September 23, 2025
RPAA

RPAA vs FINTRAC: How Retail Payment Rules Differ from AML Obligations

RPAA is not AML 2.0. Learn how the Bank of Canada’s RPAA rules differ from FINTRAC’s AML/ATF obligations and how MSBs can meet both.

For many money services businesses and payment service providers in Canada, the Retail Payment Activities Act (RPAA) has raised the question: is this just another layer of anti-money laundering regulation? The short answer is no. While RPAA compliance and FINTRAC’s AML/ATF regime both demand robust controls, they have very different scopes, requirements, and evidence expectations. Understanding these differences is critical to avoid mistakes and to build the right compliance framework.

The RPAA, overseen by the Bank of Canada, is about the reliability, resilience, and safeguarding of payment services. FINTRAC, by contrast, focuses on detecting and preventing money laundering and terrorist financing. They complement each other, but they are not interchangeable.

The Scope of RPAA vs FINTRAC

The Retail Payment Activities Act is designed to protect end users and the wider payment ecosystem by ensuring that providers manage operational risks, maintain business continuity, and safeguard customer funds. For example, a PSP must demonstrate clear governance and oversight structures, daily reconciliation and segregation of end-user funds, tested business continuity plans, and an incident management framework. The Bank of Canada has also published detailed supervisory guidelines, such as its guidance on Operational Risk and Incident Response and Safeguarding End-User Funds.

FINTRAC’s requirements, under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, are focused on customer due diligence, transaction monitoring, reporting suspicious activity, and record keeping. It is about preventing criminals from using the financial system to launder money or finance terrorism.

Put simply, RPAA is about payment system safety and reliability, while FINTRAC is about fighting financial crime.

How the Frameworks Complement Each Other

Even though RPAA and FINTRAC obligations are distinct, they work together to create a safer financial system. A PSP must be able to demonstrate operational resilience to the Bank of Canada and AML/ATF compliance to FINTRAC. Both regulators expect separate policies, evidence, and reporting lines.

For example, under RPAA, a company must notify the Bank of Canada within 48 hours of a material incident using PSP Connect. Under FINTRAC, the same company must file a suspicious transaction report if it identifies unusual activity. These are two different triggers, two different regulators, and two different reporting requirements.

Both frameworks also rely on governance and accountability. The RPAA requires a named senior officer responsible for compliance. FINTRAC requires a designated compliance officer for AML. These roles often sit within the same leadership team, but their mandates are distinct.

Common Mistakes MSBs Make

A frequent mistake is treating RPAA compliance as “AML 2.0.” Many MSBs assume that because they already have a FINTRAC compliance program, they are covered. This is incorrect and risky. Here are some common pitfalls:

  • Believing that transaction monitoring satisfies RPAA obligations. In reality, RPAA requires evidence of risk assessments, business continuity testing, and daily reconciliations of safeguarded funds.
  • Assuming customer due diligence records can double as RPAA evidence. The Bank of Canada requires specific documentation, such as incident registers, board meeting minutes, and significant change notices, as explained in its Notice of Significant Change guidance.
  • Overlooking safeguarding requirements. FINTRAC does not regulate how customer funds are held. Under the RPAA, however, if a PSP holds customer funds, it must segregate them in a trust account or back them with insurance or a guarantee.
  • Forgetting about business continuity. FINTRAC does not require testing of recovery objectives. Under RPAA, a PSP must conduct a business impact analysis and test recovery time objectives to ensure resilience.

These mistakes happen when companies fail to recognize that RPAA compliance is about protecting the payment system, not detecting financial crime.

Building a Dual Compliance Framework

To stay compliant, MSBs and PSPs should think of RPAA and FINTRAC as two pillars of their compliance program. They need distinct policies and evidence trails, but integration at the governance level helps avoid duplication and gaps.

A practical way to align is to map requirements across both frameworks. For example, risk assessments can cover both operational and financial crime risks, but evidence must be documented separately for each regulator. Board reporting should distinguish between Bank of Canada supervisory requirements and FINTRAC AML obligations. Staff training should cover both operational resilience and AML/ATF detection.

By treating RPAA and FINTRAC as complementary but separate, businesses can demonstrate to regulators that they understand their obligations and are managing risks appropriately.

Conclusion

The RPAA is not just AML in a new wrapper. It is a separate regulatory framework focused on payments reliability and safeguarding. FINTRAC’s role is to fight money laundering and terrorist financing. Together, they strengthen the integrity and safety of Canada’s financial system. MSBs and PSPs that treat them as distinct, but integrated, pillars of compliance will be better positioned to succeed.

If you want to ensure your business meets both RPAA and FINTRAC obligations without duplication or gaps, explore Comply North’s pricing options for a competitive edge or reach out to our experts directly.
