
Risk Management and Fund Protection: Key Responsibilities of PSPs

Payment Service Providers (PSPs) are organizations that perform payment functions related to electronic funds transfers. Under Canadian law, a PSP may maintain end-user accounts, hold funds on their behalf, initiate transfers, authorize or transmit payment instructions, or provide clearing and settlement services. With the registration requirements of the Retail Payment Activities Act (RPAA) taking effect in 2024, companies carrying out such operations are required to register with the Bank of Canada and comply with strict operational and safeguarding standards.

A PSP performs several key functions: managing users' payment accounts, temporarily holding funds until they are withdrawn or transferred to the recipient, processing payment instructions, and providing clearing. These operations are accompanied by significant risks — from cyber threats and operational failures to financial losses for end users. That is why the RPAA requires PSPs to create comprehensive risk management frameworks that include threat identification procedures, incident response, and business continuity.

Risk management for PSPs is not just a formal matter of compliance. The absence of reliable protection mechanisms can lead to loss of customer trust, financial penalties from the regulator, and loss of access to banking services. Administrative fines can reach 10 million Canadian dollars for particularly serious violations.

Many companies confuse FINTRAC requirements for Money Services Business (MSB) and obligations under the RPAA. MSB registration with FINTRAC focuses on combating money laundering and terrorist financing: customer verification, monitoring suspicious transactions, reporting large transactions. The RPAA, by contrast, focuses on operational reliability, protection of user funds, and risk management. For most payment providers, registration in both systems is required — FINTRAC and the Bank of Canada.

The key difference: MSB registration does not replace RPAA obligations. A company may comply with AML/CTF rules but still lack adequate mechanisms for protecting funds or responding to incidents. Understanding the difference between the two regimes is critical for properly structuring compliance processes. The specialists at MapleBiz help clarify the dual nature of the regulation and prepare documentation for both registrations.

RPAA Requirements for Operational Risk Management

Creating a Risk Management Framework

Under the RPAA, every PSP is required to develop, implement, and maintain an operational risk management and incident response framework. This framework must identify the operational risks the PSP is exposed to: technological failures, cyberattacks, human error, and third-party issues. The regulator expects the documentation to include policies, procedures, control mechanisms, a monitoring system, and a periodic review process.

The framework is approved by a senior officer at least once a year and after any material changes. Smaller companies may use simplified versions, but the effectiveness requirements remain the same. It is important to understand that the mere existence of a document does not guarantee compliance: the Bank of Canada checks the actual implementation of measures and the results of testing.

The main components of the framework include: identification and assessment of risks (including likelihood and potential harm), threat mitigation measures (technical safeguards, access control procedures, system redundancy), incident response plans (clear roles, action steps, communication protocols), and a testing program (attack simulations, vulnerability assessments, annual internal review, and periodic independent review; the regulations set a three-year cycle for the independent review).

Incident Response and Business Continuity

The RPAA requires PSPs to notify, without delay, any end users, other PSPs, or clearing houses materially affected by an incident. The regulator must likewise be informed of any serious security breach, system failure, or data leak. The initial version of the regulations required full recovery before operations could resume; the final version softened this condition, so a PSP may continue operating while it addresses the consequences of the incident.

The Business Continuity Plan (BCP) must cover scenarios involving natural disasters, cyber incidents, and the bankruptcy of key service providers. The recovery strategy includes backup data centers, alternative communication channels, and failover procedures for backup systems. The regulator pays particular attention to how PSPs manage risks associated with third-party service providers: cloud platforms, processing centers, outsourced call centers.

Protection of Client Funds: Legal Mechanisms

Trust Accounts and Segregation of Funds

One of the central elements of the RPAA is the requirement to safeguard end-user funds. PSPs that hold customer funds until withdrawal or transfer are required to use one of two mechanisms: trust accounts or insurance/guarantees. The trust model involves creating a valid trust structure under Canadian law, where the PSP acts as trustee. Funds are held in a separate account (safeguarding account) not used for other purposes, at a recognized financial institution (bank, credit union, trust company).

Segregation of funds occurs immediately upon receipt: if technical limitations prevent this from being done immediately, the funds must be placed in the safeguarding account no later than the next business day. The Bank of Canada expects the PSP to obtain a legal opinion on the correctness of the trust structure, as well as to conduct an independent compliance review. Critically, the trust model protects user funds from the PSP's bankruptcy: in the event of the provider's insolvency, client funds do not form part of the bankruptcy estate.

Indirect arrangements, where a PSP uses another PSP as an intermediary to access a financial institution, are viewed critically by the Bank of Canada. The regulator does not categorically prohibit such a model, but requires all participants in the chain to demonstrate compliance with the RPAA and provide legal justification. In practice, most companies are advised to establish direct relationships with a bank.

Insurance and Guarantees as an Alternative

Instead of a trust account, a PSP may use a segregated account backed by insurance or a bank guarantee in an amount no less than the balance of client funds. It is important to understand that deposit insurance (for example, CDIC — Canada Deposit Insurance Corporation) is not suitable: it protects against the bank's bankruptcy, not the PSP's. A specialized policy or guarantee is required to ensure payment to end users in the event of the provider's insolvency.

Requirements for insurance mechanisms include: coverage must be equal to or greater than the amount of funds held, payments must be made as soon as possible after the incident, the policy must not contain clauses preventing payment in the event of the PSP's bankruptcy, and the funds must not form part of the company's bankruptcy estate. The Bank of Canada does not provide ready-made templates for insurance products, leaving PSPs to find an appropriate solution together with lawyers and insurers.

The trade-off between the trust model and insurance is clear: trusts provide more direct protection and are easier to recognize, but they require legal expertise and compliance with trust law (which differs between common law provinces and Quebec). Insurance may be more flexible from a liquidity management perspective, but finding an insurer willing to offer suitable terms remains difficult. MapleBiz provides legal support in selecting the optimal fund protection mechanism and preparing the necessary documentation.

Reporting to the Bank of Canada

Annual Reports and Notifications of Material Changes

Registered PSPs are required to submit a detailed report to the Bank of Canada annually, no later than March 31. The report form is available through the PSP Connect portal and covers information for the previous calendar year: data on the risk management framework, fund protection practices, transaction metrics, changes in activities, third-party management, and recordkeeping practices. The first report must be submitted by March 31, 2026.

In addition to the annual report, PSPs are required to notify the regulator of "material changes" before implementing them. A change is considered material if it may significantly affect operational risks or the method of protecting client funds: a change in corporate structure (merger, acquisition), a change in control (for example, acquisition by a state-owned enterprise), the launch of new payment functions, changes in how end-user funds are held, or the transfer of data outside Canada.

The regulator conducts regular reviews and may request additional documents at any time. Late or inaccurate reporting entails administrative sanctions. False information in reports is a violation of the law and may have serious consequences, up to and including revocation of registration.

Incident Reporting and Compliance Checks

PSPs are required to inform the Bank of Canada of all incidents that materially affect end users, other providers, or clearing systems. Incidents include cyberattacks, data breaches, and system failures that interrupt payment services. The initial notification is submitted immediately, after which the PSP provides a detailed report on the causes, consequences, and remediation measures.

The Bank of Canada uses a risk-based approach to supervision: companies with large transaction volumes, complex models, or a history of violations are subject to more frequent and in-depth reviews. Inspections may include document requests, employee interviews, system testing, and on-site audits. The regulator also requires independent reviews of the fund protection framework every three years.

An important aspect: PSPs remain responsible for compliance even when using third parties. If a cloud provider, outsourcing company, or processing partner commits a violation, the PSP is accountable to the regulator. This creates a need for detailed due diligence of counterparties and for including provisions on compliance with RPAA standards in contracts.

How MapleBiz Supports PSP Compliance

Navigating the dual regulatory system — FINTRAC for MSBs and the Bank of Canada for PSPs — requires deep expertise and an understanding of the nuances of Canadian law. MapleBiz specializes in legal support for financial and payment companies, providing a full range of services for RPAA registration and compliance.

We help develop a comprehensive operational risk management and incident response framework tailored to the scale and specifics of your business. Our lawyers prepare legal opinions on the correctness of trust structures, analyze available insurance and guarantee options, and select the optimal mechanism for protecting client funds. We structure registration documents for the Bank of Canada and ensure that fund-holding procedures comply with segregation and liquidity requirements.

MapleBiz advises on reporting matters: preparation of annual reports, procedures for notifying material changes, and incident management protocols. We conduct compliance audits of third parties engaged by PSPs to perform critical functions and develop contractual mechanisms that ensure partners comply with RPAA standards. During regulatory inspections, our team represents clients' interests, prepares the necessary explanations, and ensures communication with the Bank of Canada.

For companies planning to enter the Canadian payment market, we offer full legal support: from registering the corporate structure to obtaining PSP and MSB status. Contact MapleBiz for a consultation — we will help structure your business in a way that minimizes regulatory risks and ensures sustainable compliance with Canadian payment services law.
