What is an MSB and do I need to register with FINTRAC?

A Money Service Business (MSB) is any entity that provides financial services such as foreign exchange, money transfers, dealing in virtual currencies, or issuing/redeeming money orders. Under Canada's Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), all MSBs — both domestic and foreign — must register with FINTRAC before operating in or from Canada.

How long does MSB registration take in Canada?

With proper preparation, the FINTRAC registration process can be completed within 30 days. This includes incorporating your company, preparing all required documentation, and submitting the MSB registration application. Delays typically occur when documentation is incomplete or the compliance program isn't properly structured.

Do I need a compliance program to register as an MSB?

Yes. Under the PCMLTFA, every registered MSB in Canada must implement a full AML/ATF compliance program. This includes appointing a Compliance Officer, developing written policies and procedures, conducting risk assessments, implementing KYC processes, providing staff training, and maintaining a two-year effectiveness review cycle. FINTRAC can examine your compliance program at any time.

Can a non-resident start an MSB in Canada?

Yes. Non-residents can incorporate a company and register an MSB in Canada. There are specific requirements around directors, registered addresses, and compliance infrastructure that must be met. We work with international founders regularly and can guide you through the entire process — from incorporation to FINTRAC registration and banking.

Why is it so difficult for MSBs to get a bank account in Canada?

Canadian banks consider MSBs high-risk clients due to money laundering and terrorist financing concerns. Many banks have strict de-risking policies. Success depends on having a strong compliance program, clear documentation of your business model, and approaching the right financial institutions with a properly prepared application.

Do crypto businesses need to register as MSBs in Canada?

Yes. Since June 2020, businesses dealing in virtual currencies are classified as MSBs under Canadian law. This includes crypto exchanges, crypto ATM operators, and any business that provides virtual currency exchange services. These businesses must register with FINTRAC, implement a full compliance program, and report transactions just like any other MSB. Foreign-based crypto platforms serving Canadian users are also required to register.

What is the RPAA and does my business need to register?

The Retail Payment Activities Act (RPAA) is a regulatory framework overseen by the Bank of Canada that applies to Payment Service Providers. If your business is involved in electronic funds transfers, holding funds for end users, or providing clearing and settlement services, you likely need to register under the RPAA. The RPAA applies to payment processors, fintech companies, crypto exchanges with payment functions, e-commerce platforms, and prepaid card issuers.

RPAA Registration in Canada

The New Reality

The RPAA changed the rules for payment businesses in Canada. If you process payments, hold client funds, or provide clearing and settlement services - you're now regulated by the Bank of Canada.

Before the RPAA, many payment service providers operated in a regulatory gap - registered as MSBs with FINTRAC for AML purposes, but with no oversight of their operational risk, fund safeguarding, or incident response capabilities. The Bank of Canada closed that gap.

The RPAA introduces a separate registration framework with its own requirements: risk management policies, safeguarding of end-user funds, incident response procedures, and ongoing reporting to the Bank of Canada. This is not an extension of your FINTRAC obligations - it's an entirely new compliance layer.

Many PSPs are discovering this too late. Some assumed FINTRAC registration was sufficient. Others didn't realize the RPAA applies to their specific activities. By the time they understand the scope, they've already missed deadlines or made structural decisions that complicate registration.

We guide payment businesses through the entire RPAA registration process - from initial assessment to Bank of Canada approval. No guesswork, no missed requirements, no delays.

What Goes Wrong

Why PSPs struggle with RPAA registration

Confusion with FINTRAC

Many payment businesses assume their existing MSB registration covers them. It doesn't. The RPAA is a completely separate regime, administered by the Bank of Canada - not FINTRAC. Different regulator, different requirements, different application. Treating them as the same thing leads to compliance gaps that can shut down your operations.

Unclear Scope

The RPAA covers electronic fund transfers, fund holding, and clearing and settlement - but the boundaries aren't always obvious. Does your platform hold funds in transit? Do you perform payment initiation? Many PSPs can't answer these questions definitively, which means they can't determine their own registration obligations without expert analysis.

No Risk Management Framework

The Bank of Canada expects a documented risk management framework covering operational risk, safeguarding of funds, and incident response - before you register. Most PSPs don't have this. Building one from scratch without understanding what the Bank of Canada actually looks for results in frameworks that fail review and delay registration.

Missed Deadlines

The RPAA rolled out in phases. PSPs that missed initial registration windows now face compressed timelines and heightened scrutiny. Playing catch-up under regulatory pressure is stressful, expensive, and creates operational risk that could have been avoided with timely action.

DIY Documentation

The RPAA requires specific policies, procedures, and disclosures that don't exist as off-the-shelf templates. PSPs that attempt to draft these internally - without understanding the Bank of Canada's expectations - produce documentation that's either too vague to satisfy reviewers or too disconnected from their actual operations to be useful.

Operational Disruption

Non-compliance with the RPAA can result in administrative monetary penalties, public disclosure, and - in severe cases - orders to cease payment activities. For a business whose revenue depends on processing transactions, even a temporary disruption can mean lost clients, damaged partnerships, and a reputation that's difficult to rebuild.

What's Included

Complete RPAA registration and compliance package

RPAA Applicability Assessment

We analyze your business model, payment flows, and operational structure to determine exactly which RPAA requirements apply to you - and which don't. No ambiguity, no over-compliance, no gaps.

Risk Management Framework

Development of a comprehensive risk management framework covering operational risk identification, mitigation controls, and ongoing monitoring - built to meet the Bank of Canada's specific expectations for PSPs.

Safeguarding of Funds Policy

Documentation of how end-user funds are protected throughout the payment lifecycle - segregation, insurance, trust arrangements, or other safeguarding mechanisms required under the RPAA.

Incident Response Procedures

A structured incident response plan covering detection, escalation, containment, and reporting of operational incidents - aligned with the Bank of Canada's notification requirements for PSPs.

Full Application Preparation

Every form, every supporting document, every disclosure - prepared, reviewed, and filed with the Bank of Canada. We manage the entire submission process and handle all correspondence on your behalf.

Ongoing Compliance Support

RPAA registration isn't a one-time event. We help you maintain compliance with ongoing reporting obligations, annual updates, and any regulatory changes as the RPAA framework evolves.

Start Your Registration

Who Needs to Register

Payment businesses covered by the RPAA

Payment Processors

Companies that initiate, authorize, or facilitate electronic fund transfers on behalf of merchants or consumers. If you move money electronically between parties, the RPAA likely applies to you.

Fintech Platforms

Digital platforms that enable peer-to-peer transfers, bill payments, or account-to-account transactions. The RPAA captures a wide range of fintech activities that were previously unregulated in Canada.

E-Commerce Payment Providers

Payment gateways and checkout solutions that process transactions for online merchants. If you handle payment initiation or fund settlement, RPAA registration is required.

Crypto Payment Services

Crypto businesses that facilitate payments or hold funds as part of a transaction flow. The RPAA extends to virtual currency payment functions alongside your existing FINTRAC MSB obligations.

Prepaid Card Issuers

Companies issuing prepaid cards, stored-value products, or digital wallets where end-user funds are held. Fund-holding activities are a core trigger for RPAA registration.

Clearing & Settlement Providers

Entities involved in the clearing or settlement of retail payment transactions. These activities fall squarely within the RPAA's scope regardless of transaction volume or business size.

Understanding the Difference

RPAA registration vs. FINTRAC MSB registration

RPAA - Bank of Canada

Regulator Bank of Canada
Focus Operational risk, fund safeguarding, incident response
Applies to Payment service providers (PSPs)
Key requirements Risk management framework, safeguarding policies, reporting
Legislation Retail Payment Activities Act (RPAA)

MSB - FINTRAC

Regulator FINTRAC
Focus Anti-money laundering, counter-terrorist financing
Applies to Money service businesses (MSBs)
Key requirements AML/ATF compliance program, KYC, transaction reporting
Legislation PCMLTFA

Many payment businesses require both registrations. The RPAA doesn't replace your FINTRAC obligations - it adds a second regulatory layer focused on operational resilience and consumer protection. We help clients navigate both frameworks simultaneously.

How It Works

From assessment to Bank of Canada registration

Applicability Review

We map your payment flows and business activities against the RPAA's scope to determine your registration obligations, applicable payment functions, and compliance requirements.

Framework Development

Risk management framework, safeguarding policies, incident response procedures, and all required documentation - built specifically for your operations and the Bank of Canada's expectations.

Application & Filing

Complete application preparation and submission to the Bank of Canada. We handle all correspondence, information requests, and follow-up communications throughout the review process.

Registration & Monitoring

Once registered, we support you with ongoing compliance - annual reporting, framework updates, and adapting to regulatory changes as the RPAA evolves.

Why BEMSB

The RPAA is new. Most consultants are still figuring it out. We're already filing applications.

We started preparing for the RPAA before it came into force - studying the legislation, analyzing the Bank of Canada's guidance, and building the frameworks that PSPs would need. While other advisors were reading about the RPAA, we were already helping clients register.

Our advantage is practical experience. We've operated MSBs ourselves and understand payment infrastructure from the inside - not just the regulatory text, but how payment flows actually work, where operational risks live, and what the Bank of Canada is really looking for when they review an application.

The RPAA is a moving target. New guidance, new interpretations, and evolving expectations from the regulator. We stay ahead of these changes so our clients don't get caught off guard.

When you work with us, your RPAA registration is handled by people who understand both the regulation and the business it applies to.

Frequently Asked Questions

RPAA registration and compliance

The Retail Payment Activities Act (RPAA) is a Canadian federal law that establishes a regulatory framework for payment service providers, overseen by the Bank of Canada. It was introduced to address the operational risks associated with retail payment activities - including electronic fund transfers, fund holding, and clearing and settlement. The RPAA requires PSPs to register with the Bank of Canada, implement risk management frameworks, safeguard end-user funds, and maintain incident response capabilities.

The RPAA applies to any entity that performs one or more retail payment activities in Canada: electronic fund transfers, holding funds on behalf of an end user as part of a payment transaction, or providing clearing or settlement services. This includes payment processors, fintech platforms, e-commerce payment gateways, prepaid card issuers, crypto payment services, and many other businesses that handle money movement. If you're unsure whether the RPAA applies to your specific activities, we provide a detailed applicability assessment as the first step of our engagement.

Possibly, yes. FINTRAC registration and RPAA registration serve different purposes and are administered by different regulators. Your MSB registration covers anti-money laundering and counter-terrorist financing obligations. The RPAA covers operational risk, fund safeguarding, and payment system integrity. If your MSB activities include electronic fund transfers, holding end-user funds, or clearing and settlement, you likely need to register under the RPAA as well. Many of our clients hold both registrations - and we help them manage compliance across both frameworks.

The RPAA requires PSPs to establish and maintain a risk management framework that identifies, assesses, and mitigates operational risks associated with their payment activities. This includes risks related to technology, information security, business continuity, third-party service providers, and fund safeguarding. The framework must be documented, reviewed regularly, and supported by policies and procedures that demonstrate how your business manages these risks in practice. We build these frameworks based on what the Bank of Canada actually expects - not generic risk management templates.

Operating as an unregistered PSP when the RPAA applies to your activities exposes you to enforcement action by the Bank of Canada. Consequences can include administrative monetary penalties, public disclosure of non-compliance, compliance orders requiring you to take corrective action, and - in serious cases - an order to cease your payment activities. Beyond regulatory penalties, non-compliance creates business risk: banking partners, payment networks, and commercial clients increasingly expect RPAA compliance as a baseline requirement for working with Canadian PSPs.

The timeline depends on the complexity of your payment activities and the current state of your internal documentation. For a well-prepared PSP, we can typically have the full application - including risk management framework, safeguarding policies, and all supporting documentation - ready for submission within 4 to 6 weeks. The Bank of Canada's review timeline varies, but a complete, professionally prepared application moves through the process significantly faster than one that triggers information requests and clarification rounds.

Yes. The RPAA's reach extends to foreign PSPs that perform retail payment activities for end users in Canada. If your platform processes payments, holds funds, or facilitates transactions involving Canadian end users - regardless of where your company is incorporated - you may be required to register with the Bank of Canada. The cross-border applicability mirrors the approach used for Foreign Money Service Businesses (FMSBs) under FINTRAC, but with its own set of requirements. We help international PSPs assess their RPAA obligations and manage the registration process from abroad.

RPAA Registration for Payment Service Providers in Canada