Regulatory Influencer: Canada Retail Payment Activities Act – Operational Risk Management and Incident Response Framework

April 10, 2025
This report is part two of a four-part series analyzing the RPAA and identifying key components of the law that PSPs should consider when doing business in Canada. This report focuses on the requirement to establish and implement a risk management and incident response framework.

In June 2021 the Canadian Parliament enacted the Retail Payment Activities Act (RPAA), granting the Bank of Canada supervisory authority over payment service providers (PSPs). According to the Bank of Canada, the aim of the RPAA is to build confidence in the safety and reliability of PSP services while protecting end users from specific risks. 

The RPAA sets forth a series of requirements for PSPs, including registering with the Bank of Canada, establishing and maintaining an operational risk and incident response framework, safeguarding end-user funds, and submitting mandatory reports. 

Who does the RPAA apply to:

According to Sections 4 and 5 of the RPAA, the act applies to any retail payment activity that is performed by a PSP that has a place of business in Canada, or by a PSP that does not have a place of business in Canada but directs retail payment activities at individuals or entities in Canada. 

Section 2 of the RPAA defines a PSP as an individual or entity that performs payment functions as a service or business activity that is not incidental to another service or business activity. Section 2 of the RPAA also defines retail payment activity as a payment function that is performed in relation to an electronic funds transfer that is made in the currency of Canada or another country, or using a unit that meets prescribed criteria.

Key considerations: 

Pursuant to Section 17 of the RPAA, a PSP that performs retail payment activities must establish and maintain an operational risk management and incident response framework that meets the criteria outlined in the Retail Payment Activities Regulations. The RPAA defines “operational risk” as a risk that any of the following will result in the reduction, deterioration or breakdown of retail payment activities performed by a PSP:

  • A deficiency in the PSP’s information system or internal process.
  • A human error.
  • A management failure.
  • A disruption caused by an external event.

PSPs will be expected to comply with this requirement by September 8, 2025. The Bank of Canada may assess the PSP’s risk management and incident response framework and provide PSPs with a list of corrective measures. 

Section 5 of the Retail Payment Activities Regulations (RPAR) outlines the key components of a risk management and incident response framework. These include:

  • Setting out clear objectives, which must include:
    • Ensuring that the PSP is able to perform retail payment activities without reduction, deterioration or breakdown, including by ensuring the availability of the systems, data and information involved in the performance of those activities.
    • Preserving the integrity and confidentiality of those activities, systems, data and information.
  • Identifying and describing the potential causes of the PSP’s operational risks, including those related to:
    • Business continuity and resilience.
    • Cybersecurity.
    • Fraud.
    • Information and data management.
    • Information technology.
    • Human resources.
    • Process design and implementation.
    • Change management.
    • Physical security of persons and assets.
    • Third parties.
  • Describing the systems, policies, procedures, processes, controls and any other means that the PSP must have in place to mitigate its operational risks and protect the assets and business processes.
  • Describing the systems, policies, procedures, processes, controls and any other means that the PSP must have in place to ensure the continuous monitoring of the following for the purpose of promptly detecting incidents, anomalous events that could indicate emerging operational risks and lapses in the implementation of the framework:
    • The PSP’s retail payment activities.
    • The systems, data and information involved in the performance of those activities.
    • The systems, policies, procedures, processes, controls and other means referred to in the previous paragraph. 

As part of the risk management and incident response framework, PSPs must set out a plan for responding to and recovering from incidents, including those involving or detected by an agent or mandatary, or a third-party service provider. Pursuant to Section 2 of the RPAA, an incident is an event or series of related events that is unplanned by a PSP and that results in, or could reasonably be expected to result in, the reduction, deterioration or breakdown of any retail payment activity performed by the PSP.

The plan must:

  • Contain clearly defined policies, processes and procedures for its implementation and for escalating the response to an incident.
  • Identify the measures to be taken to mitigate the impact of an incident.
  • Require the PSP, upon becoming aware of an incident, to immediately investigate it to determine the root cause and its possible or verified impact on retail payment activities, end users, other retail PSPs or clearing houses of clearing and settlement systems, and the systems, data or information involved in the performance of retail payment activities.
  • Set out policies and procedures for reporting incidents to and coordinating an incident response with relevant internal stakeholders.
  • Require the PSP to retain all relevant records. 

In March 2025, the Bank of Canada released supplementary operational risk and incident response guidance for PSPs subject to the RPAA. According to the guidance document, the Bank of Canada expects PSPs to tailor their operational risk frameworks to reflect the types of operational risks they face, the nature and complexity of their operations, their size and structure, technology and any other relevant factors. Further, the guidance provides key questions to consider when setting objectives to ensure the integrity, confidentiality and availability of its retail payment activities and of the systems, data and information involved in the performance of those activities.

Section 18 of the RPAA stipulates that if a PSP that performs retail payment activities becomes aware of an incident that has a material impact on an end user, another PSP that performs retail payment activities, or a clearing house of a clearing and settlement system, the PSP must, without delay, notify the affected individual or entity and the Bank of Canada of the incident.

Section 9 of the RPAR states that a PSP must also establish and implement a testing methodology for the purpose of identifying gaps in the effectiveness of, and vulnerabilities in, the systems, policies, procedures, processes, controls and other means provided for in its risk management and incident response framework. The PSP must retain all relevant records and ensure that the results are provided to the senior officer responsible for overseeing the framework.

The risk management and incident response framework must be approved by the senior officer and the PSP’s board of directors, as outlined in Section 6 of the RPAR.

Pursuant to Section 8 of the RPAR, a PSP must review its risk management and incident response framework at least once a year and before making any material change to its operations or its systems, policies, procedures, processes, controls or other means of managing operational risk. The PSP must retain all relevant records and must ensure that the findings of each review are reported to the senior officer for their approval.  

Lastly, according to Section 10 of the RPAR, a PSP that has an internal or external auditor must ensure that every three years an independent review of its risk management and incident response framework is conducted. The PSP must retain all relevant records and they must report, to the senior officer, any gaps and vulnerabilities that are identified by the independent review, and any measures being taken to address them.

Why should you care:  

Although the provisions mandating the establishment and implementation of a risk management and incident response framework will not take effect until September 8, 2025, it is crucial that PSPs begin to familiarize themselves with these requirements well in advance, as implementing such a framework can be a substantial endeavor.

Once these provisions have taken effect, the Bank of Canada will assess and evaluate whether a PSP meets these requirements. The Bank of Canada may ask PSPs to submit information and documents, and/or require PSPs to undergo a special audit. The Bank may even conduct on-site visits to the PSP’s offices to observe practices and hold meetings and discussions with key subject matter experts.

Additionally, enforcement actions for non-compliance could have significant financial and reputational repercussions. Depending on the violation, the Bank of Canada may, among other things, issue a warning letter, enter into a compliance agreement, or issue a notice of violation that can be accompanied by an administrative monetary penalty or an offer to enter into a compliance agreement. 

By proactively addressing these requirements, providers can better safeguard their systems and build client confidence through demonstrating a strong commitment to security, risk management and regulatory compliance.
