Key takeaways
- RPAA registration is a supervisory registration, not a licence β the Bank of Canada confirms you've met the threshold, it doesn't validate your business.
- A meaningful share of 2024β2025 applications were refused, withdrawn, or delayed for months.
- The most common failure is not procedural β it's substantive inadequacy in operational risk, fund safeguarding, and incident response frameworks.
- Many PSPs must register both under the RPAA and as an MSB under the PCMLTFA.
The Retail Payment Activities Act brought Canada's payment service providers under federal supervision for the first time. Since the Bank of Canada's framework came into force on 1 November 2024, hundreds of PSPs have applied β and a meaningful share have been refused, withdrawn, or are operating under enforcement scrutiny.
The registration looks procedural on the surface. The substance underneath has tripped up firms that approached it as a form-filling exercise. This guide walks through the process step by step, sets out the criteria the Bank of Canada uses to assess applications, and flags the points where applicants most often go wrong.
What is RPAA registration?
The RPAA requires every payment service provider performing a retail payment activity in Canada β or directed at end users in Canada β to register with the Bank of Canada and comply with operational risk management, end-user fund safeguarding, incident reporting and ongoing supervisory obligations.
Registration is not a licence in the traditional sense. It is a supervisory registration. The Bank of Canada does not approve a business model; it confirms that a registered PSP has provided the information required under section 29 of the RPAA and that the Bank has no grounds under section 30 to refuse the application. The distinction matters β registration does not validate that a business is sound, only that it has met the registration threshold.
Do you need to register?
Four conditions must all be met for the RPAA to apply to your business:
- You perform a retail payment activity. The RPAA defines five payment functions, any one of which engages the Act: providing or maintaining an account for an end user; holding funds on behalf of an end user; initiating an electronic funds transfer at an end user's request; authorising an EFT or transmitting/receiving/facilitating a transfer instruction; and providing clearing or settlement services.
- You perform it as a service or business activity. Performing a payment function incidentally to another business β e.g. a retailer accepting payment for its own goods β does not engage the Act. Performing the function as the service itself does.
- You have a Canadian connection. The Act applies to PSPs performing retail payment activities for an end user in Canada or directing those activities at end users in Canada. Foreign PSPs serving Canadian users are caught even with no Canadian establishment.
- You are not exempt. Banks, credit unions, federally regulated financial institutions, the Bank of Canada itself, and a few other categories are excluded. The exemption list is narrower than many applicants assume.
If all four apply, registration is mandatory before performing any retail payment activity. Operating without registration once supervision has commenced is an enforcement matter.
The registration process: five steps
The Bank of Canada operates registration through its PSP Connect portal. Here's what applicants actually need to do.
Step 1 β Complete the self-assessment
Before opening an application, applicants confirm β using the Bank of Canada's self-assessment tool β that the RPAA applies to their business. The output is the foundation for the application; if the conclusion is wrong, every subsequent step compounds the error.
Step 2 β Create a PSP Connect account
PSP Connect is the Bank of Canada's online portal for the application, ongoing reporting and supervisory correspondence. The account is created in the name of an authorised individual at the applicant entity, who becomes the primary contact.
Step 3 β Prepare the section 29 information
Section 29 sets out what the application must contain: details of the entity, its directors, officers and beneficial owners, the retail payment activities to be performed, end-user fund safeguarding arrangements, the operational risk management framework, the incident response framework, and supporting documentation. In practice this runs to tens of pages of structured questions and documents. Underestimate it and the Bank's review team returns the application for clarification β and a returned application is a delayed application.
Step 4 β Pay the application fee
The Bank of Canada charges a prescribed application fee that must be paid before processing. The fee is published on the Bank's PSP registration pages and updated periodically β rely on the Bank's current published rate rather than figures in older guidance.
Step 5 β Submit and respond to information requests
Once submitted, the application enters review. The Bank may issue further information requests, request clarification, and ultimately register the applicant, refuse the application, or place the applicant on the public list pending a decision. That published list of applicants and registered PSPs is a public document β appearing on it is itself a signal to banking partners, investors and counterparties.
Grounds for refusal
Section 30 sets out the grounds on which the Bank of Canada may refuse to register an applicant: national security concerns, integrity and competence concerns relating to directors, officers or beneficial owners, and incomplete or inaccurate information. Two patterns emerge from refusals to date.
1. Integrity and competence findings on individuals. Where the Bank cannot satisfy itself that named directors, officers or beneficial owners are fit β prior regulatory action, criminal records, undisclosed beneficial ownership, or unexplained source-of-funds questions β registration will not follow.
2. Operational risk and safeguarding deficiencies. Where the risk management framework, incident response framework or end-user fund safeguarding arrangements don't meet expectations, the Bank will not simply register and supervise the firm into compliance. It will refuse. Refused applicants face a harder re-application path β the public list, banking conversations and investor due diligence all carry the prior refusal forward.
What the application actually asks for
The RPAA application is not a name-and-address form. The substance most applicants underestimate sits in three areas:
- Operational risk management framework. A documented framework covering identification, assessment, mitigation and monitoring of operational risks β not a risk register, but a framework, methodology, governance structure and set of controls. Drafting it from scratch during the application window is the wrong sequence.
- End-user fund safeguarding. Where a PSP holds end-user funds, the application must set out how they're safeguarded β segregation, trust accounts, insurance, the ranking of end users on insolvency. The Bank has been unambiguous that safeguarding is a substantive obligation, not a representation.
- Incident response. The framework for identifying, escalating, reporting and remediating incidents β including notifying the Bank of incidents with a material impact on end users or the integrity of the retail payment system.
These three areas are where most applications either succeed or stall.
After registration: what comes next
Registration is the entry point, not the destination. Registered PSPs face an ongoing supervisory regime: annual reporting, incident reporting, ongoing maintenance of the operational risk management framework, and supervisory examinations. The annual report is a substantive document, not a confirmation letter.
PSPs also need to consider how RPAA obligations interact with parallel regimes β FINTRAC AML obligations under the PCMLTFA, data protection, and where applicable, MSB registration. Many PSPs will need to register both as a PSP under the RPAA and as an MSB under the PCMLTFA. Banking access is the practical consequence operators feel first: Canadian banks have tightened requirements, and registration status is now a precondition for most relationships.
Why this is not a DIY process
The Bank of Canada publishes detailed guidance and the portal works β applicants can self-serve through the entire process. The question is whether they should. Two facts from the supervisory experience to date sit alongside each other: first, a non-trivial proportion of 2024β2025 applications were refused, withdrawn after extensive follow-up, or registered after months of delay; second, the most common reason was not procedural error but substantive inadequacy in the operational risk management, safeguarding and incident response frameworks.
That is not a documentation issue β it is a compliance design issue. ComplyFactor's RPAA support spans the full registration lifecycle: self-assessment, application preparation, risk framework design, safeguarding architecture, incident response drafting, post-registration annual reporting and supervisory examination support.
Frequently asked questions
What is the RPAA registration deadline?
How much does RPAA registration cost?
How long does RPAA registration take?
Can foreign PSPs register under the RPAA?
Do I need to register as both a PSP and an MSB?
What happens if my RPAA application is refused?
What is the difference between the RPAA and the PCMLTFA?
ComplyFactor is a specialist AML and regulatory compliance advisory firm working exclusively with MSBs, PSPs, fintechs, and VASPs across Canada's FINTRAC and RPAA frameworks. Our advisors hold CAMS certification and bring direct examination experience to every engagement.
