully on the Bank of Canada’s website and the procedural steps are not the hard part. The substance — the operational risk management framework, the end-user fund safeguarding arrangements, the incident response framework, and the integrity and competence of named individuals — is where applications succeed or fail.
The Bank of Canada has been clear that it will not register PSPs whose applications fall short of its expectations on those substantive points, and the public list of refused and withdrawn applicants is a permanent record of that.
ComplyFactor supports payment service providers through every stage of RPAA registration and post-registration supervision. If you are scoping registration, mid-application, or preparing for your first annual report, our team is here.