Record keeping is one of the most important compliance obligations for money services businesses (MSBs) and payment service providers (PSPs) under the Retail Payment Activities Act (RPAA). The rules are clear: every PSP must maintain accurate, accessible, and secure records to demonstrate compliance with the law and to provide evidence when requested by the Bank of Canada. In practice, this means building systems that not only keep records for the required time but also protect them from loss, falsification, or unauthorized access.
This article will explain the minimum five-year retention requirements, what types of records must be kept, the protective measures PSPs need to take, and how third-party and agent records are handled under the RPAA framework.
For reference, the full RPAA can be found here: Retail Payment Activities Act. The detailed regulations are here: Retail Payment Activities Regulations.
The five-year minimum rule for compliance records
The RPAA and its regulations require PSPs to keep records for at least five years. This aligns with the Bank of Canada’s supervisory guidelines, which emphasize that evidence must be available to confirm that compliance frameworks are not just written but actively used in practice.
Examples of records that must be retained include:
- Governance and oversight records, such as Board approvals and senior officer certifications (Bank of Canada – Governance and Oversight Guidance)
- Risk assessments, incident logs, and post-incident reviews (Bank of Canada – Operational Risk and Incident Response)
- Safeguarding of end-user funds ledgers, reconciliations, and shortfall coverage documentation (Bank of Canada – Safeguarding End-User Funds)
- Business continuity testing records, disaster recovery plans, and updates after significant changes (Notice of Significant Change)
- Annual reporting submissions and supporting schedules (Bank of Canada – Annual Reporting)
Keeping these records for at least five years ensures PSPs can demonstrate to regulators that they have followed the RPAA requirements consistently over time.
Protective measures against loss, falsification, or unauthorized access
Keeping records is not enough. The RPAA also requires PSPs to protect them so they remain accurate, reliable, and secure. According to Bank of Canada expectations, this means companies must have safeguards in place to prevent tampering or unauthorized changes to records.
Protective measures include:
- Encryption and access controls on electronic records
- Segregation of duties so that no single individual can create, approve, and store critical records alone (Risk and Incident Management Guidance)
- Regular backups and secure storage for disaster recovery purposes (Business Continuity Guidance)
- Independent reviews every three years to confirm that safeguarding and record-keeping frameworks are working as intended
The Bank of Canada expects PSPs to keep records in a way that preserves their integrity and allows them to be produced quickly upon request. This means businesses cannot simply rely on basic storage systems; they must adopt methods that ensure evidence is both accessible and trustworthy.
Third-party and agent records under RPAA
Many MSBs and PSPs work with agents, contractors, or third-party service providers to deliver parts of their payment services. The RPAA makes clear that the responsibility for compliance remains with the PSP, even if a third party is performing the activity.
This means that records created by third parties or agents must meet the same standards as internal records. The Governance and Oversight framework requires PSPs to conduct due diligence, set clear contractual obligations, and monitor third-party compliance (Governance Oversight Guidance).
Examples include:
- Transaction logs maintained by agents processing payments
- Reconciliation reports from banks holding safeguarding accounts
- System uptime and incident logs from cloud providers
All of these must be retained for at least five years and must be available to the PSP and the Bank of Canada on request.
Why record keeping matters for compliance and trust
The RPAA record keeping requirements are not just administrative. They are designed to give the Bank of Canada confidence that PSPs are managing risks, protecting customer funds, and ensuring resilience in the payments system. For customers, strong record keeping practices help maintain trust, ensuring their money and payment services remain safe. For PSPs, records provide the evidence needed to demonstrate compliance and avoid costly supervisory actions.
By treating record keeping as a core part of operational resilience, MSBs and PSPs can reduce regulatory risk, strengthen customer confidence, and ensure long-term business stability.
Final thoughts
The five-year minimum record retention rule under the RPAA is only the starting point. PSPs must also ensure records are accurate, protected, and accessible, even when maintained by agents or third parties. With clear policies, strong controls, and oversight mechanisms, MSBs can meet regulatory expectations and safeguard their operations.
If your business needs help setting up an RPAA-compliant record keeping framework, visit Comply North’s pricing page to see how compliance tools can give you a competitive edge, or contact our experts for tailored guidance.
