PSP Annual Reporting Requirements Canada: Complete Compliance Guide to Avoid Bank of Canada Enforcement

By /
📋

EXPERT ANNUAL REPORTING SUPPORT

Struggling with your PSP annual report requirements? ComplyFactor’s regulatory experts provide comprehensive support for RPAA annual reporting, operational risk frameworks, and end-user funds safeguarding compliance. Our MLRO services and compliance audit services ensure your annual report meets Bank of Canada expectations. Contact our team today for expert guidance.

If you’re a payment service provider (PSP) registered under Canada’s Retail Payment Activities Act (RPAA), you face a critical compliance deadline every March 31st. The Bank of Canada’s annual reporting requirements are comprehensive, technically demanding, and strictly enforced. Missing this deadline or submitting incomplete information doesn’t just risk regulatory scrutiny—it can trigger enforcement action that threatens your ability to operate.

This guide breaks down everything Canadian PSPs need to know about annual reporting requirements, from operational risk management to end-user funds safeguarding, financial metrics, and incident reporting. Whether you’re preparing your first annual report or streamlining your compliance process, understanding these requirements is essential to maintaining your registration and avoiding costly penalties.

Understanding PSP Annual Reporting Under the RPAA

The RPAA established a comprehensive regulatory framework for payment service providers operating in Canada. Section 21 of the RPAA and sections 18-19 of the Retail Payment Activities Regulations (RPAR) mandate that all registered PSPs submit an annual report to the Bank of Canada by March 31 each year.

This isn’t a simple formality. The annual report is a detailed assessment of your compliance with operational risk management obligations, end-user funds safeguarding requirements, record-keeping practices, and incident reporting protocols. The Bank of Canada uses this information to support its risk-based approach to retail payments supervision and to assess whether PSPs are meeting their regulatory obligations.

What Makes PSP Annual Reporting Different

Unlike traditional financial reporting, PSP annual reporting under the RPAA focuses specifically on:

  • Operational risk management frameworks and incident response capabilities
  • End-user funds safeguarding mechanisms and insolvency protection
  • Ubiquity and interconnectedness metrics that measure your systemic importance
  • Significant changes to your business operations, technology, or service providers
  • Incident reporting covering operational failures, cyber security events, and data breaches
  • Financial metrics specifically related to retail payment activities

The Bank of Canada expects PSPs to demonstrate not just compliance with specific rules, but a comprehensive understanding of how risks are identified, managed, and mitigated across all retail payment activities.

💡

PRO TIP

Start gathering documentation for your annual report at least 60 days before the March 31 deadline. Many PSPs underestimate the time required to compile operational risk data, validate financial metrics, and document safeguarding arrangements across multiple jurisdictions and service providers.

Critical Deadline: March 31 Annual Filing Requirement

Every registered PSP must submit a completed annual report to the Bank of Canada by March 31 each year. This deadline is absolute and applies regardless of your fiscal year-end date.

What the March 31 Deadline Covers

Your annual report must include information from the previous calendar year (January 1 to December 31), with one important exception: financial metrics should reflect your most recent fiscal year-end, even if that falls outside the calendar year reporting period.

For example, if you’re filing in March 2026:

  • Operational risk data covers January 1, 2025 to December 31, 2025
  • Incident reporting covers January 1, 2025 to December 31, 2025
  • Ubiquity metrics cover January 1, 2025 to December 31, 2025
  • Financial metrics reflect your most recent fiscal year-end (which might be June 30, 2025, December 31, 2025, or another date)

Consequences of Missing the Deadline

The Bank of Canada takes annual reporting deadlines seriously. Failure to submit your annual report by March 31 can result in:

  • Immediate regulatory scrutiny and increased supervisory attention
  • Formal enforcement action under section 31 of the RPAA
  • Administrative monetary penalties for non-compliance with reporting obligations
  • Suspension or cancellation of your PSP registration under section 11 of the RPAA
  • Reputational damage that affects banking relationships and business partnerships

For PSPs already facing compliance challenges, a missed annual report deadline can be the catalyst for comprehensive supervisory intervention, including on-site examinations and enhanced monitoring requirements.

Section 1: Operational Risk and Incident Management Framework

The operational risk section is typically the most detailed component of the annual report. The Bank of Canada expects PSPs to demonstrate that they have established, implemented, and maintain a comprehensive risk management and incident response framework as required by section 5 of the RPAR.

Framework Approval and Governance

Your annual report must confirm that your risk management and incident response framework was approved during the reporting year by:

  • The senior officer designated under subparagraph 5(1)(d)(ii) of the RPAR
  • Your board of directors, if you have one
  • The senior officer again when material changes were made to the framework

This isn’t just a box-checking exercise. The Bank of Canada expects documented evidence of board-level oversight and senior management accountability for operational risk management. If your framework wasn’t approved as required, you must disclose this deficiency in your annual report.

Operational Risk Categories You Must Address

The Bank of Canada requires PSPs to identify operational risks across specific categories:

Technology and Systems Risks:

  • Information technology failures and system outages
  • Cyber security threats including malware, ransomware, and DDoS attacks
  • Data management and information security vulnerabilities
  • Network security defences and access controls

Operational Process Risks:

  • Business continuity and resilience capabilities
  • Fraud detection and prevention controls
  • Process design and implementation failures
  • Change management procedures

Third-Party and External Risks:

  • Third-party service provider dependencies and failures
  • Physical security of persons and assets
  • Human resources risks including key person dependencies

For each category where you’ve identified risks, your annual report must demonstrate how your framework addresses detection, prevention, and response measures.

⚠️

COMMON MISTAKE

Many PSPs fail to classify their assets and business processes by both sensitivity AND criticality as required by the RPAR. Simply identifying that you have “critical systems” isn’t sufficient—you must demonstrate a structured methodology for assessing both the sensitivity of data/information and the criticality of systems to your payment functions.

Protective and Detective Controls

The annual report requires detailed disclosure about your defensive measures, particularly for technology risks. You must report which of the following systems, policies, and controls you have implemented:

Monitoring and Detection Capabilities:

  • Key indicators and internal thresholds for anomaly detection
  • Logging and monitoring systems for transaction processing
  • Network defences including firewalls and intrusion detection systems
  • Malware detection and endpoint protection
  • Vulnerability detection and patch management processes
  • Security monitoring and threat intelligence capabilities

Protective Controls:

  • Access management including multi-factor authentication and privileged access controls
  • Vulnerability management, remediation, and patching procedures
  • Security software including antivirus and endpoint detection
  • Securely configured devices and hardened systems
  • Network security defences and segmentation
  • Secure cloud services and outsourced IT arrangements
  • Secure information system media handling
  • Secure system development life cycle practices

PSPs that cannot demonstrate comprehensive coverage across these controls must explain gaps and provide timelines for remediation in their annual report.

Incident Response Planning Requirements

Section 5(1)(h) of the RPAR requires your framework to include detailed incident response plans. Your annual report must confirm these plans address:

  • Policies and procedures for implementing the response plan
  • Escalation procedures for different incident severity levels
  • Third-party incident response procedures for service provider-caused incidents
  • Containment measures to limit incident impact
  • Root cause investigation methodologies
  • Impact verification and assessment procedures
  • Prevention measures to avoid recurrence
  • Implementation timeframes for response actions
  • Reporting procedures including frequency and level of detail
  • Transaction status identification during incident response
  • Record retention requirements for incident documentation

The Bank of Canada has observed that many PSPs have incident response plans that lack sufficient detail on timeframes, escalation triggers, and specific responsibilities. Your annual report should demonstrate that your plans are operationally actionable, not just conceptual frameworks.

Third-Party Service Provider Management

If you use third-party service providers to support retail payment activities, your annual report must provide extensive detail about your risk management approach:

Assessment Requirements: You must confirm whether you:

  • Established operational risk management criteria before engaging each third party
  • Conducted assessments of third parties before entering into agreements
  • Regularly assess third-party performance and risk management practices
  • Have clearly allocated responsibilities between your PSP and each third party

What the Bank Expects You to Assess: Your third-party assessments should cover:

  • Ability to protect your PSP’s and end users’ data and information
  • Protection of connections to and from your systems
  • Service provider performance against defined service levels
  • How you’re informed of changes to services or risk management practices
  • How you’re notified of security breaches or incidents
  • Appropriateness of the service provider’s incident response plans
  • Adequacy of dedicated roles and responsibilities

PSPs that haven’t conducted these assessments—or conducted them only after engaging service providers—must disclose this non-compliance in the annual report.

Agent and Mandatary Oversight

For PSPs using agents or mandataries to perform retail payment activities, the annual report requires confirmation that:

  • Roles and responsibilities are clearly specified and documented
  • Operational risk management criteria are established before agents begin operating
  • Regular assessments are conducted of agent/mandatary compliance with criteria
  • Agents’ operational risk management practices meet your standards

The Bank of Canada has emphasized that PSPs remain fully accountable for compliance even when activities are performed by agents. Your annual report must demonstrate active oversight, not passive delegation.

Resource Allocation Reporting

Your annual report must quantify both human and financial resources dedicated to operational risk management:

Human Resources Metrics:

  • Total number of employees (full-time equivalents)
  • Number of employees dedicated to retail payment activities
  • Number of employees dedicated to operational risk management and incident response

Financial Resources Metrics:

  • Percentage of annual budget dedicated to retail payment activities
  • Percentage of retail payment activity budget dedicated to operational risk management

These metrics help the Bank of Canada assess whether you have adequate resources to effectively manage operational risks relative to the scale and complexity of your operations.

Independent Review Requirements

Section 10 of the RPAR requires PSPs with an internal or external auditor to conduct an independent review of their risk management and incident response framework at least every three years.

Your annual report must disclose:

  • When the last independent review was conducted
  • Whether you’re within the three-year review cycle
  • If you’ve been operating for three or more years without conducting a review (which constitutes non-compliance)

PSPs without auditors are exempt from this requirement, but must confirm this exemption status in the annual report.

For comprehensive guidance on building robust operational risk frameworks that meet Bank of Canada expectations, see our AML compliance program development services which include operational risk assessment and incident response planning.

Section 2: End-User Funds Safeguarding Requirements

If your PSP performs payment function (b) under the RPAA—holding funds on behalf of end users until withdrawn or transferred—the annual report requires extensive documentation of your safeguarding arrangements. This section is complex, highly technical, and subject to strict regulatory interpretation.

Determining If You Hold End-User Funds

Before completing this section, you must accurately determine whether you perform the “holding funds” payment function. The Bank of Canada’s interpretation focuses on whether you have control and custody of funds, not merely whether funds pass through your systems.

Key indicators that you hold end-user funds include:

  • Funds reside in accounts under your control before being transferred
  • End users can maintain fund balances with your PSP
  • You have discretion over the timing of fund transfers
  • Funds are pooled or commingled before distribution

If you’re uncertain whether you hold funds, this ambiguity itself presents compliance risk. The Canadian PSP registration criteria provide additional context for determining which payment functions you perform.

Two Methods of Safeguarding End-User Funds

The RPAA allows two methods for safeguarding end-user funds, and your annual report must clearly identify which method(s) you use:

Method 1: Trust Account (Paragraph 20(1)(a) of RPAA)

Holding end-user funds in trust in a trust account that is not used for any other purpose. This method requires:

  • A valid express trust established under Canadian law
  • Trust accounts provided by prudentially regulated financial institutions
  • Legal agreements confirming the trust relationship
  • Proper trustee designation (the PSP, account provider, or third party)

Method 2: Insurance or Guarantee (Paragraph 20(1)(c) of RPAA)

Holding end-user funds in an account not used for any other purpose AND maintaining insurance or guarantee coverage in an amount equal to or greater than the funds held. This method requires:

  • Dedicated safeguarding accounts at regulated financial institutions
  • Insurance or guarantee policies from prudentially regulated providers
  • Coverage amounts that match or exceed funds held
  • Policies that specifically cover PSP insolvency scenarios

Many PSPs use a combination of both methods, particularly when operating across multiple jurisdictions with different regulatory frameworks.

Critical Timing Requirement: Placing Funds in Safeguarding Accounts

One of the most scrutinized aspects of safeguarding compliance is whether you place end-user funds into safeguarding accounts on receipt. Your annual report must disclose:

  • Whether ALL end-user funds are placed in safeguarding accounts on receipt
  • Whether SOME end-user funds are placed in safeguarding accounts on receipt
  • Whether you face processing constraints that prevent placement on receipt

If you face processing constraints, you must demonstrate that:

  • The constraints cannot be avoided despite your best efforts
  • Funds are placed in safeguarding accounts by the end of the next business day
  • You’ve documented the nature of the constraints
  • You’ve implemented measures to minimize delays

The Bank of Canada has indicated that routine operational inefficiency does not constitute an unavoidable processing constraint. PSPs must demonstrate genuine technical or systemic limitations beyond their control.

rgin-top:16px;margin-bottom:32px;padding:24px;font-family:-apple-system,BlinkMacSystemFont,’Segoe UI’,Roboto,Oxygen-Sans,Ubuntu,Cantarell,’Helvetica Neue’,sans-serif”>
🔔

COMPLIANCE ALERT

Processing constraints that delay placement of funds in safeguarding accounts constitute temporary shortfalls that MUST be reported in your annual report. Even if funds are placed by the next business day, these instances must be documented with root causes and remediation measures. There is no materiality threshold—all shortfalls must be reported.

Account Provider Requirements

Your annual report must identify all financial institutions that provide safeguarding accounts for end-user funds. The RPAR requires these institutions to be:

  • Canadian financial institutions (banks, credit unions, trust companies) regulated by OSFI or provincial regulators, OR
  • Foreign financial institutions that are prudentially regulated in their home jurisdiction

For each account provider, you must report:

  • The name of the financial institution
  • The jurisdiction in which it’s regulated
  • The name of the prudential regulator
  • Whether accounts are provided by Canadian or foreign institutions

PSPs using foreign account providers face additional scrutiny. The Bank of Canada expects clear justification for why Canadian banking relationships are not feasible and evidence that foreign providers offer equivalent regulatory protection.

Trust Arrangement Documentation

If you use the trust method (paragraph 20(1)(a)), your annual report must confirm several technical legal requirements:

Valid Trust Establishment:

  • Whether your trust arrangement forms a valid express trust under Canadian law
  • Where the trust is established (Canada outside Quebec, Quebec under simple administration, or other jurisdiction)
  • Whether you have obtained legal opinions confirming trust validity

Trust Mechanics:

  • Who serves as trustee (the PSP, account provider, or third party)
  • Whether legal agreements with account providers explicitly state that funds are held in trust for end users
  • Whether account titles clearly indicate the trust nature of the funds

Trust Integrity: If you hold end-user funds in the form of secure and liquid assets (not cash), you must confirm whether you’ve assessed whether this compromises trust validity. This is a technically complex area where the type of asset and trust jurisdiction significantly affect legal analysis.

PSPs that cannot confirm valid trust arrangements must disclose this compliance gap in the annual report. Invalid trusts may not provide insolvency protection, exposing end users to loss in the event of PSP failure.

Insurance and Guarantee Requirements

For PSPs using the insurance/guarantee method, the annual report requires detailed policy information:

Provider Information:

  • Name of each insurance or guarantee provider
  • Country or jurisdiction where provider is regulated
  • Name of the prudential regulator
  • Whether the provider is affiliated with the PSP (which is prohibited under section 14 of RPAR)

Policy Details:

  • Reference number or policy number for each contract
  • Policy coverage amount in Canadian dollars
  • Policy expiry dates
  • Whether coverage amounts meet or exceed funds held

Coverage Verification: PSPs must actively monitor that insurance or guarantee amounts remain equal to or greater than the amount of end-user funds held. Any period where coverage falls short—even briefly—constitutes a shortfall that must be reported in the annual report.

Safeguarding-of-Funds Framework Requirements

Beyond the mechanics of trust accounts or insurance policies, section 15 of the RPAR requires PSPs to establish a comprehensive safeguarding-of-funds framework. Your annual report must confirm that this framework includes:

Liquidity Approach: How you ensure end users have reliable access to their funds, including:

  • Whether you hold funds as cash, cash equivalents, or secure and liquid assets
  • Details of any liquidity arrangements with third parties
  • Policies for converting assets to cash if needed

Asset Management: For PSPs holding funds in secure and liquid assets (beyond simple cash), you must report:

  • Types of assets held (government securities rated A- or higher, corporate securities rated AA- or higher, GICs, etc.)
  • Book value of each asset type at reporting year-end
  • Whether you’ve assessed if holding assets compromises trust validity

Legal and Operational Risk Analysis: Your framework must identify legal and operational risks that could hinder your ability to safeguard funds, including:

  • Jurisdictional risks if accounts are held outside Canada
  • Counterparty risks related to financial institution stability
  • Operational risks in fund transfer and reconciliation processes
  • Legal risks in trust structures or insurance arrangements

Senior Officer Oversight: The framework must identify a senior officer responsible for:

  • Overseeing safeguarding practices
  • Ensuring compliance with safeguarding requirements
  • Approving material changes to safeguarding arrangements

Your annual report must confirm whether the framework was approved by this senior officer and by the board of directors during the reporting year.

Ledger Maintenance Requirements

Section 15(1)(c) of the RPAR requires PSPs to keep an accurate ledger recording:

  • The amount of funds held on behalf of each end user
  • The name and contact information of each end user
  • Updates to fund amounts by the end of each day

Your annual report must confirm whether you maintain this ledger as required. The Bank of Canada views ledger maintenance as critical to enabling end-user fund returns in insolvency scenarios. PSPs without accurate, current ledgers face significant enforcement risk.

Insolvency Procedures Documentation

Your safeguarding framework must include procedures for returning funds to end users in the event of your insolvency. The annual report requires confirmation that these procedures address:

  • How insolvency administrators will access relevant records and documentation
  • How end users will be contacted as soon as feasible
  • How errors or deficiencies in the ledger will be identified and corrected
  • How shortfalls in funds will be addressed
  • The role of agents, mandataries, or third-party service providers in facilitating returns

These procedures must be operational, not theoretical. The Bank of Canada expects PSPs to have tested or validated that administrators could actually execute fund returns based on documented procedures.

Shortfall Identification and Reporting

Section 16 of the RPAR requires PSPs to take measures to identify shortfalls as soon as feasible after they occur. A shortfall exists when:

The sum of end-user funds held in trust/safeguarding accounts plus insurance or guarantee coverage is less than the total amount of end-user funds owed to users.

Your annual report must include a detailed table of all shortfall instances during the reporting year, including:

For Each Shortfall:

  • Date the shortfall occurred
  • Date the shortfall was resolved
  • Root cause (processing constraint, insufficient insurance, trust invalidity, operational failure, etc.)
  • Shortfall amount in Canadian dollars
  • Description of the specific root cause
  • Measures taken to prevent recurrence

Important: There is no materiality threshold for shortfall reporting. All shortfalls, regardless of duration or amount, must be disclosed in the annual report.

Common root causes include:

  • Processing constraints causing delayed placement of funds in safeguarding accounts
  • Insurance policy expiry or cancellation before renewal
  • Insufficient insurance coverage as fund volumes increased
  • Market value declines in assets used to hold funds
  • Ledger errors or data integrity issues
  • Erroneous removal of funds from safeguarding accounts
  • Third-party outages affecting fund transfers

PSPs with persistent shortfalls—particularly those lasting beyond the next business day after receipt—face heightened scrutiny and potential enforcement action.

Independent Review of Safeguarding Compliance

Section 17 of the RPAR requires PSPs to conduct an independent review of safeguarding compliance at least every three years. Your annual report must disclose:

  • The date of your most recent independent review
  • Whether you’re within the three-year review cycle
  • If you’ve never conducted a review despite operating for three or more years

This independent review is separate from the operational risk framework review. It must specifically examine your compliance with end-user funds safeguarding requirements, including trust validity, insurance adequacy, ledger accuracy, and shortfall identification procedures.

Indirect Safeguarding Arrangements

Some PSPs obtain access to safeguarding accounts through an unaffiliated intermediary PSP rather than directly with a financial institution. Your annual report must disclose:

  • Whether you rely on an unaffiliated PSP for access to safeguarding accounts
  • The name of any intermediary PSP(s) you use
  • Whether you act as an intermediary providing other PSPs with account access
  • The names of any PSPs for which you provide intermediary services

These arrangements create additional complexity in demonstrating compliance. The Bank of Canada expects PSPs using indirect arrangements to document clear agreements allocating responsibilities and ensuring that safeguarding obligations are met despite the intermediated structure.

For expert support in establishing compliant safeguarding arrangements and preparing comprehensive annual report disclosures, ComplyFactor’s compliance framework services provide end-to-end safeguarding documentation and independent reviews.

Section 3: Significant Change and Incident Reporting

Your annual report must comprehensively disclose all significant changes and incidents that occurred during the reporting year. This section creates a compliance record of material events that could affect your operational risk profile or ability to meet regulatory obligations.

Significant Changes Under Subsection 22(1) of the RPAA

Section 22 of the RPAA requires PSPs to notify the Bank of Canada before making certain significant changes. Your annual report must list ALL significant changes made during the year, even if you previously submitted individual notifications.

Significant Change Categories:

Changes related to safeguarding end-user funds including:

  • Changes in entities providing safeguarding accounts
  • Opening or closure of safeguarding accounts
  • Changes to account agreement terms
  • Changes in insurance or guarantee providers
  • Changes to insurance policy or guarantee terms

Changes related to operational risk:

  • Starting or ceasing to outsource retail payment activities
  • Entering into, amending, or terminating third-party service provider agreements that materially impact operational risk
  • Starting or ceasing use of agents or mandataries
  • Adopting new technologies or changing existing technologies that materially impact operational risk
  • Moving or expanding operations to new geographic locations

Changes related to business operations:

  • Expanding to new market segments or offering new products
  • Changing degree of participation in payment systems
  • Participating in new payment systems
  • Changes to organizational structure or staffing levels that materially impact operational risk

For each significant change, you must report:

  • The nature of the change (selecting from predefined categories)
  • The date when the change took effect
  • If applicable, evidence that you submitted advance notification as required

PSPs that made significant changes without submitting advance notification must disclose this non-compliance in the annual report and may face enforcement action.

⚠️

COMMON MISTAKE

Many PSPs incorrectly assume that submitting a notice of significant change means they don’t need to report the change again in the annual report. ALL significant changes must be disclosed in the annual report regardless of whether advance notification was provided. The annual report creates a comprehensive compliance record of all material changes during the year.

Changes in Retail Payment Activities Performed

Your annual report must explicitly identify any retail payment activities you began or ceased performing during the reporting year. For each of the five payment functions defined in section 2 of the RPAA, you must indicate:

  • Whether you began performing the activity during the year
  • Whether you ceased performing the activity during the year
  • If neither applies, confirm the activity status remains unchanged

The Five Payment Functions:

  1. Providing or maintaining payment accounts
  2. Holding end-user funds
  3. Initiating electronic funds transfers
  4. Authorizing, transmitting, receiving, or facilitating instructions for electronic funds transfers
  5. Providing clearing or settlement services

Changes in payment functions performed can have significant implications for your compliance obligations. Starting to hold end-user funds triggers comprehensive safeguarding requirements. Ceasing to perform certain functions may affect your registration category or regulatory capital requirements.

Incident Reporting in the Annual Report

Section 18 of the RPAA requires PSPs to report incidents that materially impact end users, other PSPs, or clearing houses. Your annual report must comprehensively list ALL incidents that occurred during the year, regardless of whether they met the threshold for immediate incident notification.

This creates a complete record of operational issues, allowing the Bank of Canada to assess the frequency, severity, and root causes of incidents across your operations.

Incident Types to Report:

Financial Impact Incidents:

  • End-user funds were lost
  • Account provider ceased operations or experienced financial distress, making end-user funds inaccessible

Technology and System Failures:

  • Technology or system failures affecting payment processing
  • Loss of data center operations
  • Loss or failure of third-party infrastructure
  • Cyber attacks including ransomware, DDoS, or unauthorized access

Data and Information Incidents:

  • Confidential information accessed or disclosed without authorization
  • Compromise to ledgers or transaction records
  • Unauthorized changes to or deletion of data

Processing and Operational Incidents:

  • Transaction processing errors affecting end users or other PSPs
  • Improper calculations at clearing or settlement
  • Other operational failures affecting payment services

For each incident type, report:

  • The number of incidents that occurred during the year
  • Brief descriptions of material incidents
  • Whether any incident resulted in an insolvency proceeding event

The Bank of Canada uses this information to identify systemic vulnerabilities, compare incident rates across PSPs, and determine whether additional supervisory intervention is warranted.

For guidance on developing comprehensive incident response frameworks that meet regulatory expectations, see our resources on Canadian PSP compliance requirements.

Section 4: Ubiquity and Interconnectedness Metrics

This section requires PSPs to report quantitative metrics that help the Bank of Canada assess systemic importance, market concentration, and interconnectedness within the Canadian retail payments ecosystem.

PCSA-Designated Payment Systems Participation

The Payment Clearing and Settlement Act (PCSA) designates certain payment systems as systemically important. Your annual report must identify all PCSA-designated systems in which you directly participate:

  • Automated Clearing Settlement System (ACSS)
  • Canadian Derivatives Clearing Service (CDCS)
  • CDSX
  • The Continuous Linked Settlement (CLS) Bank
  • Global Clearing Management System (GCMS) and Single Message System (SMS)
  • Interac e-Transfer
  • Inter-Member Network (IMN)
  • Lynx
  • SwapClear
  • VisaNet

Direct participation in multiple designated systems indicates higher interconnectedness and potential systemic importance.

Metrics Requirements: Place of Business Distinction

The specific metrics you must report depend on whether you have a place of business in Canada. This distinction recognizes that domestic PSPs may have broader impact on the Canadian payments ecosystem than foreign PSPs operating cross-border.

PSPs WITH a Place of Business in Canada must report metrics for:

  • ALL end users globally
  • End users located specifically in Canada

PSPs WITHOUT a Place of Business in Canada report metrics only for:

  • End users located in Canada

This structure allows the Bank of Canada to assess both your global scale and your specific impact on Canadian end users and payment flows.

End-User Funds Held (For PSPs Performing Payment Function B)

If you hold end-user funds, you must report both maximum and average values during the reporting year:

Maximum Value Held: Report the single highest value of end-user funds you held at any point during the year, expressed in Canadian dollars. This might have occurred during seasonal peaks, after major fundraising, or during periods of delayed fund transfers.

Average Value Held: For each month from January through December, calculate and report the average value of end-user funds held at the end of each day. This must be reported:

  • In Canadian dollars
  • Broken down by each currency in which you held funds (CAD, USD, EUR, etc.)

These metrics help the Bank assess:

  • The scale of your holding funds activities
  • Your potential impact on end users in an insolvency scenario
  • Whether your safeguarding arrangements are proportionate to the funds you hold

PSPs that don’t perform payment function (b) must enter zeros and confirm they don’t hold end-user funds.

Electronic Funds Transfer (EFT) Volume Metrics

For all PSPs, regardless of whether you hold funds, you must report comprehensive data about electronic funds transfers:

Number of EFTs: For each month, report the total number of EFTs you processed:

  • In all currencies combined
  • Broken down by each individual currency

Value of EFTs: For each month, report the total value of EFTs you processed:

  • Expressed in Canadian dollars
  • Broken down by each original transaction currency

These monthly metrics reveal:

  • Transaction volume trends and seasonality
  • Currency preferences of your end-user base
  • Growth rates in payment processing activity
  • Your relative scale compared to other PSPs in the market

PSPs processing millions of high-value transactions face different risk profiles and supervisory expectations than those processing fewer, smaller-value payments.

End-User and PSP Relationship Counts

Your annual report must quantify your network effects and interconnectedness:

Number of End Users: Report the total count of individual end users and businesses for whom you performed retail payment activities during the year. This should include:

  • ALL end users globally (for PSPs with Canadian place of business)
  • End users located in Canada only (for all PSPs)

Number of Other PSPs Served: If you provide retail payment services to other PSPs (B2B relationships), report:

  • Total count of PSP clients globally
  • Count of PSPs with a place of business in Canada

PSPs serving large end-user populations or acting as infrastructure providers to other PSPs have heightened systemic importance and face proportionately greater supervisory expectations.

Payment Method Breakdown

To understand the composition of your payment activities, you must estimate the distribution of EFT value across payment methods:

Payment Method Categories:

  • Card issuance
  • Card acceptance
  • Direct credit or direct debit
  • E-money or digital wallet
  • International remittance
  • Other methods

For each category, report the percentage of total EFT value attributable to that method. The percentages must sum to 100%.

This breakdown helps the Bank of Canada understand:

  • Which payment rails you rely on most heavily
  • Your exposure to specific system dependencies
  • Whether you specialize in particular payment types or operate diversified services
💡

PRO TIP

If you don’t have precise data for ubiquity metrics, reasonable estimates are acceptable—but document your estimation methodology. The Bank of Canada expects PSPs to continuously improve data collection capabilities. Providing rough estimates in year one is acceptable; providing the same rough estimates in year three suggests inadequate systems and controls.

Currency Reporting Requirements

For all metrics involving funds held or transaction values, you must report:

  • The total amount in Canadian dollars (converted at appropriate exchange rates)
  • The amount in each original currency (CAD, USD, EUR, GBP, etc.)

This dual reporting allows the Bank to assess:

  • Your exposure to foreign exchange risk
  • Whether you primarily serve domestic or cross-border payment flows
  • Currency concentrations that might affect liquidity or operational risk

Use the Bank of Canada’s published exchange rates for currency conversions, or if a currency isn’t included in the Bank’s published rates, use rates from your normal business operations (and document this approach).

Section 5: Financial Information Requirements

The financial information section provides the Bank of Canada with visibility into your overall financial health, business scale, and the proportion of your activities dedicated to retail payments.

Financial Year-End Reporting

Unlike other sections of the annual report that cover the calendar year (January 1 to December 31), financial metrics should reflect your most recent fiscal year-end, even if that falls outside the calendar year reporting period.

For example, if you file your annual report in March 2026 but your fiscal year ends on June 30, you would provide financial metrics as of June 30, 2025 (your most recent fiscal year-end), not December 31, 2025.

Required Financial Metrics

Your annual report must include the following metrics, reported in Canadian dollars:

Revenue:

  • Total Revenue: Income from all activities, including both retail payment and non-retail payment business lines
  • Revenue from Retail Payment Activities: Revenue directly attributable to performing payment functions, including transaction fees, account fees, authorization fees, payment network commissions, and clearing/settlement service revenue

Operating Expenses: Total operating and administrative expenses incurred through normal business operations (covering all business lines, not just retail payments)

Profit or Loss Before Tax: Total revenue less all expenses other than income tax. If you operated at a loss, report this as a negative number.

Total Assets: Sum of current and non-current assets, including cash, accounts receivable, property, equipment, intangible assets, and investments.

Total Liabilities: Sum of current and non-current liabilities, including accounts payable, accrued expenses, debt, and other obligations.

Total Equity: The difference between total assets and total liabilities. If you have negative equity, report this as a negative number.

Revenue Attribution to Retail Payments

One of the most challenging aspects of financial reporting is accurately attributing revenue to retail payment activities, particularly for PSPs that offer multiple financial services beyond payments.

What Counts as Retail Payment Revenue:

  • Transaction processing fees charged to end users
  • Monthly or annual account maintenance fees for payment accounts
  • Foreign exchange margins on currency conversion
  • Payment network interchange or scheme fees you collect
  • Authorization and authentication service fees
  • Clearing and settlement service revenue
  • Commissions from payment cards or networks

What Generally Does NOT Count:

  • Interest income from funds held (unless it’s paid to end users)
  • Non-payment financial services (lending, investing, insurance)
  • Software licensing unrelated to payment processing
  • Professional services or consulting

If you can’t precisely calculate retail payment revenue, a reasonable estimate is acceptable—but document your methodology and work toward more precise tracking in future years.

Audited vs. Unaudited Financial Statements

Your annual report must disclose whether:

  • Your financial statements are audited annually
  • The amounts you’ve reported were covered in your most recent audit
  • You prepare financial statements for other reporting purposes
  • Your most recent financial statements reflect the reporting period

When Unaudited Metrics Are Acceptable:

You may report unaudited financial metrics if:

  • You normally prepare audited statements, but the audit for the most recent fiscal year hasn’t been completed by the March 31 annual report deadline
  • You don’t prepare audited financial statements for any purpose

For example, if your fiscal year ends December 31, 2025, but your audit won’t be completed until April 2026, you may submit unaudited financial metrics for the December 31, 2025 year-end rather than providing older audited metrics from December 31, 2024.

Accounting Standards

Your annual report must identify which accounting framework you use:

  • Generally Accepted Accounting Principles (GAAP) – typically Canadian ASPE or US GAAP
  • International Financial Reporting Standards (IFRS)
  • Other frameworks (with specification)

This information helps the Bank of Canada interpret your financial metrics and compare them appropriately across PSPs using different accounting standards.

Financial Health Assessment

The Bank of Canada uses your financial metrics to assess:

Business Viability:

  • Whether you’re generating sustainable revenue from retail payments
  • Your profitability trends and ability to fund ongoing operations
  • Capital adequacy relative to the scale of your operations

Risk Profile:

  • Whether you have sufficient resources to invest in operational risk management
  • Your ability to withstand operational losses or incident-related costs
  • Financial stress indicators that might affect your ability to meet regulatory obligations

PSPs showing declining revenue, persistent losses, or deteriorating capital positions face heightened supervisory scrutiny and may be required to submit more frequent financial updates or participate in enhanced monitoring programs.

Section 6: Record-Keeping Compliance

The final section of the annual report addresses your compliance with record-keeping obligations under section 23 of the RPAA and section 20 of the RPAR.

Comprehensive Record-Keeping Requirements

Section 23 requires PSPs to keep records that demonstrate compliance with ALL obligations under the RPAA, including:

Operational Risk Management Records:

  • Risk assessments and risk registers
  • Incident response plans and incident logs
  • Third-party service provider assessments
  • Agent and mandatary evaluations
  • Testing and audit reports
  • Framework approval documentation

End-User Funds Safeguarding Records:

  • Safeguarding framework documents
  • Trust agreements and legal opinions
  • Insurance policies and guarantee contracts
  • Account provider agreements
  • Ledgers of end-user funds
  • Shortfall identification and remediation documentation
  • Independent review reports

Change Management Records:

  • Significant change notifications
  • Change impact assessments
  • Implementation plans and approvals

Incident and Reporting Records:

  • Incident notification submissions
  • Root cause analyses
  • Remediation action plans

Financial and Operational Records:

  • Financial statements and audit reports
  • Transaction processing records
  • Reconciliation documentation

Record Retention Requirements

Section 20 of the RPAR specifies minimum retention periods for different record types:

Seven-Year Retention: Records relating to safeguarding end-user funds must be retained for at least seven years, including:

  • Trust arrangements and agreements
  • Insurance and guarantee documentation
  • Ledgers and fund reconciliations
  • Shortfall reports and remediation records

Six-Year Retention: All other records demonstrating compliance with the RPAA must be retained for at least six years.

These retention periods begin from the date the record is created or the date of the last transaction to which the record relates, whichever is later.

Annual Report Record-Keeping Confirmation

Your annual report requires a simple but critical attestation:

Has the PSP appropriately documented and retained all relevant records to demonstrate compliance with obligations under the RPAA?

Response options:

  • Yes – You maintain comprehensive records meeting all requirements
  • Partially – You maintain some but not all required records
  • No – You have significant gaps in record-keeping

PSPs responding “Partially” or “No” must be prepared for follow-up inquiries from the Bank of Canada and should have remediation plans in place.

Why Record-Keeping Compliance Matters

Inadequate records create multiple compliance risks:

During Supervisory Reviews: If you can’t produce records demonstrating compliance, the Bank of Canada may presume non-compliance and take enforcement action even if you actually met substantive requirements.

During Incident Response: Poor record-keeping hampers your ability to conduct root cause analysis, implement effective remediation, and demonstrate to regulators that you’ve addressed issues.

During Insolvency: Inadequate ledgers and safeguarding documentation can prevent or delay the return of end-user funds, exposing end users to loss and you to potential legal liability.

The Bank of Canada has emphasized that record-keeping isn’t merely an administrative requirement—it’s a foundational control that enables all other compliance obligations.

For comprehensive support in establishing robust record-keeping systems that meet RPAA requirements, see ComplyFactor’s AML compliance program services which include documentation frameworks and retention policy development.

Common Annual Reporting Mistakes That Attract Regulatory Scrutiny

Based on supervisory observations and enforcement actions, certain mistakes consistently appear in PSP annual reports and trigger heightened Bank of Canada scrutiny:

1. Incomplete or Inconsistent Responses

The Issue: PSPs provide contradictory information across different sections of the annual report, or leave required fields incomplete.

Example: A PSP reports using 15 employees dedicated to retail payments in the resource allocation section, but later indicates that zero employees are dedicated to operational risk management—a mathematical impossibility if they’re performing regulated activities.

Why It Matters: Inconsistencies suggest either poor internal data management or a lack of understanding of regulatory requirements. Both issues trigger follow-up inquiries and potential on-site examinations.

How to Avoid: Designate a single compliance officer to coordinate annual report completion across business units. Implement quality control reviews that specifically check for consistency across sections before submission.

2. Claiming Framework Approval Without Documentation

The Issue: PSPs confirm that their operational risk or safeguarding frameworks were approved by senior officers and boards, but cannot produce approval documentation when requested.

Example: A PSP indicates its risk management framework was approved in January 2025, but internal documents show the framework wasn’t actually finalized until March 2025, after significant changes were already implemented.

Why It Matters: The Bank of Canada views governance and oversight as critical controls. False attestations of framework approval constitute serious compliance failures that can result in enforcement action under section 61 of the RPAA (providing false or misleading information).

How to Avoid: Maintain board meeting minutes and senior officer approval memos that explicitly reference framework approval. Schedule framework reviews and approvals at the beginning of each year to ensure timely completion.

3. Underreporting or Failing to Report Shortfalls

The Issue: PSPs don’t report instances where funds weren’t placed in safeguarding accounts on receipt, believing brief delays are immaterial or normal processing gaps.

Example: Due to banking partner cutoff times, a PSP routinely places end-user funds in safeguarding accounts the morning after receipt. The PSP doesn’t report these daily shortfalls because funds are safeguarded within 24 hours and “no end user was harmed.”

Why It Matters: There is NO materiality threshold for shortfall reporting. The Bank of Canada expects disclosure of ALL instances, regardless of duration or amount. Failure to report shortfalls can be grounds for enforcement action separate from the underlying safeguarding violation.

How to Avoid: Implement automated monitoring that flags any instance where funds aren’t placed in safeguarding accounts on the same day as receipt. Report these instances in the annual report even if they’re quickly remediated, along with explanations of processing constraints and remediation measures.

4. Inadequate Third-Party Risk Management Documentation

The Issue: PSPs report that they conduct third-party assessments, but the “assessments” consist only of reviewing vendor marketing materials or conducting cursory reference checks.

Example: A PSP engages a cloud infrastructure provider for critical payment processing systems. The PSP’s “assessment” consists of reviewing the provider’s SOC 2 report but doesn’t address how the PSP is informed of incidents, how data protection is ensured, or what the provider’s recovery time objectives are.

Why It Matters: Section 5(3) of the RPAR specifies detailed elements that third-party assessments must address. Generic due diligence doesn’t satisfy these requirements. The Bank of Canada can determine through follow-up inquiries whether assessments were truly comprehensive.

How to Avoid: Develop standardized third-party assessment templates that explicitly address each element required by paragraph 5(3)(b) of the RPAR. Maintain detailed assessment reports that demonstrate evaluation of cyber security, incident response, change management notifications, and performance monitoring.

5. Mischaracterizing Incidents to Avoid Reporting

The Issue: PSPs classify operational failures as “near misses” or “minor glitches” to justify not reporting them as incidents in the annual report.

Example: A system outage prevents payment processing for three hours, but the PSP classifies it as “scheduled maintenance” because some customers were notified in advance. The incident isn’t reported because it was “planned,” even though the extended duration was unplanned and exceeded the maintenance window.

Why It Matters: The annual report should include ALL incidents, regardless of whether they met the threshold for immediate notification under section 18. The Bank of Canada uses comprehensive incident reporting to identify patterns, assess risk management effectiveness, and compare incident rates across PSPs.

How to Avoid: When in doubt, report the incident. Include all operational failures, system outages, data breaches, and processing errors in the annual report. Let the Bank of Canada determine significance rather than self-screening incidents out of the report.

6. Using Stale or Generic Data for Metrics

The Issue: PSPs provide metrics based on rough estimates, outdated systems, or generic allocations rather than actual transaction data.

Example: A PSP reports that 80% of transaction value is attributable to “card acceptance” simply because that’s their primary business line, without actually calculating the specific proportion from transaction records.

Why It Matters: The Bank of Canada uses metrics to assess systemic importance, compare PSPs, and allocate supervisory resources. Inaccurate metrics skew the regulatory landscape and may subject your PSP to inappropriate scrutiny (if metrics overstate your importance) or insufficient oversight (if metrics understate your significance).

How to Avoid: Invest in data collection systems that enable accurate metric calculation. If you must estimate, document your methodology and implement plans to improve data quality for future reporting cycles.

7. Ignoring Changes in Payment Functions Performed

The Issue: PSPs begin or cease performing payment functions during the year but don’t properly disclose these changes in the annual report.

Example: A PSP that previously only initiated payments begins holding end-user funds for short periods to facilitate batch processing. The PSP doesn’t report starting to perform payment function (b) because the funds are only held “temporarily” and the PSP doesn’t view itself as performing a holding funds activity.

Why It Matters: Starting to perform new payment functions—particularly holding funds—triggers significant additional compliance obligations including safeguarding requirements. Failure to properly disclose these changes prevents the Bank of Canada from assessing whether you’re meeting all applicable requirements.

How to Avoid: Conduct a thorough analysis of payment functions performed at least quarterly. When business processes change—even incrementally—assess whether you’ve begun performing additional payment functions. Consult the Bank of Canada’s holding funds case scenarios for guidance on interpreting payment function definitions.

Preparing for Your Annual Report: A 90-Day Action Plan

Successfully completing your PSP annual report requires advance planning and cross-functional coordination. This timeline provides a structured approach to gathering information, validating data, and ensuring quality before the March 31 deadline.

90 Days Before Deadline (Early January): Data Gathering Phase

Week 1-2: Establish Reporting Team and Assign Responsibilities

  • Designate a compliance officer as annual report coordinator
  • Identify data owners for each report section (operational risk, safeguarding, finance, IT)
  • Schedule kickoff meeting to review requirements and assign deliverables
  • Establish internal deadlines that allow 2-3 weeks before the March 31 submission deadline

Week 3-4: Compile Operational Risk Documentation

  • Gather evidence of framework approval by senior officer and board
  • Collect incident logs and categorize incidents by type
  • Document third-party assessments conducted during the year
  • Compile agent and mandatary evaluation records
  • Retrieve independent review reports (operational risk and safeguarding)

Week 5-6: Assemble End-User Funds Safeguarding Documentation

  • Collect trust agreements and legal opinions on trust validity
  • Gather insurance policies and guarantee contracts with current coverage amounts
  • Compile ledger reconciliations and shortfall identification records
  • Document any significant changes to safeguarding arrangements
  • Retrieve account provider agreements and relationship details

60 Days Before Deadline (Early February): Data Validation Phase

Week 7-8: Calculate and Validate Quantitative Metrics

  • Calculate maximum and average end-user funds held by month
  • Compile EFT volume and value data by month and currency
  • Count end-users and PSP relationships served during the year
  • Calculate payment method breakdowns
  • Gather financial statements and calculate retail payment revenue attribution

Week 9-10: Quality Control and Consistency Review

  • Cross-check metrics for internal consistency (e.g., do employee counts align with organizational structure?)
  • Verify that significant change dates match notification submissions
  • Confirm incident counts align with incident logs
  • Reconcile financial metrics to audited or unaudited statements
  • Identify any data gaps or questions requiring clarification

Week 11-12: Draft Annual Report Responses

  • Complete all sections in PSP Connect portal
  • Draft explanatory text for open-ended questions
  • Document estimation methodologies where precise data isn’t available
  • Compile supporting documentation for potential Bank of Canada follow-up questions

30 Days Before Deadline (Early March): Review and Submission Phase

Week 13: Senior Management Review

  • Present draft annual report to senior officer for review
  • Address any questions or concerns raised during senior management review
  • Obtain formal approval for submission
  • Make any necessary revisions based on feedback

Week 14: Legal and Compliance Review

  • Have legal counsel review safeguarding arrangement disclosures
  • Verify compliance with record-keeping and documentation requirements
  • Confirm no pending significant changes that should be disclosed
  • Validate that responses accurately reflect operational reality

Week 15: Final Submission Preparation

  • Conduct final proofreading for typographical errors and inconsistencies
  • Verify all required fields are completed
  • Ensure numeric data is formatted correctly (e.g., currency figures, percentages)
  • Test file uploads if attaching supporting documentation

Week 16: Submit Before Deadline

  • Submit annual report through PSP Connect no later than March 25 (allowing buffer before March 31 deadline)
  • Save confirmation receipt from Bank of Canada
  • Archive complete copy of submitted annual report and all supporting documentation
  • Schedule post-submission debrief to identify process improvements for next year
🔔

COMPLIANCE ALERT

Don’t wait until March to begin annual report preparation. The Bank of Canada can identify rushed, incomplete submissions that were clearly prepared in the final days before deadline. Late-prepared reports consistently show more errors, inconsistencies, and gaps that trigger follow-up inquiries and heightened supervisory attention.

What Happens After You Submit Your Annual Report?

Submitting your annual report isn’t the end of the compliance process. Understanding what to expect after submission helps you prepare for potential follow-up and demonstrates your commitment to ongoing regulatory engagement.

Immediate Confirmation and Initial Review

When you submit your annual report through PSP Connect, you’ll receive an immediate confirmation receipt acknowledging the Bank of Canada has received your submission. Save this confirmation as evidence of timely filing.

The Bank of Canada then conducts an initial completeness review to verify:

  • All required fields were completed
  • Responses are internally consistent
  • Financial metrics reconcile appropriately
  • No obvious errors or omissions are present

This initial review typically occurs within 2-4 weeks of submission.

Potential Follow-Up Inquiries

Based on the information in your annual report, the Bank of Canada may issue follow-up questions seeking:

Clarification of Ambiguous Responses: If your responses are unclear or could be interpreted multiple ways, expect requests for additional explanation or context.

Supporting Documentation: The Bank may request documents supporting specific disclosures, such as:

  • Framework approval minutes
  • Third-party assessment reports
  • Insurance policies or trust agreements
  • Incident investigation reports
  • Financial statements or audit reports

Explanation of Concerning Issues: If your annual report reveals potential compliance gaps (unreported shortfalls, inadequate frameworks, significant incidents), expect detailed inquiries about root causes and remediation plans.

Respond to follow-up inquiries promptly and comprehensively. Delayed or evasive responses escalate supervisory concerns and may trigger more intrusive oversight measures.

Supervisory Risk Assessment and Classification

The Bank of Canada uses annual report information—combined with other supervisory intelligence—to assess each PSP’s risk profile and assign supervisory intensity:

Low-Risk PSPs:

  • Meet all regulatory requirements
  • Demonstrate strong operational risk management
  • Show stable financial performance
  • Report few incidents with effective remediation
  • Face minimal supervisory intervention beyond annual reporting

Medium-Risk PSPs:

  • Meet most requirements with minor gaps
  • Show adequate operational risk management with improvement opportunities
  • May face occasional incidents or compliance issues
  • Subject to periodic supervisory reviews and targeted examinations

High-Risk PSPs:

  • Demonstrate significant compliance gaps
  • Show inadequate risk management or repeated incidents
  • May have financial instability or operational challenges
  • Face enhanced supervision including frequent reviews, on-site examinations, and potentially enforcement action

Your annual report directly influences this risk classification and the supervisory resources allocated to overseeing your operations.

Potential Enforcement Actions

Annual reports that reveal serious compliance failures can trigger formal enforcement action under the RPAA:

Section 31 Enforcement Powers: The Bank of Canada can:

  • Issue warnings or directives requiring remediation
  • Impose terms and conditions on your registration
  • Suspend your registration pending compliance
  • Revoke your registration for persistent non-compliance

Administrative Monetary Penalties: Section 32 of the RPAA authorizes penalties up to $1 million per violation for individuals and $10 million per violation for entities.

Public Disclosure: The Bank of Canada may publicly disclose enforcement actions, creating reputational risks that affect banking relationships, business partnerships, and end-user trust.

Enforcement is not automatic simply because an annual report reveals compliance gaps. The Bank typically works with PSPs to develop remediation plans before resorting to formal enforcement. However, PSPs that fail to remediate issues identified in annual reports—or that provide false information—face escalating consequences.

How ComplyFactor Supports PSP Annual Reporting Compliance

Preparing comprehensive, accurate PSP annual reports requires deep regulatory expertise, robust data management capabilities, and understanding of Bank of Canada supervisory expectations. ComplyFactor provides specialized support for Canadian PSPs navigating RPAA compliance obligations.

Annual Report Preparation and Filing Services

Our compliance experts guide PSPs through the entire annual reporting process:

Pre-Submission Consultation:

  • Review your operations to identify payment functions performed
  • Assess completeness of operational risk and safeguarding frameworks
  • Identify potential compliance gaps before they’re disclosed in annual reports
  • Develop remediation plans for issues that must be reported

Data Compilation and Validation:

  • Design data collection systems for ubiquity and interconnectedness metrics
  • Calculate financial metrics and retail payment revenue attribution
  • Compile incident logs and categorize incidents appropriately
  • Verify consistency across all report sections

Report Drafting and Quality Review:

  • Complete annual report forms in PSP Connect portal
  • Draft explanatory text for complex disclosures
  • Conduct quality control reviews to eliminate inconsistencies
  • Prepare supporting documentation for potential follow-up inquiries

Ongoing Compliance Framework Development

Annual reporting is easier when you maintain compliant frameworks throughout the year. ComplyFactor’s AML compliance program services provide:

Operational Risk Management Frameworks:

  • Risk assessment methodologies and risk registers
  • Incident response plans and testing procedures
  • Third-party management programs
  • Independent review coordination

End-User Funds Safeguarding Frameworks:

  • Trust arrangement structuring and legal opinion coordination
  • Insurance and guarantee policy procurement
  • Shortfall identification procedures
  • Ledger design and reconciliation controls

Governance and Oversight Support:

  • Senior officer designation and responsibility allocation
  • Board reporting and framework approval processes
  • Policy documentation and procedure manuals
  • Training programs for compliance personnel

MLRO Services for Payment Service Providers

For PSPs that need dedicated compliance leadership without full-time headcount, ComplyFactor’s MLRO services provide:

  • Designated senior officer for operational risk and safeguarding oversight
  • Framework approval and ongoing maintenance
  • Annual report coordination and submission
  • Regulatory inquiry management and Bank of Canada liaison
  • Continuous monitoring for compliance with RPAA obligations

Our fractional MLRO services give small and mid-sized PSPs access to senior compliance expertise at a fraction of the cost of full-time leadership.

Audit and Independent Review Services

The RPAA requires independent reviews of both operational risk frameworks and safeguarding compliance. ComplyFactor’s audit services include:

  • Operational risk framework independent reviews (section 10 of RPAR)
  • Safeguarding compliance independent reviews (section 17 of RPAR)
  • Third-party assessment reports for RPAA compliance
  • Gap analyses and remediation roadmaps

Our auditors understand Bank of Canada supervisory expectations and design reviews that satisfy regulatory requirements while providing actionable insights for improving compliance programs.

Why PSPs Choose ComplyFactor for Annual Reporting Support

Specialized RPAA Expertise: Unlike generalist compliance firms, ComplyFactor focuses exclusively on payments and financial crime compliance. We understand the unique requirements of Canadian PSP regulation and Bank of Canada supervisory practices.

Practical, Scalable Approaches: We design compliance solutions proportionate to your operations. Small PSPs don’t need enterprise-grade frameworks, but they do need documentation that meets regulatory requirements. Our approach scales to your size and complexity.

Regulatory Relationships: Our team includes former regulators and compliance officers who understand supervisory perspectives. We help you anticipate follow-up questions, address concerns proactively, and maintain constructive relationships with the Bank of Canada.

End-to-End Support: From initial registration through ongoing compliance and annual reporting, ComplyFactor provides comprehensive support across all RPAA obligations. We’re not just consultants—we’re compliance partners invested in your long-term regulatory success.

To discuss your PSP annual reporting requirements and explore how ComplyFactor can support your compliance program, contact our team for a confidential consultation.

Annual Reporting as a Compliance Cornerstone

Home » Blog » PSP Annual Reporting Requirements Canada: Complete Compliance Guide to Avoid Bank of Canada Enforcement

PSP annual reporting under the RPAA isn’t just an administrative filing requirement—it’s a comprehensive assessment of your compliance with Canada’s retail payments regulatory framework. The Bank of Canada uses annual reports to evaluate operational risk management, assess end-user protection, monitor systemic importance, and identify PSPs requiring enhanced supervisory attention.

Approaching annual reporting as a compliance opportunity rather than a burden transforms it from a deadline-driven exercise into a valuable self-assessment process. PSPs that invest in robust frameworks, accurate data collection, and thoughtful disclosure build regulatory credibility that reduces supervisory friction and demonstrates commitment to compliance excellence.

As the Canadian retail payments landscape continues to evolve—with new technologies, emerging payment methods, and increasing systemic interconnections—the Bank of Canada’s supervisory expectations will similarly evolve. PSPs that establish strong compliance foundations today will be better positioned to adapt to future regulatory developments.

Whether you’re preparing your first annual report or refining your approach after several filing cycles, remember that compliance is an ongoing journey, not a destination. The annual report is a milestone in that journey, reflecting your organization’s commitment to protecting end users, managing operational risks, and contributing to a safe, efficient Canadian retail payments ecosystem.

For expert guidance on PSP annual reporting, operational risk management, end-user funds safeguarding, or any aspect of RPAA compliance, ComplyFactor’s specialized team is ready to support your regulatory journey. Contact us today to ensure your annual report demonstrates the compliance excellence that builds regulatory confidence and business sustainability.

Related Resources

About ComplyFactor: ComplyFactor is a specialized compliance consultancy providing AML advisory, audit services, fractional MLRO, and regulatory compliance support to payment institutions, electronic money institutions, and financial services firms. Our team combines deep regulatory expertise with practical implementation experience to deliver compliance solutions that protect your business while supporting sustainable growth. Learn more about our services or contact us for a confidential consultation.

Related Posts

Scroll to Top