The Retail Payment Activities Act (RPAA) brought a category of business under federal oversight for the first time. The Bank of Canada is the regulator, and the threshold for being caught is functional — what you do — rather than what you call yourself. That trips up founders who think their product is "just" a wallet, a fintech tool, or an embedded feature.
What the Act actually targets
RPAA targets retail payment activities performed for end users in Canada. In practice, that means moving funds for someone else, holding funds for someone else in connection with moving them, providing or maintaining a payment account, initiating an electronic funds transfer at the user's direction, or authorizing or transmitting a funds transfer instruction.
If your product touches one of those activities — even briefly, even as one feature among many — you may need to register as a payment service provider (PSP). The Bank of Canada's view is that the activity, not the business model, controls.
What triggers it (common cases)
- Wallets that hold customer balances. Even if balances are intended for spending inside one ecosystem, holding funds on behalf of users is a regulated activity.
- Crypto on-ramps and off-ramps. Moving Canadian dollars in or out of a crypto wallet on a user's instruction is a payment activity. Whether the crypto-side activity also triggers a CSA registration is a separate question.
- Payment processors and payment facilitators. Aggregating merchant transactions, sub-merchant settlement, payout services — all caught.
- Embedded payments in vertical SaaS. A scheduling tool, marketplace, or property-management platform that processes payments for its customers is performing a regulated activity, even though the payment is "just a feature."
- Cross-border remittance, FX, and money transfer. Caught by RPAA in addition to FINTRAC's MSB regime — operators need both registrations.
What it doesn't trigger
The Act carves out activities that are already regulated elsewhere or fall outside its scope. The most relevant exclusions:
- Activities of banks, credit unions, trust companies, and other federally regulated financial institutions — they're regulated under their prudential frameworks, not RPAA.
- Securities-related transfers — when the activity is the settlement of a regulated securities transaction.
- Card-network and clearing-system activities performed by participants in designated payment systems.
- Internal transfers that don't involve a third party — moving your own money between your own accounts isn't a retail payment activity.
- Activities performed entirely outside Canada for non-Canadian end users — though if Canadian users are involved at either end, the Bank of Canada's view tends to widen.
The grey zones
A few patterns sit right at the edge of the perimeter and generate the most legal questions:
- Tokenized loyalty and rewards. If points or store credit can be converted to cash or transferred between users, the activity may be regulated even if the issuer thinks of it as a marketing feature.
- Crypto-only platforms with fiat off-ramps via partner banks. The platform might argue the bank is the PSP — the Bank of Canada often disagrees if the platform initiates the transfer instruction.
- API-only infrastructure. Selling payment infrastructure to other businesses can be regulated even if you never face an end user — depending on whether your platform initiates, transmits, or holds funds in the chain.
The right test
The clearest way to think about RPAA exposure: is there a moment when funds move on a Canadian end user's instruction, with our platform in the chain? If yes, registration is likely. If the only role is software — no funds touched, no instructions transmitted, no balances held — registration is unlikely.
Edge cases are not resolved by a self-assessment. The Bank of Canada publishes guidance and runs a registration assessment process. If you're not sure, the cheapest path is a scope review that maps the regulated activities against your architecture before you commit a launch date to a board or a series of investors.