RPAA

Understanding the Retail Payment Activities Act (RPAA): Key Changes and Their Impact on MSBs and PSPs in Canada

The Retail Payment Activities Act (RPAA) marks a significant shift in Canada’s regulatory landscape for payment service providers (PSPs) and money services businesses (MSBs). As the digital payments ecosystem expands, this legislation introduces robust measures to enhance transparency, safeguard customer funds, and align Canadian fintech regulations with international standards.

In this detailed guide, we’ll explore what the RPAA entails, highlight the most impactful regulatory updates, and explain how the changes affect both existing and new PSPs and MSBs operating within Canada.

What is the RPAA and Why Does It Matter?

The RPAA is a legislative framework enacted by the Canadian government to regulate retail payment activities, particularly those involving electronic funds transfers (EFTs) and other digital payment functions. As Canada’s fintech sector grows, the RPAA establishes a uniform compliance framework that applies to both domestic and international firms offering payment services in the country.

Objectives of the RPAA

The RPAA aims to:

• Enhance consumer protection by enforcing safeguards over user funds

• Strengthen national security through increased transparency of financial flows

• Prevent financial crimes like money laundering and fraud

• Create a level playing field for emerging fintech startups and legacy financial institutions

• Align Canada’s retail payments system with global regulatory standards

Who Is Affected by RPAA?

The RPAA primarily affects two groups:

1. Payment Service Providers (PSPs) – including e-wallet companies, online payment processors, and cross-border transfer platforms.

2. Money Services Businesses (MSBs) – businesses that already report to FINTRAC and offer remittance, currency exchange, or crypto transactions.

If your business performs any of the following regulated payment functions, you are considered a PSP under RPAA:

• Holding or maintaining payment accounts

• Holding customer funds

• Initiating EFTs

• Authorizing, receiving, or sending EFT instructions

• Providing clearing and settlement infrastructure

Key Dates to Know

Failure to meet the November 15, 2024 registration deadline means immediate cessation of retail payment activities in Canada.

Registration Requirements Under RPAA

To operate legally, all non-exempt organizations offering any of the five payment functions must register with the Bank of Canada. The registration process includes:

1. Four-Step Assessment:

   • Determine if payment activities fall under RPAA scope

   • Identify if any exemptions apply

   • Evaluate risks to end-user funds

   • Submit required documentation

2. Information Disclosure:

   • Details about corporate structure and key personnel

   • Description of payment services offered

   • Overview of operational and safeguarding processes

3. Impact Assessment:

   • Companies must assess how changes in their operations or structure affect fund protection and risk exposure.

Dual Registration: RPAA + FINTRAC

MSBs performing both payment services and money transfer functions must now comply with dual oversight:

• FINTRAC: Monitors anti-money laundering (AML) compliance.

• Bank of Canada: Supervises operational and consumer fund safety under RPAA.

Dual registration enhances accountability but also increases reporting obligations, making it critical for companies to implement RegTech solutions for automation.

Major Changes Introduced by RPAA

1. Event Recovery and Testing

Under the RPAA, PSPs are no longer required to halt all operations during a system disruption. Instead, they may resume services after internal verification of system functionality, adding flexibility while maintaining control.

2. Data Location Notifications

Firms are no longer required to re-register if they change where personal or financial data is stored. A 60-day notification to the Bank of Canada now suffices, easing operational constraints in cloud environments.

3. Safeguarding of Funds (SOF)

Only major changes to safeguarding mechanisms require re-evaluation. This reduces bureaucracy while ensuring customer funds remain protected at all times.

4. Customized Risk Management Testing

Rather than enforcing a rigid three-year risk testing cycle, PSPs may define test schedules that align with their own operational risk assessments.

5. Insolvency Requirements

Annual insolvency reviews are no longer mandatory. Now, reviews are only necessary if end-user fund risk emerges—less frequent, more targeted.

6. Audit Frequency

The requirement for external audits has changed from every two years to every three years, reducing audit costs for PSPs while still ensuring regulatory confidence.

7. Streamlined Fund Reporting

The historical look-back period for reporting on user fund balances is reduced from 24 months to 12 months, improving reporting agility.

New Annual Obligations for PSPs

Under the RPAA, licensed PSPs must now:

• Submit annual reports that include any identified risks to end-user funds

• Ensure the board of directors reviews and approves the safeguarding framework yearly

• Include in any regulatory notification an impact assessment of changes on user fund protection

• Maintain updated policies for incident response and operational risk

These requirements elevate the role of corporate governance in Canada’s payments sector.

Enforcement and Penalties

Non-compliance with RPAA obligations can trigger a series of regulatory actions by the Bank of Canada, including:

• Issuing Notices of Violation (NOV)

• Imposing Administrative Monetary Penalties (AMPs)

• Cancelling registrations for repeated offenses

• Entering court proceedings to enforce registration terms

Penalty Range:

• Serious violations: Up to $1 million CAD

• Very serious violations: Up to $10 million CAD

This underscores the importance of early and accurate registration, robust governance, and proactive compliance monitoring.

National Security Provisions

The Minister of Finance has sweeping powers under RPAA to act against entities posing national security risks, including:

• Denying applications from high-risk operators

• Cancelling registrations due to foreign ownership or data concerns

• Imposing operational restrictions, conditions, or fines

PSPs must be prepared to demonstrate the integrity and neutrality of their services.

How Advapay Helps PSPs with RPAA Compliance

Navigating RPAA requirements is complex, especially for international fintechs entering the Canadian market. Advapay offers end-to-end support for PSPs and MSBs, including:

• Business structuring to meet RPAA eligibility

• Preparation of registration documentation and risk assessments

• AML policy development

• Safeguarding fund structure advisory

• Liaison with the Bank of Canada and FINTRAC

Advapay’s legal, technical, and business experts help firms complete their registration by the November 15, 2024 deadline and ensure long-term regulatory readiness before the September 8, 2025 enforcement date.

Conclusion: The RPAA Reshapes the Future of Payments in Canada

The Retail Payment Activities Act is more than a regulatory update—it’s a transformative framework that defines the next decade of payment innovation in Canada. For fintech companies, PSPs, and MSBs, timely compliance with the RPAA is both a legal requirement and a strategic necessity.

By understanding the scope, preparing the right documentation, and partnering with experienced advisors like Advapay, firms can ensure they meet all requirements without disrupting their operations or losing market access.