You hit submit on PSP Connect before the March 31 deadline. Now the waiting game begins — but what’s actually happening on the Bank of Canada’s end? The annual report isn’t just a box-ticking exercise. The Bank uses every submission as a live window into how each registered PSP manages operational risk, safeguards end-user funds, and handles changes to its retail payment activities. Here’s exactly what happens after you submit — and what it means for your compliance posture.
For most PSPs, the post-submission period feels like a black box. Understanding what the Bank actually does with your report — and what could draw supervisory attention — is essential for building a mature compliance program that’s ready for whatever comes next.
What the Bank Does With Your Report
After submission, the Bank of Canada’s Retail Payments Supervision team reviews your annual report as part of its risk-based supervision approach.[1] That means not every PSP gets the same level of scrutiny — the Bank allocates supervisory resources using a risk-based framework, though the specific criteria used to prioritize reviews are not formally codified in legislation or in published Bank of Canada guidance.
The data you submitted — your operational risk framework, safeguarding practices, retail payment activity metrics, and financial details — feeds into the Bank’s supervisory assessment processes.[1] It also updates your registration record. If your activities have changed since last year, the Bank now knows. And don’t assume silence means approval. The Bank may follow up with requests for additional information about specific compliance matters. The legislation does not prescribe timelines for such follow-ups.[2]
What Triggers Enforcement Attention
Supervisory attention may be drawn to patterns that signal potential compliance gaps. Factors that may draw supervisory attention include:
- Failing to submit on time
- Submitting inaccurate or misleading information — the RPAA’s Administrative Monetary Penalties (AMP) framework establishes consequences for non-compliance with reporting obligations; PSPs are responsible for ensuring the accuracy of what they submit[2]
- Significant gaps in the operational risk framework or safeguarding practices
- Changes to retail payment activities that weren’t properly notified
Note: No official list of the most common supervisory triggers has been published by the Bank of Canada. The factors above reflect the general compliance expectations set out in the RPAA.[2]
The Bank’s enforcement process begins with case selection, drawing from internal reviews, referrals from other regulators, or public complaints.[1] If your file is flagged, the Bank may request information and conduct examinations under the Act. The RPAA does not prescribe specific procedural steps, response timeframes, or escalation timelines for investigations.[2] Examinations may include desk reviews, formal information requests, interviews, on-site visits, and special audits.
Administrative Monetary Penalties (AMPs) may be published by the Bank; however, the RPAA does not require the Bank to publicly disclose all violations or their full details.[1][2]
The Pending Applicant Exception
If your registration application was still pending as of September 8, 2025 — when full RPAA requirements came into force — you were not required to file an annual report until registration was confirmed. This followed the Bank’s August 2025 announcement regarding the implementation timeline.[1]
On September 8, the Bank published a public registry of registered PSPs.[3] No separate publicly available lists of refused, revoked, or pending applications have been confirmed by the Bank of Canada. The number of applicants still awaiting registration has not been published by the Bank, and no verifiable figure is available.
Goodmans LLP has published legal commentary on the scope of obligations for pending applicants — including the interpretation that such PSPs remained subject to other RPAA operational requirements from September 8 onward.[4] This commentary represents law firm interpretation and is not binding regulatory guidance. The applicability of RPAA operational requirements to pending PSPs is a matter of statutory interpretation not directly addressed in the legislation itself.[2] The moment registration is confirmed, the annual reporting obligation kicks in fully.
What Smart PSPs Do Now
Don’t treat the annual report as a one-and-done. The post-submission window is exactly when proactive PSPs get ahead of the next cycle — and prepare for any Bank follow-up before it arrives.
- Review the accuracy and completeness of what you submitted while it’s still fresh
- Identify any significant changes coming in the next 12 months that will require a Significant Change Notification
- Audit your safeguarding practices and operational risk documentation — before the Bank does
- Keep compliance records current and accessible so you can respond quickly to any follow-up requests
How Tamlo Can Help
Tamlo International, through its strategic alliance with Sentinence, works with PSPs at every stage of RPAA compliance — from registration through annual reporting and ongoing readiness. If your team needs a compliance review, staff training, or help preparing for a Bank of Canada inquiry, reach out to us at mcosgrove@tamlo-rpaa.ca or angela@sentinence.com.
Sources
- Bank of Canada — Retail Payments Supervision (Risk-Based Supervision, Enforcement Process, Supervisory Policies)
- Retail Payments Activity Act (R-7.7) — Department of Justice Canada
- Bank of Canada — PSP Register (Registry of Registered Payment Service Providers)
- Goodmans LLP — Bank of Canada Issues Update and Reminder for PSPs (law firm commentary; not binding regulatory guidance)