If you’re a payment service provider (PSP) or fintech in Canada, circle September 8, 2025, in your calendar. That’s when the implementation obligation of the Retail Payment Activities Act (RPAA) officially comes into effect. And it’s going to change how your PSP operates.
Recently, a panel of industry leaders from MNP, PRL Insurance, and Bennett Jones sat down for a webinar, called Understanding the Retail Payment Activities Act: Compliance, Legal Risks, and Risk Mitigation, to discuss what’s changing, who’s affected, and what you need to do to stay compliant.
Here’s a recap of their key insights.
What are PSPs?
The RPAA describes PSPs as entities that perform payment functions as a service or business activity. The five key payment functions identified by the RPAA include:
- You provide or maintain an account that is held on behalf of one or more clients (or end users)
- You hold funds on behalf of an end user
- You initiate an electronic funds transfer at the request of an end user
- You authorize an electronic funds transfer or transmission, reception, or facilitation of an instruction in relation to an electronic funds transfer
- You provide clearing or settlement services
PSPs enable businesses to accept electronic payments via credit or debit cards, digital wallets, and/or other online payment methods. Think of them as the middleman between merchants, customers, and financial institutions to make sure transactions are secure, seamless, and efficient.
What is the RPAA?
The RPAA is a federal law dedicated specifically to the supervision of non-bank PSPs. The Bank of Canada is responsible for its supervision, and the primary aim is to build confidence in the safety and reliability of the services provided by PSPs while protecting end users from specific risks.
This legislation is the first of its kind in the country, bringing Canada closer to other Western countries with similar, albeit more mature, frameworks. Consider this Canada’s turn to modernize the payments space.
The Act aims to protect end-user funds if your PSP becomes insolvent and ensure quick and reliable access to those funds.
To meet both these objectives, it’s critical to keep the following obligations in mind:
Operational risk and incident response framework
The most important aspect of the RPAA obligations for PSPs is the requirement to develop an operational risk and incident response framework to address relevant risks inherent to their business. Your operational risk and incident response framework should be risk based and consider proportionality. According to the regulations, this means ensuring objectives, targets, systems, policies, procedures, processes, and controls are proportionate to the impact that a reduction, deterioration or breakdown of your PSP’s retail payment activities could have on end users and on other PSPs you deal with.
Your PSP is required to establish, implement, and maintain all key elements required to sustain a robust program to mitigate operational risks and respond to incidents.
You may also want to consider identifying, documenting, and mitigating risks like system outages, cyber and privacy threats, fraud, and third-party risks that could result in a disruption or breakdown of retail payment activities. These critical components also need to be reviewed and updated annually.
From an incident response perspective, have clear plans in place for detecting, responding to, and recovering from disruptions. Remember to test your plans to make sure they work.
Safeguarding of end-user funds
Another key aspect of RPAA obligations is for PSPs to determine if they hold funds on behalf of an end user until they are withdrawn by the end user or transferred to another individual or entity. Once this is established, your PSP must put measures in place to safeguard those end-user funds. You’ll also be required to document how you’ll protect customer money through trust or guarantee agreements.
How do I protect end-user funds?
One of the big decisions PSPs will face under the Act will be figuring out how to safeguard end-user funds. There are two main methods, and which one you choose will depend on the structure of your PSP.
Trust account: This option allows your PSP to hold end-user funds in trust in a trust account that isn’t used for any other purpose. It is typically suggested to consider a third-party trustee to make sure funds are legally separate. If you plan to be your own trustee, it’s recommended to consult legal counsel.
Segregated account with an insurance product or a surety bond: This option allows your PSP to hold the end-user funds in an account that is not used for any other purpose. Additionally, your PSP must hold insurance or a guarantee in respect of the funds that is in an amount equal to or greater than the amount held in the account. This coverage will kick in if your PSP becomes insolvent and guarantees that end-user funds are accessible to the end user.
PSPs also have the option to select a combination of both safeguarding methods.
Additionally, under the RPAA, your PSP must develop a framework that includes:
- A ledger to track payments
- A liquidity plan, like a line or letter of credit
- An insolvency plan
- An insurance or guarantee product, or trust structure
Surety bonds or insurance
While the RPAA mentions insurance, the webinar panel discussed surety bonds as another option. From an underwriting perspective, both could be helpful in keeping your PSP compliant. But what’s the difference?
Unlike insurance, a surety bond is a three-party agreement between your PSP, the end users, and the insurance company that’s taking on the risk. Essentially, the insurance company guarantees the obligations of the PSP to the end users. You must qualify for it.
This surety bond, or guarantee, has a single trigger — insolvency — and will pay out directly to the benefit of end users.
Because insolvency is the trigger, creditworthiness is paramount. It’ll be hard for your PSP to obtain a surety bond or insurance policy if the insurer thinks there’s a risk there. To qualify for a bond, you’ll need to demonstrate your PSP is:
Proven: You have a proven track record.
Proactive: You have a detailed safeguarding plan in place.
Profitable: As a surety company will only pay out if a PSP goes insolvent, they tend to award bonds to those who will likely be around in 10 to 20 years.
Insurance, on the other hand, can be purchased. It will also have two triggers: insolvency, as well as some sort of error or negligence associated with the funds held in the segregated account.
It’s up to you to determine which option may be the best fit for the unique needs of your PSP.
Annual reporting to the Bank of Canada
According to the Act, PSPs are required to complete an annual report form for the Bank of Canada by the end of March. This includes providing key information about your business from the previous calendar year. The annual report form will be made available before the reporting deadline (March 31) to give you ample time to complete the form.
Independent review
Your PSP will also be required to undergo a review every three years to assess the design and operating effectiveness of its RPAA program, confirming that it has established, implemented, and maintained a robust RPAA program and that the framework is working as intended.
RPAA vs. AML
Complying with Canada’s anti-money laundering laws does not mean that you’re covered and compliant with the RPAA. The RPAA is regulated by the Bank of Canada, while anti-money laundering rules fall under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and are enforced by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).
Depending on your business, you may need to comply with both sets of regulations, with separate registrations, frameworks, and reporting processes for each piece of legislation.
What actions do I need to take before September 8?
The initial registration window for PSPs to sign up under RPAA ran from November 1 to 15, 2024. If you applied at that time, you should check the Bank of Canada’s public list to confirm you’re included.
If you missed the registration window, you can still register. However, you’ll have to wait 60 days after submitting your application to resume operations.
Here are some steps you can take to make sure you’re all set come September 8:
- Determine if you are a PSP according to the Bank of Canada. If you aren’t considered a PSP per the information found on the website, it’s recommended you document it using the same verbiage used online.
- Confirm your registration status on the Bank of Canada website.
- Choose your safeguarding method, like a trust account or an insurance / guarantee product.
- If you’re considering acting as your own trustee, get legal advice first.
- Start setting up agreements with third-party trustees or guarantee providers well before the deadline.
- Ensure your team understands the requirements.
- Ensure your risk and incident response plans aren’t just on paper, but are tested and ready to go.
One thing is for certain: you can’t wait. The administrative monetary penalties for non-compliance are significant: up to $1 million for a serious violation and up to $10 million for a very serious one.
And with no grace period after September 8, 2025, the clock is ticking.
MNP’s professionals are here to help
Have questions? Our advisors have your back. Whether you need clarity on registration, practical guidance on building your framework, or help identifying operational risks, our team of professionals is here to ensure your PSP is ready come September 8.
To learn more, please reach out to Mondiu Jaiyesimi, Partner, AML Regulatory Compliance and Forensics, at [email protected] or Sara Chambers, Partner, AML Regulatory Compliance and Forensics, at [email protected].