Canada’s Retail Payment Activities Act (RPAA), S.C. 2021, c. 23, s. 177, establishes a federal registration and supervisory framework for payment service providers (PSPs). Assented to on June 29, 2021, the Act entered into force in stages. Registration provisions began on November 1, 2024, while the core operational-risk, incident-response, safeguarding, reporting and supervision requirements became operative on September 8, 2025. As of June 23, 2026, the core regime is active, although sections 99 and 100 governing annual assessment fees remain uncommenced.
Scope of the Retail Payment Activities Act
The RPAA applies when an individual or entity performs one or more prescribed payment functions as a service or business activity that is not incidental to another activity. The five current functions cover providing or maintaining payment accounts, holding end-user funds, initiating electronic funds transfers, authorizing or transmitting payment instructions, and providing clearing or settlement services. The activity must relate to an electronic funds transfer made in Canadian currency, a foreign currency or a unit meeting prescribed criteria.
The Act reaches PSPs with a place of business in Canada and foreign PSPs that direct covered activities at individuals or entities in Canada for Canadian end users. Statutory and regulatory exclusions include certain merchant-limited instruments, securities-related transactions, cash withdrawals at automated teller machines, designated payment systems, qualifying intra-group transfers, incidental payment activities, and specified regulated financial institutions. Banks and authorized foreign banks are among the entity-based exclusions.
Covered PSPs must register with the Bank of Canada. The transition period ended on September 7, 2025; applicants entering the market after that date generally must receive a registration decision before performing retail payment activities.
Key obligations for payment service providers
The Bank of Canada supervises registered PSPs for compliance, while the Minister of Finance exercises national-security powers connected to registration and ongoing activity. Principal obligations include:
- Operational resilience: PSPs must maintain a written risk-management and incident-response framework addressing availability, integrity and confidentiality, with controls for cybersecurity, fraud, business continuity, data, technology, personnel and third parties.
- Incident reporting: Material incidents must be reported to the Bank and, where applicable, to materially affected end users, other PSPs and designated clearing houses.
- Safeguarding funds: PSPs that hold end-user funds must use a permitted safeguarding method, maintain a written safeguarding framework and arrange required independent reviews.
- Reporting and records: PSPs must report significant changes and new activities, retain compliance records, and submit an annual report by March 31 for the preceding calendar year.
The Act authorizes supervisory information requests, compliance orders, court enforcement and administrative monetary penalties. Under the Regulations, serious violations can attract penalties of up to C$1 million and very serious violations up to C$10 million. Registration applications may also be reviewed for national-security concerns, with powers to require undertakings or conditions or direct refusal.
Relevance to crypto and stablecoin services
The RPAA is technology-neutral and is not a general licensing statute for crypto trading or custody. Its application to a crypto business depends on the payment functions performed, the type of electronic funds transfer involved, whether payment activity is incidental, and whether an exclusion applies. Bank of Canada scenarios state that a crypto-only exchange handling no Canadian or foreign currency does not perform a retail payment activity under the current definition. A crypto-backed open-loop prepaid-card service, by contrast, can perform in-scope payment functions and require registration.
Amendments enacted in March 2026 would add the transmission or maintenance of an end user’s encrypted or tokenized payment instrument or private key to the statutory definition of a payment function. Those amendments are listed by Justice Laws as not in force and require an order in council to commence.
Status and implementation timeline
The Act received royal assent in 2021, its Regulations were registered in 2023, registration opened in 2024, and the main supervisory obligations commenced in 2025. The consolidated Act was last amended on March 26, 2026. Because annual assessment-fee provisions remain uncommenced and crypto-related scope amendments await commencement, this profile uses the status "Partially effective" while noting that the core supervisory regime is already in force. This profile is an editorial overview, not legal advice.



