In June 2021, the Retail Payment Activities Act (RPAA) was enacted, granting the Bank of Canada supervisory authority over payment service providers (PSPs). According to the Bank of Canada, the aim of the RPAA is to build confidence in the safety and reliability of PSP services while protecting end users from specific risks.
The RPAA sets forth a series of requirements for PSPs, including registering with the Bank of Canada, establishing and maintaining an operational risk and incident response framework, safeguarding end-user funds, and submitting mandatory reports, among other things.
This report is the last installment in a four-part series analyzing the RPAA and identifying key components of the law that PSPs should consider when doing business in Canada. Previous reports have discussed safeguarding, risk management, and registration requirements. This report helps PSPs make sense of the requirements regarding mandatory reporting and recordkeeping.
Who does the RPAA apply to:
According to Sections 4 and 5 of the RPAA, the act applies to any retail payment activity that is performed by a PSP that has a place of business in Canada or any retail payment activity that is performed for an end-user in Canada by a PSP that does not have a place of business in Canada but directs retail payment activities at individuals or entities that are in Canada.
Section 2 of the RPAA defines a PSP as an individual or entity that performs payment functions as a service or business activity that is not incidental to another service or business activity. Section 2 of the RPAA also defines retail payment activity as a payment function that is performed in relation to an electronic funds transfer that is made in the currency of Canada or another country or using a unit that meets prescribed criteria.
Key considerations:
PSPs are expected to submit three types of reports or notices: an annual report; a notice of significant change or new activity; and an incident report.
According to Section 21 of the RPAA, a PSP that performs retail payment activities must submit an annual report to the Bank of Canada. The annual report must be submitted by March 31 of the year following the reporting year, and the report must be submitted using the electronic system provided by the bank for that purpose.
Section 21 of the RPAA states that the report must include:
- Information regarding the PSP’s risk management and incident response framework, as outlined in Section 19(1) of the Retail Payment Activities Regulations. This includes, but is not limited to:
  - A description of any changes made to the risk management and incident response framework during the reporting year and the PSP’s plans for the framework’s maintenance and implementation.
  - A description of the PSP’s operational risks during the reporting year, their potential causes and the manner in which they were identified.
  - A description of any incidents that the PSP experienced during the reporting year.
- Information regarding any account holding end-user funds and the insurance or guarantee on end-user funds, as outlined in Section 19(2) of the Retail Payment Activities Regulations. This includes:
  - Information on any entity that has provided the PSP with an account to hold end-user funds, including the entity’s name and the name of the regulators responsible for supervising the entity.
  - The name of any other PSP through which the PSP has obtained the use of an account to hold end-user funds.
  - Information on any entity that has provided the PSP with insurance or guarantee, including the entity’s name and the name of the regulator responsible for supervising the entity.
  - A description of the terms of any insurance or guarantee that the PSP holds.
- Information regarding the holding of end-user funds, as outlined in Section 19(3) of the Retail Payment Activities Regulations. This includes:
  - A description of all of the means by which the PSP safeguards end-user funds, and if applicable, a description of the PSP’s trust arrangement with its end-users.
  - A description of the PSP’s safeguarding-of-funds framework.
  - A description of any instance in which end-user funds held by the PSP, or equivalent proceeds from any insurance or guarantee, were not payable to end users due to insolvency proceedings; the root cause of the instance; and any measures taken to prevent similar instances from recurring.
  - A description of any independent review that was conducted during the reporting year.
- Any other information outlined in Section 19(4) of the Retail Payment Activities Regulations. This includes, but is not limited to:
  - Information establishing the PSP’s ubiquity and interconnectedness.
  - A description of any change to the PSP’s use of third-party service providers during the reporting year.
  - A description of the PSP’s financial metrics for the reporting year.
In addition to the annual report, Section 22 of the RPAA states that a PSP must notify the Bank of Canada before it makes a significant change in the way it performs a retail payment activity or before it performs a new retail payment activity. A change is significant if it could reasonably be expected to have a material impact on operational risks or the manner in which end-user funds are safeguarded.
According to guidance published by the Bank of Canada, some examples of a significant change or new activity that could warrant a notice include:
- Expanding retail payment activities to a new market segment or offering a new product.
- Moving or expanding operations of a retail payment activity to a new geographic location.
- Ceasing to perform a retail payment activity.
According to Section 20(1) of the Retail Payment Activities Regulations, the notice must be given to the bank at least five business days before the day on which the PSP makes a significant change in the way it performs a retail payment activity or the day on which it performs a new retail payment activity. The notice must also be submitted via the form provided in PSP Connect.
The notice must include:
- The PSP’s name and the name, phone number and email address of an individual who may be contacted regarding the significant change or new activity.
- A description of the change or new activity to be performed.
- The reason for the change or new activity.
- The date on which the change is to be made or the new activity is to be performed.
- An assessment of the impact the change or new activity will have on the PSP’s operational risks and on the manner in which end-user funds are safeguarded, both during and following implementation.
- A list and summary of all of the PSP’s documentation, including in relation to its risk management and incident response framework, that has been amended or created to reflect the change or new activity.
- An indication that the change or new activity has been approved by a senior officer, if applicable.
Section 18 of the RPAA states that if a PSP that performs retail payment activities becomes aware of an incident that has a material impact on an end-user, a PSP that performs retail payment activities, or a clearing house of a clearing and settlement system, the PSP must, without delay, notify the individual or entity and the Bank of Canada of the incident.
According to Section 11 of the Retail Payment Activities Regulations, the notice must be submitted to the bank using the form provided and must contain the following:
- The PSP’s name, the name of the individual who may be contacted regarding the incident and the individual's phone number and email address.
- A description of the incident and its material impact on end-users, PSPs, and clearing houses of clearing and settlement systems.
- The measures taken by the PSP to respond to the incident.
PSPs also have to provide a notice to the affected individual or entity. Section 12 of the Retail Payment Activities Act states that the notice must be provided to each materially affected individual or entity using the most recent contact information provided by them to the PSP; and the notice must be posted on the PSP’s website if contact information is not available for every materially affected individual or entity.
According to the Bank of Canada’s guidance, the notice must include:
- The PSP’s name.
- A description of the incident, including when it began, and the nature of its material impacts on the individuals or entities.
- Any corrective measures that could be taken by the individuals or entities.
In addition to the mandatory reporting requirements, PSPs must adhere to the recordkeeping requirements outlined in Sections 40, 41 and 42 of the Retail Payment Activities Regulations.
According to the Bank of Canada, PSPs will be expected to keep and retain all records related to compliance with the requirements of the RPAA and the regulations. This includes, but is not limited to, the written operational risk management and incident response framework, the PSP’s legal agreement with its account providers and any associated documentation, and any copies of reports of information provided to the bank.
Sections 41 and 42 of the Retail Payment Activities Regulations stipulate that a PSP must take reasonable measures to ensure that all records are retained in a way in which they will not be, among other things, destroyed, falsified or accessed without authorization. PSPs must also ensure that any records kept by an agent, mandatary or third-party service provider are accessible to the PSP and kept in accordance with the requirements of Section 40 of the Retail Payment Activities Regulations.
Lastly, PSPs must retain the records for a period of five years after the day on which the records cease to demonstrate the PSP’s current compliance with the RPAA and the regulations, pursuant to Section 40 of the Retail Payment Activities Regulations.
Why should you care:
- Operational and Cost Impact: Implementation of new reporting systems, data retention processes, and internal controls requires investment in technology and skilled compliance teams. Smaller PSPs in particular may face higher relative compliance burdens, while larger providers may need to adapt existing frameworks to align with Canadian standards. These obligations can place significant strain on day-to-day operations, potentially diverting resources away from growth initiatives if organizations are not adequately prepared.
- Risk Management Benefits: PSPs can strengthen operational resilience by formalizing incident response plans, fund safeguarding practices, and third-party oversight. Comprehensive reporting and recordkeeping can help PSPs mitigate the risks posed by fraud and money laundering. Over time, robust compliance can enhance consumer trust and position PSPs to compete more effectively in the market.
- Consistent Standards Across Payments Ecosystem: The RPAA creates a more level playing field by subjecting both domestic PSPs and foreign PSPs serving Canadian users to the same reporting and safeguarding requirements. It also ensures that all entities, including new entrants, are subject to the same transparency requirements. For PSPs, this reduces competitive disparities and creates a clearer, more predictable operating environment.
- Increased Supervisory Visibility: The Bank of Canada gains clearer insight into the retail payments ecosystem through annual reports, incident notices, and change notifications. This visibility allows the bank to identify systemic risks earlier and intervene when appropriate. For PSPs, increased transparency may lead to more supervisory engagement but also greater predictability in regulatory expectations.
- Enforcement and Penalties: PSPs can also be subject to enforcement actions if they fail to meet these requirements. The Bank of Canada may, among other things, issue a warning letter, enter into a compliance agreement, or issue a notice of violation, which can be accompanied by an administrative monetary penalty or an offer to enter into a compliance agreement. In short, non-compliance carries both financial and reputational risks that PSPs cannot afford to ignore.