The Retail Payment Activities Act (RPAA) marks a significant regulatory milestone for Canada’s payments ecosystem. The RPAA, administered by the Bank of Canada, aims to enhance consumer protection and improve the operations of payment service providers (PSPs). The RPAA has introduced detailed compliance requirements, including registration obligations, anti-money laundering (AML) measures, and safeguarding client funds.
As PSPs, money services businesses (MSBs), and other stakeholders navigate this regulatory framework, understanding key timelines and preparing accordingly is vital. This blog provides a comprehensive overview of RPAA key dates for 2025, compliance timelines, and more.
Understanding the RPAA: A Quick Overview
The RPAA establishes a framework for regulating PSPs engaged in retail payment activities, as defined in the Act. It applies to businesses facilitating payment services such as:
● Transferring funds electronically.
● Clearing and settlement of payment transactions.
● Offering digital wallets or prepaid cards.
The RPAA’s core goals include ensuring operational risk management, protecting clients' funds through robust safeguarding measures, and enhancing AML and counter-terrorism financing compliance.
RPAA Key Dates for 2025: RPAA Implementation Timeline
While the RPAA received Royal Assent in June 2021, its implementation has been staggered to give PSPs time to adjust. Below are the RPAA key dates for 2025 that PSPs should circle on their calendars:
1. June 29, 2023: The Bank of Canada issued detailed guidance documents, including the registration process, operational risk requirements, and safeguarding measures.
2. Late 2024:
● Registration Portal Launch: PSPs must submit their applications via the Bank of Canada’s online portal.
● The registration process requires detailed disclosures about ownership structures, risk management policies, and operational frameworks.
3. Mid-2025 (Expected): Registration requirements will be enforced. PSPs who have not submitted their registration applications may face penalties.
4. September 8th, 2025: This marks when PSPs are expected to have complete compliance measures in place, as outlined in the RPAA. This is also the date the Bank of Canada will approve or reject PSP applications, and publicly disclose such decisions. PSPs must receive registration approval from the Bank of Canada before operating. Compliance obligations such as annual audits, risk reporting, and safeguarding reviews will require continuous attention.
What PSPs and MSBs Should Prepare For: Complying with RPAA Key Dates
To meet the RPAA’s rigorous compliance standards, PSPs and MSBs should focus on the following areas:
1. Registration Readiness
Registration with the Bank of Canada is the foundational compliance step. Key components include:
● Entity Information: Legal name, address, ownership details, and corporate structure.
● Activity Details: Description of payment services offered and transaction volumes.
● Compliance Policies: Safeguarding funds plans, and operational risk frameworks.
2. Operational Risk Management Frameworks
The RPAA emphasizes that PSPs must mitigate data breaches, service outages, and fraud risks. To comply, PSPs can conduct risk assessments to identify vulnerabilities in their systems and processes.
You can also develop a robust incident response plan outlining measures to address operational disruptions and implement cybersecurity protocols aligned with international best practices.
3. AML Compliance: Strengthening the Foundation
The RPAA aligns with Canada’s existing AML framework under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). PSPs must:
● Verify customer identities using compliant Know Your Customer (KYC) measures.
● Monitor transactions for suspicious activities and file reports with FINTRAC.
● Train employees on AML compliance policies and emerging trends in financial crime.
AML compliance is the foundation on which your PSP will operate. If you don’t know where to begin with AML and KYC compliance, you can contact our AML compliance officers for more information.
4. Safeguarding Client Funds
Protecting users' funds is a cornerstone of the RPAA. PSPs must segregate client funds from operational funds and ensure they are held with reputable financial institutions.
To segregate these funds, you can use trust accounts or surety bonds to isolate client funds. Periodic audits should be conducted to confirm effective safeguarding measures and provide transparent client disclosures regarding fund protection measures.
5. Continuous Compliance Monitoring
The RPAA requires PSPs to maintain ongoing compliance with evolving regulations. This includes submitting annual compliance reports to the Bank of Canada and adapting to updates in regulatory guidance or amendments to the RPAA.
Many businesses are leveraging RegTech tools to ensure they remain compliant. You can also outsource compliance monitoring to Fintech compliance officers at Renno & Co. Fintech.
Why RPAA Compliance Matters
Failure to comply with the RPAA can result in severe consequences, including fines, suspension of registration, or reputational damage. Beyond legal compliance, adhering to the RPAA enhances consumer trust and positions PSPs as reliable players in the Canadian payments ecosystem.
You can learn more about the fines and penalties of RPAA non-compliance here to understand this in detail.
Contact Renno & Co. AML Compliance Officers to Prepare for RPAA Key Dates for 2025
The Retail Payment Activities Act is a landmark regulation that reshapes Canada’s payments landscape. PSPs and MSBs must act now to align with its requirements, from registration to operational risk management and fund safeguarding.
Staying proactive and informed will ensure compliance while fostering growth in a competitive marketplace. For tailored advice on RPAA compliance or assistance with your PSP’s legal obligations, contact our AML compliance officers and law experts today.
