Are you consultants or advisors?

Not in the traditional sense. DM Strategy sits between strategy and execution — we help founders make the right structural and regulatory decisions before committing capital or legal resources.

What does DM Strategy actually do?

DM Strategy helps with decision readiness, then structuring, licensing, and banking — in that order. We ensure founders understand their options before choosing a path.

Why not just hire a lawyer or consultant?

Because the problem usually is not a document — it is choosing the right path. Lawyers execute. Consultants advise. DM Strategy helps you decide what to execute before you engage either.

How do we start working with DM Strategy?

Engagements typically begin with a readiness assessment to clarify the best path forward across structure, licensing, and banking. Reach out via the contact form to start a conversation.

How much does an EMI license in Latvia cost?

An EMI license in Latvia starts from €80,000 in advisory and structuring fees, plus the regulatory minimum share capital of €350,000 set by the FCMC. Total costs depend on business complexity.

How long does it take to get a CASP registration?

A CASP registration in Latvia typically takes 3 to 6 months from submission, depending on the completeness of the application and the regulator's review timeline.

What is the difference between an EMI license and a CASP registration?

An EMI license authorizes a business to issue electronic money and provide payment services. A CASP registration covers crypto-asset service providers under MiCA. They serve different business models and are often complementary.

Do you work with early-stage crypto startups?

Yes. DM Strategy works with crypto founders at various stages — from pre-incorporation through licensing and into scale. Early-stage engagements typically begin with a structural readiness assessment.

Which jurisdictions does DM Strategy cover?

Europe (Latvia EMI, CASP, MiCA/VASP), Switzerland, North America (US MSB, state-level licensing), and the Middle East (ADGM, VARA, DIFC).

What is the minimum capital requirement for an EMI license in Latvia?

The minimum share capital requirement is €350,000, as set by the FCMC (Financial and Capital Market Commission of Latvia).

Canada MSB and PSP Compliance in 2026: FINTRAC, RPAA, and the Stablecoin Act

Last updated: June 2026 | Based on CMSBA Annual Conference, May 2026 | By DM Strategy
‍

The regulatory framework for money services businesses (MSBs) and payment service providers (PSPs) in Canada has changed materially in 2025 and 2026. Three overlapping regimes now govern the sector: FINTRAC under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), the Retail Payment Activities Act (RPAA) administered by the Bank of Canada, and the newly enacted Stablecoin Act (Bill C-15). Each carries distinct registration, operational, and reporting obligations. Failing to understand how they interact is one of the most common and costly compliance mistakes in the market.

This guide covers the key requirements across all three frameworks as of 2026, based on materials presented at the Canadian MSB Association (CMSBA) Annual Conference in May 2026.
‍

At a glance

Three separate regimes: FINTRAC (AML/KYC), RPAA (payment operations), and the Stablecoin Act (stablecoin issuance). Many businesses need registration under more than one.

RPAA: PSPs must register with the Bank of Canada and maintain frameworks for operational risk, end-user fund safeguarding, and three categories of mandatory reporting.

FINTRAC 2025 updates: Expanded criminal record checks in force since October 1, 2025. Virtual office addresses no longer accepted. Registration does not automatically grant web reporting access.

Stablecoin Act: Enacted March 26, 2026 as part of Bill C-15. Not yet in force. Requires 1:1 asset reserves, monthly Bank of Canada reporting, and registration for non-financial institution issuers.

FINTRAC posture: Increased penalties, enforcement without formal examination, and Bill C-12 expanding regulatory powers are all in progress.
‍

1. The RPAA: what PSPs need to know
‍

What is the RPAA? The Retail Payment Activities Act (RPAA) is a Canadian federal law that requires payment service providers to register with the Bank of Canada and meet operational risk management, end-user fund safeguarding, and reporting obligations. It came into force in 2024.

The RPAA establishes the Bank of Canada as the supervisor for payment service providers operating in Canada. Any business that performs retail payment activities, meaning the execution of fund transfers and payment processing for end users, falls within scope.

The Bank of Canada's role under the RPAA:

Register and supervise PSPs
Promote compliance across the industry
Monitor and evaluate trends and systemic issues

Three core obligations apply to every registered PSP:

Obligation	Description
Operational risk management	Establish, implement, and maintain a framework to mitigate operational risk and respond to incidents
Safeguarding of end-user funds	Maintain a safeguarding framework that protects end-user funds held by the PSP
Reporting	Submit three categories of mandatory reports through PSP Connect

‍

2. Operational risk management requirements
‍

What does operational risk management require under the RPAA? A PSP must establish, implement, and maintain a documented risk management framework covering objectives, staffing, roles, risk identification, controls, monitoring, incident response, and third-party provider risks. The framework must be approved internally and available to the Bank of Canada on request.

The framework must be tailored to the PSP's specific circumstances, including the potential impact on end users and other PSPs.

Required framework components:

Component	Requirement
Objectives	Define specific operational risk and incident response goals
Human and financial resources	Allocate adequate staffing and budget
Roles and responsibilities	Assign accountability clearly across the organization
Identify	Identify operational risks and potential incidents
Protect	Implement controls to prevent incidents and reduce risk exposure
Detect	Monitor systems to detect anomalies and potential incidents
Respond and recover	Define procedures to respond to and recover from incidents
Third-party providers	Manage risks from agents, mandataries, and service providers

Review and testing requirements:

Independent review of the framework
Regular internal review
Testing of controls and procedures

Note: The framework must be approved internally and made available to the Bank of Canada upon request.
‍

3. Safeguarding end-user funds
‍

What are the PSP safeguarding requirements under the RPAA? PSPs that hold end-user funds must either hold those funds in a dedicated trust account, or hold them in a segregated account backed by insurance or a guarantee. Funds must be held at a Canadian or equivalent foreign financial institution.

The safeguarding framework has two central objectives: ensuring end users can access their funds without delay, and protecting funds against loss in the event of PSP insolvency.

Two permitted methods of safeguarding:

Option	Description
Option 1	Hold funds in trust in a dedicated trust account
Option 2	Hold funds in a segregated account and maintain insurance or a guarantee

‍

Key elements of the safeguarding framework:

Element	Requirement
Ledger	Maintain records including name, contact details, and amount held for each end user
Liquidity approach	Ensure end users can reliably access their funds without delay
Procedures for insolvency	Document how funds would be returned to end users in the event of PSP insolvency
Risk analysis	Identify and mitigate legal and operational risks to the safeguarding objectives

‍

Important: PSPs must also identify and report any instances of shortfalls in safeguarded funds.

4. PSP reporting obligations

What are the PSP reporting requirements under the RPAA? PSPs must submit three types of mandatory reports through PSP Connect: incident notifications (within 48 hours), significant change notifications (at least 5 business days before implementation), and an annual report due by March 31.

All submissions use standardized forms through PSP Connect.

1. Notification of incidents with material impact

Notify the Bank of Canada and all materially affected parties without delay
Notification must occur no later than 48 hours after the incident is deemed material
Respond to any follow-up notices from the Bank

2. Notification of significant changes and new activities

Notify the Bank at least 5 business days before implementation
Include an assessment of the risk implications

3. Annual report

Submit by March 31 each year
Covers the previous calendar year
Must address: operational risk and incident management, safeguarding, and significant changes
Safeguarding reporting must include details of trust or insured accounts and any instances of shortfalls
PSPs are strongly encouraged to begin internal preparation well in advance of the March 31 deadline

The supervisory assessment process follows six steps: PSP selection, a Request for Information (RFI) through PSP Connect, ongoing communication, assessment of documentation, sharing of findings, and a remediation phase. PSPs have 15 days to respond to an RFI.
‍

5. FINTRAC registration: 2025 and 2026 updates
‍

What is FINTRAC? FINTRAC (Financial Transactions and Reports Analysis Centre of Canada) is Canada's anti-money laundering regulator. Money services businesses (MSBs) and foreign money services businesses (FMSBs) must register with FINTRAC and comply with AML, KYC, and transaction reporting obligations under the PCMLTFA.

FINTRAC has introduced several material changes to MSB and FMSB registration requirements. Two are in force now.

Criminal record checks (effective October 1, 2025)

Expanded criminal record check requirements now apply to MSBs, FMSBs, and their agents and mandataries.

Entity type	When required
MSB	(1) New registration; (2) renewal or change request where there has been a change in director or ownership information. Not required for renewals with no changes
FMSB	Always required: (1) new registration; (2) renewal; (3) any change request
Agents and mandataries	Same triggers as the MSB or FMSB they act on behalf of

Criminal checks are required for: CEO, president, directors, and any person owning or controlling 20% or more of the entity — directly or indirectly.

Important: The 20% threshold applies both directly and indirectly. Spousal shareholdings and holding company structures can trigger obligations that are not obvious at first glance. FINTRAC assesses control in fact, not only what appears on paper.

Validity and renewal cycle:

Checks expire 6 months from issuance
Renewal required every 2 years within a 30-day window
Only original checks issued by law enforcement where the individual resides are accepted
Translations must come from a certified translator with a statement of certification

Shared office spaces (effective immediately)

FINTRAC no longer accepts a shared office or co-working space as a standalone business address. Applications must include a copy of the lease. Applications relying solely on a virtual office will face delays or rejection.

Access to FINTRAC web reporting (FWR)

Registration approval does not automatically grant access to FINTRAC's web reporting system. Newly registered MSBs and FMSBs must email FINTRAC directly to request FWR access before submitting any required reports.

FINTRAC FWR access requests: F2R@fintrac-canafe.gc.ca

6. Legislative developments: Budget 2025 and Bill C-12

What regulatory changes are coming for MSBs in Canada? Budget 2025 proposes bans on large cash transactions and third-party cash deposits. The Spring 2026 Economic Update adds measures to expand FINTRAC's ability to refuse or revoke MSB registration, crack down on shelf MSBs, and criminalize unauthorized crypto ATM operation.

Measure	Description	Status
Large cash bans	Proposed ban on large cash transactions	Budget 2025 — not yet in Bill C-12
Third-party deposits	Proposed ban on third-party cash deposits	Budget 2025 — not yet in Bill C-12
Information sharing	Broader public-private AML information sharing powers	Budget 2025 — not yet in Bill C-12
Registration control	Expand FINTRAC's ability to refuse or revoke MSB registration	Spring 2026 Economic Update
Shelf MSBs	Prevent re-registration of non-compliant MSBs	Spring 2026 Economic Update
Crypto ATMs	Criminal offence to operate a crypto ATM without authorization	Spring 2026 Economic Update

FINTRAC as a more assertive regulator:

Increased penalties for non-compliance
Enforcement actions without requiring formal examinations
Voluntary Self-Declarations of Non-Compliance (VSDONCs) no longer guarantee immunity
Greater willingness to revoke registration
Greater penalties under Bill C-12

7. The Canadian Stablecoin Act

What is the Canadian Stablecoin Act? Canada's Stablecoin Act (enacted March 26, 2026, not yet in force) requires non-financial institution stablecoin issuers to register with the Bank of Canada, maintain a 1:1 fiat asset reserve in segregated custody, redeem stablecoins at par, and submit monthly reports including accountant and legal compliance statements.

Element	Detail
Regulator	Bank of Canada
Who must register	Non-financial institution stablecoin issuers
Model	Largely modelled after the RPAA framework
National security	National security review by the Department of Finance
Status	Enacted March 26, 2026; not yet in force

Asset reserve requirements

1:1 reserve — value equal to or greater than the par value of outstanding stablecoins
Reserve must consist exclusively of the reference fiat currency
Reserve assets may be invested in eligible high-quality liquid assets in the reference currency
Issuers may not pledge, encumber, or use reserve assets
Reserve must be held by qualified custodians, segregated from the custodian's and issuer's own assets

Redemption

Redeem stablecoins in the reference currency at par value
Redemption policy must be made publicly available

Restrictions

No interest or yield may be paid to stablecoin holders, in any form.
Issuers may not represent a stablecoin as a deposit or as deposit-insured.

Reporting

Monthly reports to the Bank of Canada must include:

Certified accountant statement: financial condition, outstanding stablecoins, reserve composition and fair market value, and reserve compliance
Lawyer statement: confirming compliance with the Act
Incident reports
Notices of significant changes

Provincial law: a critical nuance

Note: Compliance with the Stablecoin Act does not exempt issuers from provincial securities law. Fiat-backed stablecoins may still be treated as securities or derivatives by provincial regulators. Issuers must assess obligations under both federal and provincial law.

8. Frequently asked questions

What is the difference between FINTRAC registration and RPAA registration?

FINTRAC and RPAA are separate regimes with different supervisors and obligations. FINTRAC covers AML, KYC, and transaction reporting under the PCMLTFA. The RPAA covers operational risk, safeguarding, and payment reporting under the Bank of Canada. Many payment businesses operating in Canada need both registrations.
‍

Who needs to register under the RPAA?

Any business that performs retail payment activities in Canada must register with the Bank of Canada under the RPAA. This includes businesses that execute fund transfers or provide payment processing services to end users.
‍

What changed for FINTRAC registration in 2025?

Two changes took effect in 2025. First, expanded criminal record check requirements came into force on October 1, 2025. Second, FINTRAC no longer accepts virtual offices as a standalone address; a copy of the lease is now required for all application types.
‍

Do I need to register under the Canadian Stablecoin Act?

The Stablecoin Act applies to non-financial institution issuers of fiat-based stablecoins in Canada. It was enacted on March 26, 2026 but is not yet in force. Businesses planning stablecoin issuance should begin preparatory work on asset reserve structures and redemption policy now.
‍

Can I use a virtual office for my FINTRAC registration?

No. FINTRAC requires a copy of the lease demonstrating direct access to the premises. Applications relying solely on a virtual office or co-working address face delays or rejection.
‍

What happens after FINTRAC registration is approved?

Registration approval does not grant access to FINTRAC's web reporting system. Newly registered MSBs must separately email F2R@fintrac-canafe.gc.ca to request FWR access before submitting any required reports.
‍

What are the safeguarding options for PSPs holding end-user funds?

Two options under the RPAA: hold funds in a dedicated trust account, or hold funds in a segregated account and maintain insurance or a guarantee. Accounts must be held at a Canadian financial institution or a foreign institution subject to comparable regulation.

How is the Canadian Stablecoin Act different from the RPAA?

The Stablecoin Act is modelled on the RPAA but applies to stablecoin issuers rather than payment processors. Key differences: the 1:1 fiat asset reserve requirement, the prohibition on yield payments to token holders, and monthly reporting including certified accountant and legal statements.

What is an MSB in Canada?

A money services business (MSB) in Canada provides foreign exchange, money transfer, money orders, virtual currency dealing, or cryptocurrency ATM operation. MSBs must register with FINTRAC and comply with AML and KYC obligations under the PCMLTFA.

What is FINTRAC registration and how do I apply?

Steps: (1) confirm you meet the MSB definition; (2) gather criminal record checks and a business premises lease; (3) submit through the FINTRAC registration portal at www.fintrac-canafe.gc.ca; (4) after approval, email F2R@fintrac-canafe.gc.ca to request web reporting access.

9. Key resources

Resource	Contact
Bank of Canada (RPAA/PSP)	www.bankofcanada.ca
PSP Connect portal	Submissions via PSP Connect (standardized forms)
FINTRAC	www.fintrac-canafe.gc.ca
FINTRAC FWR access	F2R@fintrac-canafe.gc.ca
Key legislation	Retail Payment Activities Act, Retail Payment Activities Regulation, PCMLTFA, Stablecoin Act (Bill C-15)

This article is for informational purposes only and does not constitute legal or regulatory advice. The regulatory landscape is changing rapidly. If you are assessing your obligations under FINTRAC, the RPAA, or the Stablecoin Act, the analysis must be specific to your structure, business model, and operating jurisdictions.

DM Strategy advises fintech and crypto founders on structure, licensing, and banking as one interconnected decision. To discuss your situation, contact info@dmstrategy.io.

‍

Author:

Dionisijs Markovs