鶹ý

Regulatory Influencer: Canada Retail Payments Activities Act — Safeguarding of End-User Funds

June 5, 2025
<
Back
This report is the third installment in a four-part series analyzing the RPAA and identifying key components of the law that PSPs should consider when doing business in Canada. This report focuses on the requirement to safeguard end-user funds.

In June 2021, the  (RPAA) was enacted, granting the Bank of Canada supervisory authority over payment service providers (PSPs). According to the , the aim of the RPAA is to build confidence in the safety and reliability of PSP services while protecting end users from specific risks. 

The RPAA set forth a series of requirements for PSPs, including registering with the Bank of Canada, establishing and maintaining an operational risk and incident response framework, safeguarding end-user funds, and submitting mandatory reports, among other things. 

This report is the third installment in a four-part series analyzing the RPAA and identifying key components of the law that PSPs should consider when doing business in Canada. This report focuses on the requirement to safeguard end-user funds. 

Who does the RPAA apply to:

According to , the act applies to any retail payment activity that is performed by a PSP that has a place of business in Canada or any retail payment activity that is performed for an end-user in Canada by a PSP that does not have a place of business in Canada but directs retail payment activities at individuals or entities that are in Canada. 

defines a PSP as an individual or entity that performs payment functions as a service or business activity that is not incidental to another service or business activity.  also defines retail payment activity as a payment function that is performed in relation to an electronic funds transfer that is made in the currency of Canada or another country or using a unit that meets prescribed criteria.

Key considerations: 

Under the safeguarding provisions of the RPAA, PSPs must meet a range of regulatory requirements designed to protect customer funds. 

According to , if a PSP performs a retail payment activity that is the holding of end-user funds until they are withdrawn by the end user or transferred to another individual or entity, the PSP must either:

  • Hold the funds in trust in a trust account.
  • Hold the funds in a prescribed account.
  • Hold the funds in an account that is not used for any other purpose and hold insurance or a guarantee in respect of the funds that is an amount equal to or greater than the amount held in the account. 

states that the account in which the funds are held must be provided by an entity referred to in  or by a foreign financial institution that is regulated by a regulatory regime that imposes comparable standards to those that apply to the aforementioned entities. 

Additionally,  states that the insurance or guarantee on the funds held in a segregated account must be provided by an entity referred to in  or a foreign financial institution that is regulated by a regulatory regime that imposes comparable standards to those that apply to the aforementioned entities, and the entity is not affiliated with the PSP within the meaning of . 

According to , PSPs that hold end-user funds must establish, implement, and maintain a safeguarding of fund framework to ensure that end users have reliable and timely access to the end-user funds that are being held by the PSP and that, in the event of insolvency proceedings, the end-user funds or proceeds of the insurance or guarantee are paid to end users as soon as feasible. 

The safeguarding-of-funds framework must describe the PSP’s systems, policies, processes, procedures, and controls for ensuring end users have access to their funds and protect end-user funds if the PSP becomes insolvent. The framework must include:

  • Those systems, policies, processes, procedures, and controls in relation to the PSP’s use of liquidity arrangements and its holding of end-user funds in the form of secure and liquid assets.
  • A requirement to keep a ledger that sets out the name and contact information of each end user whose funds are held by the PSP and the amount of funds belonging to each of those end users that is held by the PSP at the end of each day.
  • The means by which it will be ensured that the insolvency or bankruptcy administrator or trustee or other person appointed to carry out insolvency proceedings, or the insurance or guarantee provider is able to access all relevant records and documentation in relation to end-user funds, contact end users as soon as feasible, and identify any errors or deficiencies in the PSP’s ledger of end-user funds and address any shortfall in the funds to be returned to each end user.
  • The procedures to be followed to return funds to end users.
  • The role of any of the PSP’s agents, mandataries or third-party service providers in facilitating the execution of the tasks referred to in the previous two paragraphs.

Furthermore, the safeguarding-of-funds framework must identify the legal and operational risks that could impede end users from having reliable access to their funds or getting paid the end-user funds or the proceeds of the insurance or guarantee in the event of insolvency. The framework must also identify a senior officer that is responsible for overseeing the PSP’s practices for safeguarding end-user funds and for ensuring the PSP’s compliance with the relevant provisions of the RPAA and the regulations. 

The framework must be approved by the senior officer at least once a year and following each material change that is made to the framework; and it must be approved by the PSP’s board of directors at least once a year. 

The framework must also be reviewed at the following times to ensure compliance with the requirements of the RPAA and the regulations:

  • At least once a year.
  • After any changes to the means by which the PSP safeguards end-user funds.
  • After any of the following changes, if they could reasonably be expected to have a material impact on the way PSPs safeguard end-user funds:
    • The opening or closing of any account in which the PSP holds end-user funds.
    • A change in the entity that provides any account in which the PSP holds end-user funds.
    • A change in the terms of the account agreement in respect to any account in which the PSP holds end-user funds.
    • In the case of a PSP that holds funds in a segregated account that has insurance or guarantee, a change in its insurance or guarantee providers or to the terms of the insurance policy or guarantee. 

The PSP must keep a record of each review and ensure that the findings are reported to the senior officer for approval. 

Lastly, according to , a PSP must ensure that an independent review of their compliance with the requirements regarding safeguarding of end-user funds is conducted once every three years. The PSP must obtain a record of the review and report, to the senior officer, any gaps and vulnerabilities that are identified by the independent review and any measure being taken to address them

Why should you care:  

According to the Bank of Canada, the safeguarding provisions under the RPAA are intended to protect end-user funds in the event of PSP insolvency and to ensure reliable, timely access to those funds. 

PSPs should consider the following as they assess their readiness for compliance:

  • The Bank of Canada will actively assess whether PSPs meet the safeguarding obligations. This may involve requests for information and supporting documentation, on-site examinations to observe operational practices, interviews with key subject matter experts, and, if necessary, the imposition of a special audit.
  • Non-compliance with the safeguarding requirements may result in enforcement actions by the Bank of Canada. These actions could include the issuance of a warning letter, a requirement to enter into a compliance agreement, or a notice of violation. Notices of violation may also carry an administrative monetary penalty or be accompanied by an offer to enter into a compliance agreement.
  • PSPs should take immediate steps to ensure their safeguarding practices are fully aligned with RPAA requirements in advance of the September 8, 2025, compliance deadline. Early preparation will help mitigate compliance risks and support continued trust with end users and regulators alike.
Kristin Rheins

Our premium content is available to users of our services.

To view articles, please Log-in to your account. Alternatively, if you would like to gain access to the tools that will help you navigate compliance risk with confidence please get in touch today.

To read more articles like this, along with gaining access to the tools that will help you navigate compliance risk with confidence, request a demo of our RegTech platform today.

Related articles

June 16, 2025

Automatic Pix Goes Live, Enabling Recurring Payments in Brazil

Pix, Brazil’s instant payments system, has introduced a recurring payments mechanism, aiming to simplify bill payments for consumers.
Read article
June 13, 2025

Pay.UK Sets Out Ideas For Reforming UK’s Payments Infrastructure

Payment system operator Pay.UK has unveiled a package of proposed reforms to the organisational framework for interbank payments, urging “radical” change to prevent the UK falling behind on infrastructure and innovation.
Read article

Opt in to hear about webinars, events, industry and product news

Gambling Compliance

Learn more

Payments Compliance

Learn more
Still can’t find what you’re looking for? Get in touch to speak to a member of our team, and we’ll do our best to answer.
Contact us
No items found.
Acquiring
Issuing
Mobile Payments
Payment Processors
Federal (Canada)
Canada

Please choose your preferred
service to log in to.

Don’t have an account?