The compliance desk for registered payment service providers.
You're on the Bank of Canada's PSP registry. We build and run your RPAA frameworks so your team doesn't have to.
Operational compliance support, not legal advice. Bilingual, FR or EN.
Four obligations, live since September 2025.
Every registered PSP carries these. Most teams under 20 people have nobody assigned to them.
Operational-risk + incident-response framework
A documented framework to identify and manage operational risk, tested on a schedule, with the evidence to show it.
Safeguarding-of-funds framework
For PSPs that hold end-user funds: a segregated account, a daily fund ledger, a named senior officer, and an independent review every three years.
48-hour incident notification
A material incident means notifying affected parties and the Bank within 48 hours of determining it is material. That needs a runbook, not a scramble.
Annual report to the Bank
Every March 31, a report confirming your frameworks, activity metrics, and any significant incidents or changes during the year.
This is not a someday problem.
Registration was the easy part. Supervision is ongoing, and the penalties are real.
On February 17, 2026, the Bank of Canada issued a temporary order requiring XTM Inc. to immediately stop all retail payment activities, over concerns it had failed to safeguard client funds. It was the first time the Bank used that power against a PSP.
Source: Bank of Canada compliance order, Feb 17, 2026. Figures per the Bank's Administrative Monetary Penalties policy.
We build it, then we run it.
A done-for-you desk that turns the RPAA obligations into documents and a routine, so nobody on your side has to become the compliance department.
- 1Readiness audit. An obligation-by-obligation review of where you stand and what is missing, in priority order.
- 2Framework build. The ops-risk and incident-response framework, the 48-hour runbook, and the safeguarding framework if you hold funds.
- 3Annual report prep. We assemble and dry-run your PSP Connect report before the March 31 window.
- 4Ongoing desk. Reg-change monitoring, the annual review, and incident-response on call.
We're the ops arm, not a law firm.
Keep your lawyer for the legal opinion on scope. What they usually don't do is build and operate the framework, run the annual report, and sit on the incident clock month to month. That's the part we run, at a fixed fee, in French or English.
Most of this market is quote-only. Ours isn't.
A productized desk that sits under the five-figure BigLaw and consultancy quotes, built for the small businesses that are 95% of the registry.
Readiness Snapshot
A live look at where you stand across the four obligations. No legal opinion, just the operational picture.
Framework Build
The full framework set, the 48-hour incident runbook, notification templates, and an evidence pack. Safeguarding tier for holds-funds PSPs.
Compliance Desk
Framework maintenance, reg-change monitoring, annual-review prep, and incident-response on call. Growth adds safeguarding-ledger oversight.
Bundle anchor: a full build plus the first three months of the desk runs about $10,200, against a serious-violation penalty of up to $1M or an order to stop payments overnight. Built to be a fraction of a single enforcement action.
Questions we get on the first call.
We already have a law firm for this.+
We're too small for this to apply.+
Isn't this expensive?+
Can't we handle it internally?+
See exactly where you stand.
A free 15-minute RPAA Readiness Snapshot across the four obligations. No legal opinion, no obligation.
Book a free Snapshot