Bank of Canada RPAA supervision

The compliance desk for registered payment service providers.

You're on the Bank of Canada's PSP registry. We build and run your RPAA frameworks so your team doesn't have to.

Operational compliance support, not legal advice. Bilingual, FR or EN.

RPAA Readiness Snapshot Sample
Ops-risk + incident frameworks.17, in force Sept 8 2025Not documented
Safeguarding-of-funds frameworks.15, if you hold fundsGap
48-hour incident runbooks.18 notificationNone
Annual report, PSP Connectdue March 31On file
Where you stand across the four obligations. No legal opinion.
What you're on the hook for

Four obligations, live since September 2025.

Every registered PSP carries these. Most teams under 20 people have nobody assigned to them.

s.17 RPAA

Operational-risk + incident-response framework

A documented framework to identify and manage operational risk, tested on a schedule, with the evidence to show it.

Required since Sept 8, 2025
s.15 RPAR

Safeguarding-of-funds framework

For PSPs that hold end-user funds: a segregated account, a daily fund ledger, a named senior officer, and an independent review every three years.

Holds-funds PSPs only
s.18 RPAA

48-hour incident notification

A material incident means notifying affected parties and the Bank within 48 hours of determining it is material. That needs a runbook, not a scramble.

48 hours from materiality
PSP Connect

Annual report to the Bank

Every March 31, a report confirming your frameworks, activity metrics, and any significant incidents or changes during the year.

Every March 31
The Bank is already supervising

This is not a someday problem.

Registration was the easy part. Supervision is ongoing, and the penalties are real.

up to $1M
per serious violation (up to $10M for a very serious one)
$500 / day
for a reporting or notification breach, up to 30 days
48 hours
to notify the Bank of a material incident

On February 17, 2026, the Bank of Canada issued a temporary order requiring XTM Inc. to immediately stop all retail payment activities, over concerns it had failed to safeguard client funds. It was the first time the Bank used that power against a PSP.

Source: Bank of Canada compliance order, Feb 17, 2026. Figures per the Bank's Administrative Monetary Penalties policy.

What the desk does

We build it, then we run it.

A done-for-you desk that turns the RPAA obligations into documents and a routine, so nobody on your side has to become the compliance department.

  • 1Readiness audit. An obligation-by-obligation review of where you stand and what is missing, in priority order.
  • 2Framework build. The ops-risk and incident-response framework, the 48-hour runbook, and the safeguarding framework if you hold funds.
  • 3Annual report prep. We assemble and dry-run your PSP Connect report before the March 31 window.
  • 4Ongoing desk. Reg-change monitoring, the annual review, and incident-response on call.

We're the ops arm, not a law firm.

Keep your lawyer for the legal opinion on scope. What they usually don't do is build and operate the framework, run the annual report, and sit on the incident clock month to month. That's the part we run, at a fixed fee, in French or English.

Published, fixed fees

Most of this market is quote-only. Ours isn't.

A productized desk that sits under the five-figure BigLaw and consultancy quotes, built for the small businesses that are 95% of the registry.

Start here

Readiness Snapshot

Free / 15 min

A live look at where you stand across the four obligations. No legal opinion, just the operational picture.

Then: Readiness Audit, $2,000, credited in full toward a build.
Build

Framework Build

$7,500 / $9,500 with safeguarding

The full framework set, the 48-hour incident runbook, notification templates, and an evidence pack. Safeguarding tier for holds-funds PSPs.

Annual Report Prep: $2,500 per cycle.
Run

Compliance Desk

$900 / mo, or $1,500 Growth

Framework maintenance, reg-change monitoring, annual-review prep, and incident-response on call. Growth adds safeguarding-ledger oversight.

BoC registration fee: $2,500 pass-through, at cost.

Bundle anchor: a full build plus the first three months of the desk runs about $10,200, against a serious-violation penalty of up to $1M or an order to stop payments overnight. Built to be a fraction of a single enforcement action.

Straight answers

Questions we get on the first call.

We already have a law firm for this.+
Good, keep them for the legal opinion. What most firms don't do is build and operate the framework, run the annual report, and hold the 48-hour incident clock month to month. That operational side is the part we run.
We're too small for this to apply.+
The rules have no small-business exemption. About 95% of the registry is small businesses under exactly the same obligations. And the Snapshot is free, so if you're already covered you walk away with documented proof.
Isn't this expensive?+
Compare it to the anchor. A build plus three months of the desk is roughly $10,200, against a serious-violation penalty up to $1M or an order that stops your revenue. And the $2,000 audit credits in full toward the build.
Can't we handle it internally?+
You can, the guidelines are public. The catch is doing it to evidence standard: the framework, the daily ledger, the runbook, the annual report, the independent review, all documented so you can demonstrate compliance on request. If your team has the hours, great. If not, that's the gap we fill.

See exactly where you stand.

A free 15-minute RPAA Readiness Snapshot across the four obligations. No legal opinion, no obligation.

Book a free Snapshot