Comprehensive Guide to RPAA Compliance – Bank of Canada

By /

The Retail Payment Activities Act (RPAA) represents a fundamental shift in Canada’s payment regulatory landscape, establishing the Bank of Canada as the primary supervisor of payment service providers. Enacted on June 29, 2021, the RPAA creates a mandatory registration framework for entities performing retail payment functions, marking Canada’s entry into comprehensive payment services regulation.

The registration window closed on November 15, 2024, following a 15-day application period that began November 1, 2024. PSPs that submitted applications during this window may continue operating during the transition period until September 7, 2025, when full compliance requirements take effect. The Bank of Canada will publish registration decisions on September 8, 2025.

This regulatory framework significantly impacts Canadian fintech companies, payment processors, money service businesses, and any entity facilitating electronic funds transfers. Unlike traditional licensing regimes, the RPAA establishes a registration system focused on operational risk management and end-user fund protection rather than market entry authorization. Non-compliance carries substantial enforcement risks, including administrative monetary penalties and operational restrictions.

Legislative Framework Overview

RPAA Development and Implementation

The RPAA emerged from Canada’s recognition that the rapidly evolving payments landscape required modern regulatory oversight. Passed on June 29, 2021, the legislation addresses gaps in payment services supervision while maintaining Canada’s competitive fintech environment. The Act provides the Bank of Canada with supervisory authority over retail payment activities, complementing existing federal and provincial financial services regulation.

The implementation timeline spans multiple years, with regulations published in Part II of the Canada Gazette on November 22, 2023. This phased approach allows payment service providers time to understand requirements and develop compliance frameworks before full operational obligations take effect in September 2025.

Bank of Canada’s Supervisory Mandate

The RPAA grants the Bank of Canada specific supervisory powers focused on operational risk management and end-user fund protection. Importantly, this is not a licensing regime – the Bank does not authorize market entry or guarantee business viability. Instead, registration confirms that PSPs meet baseline operational standards and maintain adequate risk management frameworks.

The Bank’s mandate specifically excludes prudentially regulated institutions such as banks, credit unions, and insurance companies, which remain under existing federal and provincial oversight. This targeted approach ensures regulatory efficiency while addressing supervision gaps in the payments ecosystem.

Integration with Existing Financial Regulation

PSPs must navigate both RPAA registration and existing regulatory requirements. FINTRAC registration as a Money Service Business (MSB) remains mandatory for entities conducting foreign exchange or funds transmission activities. The RPAA complements rather than replaces these obligations, creating a comprehensive regulatory framework addressing different risk aspects.

Provincial MSB licensing requirements also remain in effect where applicable, particularly in Quebec and British Columbia. PSPs must ensure compliance with all applicable federal, provincial, and territorial requirements in addition to RPAA registration.

Four-Step Registration Test

Step 1: PSP Definition and Payment Functions

What Constitutes a PSP

Under section 2 of the RPAA, a PSP is defined as “an individual or entity that performs payment functions as a service or business activity that is not incidental to another service or business activity.” The critical determination is whether payment functions constitute core business activities rather than supporting services.

Bank of Canada has published a self assessment calculator on their website to help individuals or entities assess whether they could be subject to the Retail Payment Activities Act (RPAA). Also, to supplement the Bank of Canada’s other guidance on registering as a payment service provider (PSP) 

The Five Payment Functions

PSPs must perform at least one of the following functions to trigger registration requirements:

1. Provision or Maintenance of Accounts

  • Storing end-user personal or financial information for future electronic funds transfers
  • Maintaining payment credentials, account balances, or transaction history
  • Example: Digital wallet services storing user payment information for recurring transactions

2. Holding Funds on Behalf of End Users

  • Keeping payer or payee funds at rest and available for future withdrawal or transfer
  • Maintaining indebtedness to end users regarding their funds
  • Example: Prepaid card programs, neobank services, marketplace escrow accounts

3. Initiation of Electronic Funds Transfers

  • Launching the first payment instruction enabling an EFT requested by end users
  • Capturing and packaging EFT data from end-user credentials and transaction details
  • Example: Payment initiation services, online payment platforms

4. Authorization of EFTs/Transmission of Payment Instructions

  • Establishing whether an EFT can be performed or confirming end-user consent
  • Sending, receiving, or facilitating payment instructions between parties
  • Example: Payment processors, card networks, gateway services

5. Provision of Clearing or Settlement Services

  • Calculating final positions, transforming payment instructions, or confirming fund availability
  • Posting credits and debits to discharge payment obligations
  • Example: Payment system operators, settlement service providers

Step 2: Retail Payment Activities Scope

Electronic Funds Transfer Definition

Section 2 of the RPAA defines an EFT as “a placement, transfer or withdrawal of funds by electronic means that is initiated by or on behalf of an individual or entity.” This encompasses all non-cash fund movements including debit and credit card transactions, direct deposits, peer-to-peer payments, and online transfers.

Currency Coverage

The RPAA applies to payment functions related to EFTs conducted in:

  • Canadian dollars (CAD)
  • Foreign fiat currencies (USD, EUR, GBP, etc.)
  • Prescribed units meeting regulatory criteria

Digital Currency Exclusion

Digital currencies and cryptocurrencies are explicitly excluded from RPAA scope. However, PSPs facilitating conversion between digital currencies and fiat currencies may still fall within the Act’s coverage for the fiat currency components of their operations.

Step 3: Geographic Scope Requirements

Canadian Place of Business Criteria

PSPs are subject to RPAA registration if they have a place of business in Canada, defined as:

  • Physical location in Canada (including home offices)
  • Incorporation in Canada under federal or provincial legislation
  • Employees, agents, or mandataries in Canada

Foreign PSP Requirements

Foreign PSPs without a Canadian place of business must register if they both:

  • Perform retail payment activities for end users in Canada
  • Direct retail payment activities at individuals or entities in Canada

Factors indicating Canadian end-user presence include:

  • Canadian IP addresses during payment function performance
  • Canadian shipping addresses or service delivery locations
  • Payment products localized for Canadian markets

Factors indicating direction at Canadian entities include:

  • Marketing or advertising targeted at Canadians
  • Operating .ca domain names
  • Canadian business directory listings
  • Agreements with Canadian entities for payment services

Step 4: Exclusions from RPAA

Entity-Based Exclusions

The following entities are excluded from RPAA application:

  • Banks and authorized foreign banks under the Bank Act
  • Insurance companies and fraternal benefit societies
  • Trust and loan companies under federal legislation
  • Provincially regulated financial institutions accepting transferable deposits
  • Bank of Canada and Canadian Payments Association
  • Provincial Crown entities accepting transferable deposits
  • SWIFT messaging network

Activity-Based Exclusions

Specific activities are excluded regardless of the entity performing them:

Incidental Activities: Payment functions performed solely to support non-payment business activities. Key indicators include:

  • Payment functions essential only for delivering core non-payment services
  • No direct revenue generation from payment activities
  • End users not expecting payment services as primary offering
  • No marketing of payment capabilities as distinct services

Securities Transactions: Activities performed by entities regulated under Canadian securities legislation for securities-related transactions

Merchant Instruments: Payment functions using instruments issued by merchants for purchases only from the issuing merchant or specific merchant groups

Internal Transactions: EFTs between affiliated entities where the PSP is an affiliated party and no external PSPs participate

ATM Cash Withdrawals: Payment functions for cash withdrawals at automatic teller machines

Registration Process and Requirements

PSP Connect Portal System

The Bank of Canada developed PSP Connect, a dedicated web application for PSP registration, information updates, and fee payments. The platform serves as the primary interface for all Bank-PSP interactions throughout the registration process and ongoing compliance activities.

Required Documentation and Information

Section 29(1) of the RPAA specifies comprehensive information requirements including:

  • Detailed business structure and corporate information
  • Payment function descriptions and operational processes
  • Geographic scope documentation
  • Third-party service provider relationships
  • Affiliated entity disclosures
  • Risk management framework descriptions
  • End-user fund safeguarding plans
  • Financial information and audit reports

Application Timeline and Review Process

The registration process follows a structured timeline:

  • Application Submission: November 1-15, 2024 (completed)
  • Review Period: 10 months from application receipt
  • National Security Review: Conducted by Department of Finance
  • FINTRAC Coordination: Information sharing for regulatory coordination
  • Decision Publication: September 8, 2025

Registration vs. Licensing Distinction

RPAA registration differs fundamentally from traditional licensing regimes. The Bank of Canada does not authorize market entry or provide business operation approval. Registration confirms compliance with operational risk standards and end-user protection requirements but does not guarantee business success or prevent insolvency.

Financial Requirements

Registration Application Fee

PSPs must pay a $2,500 CAD non-refundable registration fee under subsection 29(2) of the RPAA. This flat fee applies uniformly to all applicants regardless of business size or complexity. The fee is exempt from Canadian sales tax and increases annually based on Statistics Canada’s Consumer Price Index adjustments.

Payment Methods

Registration fees must be paid through PSP Connect using:

  • Credit cards (primary payment method)
  • Electronic funds transfer (after unsuccessful credit card attempts)
  • Direct deposit or wire transfer (limited circumstances after multiple payment failures)

Annual Assessment Fees

Registered PSPs will pay ongoing annual assessment fees calculated using a formula developed by the Department of Finance. These fees recover the Bank’s supervisory costs not covered by registration fees, with amounts varying based on PSP size and risk profile.

Post-Registration Compliance Framework

Risk Management and Incident Response (RMIR) Framework

Effective September 8, 2025, registered PSPs must establish, implement, and maintain comprehensive RMIR frameworks addressing:

  • Operational risk identification and assessment
  • Incident response procedures and escalation protocols
  • Business continuity and disaster recovery planning
  • Third-party risk management programs
  • Regular framework testing and validation

Safeguarding of End-User Funds (SoF) Framework

PSPs holding end-user funds must implement robust safeguarding measures including:

  • Segregated account requirements for end-user funds
  • Insurance or guarantee alternatives meeting prescribed criteria
  • Daily reconciliation and monitoring procedures
  • Insolvency protection mechanisms
  • Regular compliance auditing and reporting

Ongoing Reporting Requirements

Registered PSPs must maintain compliance through:

  • Annual reporting on operations and risk management
  • Incident reporting for significant operational events
  • Material change notifications for business structure or activity modifications
  • Information updates through PSP Connect for corporate changes

Current Status and Key Dates

The RPAA implementation follows a carefully structured timeline:

  • Registration Window: November 1-15, 2024 (CLOSED)
  • Transition Period: November 16, 2024 – September 7, 2025
  • Full Compliance Effective: September 8, 2025
  • Registration Decisions Published: September 8, 2025

New PSP Applications During Transition Period

During the transition period, individuals and entities who wish to start operating as a PSP after the 15-day application window but have not applied within that time must submit their registration application at least 60 days before they plan to start conducting retail payment activities.

Critical Requirements for New PSPs:

  • 60-Day Advance Application: New PSPs must apply at least 60 days before starting operations
  • No Operations Without Application: Cannot commence retail payment activities until application is submitted
  • Same Registration Requirements: Must meet all four-step criteria and provide identical documentation
  • Same $2,500 CAD Fee: Registration fee remains unchanged for new applicants

Post-September 8, 2025 Requirements

After September 7, 2025, registration is required before executing any retail payment operations. New PSPs starting after this date must:

  • Obtain Registration Approval: Cannot operate without confirmed registration
  • Meet Full Compliance Standards: RMIR and SoF frameworks must be operational from day one
  • Complete National Security Review: No operations permitted until government security clearance

During the transition period, PSPs that submitted applications may continue operations while the Bank reviews submissions.

Practical Application Examples

Stablecoin-to-Fiat Conversion Services

Entities converting stablecoins to fiat currency and transmitting funds to counterparties likely perform multiple payment functions including EFT initiation and instruction transmission. Even without holding fiat funds in segregated accounts, these activities may constitute PSP functions requiring registration.

Payment Gateway Operations

Payment gateways facilitating merchant transactions typically perform authorization and instruction transmission functions. Depending on their role in the payment chain, they may require RPAA registration regardless of whether they hold merchant or consumer funds.

Marketplace Payment Facilitation

Online marketplaces processing payments between buyers and sellers often hold funds temporarily and maintain user payment information. These activities likely trigger multiple payment function requirements necessitating PSP registration.

Cross-Border Payment Services

Services facilitating international fund transfers for Canadian end users must assess both payment function performance and geographic scope requirements to determine RPAA applicability.

Enforcement and Penalties

Consequences of Non-Registration

Entities required to register but failing to comply face significant enforcement actions including:

  • Administrative monetary penalties proportional to violation severity
  • Notice of violation requiring immediate compliance
  • Operational restrictions preventing continued payment activities
  • Public disclosure of non-compliance status

Bank of Canada Enforcement Approach

The Bank emphasizes compliance encouragement over punitive enforcement, particularly during the transition period. However, willful non-compliance after September 8, 2025, will trigger progressively severe enforcement measures designed to ensure regulatory effectiveness.

Strategic Recommendations

Immediate Compliance Steps for Unregistered PSPs

For Existing PSPs That Missed the November 15 Deadline:

  • Cannot operate until September 8, 2025 unless they submitted an application during the prescribed window
  • Face enforcement action if continuing operations without registration
  • Must wait for future registration opportunities as announced by the Bank of Canada

For New PSPs During Transition Period (November 16, 2024 – September 7, 2025):

  • Submit application immediately if planning to start operations
  • Wait 60 days minimum after application submission before commencing activities
  • Prepare comprehensive documentation meeting all RPAA requirements
  • Develop RMIR and SoF frameworks before application submission

For PSPs Planning to Start After September 8, 2025:

  • Must obtain registration approval before any operations
  • Complete full compliance implementation including operational frameworks
  • Undergo national security review as part of registration process
  • Maintain continuous compliance from first day of operations

Entities that missed the registration window should:

  • Conduct immediate RPAA applicability assessment using the four-step test
  • Document current payment functions and operational procedures
  • Develop risk management frameworks meeting RMIR requirements
  • Prepare registration documentation for potential future application opportunities
  • Engage specialized legal counsel for compliance strategy development

Legal Counsel Consultation Importance

Given the RPAA’s complexity and significant compliance implications, PSPs should engage Canadian fintech legal specialists experienced in payment services regulation. Professional guidance ensures accurate applicability assessment and effective compliance strategy development.

Risk Assessment and Documentation

PSPs should maintain comprehensive documentation demonstrating:

  • Detailed payment function analysis supporting registration decisions
  • Risk management framework implementation meeting regulatory standards
  • End-user fund safeguarding procedures addressing SoF requirements
  • Ongoing compliance monitoring ensuring continued regulatory adherence

The RPAA represents a fundamental evolution in Canadian payment services regulation, requiring careful analysis and strategic compliance planning for affected entities. Professional guidance and proactive compliance measures remain essential for navigating this new regulatory landscape successfully.

Related Posts

Scroll to Top