As of September 8, 2025, the Retail Payment Activities Act (RPAA) has officially entered a pivotal phase. The Bank of Canada (BoC) has begun its supervisory mandate over payment service providers (PSPs), and the requirements for managing operational risks and safeguarding end-user funds are now in force. While the BoC has started publishing the official Registry of registered PSPs on a rolling basis, many applicants are still awaiting final approval due to ongoing reviews and national security screenings coordinated by the Department of Finance. If you’re a PSP applicant anticipating registration, this is a critical moment to ensure you’re fully prepared.
Even if your approval hasn’t been confirmed yet, the RPAA expects you to act as if you are registered and compliant. Applicants on the published list are legally required to adhere to core RPAA obligations, including keeping your information current via PSP Connect and responding promptly to any BoC requests for additional details. Non-compliance at this stage could jeopardize your application or lead to immediate enforcement actions once registered. In this post, we’ll recap the essential policies and procedures you must have in place, offer advice on getting up to speed, and outline the risks of falling short.
Understanding Your RPAA Obligations: Key Policies and Procedures
The RPAA, supported by the Retail Payment Activities Regulations (RPAR) and detailed in the Retail Payment Activities Guideline (RPAG), sets out clear standards to promote the safety and integrity of Canada’s retail payments sector. Once registered (or even as an applicant post-September 8), you must establish and maintain robust frameworks in these areas.
Here’s a breakdown of the core requirements:
1. Operational Risk Management Framework
What it entails: Develop a comprehensive framework to identify, assess, and mitigate risks that could disrupt your retail payment activities. This includes risks from technology, processes, people, and external factors.
Key procedures:
– Conduct regular risk assessments and implement controls to prevent, detect, and minimize impacts.
– Ensure business continuity planning to handle disruptions.
– Maintain records of your risk management activities for BoC review.
RPAG guidance: The guideline emphasizes a “three lines of defense” model—operational management, risk oversight, and internal audit—to ensure proactive risk handling. PSPs may tailor this model to their size and complexity, but must be able to demonstrate that the framework is proportionate.
2. Incident Management and Reporting
What it entails: Prepare for and respond to operational incidents, such as system outages, cyber attacks, or data breaches that affect payment services.
Key procedures:
– Establish an incident response plan, including detection, containment, recovery, and post-incident reviews.
– Report significant incidents to the BoC within strict timelines (e.g., material incidents within 24 hours).
– Notify affected end-users as required to maintain transparency.
RPAG guidance: Focus on resilience, with requirements for testing incident plans annually and integrating lessons learned into your overall risk framework. The goal is to minimize harm to end-users and the broader payments ecosystem.
3. Technology and Cyber Security Controls
What it entails: Protect your systems and data from cyber threats, unauthorized access, and failures.
Key procedures:
– Implement access controls, encryption, and multi-factor authentication.
– Regularly test and update security measures, including vulnerability assessments and penetration testing.
– Monitor for threats in real time and have contingency plans for cyber incidents.
RPAG guidance: Adopt industry best practices like those from NIST or ISO 27001. PSPs must ensure third-party providers (e.g., cloud services) meet equivalent standards, with contractual safeguards in place.
4. Safeguarding End-User Funds
What it entails: Protect funds held on behalf of end-users from loss, misappropriation, or operational failure.
Key procedures:
– Segregate end-user funds in dedicated accounts (e.g., trust or custodial accounts) separate from your operational funds.
– Maintain adequate liquid reserves to cover end-user balances at all times.
– Obtain insurance or other protections against insolvency or theft, and report fund balances regularly to the BoC.
RPAG guidance: The guideline emphasizes “ring-fencing” funds to ensure they are not used for your business purposes. PSPs must reconcile funds daily and have wind-down plans to return funds safely if they cease operations.
5. Ongoing Reporting and Record-Keeping
What it entails: Provide accurate, timely information to the BoC to support supervision.
Key procedures:
– Use PSP Connect for annual attestations, incident reports, and updates to registration details (e.g., changes in control, activities, or senior officers).
– Retain records for at least five years to demonstrate compliance during BoC assessments.
RPAG guidance: Reporting must be reliable and verifiable, with senior management accountability for accuracy.
These requirements apply proportionally based on your operations—smaller PSPs may simplify frameworks, but all must be effective and documented. The BoC expects you to integrate these into your governance structure, with board/senior management oversight.
Advice: If You Haven’t Prepared Yet, Start Now!
If your policies and procedures aren’t fully implemented, time is of the essence. Here’s actionable advice:
Conduct a Gap Analysis: Review your current operations against the RPAA and RPAG using the BoC’s self-assessment tools and guidelines available on their website. Identify weaknesses in risk management, fund safeguards, or incident response.
Seek Expert Guidance: Engage legal, compliance, or fintech consultants familiar with RPAA. The BoC offers resources like supervisory policies and FAQs, but third-party audits can provide tailored insights. If you’re part of an industry association, leverage their RPAA working groups.
Test and Document: Roll out internal testing of your frameworks (e.g., simulated incidents) and document everything. Ensure your team is trained—compliance is a cultural imperative.
Update PSP Connect: Log in regularly to confirm your applicant information is current. Respond to any BoC queries immediately to avoid delays in approval.
Plan for Supervision: Once registered, expect BoC assessments, which could include on-site reviews or information requests. Proactively align with the supervisory framework to build a strong compliance record from day one.
The BoC’s transition period ended on September 7, 2025, and compliance is now non-negotiable. Delaying could mean rushed implementations that invite scrutiny.
The Risks of Non-Compliance: Don’t Get Caught Off Guard
If you receive registration approval without these measures in place, the consequences can be severe. The RPAA empowers the BoC with a robust enforcement toolkit to protect end-users and the payments system:
Administrative Monetary Penalties (AMPs): Fines for violations, calculated based on harm caused (actual or potential), intent, history, and ability to pay. These can reach significant amounts and are public, damaging your reputation.
Revocation or Refusal of Registration: Non-compliance can lead to immediate revocation, barring you from performing retail payment activities. You’d need to wind down operations and return funds, potentially at great cost.
Compliance Agreements and Investigations: The BoC may require corrective actions under a formal agreement. Failure to comply escalates to notices of violation (NOVs) or full investigations, with court orders possible for egregious issues.
Broader Impacts: Loss of end-user trust, operational disruptions, or even criminal referrals in extreme cases (e.g., fund misappropriation). Foreign PSPs face additional hurdles, like mandatory de-registration until penalties are paid.
In short, the risks extend beyond fines—they threaten your business viability and market standing. Early compliance not only avoids these pitfalls but positions you as a trusted player in Canada’s evolving payments landscape.
Final Thoughts
The RPAA marks a new era of oversight for PSPs, aimed at fostering innovation while ensuring safety. As approvals roll out, treat this as your cue to finalize preparations. Check the BoC’s website for the latest on the PSP Registry and guidelines, and stay tuned to PSP Connect for personalized updates. If you’re in doubt, reach out to compliance experts or the BoC’s resources—proactive steps today will pay off tomorrow.