The Retail Payment Activities Act (RPAA) is a federal regulatory framework enacted by the Canadian Parliament in June 2021 with the aim of creating a unified oversight system for payment service providers (PSPs). Before the RPAA came into force, Canada’s payments sector operated without specialized regulatory oversight, which created operational risks for end users and reduced the transparency of the fintech services market.
The RPAA’s main objective is to strengthen trust in Canada’s payment system by introducing mandatory standards for risk management and the protection of end-user funds. The Bank of Canada was granted authority to ensure that providers properly segregate client funds, report on their activities, and respond to incidents without delay. It is important to understand that PSP registration is not a license, but confirmation of compliance with basic operational standards.
The Act does not apply to banks, credit unions, and insurance companies, which are already subject to prudential regulation by federal and provincial authorities. This approach makes it possible to close gaps in oversight without creating excessive requirements for traditional financial institutions.
Persons and companies performing payment functions related to electronic funds transfers in Canadian or foreign currency fall under the jurisdiction of the RPAA. The obligation to register arises when four conditions are met simultaneously: performing payment functions as the primary activity, processing electronic funds transfers, having a presence in Canada or targeting services to Canadian users, and not being included in the list of exemptions.
Registrable functions include opening and maintaining clients’ payment accounts, holding users’ funds until withdrawal or transfer, authorizing transfers, receiving or processing transaction instructions, and performing clearing functions. Foreign providers without a physical presence in the country are required to register if they provide services to Canadian clients and deliberately target the Canadian market.
PSP registration opened from November 1 to November 15, 2024 for existing providers. Those who applied within that window were able to continue operations during the transition period, which lasted until September 7, 2025. As of September 8, 2025, the full RPAA requirements on risk management, protection of client funds, and mandatory reporting came into force.
The Bank of Canada began publishing lists of registered providers and refusals on September 8, 2025. Applicants whose documents had not been fully processed by that date are required to comply with the same regulatory requirements as registered providers, but receive a deferral for certain reporting obligations until the review is completed.
For businesses planning to enter the market after September 8, 2025, registration must be submitted at least 60 days before the start of payment activities. Operating without an application after the key date is considered a serious violation and may result in administrative penalties and a ban on operations.
Registered providers are required to submit detailed annual reports to the Bank of Canada, including a description of changes to the risk management framework, volumes and amounts of retail payments, information on third-party contractors, and plans for maintaining the funds protection system. This reporting allows the regulator to monitor the level of interconnectedness among providers and identify trends or threats in the payment ecosystem. Companies must regularly update their data in the PSP Connect system and pay an annual assessment fee.
The payment provider registration process is centralized through the PSP Connect web portal developed by the Bank of Canada. This tool serves as a single point of access for submitting an application, updating information, and paying registration fees.
Before creating an account in PSP Connect, companies need to gather a complete set of documents. The application includes: the full legal name in English or French, contact information, corporate structure indicating owners and key personnel, a description of payment functions and processes, information on third-party contractors and agents, financial information, and details of the method used to safeguard user funds (trust account, insurance, or guarantee).
One email address may be registered for only one application. The account creator automatically becomes the organization administrator. The application requires payment of a one-time non-refundable registration fee of CAD 2,500. The Bank begins reviewing the application only after payment is received. For foreign providers, it is mandatory to identify agents or representatives in Canada who will receive all notices and directives.
MapleBiz specialists help payment providers properly prepare the registration package, verify compliance with RPAA criteria, and support clients at every stage of interaction with the Bank of Canada, minimizing the risk of refusals and delays.
Once the application is deemed complete, the Bank of Canada forwards it to the Department of Finance for a national security review. This stage can significantly extend the review timeline. The Department may request additional information, impose conditions on registration, or refuse it if risks are identified related to ownership by state-owned enterprises in certain jurisdictions, data storage in specific countries, or other security factors.
The provider receives written notice of the decision. In the event of a refusal or withdrawal of registration, the applicant has 30 days to request a review of the decision by the Minister of Finance. Operating without approval after a refusal is prohibited and entails administrative sanctions.
As of September 8, 2025, all registered providers are required to implement and maintain a written risk management and incident response framework. This document must cover the entire lifecycle of operational risk: identification, assessment, monitoring, control, and recovery from disruptions.
The risk management framework includes details of roles and responsibilities, procedures for identifying and classifying risks, incident response plans with recovery timelines, and regular system testing. Providers must review and approve this document annually at senior management level, and the board of directors must do so once a year regardless of changes. If there are material changes to systems, the PSP must conduct a new risk analysis.
If a provider discovers an incident that has a material impact on an end user, another PSP, or a clearing house, it must immediately notify the affected parties and the Bank of Canada. Incidents are understood to mean events that deviate from standard operations: transaction failures, data breaches, payment routing errors. Delays in detection and notification are classified as a violation.
Providers that perform the function of holding funds on behalf of users are required to protect those funds by segregating them. The RPAA offers two mechanisms: holding them in a trust account or placing them in a segregated account covered by insurance or a guarantee. Accounts for safeguarding funds must be opened with prudentially regulated financial institutions — banks, credit unions, trust companies.
Client funds must be deposited into the safeguarded account no later than the end of the business day after receipt. The provider must maintain an accurate register of each user’s funds, including name, contact information, and amount. When insurance or a guarantee is used, the coverage amount must always be no less than the amount of funds held. Providers develop a methodology for accounting for fluctuations in fund volumes and ensuring adequate coverage.
An independent compliance review of the funds protection requirements is conducted every three years. Indirect arrangements, where the provider holds funds through another PSP intermediary, are not recognized as compliant with the RPAA because of the difficulty of returning funds to users in the event of bankruptcy and the lack of clarity regarding jurisdiction.
The Bank of Canada has been granted broad powers to apply administrative measures against violators. The sanctions system is graduated according to the severity of the violations.
Violations are classified as serious and very serious. Serious violations include failure to provide mandatory information, breaches of reporting deadlines, and procedural deficiencies. Serious violations are subject to fines of up to CAD 1 million for each violation. For violations lasting no more than 30 days, fines of CAD 500 per day apply, and for those lasting more than 30 days, the range is from CAD 15,000 to CAD 1 million.
Very serious violations are those affecting key RPAA requirements: operating without registration, failure to implement a risk management framework, failure to carry out mandatory testing and audits, and improper safeguarding of user funds. For such violations, fines can reach CAD 10 million for each violation. These sanctions are much stricter than those provided under anti-money laundering legislation, where the maximum fine is CAD 500,000.
In addition to monetary fines, the Bank of Canada may suspend or revoke a provider’s registration, enter into a compliance agreement with mandatory remedial measures, or issue an order to cease operations. Failure to comply with the terms of a compliance agreement results in a notice of default and additional sanctions.
The Bank publishes on its website a list of persons who have been refused registration or whose registration has been revoked, along with the reasons. Such public disclosure causes reputational damage and makes it harder to return to the market. For businesses, this means loss of clients, partnerships, and access to banking services.
By contacting MapleBiz, companies receive comprehensive support in RPAA compliance, from risk assessment to framework development and preparation for regulatory inspections.
It is important to understand that PSP registration under the RPAA and Money Services Business (MSB) registration with FINTRAC are two separate regimes with different purposes and requirements.
MSB registration with FINTRAC is mandatory for companies providing currency exchange, money transfer, virtual currency transactions, issuance of money orders, and similar services. This registration is aimed exclusively at combating money laundering and terrorist financing. FINTRAC requires MSBs to implement an AML/CFT compliance program, file reports on suspicious transactions, large cash transactions, international electronic funds transfers, and comply with customer identification rules.
The RPAA, by contrast, is aimed at oversight of operational risks and protection of user funds. PSP registration with the Bank of Canada means compliance with requirements for risk management, funds protection, reporting on payment metrics, and incident notification. Many providers are required to register under both regimes: as an MSB with FINTRAC and as a PSP with the Bank of Canada. Registration in one system does not cancel or replace registration in the other.
There are exceptions: physical currency exchange locations, non-custodial cryptocurrency exchanges, ATMs (including crypto ATMs), and cheque-cashing companies may not fall under the RPAA if they do not perform funds-holding or electronic transfer functions. But even for them, MSB registration remains mandatory.
The dual regulatory burden requires providers to create separate compliance programs, regularly report to both authorities, and develop internal policies and procedures for each regime. Errors in assessing the applicability of requirements or incomplete fulfillment of obligations lead to sanctions, public censure, and loss of bank accounts.
Professional legal support helps properly classify activities, prepare registration documents, build an effective internal control system, and respond promptly to regulator requests. Financial regulation specialists audit the business model, develop risk management and funds protection frameworks, and ensure compliance with both the RPAA and FINTRAC requirements.
