Canada’s Retail Payment Activities Act (RPAA) establishes a national regulatory framework for Payment Service Providers (PSPs). Businesses that perform certain payment functions involving electronic funds transfers must register with the Bank of Canada before offering those services to Canadian end users.
For fintech startups, digital wallets, marketplaces, payment platforms, and SaaS companies with embedded payments, determining whether registration is required is often the first step in compliance planning.
This article provides a practical tips to help companies evaluate whether their business model may fall within the RPAA’s definition of a Payment Service Provider.
Step 1: Determine Whether Your Company Performs a Payment Function
The RPAA regulates businesses that perform retail payment activities involving electronic funds transfers (EFTs).
As an initial step, companies should assess whether they perform any of the payment functions defined under the Act.
Consider the following questions.
- Does your company initiate an electronic funds transfer at the request of an end user?
- Does your company authorize an electronic funds transfer?
- Does your company receive or transmit payment instructions related to an electronic funds transfer?
- Does your company receive funds for transmission to another party?
- Does your company provide or maintain a payment account on behalf of end users?
- Does your company hold funds on behalf of an end user?
- Does your company facilitate an instruction related to an electronic funds transfer?
- Does your company provide clearing or settlement services for payment transactions?
These questions correspond to the payment functions defined in the RPAA, which include:
- Maintaining a payment account.
- Holding funds on behalf of end users.
- Initiating electronic funds transfers.
- Authorizing or transmitting payment instructions.
- Providing clearing or settlement services.
If the answer to all of these questions is no, the company is unlikely to be performing a regulated payment function under the RPAA.
If the answer to one or more questions is yes, additional analysis is required.
The legislation establishing these payment functions can be reviewed here:
https://laws-lois.justice.gc.ca/eng/acts/R-7.36/
Step 2: Determine Whether the Payment Activity Is Incidental
Even when a company performs a payment function, the RPAA may not apply if the activity is incidental to the company’s primary business.
In this context, “incidental” means that the payment activity exists solely to support another primary service and is not itself the company’s core offering.
Examples include:
| Business Model | Core Function | Payment Activity |
|---|---|---|
| Online retailer | Selling products | Accepting payment for purchases |
| SaaS provider | Providing software services | Charging subscription fees |
| Airline | Transportation services | Processing ticket payments |
The Bank of Canada has issued guidance explaining how to determine whether payment activity is truly incidental.
Indicators that a payment function may not be incidental include:
- The company markets payment services as a standalone offering.
- The payment functionality could exist independently of the core product.
- Customers rely on the company primarily to facilitate payments.
If payment activity is incidental, the RPAA may not apply.
If the payment activity represents a core part of the service offering, the analysis should continue.
Relevant guidance from the Bank of Canada can be reviewed here:
https://www.bankofcanada.ca/2024/10/criteria-for-registering-payment-service-providers/
Step 3: Determine Whether the Activity Involves Electronic Funds Transfers
The RPAA regulates electronic funds transfers involving fiat currency, including:
- Canadian dollars
- foreign currencies
- prescribed units under the regulations
Some digital asset companies initially assume that crypto-to-crypto transactions fall outside the RPAA framework.
However, many digital asset platforms interact with traditional payment infrastructure through:
- fiat on-ramps and off-ramps
- custodial wallets
- merchant payment services
- settlement infrastructure
Once fiat currency enters the payment flow, RPAA obligations may apply.
Crypto businesses operating in Canada must therefore often evaluate two separate regulatory regimes:
- FINTRAC registration as a money services business (MSB)
- Bank of Canada registration as a Payment Service Provider
Step 4: Determine Whether Your Business Operates in Canada
The RPAA applies to companies that operate in Canada or maintain a place of business in Canada.
Indicators may include:
- Incorporation in Canada
- Employees or agents located in Canada
- A physical office in Canada
- Operational activities conducted within Canada
If a company maintains a place of business in Canada and performs payment functions, it may be required to register with the Bank of Canada as a PSP.
Step 5: Determine Whether You Serve Canadian End Users
Importantly, the RPAA can also apply to foreign companies providing payment services to Canadian users, even if those companies do not maintain a physical presence in Canada.
Indicators that a foreign company may be targeting Canadian users include:
- Canadian customers using the service
- Pricing denominated in Canadian dollars
- Marketing directed toward Canadian users
- Services accessible to Canadian consumers
- Payments initiated by Canadian residents
If a company provides payment services to Canadian end users, it may still fall within the scope of the RPAA.
Step 6: Determine Whether Your Company Holds End-User Funds
One of the most important distinctions under the RPAA is whether a payment provider holds funds on behalf of end users.
The Bank of Canada often distinguishes between funds that are:
- At rest, or
- In transit
Funds at Rest
Funds are considered at rest when they remain stored with the provider and are available for later withdrawal or transfer.
Example:
Digital wallet platforms that maintain user balances.
In these cases, PSPs are typically subject to end-user fund safeguarding obligations.
Bank of Canada Guide: Safeguarding of end user funds At a glance
Funds in Transit
Funds may be considered in transit when they are received with instructions to transfer them immediately to another recipient.
Example:
Remittance services where funds are sent to a recipient shortly after being received.
However, the distinction between funds held and funds in transit often depends on the technical architecture and operational design of the payment platform.
Step 7: Facilitating Payment Instructions
The broadest payment function under the RPAA is facilitating an instruction related to an electronic funds transfer.
Because this definition is broad, it can potentially apply to many fintech services, including:
- payment orchestration platforms
- embedded finance APIs
- payment gateways
- marketplace payment routing systems
- settlement infrastructure providers
Determining whether a company facilitates payment instructions often requires a detailed review of the platform’s technical architecture and operational role in the payment flow.
Technical discussions of payment infrastructure security and operational risk frameworks can be found in related industry analysis, such as:
Amicus Cyber Overview: RPAA Operational Risk Framework
What Happens If You Need to Register?
If a business determines that it qualifies as a Payment Service Provider, it must submit a registration application to the Bank of Canada before performing retail payment activities.
The registration process requires disclosure of operational information, payment activity metrics, and corporate details. PSPs must also implement operational risk and incident response frameworks once registered.
These requirements are designed to ensure the stability, reliability, and security of Canada’s retail payment ecosystem.
Additional technical considerations related to operational risk and cybersecurity frameworks are discussed in related industry resources.
Final Checklist: Are You Likely a PSP?
A company may need to register with the Bank of Canada as a Payment Service Provider if the following conditions apply.
- The company performs one or more payment functions.
- The payment activity is not incidental to the company’s core business.
- The activity involves electronic funds transfers involving fiat currency.
- The company operates in Canada or serves Canadian end users.
If these conditions apply, companies should evaluate the broader RPAA compliance framework, including:
- Bank of Canada registration requirements
- Operational Risk Management (ORM) frameworks
- Safeguarding of end-user funds
- Incident reporting procedures
A legal overview of the operational risk and incident response frameworks required under the RPAA can be found here:
Technical discussions of the cybersecurity and infrastructure controls supporting these frameworks can also be explored here:
Amicus Cyber: RPAA Cyber Security Requirements
Final Thoughts
The RPAA represents one of the most significant regulatory developments affecting payment infrastructure in Canada.
For fintech founders, digital asset companies, and payment platforms, determining whether PSP registration is required is often the starting point for regulatory compliance planning.
Because the RPAA applies broadly to businesses that facilitate electronic payments for Canadian users, companies should carefully review both their business model and technical architecture when assessing their regulatory obligations.
Walker Guidance 