The New Era of Payments Supervision in Canada

Canada’s financial technology sector is undergoing a profound regulatory transformation. While the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has long anchored the system with Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) oversight, a new, equally critical regime is now firmly established: the Retail Payment Activities Act (RPAA).

The RPAA, administered by the Bank of Canada (BoC), represents Canada’s federal commitment to enhancing the safety, reliability, and security of its retail payment ecosystem. Unlike FINTRAC, which focuses on illicit financial activity, the RPAA targets operational risk and consumer protection.

For Payment Service Providers (PSPs)—a group that includes many Fintechs, payment processors, and even certain Money Services Businesses (MSBs)—full compliance with the RPAA is non-negotiable. The crucial date for full operational compliance is September 8, 2025. Any unregistered or non-compliant PSP risks facing severe enforcement action, including fines and the complete prohibition of operations.

This expert guide provides a comprehensive roadmap for achieving RPAA compliance, covering registration requirements, key deadlines, the regulatory scope, and the two major compliance pillars: Operational Risk Management and the Safeguarding of End-User Funds.


Defining the Scope: Who is a Payment Service Provider (PSP)?

The first step in the RPAA compliance journey is determining if your entity falls under the Bank of Canada’s regulatory jurisdiction. The Act applies to any individual or entity performing “retail payment activities” directed at end-users in Canada, regardless of whether the provider has a physical place of business in the country (similar to FINTRAC’s Foreign Money Services Business, or FMSB, concept).

The Five Core Payment Functions

Registration is required if a PSP performs any of the following five “payment functions” as a service or business activity that is not merely incidental to another core non-payment service:

  1. Providing or maintaining an account that is held on behalf of one or more end-users.
  2. Holding funds on behalf of an end-user until they are withdrawn or transferred.
  3. Initiating an electronic funds transfer (EFT) at the request of an end-user (e.g., initiating a direct debit or credit).
  4. Authorizing an EFT, or transmitting, receiving, or facilitating instructions in relation to an EFT.
  5. Providing clearing or settlement services related to EFT transactions.

This broad scope captures a vast array of services, including digital wallets, prepaid card providers, merchant acquirers, payment gateways, and remittance services.

The RPAA vs. FINTRAC: A Dual Regulatory Framework

For many Fintechs, the RPAA is a second layer of federal regulation, running parallel to the existing FINTRAC requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).

Feature | Retail Payment Activities Act (RPAA) | FINTRAC (PCMLTFA)
Regulator | Bank of Canada (BoC) | Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)
Primary Focus | Operational resilience, system safety, reliability, and end-user fund protection. | Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF).
Compliance Pillars | Risk Management & Incident Response (RMIR) and Safeguarding of Funds (SoF). | Compliance Officer, Risk Assessment, Written Policies, Training, and Independent Review.
Registration | Mandatory registration with the BoC. | Mandatory registration as an MSB or FMSB with FINTRAC.

Crucially, RPAA registration may be refused if the applicant is not registered as an MSB/FMSB under the PCMLTFA (where required). The Bank of Canada collaborates directly with FINTRAC and the Department of Finance during the registration review process.


The Registration and Transition Timeline for 2025

The registration process for the RPAA officially began in late 2024 and culminates in full compliance in late 2025. PSPs must meet these stringent deadlines to ensure uninterrupted operation.

The RPAA Transition Period

The period between November 16, 2024, and September 7, 2025, was the crucial transition window. Entities operating prior to this period who submitted a timely application are permitted to continue operating until the Bank of Canada issues a decision.

The September 8, 2025, Deadline: Full Compliance

This date marks the most critical milestone for all PSPs:

  • Full Compliance Activation: The requirements to establish and maintain the Risk Management and Incident Response (RMIR) Framework and the Safeguarding of Funds (SoF) Framework come into full effect.
  • Registration Decisions: The Bank of Canada is expected to publish its registration decisions.
  • No Operations Without Approval: PSPs planning to start operations after September 8, 2025, or those who failed to register during the transition window, must obtain registration approval before performing any retail payment activities. Continuing to operate without registration post-deadline will lead to immediate enforcement action.

Registration Requirements Overview

The registration application requires comprehensive disclosure, allowing the Bank of Canada to assess the provider’s fitness and the national security implications of its operations:

  1. Entity and Ownership Information: Full legal name, corporate structure, address, and ownership details, including all entities that control the PSP.
  2. Activity Details: A precise description of all payment functions performed, the jurisdictions served, and estimated volume and value of transactions.
  3. Compliance Frameworks: Submission of initial documentation detailing the structure of the RMIR and SoF frameworks.
  4. National Security Screening: The application information is shared with the Department of Finance Canada for a mandatory national security review.

Pillar One: The Operational Risk and Incident Response (RMIR) Framework

The primary objective of the RMIR framework is system safety. It requires PSPs to develop, implement, and maintain a robust framework to manage the various risks that could disrupt their retail payment activities. The framework must ensure that a PSP can perform its activities without “reduction, deterioration, or breakdown.”

Core Elements of the RMIR Framework

The framework is a comprehensive, risk-based methodology that must be proportionate to the size, complexity, and impact of the PSP’s operations. Key components include:

  • Risk Assessment Methodology: A formal, documented process to identify, assess, and mitigate risks across technological, operational, fraud, and third-party categories.
  • Defined Objectives and Targets: The framework must establish clear, measurable reliability targets (e.g., service level agreements, uptime guarantees) for payment services.
  • Asset Classification: Identification and classification of all critical assets (systems, data, information) and business processes based on their sensitivity and criticality to payment functions.
  • Resource Management: Identification of necessary human and financial resources, including defining the required skill levels and training for personnel involved in managing operational risk.

Addressing Key Operational Risks

Technology and Cybersecurity Risks

The framework must include controls to protect systems and data, adhering to industry best practices (e.g., NIST, ISO 27001). This includes:

  • Implementing strict access controls and multi-factor authentication.
  • Regularly conducting vulnerability assessments and penetration testing.
  • Establishing real-time monitoring to detect threats and cyber incidents.

Incident Management and Reporting

PSPs must have a robust plan to prepare for, respond to, and recover from operational incidents, such as system outages or cyber-attacks.

  • Incident Classification: Clear procedures for classifying incidents based on severity and impact.
  • Communication Plan: Protocols for communicating incidents internally, to end-users, and to the Bank of Canada in a timely manner.
  • Business Continuity: Well-documented business continuity and disaster recovery plans to ensure service availability and minimize downtime.

Third-Party Risk Management

Many PSPs rely on cloud providers, core banking systems, or other external vendors. The RPAA holds the PSP accountable for the compliance of its critical third-party service providers.

  • Due Diligence: Conducting thorough due diligence on all critical third parties.
  • Contractual Safeguards: Implementing contractual clauses that ensure third parties meet the PSP’s regulatory standards for security and resilience.

Pillar Two: Safeguarding of End-User Funds (SoF)

The second pillar is dedicated to consumer protection, specifically addressing the risk of financial loss due to a PSP’s insolvency. This requirement is paramount for any PSP that performs the function of “holding funds on behalf of an end user.”

Objectives and Methods of Safeguarding

The SoF framework is intended to achieve two core objectives:

  1. Reliable Access: To ensure end-users have reliable access to their funds without delay.
  2. Insolvency Protection: To protect end-user funds against financial loss in the event of the PSP’s insolvency, a restructuring, or creditor compromise.

The RPAA specifies two primary methods for PSPs to safeguard end-user funds:

  1. Holding Funds in Trust: Placing end-user funds in a dedicated deposit trust account at a qualified Canadian financial institution (e.g., a bank, credit union, or trust company) that is not used for any other purpose.
  2. Insurance or Guarantee: Holding end-user funds in a dedicated safeguarding account (not necessarily a trust account) and maintaining an insurance policy or guarantee that is equal to or greater than the amount of funds held. The insurance must be provided by an entity not affiliated with the PSP and must survive the PSP’s insolvency.

Operationalizing Fund Safeguarding

Implementing the SoF requirements demands rigorous internal controls:

  • Strict Segregation: End-user funds must be strictly segregated from the PSP’s own operational funds upon receipt. This “ring-fencing” prevents them from being claimed by the PSP’s creditors.
  • Daily Reconciliation: PSPs must conduct daily reconciliation of all end-user fund balances to ensure that the funds held physically or via guarantee align perfectly with the PSP’s recorded liabilities to end-users.
  • Insolvency Plan: The PSP must have a clear insolvency plan outlining the procedures for the immediate and safe return of end-user funds in the event that the PSP ceases operations.
  • Legal Validation: The Bank of Canada expects PSPs to seek external legal advice to validate the chosen safeguarding mechanism (trust arrangement or guarantee), ensuring it meets the spirit and letter of the RPAA requirements.

Strategic Compliance and the Dual Regulator Challenge (FINTRAC/RPAA)

For many Canadian Fintechs, the simultaneous compliance burden of RPAA (BoC) and FINTRAC (AML) requires a unified compliance strategy.

The Interplay of FINTRAC and RPAA

While the regulators target different risks, their requirements overlap significantly in terms of corporate governance and diligence:

  • Dual Vetting: The Bank of Canada shares RPAA registration data with FINTRAC and the Department of Finance. A history of non-compliance with FINTRAC’s AML rules (e.g., failing to file Suspicious Transaction Reports (STRs) or performing inadequate Know Your Customer (KYC) checks) is a prescribed ground for the BoC to refuse RPAA registration.
  • Governance: Both regimes require strong internal controls, documented frameworks, senior management oversight, and periodic independent review. A well-resourced compliance department can streamline the documentation process for both regulators.

Ongoing RPAA Compliance Obligations

Registration is the beginning, not the end. Post-September 8, 2025, PSPs must adhere to continuous compliance requirements:

  • Annual Review: Both the RMIR and SoF frameworks must be formally reviewed and updated annually.
  • Security Assessments: Independent security assessments and penetration testing must be performed periodically to validate controls.
  • Reporting: PSPs must establish internal data collection systems to report operational performance metrics, incident statistics, and changes to their risk management frameworks to the Bank of Canada.

Future-Proofing Canadian Payment Activities

The Retail Payment Activities Act is a landmark piece of legislation designed to foster trust and stability in the rapidly expanding non-bank payment sector. For PSPs, the September 8, 2025, deadline is the inescapable marker for full operational readiness.

Compliance with the RPAA demands significant investment in governance, technology, and legal expertise. By implementing the robust RMIR framework and securing a verifiable Safeguarding of Funds mechanism now, PSPs can not only meet their regulatory obligations but also build a foundation of reliability and security that will future-proof their operations and enhance consumer confidence in Canada’s payment landscape. The path forward requires expert guidance to navigate the dual regulatory compliance landscape of the BoC and FINTRAC successfully.