For payment service providers (PSPs) and money services businesses (MSBs) in Canada, the Retail Payment Activities Act (RPAA) sets the rules of the road. But writing policies is only part of the job. The real test comes when the Bank of Canada reviews your company’s compliance. The Bank’s role as regulator is not just about checking boxes. It is about making sure that payment providers are operating safely, protecting customer funds, and reducing risks in the payments system.
Understanding how the Bank supervises RPAA compliance can help your business avoid surprises, prepare for requests, and respond effectively if corrective measures are needed.
The Bank of Canada’s Supervisory Approach
The Bank of Canada’s supervision of PSPs is built on three pillars: evidence-based oversight, corrective measures, and ongoing monitoring.
Evidence-based oversight means that the Bank will expect companies to show proof of compliance, not just verbal assurances. This includes documented policies, independent testing, and records of how you handle incidents or risks. According to the RPAA and the Retail Payment Activities Regulations, PSPs must be able to demonstrate compliance at any time through complete and accessible evidence.
Corrective measures come into play if the Bank identifies gaps in your framework. For example, if your safeguarding arrangements or incident response processes are not sufficient, the Bank may require changes. Your company must implement those measures quickly and be able to show evidence that they were carried out.
Ongoing monitoring is part of the long-term picture. The Bank does not view compliance as a one-time exercise. It expects PSPs to adapt their frameworks as their business models, technologies, and risks evolve. This includes annual reviews of governance, incident management, safeguarding, and continuity policies.
You can find details of the Bank’s supervisory expectations in its guidelines on operational risk and incident response and safeguarding of end-user funds.
The Types of Evidence the Bank May Request
When the Bank of Canada inspects a PSP, it does not just ask high-level questions. It may request very specific forms of evidence to prove your company is meeting RPAA obligations. Examples include:
- Policies and governance documents that describe accountability for RPAA compliance, oversight of third-party providers, and how risks are managed
- Records of safeguarding such as daily reconciliations, ledgers of end-user funds, and agreements with financial institutions
- Incident registers and testing results that show how your business detects, reports, and recovers from disruptions
- Business continuity and recovery plans with recovery time objectives, recovery point objectives, and testing logs
- Training records and competence evidence to show that staff understand RPAA responsibilities
These records must be kept up to date, retained for at least five years in most cases, and made available to the Bank of Canada on request.
The Bank has also published detailed guidance on incident notification, significant change notices, and annual reporting. Each of these requires evidence to support filings.
How to Prepare Your Company for a Review
Being prepared for a Bank of Canada review is less about scrambling when you get a request, and more about embedding good compliance habits in your operations. Here are practical steps to consider:
- Keep policies current and aligned
  Review your governance, safeguarding, risk management, and continuity policies at least annually. Update them after any significant change in your business model or technology.
- Maintain complete records
  Records should cover training, reconciliations, incident logs, risk assessments, and board minutes. Keep them organized so they can be retrieved quickly during a review.
- Test regularly and log results
  Incident response drills, continuity exercises, and reconciliation checks should be tested often. Keep logs of when tests were done, what was found, and how gaps were fixed.
- Assign clear accountability
  A senior officer must be accountable for RPAA compliance. Their role is to coordinate across teams, report to the board, and respond to Bank of Canada requests.
- Engage in proactive communication
  If you identify a material incident or significant change, notify the Bank through PSP Connect within required timelines. Being transparent reduces the risk of penalties and builds credibility.
- Integrate with existing compliance
  Many PSPs are already registered with FINTRAC as MSBs. Linking your RPAA obligations with AML/ATF compliance helps streamline oversight and avoids duplication.
By following these steps, your company will not only be better prepared for a review but will also strengthen trust with customers and partners.
Final Thoughts
The Bank of Canada supervises RPAA compliance in a structured but practical way. It looks for evidence, applies corrective measures if needed, and expects PSPs to keep improving. For MSBs and PSPs, this means building strong policies, keeping good records, and testing systems regularly.
If you want to gain an edge, Comply North makes it easier to stay on top of RPAA requirements. Check out our pricing page to see how affordable compliance support can be, or contact us to connect with experts who can guide you through Bank of Canada expectations.