Canada’s RPAA Is Live: What Payment Service Providers Must Do in 2026

The Retail Payment Activities Act Has Teeth Now

For years, Canadian payment service providers (PSPs) operated in a regulatory grey zone. That era is over. The Retail Payment Activities Act (RPAA) — administered by the Bank of Canada — moved from paper to enforcement in 2025, and 2026 is the year supervisory expectations come into sharp focus.

If your business performs payment functions in Canada — whether you process card payments, run a digital wallet, facilitate fund transfers, or operate a crypto on-ramp with fiat rails — the RPAA almost certainly applies to you. And the cost of getting compliance wrong has climbed considerably.

Who Is Captured, and What Counts as a Payment Function

The RPAA defines a PSP as any individual or entity that performs at least one of five payment functions as a service or business activity:

  • Providing or maintaining an account held in the name of an end user
  • Holding funds on behalf of an end user
  • Initiating an electronic funds transfer at the request of an end user
  • Authorizing an electronic funds transfer or transmitting, receiving or facilitating an instruction for such a transfer
  • Providing clearing or settlement services

The threshold is intentionally broad. Fintechs that thought they were “just tech vendors” routing transactions are often, on closer reading, performing function three or four. A common mistake we see at ZillionStar: founders assume that because they partner with a regulated bank or a licensed acquirer, the RPAA does not apply to them. The Bank of Canada looks at the activity, not the partnership structure.

Three Compliance Pillars That Matter in 2026

1. Registration is non-negotiable. The initial registration window closed in late 2024, but new entrants and previously non-compliant PSPs must register before performing a payment function in Canada. Operating unregistered is a prohibited activity under the Act and carries administrative monetary penalties of up to $10 million per violation.

2. Risk management and incident response frameworks must be operational. Section 17 of the RPAA requires PSPs to establish, implement and maintain a risk management and incident response framework proportionate to the risks of their payment activities. The Bank of Canada has signaled that “proportionate” does not mean “informal.” Expect supervisors to ask for documented governance, identified risk owners, tested incident playbooks, and board-level oversight evidence — even at smaller PSPs.

3. Safeguarding of end-user funds. If you hold funds for end users, the RPAA requires those funds to be held in a trust account at a prudentially regulated financial institution, or covered by an equivalent safeguarding arrangement such as insurance or a guarantee. Commingling end-user funds with operating capital is one of the fastest paths to enforcement action, and one of the most common deficiencies we identify in pre-supervisory reviews.

How RPAA Intersects with FINTRAC, OSFI and Provincial Regimes

The RPAA does not replace existing obligations — it stacks on top of them. A crypto-fiat on-ramp that is registered as a money services business under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act with FINTRAC still needs to assess whether it is a PSP under the RPAA. Provincial money transmitter rules in Quebec and other provinces continue to apply in parallel. And if your PSP touches retail deposits or extends consumer credit, OSFI or provincial consumer protection regimes may add a third layer.

The practical implication: 2026 compliance roadmaps need to be integrated. Treating RPAA, FINTRAC, and provincial obligations as separate workstreams produces overlapping documentation, conflicting policies, and supervisory inconsistency. We recommend a unified control library mapped to all applicable regimes, with a single risk register and one incident response plan that satisfies each supervisor.

Practical Next Steps

  • Confirm your scope. Document which of the five payment functions your business performs, and where in your tech stack each function lives. This becomes the foundation of your risk framework.
  • Audit your safeguarding posture. If you hold end-user funds, verify trust account structure, daily reconciliation procedures, and the legal opinions supporting your arrangement.
  • Stress-test your incident response plan. Run a tabletop exercise against a realistic scenario — a payment processor outage, a cybersecurity breach, a settlement failure. Document the gaps.
  • Align RPAA, FINTRAC and provincial controls. Map every control to every regime it satisfies. Retire duplicate or contradictory policies.
  • Prepare for supervisory engagement. The Bank of Canada is in active oversight mode. Treat your first supervisory interaction as a graded exam, not a courtesy call.

The Bottom Line

Canada now has a dedicated retail payments supervisor, and PSPs are entering a regulatory environment that more closely resembles banking supervision than tech-sector self-governance. The firms that fared best in 2025 were the ones that treated RPAA as a strategic operating discipline — not a paperwork exercise. That posture will matter even more in 2026 as the Bank of Canada moves from registration administration into substantive supervision.
