Canadian Retail Payment Activities Act (RPAA): Registration Rules and Crypto Compliance

Executive summary

Canada’s Retail Payment Activities Act (RPAA) establishes a federal registration and supervisory regime for payment service providers (PSPs) that perform one or more defined payment functions in relation to electronic funds transfers (EFTs) denominated in Canadian or foreign currency – or a prescribed unit. PSPs that meet the statutory test must register with the Bank of Canada before performing retail payment activities and comply with risk-management and incident-response expectations, among other requirements.

For crypto businesses, the RPAA is activity-based. Purely crypto-to-crypto services with no fiat EFTs are generally out of scope, while crypto cards, fiat on/off-ramps, and wallets that store or handle fiat balances can bring an entity into scope as a PSP. The Bank’s case scenarios confirm that a cryptocurrency-backed prepaid card program typically triggers PSP registration (assuming the other criteria are met).

The registration application is filed through PSP Connect, and, during the transition period, applicants complete an initial registration phase. A CAD 2,500 non-refundable registration fee is payable on submission.

1) Statutory architecture and the four-step test

The Bank of Canada’s supervisory policy distills the RPAA’s scope into a four-part test. You must register if all are true:

1. you are a PSP;
2. you perform one or more payment functions (not merely incidental to a non-payment business);
3. those functions relate to an EFT in fiat currency or a prescribed unit; and
4. your activities fall within the Act’s geographic nexus and are not excluded.

What is a “payment service provider”?

A PSP is “an individual or entity that performs payment functions as a service or business activity that is not incidental to another service or business activity.”

The five payment functions

Section 2 of the RPAA recognizes five functions. Performing any one of them in relation to a covered EFT may trigger registration:

• Provision or maintenance of an account (e.g., storing end-user personal or financial data for future EFTs)
• Holding funds on behalf of an end user
• Initiation of an EFT at an end user’s request
• Authorization of an EFT, or transmission, reception, or facilitation of an instruction in relation to an EFT
• Provision of clearing or settlement services

Electronic funds transfers and currency

The RPAA focuses on EFTs – movements of money by electronic means rather than cash (e.g., card transactions, direct deposits, P2P payments). Covered EFTs must be in Canadian currency, foreign currency, or a prescribed unit.

Geographic scope

A PSP is in scope if it has a place of business in Canada, or if it directs services at, and performs services for, individuals or entities in Canada. Indicators include a Canadian incorporation, home or other physical presence, employees or agents in Canada, .ca domains, Canadian-facing marketing, or offering services in CAD.

Exclusions

The RPAA excludes certain entities (e.g., banks and certain provincially regulated trust companies) and activities (e.g., incidental activities, securities-related transactions, and internal/closed-loop transactions). If an entity is performing retail payment activities to give effect to securities transactions and is regulated or exempted under provincial securities law, those activities may be excluded; other activities by that same entity may still be captured.

2) Activities covered (and not covered) in practice

Because the RPAA is activity-based, the key question is: what exactly do you do in the payment chain?

• Providing/maintaining an account: Storing end-user personal or financial data for future EFTs qualifies – even if there’s no end-user portal.
  
• Holding funds: Keeping end-user fiat funds at rest for later withdrawal or transfer (e.g., prepaid balances, neobank accounts) can qualify.
  
• Initiation: Operating a front end that captures credentials and packages the first instruction to launch an EFT can qualify.
  
• Authorization / transmission / reception / facilitation: Requesting end-user consent, confirming available balance, debiting/crediting, or routing payment instructions through infrastructure and interfaces can qualify.

By contrast, cash-only transactions are not EFTs and are outside RPAA scope.

3) Crypto: when the RPAA applies (and when it doesn’t)

Out of scope: crypto-only with no fiat EFTs

If a business performs payment-like functions but all activity occurs in crypto, with no Canadian or foreign currency involved, the RPAA does not apply because there is no EFT in fiat or prescribed units.

Incidental to a non-payment activity or captured by the securities exclusion

A centralized crypto exchange that lets users buy/sell crypto and hold fiat balances might perform several payment functions (account provision, holding funds, initiation, authorization). Yet, where those functions only support trading and the platform is regulated or exempt under securities law, the activities can be incidental or excluded and therefore not trigger RPAA registration.

In scope: crypto-backed cards and fiat on/off-ramps

Where a crypto business offers a prepaid/debit card that allows users to spend at merchants in CAD or foreign currency, the activity typically crosses into RPAA scope. In the Bank’s scenario, the exchange (Company C) maintains user payment accounts, authorizes transactions, updates ledgers, and instructs its partner bank to fund the card in fiat following crypto conversion. Because the card service is marketed as payments, generates its own revenue (interchange), and executes fiat-denominated purchases, the functions are not incidental and PSP registration is required (assuming the other criteria are met).

Key takeaways for crypto operators

• Crypto-only rails: Outside RPAA unless/until fiat or a prescribed unit is involved.
• Crypto + fiat touchpoints (custody of fiat balances, card programs, banking rails): Strong RPAA signals – expect PSP registration unless an exclusion fits.
• Securities law interplay: If the retail payment function gives effect to securities transactions and the entity is regulated/exempt under securities law, the activity may be excluded; other payment activities could still be in scope.

4) The RPAA registration process (what to expect)

Timing and platform

During the transition period, PSPs that perform or plan to perform retail payment activities must apply to register. The process is completed online through PSP Connect.

Application structure and content

The Bank’s Step-by-Step Guide identifies the information you’ll be asked to provide, including:

• Applicant identification and operating status (published on the registry pursuant to RPAA s.26)
• Business structure (organization chart; control)
• Payment functions performed
• EFTs, currencies, exclusions
• Geographic perimeter
• Volumes/values and end-user interconnectedness
• Risk-management and incident-response framework (Section 11)
• Third-party service providers (TPSPs) and agents/mandataries (Sections 13–14)
• FINTRAC declaration and provincial/territorial registrations (Sections 16–17)
• Fee payment and submission (Section 18)

Practical note: the guide advises gathering materials in advance and confirms that the application can be saved and completed later.

Registration fee and payment method

• Fee: CAD 2,500, payable at submission.
• Payment methods: The Bank accepts Visa, Mastercard, Discover, UnionPay, Visa Debit, and Mastercard Debit for the registration fee.

After submission (via PSP Connect), the Bank sends a confirmation that the application was received.

5) How RPAA expectations intersect with crypto business models

Although the RPAA is not a prudential capital regime for PSPs, it emphasizes operational risk management, incident response, and governance. Applicants are expected to provide risk-management and incident-response frameworks and disclose interconnections with third-party service providers and agents – critical for crypto models involving card issuers, program managers, custodians, exchanges, liquidity providers, and compliance vendors.

For a crypto card proposition:

• The card issuer (typically a bank or card-issuing financial institution) may be entity-excluded under the RPAA; however, non-bank program managers and exchanges that provide or maintain accounts, authorize, or transmit instructions for EFTs in CAD/FX are likely in scope as PSPs.
  
• Marketing and revenue matter: when the payments service is marketed and monetized (e.g., interchange) and users expect fiat spend at merchants, the activity is not incidental and registration is required.
  
• Conversely, if fiat handling is incidental to a securities-regulated trading activity, RPAA may not apply to those particular functions – though any separate payments activity could still be captured.

6) Borderline questions and common pitfalls

1. “We only pass instructions; we don’t touch customer money.”
   Even if you don’t hold funds, authorizing EFTs or transmitting, receiving, or facilitating instructions can be a payment function in itself.
   
2. “Our users only pay in crypto.”
   If no fiat EFT is involved, RPAA is typically not engaged. Reassess if you introduce CAD/FX rails or a prescribed unit.
   
3. “We’re incorporated outside Canada.”
   You can still be captured if you direct services at and perform services for end users in Canada (e.g., Canadian marketing, .ca domain, CAD pricing).
   
4. “Our bank partner is regulated – so we’re excluded too, right?”
   No. Bank/authorized foreign bank exclusions do not automatically extend to partners. Each entity must assess its own activities.

7) The application workflow – practical guideposts

Create PSP Connect account → Complete form → Upload organization chart → Describe payment functions and EFT flows → Provide geographic and volume data → Provide risk & incident frameworks → Disclose TPSPs/agents → Make provincial/territorial disclosures → Pay CAD 2,500 → Submit and retain confirmation.

Tips to de-risk review

• Map your end-to-end payment chain, naming each participant (issuer, program manager, processor, card network, sponsoring FI, custodians, liquidity providers).
  
• Describe who stores end-user data (account provision), who touches fiat balances (holding funds), who captures/creates the first instruction (initiation), who requests consent or debits/credits (authorization), and who routes instructions (transmission/facilitation).
  
• If you believe an exclusion applies (e.g., securities-related), explain why and which activities remain in scope.

8) Fees

The RPAA regime currently requires payment of a registration application fee of CAD 2,500, payable by card through PSP Connect at the time of submission. The Bank’s materials describe accepted payment methods (Visa, Mastercard, Discover, UnionPay, Visa Debit, Mastercard Debit). After payment and submission, the Bank issues a receipt confirmation through PSP Connect.

9) Why this matters to crypto issuers and program managers

• A crypto card that enables merchant spend in CAD/FX is likely a retail payment service – not merely an incidental feature. Expect PSP registration for the program manager or exchange entity powering the card.
  
• If your exchange holds fiat balances, initiates or authorizes EFTs, or routes instructions for fiat leg settlement, you may be performing payment functions and must assess RPAA scope independently of your securities compliance position.
  
• If you remain crypto-native only, without fiat EFTs, RPAA may not apply – but confirm that your business doesn’t direct or perform retail payment activities for Canadians via other touchpoints.

The RPAA ushers in a comprehensive, technology-neutral regime for retail payment activities, focusing on what you do rather than what you call yourself. For crypto-enabled payments, the decisive factors are fiat involvement, which payment functions you perform, whether they are incidental to a non-payment activity, and whether an exclusion applies. Crypto card programs and fiat on/off-ramps typically sit squarely within the RPAA’s scope and should be planned with PSP registration in mind.

If you are contemplating a Canadian launch – or re-architecting your stack – the prudent path is to map your flows against the five payment functions, confirm geographic nexus, check exclusions, and prepare a PSP Connect application that clearly documents risk management, incident response, and third-party dependencies.

How Cryptoverse Legal Can Help

We help VASPs, Web3 founders, and institutions navigate crypto regulations in the UAE and across global hubs. From VARA and SCA to MiCA and MAS, we turn complex rules into clear, actionable licensing and compliance strategies.

We are specialist crypto and virtual assets lawyers based in Dubai. We advise startups, founders, and investors on blockchain, Web3, DeFi, dApps, payment services, and cryptocurrency transactions.

Our team provides end-to-end legal support – from VASP licensing to token structuring, AML/CTF compliance, and cross-border licensing support.

Whether you are launching in Dubai or expanding globally, we deliver regulator-ready solutions that help you build, scale, and stay compliant in the fast-moving crypto economy.

Disclaimer:

This article provides general information for founders and operators. It is not legal advice and should not be relied upon as a substitute for specific counsel on your facts.

FAQs: