PSP registration Canada — FINTRAC & Bank of Canada RPAA
Payment service providers operating in Canada are now subject to two separate federal registrations — FINTRAC registration as a Money Service Business under the PCMLTFA, and Bank of Canada registration under the Retail Payment Activities Act (RPAA). Both have been mandatory since September 8, 2025. Operating without either carries penalties of up to $10,000,000 CAD per violation under the RPAA, and up to $4,000,000 under the PCMLTFA following Bill C-12.
ComplyFactor manages dual PSP registration across Canada — FINTRAC MSB registration and Bank of Canada RPAA registration handled together, with the AML compliance program and operational risk framework required to support both.
PSP registration in Canada — two regulators, two registrations
Before September 2025, a Canadian payment service provider registered with FINTRAC as an MSB and its obligations were largely complete. The RPAA changed that. PSPs now answer to two federal regulators with different mandates, different portals, different obligations, and different enforcement powers.
FINTRAC — MSB registration
The anti-money-laundering obligation, under the PCMLTFA.
- Focus: anti-money laundering & counter-terrorist financing
- Key obligation: AML compliance program, STR/EFTR filing
- Maximum penalty: $4,000,000 (Bill C-12)
Bank of Canada — RPAA registration
The operational-risk obligation, under the Retail Payment Activities Act.
- Focus: operational risk, end-user fund safeguarding, incident response
- Key obligation: operational risk framework, fund safeguarding, incident reporting
- Maximum penalty: $10,000,000 per violation
Do you need to register as a PSP under the RPAA?
The RPAA applies to any individual or entity that performs one or more retail payment functions in Canada — or directs those functions at Canadian end-users, regardless of where the business is incorporated. The Act is activity-based, not entity-based: what matters is what your business does.
Providing or maintaining a payment account
Providing an account that stores monetary value or payment credentials for end-users — a digital wallet, stored-balance account, or platform payment account. The most common trigger for Canadian fintechs.
Examples: digital wallets, stored-value accounts, prepaid balance accounts with EFT capabilityHolding end-user funds
Holding funds on behalf of end-users — as a float, in escrow, or in a pooled account — is a retail payment function. It triggers registration and end-user fund safeguarding obligations.
Funds must be held in trust or a segregated account at a Canadian financial institutionInitiating electronic fund transfers
Initiating an EFT on behalf of a client — wire, ACH, Interac e-Transfer, or cross-border payment — is a core retail payment activity. The broadest trigger, capturing most payment platforms and remittance operators.
Captures payment platforms, remittance operators, and B2B payment providersAuthorising or clearing transactions
Sitting in the transaction chain as an authoriser or clearer — orchestration platforms, gateways, and intermediaries transmitting payment instructions — may trigger the RPAA even without holding funds. The Act captures the instruction chain, not just the money.
Intermediary businesses most often miss this triggerInternational PSPs serving Canadian end-users
The RPAA applies extraterritorially. A business incorporated outside Canada that performs retail payment activities directed at Canadian end-users — Canadian-facing marketing, CAD pricing, or a .ca domain — must register with the Bank of Canada before commencing.
Jurisdiction is not limited to Canadian-incorporated entitiesFINTRAC registration vs Bank of Canada RPAA — what each covers
The two registrations are independent and both mandatory. Here is exactly how they differ.
Only need FINTRAC and not the RPAA? If your business does not perform retail payment activities, see our MSB Registration Canada page instead.
MSB registrationHow to register as a PSP in Canada — FINTRAC + RPAA
Dual registration is two separate processes, two portals, and two timelines. They can — and should — be run concurrently.
Confirm your MSB activity category
Determine which PCMLTFA category applies — funds transfer is most common for PSPs. Many also qualify as foreign exchange or virtual currency dealers depending on product mix.
Build your AML compliance program
Written policies, risk assessment, and training framework must be in place before your FINTRAC registration is active — examined at your first FINTRAC review (typically 12–24 months after registration).
Submit FINTRAC online application
Complete the FINTRAC registration form — MSB activities, compliance officer designation, and locations — submitted on your behalf with all activity declarations. No application fee.
RPAA self-assessment
Use the Bank of Canada's self-assessment tool to confirm the RPAA applies to your activities. This output is the foundation of your application — an incorrect conclusion compounds through every later step.
Create PSP Connect account & apply
PSP Connect is the Bank of Canada's portal. The application requires entity details, directors and beneficial owners, payment activities and EFT flows, fund-safeguarding arrangements, operational risk and incident-response frameworks, and third-party disclosures.
Pay the fee & submit
The Bank of Canada charges a non-refundable $2,500 CAD registration fee per application. Processing for straightforward applications runs 30 to 90 days; complex applications, or those requiring further information, take longer.
The 60-day pre-commencement rule
New entrants must submit the RPAA application at least 60 days before commencing retail payment activities — and must receive Bank of Canada approval before starting. A hard rule with no grace period.
RPAA compliance obligations — what PSPs must do after registration
RPAA registration is the entry point to an ongoing supervisory relationship with the Bank of Canada. These obligations begin on the date of registration and continue for the life of the business.
FINTRAC obligations continue. RPAA registration does not replace or reduce your FINTRAC obligations — both run concurrently. Your AML compliance program, STR/EFTR filing, biennial effectiveness review, and compliance officer designation remain active under the PCMLTFA alongside every RPAA obligation.
What our PSP registration service covers
We manage both registrations together — FINTRAC and RPAA — so your business does not navigate two regulatory portals with two sets of documentation independently.
RPAA activity assessment
We assess your specific payment functions against the RPAA's statutory criteria — confirming which activities trigger registration and whether any exclusions apply to your model.
FINTRAC MSB registration
End-to-end FINTRAC registration — activity category confirmation, compliance officer designation, application submission, and the AML compliance program build.
Bank of Canada RPAA application
Full RPAA application via PSP Connect — entity and ownership documentation, payment activity description, EFT flow mapping, and all required disclosures.
AML compliance program (PCMLTFA)
Written policies, risk assessment, and training framework to support your FINTRAC registration — built for your specific payment activities and customer types.
RPAA operational risk framework
Documented framework covering technology risk, cyber risk, third-party dependencies, business continuity, and incident response — required for RPAA registration and ongoing oversight.
End-user fund safeguarding documentation
If you hold end-user funds, we document your safeguarding arrangement in the Bank of Canada's required format — designated account structure and reconciliation procedures.
Post-registration compliance setup
Annual report calendar, material-change notification procedures, FINTRAC reporting obligations, and biennial audit scheduling — all established before your registrations are active.
PSP registration timelines & costs
Dual registration has a different timeline and cost structure for each regulator. The RPAA path is the critical path for new PSPs — and FINTRAC runs concurrently alongside it.
What Canadian PSPs receive
A dual-registration engagement delivers both registrations plus the compliance documentation required to support them.
Why Canadian PSPs choose ComplyFactor
Both registrations, built concurrently — by a firm equipped for AML and operational risk.
Both registrations managed together
Most firms handle either FINTRAC or RPAA — not both. We manage dual registration end-to-end, with both frameworks built concurrently to avoid the gap PSPs fall into when they treat the two as separate projects.
RPAA operational risk framework included
RPAA registration requires an operational risk framework most AML-focused firms can't build. We cover both the AML program and the operational risk documentation the Bank of Canada examines.
The 60-day new-entrant rule, managed
We plan your timeline around the Bank of Canada's 60-day pre-commencement rule, so you don't start payment activities before approval is in hand — a common and costly mistake among self-managed applications.
International PSPs — Canada market entry
We regularly support international payment businesses registering with both regulators for the first time — extraterritorial RPAA application, Canadian fund safeguarding, and FINTRAC AML program, all handled.
Fixed-scope pricing for both registrations
One engagement letter, one fixed price, both registrations covered. No separate billing for FINTRAC and RPAA work — the dual registration is the scope.
