Crypto Law Profile

Canada Retail Payment Activities Regulations (RPAR)

Canada’s SOR/2023-229 implements the RPAA through payment-service-provider registration, operational-risk and incident controls, end-user fund safeguarding, reporting, recordkeeping and administrative monetary penalties.

Canada | Effective | Regulation | Sep 8, 2025

At a glance

Status: Fully in force since Sept. 8, 2025, after an initial phase beginning Nov. 1, 2024.
Regulator: The Bank of Canada registers and supervises covered payment service providers.
Core controls: Written operational-risk, incident-response and end-user-fund safeguarding frameworks.
Crypto scope: No crypto or stablecoin unit is currently prescribed under this regulation.

Overview

Canada’s Retail Payment Activities Regulations (RPAR), SOR/2023-229, are federal regulations made under the Retail Payment Activities Act (RPAA). As of June 23, 2026, the regulations are in force. The transition and initial application phase began on November 1, 2024, and the remaining operational-risk, safeguarding, reporting and related provisions took effect on September 8, 2025. The Bank of Canada administers the federal retail-payments supervision framework.

What the Retail Payment Activities Regulations cover

The RPAR supplies detailed rules for the RPAA regime governing payment service providers. The enabling Act applies to covered providers with a place of business in Canada and to certain foreign providers that direct retail payment activities at end users in Canada. Its definition of a retail payment activity is tied to a payment function involving an electronic funds transfer in Canadian or foreign currency, or in another unit that meets criteria prescribed by regulation.

The regulations also refine the perimeter. They exclude qualifying securities-related transactions performed by a person regulated or exempt under Canadian securities legislation, treat genuinely incidental payment activities as outside the Act in specified circumstances, and prescribe SWIFT as an excluded entity. Scope therefore depends on the activity, the provider, the payment instrument and the statutory exclusions rather than on a company’s label alone.

Key requirements for payment service providers

Registration and supervisory information

Covered payment service providers must be registered with the Bank before performing retail payment activities. The RPAR specifies information for applications and the public registry, ownership and control thresholds, national-security review information, prescribed changes that can require a new application, and a formula for the application fee. The Bank publishes its registry as screening decisions are completed.

Operational risk and incident response

Providers must maintain a written framework addressing business continuity, cybersecurity, fraud, information technology, data management, change management, physical security and third-party risk. The framework must assign oversight, set measurable reliability objectives, provide for training, monitoring, testing and recovery, and be reviewed at least annually. Material incidents trigger notice obligations to the Bank and materially affected parties without delay.

Safeguarding end-user funds

Where a provider holds end-user funds, the RPAA requires an authorized safeguarding method, such as a dedicated trust account or a separate account supported by qualifying insurance or a guarantee. The RPAR adds requirements for account and protection providers, insolvency treatment, liquidity arrangements, an end-user ledger, senior-officer oversight, annual review and periodic independent review. The objective is reliable access to funds and prompt return following an insolvency event.

Reporting, records and enforcement

A provider that performs retail payment activities during a calendar year must file its annual report by March 31 of the following year. Notice of a significant change or new retail payment activity is generally due at least five Bank business days before implementation. Providers must keep intelligible records sufficient to demonstrate compliance, protect those records, and retain them for the prescribed period, including when agents or third-party service providers hold them.

The RPAR designates contraventions that may be pursued as administrative monetary penalty violations. The prescribed maximum is C$1 million for a serious violation and C$10 million for a very serious violation, while specified late-reporting violations use separate daily or range-based amounts. These are statutory maximums, not automatic penalties.

Crypto and stablecoin relevance

The current RPAR text does not itself prescribe a cryptoasset, virtual currency or stablecoin as the additional “unit” contemplated by the RPAA definition. Finance Canada states that Bank of Canada supervision of payment functions performed in a fiat-backed stablecoin remains conditional on that stablecoin being prescribed by regulation. Supporting stablecoin regulations are under development, so this profile should not be read as treating the RPAR as a general crypto or stablecoin regime.

Status and review

The consolidated regulations are current through May 26, 2026 and record September 8, 2025 as the latest amendment and full commencement date. Future amendments, Bank supervisory publications and the proposed stablecoin prescription process remain relevant review points. This profile describes the federal framework at a high level and is not legal or compliance advice.

Key provisions

Scope and prescribed exclusions

The regime covers qualifying retail payment activities under the RPAA; the RPAR prescribes exclusions for certain securities transactions, incidental activities and SWIFT.

Regulatory perimeter | Nov 1, 2024

Registration and public registry

The transition regime opened applications on Nov. 1, 2024. Covered PSPs must be registered before operating after transition, with prescribed application and registry information.

Registration | Nov 1, 2024

Operational risk and incidents

PSPs must maintain, test and review a written framework covering resilience, cybersecurity, fraud, data, technology, change, physical security, third parties and incident response.

Operational resilience | Sep 8, 2025

Safeguarding end-user funds

PSPs holding end-user funds must use an authorized safeguarding method and maintain controls for access, liquidity, ledgers, insolvency treatment, oversight and review.

Funds safeguarding | Sep 8, 2025

Annual and change reporting

Annual reports are due by March 31 for the preceding calendar year. Significant changes and new activities generally require at least five Bank business days’ advance notice.

Reporting | Sep 8, 2025

Records and outsourced access

PSPs must keep intelligible compliance records, protect them against loss, falsification and unauthorized access, and ensure access to records held by agents or service providers.

Recordkeeping | Nov 1, 2024

Administrative monetary penalties

Designated violations may carry penalties up to C$1 million for serious violations and C$10 million for very serious violations, with separate amounts for specified delays.

Enforcement | Nov 1, 2024

Application fee and reviews

The application-fee formula began at C$2,500 and is CPI-indexed. The regulations also prescribe review, information and national-security process periods.

Fees and review | Nov 1, 2024

Timeline

  1. Retail Payment Activities Act received Royal Assent

    The enabling federal statute was enacted as S.C. 2021, c. 23, s. 177.

    Enacted
  2. Proposed regulations published

    Draft Retail Payment Activities Regulations were published in the Canada Gazette, Part I for consultation.

    Under consultation
  3. Final regulations registered

    SOR/2023-229 was made and registered by the Governor in Council under section 101 of the RPAA.

    Enacted
  4. Final regulations published

    The final regulation and commencement order were published in the Canada Gazette, Part II.

    Enacted
  5. Initial phase took effect

    The transition and application phase opened, including the initial 15-day application period.

    Partially effective
  6. Remaining provisions took effect

    Operational-risk, safeguarding, reporting and the other delayed provisions entered into force.

    In force

Who it affects

Actors

Bank of Canada, Department of Finance Canada, Payment service providers

Editorial note

This profile covers SOR/2023-229 rather than the enabling Retail Payment Activities Act. The enacted-date field uses the regulation’s registration and making date. As of June 23, 2026, the regulations do not prescribe a cryptoasset or stablecoin as a qualifying unit; Finance Canada states stablecoin payment coverage remains conditional on future prescription.