ARTICLE
14 November 2025

Safeguarding End-User Funds Under The Retail Payment Activities Act

ML
McMillan LLP

Contributor

McMillan LLP logo
McMillan is a leading business law firm serving public, private and not-for-profit clients across key industries in Canada, the United States and internationally. With recognized expertise and acknowledged leadership in major business sectors, we provide solutions-oriented legal advice through our offices in Vancouver, Calgary, Toronto, Ottawa and Montréal. Our firm values – respect, teamwork, commitment, client service and professional excellence – are at the heart of McMillan’s commitment to serve our clients, our local communities and the legal profession.
Explore Firm Details
Lexpert Firm Profile
As of September 8, 2025, the ongoing compliance obligations outlined in the Retail Payment Activities Act (Canada) (the "RPAA") came into force.
Canada Finance and Banking
Shahen A. Mirakian,Robert C. Piasentin,Michael Christ
+2 Authors
 Your Author LinkedIn Connections
McMillan LLP are most popular:
  • within Transport and Insolvency/Bankruptcy/Re-Structuring topic(s)
  • with Senior Company Executives, HR and Finance and Tax Executives
  • with readers working within the Accounting & Consultancy, Banking & Credit and Business & Consumer Services industries

As of September 8, 2025, the ongoing compliance obligations outlined in the Retail Payment Activities Act (Canada) (the "RPAA") came into force. Registered payment service providers and parties that have applied for registration as payment service providers whose applications are in process (collectively, "PSPs") must now comply with various regulatory obligations, one of which requires PSPs that hold end user funds to establish a safeguarding framework (the "Safeguarding Framework"). To support compliance, the Bank of Canada (the "BOC") recently updated its Frequently Asked Questions about retail payments supervision ("FAQs"), which address questions asked by PSPs and their service providers regarding the BOC's expectations for the Safeguarding Framework and other regulatory obligations.

For more information on the regulatory framework of the RPAA, please read our previous bulletins titled Who is Caught by Canada's New Retail Payment Systems Regulation and Prepare for Regulation: Bank of Canada Introduces New Retail Payments Supervisory Framework.

The Safeguarding Framework

The purpose of the Safeguarding Framework is to ensure the protection of end-user funds held by a PSP from the moment such funds are received until they are withdrawn or transferred. The Safeguarding Framework also protects end-users from financial loss in the event a PSP becomes insolvent, while ensuring that end-users continue to have reliable and timely access to their funds. Under the RPAA, a compliant Safeguarding Framework requires PSPs to implement measures to safeguard end-user funds by:

  • segregating end-user funds from all other funds by using a safeguarding account not used for any other purpose; and
  • either holding end-user funds in trust in the safeguarding account; or using an insurance or a guarantee in respect of the end-user funds held in the safeguarding account.

Trust Accounts and Legal Opinions

One of the BOC's key updates pertains to the use of trust accounts in safeguarding end-user funds. To hold end-user funds in trust, PSPs must establish a trust arrangement that constitutes a valid express trust under Canadian law. It was previously understood that PSPs had to obtain legal advice confirming that the trust arrangement (i) is a valid express trust under Canadian law and (ii) meets the safeguarding objectives under the RPAA. The BOC's recent update takes this obligation one step further. During its periodic assessments of a PSP's regulatory compliance, the BOC will request a written legal opinion obtained by the PSP that must include the following:

  • a description of how the trust arrangement complies with either Canadian common law or the Civil Code of Québec;
  • a description and an assessment of risks and challenges associated with the PSP's trust arrangement and the PSP's compliance with the RPAA; and
  • how such risks and challenges were or will be addressed by the PSP.

Additional Updates to the Safeguarding Framework

The updated FAQs also provide the following additional guidance with respect to the Safeguarding Framework:

  • Insufficiency of Deposit Insurance Program. Merely holding end-user funds in an account at a financial institution that is a member of a federal or provincial deposit insurance program does not satisfy the safeguarding requirements under the RPAA. The purpose of the Safeguarding Framework is to ensure that end-users can access their funds as soon as feasible in the event of a PSP's insolvency. Relying solely on deposit insurance does not achieve this purpose since deposit insurance is not paid out when the PSP itself becomes insolvent. Deposit insurance is paid out in the event of insolvency of the financial institution.
  • Using Trust Accounts for Settlement Purposes. To preserve the integrity of a trust arrangement under the Safeguarding Framework, PSPs must avoid paying non-trust-related expenses from the trust account. Rather, PSPs should settle its obligations to payment networks or financial institutions from a separate account and ensure that the end-user funds are not used for ancillary purposes. As a best practice, PSPs should seek legal advice to ensure that the PSP's compliance with the RPAA is not compromised by the way in which the PSP uses the trust account.
  • Retaining Interest on End-User Funds. PSPs may retain the interest earned on end-user funds in an interest-earning account, provided that the PSP continues to meet all obligations and requirements under the RPAA and the Retail Payment Activities Regulations (the "RPAR"). However, where the end-user funds are held in trust accounts, the BOC expects PSPs to seek legal advice to confirm that retaining the interest earned does not jeopardize or invalidate the trust arrangement. The BOC also noted that interest-earning trust accounts raise tax issues that are currently being dealt with by the Department of Finance and tax authorities. Much like the case for trust accounts, where insurance or guarantee products are used to safeguard end-user funds, PSPs must ensure retaining interest does not impact the validity of the insurance or guarantee product.
  • Using Insurance and Guarantee Products. The BOC will not develop, design, or pre-approve specific insurance or guarantee products for PSPs, nor will the BOC provide a list of insurance or guarantee providers that PSPs may use as part of their Safeguarding Framework. The responsibility falls on the PSPs wholly to use insurance or guarantee products that meet all applicable requirements of the RPAA and the RPAR, one of which includes the requirement that the insurance or guarantee provider be independent from the PSP. Further, while the RPAA does not specify the form a guarantee must take, the BOC expects each guarantee to be a legal agreement between the PSP and the guarantee provider that includes terms demonstrating the satisfaction of the conditions outlined in the RPAR. The term insurance has purposely been left broad to allow for the development of multiple products that meet the RPAA requirements for end user funds protection. The main products currently available in the Canadian market that meet RPAA requirements are surety bonds.
  • Adequate Value of Insurance and Guarantee Products. The BOC recognizes that the amount held in a safeguarding account may fluctuate daily. Accordingly, the BOC expects PSPs to develop a methodology for determining the value of the insurance or guarantee that would account for daily fluctuations in the amount of end-user funds held. PSPs should additionally have systems and measures in place to detect instances where the coverage value of the insurance or guarantee is less than the amount of end-user funds safeguarded through such insurance or guarantee.
  • Insolvency Processes Involving PSPs. The BOC will not administer claims during or following a PSP's insolvency, nor will it provide notices to insurance or guarantee providers following a PSP's insolvency event. Each PSP must remain compliant with the RPAA with respect to the insolvency process to ensure timely payout of funds. To remain compliant, the Safeguarding Framework must include, among other things, procedures for how the provider of the insurance or guarantee product will be informed that an insolvency event triggering the payout of the insurance or guarantee has occurred.
  • Periodic Assessments by the BOC. As part of its periodic assessments, the BOC will determine whether there are any clauses or conditions in insurance and guarantee contracts, including those related to the termination of the contract, that will impede PSPs from complying with the safeguarding requirements under the RPAA.

Other Clarifications to the Regulatory Obligations

In addition to the updates to the Safeguarding Framework, the BOC also provided the following clarifications to the regulatory obligations of PSPs:

  • Documenting Risk Management and Incident Response Framework. PSPs must also maintain a risk management and incident response framework to identify and mitigate operational risks while ensuring effective responses to incidents. The BOC clarified in its FAQs that there is no one-size-fits-all structure, nor a standard way of documenting such a framework. Further, the BOC does not currently intend to publish an example of such framework. While there may not be a uniform structure or a standard documentation method, the BOC did note that a PSP may use its existing risk management and incident response framework, or a framework of its parent entity, to comply with regulatory obligations, provided that the framework complies with the requirements under the RPAA and the RPAR.
  • Role and Responsibility of Senior Officers. Senior officers of a PSP are responsible for overseeing the practices of the PSP and for ensuring that such practices comply with the regulatory obligations of the PSP. Accordingly, when appointing a senior officer, PSPs must be sure that the appointee has the necessary seniority, authority, and competence to fulfill their oversight responsibilities. Further, the BOC noted that senior officers do not need to be direct employees of the PSP, nor do they have to be located in Canada, so long as they satisfy the definition of senior officers under the RPAR. Under the RPAR, senior officers include officers who are not direct employees of a PSP but report directly to a PSP's board of directors, chief executive officer, or chief operating officer.
  • First Annual Report. The first annual report for PSPs will be due by March 31, 2026, and the BOC will provide the reporting form in PSP Connect in early 2026. PSPs are expected to provide information regarding their retail payment activities in 2025. The BOC has indicated that PSPs can provide their annual report in respect of their own fiscal year even if their fiscal year is not January to December as stated in the reporting form.

With all provisions of the RPAA now in force, PSPs should be especially cautious and mindful of their obligations under the RPAA and the RPAR. This bulletin provides a general overview of these compliance obligations. For tailored advice, please contact a member of McMillan's Financial Services or Technology Groups.

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2025

Authors
Photo of Shahen A. Mirakian
Shahen A. Mirakian
Photo of Robert C. Piasentin
Robert C. Piasentin
Photo of Isabelle Guevara
Isabelle Guevara
Photo of Michael Christ
Michael Christ
Photo of Brandon Hsu
Brandon Hsu
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More