Folio 06 News Update

Bank of Canada restates the RPAA reporting calendar for PSPs

Registered payment service providers now have a concise Bank of Canada reminder covering every major RPAA reporting rail. The practical message is to classify a change before implementation: one project can trigger an incident notice, a significant-change filing, a registration update or a new registration application for an acquisition of control.

Development date
Published by SKY7
Canada · FINTRAC jurisdiction photo

What happened

The Bank consolidated ongoing reporting expectations

On 29 June 2026, the Bank of Canada issued a reminder to all payment service providers registered under the Retail Payment Activities Act. It brought the main reporting obligations into one operational summary and updated its supervisory policy on changes to registration information. It consolidates the existing reporting channels, explains how they work together and directs PSPs to submit through PSP Connect.

That interaction matters for delivery teams. Updating a third-party provider, adding a payment function, moving data, changing directors or preparing a share acquisition may look like one commercial project, but the RPAA can attach different notices and timing rules to each element.

Regulator facts

The core reporting clocks

Material incidents

Notify without delay and no later than 48 hours after determining that the incident is material, then provide the final notice when cause and impact are known.

Significant change or new activity

Notify at least 5 business days before a change that may materially affect operational risk or safeguarding, or before a new retail payment activity.

Registration information

Update addresses, third parties, directors, major shareholders, data and other filed information within the applicable period; some changes require 30 or 60 days' advance notice.

Acquisition of control

Submit a new registration application and complete re-registration before the control change or other prescribed structural change takes place.

Annual report

File by 31 March following each reporting year, covering risk management, incidents, safeguarding and the required financial and activity metrics.

Who is affected

Operators and transaction teams need the same change map

The reminder applies to registered PSPs, but its commercial relevance extends to applicants, acquirers and investors. Product teams adding a new payment function, operations teams replacing a critical provider, data teams moving storage locations and corporate teams changing ownership all need to feed one reporting calendar. For a buyer, the target's current PSP Connect records and open reporting obligations become part of the transaction baseline.

What changes for the business

A single project may need parallel filings

The updated policy gives a useful example: adding the holding-of-funds function through a new third-party provider can require both an update to registration information and a separate significant-change or new-activity notice. Each filing remains a separate requirement. The same discipline applies to ownership. Where section 24 requires a new application, all relevant changes can be reflected in that application, covering the information that would otherwise sit in sections 59 and 60 change notices.

SKY7 view

Turn the reminder into a board-level change control

Build RPAA classification into the company's normal product, vendor, data and transaction approvals. Every change request should identify the payment function, effect on operational risk and safeguarding, registration data affected, required notice, owner and submission date before implementation is approved.

For acquisitions, start the section 24 workstream early enough for the target to be re-registered before closing. The deal timetable, ownership disclosures, operating model and safeguarding plan should describe the same post-completion business.

What to do now

Build one evidence-backed reporting matrix

  • Reconcile PSP Connect information

    Compare the filed entity, owners, providers, geographies, activities and data arrangements with the live business.

  • Add RPAA gates to change approval

    Classify each product, provider, safeguarding, data and corporate change before its implementation date is fixed.

  • Confirm incident ownership

    Give named teams the authority and evidence needed to assess materiality and meet the 48-hour outer limit.

  • Align acquisition and annual-report plans

    Place section 24 re-registration, closing conditions and the 31 March reporting cycle on one transaction calendar.

Primary evidence

Official sources

Sources checked .

Tell us what you need

Put the RPAA reporting calendar into the operating plan

SKY7 can reconcile the live PSP file, classify planned changes and align reporting, re-registration and transaction milestones around one delivery plan.

Editorial note

Editorial disclaimer

Sources checked by the SKY7 team on 18 July 2026. The Bank's 29 June communication is a reminder of ongoing RPAA obligations. Exact reporting periods depend on the type of information and change; the current supervisory policy and PSP Connect guidance should be checked for each filing.