Retail Payment Activities Act — Canada
What Payment Service Providers Need to Know
The Retail Payment Activities Act (RPAA) came into force in September 2025, creating a new federal regulatory regime for payment service providers (PSPs) in Canada. Supervised by the Bank of Canada, the RPAA requires registered PSPs to implement risk management frameworks, safeguard end-user funds, report operational incidents, and maintain operational practices that can withstand supervisory scrutiny.
Compliance training is not a peripheral obligation under this regime — it is built into the risk management standard. A risk management framework that exists only on paper, without staff who understand it and apply it, does not meet the Bank of Canada’s supervisory expectations.
This guide explains what the RPAA requires, who it applies to, what compliance training must cover, and how Tamlo supports PSPs in building the training program their registration demands.
The RPAA is federal legislation enacted to bring PSPs — businesses that process electronic payments on behalf of others — under a national supervisory framework for the first time. Prior to the RPAA, PSPs in Canada operated without a dedicated federal regulator. The Act changes that.
The Bank of Canada is the supervisory authority. Registration with the Bank of Canada is mandatory for PSPs that perform retail payment activities as defined in the Act. The registration framework launched in late 2024, and the risk management and funds safeguarding frameworks came into force on September 8, 2025. PSPs subject to the Act were required to have compliant frameworks in place as of that date. The first annual compliance report was due to the Bank of Canada by March 31, 2026.
Important distinction: The RPAA is a separate regulatory regime from the PCMLTFA (FINTRAC). Being registered as a PSP under the RPAA does not automatically make a business a FINTRAC reporting entity. PSPs that also conduct money transfer, foreign exchange, or virtual currency activities are required to register with FINTRAC as money services businesses (MSBs) and carry the full PCMLTFA compliance program obligations in addition to RPAA requirements. Many PSPs carry obligations under both regimes.
The RPAA applies to businesses that perform one or more retail payment activities in the ordinary course of business and that are not otherwise excluded. The Act’s definition covers a wide range of electronic payment functions:
Excluded entities include banks and authorized foreign banks regulated under the Bank Act, and clearing houses regulated under the Payment Clearing and Settlement Act. Note that provincial credit unions and caisses populaires are not automatically excluded from the RPAA — PSPs uncertain about their scope status should review the Bank of Canada’s published registration guidance or seek legal advice.
The Bank of Canada’s supervisory framework under the RPAA is organized around four categories of obligations:
PSPs must be registered with the Bank of Canada before performing retail payment activities in Canada or for Canadian end users. Performing retail payment activities while unregistered is a violation of the Act.
This is the operational heart of RPAA compliance. PSPs must maintain a written risk management framework that identifies, assesses, and mitigates:
The framework must be documented, implemented, and reviewed regularly. It cannot be a static document — the Bank of Canada expects evidence that it is actively used to govern operational decisions. Staff at all levels with payment processing responsibilities must understand the framework and their role within it. This is where compliance training becomes essential.
PSPs that hold end-user funds must safeguard those funds in accordance with the Act’s requirements — segregated accounts, restrictions on how funds can be used, and clear governance around the funds safeguarding process. Staff who handle client funds or manage the accounts that hold them must understand the safeguarding obligations and the consequences of non-compliance.
PSPs must report operational incidents to the Bank of Canada within prescribed timeframes under the RPAA. This is a standalone regulatory obligation, not simply a best practice. Staff responsible for operations, technology, and compliance must understand what constitutes a reportable incident, how to escalate it internally, and what information must be provided to the Bank of Canada.
The Bank of Canada has not published a prescriptive training curriculum for the RPAA in the same way FINTRAC publishes compliance program guidance. What the Bank of Canada expects — consistent with supervisory norms for operational risk and financial stability regulators — is that the risk management framework is understood and applied by the people responsible for executing it. That requires training.
At a minimum, PSP compliance training under the RPAA should cover:
All staff should have a baseline understanding of:
Staff with payment processing responsibilities — operations, technology, compliance, finance, and customer-facing teams — should be trained on:
This is not awareness training — it is operational training, tied to the specific processes the employee executes. Generic content about “cyber risk” or “operational resilience” that is not anchored to the PSP’s own framework and procedures does not meet the supervisory standard.
The RPAA’s risk management framework must specifically address technology and cyber risks. Training for technology, IT, and product teams should cover:
Staff who manage, move, or report on end-user funds must be trained on:
Operations and technology staff should understand:
PSPs subject to the RPAA submitted their first annual compliance report to the Bank of Canada by March 31, 2026. The annual report covers the PSP’s risk management framework, funds safeguarding arrangements, and operational performance for the prior year. Supervisory engagement may follow, including information requests and examinations.
A well-documented training program is part of what the Bank of Canada will expect to see as evidence that the risk management framework is operationally embedded — not just written down. Training records, curriculum content, and assessment results are the same kind of documentation that satisfies FINTRAC examiners for AML/ATF training, and they matter equally in a Bank of Canada supervisory review.
Many PSPs carry compliance obligations under both the RPAA and the PCMLTFA. If your PSP is also registered as an MSB with FINTRAC because it provides money transfer, foreign exchange, or virtual currency services, you need two distinct compliance frameworks:
These frameworks overlap but are not interchangeable. Training content must address both sets of obligations, and the programs must be maintained separately, as each regulator has its own examination methodology and reporting requirements.
Tamlo builds compliance training for both regimes. If your organization is navigating dual obligations, we can help you design a coordinated training program that satisfies both the Bank of Canada’s supervisory expectations and FINTRAC’s compliance program requirements.
Tamlo International develops compliance e-learning for regulated financial services businesses in Canada and the United States. Our team builds SCORM-compatible training that can be deployed across your organization through your own LMS or through Tamlo’s hosted RapidLMS platform.
For PSPs under the RPAA, we offer:
All courses are available in English and French and can be customized to reflect the specific products, processes, and risk profile of your organization.
What is the Retail Payment Activities Act (RPAA)?
The RPAA is federal Canadian legislation that created a supervisory regime for payment service providers. The Bank of Canada is the supervisory authority. Registration is mandatory for PSPs performing retail payment activities. The risk management and funds safeguarding requirements came into force on September 8, 2025.
Does the RPAA require compliance training?
The RPAA does not contain a standalone training mandate equivalent to the PCMLTFA’s training pillar. However, the Bank of Canada’s supervisory expectations for the risk management framework assume that staff understand and can implement it. A risk management framework that is documented but not operationally understood will not satisfy a Bank of Canada supervisory review. Training is essential to making the framework functional.
Is a PSP also subject to FINTRAC if it is registered under the RPAA?
Not automatically. RPAA registration and FINTRAC registration are separate obligations. A PSP is subject to FINTRAC’s PCMLTFA requirements only if it also performs activities that qualify it as an MSB — such as money transfer, foreign exchange, or dealing in virtual currency. Many PSPs carry dual obligations and must maintain separate compliance programs for each regulatory regime.
When was the first annual report due under the RPAA?
PSPs subject to the RPAA were required to submit their first annual compliance report to the Bank of Canada by March 31, 2026.
What happens if a PSP does not comply with the RPAA?
The Bank of Canada has the authority to issue compliance orders and impose financial penalties under the RPAA for violations of the Act’s requirements. Performing retail payment activities without registration is itself a violation of the Act.
Can Tamlo build RPAA training for our organization?
Yes. Tamlo develops SCORM-based compliance training for PSPs and financial services businesses. We can build foundational RPAA awareness training or role-specific operational modules tied to your organization’s risk management framework. Contact us to discuss your requirements.
Tamlo works with payment service providers, financial institutions, and MSBs across Canada. Whether you need RPAA operational training, FINTRAC AML training, or a coordinated program that addresses both regulatory regimes, we can help.
[Get a Quote] [Contact Us] [Browse Our Courses]
