Common Pitfalls MSBs Face With RPAA Safeguarding of Funds Rules

Many MSBs fail RPAA safeguarding rules by misclassifying accounts, skipping daily reconciliations, or missing Bank notifications.

Safeguarding customer money is one of the most important obligations under the Retail Payment Activities Act (RPAA). The Bank of Canada supervises these rules to ensure that end-user funds are always protected and accessible. For money services businesses (MSBs) and payment service providers (PSPs), small mistakes in safeguarding can create big compliance problems. In practice, many firms stumble over the same issues: misunderstanding what qualifies as an eligible account or provider, failing to perform and document daily reconciliations, and overlooking the notification rules when insurance or guarantee coverage changes.

Understanding these pitfalls will help MSBs strengthen compliance programs, build trust with customers, and avoid corrective measures from the regulator.

Misunderstanding what qualifies as an eligible account or provider

One of the first steps in safeguarding is placing end-user funds into the right kind of account. The RPAA and Retail Payment Activities Regulations require funds to be held in a safeguarding account at an eligible Canadian financial institution. Eligible providers include Schedule I banks, licensed trust companies, and certain credit unions.

Where firms often run into trouble is assuming that any operating account at their regular bank qualifies. Unless the account is formally designated as a safeguarding account, kept separate from business funds, and confirmed in writing by the financial institution, it does not meet the requirements. Similarly, providers outside of the eligible categories cannot be used, even if they are reputable.

To avoid this pitfall, MSBs should:

Obtain written confirmation from their financial institution that the account is a safeguarding account
Ensure the account is clearly labeled as holding customer funds in trust
Review provider eligibility regularly, and transfer funds promptly if a provider becomes ineligible

The Bank of Canada’s supervisory guide on safeguarding funds makes clear that eligible accounts are the foundation of compliance. Getting this wrong can undermine the entire safeguarding framework.

Forgetting to perform or document daily reconciliations of end-user funds

The RPAA requires daily reconciliation of end-user funds. This means that every business day, the total balance of safeguarded funds must exactly match the ledger of customer entitlements. If a shortfall is identified, the MSB must immediately top it up with its own money.

A common pitfall is treating reconciliation as a monthly or weekly exercise, or performing it informally without keeping proper records. The Bank of Canada expects evidence of daily reconciliations, including timestamps, staff responsible, and proof that any discrepancies were corrected.

To stay compliant, MSBs should:

Maintain a ledger of end-user balances updated at least daily
Document reconciliation results and keep records for at least five years
Establish dual controls so one staff member performs reconciliation and another reviews it

Skipping this step exposes firms to enforcement action and undermines the trust of customers who expect their money to be safe.

Overlooking the need to notify the Bank 30 days before insurance or guarantee cancellation

For some PSPs, safeguarding takes the form of insurance or guarantee coverage from an eligible financial institution rather than a safeguarding account. The rules are clear: the coverage amount must always equal or exceed the total end-user funds held, and the Bank of Canada must be notified at least 30 days before the cancellation or material change of a policy.

A frequent pitfall is forgetting this notification requirement when coverage is set to expire or when changing providers. The Bank expects proactive communication, not after-the-fact explanations. Failing to give proper notice can result in supervisory findings and forced corrective measures.

To prevent this, MSBs should:

Track insurance and guarantee renewal dates in a compliance calendar
Assign responsibility to a senior officer for regulatory notifications
Use the Bank’s official form for notice of significant change when modifying coverage

Notifying the Bank on time demonstrates good governance and prevents disruptions in safeguarding coverage.

Strengthening compliance with a structured approach

Avoiding these pitfalls requires a structured safeguarding program that integrates governance, operational risk, and compliance oversight. Under the RPAA, MSBs must designate a senior officer responsible for safeguarding, conduct independent reviews at least every three years, and report annually to the Bank of Canada.

Firms that view safeguarding as more than a technical requirement but as a core part of protecting customers will be better prepared for regulatory reviews. Strong documentation, regular training, and proactive oversight are the best ways to demonstrate compliance.

Conclusion

Safeguarding mistakes may seem small in the day-to-day running of a payments business, but they carry significant risks under the RPAA. Misunderstanding eligible accounts, skipping daily reconciliations, or missing a notification deadline can all lead to compliance failures. By learning from these common pitfalls and building robust processes, MSBs can protect customers, satisfy the Bank of Canada, and maintain a strong reputation in the market.

If you want to ensure your business has a competitive edge in RPAA compliance, visit Comply North’s pricing page to see flexible options for MSBs and PSPs. For personalized guidance, reach out through the contact page to speak with experts who can help strengthen your safeguarding framework.