Retail Payment Activities Act (RPAA) Compliance Guide: Complete PSP Registration & Requirements Canada

🎯 Expert RPAA Compliance Support

Navigating Bank of Canada PSP registration requirements? ComplyFactor provides comprehensive compliance solutions for payment service providers under the Retail Payment Activities Act, including MLRO services, operational risk frameworks, safeguarding policies, and registration application support.

Get Expert RPAA Compliance Support →

Understanding the Retail Payment Activities Act: What Canadian PSPs Must Know in 2026

The Retail Payment Activities Act (RPAA) represents Canada’s most comprehensive regulatory framework for payment service providers. As of January 2026, the transition period has ended—any payment service provider (PSP) not yet registered with the Bank of Canada is operating illegally and faces substantial penalties.

Critical Status Update: The RPAA transition period concluded September 7, 2025. PSPs who applied during the transition may continue operating pending their registration decision. PSPs applying now must receive approval before commencing any retail payment activities. Operating without registration exposes organizations to administrative monetary penalties potentially exceeding $100,000 per violation, plus potential criminal prosecution.

If your business initiates electronic funds transfers, maintains end-user accounts, authorizes payments, or transmits payment instructions, you likely require RPAA registration. This comprehensive guide clarifies registration criteria, compliance requirements, and implementation strategies for the Bank of Canada’s supervisory framework.

Who Must Register as a Payment Service Provider Under RPAA?

Domestic PSPs: Core Registration Triggers

The RPAA mandates registration for any individual or entity with a place of business in Canada performing retail payment activities. According to the Bank of Canada’s supervisory criteria, registration is required if you perform any of these payment functions in relation to an electronic funds transfer (EFT):

Core Payment Functions:

Initiating electronic funds transfers – sending payment instructions on behalf of payers or payees
Maintaining accounts – providing account facilities through which EFTs are initiated
Authorizing electronic funds transfers – approving or authenticating payment transactions
Transmitting payment instructions – routing payment messages between parties
Providing clearing services – calculating positions between financial institutions
Providing settlement services – effecting final transfer of funds

Critical Distinction: These activities must be performed “in relation to” an electronic funds transfer and cannot be merely incidental to another primary business activity. For example, an e-commerce platform processing its own payment acceptance is likely performing incidental functions. A platform processing payments for third-party merchants is performing non-incidental payment functions requiring registration.

Foreign PSPs: Cross-Border Registration Requirements

Foreign payment service providers without a Canadian physical presence must register if they satisfy both conditions:

Condition 1: Serve Canadian End Users

Perform retail payment activities for individuals or entities physically located in Canada
Physical location determines end-user status—Canadian citizens temporarily abroad are not Canadian end users

Condition 2: Direct Activities at Canada

Market payment services to Canadian individuals or entities
Maintain a Canadian website or localized content
Accept Canadian currency
Provide customer support in Canadian languages or time zones
Advertise in Canadian media or through Canadian channels
Target Canadian businesses specifically

Example: A UK-based payment processor serving a Canadian merchant is not automatically subject to RPAA if they don’t actively market to Canadian businesses. However, if they maintain a .ca website, advertise “solutions for Canadian merchants,” or provide CAD settlement, they likely meet the “directing activities” threshold. <div style=”border-color:#e7484899;border-style:solid;border-width:1px;border-radius:16px;color:#1e1e1e;background:linear-gradient(86deg,rgb(255,240,242) 6%,rgb(255,255,255) 100%);margin-top:16px;margin-bottom:32px;padding:24px;font-family:-apple-system,BlinkMacSystemFont,’Segoe UI’,Roboto,Oxygen-Sans,Ubuntu,Cantarell,’Helvetica Neue’,sans-serif”> <div style=”display:flex;align-items:center;gap:12px;margin-bottom:12px”> <span style=”font-size:20px”>⚠️</span> <p style=”color:#e74848;font-size:16px;font-weight:600;line-height:1.5;margin:0″>COMMON MISTAKE</p> </div> <p style=”color:#1e1e1e;font-size:18px;font-weight:500;line-height:1.5;margin:0″>Foreign PSPs incorrectly assume they’re exempt because they partner with a registered Canadian PSP. This is false. You remain independently responsible for registration regardless of your partner’s status. The RPAA holds both entities accountable—partnership doesn’t transfer compliance obligations.</p> </div>

Entity-Based Exclusions: Who Doesn’t Need RPAA Registration

Section 9 of the RPAA excludes specific entities already subject to federal or provincial prudential regulation:

Federal Financial Institutions:

Banks and authorized foreign banks under the Bank Act
Federal credit unions
Federally regulated insurance companies
Federally regulated trust and loan companies

Provincial Financial Institutions:

Credit unions and caisses populaires under provincial regulation
Provincially regulated insurance companies
Provincially regulated trust and loan companies accepting deposits transferable by order

Important: These exclusions are entity-based, not activity-based. If an excluded entity establishes a separate legal entity to perform payment activities, that new entity may require registration.

Activity-Based Exclusions: Exempt Payment Functions

Even if your entity doesn’t qualify for exclusion, certain payment activities are excluded:

Designated System Activities (Section 7): Payment functions performed using systems designated under Section 4 of the Payment Clearing and Settlement Act are excluded. However, functions performed outside these designated systems remain in scope.

Incidental Activities (Section 8): Payment functions incidental to another service or business activity are excluded. The Bank assesses whether functions are truly incidental based on:

Whether payment functions generate separate revenue
Whether payment services are marketed independently
The prominence of payment services in your business model
Whether you hold end-user funds

Securities and Derivatives (Section 6): Payment functions performed for carrying out securities transactions or eligible financial contracts are excluded, but only to the extent they directly facilitate those transactions.

For detailed comparison of MSB vs PSP licensing requirements, see our comprehensive guide.

RPAA Registration Timeline: Critical Dates for PSP Compliance

The Transition Period: Now Concluded

November 1, 2024 – September 7, 2025: Transition period during which existing PSPs could submit applications while continuing operations.

Current Status (January 2026): The transition period has ended. Different rules now apply based on your application timing:

If You Applied Before September 8, 2025:

Section 108 of the RPAA allows continued operations until receiving a registration decision
You may continue performing retail payment activities pending the Bank’s decision
Registration decisions began issuing September 8, 2025
No communication about your application status was permitted during the transition period

If You’re Applying After September 8, 2025:

You must be registered before performing any retail payment activities
You cannot operate while your application is pending
Processing times vary but expect 60-90 days minimum for straightforward applications
Applications requiring national security review may take 180+ days

Critical Deadline for New Market Entrants: Plan for 4-6 months from application submission to potential registration approval. Build this timeline into your Canadian market entry strategy.

Application Processing Timeframes

Understanding realistic timeframes helps with business planning:

Standard Processing: 60-90 days for applications with:

Complete information submitted initially
No national security review triggers
Straightforward corporate structures
No complex safeguarding arrangements

Extended Processing: 90-180+ days for applications involving:

Incomplete initial submissions requiring additional information
Complex corporate structures with multiple affiliates
Foreign beneficial ownership
Novel safeguarding arrangements requiring legal opinion review
National security review

Refusal Decision Timing:

45 days after additional information period expires
45 days after application deemed complete (for prescribed refusal reasons)
30 days for refusals under subsection 48(2)
Immediately following ministerial directive

The $2,500 application fee is non-refundable regardless of outcome or processing time.

Core RPAA Compliance Requirements for Registered PSPs

1. Operational Risk Management and Incident Response Framework

Every registered PSP must establish, implement, and maintain a comprehensive operational risk framework. The Bank of Canada’s operational risk guideline establishes minimum expectations.

Framework Documentation Must Include:

Risk Identification and Assessment: Systematic processes for identifying operational risks across all business lines, technology systems, and third-party dependencies
Risk Monitoring and Measurement: Key risk indicators, monitoring thresholds, and escalation triggers
Risk Mitigation and Control: Preventive and detective controls addressing identified risks
Incident Classification: Criteria defining incident severity levels and classification methodology
Incident Response Procedures: Step-by-step response protocols for different incident types
Business Continuity Planning: Recovery time objectives, recovery point objectives, and continuity strategies
Disaster Recovery Planning: Technology recovery procedures and testing schedules
Third-Party Risk Management: Due diligence, ongoing monitoring, and contingency plans for material service providers
Testing and Validation: Framework testing frequency, methodologies, and documentation requirements

Senior Officer Designation and Responsibilities:

Section 1 of the Retail Payments Activities Regulations defines “senior officer” as:

A board member who is also a full-time employee (e.g., executive board members)
C-suite executives: CEO, COO, President, CRO, CFO, Chief Accountant, Chief Auditor, or functional equivalents
Any officer reporting directly to the board, CEO, or COO

Key Points:

Senior officers need not be Canadian residents
Senior officers need not be direct employees (can be outsourced)
Senior officers must report directly to board/CEO/COO to satisfy the definition
Senior officers require sufficient seniority and authority to fulfill their responsibilities

Senior Officer Responsibilities Include:

Receiving operational incident reports
Being notified of material framework deficiencies
Overseeing framework implementation and effectiveness
Approving material framework changes
Ensuring adequate resources for risk management

For organizations requiring comprehensive AML compliance programs that integrate with RPAA operational frameworks, ComplyFactor provides integrated solutions addressing both requirements.

2. Safeguarding End-User Funds: Three Approved Methods

PSPs holding end-user funds face strict safeguarding requirements under subsection 20(1) of the RPAA. You must protect end-user funds through one of three approved methods—you cannot mix methods for the same funds.

Option A: Trust Arrangement

Establish a valid express trust under common law or the Civil Code of Québec meeting these requirements:

Trust Structure Requirements:

Funds held in dedicated safeguarding account at eligible Canadian financial institution
Account used exclusively for safeguarding (no operational expenses, no settlement activities, no corporate payments)
Trust clearly segregates end-user funds from all corporate funds
Trust documented with appropriate legal instruments

Legal Opinion Requirements: The Bank expects written legal opinions from qualified counsel confirming:

A valid express trust has been established under applicable law
Trust terms satisfy all RPAA and RPAR requirements
No structural issues compromise trust validity
Trust arrangement will function effectively during PSP insolvency

Common Trust Pitfalls to Avoid:

Using trust accounts for settlement with payment networks (compromises trust integrity)
Retaining interest earned on trust funds (may invalidate trust depending on terms)
Commingling even temporarily with corporate funds
Paying any expenses from trust account other than trust administration costs

Option B: Insurance Product

Obtain insurance from an eligible provider with these characteristics:

Insurance Policy Must Ensure:

Coverage value equals or exceeds end-user funds held
Coverage adjusts as fund amounts fluctuate
Proceeds payable to end users (not forming part of PSP estate)
Payout triggered by PSP insolvency events defined in subsection 14(3) RPAR
Proceeds payable “as soon as feasible” after insolvency event
Policy survives PSP insolvency and creditor compromises
PSP receives minimum 30-day cancellation notice

PSP Insolvency Events (subsection 14(3) RPAR) include:

Bankruptcy orders
Receivership appointments
Winding-up orders
Proposals under Bankruptcy and Insolvency Act
Arrangements under Companies’ Creditors Arrangement Act

Monitoring Obligations: PSPs using insurance must:

Monitor coverage daily against end-user fund balances
Implement systems detecting when coverage falls below required amounts
Adjust coverage promptly when fund amounts increase
Maintain documented methodology for determining coverage values

Option C: Guarantee Instrument

Secure a guarantee from an eligible provider ensuring:

Guarantee Terms Must Include:

Value equal to or exceeding end-user funds held
Guarantee survives PSP insolvency, creditor compromises, debt restructuring
Proceeds benefit end users exclusively
Payout triggered by same insolvency events as insurance
Proceeds payable “as soon as feasible” after trigger event
Minimum 30-day cancellation notice to Bank of Canada
Guarantee remains valid despite PSP obligation extinguishment

Guarantee Format: While the RPAR doesn’t prescribe guarantee format, the Bank expects:

Legal agreement between PSP and guarantee provider
Clear terms demonstrating subsection 14(2) compliance
Explicit provisions addressing each required element
Legal opinions confirming guarantee validity and enforceability

Eligible Insurance/Guarantee Providers:

Providers must be:

Canadian financial institutions listed in paragraphs 9(a) to 9(h) of RPAA; or
Foreign financial institutions prudentially regulated under comparable capital, liquidity, governance, supervision, and risk management standards to Canadian institutions

Providers cannot be affiliated with the PSP.

Critical Clarification on Deposit Insurance:

CDIC (Canada Deposit Insurance Corporation) coverage or provincial deposit insurance does not satisfy RPAA safeguarding requirements. Here’s why:

Deposit insurance protects account holders (the PSP) if the financial institution fails
RPAA safeguarding protects end users if the PSP fails
These are fundamentally different protection scenarios
Deposit insurance alone provides no protection when the PSP becomes insolvent

You may hold safeguarded funds in CDIC-insured accounts, but you must also implement trust, insurance, or guarantee arrangements protecting end users from PSP insolvency.

🔔

COMPLIANCE ALERT

The Bank of Canada expects legal opinions on safeguarding arrangements during periodic assessments. Prepare for this by obtaining written legal opinions from qualified counsel when establishing your safeguarding method. Opinions should address validity, compliance with all RPAA/RPAR requirements, and effectiveness during insolvency scenarios.

3. Safeguarding-of-Funds Framework: Operational Documentation

Beyond selecting a safeguarding method, subsection 15(1) of RPAR requires a comprehensive written framework ensuring:

Framework Objectives:

End users have reliable access without delay to their funds during normal operations
Insurance/guarantee proceeds pay to end users “as soon as feasible” following PSP insolvency

Required Framework Elements:

Operational Procedures:

Daily reconciliation processes for end-user fund balances
Safeguarding account monitoring and control procedures
Processes for adding/removing funds from safeguarding arrangements
Controls preventing unauthorized use of safeguarded funds

Insolvency Procedures:

How insolvency administrators will be informed of events triggering payout
Procedures for calculating each end user’s entitlement
Methods for returning funds to individual end users
Timeline expectations for completing distribution
Documentation requirements for claims processing

Risk Identification: Subsection 15(3) requires identifying legal and operational risks that could hinder framework objectives, including:

Risks related to insurance/guarantee policy terms
Risks from third-party service provider dependencies
Technological risks affecting fund access
Legal risks affecting trust validity or insurance/guarantee enforceability
Operational risks during business transitions or system failures

For guidance on implementing robust safeguarding frameworks, see our detailed regulatory framework resources.

4. Annual Reporting to the Bank of Canada

Registered PSPs must submit annual reports by March 31 each year, beginning March 31, 2026.

First Annual Report (Due March 31, 2026):

Covers calendar year 2025
Financial metrics based on your most recent financial year-end
Submitted through PSP Connect portal
Reporting form available in early 2026

Report Categories:

Operational Risk and Incident Response:

Significant incidents experienced
Framework testing results
Material framework changes
Control deficiencies identified and remediation

Safeguarding End-User Funds (if applicable):

Average and peak end-user fund balances
Safeguarding method(s) used
Insurance/guarantee coverage values
Safeguarding account details

Retail Payment Activity Metrics:

Electronic funds transfer volumes by type
Electronic funds transfer values by currency
Number of end-user accounts maintained
Cross-border transaction statistics
Geographic distribution of activities

The Bank will publish detailed reporting guidance outlining specific metrics, definitions, and calculation methodologies.

The PSP Registration Application Process

Step 1: Confirm Registration Requirement

Before investing in application preparation, definitively confirm your registration obligation using this methodology:

Analysis Framework:

Place of Business Test:
- Do you have offices, employees, or operations in Canada?
- If yes → Domestic PSP registration likely required
Foreign PSP Test (if no Canadian place of business):
- Do you serve end users physically located in Canada?
- Do you actively market to Canadian individuals or entities?
- If yes to both → Foreign PSP registration likely required
Payment Function Test:
- Do you initiate EFTs, maintain accounts, authorize payments, transmit instructions, or provide clearing/settlement?
- If yes → Continue analysis
Incidental Activity Test:
- Are payment functions your primary business or a marketed service?
- Do you generate separate payment services revenue?
- Do you hold end-user funds?
- If any yes → Likely non-incidental (registration required)
Exclusion Test:
- Are you an entity listed in section 9 of the RPAA?
- Do you perform functions only using designated systems under Section 4 PCSA?
- Are your activities truly incidental to another primary business?
- If no to all → Registration required

The Bank provides a self-assessment questionnaire to assist with this analysis. However, the questionnaire provides guidance only—not an official determination. Seek legal counsel if uncertainty remains.

Step 2: Prepare Required Information and Documentation

Section 29 of the RPAA and Section 24 of RPAR prescribe mandatory application information:

Corporate and Governance Information:

Basic Corporate Data:

Legal name, all trade names, and business number (BN)
Incorporation/formation jurisdiction and date
Corporate registry information
Head office and all operational locations

Organizational Structure:

Ultimate beneficial owners (individuals with 25%+ ownership or control)
Corporate organization chart showing all affiliated entities
Parent companies and subsidiaries
Ownership percentages for all material stakeholders

Governance:

Board of directors (all members with full details)
All officers
Senior officer designation with justification of qualifications

Operational and Business Information:

Payment Activities:

Detailed description of each payment function performed
Payment products and services offered
Technology platforms and systems used
Payment networks and systems accessed

Business Profile:

All business activities (payment and non-payment)
Revenue breakdown by activity type
Client types and geographic markets served
Business plans for next 12-24 months

Retail Payment Metrics:

Historical electronic funds transfer volumes (if operating)
Historical values by currency
Number of end-user accounts (if applicable)
Cross-border transaction statistics
Projected volumes and values for next 12 months

Third-Party Relationships:

Material Third-Party Service Providers: Must report any provider with material impact on:

Operational risk management
Safeguarding of end-user funds
Core payment functionality

Required details:

Provider legal name and location
Services provided
Materiality assessment
Alternative provider arrangements (if any)

Agents and Mandataries:

Legal name and business information
Payment functions performed on your behalf
Authority scope
Locations where agents/mandataries operate

Affiliated Entities:

Relationship type and nature
Ownership percentage
Business activities
Involvement in your payment operations

Safeguarding Information (if holding end-user funds):

Method Selection:

Safeguarding method chosen (trust, insurance, or guarantee)
Detailed explanation of how method satisfies RPAA requirements

Supporting Documentation:

Trust documents and legal opinions (if trust)
Insurance policies and coverage calculations (if insurance)
Guarantee agreements and legal opinions (if guarantee)
Safeguarding-of-funds framework document

For Foreign PSPs Without Canadian Presence:

Canadian Agent/Mandatary (Required under paragraph 29(1)(o)):

Name and address in Canada
Authority to accept notices and orders on your behalf
Contact information

This representative serves as your official contact point for Bank of Canada communications and service of legal documents.

Step 3: Complete PSP Connect Application

Access the Bank’s PSP Connect portal to submit your application:

Account Setup:

One email address per application
Create organizational profile
Designate primary contact

Authorized Users and Delegates: You may designate individuals to:

Complete application sections
Submit supporting documents
Respond to Bank information requests
Pay application fees
Receive application status updates

Consultants and Third-Party Assistance: If using consultants, add them as delegates rather than sharing login credentials. Delegates can access your application while maintaining clear accountability.

Application Sections: Complete all required sections:

Corporate information
Governance and management
Business activities
Payment functions
Third-party relationships
Operational framework
Safeguarding arrangements (if applicable)
Financial information

Supporting Documentation: Upload required documents:

Corporate registry extracts
Organizational charts
Operational risk framework
Safeguarding-of-funds framework
Insurance policies or guarantee agreements
Legal opinions
Business plans
Financial statements

Application Fee Payment:

$2,500 non-refundable fee
Payable via PSP Connect
Application not considered submitted until fee received

Step 4: Bank of Canada Review Process

After submission, your application enters a multi-stage review:

Completeness Review: The Bank assesses whether your application contains all required information. If incomplete:

You receive an information request under subsection 29(3)
You have a prescribed period to respond
Failure to respond may result in refusal

Substantive Review: The Bank evaluates:

Whether you meet registration criteria
Framework adequacy and completeness
Safeguarding arrangement effectiveness
Third-party risk management sufficiency
Governance and accountability structures

Parallel Reviews:

FINTRAC Review: If you’re also subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, FINTRAC reviews your application concurrently for AML/CFT risks. The Bank will not issue a registration decision until FINTRAC completes its review.

National Security Review (if applicable): The Minister of Finance may initiate a 180-day national security review if deemed necessary. You’ll be notified if selected.

Additional Information Requests: Common reasons for requests include:

Unclear safeguarding arrangements requiring clarification
Missing beneficial ownership details
Incomplete third-party service provider information
Framework gaps requiring remediation plans
Financial stability concerns requiring additional documentation
Novel business models requiring detailed explanation

Respond comprehensively and promptly. The Bank may request clarification on your responses.

Step 5: National Security Review (if Triggered)

If the Minister of Finance initiates national security review:

Review Timeline:

Up to 180 days initially
Extendable for additional 180-day periods at Minister’s discretion
Extensions have no practical limit

Information Requirements: You must provide prescribed information under paragraphs 24(9)(a)-(p) of RPAR, including:

Foreign ownership details
Foreign government relationships or influence
Critical infrastructure involvement
Sensitive technology or data access
National security sensitive contracts
Other prescribed factors

Designated Review Authorities: The Minister may designate these authorities to conduct review:

Royal Canadian Mounted Police (RCMP)
Communications Security Establishment (CSE)
Canadian Security Intelligence Service (CSIS)

Possible Outcomes:

Ministerial Directive to Refuse: The Minister may direct the Bank to refuse your registration if national security concerns exist.

Conditions or Undertakings: The Minister may impose conditions on your registration, such as:

Restrictions on certain activities
Enhanced reporting requirements
Limitations on data storage or access
Prohibitions on specific third-party relationships

Approval Without Conditions: The review concludes with no restrictions.

Review Rights: You may request review of ministerial decisions within 30 days under RPAR procedures.

Step 6: Registration Decision

If Approved: You receive written notice of registration including:

Registration confirmation
Registry information
Ongoing obligations summary
Next reporting deadlines

You appear in the public PSP Registry within days.

If Refused: You receive written refusal notice including:

Specific refusal reasons
Right to request independent review
Review request timeline and procedures

Refusals appear on the Bank’s public list of refused/revoked entities.

For organizations requiring comprehensive PSP compliance development, ComplyFactor provides end-to-end registration support and framework implementation.

Changes Requiring New Registration Applications

Acquisitions and Control Changes

Subsection 24(1) of the RPAA mandates new registration applications before acquisitions of control take effect.

What Constitutes “Acquisition of Control”:

While the RPAA doesn’t define “control” explicitly, the Bank assesses based on:

Legal ownership percentages
Voting rights
Board representation
Operational control
Veto rights on key decisions
Management influence
Economic interest

Common Acquisition Scenarios:

Merger or Acquisition: If Company A acquires PSP B, PSP B must submit a new application reflecting the acquisition before closing.

Ownership Change: If new investors acquire controlling stakes in a PSP, the PSP must submit a new application.

Corporate Restructuring: If a PSP reorganizes in a manner changing control, a new application is required.

Application Timing:

Submit new application before acquisition completes
Continue operating under existing registration until new registration approved
Don’t close acquisition until new registration received

Prescribed Changes

Subsection 24(2) requires new applications before “prescribed changes” occur. While RPAR doesn’t currently prescribe specific changes, monitor regulatory updates as the Bank may prescribe:

Material business model changes
Major operational system changes
Significant third-party relationship changes
Other material changes affecting risk profile

Material Changes Requiring Notification (Not New Applications)

While new applications aren’t required for all changes, you must notify the Bank within 30 days of:

Governance Changes:

New or departing directors or officers
Senior officer changes
Material changes to governance processes

Relationship Changes:

New material third-party service providers
Termination of material provider relationships
Material changes to provider services
New agents/mandataries or terminations
Material affiliated entity changes

Operational Changes:

New payment functions performed
Cessation of payment functions
Material operational system changes
Geographic expansion
Material business activity changes

Corporate Changes:

Legal name changes
Trade name changes
Address changes
Business number changes
Corporate structure changes not rising to “control” level

Safeguarding Changes:

Changes to safeguarding methods
New insurance policies or guarantees
Safeguarding account changes
Material framework modifications

Submit changes through PSP Connect. The Bank updates the registry promptly to maintain accuracy.

Post-Registration Compliance Obligations

Ongoing Operational Framework Maintenance

Registration is not a one-time event—it triggers continuous compliance obligations:

Framework Updates:

Review and update frameworks annually minimum
Update whenever material operational changes occur
Enhance frameworks based on lessons learned from incidents
Incorporate regulatory guidance as published

Testing and Validation:

Test business continuity plans annually minimum
Test disaster recovery procedures regularly
Validate incident response procedures
Review third-party contingency arrangements

Documentation:

Maintain current framework documentation
Retain testing results and findings
Document framework changes and rationale
Keep audit trails of significant decisions

Independent Reviews

PSPs must commission periodic independent reviews assessing:

Operational Risk Framework Review:

Framework design adequacy
Implementation effectiveness
Control testing
Gap identification
Remediation recommendations

Safeguarding Framework Review (if applicable):

Safeguarding method effectiveness
Legal arrangement validity
Operational procedure adequacy
Insolvency readiness
End-user entitlement accuracy

Review Characteristics:

Independence:

Reviewers must be independent of operations reviewed
External third parties preferred
Internal audit acceptable if independent

Qualifications:

Reviewers must possess relevant expertise
Understanding of payment systems
Familiarity with RPAA requirements
Industry experience

Frequency:

Risk-based frequency (typically annually or biennially)
Higher risk PSPs require more frequent reviews
Reviews after major changes or incidents

Scope:

Design adequacy assessment
Operating effectiveness testing
Compliance verification
Best practice benchmarking

For independent AML audit services that can be combined with RPAA framework reviews, ComplyFactor offers integrated assessment solutions.

Incident Reporting and Management

When operational incidents occur:

Immediate Response:

Activate incident response procedures
Contain and mitigate impacts
Assess scope and severity
Notify senior officer

Bank of Canada Notification: The Bank expects notification of:

Material operational disruptions
Cybersecurity incidents affecting operations
Safeguarding arrangement issues
Major third-party provider failures
Incidents affecting end users

While formal incident reporting requirements continue developing, proactive communication demonstrates sound risk management.

Incident Documentation:

Maintain detailed incident logs
Document response actions taken
Conduct post-incident reviews
Implement lessons learned

Remediation:

Address root causes
Enhance controls
Update frameworks
Report remediation to Bank

Annual Reporting Compliance

March 31 Annual Deadline: Submit complete annual reports through PSP Connect.

Quality Expectations:

Accurate data
Complete responses to all questions
Consistency with operational records
Timely submission

Consequences of Late or Incomplete Reports:

Potential violations under RPAA
Enhanced supervisory scrutiny
Possible administrative monetary penalties

Bank of Canada Supervisory Engagement

Expect regular supervisory activities:

Periodic Assessments:

Scheduled reviews of RPAA compliance
Framework effectiveness evaluations
Safeguarding arrangement verification
Third-party risk management review

Information Requests:

Ad hoc data requests
Clarification questions
Thematic review participation

On-Site Examinations:

Physical location visits
Staff interviews
System demonstrations
Document reviews

Intensity Factors: Supervisory intensity increases based on:

Volume of end-user funds held
Number of end users served
Operational complexity
Geographic scope
Incident history
Compliance track record

Interplay with Other Canadian Regulatory Regimes

FINTRAC Anti-Money Laundering Requirements

RPAA and FINTRAC obligations are independent. Bank of Canada PSP registration doesn’t exempt you from FINTRAC registration if you operate as a money services business (MSB).

Concurrent Obligations:

If you provide services meeting the MSB definition under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, you must:

Register with FINTRAC as an MSB
Implement AML/CFT compliance programs
Conduct customer due diligence
Report suspicious transactions
Maintain required records
Comply with all FINTRAC obligations

FINTRAC’s Role in RPAA Process: FINTRAC reviews PSP applications for AML/CFT risks. The Bank of Canada doesn’t issue registration decisions until FINTRAC completes its review.

For comprehensive guidance on FINTRAC MSB registration and compliance, including detailed requirements and timelines, see our complete guide.

Provincial Payment Services Regulation

Depending on your activities and location:

Quebec:

Act respecting financial services cooperatives may apply
Additional provincial requirements possible

Other Provinces:

Provincial money transmission licensing may apply
Provincial consumer protection legislation
Provincial privacy laws

Key Point: RPAA registration doesn’t replace provincial obligations. Conduct jurisdictional analysis for each province where you operate.

Securities Regulatory Requirements

The RPAA includes a limited exclusion for payment functions performed “for carrying out securities transactions or for carrying out eligible financial contracts.”

Narrow Exclusion Scope:

Applies only to functions directly facilitating the securities transaction
Other payment functions by the same entity remain in scope
Payment platforms serving securities industry likely still require registration

Privacy and Data Protection Laws

PSPs must comply with:

Federal:

Personal Information Protection and Electronic Documents Act (PIPEDA)
Privacy obligations for customer and transaction data

Provincial:

Quebec’s Act respecting the protection of personal information in the private sector
British Columbia’s Personal Information Protection Act
Alberta’s Personal Information Protection Act

For detailed guidance on data protection compliance for Canadian PSPs, see our comprehensive privacy framework guide.

Consequences of RPAA Non-Compliance

Administrative Monetary Penalties

The Bank may issue notices of violation with administrative monetary penalties (AMPs) for RPAA violations.

Violation Classifications:

Minor Violations:

Lower penalties (thousands range)
Technical compliance issues
Limited impact violations

Serious Violations:

Moderate penalties (tens of thousands range)
Compliance framework deficiencies
Safeguarding issues
Reporting failures

Very Serious Violations:

Substantial penalties ($100,000+ potential)
Operating without registration
Material safeguarding failures
Persistent non-compliance
False or misleading information

Penalty Calculation Factors:

Aggravating Factors (increase penalties):

Prior violation history
Intentional or reckless conduct
Failure to cooperate with Bank supervision
Harm to end users or payment system stability
Attempted concealment
Senior management involvement

Mitigating Factors (reduce penalties):

Voluntary disclosure
Prompt remediation
Cooperation with Bank
First offense
No harm to end users
Good compliance history

Penalty Payment:

Payable within specified timeframe
Failure to pay may result in additional enforcement
Outstanding penalties may affect registration status

Registration Refusal

The Bank may refuse registration under subsection 48(1) if:

Prescribed Reasons:

You don’t meet prescribed registration requirements
Information provided is false or misleading
Required information isn’t provided despite requests

Public Interest Grounds:

Registration would be contrary to public interest
Bank determines you pose unacceptable risks

Refusal Consequences:

Application denied
$2,500 fee not refunded
Name published on refused entities list
Cannot perform retail payment activities
May reapply after addressing deficiencies

Registration Revocation

The Bank may revoke existing registration under section 51 if:

Grounds for Revocation:

False or misleading information provided (initial application or ongoing)
RPAA or RPAR violations
Failure to comply with Bank orders or directives
Cessation of retail payment activities
Revocation would be in the public interest

Revocation Consequences:

Registration immediately terminated
Must cease all retail payment activities
Published on revoked entities list
May trigger safeguarding arrangement payouts
Must notify end users and facilitate fund return

Revocation Process:

Written notice from Bank
Opportunity to respond
Right to request independent review
Potential appeal to Federal Court

Criminal Offenses

Section 91 of the RPAA creates criminal offenses for:

Prohibited Conduct:

Knowingly providing false or misleading information
Destroying, mutilating, or falsifying required records
Obstructing Bank officials performing duties
Failing to comply with ministerial orders or directives

Penalties Upon Conviction:

Fines up to $500,000
Imprisonment
Both fine and imprisonment

Prosecution:

Summary conviction or indictment possible
Serious violations typically pursued by indictment
Corporate officers may be personally liable

Special Considerations for Different PSP Types

Using Designated Payment Systems (Interac e-Transfer)

Key Question: Do I need to register if I use Interac e-Transfer?

Short Answer: Yes, almost always.

Detailed Explanation:

Section 7 of the RPAA excludes payment functions performed using systems designated under Section 4 of the Payment Clearing and Settlement Act. Interac e-Transfer uses such a system.

However, the exclusion is narrow:

Only functions performed on the designated system are excluded
Most PSPs perform functions outside the designated system
Those external functions require registration

Common Functions Outside the Designated System:

Initiating the electronic funds transfer (sending initial instruction)
Maintaining the account from which transfers originate
Transmitting certain payment instructions
Account management functions

Result: Most PSPs using Interac e-Transfer must register because they perform payment functions outside the designated system as part of delivering the service.

Agent and Mandatary Structures

Section 10 of the RPAA provides a limited exclusion for agents and mandataries.

Exclusion Requirements:

Agents/mandataries are excluded if:

They perform retail payment activities on behalf of a registered PSP
Functions performed are within the scope of their authority as agent/mandatary
They appear on the registered PSP’s agent/mandatary list

Key Implications:

For Agents/Mandataries:

Must be listed on principal PSP’s registration
Exclusion applies only to agency/mandatary functions
Any non-agency payment functions require separate registration
Subject to principal’s liability for violations

For Principal PSPs:

Maintain current agent/mandatary lists
Update lists when relationships change
Ensure agents/mandataries understand scope of authority
Implement oversight and monitoring

Liability Considerations:

Section 87 of the RPAA states:

Principal PSP is liable for violations by agents/mandataries acting within authority
Liability exists whether or not the specific agent/mandatary is identified
Agents/mandataries may also be directly liable

Best Practices:

Define agent/mandatary authority clearly in written agreements
Provide training on RPAA requirements
Monitor agent/mandatary compliance
Implement quality assurance programs
Update principal PSP about relationship changes

Foreign PSPs Without Canadian Physical Presence

Foreign PSPs face unique compliance challenges:

Canadian Representative Requirement:

Paragraph 29(1)(o) mandates designating a Canadian agent/mandatary to:

Accept notices from the Bank of Canada
Accept orders and directives
Serve as official contact point

Representative Characteristics:

Must have Canadian address
Need not be employee
Must have authority to accept service on your behalf
Should be responsive and reliable

Operational Considerations:

Safeguarding Arrangements:

Can you effectively protect Canadian end users from foreign jurisdiction?
Will insurance/guarantee providers pay to Canadian end users?
Do arrangements address cross-border insolvency complexities?

Framework Accessibility:

How will Bank of Canada access your operations for examination?
Can you produce records promptly?
Do you have Canadian representation for meetings?

Independent Reviews:

Can reviewers assess your foreign operations effectively?
Do reviewers understand both Canadian requirements and your home jurisdiction?

Legal Opinions:

Ensure counsel understands Canadian law requirements
Address cross-border legal issues
Confirm enforceability in Canada

For organizations expanding internationally, our guide to global MLRO services addresses multi-jurisdictional compliance challenges.

PSPs Holding Minimal End-User Funds

If you hold end-user funds briefly or in minimal amounts:

No Exemption: Safeguarding requirements apply regardless of amount or duration.

Practical Approaches:

Minimize holding periods to reduce exposure
Use same-day settlement where possible
Implement trust arrangements for any holding period
Monitor balances continuously

Alternative: Structure operations to avoid holding end-user funds entirely, if feasible.

Best Practices for Sustainable RPAA Compliance

1. Build Frameworks Before Applying

Don’t treat registration as the compliance endpoint. The Bank expects operational frameworks when you register—not plans to develop frameworks.

Pre-Registration Implementation:

Develop complete operational risk framework
Create safeguarding-of-funds framework
Implement policies and procedures
Train staff on requirements
Test controls and procedures
Conduct gap analysis against Bank guidelines

Benefit: Demonstrates readiness and may accelerate approval.

2. Invest in Qualified Legal Counsel

RPAA compliance involves complex legal issues:

Legal Opinion Requirements:

Trust validity under common law or Quebec civil law
Insurance/guarantee policy effectiveness
Corporate structure implications
Cross-border enforceability (for foreign PSPs)

Counsel Selection:

Canadian law expertise essential
Payment systems knowledge valuable
RPAA-specific experience ideal
Responsiveness and availability critical

3. Implement Robust Third-Party Oversight

Third-party service providers create significant risk:

Due Diligence:

Assess provider stability and capabilities
Evaluate business continuity arrangements
Review security and operational controls
Verify regulatory compliance

Ongoing Monitoring:

Regular performance reviews
Incident monitoring
Control testing
Financial health monitoring

Contingency Planning:

Identify alternative providers
Document transition procedures
Test contingency arrangements
Update plans regularly

4. Establish Proactive Bank Communication

Don’t wait for Bank to contact you:

Regular Updates:

Notify Bank of material changes promptly
Provide context for complex changes
Seek clarification on unclear requirements
Raise concerns early

Incident Communication:

Report material incidents proactively
Provide regular status updates
Share post-incident analysis
Demonstrate remediation effectiveness

5. Maintain Comprehensive Documentation

Documentation proves compliance:

Document Everything:

Policy and procedure development
Framework testing and validation
Incident response and remediation
Third-party due diligence
Training delivery
Control testing
Management reviews and approvals

Retention:

Maintain records for reasonable periods
Organize for efficient retrieval
Protect confidentiality
Ensure accessibility for Bank reviews

6. Conduct Regular Compliance Self-Assessments

Don’t wait for Bank assessments:

Self-Assessment Process:

Quarterly or semi-annual compliance reviews
Gap analysis against Bank guidelines
Control effectiveness testing
Issue tracking and remediation
Senior management reporting

Independent Reviews:

Annual or biennial third-party reviews
Qualified reviewer selection
Comprehensive scope
Management response to findings
Remediation tracking

For organizations requiring independent compliance assessments, ComplyFactor provides regulator-ready review services.

7. Monitor Regulatory Developments Actively

The RPAA framework continues evolving:

Stay Informed:

Subscribe to Bank’s retail payments newsletter
Monitor guidance publications
Participate in industry consultations
Review enforcement actions
Track registry updates

Adapt Proactively:

Update frameworks based on new guidance
Enhance controls based on industry incidents
Implement best practices as they emerge
Engage with industry associations

8. Integrate RPAA with Broader Compliance

RPAA compliance shouldn’t exist in isolation:

Integration Opportunities:

Combine with AML/CFT compliance programs
Align with cybersecurity frameworks
Incorporate into enterprise risk management
Coordinate with privacy compliance
Leverage existing control frameworks

Efficiency Benefits:

Reduced duplication
Consistent governance
Shared resources
Holistic risk view
Better risk mitigation

For organizations implementing comprehensive compliance frameworks, ComplyFactor provides integrated solutions addressing multiple regulatory requirements.

Frequently Asked Questions About RPAA Compliance

Q: I applied before September 8, 2025, but haven’t received a decision. Can I still operate?

Yes. Section 108 of the RPAA allows PSPs who applied during the transition period to continue operations until receiving a registration decision (approval or refusal). This provision remains in effect regardless of processing duration.

Q: I’m registered with FINTRAC as an MSB. Do I still need Bank of Canada PSP registration?

Yes, unless you qualify for a specific RPAA exclusion. FINTRAC and Bank of Canada registration requirements are independent. FINTRAC registration addresses anti-money laundering and terrorist financing concerns. Bank of Canada registration addresses operational resilience and safeguarding. Most MSBs require both registrations.

For comparative analysis, see our MSB vs PSP licensing guide.

Q: Can I use my parent company’s operational risk framework?

Yes, if the framework:

Adequately addresses your specific operations and risks
Includes appropriate governance and oversight for your entity
Meets all RPAA and RPAR requirements
Is appropriately tailored to your risk profile

Document how the parent framework applies to your operations and ensure your senior officer has appropriate oversight.

Q: How do I verify if a PSP is registered?

Check the Bank of Canada’s public PSP Registry. The registry includes:

All registered PSPs
Registration dates
Payment functions performed
Contact information
Agents and mandataries lists

Q: What happens if my insurance/guarantee provider cancels my policy?

You must:

Notify the Bank of Canada within 30 days (per paragraph 14(2)(d) of RPAR)
Establish alternative safeguarding arrangements before cancellation effective date
Ensure no gap in end-user fund protection
Update your safeguarding-of-funds framework

Failure to maintain continuous safeguarding constitutes a serious violation.

Q: How long does PSP registration remain valid?

RPAA registration doesn’t expire. However, the Bank may revoke registration for:

RPAA violations
False or misleading information
Cessation of retail payment activities
Public interest grounds

Maintain ongoing compliance to preserve registration.

Q: Can I appeal a registration refusal?

Yes. The refusal process includes:

Written refusal notice from Bank (includes reasons)
Right to request independent review of refusal
Review conducted by reviewer independent of Bank
Review decision issued
Right to appeal review decision to Federal Court

Refusal notices explain the process, timelines, and requirements.

Q: Do third-party service providers need their own PSP registration?

Only if they independently perform retail payment activities meeting registration criteria. Providing services to a PSP doesn’t automatically require registration. However:

Assess whether the provider performs payment functions
Determine if functions are performed “in relation to” EFTs
Evaluate whether functions are incidental to other services
Consider whether any exclusions apply

If registration is required, both you and the provider must register.

Q: What’s the difference between agents/mandataries and third-party service providers?

Agents/Mandataries:

Act on your behalf with authority to bind you
Perform payment functions within their authority scope
Excluded from registration if properly authorized and listed
Create liability for the principal PSP

Third-Party Service Providers:

Provide services to you under contract
Don’t act as your legal representative
Require registration only if they independently meet PSP criteria
Don’t automatically create liability for you (though operational risk exists)

Determine the correct categorization based on legal relationship and authority.

Q: How do I update my registration information after changes occur?

Submit updates through PSP Connect within 30 days of material changes. Updates are required for:

Governance changes (directors, officers, senior officer)
Relationship changes (third parties, agents, affiliates)
Operational changes (payment functions, locations)
Corporate changes (name, address, structure)
Safeguarding changes (methods, arrangements)

The Bank updates the public registry to reflect changes.

Q: What happens to end-user funds if my registration is revoked?

If You Hold Funds in Trust:

Trust continues despite revocation
Trustees must return funds to end users
Court may appoint trustee if necessary

If You Use Insurance/Guarantee:

Revocation may trigger payout provisions
Insurance/guarantee provider pays end users
Follow procedures documented in safeguarding-of-funds framework

Your Obligations:

Notify end users promptly
Facilitate fund return process
Cooperate with trustees/administrators
Maintain records of fund ownership

Q: Can I operate in Canada while my foreign home jurisdiction registration is pending?

No. RPAA registration is independent of foreign registrations. You cannot perform retail payment activities in Canada until you receive Bank of Canada registration approval (unless you applied before September 8, 2025 and are covered by section 108).

Q: Are there different RPAA requirements based on PSP size?

The RPAA applies equally to all PSPs regardless of size. However, the Bank applies risk-based supervision, meaning:

All PSPs must meet the same baseline requirements
Higher-risk or larger PSPs face more intensive supervision
Framework sophistication should be proportionate to your risk profile
Independent review frequency may vary based on risk

Larger or higher-risk PSPs should implement more robust controls.

Understanding RPAA Cost Recovery Framework

While not yet implemented, the RPAA includes provisions for cost recovery:

Registration Fee:

$2,500 non-refundable application fee (currently implemented)

Annual Assessment Fees:

Bank will recover supervisory costs through annual fees levied on registered PSPs
Fee formula methodology pre-published in Canada Gazette, Part I (February 2023)
Final regulations pending
Implementation timing to be determined

Cost Recovery Principles:

PSPs pay proportionate shares based on size and risk
Fees fund Bank’s RPAA supervision activities
Formula considers factors like transaction volumes, end-user funds held, and operational complexity

Monitor Bank communications for cost recovery implementation announcements.

Conclusion: Implementing Effective RPAA Compliance

The Retail Payment Activities Act fundamentally reshapes Canada’s payment services landscape. While compliance demands significant investment in frameworks, governance, and resources, it also delivers meaningful benefits:

Regulatory Clarity:

Clear expectations for operational resilience
Defined safeguarding standards
Transparent supervisory framework

Market Confidence:

Enhanced credibility with Canadian financial institutions
Demonstrated commitment to end-user protection
Competitive differentiation through regulatory compliance

Operational Excellence:

Stronger operational risk management
Better incident preparedness
More robust third-party oversight
Improved business continuity

Strategic Opportunities:

Potential access to designated payment systems
Foundation for expansion into new payment services
Platform for innovation with appropriate risk management

Success under the RPAA requires embedding compliance into your organizational DNA. Organizations that view RPAA as an opportunity to strengthen operations—rather than merely a regulatory burden—will thrive in Canada’s evolving payment ecosystem.

Critical Next Steps:

Determine registration status definitively – Don’t assume exclusions apply
Develop comprehensive frameworks immediately – Don’t wait for registration
Secure qualified legal counsel – Ensure opinions support your arrangements
Implement robust governance – Assign clear accountability
Establish Bank communication – Be proactive and transparent
Plan for ongoing compliance – Registration is just the beginning

For organizations requiring expert guidance through RPAA registration, operational framework development, or ongoing compliance support, ComplyFactor offers tailored solutions combining deep regulatory expertise with practical implementation experience. Our team has guided numerous PSPs through successful registration and compliance implementation across multiple jurisdictions.