Most Canadian businesses don't know who actually regulates their payment processor. And many of the biggest names in Canadian payments operate in regulatory grey zones. Here's why that should worry you — and what changed in 2024–2026.
Quick test. Without looking it up, can you answer these about your current payment processor?
If you can't answer those, you're not alone — and that's actually the problem. For decades, payment service providers in Canada operated under a patchwork of provincial securities rules, FINTRAC anti-money-laundering rules, and card network rules — but no single federal regulator looked at the actual safety and operational soundness of the processor itself. That changed.
The Retail Payment Activities Act (RPAA) is Canada's first dedicated federal supervisory regime for payment service providers. It was passed into law in 2021, and the registration regime came into effect in November 2024. As of 2026, the Bank of Canada actively supervises registered PSPs.
Under the RPAA, any business that performs retail payment activities in Canada — including merchant acquiring, money transfers, holding funds for users, and FX in connection with payments — must register with the Bank of Canada and meet specific operational, financial, and risk-management standards.
This is the part most coverage skips. Registration under the RPAA isn't a sticker you put on your website — it imposes substantive ongoing obligations on the registered entity:
Registered PSPs must safeguard end-user funds. In practical terms, that means your customers' money — between when their card is charged and when it lands in your operating account — must sit in segregated accounts at federally regulated Canadian banks, ring-fenced from the PSP's operational funds. If the PSP becomes insolvent, those funds can't be touched by general creditors.
Why this matters: Without a safeguarding obligation, in-flight funds at an unregulated processor are general creditor claims. If the processor fails, your customers' money is gone, and you may be on the hook to make them whole.
Registered PSPs must maintain documented operational risk management frameworks — incident response plans, business continuity plans, third-party risk management, technology resilience standards, and documented controls. The Bank of Canada reviews these and can require improvements.
Why this matters: An unregulated processor can have whatever level of operational maturity they want — including very little. A registered PSP has a baseline, externally enforced, and audited.
Registered PSPs must report material operational incidents to the Bank of Canada within strict timelines. This includes outages, data breaches, fraud events above thresholds, and any incident that materially affects payment flows.
Why this matters: Regulator-mandated incident reporting drives prevention. PSPs that have to report are more incentivized to invest in not having incidents.
Registered PSPs must notify the regulator of material changes in ownership or control — preventing unsupervised acquisitions of payment infrastructure by parties who shouldn't be operating it.
Registered PSPs file annual reports with the Bank of Canada disclosing transaction volumes, safeguarded fund balances, incident summaries, and risk management updates. The Bank of Canada uses this for ongoing supervision and can examine PSPs at any time.
Separately, payment providers that handle cross-border transfers, FX, or virtual currency must also register as Money Services Businesses with FINTRAC — Canada's anti-money-laundering and anti-terrorist-financing regulator. This brings additional obligations: customer due diligence, ongoing monitoring, suspicious transaction reporting, and large-cash-transaction reporting.
RPAA + FINTRAC together is the Canadian equivalent of the regulatory standing you'd expect from a bank — minus the legacy infrastructure of a bank.
Here's the question worth asking your finance and legal team: what protection do we lose if our payment processor is unregulated?
Novobill Ltd. is a registered Payment Service Provider with the Bank of Canada under the Retail Payment Activities Act.
You can verify this independently in the Bank of Canada's public registry of registered PSPs.
Whether you ultimately choose Novobill or not, your finance and legal team should be asking your payment processor — current or prospective — the following:
If your current processor can't or won't answer these, that's the answer.
For most Canadian businesses, payment processing is the largest operating expense after payroll, and the largest single concentration of customer trust. It's the wrong place to optimize for "I've heard of them" or "the salesperson was nice." It's the right place to optimize for who's regulated, where the funds are, and what protection you have if something goes wrong.
Novobill is built around the answer being: yes, we're regulated; here's exactly where the funds are; here's the protection you have. That's the foundation. Everything else — the API, the pricing, the support — sits on top of that.