Corporate Compliance Checklist Canada: What Businesses Need

September 2025 Playbook: What Canadian In‑House Counsel Should Expect on Cross‑Border Banking and Payments

Canadian corporate legal teams face a tight runway to September 2025. New payments supervision, tighter AML/EFT reporting, and enhanced third‑party risk expectations are converging. This guide shows what to do, why it matters, and how to get it done fast—so boards, CFOs, and auditors see a clean file and fewer delays in cross‑border flows.

What’s changing and why it matters now

- Retail Payments Activities Act (RPAA): By September 2025, many payment service providers must meet Bank of Canada oversight duties, from registration to risk management. See the Bank of Canada’s overview of retail payments supervision for scope and key dates via the page on Retail payments supervision under the RPAA.

- FINTRAC cross‑border EFT reporting: Expect sharper scrutiny of international wires, originator/beneficiary data, and timeliness. Review current rules and form updates through FINTRAC’s guidance on Reporting electronic funds transfers.

- Third‑party/correspondent banking risk: OSFI’s modernized third‑party risk framework increases expectations for vendor and correspondent due diligence touching foreign banks, payment processors, and sanctions screening utilities. For scope and control expectations, see OSFI’s Guideline B‑10: Third‑Party Risk Management.

Quick read: If your company touches cross‑border wires, card acquiring, wallets, or payment processing—even indirectly—assume your controls will be tested against RPAA, FINTRAC, and OSFI expectations in FY2025 audits.

Step‑by‑step: Build a cross‑border compliant flow before September 2025

Step 1. Map your money movement. Identify who initiates and who processes each cross‑border transaction. Capture the sending/receiving institutions, currencies (USD, EUR, CAD), corridors, and systems involved. Why it matters: you need to know whether activities trigger RPAA registration, FINTRAC reporting thresholds, or third‑party due diligence. How to do it: pull bank statements, payment processor contracts, and treasury workflows; diagram each route end‑to‑end.

Step 2. Classify activities under RPAA. Determine if the company or an affiliate is a payment service provider. Why it matters: RPAA registration and risk management obligations may apply by September 2025. How to do it: compare your services to Bank of Canada categories; confirm whether you rely on a PSP vendor’s registration or must register directly; document your role in client‑fund handling, transfer initiation, and payment messaging. Use the Bank of Canada’s page on Retail payments supervision under the RPAA as your starting point.

Step 3. Tighten cross‑border EFT reporting. Validate when you must file EFT reports (incoming/outgoing international wires ≥ CAD 10,000 and related transactions). Why it matters: late or incomplete EFT reports are a common exam finding. How to do it: run a 90‑day sample; test that originator/beneficiary fields are complete; confirm escalation for repeated data gaps; align your procedures with FINTRAC’s Reporting electronic funds transfers.

Step 4. Re‑paper third‑party and correspondent relationships. Refresh due diligence for foreign banks, payment processors, and KYC/sanctions utilities. Why it matters: OSFI expects clear oversight of third parties that touch financial transactions or sensitive data. How to do it: add OSFI B‑10 language on controls, audit rights, incident reporting, and subcontractor chains; require SOC reports or equivalent; set measurable SLAs for sanctions and screening.

Step 5. Upgrade sanctions and screening governance. Sanctions lists change fast. Why it matters: cross‑border wires in USD/EUR can be blocked if your data is incomplete or screening is stale. How to do it: implement daily list sync; enable fuzzy matching with calibrated thresholds; train finance ops on false positive clearance; establish a 24‑hour escalation path for urgent wire holds.

Step 6. Structure your data for ISO 20022. Many banks now expect structured remittance fields to reduce returns and delays. Why it matters: mis‑keyed addresses or free‑text fields cause sanctions and EFT reporting exceptions. How to do it: standardize beneficiary name, address, and LEI fields; require purpose‑of‑payment codes; embed controls in your ERP and treasury systems.

Step 7. Board and officer oversight. Put cross‑border compliance on the Q3/Q4 2025 board agenda. Why it matters: executives must certify controls and respond to incidents. How to do it: provide a one‑page heat map of RPAA status, EFT reporting error rate, sanctions match clearance time, and third‑party remediation. Target benchmarks: EFT reporting error rate under 1%, sanctions match clearance time under 2 hours, third‑party files 100% refreshed by month‑end.

Practical examples for Canadian teams

Example 1: U.S. payables via a PSP. A Toronto SaaS company pays U.S. contractors through a wallet provider. Counsel confirms the wallet provider’s RPAA registration path, adds OSFI B‑10 clauses to the MSA, and shifts onboarding to capture ISO‑compliant beneficiary data. Result: reduced returns and no EFT reporting gaps.

Example 2: Exporter receiving EUR wires. A Quebec manufacturer receiving EUR from distributors adds purpose‑of‑payment codes and a sanctions false‑positive playbook. Result: fewer holds by correspondent banks and faster cash application.

What to do this month

- Set a September 30, 2025 readiness checkpoint with treasury and compliance. - Run a 25‑transaction cross‑border sample to validate sanctions, EFT reporting, and data structure. - Confirm RPAA scope and registration posture with outside counsel.