Payment service providers and money services businesses face a busy year ahead. The Retail Payment Activities Act (RPAA) and its regulations bring in new compliance obligations that will shape operations and oversight across Canada’s payment ecosystem. While some requirements are already in force, the most critical deadlines land in 2025. Missing them is not an option. The Bank of Canada has been clear that non-compliance can lead to corrective measures or enforcement action. This guide explains the key dates you need to track and what practical steps you can take today to prepare.

September 8, 2025: Core compliance obligations go live

The biggest milestone is September 8, 2025. On this date, payment service providers must be fully compliant with the RPAA’s operational risk, incident response, safeguarding, and governance requirements. These are set out in the Retail Payment Activities Act (full text), the Retail Payment Activities Regulations (full text), and the Bank of Canada’s supervisory guidelines.

By September, businesses need to show that they:

• Have a governance framework that assigns accountability for RPAA compliance to a senior officer, with oversight by the board (Bank of Canada operational risk and incident response guidance).
• Put in place safeguards for end-user funds, including daily reconciliations and trust or insurance arrangements if they hold customer money (safeguarding end-user funds guidance).
• Maintain tested business continuity and disaster recovery plans to restore payment services after disruptions (operational resilience at-a-glance).
• Follow incident notification rules, which include classifying events and reporting material incidents to the Bank of Canada within 48 hours (incident notification guidance).

For many firms, September is not the start of compliance, it is the deadline for proving they already meet these requirements in practice.

March 31, 2025: Annual reporting deadline

Another date that cannot be missed is March 31, 2025. This is the deadline for the first round of annual reporting under the RPAA. Each year by March 31, payment service providers must submit prescribed information to the Bank of Canada (annual reporting page).

Reports must include:

• Details of governance and risk management frameworks.
• The safeguarding method used for customer funds and results of reconciliations.
• Information on material incidents and remediation steps.
• Significant changes in operations, systems, or third-party arrangements.
• Evidence of internal reviews, training, and oversight by the board.

Annual reporting is not just paperwork. It is how the Bank of Canada monitors compliance and decides whether a provider is managing risks responsibly. Missing or incomplete submissions can raise red flags that lead to supervisory follow-up.

Ongoing deadlines: Incidents and significant change notices

The RPAA also creates ongoing reporting obligations that apply year-round. Two timelines are especially important.

First, material incidents must be reported to the Bank of Canada within 48 hours of being identified. This includes cyberattacks, system outages, fraud events, or third-party failures that could harm end users or disrupt payment services. The step-by-step guide on how to complete an incident report outlines the information required, including root cause, impact, and recovery measures.

Second, payment service providers must notify the Bank of Canada within five business days of making a significant change or starting a new activity. Significant changes include adopting new technology, outsourcing a critical function, or launching a new payment product. Guidance on submitting these notices is available in the Bank of Canada’s significant change guide.

These deadlines matter because regulators expect transparency and proactive communication. Failing to meet them could result in corrective measures or restrictions on business activities.

How to prepare now

Even though some of these deadlines are months away, preparation must start now. Businesses should review their compliance programs against the RPAA requirements and close any gaps before regulators ask for evidence. Practical steps include:

• Assigning a senior officer responsible for RPAA compliance and ensuring the board is engaged.
• Reviewing safeguarding arrangements to confirm funds are segregated, reconciled daily, and backed by eligible financial institutions.
• Updating business continuity plans and testing them with realistic scenarios.
• Training employees on incident detection, escalation, and reporting requirements.
• Establishing procedures for tracking and notifying the Bank of Canada of significant changes.
• Keeping detailed records of policies, training, reconciliations, incident logs, and reviews.

By embedding these practices into daily operations, payment service providers can avoid last-minute scrambles and demonstrate readiness when deadlines arrive.

Final thoughts

The RPAA deadlines in 2025 are more than dates on a calendar. They represent a shift to continuous oversight and accountability for payment service providers in Canada. September 8, March 31, the 48-hour incident window, and the five-day change notice are all hard requirements that the Bank of Canada will enforce.

If you are a money services business or payment service provider, now is the time to strengthen your compliance program and get ahead of the timeline. To explore how compliance tools and expert support can help you meet these obligations, visit Comply North’s pricing page or connect with our team through the contact page.