For payment service providers in Canada, March 31, 2026 is not just another date on the calendar, but a moment of truth that will reveal companies’ readiness for a new era of regulation. This deadline will split market participants into two camps: those who built compliance systems in advance, and those who will face serious consequences for failing to plan ahead.
According to section 18 of the Retail Payment Activities Regulations, March 31, 2026 is the deadline for all registered PSPs to submit their first annual report. The report must cover data for the 2025 calendar year, except for financial metrics, which are submitted based on the company’s most recent financial year. This distinction creates the first critical point: many PSPs confuse the calendar year with the financial year, which leads to incorrect document preparation.
The mechanics of annual reporting are built through the PSP Connect portal, where the reporting form becomes available in early 2026. The Bank of Canada applies a risk-based approach — an approach based on risk assessment, in which the provider’s operational scale, its interconnectedness with other market participants, and ubiquity of services are analyzed. These criteria determine how detailed the oversight applied to a specific company will be.
The Bank of Canada has a broad range of enforcement tools, from warnings to administrative penalties of up to 10 million dollars and cancellation of registration. Failure to submit the annual report by March 31 qualifies as a violation of section 61 of the RPAA, which prohibits providing false or misleading information, with the absence of information being treated as concealment.
The second level of consequences is reputational. After September 8, 2025, the Bank publishes the register of registered PSPs and the list of companies whose registration has been cancelled. Missing the deadline triggers an investigation process that may end with a public finding of non-compliance. For companies working with institutional clients or seeking to attract investment, such a mark becomes a toxic asset.
The annual report form requires detailed activity metrics: the number and volume of electronic funds transfers, the number of end users served, and the number of other PSPs to which services are provided. For PSPs without a physical presence in Canada, only transactions with end users actually located in Canada are counted, which creates difficulties in determining client jurisdiction.
Financial indicators include current data as of the end date of the company’s financial year — here a trade-off arises between the timeliness of information and its consistency. Companies whose financial year ends in December will provide fresh data, while PSPs whose financial year closes in summer will report using outdated indicators. The Bank of Canada made this assumption deliberately, prioritizing process uniformity over the currency of all data.
Section 20 of the RPAA establishes two ways to safeguard end-user funds: holding them in a trust account or in a segregated account with insurance or a guarantee for the full amount. The annual report must document the chosen mechanism, including details of the custodian financial institution and insurer.
A critical requirement is documentation of the procedures for returning funds in the event of PSP insolvency. This includes the mechanism for notifying the insurer of an insolvency event and the protocol for returning funds to each end user. MapleBiz specialists regularly encounter situations where companies formally comply with insurance requirements but have not worked out the operational mechanics of repayment, which creates serious risks during inspections.
The report includes questions about compliance with the operational risk management and incident response framework. PSPs must describe changes to their frameworks during the reporting period, testing of their effectiveness, and any incidents that occurred during the year, including not only material incidents requiring notification within 48 hours, but also all events affecting the integrity of payment activities.
Special attention is paid to the use of third-party service providers. It is necessary to describe changes in relationships with them, annual risk assessments conducted, and documented allocation of responsibilities. This aspect is often underestimated: even if a PSP outsources functions, regulatory responsibility remains with the provider.
An incident is considered material if it results in or may result in a significant impact on end users, PSP operations, or reputation. The Operational Risk and Incident Response Guideline defines several categories of materiality: irrecoverable loss of end-user funds in any amount, unavailability of payment services, breach of data confidentiality, and system compromise.
A typical mistake is assessing materiality by scale rather than by the nature of the impact. The loss of even a small amount of user funds qualifies as a material incident, whereas a brief technical failure that did not affect users may not require immediate notification. This nuance requires companies to have developed incident classification procedures, preferably with the involvement of legal specialists.
The parallel notification system creates operational complexity: the PSP must notify all materially affected end users, other providers, and clearing houses no later than 48 hours after determining the incident’s materiality. At the same time, a notification must be submitted to the Bank of Canada through the PSP Connect portal within the same timeframe.
The sequence of actions matters: first identify the incident, then assess materiality, and only then launch parallel notifications. The Bank expects not a complete investigation within 48 hours, but timely initial notification with subsequent interim updates as the facts become clear. The final notification is submitted after the incident is fully resolved, with details of root causes and measures taken.
The first common mistake is waiting for the full investigation to be completed before notifying. This violates the 48-hour rule and creates the impression that information is being concealed. The second is excessive caution, when any technical failure is treated as a material incident, creating information noise and diluting the regulator’s attention.
The third mistake is insufficient documentation of the decision-making process regarding materiality. During inspections, the Bank of Canada analyzes not only the fact of notification, but also the logic by which the company classified events. The absence of records explaining why a particular incident was not recognized as material creates regulatory risk.
Proactive data collection begins not in January 2026, but from the moment of registration. It is necessary to keep records of all metrics required in the report: monthly snapshots of the number of end users, transaction logs with breakdowns by transaction type, and records of all testing of the risk management framework.
Incident tracking is critical — even for those that do not qualify as material. This demonstrates the maturity of risk management processes and provides context for trend analysis. Documentation of interactions with third-party providers, including the results of annual assessments, contractual changes, and incident reports from counterparties, should be accumulated systematically.
Financial data require synchronization between financial and operational accounting. If the company’s financial year does not coincide with the calendar year, it must be possible to extract indicators for any date. Many companies underestimate the amount of preparatory work required to prepare the first report. MapleBiz recommends conducting a trial data collection in mid-2025 to identify gaps in information systems and adjust processes before the critical deadline.
PSP Connect is a centralized platform for all interactions with the Bank of Canada: registration, information updates, incident notifications, and annual reporting. The annual report form becomes available in early 2026, giving several weeks to complete it before March 31.
The portal requires authorization by the company’s authorized representatives. It is necessary to determine in advance who will have access to the system and ensure they are technically prepared. The form consists of many sections with conditional logic — answers to some questions open additional fields. Attempting to complete the entire report at the last minute often leads to the discovery of data requirements that were not collected during the year.
The portal’s technical infrastructure allows document uploads in PDF and JPG formats. If the company prepares supporting documentation, files must be converted to the required format in advance and identifying information about affected parties must be removed from incident notifications.
Navigating the new RPAA regulatory landscape requires not only understanding the letter of the law, but also the ability to interpret it in relation to each company’s unique business model. MapleBiz specializes in legal support for fintech companies and payment service providers, offering comprehensive support at all stages of compliance with the requirements of the Retail Payment Activities Act.
Our legal services cover the preparation and review of operational risk management frameworks, expert assessment of end-user funds safeguarding mechanisms, audits of incident classification processes, and the development of notification procedures. We help companies not merely comply formally with the requirements, but build effective systems that minimize regulatory risks and operating costs.
When preparing the annual report, our specialists conduct a gap analysis — an analysis of discrepancies between the current state of documentation and the Bank of Canada’s requirements, help structure the data, and provide legal review of the information submitted. For companies providing Money Service Business services, we offer an integrated solution that takes into account both RPAA requirements and obligations to FINTRAC.
The critical advantage of working with MapleBiz is an understanding of the context of Canadian financial regulation. We help companies determine the optimal strategy for interacting with the regulator, prepare procedures for responding to requests for additional information, and build a long-term compliance system that scales with the business. Contacting our specialists at an early stage helps avoid costly mistakes and build a trusting relationship with the Bank of Canada from the outset.
Checklist of actions before March 31, 2026:
Meeting the March 31, 2026 deadline is not only a regulatory obligation, but also an opportunity to demonstrate the maturity of operational processes and a serious attitude toward supervisory requirements. Companies that treat the first annual report as a strategic task rather than an administrative formality lay the foundation for successful long-term relations with the regulator and for strengthening client trust.
