View Pricing
Modern compliance office desk with RPAA safeguarding documents and a digital ledger dashboard open on a laptop.
September 8, 2025
RPAA

Safeguarding End-User Funds Under RPAA: A Practical Guide for MSBs

A practical guide for MSBs on safeguarding funds under RPAA, from eligible accounts to daily reconciliations and independent reviews.

Keeping customer money safe is at the heart of Canada’s Retail Payment Activities Act (RPAA). For money services businesses (MSBs) and other payment service providers (PSPs), the rules on safeguarding funds are strict and detailed. The Bank of Canada supervises these obligations to ensure that customer funds are never at risk of being lost, delayed, or misused. This guide explains the approved safeguarding methods, the daily reconciliation requirements, and the role of independent reviews.

 

Approved methods of safeguarding

Under the RPAA and the Retail Payment Activities Regulations (RPAR), if a provider holds end-user funds, it must protect them right away using one of the permitted methods. According to the Bank of Canada’s safeguarding guidance (Safeguarding End-User Funds PDF and At-a-glance summary), there are three main ways to comply:

  1. Eligible accounts – Funds must be placed in safeguarding accounts with eligible Canadian financial institutions, such as Schedule I banks, licensed trust companies, or credit unions. These accounts must be separate from company operating accounts and clearly marked as holding customer money.
  2. Trust arrangements – Accounts can be structured as trust accounts, which make it clear that the funds legally belong to customers, not the business. This shields customer money from company creditors in the event of insolvency.
  3. Insurance or guarantee coverage – Instead of using accounts, providers may back customer funds with an insurance policy or guarantee from an eligible financial institution. The coverage must equal or exceed the total amount of funds held, and policies must remain in force at all times.

 

Providers can also use a combination approach, but whichever method is chosen, the safeguarding method must be documented, approved at senior levels, and reported to the Bank of Canada as part of annual reporting (Annual Reporting Guidance).

 

Daily ledger and reconciliation requirements

Safeguarding does not stop at opening an account or buying insurance. Every business day, MSBs and PSPs must complete a reconciliation to confirm that the total amount of customer funds owed matches the safeguarded balance (RPAA text, RPAR regulations).

 

Key steps include:

  • Maintaining a daily ledger that records each customer’s balance and contact details. This ensures that, at any time, a regulator or insolvency administrator can see exactly who owns what.
  • Performing a daily reconciliation between the ledger and safeguarding account(s) or insurance/guarantee coverage.
  • Covering shortfalls immediately with company funds to make sure no customer is left short.
  • Managing surpluses and excess balances so that safeguarded accounts only ever contain end-user funds, not company money or profits.

 

This daily discipline is not only a compliance requirement but also an important customer trust measure. If reconciliation shows discrepancies, companies must act without delay to correct them.

 

Independent safeguarding reviews every three years

In addition to daily reconciliations and annual reporting, MSBs and PSPs must undergo an independent safeguarding review at least once every three years (Bank of Canada guidance).

 

The review must be carried out by someone who is not involved in establishing or maintaining the safeguarding framework. The purpose is to give the Bank of Canada assurance that funds are being safeguarded as required under law.

 

To prepare for an independent review, MSBs should:

  • Keep complete records of safeguarding account agreements, trust deeds, or insurance policies.
  • Maintain evidence of daily reconciliations, including logs of shortfall corrections and surplus management.
  • Ensure that board and senior officer approvals of safeguarding frameworks are documented and up to date.
  • Confirm that training records show employees understand safeguarding duties.

 

Findings from independent reviews must be reported to senior officers and directors, with remediation tracked to completion. Records must be kept for at least five years and be available to the Bank of Canada on request.

 

Why this matters for MSBs

For MSBs, safeguarding obligations may seem like a heavy administrative burden. But in practice, these rules serve a simple purpose: making sure customers can always get their money back. Whether an MSB is holding funds for minutes or days, customers expect their funds to be safe and accessible.

 

By implementing eligible safeguarding methods, conducting daily reconciliations, and preparing for regular independent reviews, MSBs can show both regulators and customers that they are trustworthy and compliant. Beyond compliance, these practices reduce financial and reputational risks and strengthen resilience against disruption.

 

Conclusion

Safeguarding end-user funds is not optional under the RPAA. It is a daily, ongoing responsibility that requires discipline, oversight, and transparency. By putting in place strong safeguarding methods, daily reconciliation routines, and preparing for independent reviews, MSBs can meet regulatory expectations and build customer confidence.

 

If you want to see how simple compliance can be, check out Comply North’s pricing page for a competitive edge or reach out through the contact page to get expert guidance tailored to your MSB.

 

Most Recent

RPAA
September 19, 2025

RPAA Deadlines You Cannot Miss in 2025 (and How to Prepare Now)

Stay ahead of RPAA deadlines in 2025 with this guide to compliance dates and reporting obligations.
RPAA
September 17, 2025

How to Classify Assets and Processes for RPAA Compliance (Step-by-Step)

Step-by-step guide to classifying assets and processes for RPAA compliance with Bank of Canada expectations.
RPAA
September 14, 2025

Business Continuity and Disaster Recovery Under the RPAA: Key Requirements

All PSPs must meet RPAA continuity and recovery rules. Learn about recovery objectives, testing, and integrating incident response.
RPAA
September 12, 2025

Significant Change Notices: What PSPs Need to Tell the Bank of Canada (and When)

PSPs must notify the Bank of Canada of significant changes within five business days. Learn what qualifies and how to stay compliant.
RPAA
September 10, 2025

RPAA Record Keeping Rules: How Long Must MSBs Keep Compliance Records?

MSBs must keep RPAA compliance records for five years, protect them from loss, and ensure third-party records meet the same standards.
FINTRAC
September 9, 2025

ALERT: Private ABM Acquirer Services Must Register with FINTRAC and Comply by October 1, 2025

By Oct 1, 2025, private ABM acquirers must register with FINTRAC and meet PCMLTFA AML rules. Comply North helps operators build and maintain compliance.
FINTRAC
September 9, 2025

Title Insurers Must Register with FINTRAC by October 1, 2025 – AML Compliance Now Mandatory

By Oct 1, 2025, title insurers must register with FINTRAC and meet PCMLTFA AML obligations. Learn how Comply North helps ensure full compliance.
RPAA
September 8, 2025

What Is a Risk Management and Incident Response (RMIR) Framework Under RPAA?

Learn how the RPAA’s Risk Management and Incident Response framework helps PSPs protect confidentiality, availability, and integrity.
RPAA
September 8, 2025

Safeguarding End-User Funds Under RPAA: A Practical Guide for MSBs

A practical guide for MSBs on safeguarding funds under RPAA, from eligible accounts to daily reconciliations and independent reviews.
RPAA
September 8, 2025

RPAA Incident Reporting Explained: When and How to Notify the Bank of Canada

Learn what counts as a material incident under the RPAA, the 48-hour reporting rule, and when to notify customers.
View Our Pricing