Payment Service Providers in Canada: Complete Guide to RPAA Compliance and Registration Requirements

Understanding the Retail Payment Activities Act (RPAA)

Welcome to this introductory guide on the core responsibilities of Payment Service Providers (PSPs) under Canada’s Retail Payment Activities Act (RPAA). This document is designed to simplify a complex piece of legislation and make its key obligations clear and understandable for those new to the topic.

The RPAA was created to build a safer and more reliable digital payment landscape in Canada. As technology evolves, more companies are offering new ways to move money. The primary goals of the Act are to supervise these providers to:

  • Mitigate operational risks that could disrupt services.
  • Safeguard the funds that users entrust to them.
  • Build confidence in the retail payment sector, which in turn fosters a healthy environment for competition and innovation.

At the heart of the Act is the “Payment Service Provider” or PSP. The law defines a PSP as:

an individual or entity that performs payment functions as a service or business activity that is not incidental to another service or business activity.

In simple terms, a “Retail Payment Activity” involves performing any of the five core “payment functions” defined in the Act. These include essential services like providing and maintaining an account for an end user, holding funds on their behalf until they are transferred or withdrawn, and initiating or authorizing electronic funds transfers at a user’s request.

Now that we understand the purpose of the Act, let’s explore the first concrete step any aspiring PSP must take to operate legally in Canada.

→ Need help understanding if your business qualifies as a PSP? ComplyFactor can assess your activities and guide you through the qualification process.

The First Step: Registration with the Bank of Canada

Under Section 23 of the Act, a Payment Service Provider is legally required to register with the Bank of Canada before performing any retail payment activities. This registration is not a mere formality; it is a comprehensive process where the PSP must demonstrate its readiness to comply with the law.

The application for registration requires detailed information about the business. While the full list is extensive, the key categories of information a PSP must provide include:

  • Corporate & Leadership Details: Who you are, your corporate structure, and the key personnel responsible for compliance.
  • Description of Activities: The specific payment functions you perform (or plan to perform) and the scale of your operations, including the volume and value of transactions.
  • Risk Management Framework: A description of your comprehensive plan to identify and mitigate the operational risks associated with your payment activities.
  • Fund Safeguarding Plan: A description of how you plan to protect end-user funds, if you perform the function of holding funds on their behalf.
  • Use of Third Parties: Information on any third-party service providers that have a material impact on your operations or the safeguarding of funds.

Once a PSP is registered, it must adhere to a set of ongoing obligations. These responsibilities form the core of the RPAA’s consumer protection and system stability mandate, beginning with robust risk management.

→ ComplyFactor can streamline your Bank of Canada registration by preparing your application documentation and ensuring all required information is complete and compliant.

Core Obligation 1: Managing Operational Risk

The cornerstone of a PSP’s daily responsibilities is its Risk Management and Incident Response Framework. Mandated by Section 17 of the Act, this framework serves as the PSP’s operational playbook: a comprehensive, written plan for ensuring its services are reliable, secure, and resilient. It proves to the regulator that the PSP has thought through potential failure points, and it is meant to be a living system of policies, procedures, and controls rather than just a document.

Key Components of the Risk Management Framework

| Component | What It Means for the PSP |
|---|---|
| Objectives & Targets | Defining what success looks like for the reliability, integrity, and confidentiality of its services, including measurable performance targets. |
| Risk Identification | Systematically identifying potential causes of service disruptions, from internal human error and process deficiencies to external cybersecurity threats. |
| Protective Measures | Describing the specific systems, policies, and controls used to mitigate the identified risks and protect critical assets like user data and IT systems. |
| Detection & Monitoring | Explaining the systems and processes for continuously monitoring activities to promptly detect security incidents, system anomalies, or other issues. |
| Incident Response Plan | A detailed, step-by-step plan for responding to, managing, and recovering from incidents to minimize their impact on users. |
| Regular Reviews & Testing | A process for annually reviewing the entire framework and regularly testing its effectiveness through exercises like simulations or tabletop walk-throughs. |

A crucial concept governing this framework is proportionality. The law recognizes that PSPs vary greatly in size and complexity. The framework’s sophistication should be proportionate to the PSP’s size, its interconnectedness with other PSPs, and the potential impact a service disruption could have on its end users. A large, highly connected PSP is expected to have a more stringent framework than a small, niche provider.

While a robust framework is designed to prevent issues, it must also contain a clear protocol for responding when an incident inevitably occurs, linking risk mitigation directly to incident response.

Core Obligation 2: Responding to Incidents

An incident is defined by the Act as an unplanned event that results in—or could reasonably be expected to result in—a reduction, deterioration, or breakdown of any retail payment activity. The legal duty to notify the Bank of Canada and affected parties is triggered when an incident has a “material impact.”

The term “material impact” is not left to guesswork. The Bank of Canada provides clear examples to help PSPs understand when this threshold is met.

Examples of a Material Impact

  • Loss of End-User Funds: Any amount of an end user’s funds held by the PSP becomes unrecoverably lost or permanently unavailable. A material loss of funds often indicates a failure in the PSP’s fund safeguarding framework (discussed in Section 5) and triggers the most serious notification requirements.
  • Significant Service Outage: A service outage materially impacts the availability of retail payment activities for end users (e.g., inability to access payment accounts).
  • Confidential Information Breach: Unauthorized access or disclosure of confidential information that creates a real risk of significant harm, such as financial loss, identity theft, or damage to reputation.
  • Compromised Integrity: The integrity of the PSP’s activities is compromised, such as through transaction processing errors, incorrect routing of funds, or a compromise of the transaction ledger.

When a material incident occurs, the PSP must follow specific notification rules.

Incident Notification at a Glance

| Requirement | Key Details |
|---|---|
| Who to Notify | The Bank of Canada and any materially affected end users, other PSPs, or clearing houses. |
| When to Notify | “Without delay,” and in any case no later than 48 hours after determining that the incident has a material impact. |
| How to Notify the Bank | Using the official incident reporting templates available in the online “PSP Connect” portal provided by the Bank of Canada. |
| Required Information | A clear description of the incident, its material impact on affected parties, and the measures the PSP has taken to respond to and fix it. |

Beyond managing service disruptions and data integrity, the RPAA places a direct and critical responsibility on certain PSPs to protect the actual funds held for users.

Core Obligation 3: Safeguarding End-User Funds

This obligation applies specifically to PSPs that perform the payment function of “holding of funds on behalf of an end user” until those funds are withdrawn or transferred. If a PSP holds user money, Section 20 of the Act requires it to protect those funds from loss, particularly in the event the PSP becomes insolvent.

There are two primary methods a PSP can use to meet this requirement.

Two Ways to Safeguard End-User Funds

| Method | Key Requirements |
|---|---|
| Funds Held in Trust | End-user funds must be held in a dedicated trust account that is legally separate from the PSP’s own corporate funds and is not used for any other purpose. |
| Funds Secured by Insurance/Guarantee | End-user funds must be held in a dedicated separate account AND be fully covered by an insurance policy or a guarantee. The value of the policy or guarantee must be equal to or greater than the amount of user funds held. |

Regardless of the method chosen, the PSP must establish a written “Safeguarding-of-Funds Framework.” This framework is a specialized component of the PSP’s overall risk management strategy, focused specifically on financial risk to the end user. Its two main objectives are to ensure that end users have reliable and timely access to their funds and that those funds can be paid out to users as soon as feasible if the PSP were to go out of business. This legal separation is crucial because it protects end-user money from being seized by the PSP’s own creditors in the event of bankruptcy.

These core operational duties are supported by ongoing communication and reporting requirements to ensure the Bank of Canada remains informed of a PSP’s activities and compliance.

Ongoing Compliance: Reporting and Notifying Changes

Compliance with the RPAA is not a one-time event at registration; it requires continuous diligence and transparent communication with the Bank of Canada. All registered PSPs must submit a detailed Annual Report that provides updates on their risk framework, fund safeguarding practices, and operational metrics.

Beyond the annual report, a PSP has a crucial duty to notify the Bank of Canada before making a “significant change” or starting a “new retail payment activity.” This proactive notification ensures the regulator is aware of developments that could alter a PSP’s risk profile.

A “significant change” is defined in the Act as a change that could reasonably be expected to have a material impact on operational risks or the way end-user funds are safeguarded.

Examples of a Significant Change

  • Changing the primary method of safeguarding end-user funds (e.g., switching from a trust account model to an insurance-backed model).
  • Moving or expanding the operations of a retail payment activity to a geographic location outside of Canada.
  • Starting to outsource (or ceasing to outsource) a key activity related to a retail payment activity, such as fraud monitoring or IT management.
  • Changing a core technology or adopting a significant new technology, such as switching cloud service providers for critical systems.

A PSP must provide notice of such a change to the Bank of Canada at least five business days before the change takes effect.

For any new PSP, understanding these interconnected responsibilities is the key to building a compliant and trustworthy service.

Key Takeaways for New PSPs

For any individual or organization looking to enter the Canadian payment ecosystem, the Retail Payment Activities Act establishes a clear set of rules designed to protect consumers and the financial system. For those building a sustainable, trustworthy payment business in Canada, these three foundational pillars are the most critical:

1. Build on a Foundation of Risk Management: The RPAA treats risk management not as a checkbox, but as the core of your business license. Your documented frameworks for managing operational risk and safeguarding user funds are your primary evidence of operational maturity and your commitment to protecting users.

2. Transparency is Mandatory: Proactive and timely communication with the Bank of Canada is a legal requirement, not an option. Whether it’s reporting a material incident, notifying the Bank of a significant upcoming change, or submitting a detailed annual report, transparency is essential for regulatory oversight.

3. End-User Protection is Paramount: The ultimate goal of the RPAA is to protect the end user. Every obligation—from risk management and incident response to fund safeguarding—is designed to ensure that users’ funds are secure and that their confidence in the digital payment system is well-placed. Robust risk management and clear accountability are the pillars of this protection.

How ComplyFactor Can Help Your PSP Achieve RPAA Compliance

Navigating Canada’s Retail Payment Activities Act doesn’t have to be overwhelming. ComplyFactor specializes in helping Payment Service Providers achieve and maintain full RPAA compliance efficiently and cost-effectively.

Our PSP Compliance Services

🎯 Bank of Canada Registration Support

  • Complete application preparation and documentation
  • Review of all required information for accuracy and completeness
  • Guidance on corporate structure and licensing requirements
  • Ongoing liaison with Bank of Canada during the application process

📋 Risk Management Framework Development

  • Custom Risk Management and Incident Response Frameworks
  • Proportionate frameworks tailored to your PSP’s size and complexity
  • Annual framework reviews and testing protocols
  • Compliance gap assessments and remediation plans

🛡️ Fund Safeguarding Solutions

  • Evaluation of trust account vs. insurance/guarantee options
  • Safeguarding-of-Funds Framework development
  • Trust account setup and compliance verification
  • Insurance policy review and adequacy assessment

🚨 Incident Response & Reporting

  • 24/7 incident response support and guidance
  • Bank of Canada notification assistance (48-hour compliance)
  • Incident investigation and root cause analysis
  • PSP Connect portal submission support

📊 Ongoing Compliance Management

  • Annual Report preparation and submission
  • Significant change notification management
  • Regulatory calendar and deadline tracking
  • Quarterly compliance health checks

🎓 Training & Advisory

  • RPAA and RPAR compliance training for your team
  • Best practices workshops and tabletop exercises
  • Regulatory update alerts and impact assessments
  • Strategic compliance consulting

Why Choose ComplyFactor?

RPAA Specialists: Deep expertise in Canadian payment regulations and Bank of Canada requirements

Practical Approach: We deliver compliance solutions that work in the real world, not just on paper

Cost-Effective: Flexible engagement models from one-time projects to ongoing retainer support

Proven Track Record: Successfully supported numerous PSPs through registration and ongoing compliance
