Many PSPs assume they are exempt from RPAA, but the law’s carve-outs are narrow. Understand exemptions, grey areas, and risks of misinterpretation.
Payment service providers (PSPs) across Canada are asking a crucial question: Does the Retail Payment Activities Act (RPAA) apply to my business?
The RPAA introduces a new oversight framework for non-bank companies handling retail payments in Canada. Confusion abounds over who exactly falls under its scope. Misunderstanding exemptions can lead to false confidence, missed registrations, and costly enforcement.
This article clarifies who must register, highlights legitimate exemptions, and addresses the grey areas where PSPs often get caught. If you are unsure, you are not alone — but the consequences of guessing wrong are serious.
Who Must Register Under the RPAA
The RPAA applies to businesses that
-
Transfer or hold funds for end users
-
Initiate or process payment instructions
-
Transmit payment messages
-
Provide clearing or settlement services for retail payments (Bank of Canada)
Typical In-Scope Businesses
-
Remittance and money transfer companies
-
Digital wallet providers
-
Payment processors and gateways
-
FinTech startups offering embedded payments
-
International PSPs serving Canadian users
FINTRAC vs RPAA
Many PSPs assume that being registered with FINTRAC as a Money Services Business (MSB) means they are covered. This is a misconception.
| FINTRAC (MSB Registration) | RPAA Registration |
|---|---|
| Anti-money laundering (AML) and anti-terrorist financing compliance | Safeguarding of funds, operational resilience, and user protection |
| Overseen by FINTRAC | Overseen by the Bank of Canada |
| Applies to money services businesses | Applies broadly to all PSPs offering retail payment services |
Key Point: Many PSPs will require dual registration — both FINTRAC and RPAA.
For support, see AMLI’s RPAA Registration and MSB Registrationb.
Common Misconceptions About RPAA Applicability
“We’re already registered with FINTRAC, so RPAA doesn’t apply.”
False. FINTRAC covers AML obligations; RPAA addresses operational resilience and safeguarding. Many PSPs must comply with both.
“We deal only in cryptocurrency, so we’re outside RPAA.”
Not always. Pure crypto-to-crypto transfers may fall outside today, but if your platform holds fiat balances, processes fiat-to-crypto transfers, or offers stored-value wallets, RPAA applies. The Bank of Canada has pointed to “services backed by cryptocurrencies” as scenarios requiring careful analysis.
See AMLI’s Token Due Diligence for crypto-specific compliance.
“Our payment feature is just incidental.”
The Act excludes truly incidental payment functions, but the line is blurry. If the payment feature generates revenue or is marketed separately, regulators may see it as a core PSP function.
“We’re an international PSP with no Canadian office.”
Wrong. If you direct services at Canadian users, you must register, even without a Canadian subsidiary. Marketing to Canadians, supporting CAD, or processing payments for Canadian customers all trigger RPAA obligations.
“We’re too small to matter.”
No. The RPAA has no size threshold. Startups and small PSPs must comply just as larger providers do. Assuming you can fly under the radar is a costly mistake.
Legitimate Exemptions Under RPAA
The Act excludes certain entities and transactions. These exemptions are narrow, and most fintechs or PSPs will not qualify.
Exemptions Table
| Exempt Entity/Activity | Why Exempt | Caution |
|---|---|---|
| Banks and credit unions | Already regulated under federal or provincial financial laws | Fintechs partnering with banks do not inherit this exemption |
| Incidental payment activities | Payment is only to support a non-payment primary business | If marketed separately or revenue-generating, not incidental |
| Internal transfers | Transfers within the same legal entity or corporate group | As soon as funds are moved for end users, exemption is lost |
| Closed-loop systems | Gift cards, loyalty points, or private-use payment instruments | If expanded beyond a closed loop, exemption no longer applies |
| Securities and derivatives | Payments incidental to regulated financial instruments | Narrow carve-out; other payment services still trigger RPAA |
Important: Partnering with a bank does not make a fintech exempt. The exemption applies to the bank itself, not its partners.
Grey Areas That Create Risk
Digital Wallets and Crypto Platforms
-
Custodial wallets holding fiat are clearly in scope
-
Non-custodial wallets may be out, but if fiat rails or stablecoins are involved, RPAA applies
-
Many crypto businesses mistakenly assume exemption; most should prepare for inclusion
Embedded Payments
Marketplaces and platforms that hold buyer funds or operate user balances are PSPs. If all payments are passed to licensed providers without holding funds, you may be exempt — but document this carefully.
International PSPs
If you market to Canadians, support CAD, or provide services to Canadian users, you are in scope, regardless of where your company is incorporated.
Small Startups
No de minimis rule exists. Even small fintechs must comply. Regulators expect readiness at all levels.
Risks of Misinterpreting Applicability
| Risk | Consequence |
|---|---|
| Monetary penalties | Up to $1M for individuals and $10M for corporations (Bank of Canada AMP policy) |
| Suspension of registration | Bank of Canada can refuse or revoke PSP status |
| Public naming | Being left off the PSP registry or refused is reputational damage |
| Loss of banking | Banks may refuse accounts for unregistered PSPs |
| Enforcement investigations | Costly, stressful, and distracts from business operations |
For remediation, see AMLI’s Regulatory Remediation and Effectiveness Review.
How to Determine if RPAA Applies to You
The Bank of Canada provides a self-assessment tool to help PSPs evaluate whether they fall under the scope of the RPAA. This tool walks through the key questions about your business model, the payment functions you perform, your geographic connection to Canada, and whether any exemptions apply.
You can access it here: Bank of Canada – Information for payment service providers.
Four-Step Applicability Test
-
Do you perform payment functions for end users (holding funds, initiating EFTs, transmitting instructions)?
-
Are these activities retail payment activities involving fiat EFTs?
-
Is there a Canadian connection (business presence or Canadian users)?
-
Do any exemptions apply (banks, incidental, closed-loop, etc.)?
If the first three are yes and the fourth is no, you must register.
For tailored support, AMLI offers RPAA Registration assessments and compliance programs.
Conclusion: Don’t Assume You’re Exempt
The RPAA casts a wide net. Most PSPs serving Canadian users must register, and only narrow exemptions apply. Grey areas — crypto, embedded payments, international PSPs, and startups — are exactly where businesses often get caught.
The cost of getting it wrong is high: multi-million-dollar fines, reputational damage, and operational disruption.
Your Trusted Partner in Regulatory Excellence. AML Incubator helps PSPs clarify scope, register properly, and build the frameworks regulators expect.
Next Steps
Further Reading
