PROCESSING...

Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

CMSBA 2025 Fall Conference

The Canadian MSB Association 2025 Fall Conference brings together industry professionals from MSBs, payment service providers, fintech, armoured car services, regtech and more. Over two days, attendees will engage in sessions exploring:

  • Implementation of the March 2025 PCMLTFA amendments
  • RPAA supervision go-live and lessons learned so far
  • New reporting expectations for STRs, EFTRs, sanctions, and beneficial ownership
  • Operational risk frameworks and incident response under RPAA/R
  • Approaches to safeguarding end-user funds via trust, insurance, or guarantees
  • Challenges around financial access, de‑risking, and bank onboarding in the evolving landscape

Attendees can expect a mix of insights, best practices, and peer networking across both in-person and virtual formats. Join over 200+ professionals from across MSBs, fintech, regtech, armoured car services, and more.

Registration/More Info: Buy your ticket here

60 Days to RPAA: Are You Prepared?

With only 60 days left, the Bank of Canada (BoC)’s operational framework for payment service providers (PSPs) will come into force under the Retail Payment Activities Act (RPAA) and Retail Payment Activities Regulations (RPAR) – collectively referred to as Retail Payments Supervision (RPS) on September 8, 2025. If your business performs any of the following five payment functions, RPS apply to you, and you should already be registered with the BoC:

  • The provision or maintenance of a payment account;
  • The holding of end-user funds until withdrawn or transferred;
  • The initiation of a payment at the request of an end-user;
  • The authorization of an electronic funds transfer, transmission, reception, or facilitation of a payment message; 
  • The clearing or settlement of payment transactions.

With the deadline approaching, PSPs should be close to finalizing their operational risk and incident response policy frameworks which must include mapping all operational risk factors to BoC guidance. Key areas to focus on include

  • Identifying the human and financial resources that are required to implement and maintain the framework;
  • Allocating specific roles and responsibilities in respect of the implementation and maintenance of the framework;
  • Identifying the assets (systems, data, and information) and business processes that are associated with the PSPs performance of retail payment activities; 
  • Identifying operational risks, which must cover: 
    • business continuity and resilience,
    • cybersecurity,
    • fraud,
    • information and data management,
    • information technology,
    • human resources,
  • Identifying process and product design and implementation related to operational risk;
  • Establishing measures for protecting payment activities from identified risks;
  • Reviewing and testing of the framework; and
  • Managing its risks from third-party service providers, agents, and mandataries.

Additionally, PSPs that hold end-user funds must adhere to the safeguarding requirements under RPS. To safeguard funds on behalf of end-users, PSPs must utilize one of the following methods:

  1. Hold the funds in trust in a trust account used solely for that purpose; or
  2. Hold the funds in a segregated account backed by eligible insurance or guarantee in an amount equal to or greater than the funds held.

As a reminder, RPS requirements are in addition to your existing AML obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). We’re advising clients every day to align their policies, controls, and documentation to meet the BoC’s expectations. This often means creating and implementing new frameworks for many organizations.  If you haven’t finalized your framework yet, now is the time to act.

Outlier is here to help, so please get in touch.

Are You BOC Registration Ready?

By now, you have likely heard of the Retail Payment Activities Act (RPAA) and associated incoming requirements, which includes the requirement to register with the Bank of Canada (BOC). To help make this a bit easier, Outlier has put together a spreadsheet that will help if you are an organization that needs to register. The RPAA (including registration) generally applies to PSPs that perform any of the following five payment functions: 

  • the provision or maintenance of a payment account;
  • the holding of end-user funds until withdrawn by the end user or transferred to another individual or entity;
  • the initiation of a payment at the request of an end user;
  • the authorization of an electronic funds transfer, transmission, reception, or facilitation of a payment message; or
  • clearing or settlement.

The requirements apply to businesses with payment activities with a place of business in Canada, or those that provide services to end users in Canada. This includes activities that many Money Services Businesses (MSBs) provide. The BOC has provided a tool to determine if an organization must register with the BOC. For organizations that do register, the registration provisions of the RPAA will take place between November 1, 2024 to November 15, 2024. It should be noted that this is different from your MSB registration under AML requirements.

The registration application itself consists of 18 sections and comprises over 200 questions. While a substantial amount of information and data is needed, the majority of information relates to business and corporate information. This includes: 

  • Ownership structure and financial information;
  • Information related to your product services and flow of funds;
  • Information related users;
  • Value/volumes related to transactions;
  • Geographic perimeter; and
  • Information related to 3rd party vendors.

It is not a requirement to provide your operational risk management and incident response framework (policy and procedures) as part of the application process.

To help aid in the registration process, we have put together a spreadsheet that will allow you to keep needed data and information organized. It will also allow you to determine if you need  assistance with sections of the registration, or understanding what these changes mean to your business. The spreadsheet is a tool to assist with registration and not meant to replace the registration guidance the BOC has published. 

Note: requirements that introduce prescribed operational risk management standards under this new regime come into force at a later date on September 8, 2025.

Outlier is here to help, so please get in touch.

Return to Blog Listing