Retail Payment Activities Act (RPAA)
The Bank of Canada’s formal supervision regime for payment service providers – registration, operational-risk-management, and end-user-funds safeguarding.
The Retail Payment Activities Act (RPAA) is a Canadian federal statute that brings payment service providers (PSPs) under formal supervision by the Bank of Canada. It received Royal Assent in 2021 and rolled out in phases: registration opened 2024-11-01, and the operational-risk-management and end-user-funds safeguarding obligations became enforceable on 2025-09-08. It is the most significant new Canadian payments regulation in a generation and a default scope item for any fintech moving end-user funds in or from Canada.
Who is in scope
Any payment service provider that performs one or more of the regulated payment functions for an end user as part of a service or business activity in Canada, OR that directs services to individuals or entities in Canada from outside Canada. The regulated functions include:
- Providing or maintaining an account
- Holding funds on behalf of an end user
- Initiating an electronic funds transfer
- Authorizing or transmitting an EFT
- Providing clearing or settlement services
Activities supervised by FINTRAC as money services businesses, and certain federally regulated financial institutions, are excluded. Most fintechs offering wallets, payment processing, money movement, BaaS, or remittance are not excluded and need to register.
Registration
An application to the Bank of Canada with prescribed information: identifying details, operating model, governance, risk-management framework, and end-user-funds safeguarding posture. The Bank reviews applications and may refuse registration on national-security or non-compliance grounds. Registered PSPs appear in a public registry and become subject to ongoing supervision. Operating without registration when registration is required is a criminal offence with significant penalties.
Operational-risk-management framework
The RPAA and Retail Payment Activities Regulations require a documented operational-risk-management framework approved by senior management, with an independent review. The framework covers people, process, and technology risks; identification, assessment, mitigation, monitoring; incident response; business-continuity planning; and third-party risk. Testing is required and the testing must be evidenced – the framework cannot exist only on paper.
End-user funds safeguarding
PSPs that hold end-user funds must safeguard them through one of the prescribed mechanisms:
- Holding them in trust on behalf of end users
- Holding them in a segregated account at a Schedule I or II Canadian bank or a regulated foreign bank
- A combination of segregated accounts plus a guarantee or insurance arrangement
The safeguarding posture must be documented, monitored, and capable of returning end-user funds promptly if the PSP fails. Co-mingling end-user funds with operating funds – the design failure that has driven multiple high-profile PSP failures historically – is squarely prohibited.
Incident notification
PSPs must notify the Bank of Canada of incidents that have or could have a material impact on the PSP's ability to perform a payment function, on end users, or on other PSPs. The notification expectation is "without delay" and follows the cadence pattern that has become standard across regimes. Notification expectations also exist toward end users and other affected counterparties.
Parallel regimes
RPAA registration and FINTRAC MSB registration are separate. A given PSP often needs both. The RPAA does not displace existing securities, banking, or consumer-protection regulation – it adds an operational-resilience layer on top. Provincial consumer-protection regulators retain their role over consumer-facing terms and conduct. Quebec's regime around money-services businesses (administered by the AMF) operates in parallel.
How FinQub supports RPAA compliance
Two angles for FinQub. First, as a service provider to PSPs, FinQub brings the operational-resilience posture PSPs require from third parties under their own RPAA framework: SOC 2 Type I in progress, hash-chained audit trail, sub-processor disclosure, incident-notification cadence, jurisdiction-aware residency.
Second, the orchestration layer gives the PSP itself the operational evidence the Bank of Canada examiners want. Every workflow, vendor call, decision, and incident timestamp lands in a tamper-evident chain. Incident chronologies, change-control records, third-party oversight evidence, and end-user-funds reconciliation become queries rather than reconstruction projects. Registration applications, examination responses, and annual attestations all draw from the same substrate.