In advance of the upcoming deadline, the Bank of Canada PSP reporting requirements are a key focus for payment service providers (PSPs) preparing to submit their first annual report under the Retail Payment Activities Act (RPAA). To support this process, the Bank of Canada recently held an information session and released a comprehensive compliance guide outlining expectations.
Registered PSPs must submit an annual report detailing their adherence to operational risk management and safeguarding frameworks, along with transaction volume metrics and any significant business changes or incidents, in line with RPAA compliance requirements and the Retail Payment Activities Regulations.
#Reporting Deadlines for PSP Annual Reporting in Canada
For the 2025 reporting year, the Bank has established the following deadlines:
- All PSPs registered before March 9, 2026, must submit their PSP annual report in Canada by March 31, 2026
- PSPs registered between March 9 and March 30, 2026, are granted an extension until April 28, 2026
- Entities still in the application phase as of March 31, 2026, are exempt from the 2025 filing
#Key Reporting Components Under Bank of Canada Requirements
The reporting form available through the PSP Connect portal is divided into five main sections reflecting Bank of Canada reporting requirements for PSPs:
1. Operational Risk and Incident Management
Registered PSPs must provide detailed data on the effectiveness of their operational risk management frameworks, including oversight processes and key risk categories such as cybersecurity, fraud, and third-party risk.
The report also requires disclosure of system reliability targets, including availability and confidentiality standards, as well as the human and financial resources allocated to risk mitigation. PSPs must confirm their ability to respond to and recover from incidents, including those involving third-party service providers, aligning with broader payment service provider compliance in Canada.
2. Safeguarding of End-User Funds
This section applies to PSPs performing the payment function of holding funds on behalf of users. The Bank requires detailed reporting on safeguarding frameworks for end-user funds in Canada.
PSPs must indicate whether funds are protected through trust accounts, insurance-backed accounts, or guarantees. They must also document any instances of insufficient safeguarded funds, including causes such as system failures, and outline corrective measures taken to maintain RPAA compliance.
3. Significant Changes and Incident Reporting
PSPs are required to disclose all significant changes that may impact operational risk or safeguarding measures. Examples include outsourcing arrangements, expansion into new markets, or technology changes affecting risk exposure.
Additionally, a full log of incidents must be included, even if not previously reported, such as cyberattacks or system disruptions. This reflects the growing importance of incident reporting requirements for PSPs under Canadian regulations.
#4. Ubiquity and Interconnectedness Metrics
To assess the role of PSPs within the financial ecosystem, the Bank requires detailed quantitative reporting, including:
- Volume and value of electronic funds transfers (EFTs), categorized by currency
- Total number of end users and funds held on their behalf
- Services provided to other PSPs
These metrics support broader oversight of payment services regulation in Canada.
#5. Financial Information and Record-Keeping
PSPs must report key financial metrics, including total revenue, operating expenses, and equity. While financial reporting may align with the fiscal year, most other data must correspond to the calendar year.
Accurate record-keeping is essential to meet Bank of Canada PSP reporting requirements and avoid compliance risks.
#Preparing for PSP Reporting Obligations Under the RPAA
The annual reporting form will be available on the PSP Connect portal starting February 2, 2026. PSPs can begin and update submissions until the March 31 deadline.
Given the complexity of PSP reporting obligations under the Retail Payment Activities Act, including monthly EFT data and detailed incident logs, organizations are encouraged to begin data collection early to ensure timely and accurate reporting.
#Compliance Risks and Regulatory Consequences
Failure to meet Bank of Canada PSP reporting requirements—whether through missed deadlines or inaccurate submissions—constitutes a violation of the RPAA and may result in administrative monetary penalties.
Ensuring accurate, complete, and timely reporting is essential for maintaining compliance and avoiding regulatory enforcement actions within Canada’s evolving payment services landscape.
