Compliance & Security

FINTRAC MSB. Bank of Canada RPAA. Compliance-first execution.

NovoBill operates only through licensed counterparties and every workflow is auditable. The compliance program is sized to the risk profile of the verticals NovoBill serves, with documented controls that pass scrutiny from partner banks and EMI underwriters.

Regulatory standing

Who supervises us, and what that means

Federal — primary

FINTRAC — MSB

Registered Money Services Business with the Financial Transactions and Reports Analysis Centre of Canada under PCMLTFA. Registration number C10001558.

Drives our KYC, AML/CTF, sanctions screening, and reporting obligations across cross-border transfers, FX, and virtual currency activities.

Federal — additional

Bank of Canada — RPAA

Registered Payment Service Provider under the Retail Payment Activities Act. Entity ID RPS0014803. Listed in the Bank of Canada's public registry of registered PSPs.

Imposes obligations on safeguarding, operational risk, incident reporting, and ongoing supervision.

What this means
Operational

Compliance program

Designated MLRO and dedicated compliance officer. Independent compliance program, AML policy, and risk-assessment framework — reviewed and updated continuously against PCMLTFA, FINTRAC, and partner-bank requirements.

Annual program effectiveness review by an independent third party. Card-data scope sits with the partner EMI/PSP — NovoBill is not the acquirer.

Safeguarding

Where your customers' money actually sits

The single most important question to ask any payment processor: where, exactly, are funds held between when a customer pays and when the money lands in my operating account?

Our safeguarding model

End-user funds at NovoBill are held in segregated, designated accounts at federally regulated Canadian banks. These accounts are:

  • Legally ring-fenced from NovoBill's operational funds
  • Held in trust for the benefit of end-users
  • Reconciled to the cent on a continuous basis
  • Subject to ongoing reporting to the Bank of Canada
  • Protected from general creditor claims in the event of insolvency

What this means for you

If NovoBill becomes insolvent, your in-flight funds are not at risk. They are not part of the bankruptcy estate. They are held for your benefit and can only be released to you (or your customers, in the event of refunds) — not to NovoBill's general creditors.

This is the protection that doesn't exist at unregistered processors. It's the single largest risk reduction RPAA registration provides.

Security architecture

Defense in depth, not just a checkbox

🔐 Encryption

  • TLS 1.3 in transit, everywhere
  • AES-256 at rest
  • HSM-backed key management
  • Certificate pinning on mobile SDKs

🛡️ Access controls

  • Mandatory MFA on all accounts
  • SSO with SAML 2.0 and OIDC
  • Role-based access control
  • Audit logs on every action

🚨 Monitoring

  • 24/7 security operations center
  • SIEM with anomaly detection
  • Automated incident response
  • Regulator-mandated reporting

🔍 Testing

  • Quarterly external penetration tests
  • Continuous static and dynamic code analysis
  • Bug bounty program for verified researchers
  • Annual red-team exercises

♻️ Resilience

  • Multi-region active-active architecture
  • 99.99% uptime SLA
  • Documented business continuity plan
  • Quarterly disaster recovery drills

🌐 Data residency

  • Primary data infrastructure in Canada
  • PIPEDA-compliant by default
  • Configurable data residency for enterprise
  • No customer data in US-only regions

AML and KYC

Anti-money-laundering, executed seriously

Our AML/KYC program is built around FINTRAC requirements with additional controls aligned to international best practice. Highlights:

  • Designated MLRO — In-house Money Laundering Reporting Officer with direct line to the executive team
  • KYC at onboarding — Identity verification, business verification, beneficial ownership identification, source-of-funds review
  • Ongoing transaction monitoring — Automated rules + human investigation for anomalies
  • Sanctions screening — OFAC, UN, Canadian Special Economic Measures, EU sanctions lists, screened on every payment
  • STR and LCTR reporting — Suspicious transaction and large cash transaction reports filed with FINTRAC per regulatory schedule
  • Annual AML assessment — Independent third-party review of program effectiveness

Documentation available

What we'll share with your team

Public documentation

  • RPAA registration entry (Bank of Canada public registry)
  • FINTRAC MSB registration confirmation
  • Privacy policy and terms of service
  • AML policy summary
  • Complaints and dispute resolution procedure
  • Status page with historical uptime

Available under NDA

  • PCI DSS Attestation of Compliance
  • Penetration test summary
  • Business continuity plan summary
  • Information security policy framework
  • Vendor due diligence questionnaire responses

For procurement teams: If you need security questionnaires (SIG, CAIQ, custom enterprise) completed as part of vendor due diligence, our security team turns these around in 5 business days. Get in touch.

Speak with our compliance team.

Have a procurement, security, or regulatory question? We'll connect you with the right person — not a generic sales rep.