PSP compliance primer: AML and sanctions expectations in Canada
A payment service provider (PSP) is an entity that performs one or more payment functions (fund holds, transfers, electronic funds transmissions, currency conversions, or merchant acquiring) as a service for end users. Canadian PSPs sit under two regulatory regimes at once: the Retail Payment Activities Act for operational risk, and the PCMLTFA for AML and sanctions where the PSP qualifies as a money services business. This primer covers both and explains how to comply at scale.
Canadian PSPs operate under two regulatory regimes at once. The Retail Payment Activities Act (RPAA) governs operational risk, safeguarding of end-user funds, and Bank of Canada registration. The PCMLTFA governs AML and sanctions for any PSP that qualifies as a money services business, which most PSPs handling money transmission or currency conversion will. The two regimes are not the same, they are not redundant, and they have to be operated in lockstep.
This primer covers the AML and sanctions side of the picture, with explicit references to the RPAA where the two regimes intersect.
What is a payment service provider under Canadian law?
The RPAA defines a PSP as an entity that performs one or more retail payment activities as a service or business activity. The five payment functions captured by the RPAA are:
- Providing or maintaining an account that, in relation to an electronic funds transfer, is held on behalf of one or more end users.
- Holding funds on behalf of an end user until they are withdrawn or transferred.
- The initiation of an electronic funds transfer at the request of an end user.
- The authorization of an electronic funds transfer or the transmission, reception, or facilitation of an instruction in relation to an electronic funds transfer.
- The provision of clearing or settlement services.
The PCMLTFA, separately, captures PSPs as MSBs where they perform money transmission, foreign exchange dealing, or virtual currency activity for the public. Most PSPs handling cross-border or multi-currency flows fall under both regimes.
Two registrations, two obligations
Registration with the Bank of Canada under the RPAA is operationally separate from registration with FINTRAC as an MSB. A PSP captured by both regimes has to hold both registrations. Registrations renew on different cycles. Examinations come from different bodies. The compliance program documentation must reflect both regimes.
The Canadian AML framework that applies to PSPs
Where a PSP is also an MSB, the PCMLTFA framework applies in full. The five program pillars are the same as for any other reporting entity (see our Bill C-12 guide), but several PSP-specific operational realities shape how they are run.
1. The volume problem
PSPs typically run at much higher transaction velocity than traditional MSBs: tens of thousands to millions of transactions per day. Manual alert review at that scale is impossible; the program has to rely on layered detection (rule-based scenarios plus ML-based anomaly detection), with human approval on regulated decisions rather than on every event.
2. The on-behalf-of complication
PSPs frequently process on behalf of merchant clients, who in turn serve end consumers. The PCMLTFA requires the PSP to identify and risk-assess its customer (typically the merchant) and have visibility into the merchant’s end users where the PSP’s services touch identifiable individuals. This is one of the most frequent examination findings for PSPs: incomplete visibility into end-user activity processed through merchants.
3. The merchant onboarding pipeline
For PSPs, KYC is also KYB (know your business). The merchant due diligence file has to include beneficial ownership, control persons, the nature of the merchant’s business, sanctions screening of the entity and its principals, expected processing volumes, and ongoing monitoring against actual volumes. A merchant whose actual processing diverges materially from declared expectations is a textbook examination talking point.
The PSP compliance stack
The three layers of a PSP compliance program, with PSP-specific items at each layer.
Reporting obligations specific to PSPs
PSPs file under both the PCMLTFA (where they are also MSBs) and the RPAA operational risk framework. The combined reporting picture:
The RPAA significant incident notification is distinct from a PCMLTFA STR. The first is operational (the payment function was disrupted), the second is suspicion-based (the activity looks like ML/TF). Both can be triggered by the same underlying event and the compliance program must specify the path for each.
Sanctions screening expectations
PSPs screen at three different levels of the value chain:
- Merchant level. The legal entity, its directors, beneficial owners (25 percent threshold), and signing officers at onboarding and on a continuous basis.
- Transaction level. Originator and beneficiary names on transfers crossing the PSP’s rails, especially international transfers under the Travel Rule. See the Travel Rule primer.
- End-user level. Where the PSP’s services touch identifiable end users (account holding, money transfer initiation), screen those individuals as well.
The screening lists are the same as for MSBs: SEMA, JVCFOA, UN Act regulations, Criminal Code listed entities, and the OSFI Consolidated Lists. PSPs with US-jurisdiction processing should also screen against OFAC SDN.
The PSP technology stack
A defensible PSP technology stack covers seven capabilities:
- Merchant onboarding (KYB). Legal entity verification, beneficial ownership capture, control person identification, document collection, risk scoring.
- End-user KYC. Where the PSP touches identifiable end users, full identification, address verification, and beneficial ownership where applicable.
- Sanctions and PEP screening. Real-time at every onboarding and every transfer above threshold. Continuous re-screening of the customer book against list updates.
- Transaction monitoring. Rule-based scenarios for PSP-specific patterns: merchant volume drift, BIN-level anomalies, velocity spikes, cross-border corridor risk, account takeover indicators. Often layered with ML.
- Case management. One workflow that holds alerts, investigations, dispositions, STRs and the supporting evidence.
- FINTRAC reporting integration. Automated population and filing of STRs and EFTRs via F2R, with reconciliation to case records.
- RPAA operational risk controls. End-user fund safeguarding, third-party risk management, incident response, business continuity, and the operational risk reporting framework required by the Bank of Canada.
In-house expertise required
A Canadian PSP at meaningful processing volume needs:
- CAMLO with payments background. Named compliance officer with current PCMLTFA knowledge and direct experience operating across payment rails and merchant ecosystems. Fractional CAMLO is the standard pattern for late-stage PSPs without in-house leadership; see the fractional CAMLO guide.
- Merchant risk lead. Owns the merchant onboarding queue, the KYB risk model, and the periodic review of high-risk merchants.
- Transaction monitoring analysts. Tune the rule library, review alerts, drive investigations, and own the STR filing pipeline.
- Sanctions specialist. Owns the sanctions screening engine, list updates, disposition policy, and any escalations to the CAMLO.
- RPAA operational risk lead. Owns the operational risk framework required by the RPAA, distinct from the PCMLTFA program.
- Independent reviewer. A party with no operational involvement, engaged for the two-year PCMLTFA review and any RPAA-mandated review.
What FINTRAC examiners look for in a PSP
PSPs face examination questions that traditional MSBs do not. The most frequent in current examinations:
- How do you know what your merchants are actually processing through your rails, and how does that compare to their declared expected volumes?
- Walk me through a sanctions hit on a merchant’s beneficial owner. What did your program do, and how long did it take?
- Where is the audit trail for an alert generated by your ML-based monitoring layer that you closed without action?
- How does your RPAA significant incident process interact with your STR pipeline when they overlap on the same event?
- What does your training program show for the people approving merchant onboarding in the last quarter?
How BriteBase helps PSPs
BriteBase is built for the dual-regime reality of Canadian PSPs. The AML Operating Platform covers KYB, sanctions screening, transaction monitoring, case workflow, and FINTRAC reporting integration. Compliance-as-a-Service adds a fractional CAMLO with payments experience and the practitioner bench to run the program day to day. For PSPs running their own compliance team, the platform tier provides the system of record while the team retains operational ownership.
FAQ
What is a payment service provider (PSP) under Canadian law?
Under the Retail Payment Activities Act (RPAA), a PSP is an entity that performs one or more retail payment functions as a service or business activity, including account holding, fund holding, electronic funds transfer initiation, authorisation or transmission, or the provision of clearing and settlement. Under the PCMLTFA, a PSP that performs money transmission, foreign exchange, or virtual currency activity for the public is also a money services business.
Do PSPs have to register with both the Bank of Canada and FINTRAC?
Often yes. RPAA registration is with the Bank of Canada and covers operational risk and end-user fund safeguarding. PCMLTFA registration is with FINTRAC as a money services business and covers AML and sanctions obligations. A PSP that performs money transmission, FX, or VC activity for the public is required to register under both. The two regimes are operationally separate and the compliance program must reflect both.
What is the difference between RPAA obligations and PCMLTFA obligations?
RPAA obligations cover operational risk: end-user fund safeguarding, third-party risk management, incident response, and business continuity. PCMLTFA obligations cover AML and sanctions: customer identification, suspicion-based reporting, sanctions screening, the five program pillars, and FINTRAC examination. The same operational event can sometimes trigger reporting under both regimes.
What is the most common FINTRAC examination finding for Canadian PSPs?
Incomplete visibility into end-user activity processed through merchants. Where the PSP serves merchant clients who in turn serve end consumers, the program must have a documented approach for identifying and risk-assessing both the merchant and the end-user activity touching identifiable individuals. PSPs that treat merchant due diligence as a one-time onboarding step rather than an ongoing obligation tend to surface findings here.
What sanctions lists do Canadian PSPs have to screen against?
At minimum: Special Economic Measures Act regulations, Justice for Victims of Corrupt Foreign Officials Act listings, United Nations Act regulations, and Criminal Code listed entities. Operationally the OSFI Consolidated Lists are the most practical source. PSPs with US-jurisdiction processing should also screen against the OFAC SDN list. Screening applies at three levels: merchant entity, transaction parties, and end users where the PSP touches them directly.
How does Bill C-12 affect Canadian PSPs?
Bill C-12 introduced the statutory standard that a Canadian compliance program must be reasonably designed, risk-based and effective. For PSPs operating at scale, the effectiveness test means examiners look at measured outcomes: false-positive rates on screening, STR quality and timing, merchant volume drift detection, and audit trail completeness. The standard applies regardless of whether the program uses traditional rules or modern AI.
What does a PSP compliance technology stack include?
Seven capabilities: KYB merchant onboarding, end-user KYC where applicable, real-time sanctions and PEP screening, transaction monitoring (rule-based scenarios layered with ML), case management workflow, FINTRAC reporting integration (F2R), and RPAA operational risk controls covering safeguarding, third-party risk, and incident response.