Canada RPAA & RPAR Safeguarding Update (effective 8 Sep 2025): What PSPs and MSBs Must Do Now

Intro - what changed and why it matters

On 8 September 2025 the Bank of Canada’s Retail Payment Activities Act (RPAA) and the associated Retail Payment Activities Regulations (RPAR) brought in mandatory safeguarding rules for payment service providers (PSPs) that hold end-user funds. The objective: protect customers from loss if a PSP becomes insolvent or operationally fails, and to raise resilience across Canada’s retail payments ecosystem.

Who must comply?

Any PSP that “holds funds on behalf of an end user” while providing retail payment services must comply with the safeguarding requirements. This captures many Payment Service Providers, payment processors, and money service businesses (MSBs) that custody customer balances as part of their payment flows. The Bank expects registered PSPs to demonstrate compliance or a clear remediation plan by the enforcement date.

Permitted safeguarding approaches (two primary options)

The RPAR provides PSPs with two alternative approaches to safeguarding end-user funds. Firms must choose one and maintain the chosen arrangement consistently unless they notify and obtain any required approvals:

1. Trust or prescribed account - Place end-user funds in a secured trust arrangement or a prescribed account structure that isolates customer monies from the PSP’s own assets (i.e., segregation). This is the traditional model used widely in payments and e-money regimes to protect clients from creditors in insolvency.

2. Insurance policy or guarantee - Hold an insurance policy or comparable guarantee that meets regulatory criteria and covers losses to end users up to the required thresholds. The insurance/guarantee option allows firms that prefer balance-sheet efficiency to maintain business liquidity while still protecting users via an insurer/guarantor.

Key practical point: whichever route is chosen, PSPs must document the arrangement in policy and operational procedures and ensure that the mechanism provides immediate, reliable protection for end-user funds in practice (not just in theory).

What the Bank of Canada expects from PSPs

The Bank’s supervisory guidance sets out concrete expectations around:

• Documentation & governance: formal safeguarding policy, roles and responsibilities, and board oversight.

• Operational controls: reconciliation, segregation controls, third-party oversight (e.g., custodial banks or insurers) and operational testing.

• Reporting & incident management: timely incident reporting and ongoing reporting obligations under RPAA/RPAR. Registered PSPs must also be prepared for supervisory assessments and information requests.

Timeline, enforcement & penalties

• The safeguarding and risk-management provisions came into force on September 8, 2025; PSPs should already be implementing or operating compliant arrangements. The Bank expects registered PSPs to either comply or have documented remediation plans.

• Non-compliance can attract supervisory measures and administrative monetary penalties. The Regulations contemplate significant fines for serious or very serious violations - making compliance a priority for any PSP handling client funds.

Practical checklist for PSPs / MSBs

1. Determine whether you hold end-user funds in scope of RPAA.

2. Select your safeguarding approach (trust/prescribed account OR insurance/guarantee).

3. Engage service providers (trustee bank, custodian, insurer) and negotiate needed agreements.

4. Update governance and policies - board approval, risk appetite, reconciliation cadence.

5. Test operational controls and perform dry runs for insolvency/claims scenarios.

6. Prepare reporting templates and internal incident escalation aligned with RPAA timelines.

7. Document remediation plans if any gaps remain, with clear milestones

Impact on business models & customer experience

Choosing trust/segregation provides the strongest legal isolation of funds (preferred by some regulators and custodians), but can require more capital or working-capital planning. Insurance/guarantee solutions can be more capital efficient but depend on insurer credit quality and the specific terms of cover. PSPs should perform a cost/benefit and legal insolvency analysis before deciding.

How Zitadelle AG can help

Zitadelle AG advises fintechs, MSBs and cross-border PSPs on regulatory compliance, structuring safeguarding arrangements, and preparing documentation for registration and supervision. We provide:

• Gap analyses vs. RPAA/RPAR and Bank of Canada guidance.

• Drafting trustee/prescribed-account agreements and insurer/guarantee specifications.

• Assistance with governance updates, reconciliation design, and supervisory responses.

Contact us for a RPAA readiness assessment tailored to your business model.

FAQs (short)

Q: When did the safeguarding rules take effect?
A: September 8, 2025.

Q: Can I mix trust and insurance across different client products?
A: The Bank expects clarity and consistency; mixing approaches is possible but requires careful documentation, segregation by product and clear customer disclosure. Consult legal counsel for product-level design.

Q: What are the biggest supervisory risks?
A: Weak segregation, poor reconciliation, inadequate documentation, and reliance on insurers with insufficient claims processes are common problem areas flagged by supervisors.