Retail Payment Activities Regulations (SOR/2023-229)
Regulations are current to 2024-08-18
Risk Management and Incident Response (continued)
Marginal note: Review
- The following provision is not in force.
8 (1) A payment service provider must review its risk management and incident response framework
- The following provision is not in force.
(a) at least once a year; and
- The following provision is not in force.
(b) before making any material change to its operations or its systems, policies, procedures, processes, controls or other means of managing operational risk.
- The following provision is not in force.
Marginal note: Scope
(2) The review must evaluate
- The following provision is not in force.
(a) the risk management and incident response framework’s conformity with section 5;
- The following provision is not in force.
(b) the payment service provider’s effectiveness at meeting the objectives referred to in paragraph 5(1)(a), having regard to the targets and indicators referred to in paragraph 5(1)(b); and
- The following provision is not in force.
(c) the adequacy of the payment service provider’s human and financial resources for ensuring implementation of the framework.
- The following provision is not in force.
Marginal note: Record
(3) The payment service provider must, in respect of each review, keep a record of the date on which it is conducted and its scope, methodology and findings.
- The following provision is not in force.
Marginal note: Report and approval
(4) The payment service provider must ensure that the findings of each review are reported to the senior officer referred to in subparagraph 5(1)(d)(ii), if any, for their approval.
Marginal note: Testing
- The following provision is not in force.
9 (1) A payment service provider must establish and implement a testing methodology, for the purpose of identifying gaps in the effectiveness of, and vulnerabilities in, the systems, policies, procedures, processes, controls and other means provided for in its risk management and incident response framework, that
- The following provision is not in force.
(a) is proportionate to the impact that a reduction, deterioration or breakdown of the payment service provider’s retail payment activities could have on end users and other payment service providers, having regard to factors including the payment service provider’s ubiquity and connectedness, as established using the information referred to in subparagraph 19(4)(a)(i) or paragraph 19(4)(b), as the case may be;
- The following provision is not in force.
(b) is designed taking into account both high-likelihood and high-impact operational risks;
- The following provision is not in force.
(c) provides for the use of tests that
(i) involve relevant internal stakeholders, including agents or mandataries, decision-makers and individuals responsible for the payment service provider’s operational risk management, and
(ii) take into account the payment service provider’s reliance on external stakeholders, including third-party service providers;
- The following provision is not in force.
(d) sets out the frequency and scope of testing; and
- The following provision is not in force.
(e) provides for testing before the adoption of any material change to the systems, policies, procedures, processes, controls or other means — or to any of the payment service provider’s operations that will affect them — for the purpose of evaluating the effects of the change.
- The following provision is not in force.
Marginal note: Record
(2) The payment service provider must, in respect of each test that it carries out, keep a record of
- The following provision is not in force.
(a) the date on which the test is carried out;
- The following provision is not in force.
(b) its methodology, including a summary of how the test satisfies the requirements of subparagraphs (1)(c)(i) and (ii);
- The following provision is not in force.
(c) its results; and
- The following provision is not in force.
(d) any measures taken or to be taken to address those results.
- The following provision is not in force.
Marginal note: Report to senior officer
(3) The payment service provider must ensure that the record is provided to the senior officer referred to in subparagraph 5(1)(d)(ii), if any.
Marginal note: Independent review
- The following provision is not in force.
10 (1) A payment service provider that has an internal or external auditor must ensure that, at least once every three years, a sufficiently skilled individual who has had no role in establishing, implementing or maintaining the payment service provider’s risk management and incident response framework carries out an independent review of
- The following provision is not in force.
(a) the conformity of each element of the payment service provider’s risk management and incident response framework with the applicable requirements of section 5; and
- The following provision is not in force.
(b) the payment service provider’s compliance with each of its obligations under sections 6 to 9.
- The following provision is not in force.
Marginal note: Record
(2) The payment service provider must obtain a record that sets out the independent reviewer’s name — or, if the independent reviewer carried out the review on behalf of an entity other than the payment service provider, that entity’s name — and the date of the review and describes the review’s scope, methodology and findings.
- The following provision is not in force.
Marginal note: Report
(3) The payment service provider must report any gaps and vulnerabilities that are identified by the independent review, and any measures being taken to address them, to the senior officer referred to in subparagraph 5(1)(d)(ii), if any.
Marginal note: Notice of incident — Bank
- The following provision is not in force.
11 (1) The notice that must be given to the Bank under section 18 of the Act must be submitted using the electronic system provided by the Bank for that purpose.
- The following provision is not in force.
Marginal note: Contents
(2) The notice must contain
- The following provision is not in force.
(a) the payment service provider’s name, the name of an individual who may be contacted regarding the incident and that individual’s telephone number and email address;
- The following provision is not in force.
(b) a description of the incident and its material impact on the individuals or entities referred to in paragraphs 18(1)(a) to (c) of the Act; and
- The following provision is not in force.
(c) the measures taken by the payment service provider to respond to the incident.
Marginal note: Notice of incident — individual or entity
- The following provision is not in force.
12 (1) The notice that must be given under section 18 of the Act to an individual or entity referred to in any of paragraphs 18(1)(a) to (c) of the Act must be
- The following provision is not in force.
(a) provided to each materially affected individual or entity using the most recent contact information provided by them to the payment service provider; and
- The following provision is not in force.
(b) posted on the payment service provider’s website if contact information is not available for every materially affected individual or entity.
- The following provision is not in force.
Marginal note: Contents
(2) The notice must include
- The following provision is not in force.
(a) the payment service provider’s name;
- The following provision is not in force.
(b) a description of the incident, including when it began, and the nature of its material impacts on the individuals or entities; and
- The following provision is not in force.
(c) any corrective measures that could be taken by the individuals or entities.
Safeguarding of Funds
Marginal note: Accounts
13 A payment service provider that holds end-user funds in accordance with paragraph 20(1)(a) or (c) of the Act must ensure that the account in which they are held is provided by an entity that is referred to in one of paragraphs 9(a) to (d) or (f) to (h) of the Act or by a foreign financial institution that is regulated by a regulatory regime that imposes standards in respect of capital, liquidity, governance, supervision and risk management that are comparable to those that apply to those entities.
Marginal note: Insurance or guarantee
- The following provision is not in force.
14 (1) A payment service provider that holds end-user funds in accordance with paragraph 20(1)(c) of the Act must ensure that the insurance or guarantee referred to in that paragraph is provided by an entity that
- The following provision is not in force.
(a) is referred to in one of paragraphs 9(a) to (h) of the Act or is a foreign financial institution that is regulated by a regulatory regime that imposes standards in respect of capital, liquidity, governance, supervision and risk management comparable to those that apply to those entities; and
- The following provision is not in force.
(b) is not affiliated with the payment service provider within the meaning of section 3 of the Act.
- The following provision is not in force.
Marginal note: Conditions
(2) The payment service provider must ensure that
- The following provision is not in force.
(a) the proceeds from the insurance or guarantee will not form part of the payment service provider’s estate;
- The following provision is not in force.
(b) the proceeds from the insurance or guarantee will be payable for the benefit of end users as soon as feasible following an event referred to in subsection (3);
- The following provision is not in force.
(c) the insurance or guarantee will survive the payment service provider’s insolvency, as well as any compromise or arrangement with the payment service provider’s creditors and any extinguishment of the payment service provider’s obligations to end users, including those resulting from restructuring; and
- The following provision is not in force.
(d) the Bank is notified at least 30 days before any cancellation or termination of the insurance or guarantee.
- The following provision is not in force.
Marginal note: Events
(3) For the purpose of paragraph (2)(b), the events are
- The following provision is not in force.
(a) the bringing by the payment service provider of an insolvency proceeding in respect of itself;
- The following provision is not in force.
(b) the consent by the payment service provider to the bringing of an insolvency proceeding in respect of it; and
- The following provision is not in force.
(c) the passage of 30 days after the day on which an insolvency proceeding is brought in respect of the payment service provider by another individual or entity, unless that insolvency proceeding is discontinued or dismissed in that time.
- The following provision is not in force.
Marginal note: Definition of insolvency proceeding
(4) For the purpose of subsection (3), insolvency proceeding means any proceeding, action, application, case or legal process relating to bankruptcy, insolvency, liquidation, dissolution or winding-up that is commenced in respect of a payment service provider under the law of any jurisdiction.
Marginal note: Safeguarding-of-funds framework
- The following provision is not in force.
15 (1) A payment service provider that holds end-user funds must establish, implement and maintain a written safeguarding-of-funds framework that conforms to subsections (2) to (5) for the purpose of ensuring that
- The following provision is not in force.
(a) end users have reliable access without delay to the end-user funds that are being held by the payment service provider; and
- The following provision is not in force.
(b) if an event referred to in subsection 14(3) occurs in respect of the payment service provider, those end-user funds, or proceeds of the insurance or guarantee referred to in paragraph 20(1)(c) of the Act, are paid to end users as soon as feasible.
- The following provision is not in force.
Marginal note: Contents
(2) The safeguarding-of-funds framework must describe the payment service provider’s systems, policies, processes, procedures, controls and other means for meeting the objectives referred to in subsection (1), including
- The following provision is not in force.
(a) those in relation to the payment service provider’s use of liquidity arrangements and its holding of end-user funds in the form of secure and liquid assets;
- The following provision is not in force.
(b) a requirement to keep a ledger, which is to be identified and classified as an asset in accordance with paragraph 5(1)(e), that sets out
(i) the name and contact information of each end user whose funds are held by the payment service provider, and
(ii) the amount of funds belonging to each of those end users that is held by the payment service provider at the end of each day; and
- The following provision is not in force.
(c) in respect of the objective referred to in paragraph (1)(b),
(i) the means by which it will be ensured that the insolvency or bankruptcy administrator or trustee or other person appointed to carry out insolvency proceedings as defined in subsection 14(4), or the insurance or guarantee provider, as the case may be, is able to
(A) access all relevant records or documentation in relation to end-user funds,
(B) contact end users as soon as feasible, and
(C) identify any errors or deficiencies in the payment service provider’s ledger of end-user funds and address any shortfall in the funds to be returned to each end user,
(ii) the procedures to be followed to return funds to end users, and
(iii) the role of any of the payment service provider’s agents, mandataries or third-party service providers in facilitating the execution of the tasks referred to in subparagraphs (i) and (ii).
- The following provision is not in force.
Marginal note: Legal risks and operational risks
(3) The safeguarding-of-funds framework must identify legal risks and operational risks that could hinder the meeting of the objectives referred to in subsection (1) and the means of mitigating those risks, including having regard to
- The following provision is not in force.
(a) the jurisdictions in which the payment service provider, its end users, the providers of the accounts in which it holds end-user funds and, if applicable, its insurance or guarantee providers are located;
- The following provision is not in force.
(b) the identity of the payment service provider’s account providers and, if applicable, its insurance or guarantee providers;
- The following provision is not in force.
(c) the terms of the payment service provider’s trust arrangements with its end users, if applicable; and
- The following provision is not in force.
(d) the terms of the payment service provider’s insurance policies or guarantees, if applicable.
- The following provision is not in force.
Marginal note: Identification of senior officer
(4) The safeguarding-of-funds framework must, unless the payment service provider is an individual, identify a senior officer who is responsible for overseeing the payment service provider’s practices for safeguarding end-user funds and for ensuring the payment service provider’s compliance with sections 13 to 17 of these Regulations and subsection 20(1) of the Act.
- The following provision is not in force.
Marginal note: Approval
(5) The safeguarding-of-funds framework must be approved
- The following provision is not in force.
(a) by the senior officer, if any, at least once a year and following each material change that is made to the framework; and
- The following provision is not in force.
(b) by the payment service provider’s board of directors, if any, at least once a year.
- The following provision is not in force.
Marginal note: Review of framework
(6) The payment service provider must review, at the following times, the safeguarding-of-funds framework to ensure the framework’s conformity with subsections (2) to (5) and its effectiveness at meeting the objectives referred to in subsection (1):
- The following provision is not in force.
(a) at least once a year;
- The following provision is not in force.
(b) after any change to the means, among those set out in paragraphs 20(1)(a) to (c) of the Act, by which the payment service provider safeguards end-user funds; and
- The following provision is not in force.
(c) after any of the following changes, if they could reasonably be expected to have a material impact on the manner in which end-user funds are safeguarded:
(i) the opening or closure of any account in which the payment service provider holds end-user funds,
(ii) a change in the entity that provides any account in which the payment service provider holds end-user funds,
(iii) a change to the terms of the account agreement in respect of any account in which the payment service provider holds end-user funds, or
(iv) in the case of a payment service provider that holds funds in accordance with paragraph 20(1)(c) of the Act, a change in its insurance or guarantee providers or to the terms of the insurance policy or guarantee.
- The following provision is not in force.
Marginal note: Record
(7) The payment service provider must, in respect of each review, keep a record of the date on which it is conducted and its scope, methodology and findings.
- The following provision is not in force.
Marginal note: Report and approval
(8) The payment service provider must ensure that the findings of each review are reported to the senior officer referred to in subsection (4), if any, for their approval.