What the XTM Orders Mean for PSPs in Canada

Why People Are Paying Attention to the XTM Orders

Payment service providers in Canada are now operating in a different environment than they were a year ago.

The reason is not only that the RPAA is now active in practice. The more important point is that the Bank of Canada has shown it is willing to intervene publicly where it believes serious issues exist.

On February 17, 2026, the Bank of Canada issued a temporary order to XTM Inc. requiring it to immediately cease performing retail payment activities. The Bank said it had serious concerns that XTM had failed to safeguard client funds in its possession and that continued retail payment activity could be prejudicial to the public interest. The Bank’s temporary-order PDF states that the order was made under subsection 94(4) of the RPAA.

It authorized XTM to recommence retail payment activities under the supervision of the Monitor appointed by the Ontario Superior Court of Justice under the Companies’ Creditors Arrangement Act, and subject to terms and conditions set out in the revised order.

This is why the XTM matter is important. It is one of the clearest public signs so far that RPAA compliance in Canada has moved beyond registration into active supervision.

AMLI Analysis: The practical significance of the XTM orders is not limited to one firm. They suggest that Canadian PSPs should now think in terms of supervisory resilience, not only registration readiness.

What Is the RPAA and Why Does It Matter Here?

The Retail Payment Activities Act is Canada’s federal framework for the supervision of payment service providers. The regime is supervised by the Bank of Canada and covers areas including operational risk and incident response, safeguarding end-user funds, reporting, and enforcement. The Bank’s retail payments supervision framework makes clear that PSP oversight is not limited to the act of registration itself.

That matters because many PSPs still think of RPAA work as a registration exercise. In practice, registration is only the opening phase. The harder task is maintaining an operating model that can withstand follow-up questions, evidence requests, control testing, and supervisory scrutiny over time.

The Bank has also made clear that annual reporting is part of this live supervisory environment. Registered PSPs must file annual reports, and the first annual report is due by March 31, 2026. That reporting covers areas including operational risk and incident response, safeguarding end-user funds where applicable, and retail payment activity metrics.

Legal fact: The Bank of Canada said the February 17, 2026 temporary order to XTM was made under subsection 94(4) of the RPAA.

Regulatory signal: The XTM matter shows that safeguarding concerns can become public supervisory events.

Operational implication: PSPs should assume that the quality of their control environment may matter as much as the fact of their registration.

What Do the XTM Orders Mean for PSPs in Canada?

The most important lesson is simple.

A PSP can be registered and still be unprepared.

That is because registration does not automatically prove that a firm can:

• safeguard end-user funds in a robust and reviewable way

• assign clear ownership for critical control decisions

• escalate incidents properly

• manage third-party risk effectively

• document exceptions and remediation clearly

• produce evidence quickly when concerns arise

This is where many firms overestimate their readiness. They may have policy documents, process maps, vendor relationships, and reporting routines in place, but still lack the control discipline needed to operate confidently under stress.

The XTM orders make that gap more visible. The initial order was tied to concerns about safeguarding funds and public-interest risk. The revised order then introduced supervision and conditions as part of the path forward.

AMLI Analysis: The question for PSPs is no longer only whether the framework exists. It is whether the framework can hold up when operational pressure, regulatory concern, or customer impact increases.

Does RPAA Registration Mean a PSP Is Ready?

Not really.

Registration may allow a PSP to begin operating. It does not prove that its safeguarding, operational risk, governance, and incident-response structures are mature enough for real supervisory scrutiny.

This distinction matters because compliance programs often look strongest on paper at the moment of registration. The real weaknesses tend to appear later, when:

• the business grows faster than expected

• third-party dependencies deepen

• transaction flows become more complex

• reconciliation and exception handling become harder

• incidents span multiple teams

• ownership becomes blurred

• documentation is spread across tools and people

These are practical execution risks rather than a quoted regulator checklist, but they are exactly the kinds of pressures that make a framework harder to defend in practice.

AMLI Analysis: Operational readiness begins where registration ends.

Why Safeguarding Is the Core Issue

The Bank of Canada’s February 17 announcement specifically referred to serious concerns that XTM had failed to safeguard client funds in its possession. That is the most important fact for other PSPs to focus on.

Safeguarding should not be understood too narrowly.

It is not only about where funds are held. It also touches:

• account structure

• segregation mechanics where applicable

• reconciliation discipline

• exception handling

• control over withdrawals or disbursements

• third-party dependencies

• escalation when customer funds are affected

• senior oversight when the business model changes

The Bank’s supervision framework also makes clear that PSPs that hold end-user funds must have measures to safeguard those funds until they are withdrawn or transferred. The Bank says PSPs must either hold the funds in trust in a trust account, or hold them in a segregated account and have insurance or a guarantee for those funds.

A PSP may believe its safeguarding model is sound because it made sense at launch. But a model that was workable at one stage can become fragile later if the product mix, vendor stack, or transaction profile changes faster than the control environment.

AMLI Analysis: Safeguarding often weakens gradually, through fragmented ownership and weak review discipline, before it fails visibly.

Why the Revised Order Matters Too

The revised order is just as instructive as the initial one.

It shows that once a regulator loses confidence, the path forward is unlikely to rely on informal reassurance. It is more likely to involve oversight, structured conditions, and evidence-backed remediation. The Bank of Canada’s February 27 announcement explicitly allowed XTM to recommence retail payment activities only under the supervision of a court-appointed Monitor and subject to terms and conditions.

That matters because many firms think about remediation too late. They assume remediation begins only after an examination or enforcement event. In reality, remediation readiness should exist earlier, in the form of:

• clear issue ownership

• documented corrective action

• reviewable timelines

• governance visibility

• evidence of follow-up

• realistic escalation

AMLI Analysis: Once trust weakens, firms usually need more than updated language. They need visible control recovery.

What Usually Breaks First Inside a PSP

This is where the practical lesson becomes clearer.

In many firms, the first real weakness is not the total absence of controls. It is the inability to use those controls consistently across real situations.

Common examples include:

• safeguarding logic that exists in policy but is not mapped clearly to day-to-day operations

• incident-response language without clear escalation thresholds

• critical vendor dependence without enough challenge or oversight

• exception handling that relies on judgment but is poorly documented

• senior review that focuses on growth metrics more than control strain

• reconciliations that exist, but where breaks, delays, or unusual patterns are not escalated consistently

• control evidence stored across inboxes, chats, spreadsheets, and human memory

This is what execution risk looks like in practice. It is usually understated at first. It often looks manageable until scrutiny increases.

AMLI Analysis: Firms usually do not fail because they have never heard of safeguarding or incident response. They struggle because the control environment becomes harder to retrieve, explain, and defend as operations become more complex.

What PSPs Should Review After the XTM Orders

A practical internal review should include at least six areas.

1. Safeguarding design

Confirm whether your safeguarding model still matches your current products, funds flow, operating partners, and transaction reality.

2. Governance ownership

Identify who owns safeguarding, incident response, vendor oversight, remediation, and reporting. Shared responsibility without clear decision ownership often creates control weakness.

3. Incident response

Review how incidents are identified, escalated, documented, and resolved. Make sure serious operational issues cannot remain stuck between teams.

4. Third-party dependencies

Review vendors, processors, banking partners, and external service providers whose failure or weakness could affect customer funds, continuity, or control execution.

5. Documentation and evidence

Test whether someone outside the daily workflow could understand what happened, who decided what, and why. If not, the evidence standard is likely too weak.

6. Remediation discipline

Confirm whether identified weaknesses are tracked to completion with clear ownership, review dates, and proof of implementation.

These review areas are practical recommendations rather than a quoted Bank of Canada checklist, but they are grounded in the XTM facts and the type of control pressure the orders imply.

What Evidence a PSP Should Be Able to Produce

A PSP that wants to be review-ready should be able to retrieve more than policy language.

A stronger evidence set usually includes:

• safeguarding design records

• funds-flow and account-structure mapping

• reconciliation and exception logs

• incident records and escalation notes

• third-party oversight records

• governance review records

• remediation plans and progress evidence

• records showing who approved material decisions and when

This is one reason effectiveness reviews matter. It is not enough for a framework to exist on paper. It should also be testable, understandable, and defensible when reviewed later.

The Bank’s record-keeping policy reinforces the importance of retaining records needed to demonstrate compliance with RPAA obligations.

AMLI Analysis: In regulated payments, undocumented control logic becomes hard to defend quickly.

A Practical Example

Consider a PSP that completed RPAA registration and launched with a sensible operating model.

Over time, it adds a new processing partner, grows transaction volume, introduces new exception paths, and begins relying more heavily on one vendor for an operationally critical function.

Nothing about that automatically means the firm is non-compliant.

But it does increase the need to revisit:

• whether safeguarding assumptions still hold

• whether incidents would be identified early enough

• whether governance oversight is still proportionate

• whether documentation remains review-ready

• whether senior management is seeing the right risk signals

This is how supervisory exposure often grows. Not through one dramatic design flaw, but through a gradual mismatch between the current business model and the original control environment.

What Boards and Senior Management Should Ask Now

For PSP leadership, the most useful response is not panic. It is disciplined self-assessment.

Questions worth asking now include:

• Does our safeguarding model still match our actual funds flow?

• Can we explain our account structure, reconciliation logic, and exceptions clearly?

• Are escalation thresholds defined well enough to work under pressure?

• Do we rely too heavily on one processor, banking partner, or service provider?

• Could we produce evidence quickly if the Bank asked for it?

• Do our remediation records show progress, ownership, and follow-through?

Those are the kinds of questions that move a compliance framework from paper readiness to operational readiness.

Getting Support

The XTM orders do not mean every PSP is in immediate difficulty. They do mean that the Canadian supervisory environment is becoming more concrete and more operational.

The public orders do not tell the market everything about XTM’s internal control history or remediation process. But they do provide a clear supervisory signal about the Bank of Canada’s willingness to act publicly where it believes safeguarding concerns and public-interest risk exist.

For PSPs, the important question is no longer only whether registration has been completed. It is whether safeguarding, governance, vendor oversight, incident response, and remediation can stand up when the regulator’s focus turns from what was filed to what is actually happening.

AML Incubator supports PSPs through:

• RPAA Registration

• CAMLO & MLRO Services

• Effectiveness Review

• AML Regulatory Remediation Services.

Book a free consultation to review your RPAA readiness, safeguarding framework, governance ownership, and remediation priorities.