Illustration of a PSP cybersecurity officer monitoring system risk alerts and preparing an RPAA incident notification within 48 hours.
September 26, 2025
RPAA

RPAA Explained in Plain English: A Beginner’s Guide for Payment Service Providers

The RPAA explained in plain English for payment service providers. Learn who it applies to, what it covers, and how to get compliant today.

The Retail Payment Activities Act (RPAA) is Canada’s federal law for payment service providers (PSPs). It received royal assent in 2021, and its core requirements for registration, operational risk management, safeguarding of funds and reporting are now in force, with the Bank of Canada acting as supervisor. The Act exists to make sure payment companies operate safely, protect end-user funds, and manage their risks properly. If you are new to payment services, the RPAA can look complicated. This guide breaks it down into plain concepts so you can understand who it applies to, what it covers, why it matters, and how to take the first steps toward compliance.

Who the RPAA Applies To

The RPAA applies to any individual or entity that performs retail payment activities: providing or maintaining a payment account for end users, holding funds on behalf of an end user, initiating an electronic funds transfer at an end user’s request, authorizing or transmitting a transfer, or providing clearing and settlement services for one. In practice this covers money services businesses, fintechs, e-wallet providers, payment processors, and other PSPs. If you move money for customers, process payments, or hold customer funds before passing them on, the RPAA likely applies to you. A PSP located outside Canada is also covered if it performs retail payment activities for end users in Canada and directs those activities at individuals or entities in Canada (Government of Canada RPAA Act).

The Act does not apply to banks, authorized foreign banks, credit unions, trust and loan companies, insurance companies, and certain other entities that are already under prudential financial oversight. It also excludes some activities outright, such as payments made with a gift card or other instrument that can only be used at the merchant that issued it, transfers made to buy or sell securities, and cash withdrawals at ATMs. For most non-bank payment companies, however, registration with the Bank of Canada is mandatory, and performing retail payment activities without being registered is prohibited.

What the RPAA Covers and Why It Matters

Registration is only the starting point. The RPAA sets out ongoing obligations in five main compliance areas: risk and incident management, safeguarding of funds, business continuity and disaster recovery, governance and oversight, and reporting and record keeping. The Bank of Canada supervises PSPs against these rules to protect end users and keep Canada’s payments ecosystem stable. The requirements are designed so that customers’ money stays safe and payment services keep working even during a disruption.

Here is a plain English summary of each of the five areas.

1. Risk and Incident Management

Every PSP must manage operational risks such as cyberattacks, system failures, fraud, and third-party breakdowns. The RPAA requires PSPs to establish and maintain a risk management and incident response framework: identify the risks to their systems and data, put controls in place, test them, and prepare for incidents before they happen. An incident is material when it affects end users, other PSPs, or clearing houses, for example an outage that stops customers from paying or a breach that exposes their data. If a material incident occurs, the PSP must notify the Bank of Canada without delay, within 48 hours under the Bank’s guidance (Bank of Canada Incident Notification), notify the affected individuals and entities, and take steps to contain the incident and recover from it (Operational Risk and Incident Response).

2. Safeguarding of Funds

If a PSP holds end-user funds, even briefly, it must keep them safe. The Act gives two options: hold the funds in trust in a trust account at an eligible financial institution, or hold them in a segregated account and cover them with insurance or a guarantee from an eligible provider (Bank of Canada Safeguarding Guidance). Either way, end-user funds must stay separate from the company’s own money, the PSP must keep a ledger of what it owes each end user, and it must reconcile that ledger against the safeguarded balances daily so that any shortfall is found and topped up immediately. The goal is that end-user funds can be returned in full even if the PSP fails or becomes insolvent.

3. Business Continuity and Disaster Recovery

The RPAA requires PSPs to plan for disruptions. A PSP must carry out a business impact analysis, set recovery objectives such as how quickly each service must be restored and how much data loss is tolerable, and maintain a continuity plan that it tests regularly so services can be restored quickly after an incident (Operational Risk and Incident Response At-a-glance). The aim is that end users can still access their funds and make payments even during a cyberattack, power outage, or other crisis.

4. Governance and Oversight

Strong governance is at the core of the RPAA. A PSP must designate a senior officer who is accountable for its risk management and incident response framework, have its board of directors (or equivalent) set the risk appetite and approve the framework, and be able to show evidence of oversight and of independent reviews of the framework (Bank of Canada Supervisory Guidance). This makes compliance part of the company’s daily operations rather than a one-time exercise.

5. Reporting and Record Keeping

PSPs must submit an annual report to the Bank of Canada covering their safeguarding method, their risk and incident management framework, and the incidents they experienced during the year (Bank of Canada Annual Reporting). They must also notify the Bank before making a significant change to how they perform retail payment activities or before launching a new activity, at least five business days in advance (Significant Change Notice Guide). PSPs must keep records that show how they meet each requirement, so they can prove compliance during a supervisory review or on request.

Practical First Steps for PSPs

If you are a new payment service provider in Canada, here are practical steps to begin your RPAA compliance journey:

  1. Confirm whether your services are retail payment activities under the RPAA and, if they are, register with the Bank of Canada before you offer them. Operating unregistered is prohibited.
  2. Appoint a senior officer who is accountable for RPAA compliance and establish board-level oversight of your risk framework.
  3. Build a risk and incident management framework: identify your risks, put controls in place, track incidents, and prepare the contacts and templates you will need to notify the Bank of Canada within 48 hours.
  4. Set up safeguarding if you hold end-user funds: a trust account or a segregated account with insurance or a guarantee, a ledger of end-user balances, and daily reconciliation.
  5. Develop a business continuity and disaster recovery plan that sets out how you will maintain or restore services during a disruption, and test it regularly.
  6. Prepare for your reporting obligations: the annual report, significant change notices, and incident notifications.
  7. Keep records and evidence that demonstrate compliance to the Bank of Canada on request.

These steps align with the Bank of Canada’s supervisory expectations and give PSPs a clear foundation for building a compliant operation from day one.

Conclusion

The RPAA brings Canada in line with international practice in payments regulation. For PSPs it may look like a lot at first, but breaking it into the five main compliance areas makes it manageable. By starting early on risk management, safeguarding, continuity planning, governance, and reporting, your business can operate confidently in the Canadian payments ecosystem.

To learn more about affordable compliance solutions, visit Comply North’s pricing page or reach out to our experts for guidance tailored to your business.