PROCESSING...

Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

RPAA Annual Reporting – Reminder and Key Requirements

Background

Under the RPAA and the Retail Payment Activities Regulations (RPAR), Payment service providers (PSPs) must submit an annual report through the Bank of Canada’s (BoC) online portal using the prescribed reporting form. Reports must be filed annually by March 31 and must cover retail payment activities conducted during the prior calendar year.

Who Must Comply

All PSPs that are on the registration list with BoC must complete the annual report. For clarity, BoC has established the following deadlines:

  • PSPs registered before March 9, 2026, must submit their report by March 31, 2026.
  • PSPs registered between March 9 and March 30, 2026, have until April 28, 2026.

PSPs on the application list as of March 31, 2026, are not required to file a report for the 2025 year and will report in 2026.

The annual report is now available through PSP Connect. It includes mandatory sections and does not permit structural or formatting changes. It is set up similarly to what PSPs saw as part of registration. All required fields must be completed, and any omissions must be explained in accordance with BoC guidance.

What to Report

The following are the reporting elements of the annual report.

1. Operational Risk and Incident Management

In this section, PSPs must provide information on the governance, design, and effectiveness of their operational risk management and incident response frameworks. This includes confirming whether the framework, and any material updates to it, were approved during the reporting year by the senior officer.

In this section, PSPs must identify the operational risk categories monitored during the year and must outline what protective and detective measures were in place. Importantly, this action requires PSPs to provide quantitative staffing and resourcing information.

PSPs must also explain how operational risks arising from third-party service providers and agents or mandataries are managed. PSPs must also indicate whether agreements with third-party service providers were entered into, amended, extended, or renewed. Where agents or mandataries are used, PSPs are expected to confirm that responsibilities are clearly defined, operational risk criteria are established, and assessments are performed to evaluate whether those criteria are met.

Some key requirements for this section are:

  • Did the PSP classify assets and business processes by sensitivity and criticality?
  • Were sufficient human and financial resources available to implement and maintain the framework?
  • Did the framework set out operational reliability objectives, targets, and indicators?
  • Which measures were in place to mitigate technology risks and protect assets and processes?
  • Did the framework include incident response and recovery plans, including third-party incidents?
  • Which elements were included in the incident response plan?

2. Safeguarding of End-User Funds

In this section, PSPs that perform the payment function of holding funds on behalf of end-users must identify whether they safeguard funds through a trust account or through an account supported by insurance or a guarantee, and whether the safeguarding method changed during the reporting year.

PSPs must report whether end-user funds are placed into a safeguarding account upon receipt and, where processing constraints exist, whether funds are placed into the safeguarding account by the next business day. PSPs must identify whether safeguarding accounts are held with Canadian or foreign financial institutions and, where applicable, identify those institutions and their regulators.

PSPs must describe the liquidity approach used to ensure end-users have reliable access to their funds and outline the procedures in place for returning those funds in the event of the PSP’s insolvency.

Some key requirements for this section relate to shortfall reporting. PSPs must report instances during the reporting year where safeguarded funds were insufficient, including:

  • the date the shortfall occurred and the date it was resolved,
  • the maximum daily shortfall amount (in CAD),
  • the root cause (selected from prescribed categories), and
  • the measures taken to prevent recurrence.

3. Significant Changes and Incidents

In this section, PSPs must identify all significant changes that occurred during the reporting year. A change is considered significant where it could reasonably be expected to materially affect operational risk or the safeguarding of end-user funds. The annual report requires each change to be reported separately, including the month and year in which the change took effect.

Examples of reportable significant changes include new or amended outsourcing arrangements, changes to third-party service provider relationships, material technology changes, geographic expansions, new products or market segments, changes in participation in payment systems, and material changes to organizational structure or staffing levels.

It is important to note that the report must also include a complete inventory of incidents experienced during the year, including incidents that were not required to be reported to the Bank under the RPAA at the time they occurred.

PSPs must also identify any retail payment activities that the PSP began or ceased to perform during the reporting year.

4. Ubiquity and Interconnectedness Metrics

In this section, PSPs must provide quantitative metrics as it relates to end-user funds used by the Bank to assess a PSP’s footprint and interconnectedness within the Canadian payments ecosystem.

These metrics must capture transactions where the PSP performed a payment function directly or indirectly, and must be reported separately for all end-users and end-users in Canada, where applicable.

PSPs must also report the total number of distinct end-users served during the reporting year, including users receiving services directly and indirectly, and provide information on services performed for other registered PSPs.

Some key metrics that must be reported include:

Value of End-User Funds Held

  • The maximum Canadian Dollar (CAD) equivalent value of end-user funds held at any time during the year.
  • For each month, report the average daily value (in CAD) at month-end.
  • Both the total of all funds held, and a breakdown by currency held.

End-Users

  • Total number of distinct end-users, and
  • Number of users receiving direct vs. indirect services (via third-party PSPs).

Number and Value of Electronic Funds Transfers (EFTs)

  • Monthly Count and Total Value
    • Report the monthly count and total value of EFTs.
    • Values in CAD (as both a total of all currencies combined, and a breakdown by currency of the EFT).
  • Value by Payment Type
    • Report an estimate of the total value of EFTs by payment type as a share of total value.

PSP with a place of business in Canada must report values for end-users in Canada and end-users outside of Canada as separate amounts.

5. Financial Information

In this section, PSPs must report key financial information, including total revenue, operating expenses, and total equity. Financial information may be reported using the PSP’s fiscal year-end, whereas most other reporting elements must align with the calendar year.

6. Record-Keeping

In this section, PSPs must confirm whether they maintain records sufficient to demonstrate compliance with the RPAA and the Retail Payment Activities Regulations. PSPs must indicate whether record-keeping is complete, partially complete, or not in place, and should be prepared to support these responses if requested by the Bank.

Preparing for Report

The annual reporting form is available through PSP Connect as of February 2, 2026. We suggest that PSPs may begin gathering the needed information for submission at any time prior to the applicable deadline. To help make this a bit easier, Outlier has put together a spreadsheet that will help in compiling the needed information. Please note that this spreadsheet does not replace formal BoC guidance. The system does allow organizations to save and continue where you left off.

We’re Here To Help

If you would like assistance in understanding what has to be reported or if you need help with RPAA requirements in general, please get in touch.

CMSBA 2025 Fall Conference

The Canadian MSB Association 2025 Fall Conference brings together industry professionals from MSBs, payment service providers, fintech, armoured car services, regtech and more. Over two days, attendees will engage in sessions exploring:

  • Implementation of the March 2025 PCMLTFA amendments
  • RPAA supervision go-live and lessons learned so far
  • New reporting expectations for STRs, EFTRs, sanctions, and beneficial ownership
  • Operational risk frameworks and incident response under RPAA/R
  • Approaches to safeguarding end-user funds via trust, insurance, or guarantees
  • Challenges around financial access, de‑risking, and bank onboarding in the evolving landscape

Attendees can expect a mix of insights, best practices, and peer networking across both in-person and virtual formats. Join over 200+ professionals from across MSBs, fintech, regtech, armoured car services, and more.

Registration/More Info: Buy your ticket here

60 Days to RPAA: Are You Prepared?

With only 60 days left, the Bank of Canada (BoC)’s operational framework for payment service providers (PSPs) will come into force under the Retail Payment Activities Act (RPAA) and Retail Payment Activities Regulations (RPAR) – collectively referred to as Retail Payments Supervision (RPS) on September 8, 2025. If your business performs any of the following five payment functions, RPS apply to you, and you should already be registered with the BoC:

  • The provision or maintenance of a payment account;
  • The holding of end-user funds until withdrawn or transferred;
  • The initiation of a payment at the request of an end-user;
  • The authorization of an electronic funds transfer, transmission, reception, or facilitation of a payment message; 
  • The clearing or settlement of payment transactions.

With the deadline approaching, PSPs should be close to finalizing their operational risk and incident response policy frameworks which must include mapping all operational risk factors to BoC guidance. Key areas to focus on include

  • Identifying the human and financial resources that are required to implement and maintain the framework;
  • Allocating specific roles and responsibilities in respect of the implementation and maintenance of the framework;
  • Identifying the assets (systems, data, and information) and business processes that are associated with the PSPs performance of retail payment activities; 
  • Identifying operational risks, which must cover: 
    • business continuity and resilience,
    • cybersecurity,
    • fraud,
    • information and data management,
    • information technology,
    • human resources,
  • Identifying process and product design and implementation related to operational risk;
  • Establishing measures for protecting payment activities from identified risks;
  • Reviewing and testing of the framework; and
  • Managing its risks from third-party service providers, agents, and mandataries.

Additionally, PSPs that hold end-user funds must adhere to the safeguarding requirements under RPS. To safeguard funds on behalf of end-users, PSPs must utilize one of the following methods:

  1. Hold the funds in trust in a trust account used solely for that purpose; or
  2. Hold the funds in a segregated account backed by eligible insurance or guarantee in an amount equal to or greater than the funds held.

As a reminder, RPS requirements are in addition to your existing AML obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). We’re advising clients every day to align their policies, controls, and documentation to meet the BoC’s expectations. This often means creating and implementing new frameworks for many organizations.  If you haven’t finalized your framework yet, now is the time to act.

Outlier is here to help, so please get in touch.

Are You BOC Registration Ready?

By now, you have likely heard of the Retail Payment Activities Act (RPAA) and associated incoming requirements, which includes the requirement to register with the Bank of Canada (BOC). To help make this a bit easier, Outlier has put together a spreadsheet that will help if you are an organization that needs to register. The RPAA (including registration) generally applies to PSPs that perform any of the following five payment functions: 

  • the provision or maintenance of a payment account;
  • the holding of end-user funds until withdrawn by the end user or transferred to another individual or entity;
  • the initiation of a payment at the request of an end user;
  • the authorization of an electronic funds transfer, transmission, reception, or facilitation of a payment message; or
  • clearing or settlement.

The requirements apply to businesses with payment activities with a place of business in Canada, or those that provide services to end users in Canada. This includes activities that many Money Services Businesses (MSBs) provide. The BOC has provided a tool to determine if an organization must register with the BOC. For organizations that do register, the registration provisions of the RPAA will take place between November 1, 2024 to November 15, 2024. It should be noted that this is different from your MSB registration under AML requirements.

The registration application itself consists of 18 sections and comprises over 200 questions. While a substantial amount of information and data is needed, the majority of information relates to business and corporate information. This includes: 

  • Ownership structure and financial information;
  • Information related to your product services and flow of funds;
  • Information related users;
  • Value/volumes related to transactions;
  • Geographic perimeter; and
  • Information related to 3rd party vendors.

It is not a requirement to provide your operational risk management and incident response framework (policy and procedures) as part of the application process.

To help aid in the registration process, we have put together a spreadsheet that will allow you to keep needed data and information organized. It will also allow you to determine if you need  assistance with sections of the registration, or understanding what these changes mean to your business. The spreadsheet is a tool to assist with registration and not meant to replace the registration guidance the BOC has published. 

Note: requirements that introduce prescribed operational risk management standards under this new regime come into force at a later date on September 8, 2025.

Outlier is here to help, so please get in touch.

Return to Blog Listing