Skip Navigation

Bank of Canada Outlines Annual Reporting Requirements for Registered PSPs Under the Retail Payment Activities Act

By Liliane Langevin, Bonny Murray and Jacqueline D. Shinfield
January 27, 2026
Overview
More information

The Bank of Canada (Bank) recently conducted an information session and released a detailed guide in anticipation of the upcoming deadline for payment service providers (PSPs) to file their first annual report under the Retail Payment Activities Act (RPAA).

Under the RPAA and Retail Payment Activities Regulations, registered PSPs are required to file an annual report detailing their compliance with operational risk and safeguarding frameworks, comprehensive metrics on transaction volumes, and significant business changes or incidents experienced during the year.

The Bank has established the following deadlines for the 2025 reporting year:

  • All PSPs registered prior to March 9, 2026, must submit their annual report by March 31, 2026.
  • PSPs registered between March 9 and March 30, 2026, are granted an extension until April 28, 2026.
  • Entities still in the application phase on March 31, 2026, are exempt from the 2025 filing.

Reporting Elements

The reporting form available on the PSP Connect portal is divided into five primary sections:

1. Operational Risk and Incident Management

Registered PSPs must provide comprehensive data on the efficacy and oversight of their risk frameworks and identify specific risk categories such as cybersecurity, fraud and third-party risks monitored during the year. The report also requires granular disclosure of operational reliability targets for system availability and confidentiality, as well as evidence of the human and financial resources (including full-time equivalent counts) dedicated to risk mitigation. Furthermore, PSPs must confirm key elements of their incident response plans, specifically their ability to manage and recover from incidents caused internally or by third-party service providers.

2. Safeguarding of End-User Funds

This section is mandatory for any PSP that is performing the payment function of “holding funds” on behalf of end users. The Bank requires detailed reporting on the frameworks used to protect end-user funds. PSPs must specify whether they use a trust account or an account paired with insurance or a guarantee. PSPs must also log every instance in which safeguarded funds were insufficient, detailing the date, root cause (e.g., system failures or processing constraints), maximum daily shortfall amount and measures taken to prevent recurrence.

3. Significant Changes and Incidents

PSPs are required to identify all “significant changes” from the reporting year. The RPAA provides that a change is significant if it could reasonably be expected to have a material impact on operational risks or the manner in which end-user funds are safeguarded. Examples in the form include new outsourcing arrangements, geographic expansions or changes in technology that materially impact risk. Furthermore, the report must include a comprehensive log of all incidents, including those not previously reported to the Bank, such as cyberattacks or system failures.

4. Ubiquity and Interconnectedness Metrics

The Bank requires PSPs to submit granular quantitative data to assess a PSP’s impact on the Canadian financial ecosystem:

  • Number and volume of electronic funds transfers (EFTs), broken down by currency
  • Total number of end users and amount of funds held on behalf of end users
  • Services provided to other PSPs

5. Financial Information and Record-Keeping

PSPs must report core financial metrics, including total revenue, operating expenses and total equity. While financial metrics can follow the PSP’s fiscal year-end, most other report data must align with the calendar year.

Preparing for the Upcoming Report

The annual reporting form on the PSP Connect portal will be available on February 2, 2026. PSPs can start and amend their submissions at any time until the March 31 deadline.

Given the complexity of the data required, including monthly EFT metrics and detailed incident logs, it’s recommended that PSPs begin aggregating information well before the March 31, 2026, deadline.

Failure to submit a complete report by the deadline, or the submission of false or misleading information, are considered violations of the RPAA and may lead to administrative monetary penalties.

If you have any questions on the PSP annual report, please do not hesitate to contact the authors or any other member of the Financial Services Regulatory group.

Related Insights

Investment Canada Act Update: Canada Opens Door to Greater Investment From China and Expands Global Opportunities
Bulletins

Learn about new opportunities for foreign investment in Canada, including renewed economic ties to China and agreements...
Amendments to Ontario's Construction Act Now in Force
Bulletins
Have Foreign Public-Sector Clients? Consultation Open on Foreign Influence Transparency Draft Regulations
Bulletins

A public consultation is underway until February 2, 2026, on draft regulations for Canada’s foreign influence transparency...
More insights

Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. We would be pleased to provide additional details or advice about specific situations if desired.

For permission to republish this content, please contact the Blakes Client Relations & Marketing Department at [email protected].
© 2026 Blake, Cassels & Graydon LLP

Ask Our Lawyers

Practices

Sectors

Save as PDF