Retail Payment Activities Regulations (SOR/2023-229)

Marginal note:Definitions

1 The following definitions apply in these Regulations.

Act

Act means the Retail Payment Activities Act. (Loi)

senior officer

senior officer, in respect of an entity, means

• The following provision is not in force.

  (a) a member of its board of directors who is also one of its full-time employees;

• The following provision is not in force.

  (b) its chief executive officer, chief operating officer, president, chief risk officer, secretary, treasurer, controller, chief financial officer, chief accountant, chief auditor or chief actuary, or any person who performs functions similar to those normally performed by someone occupying one of those positions; or

• The following provision is not in force.

  (c) any other officer who reports directly to its board of directors, chief executive officer or chief operating officer. (cadre dirigeant)

Marginal note:Securities-related transactions

2 A transaction in relation to securities is a prescribed transaction for the purpose of paragraph 6(b) of the Act if it is performed by an individual or entity that is regulated, or exempted from regulation, under Canadian securities legislation as defined in National Instrument 14-101 Definitions, as amended from time to time, of the Canadian Securities Administrators.

Marginal note:Incidental retail payment activities

3 A retail payment activity that is performed as a service or business activity that is incidental to another service or business activity is, unless that other service or business activity consists of the performance of a payment function, a prescribed retail payment activity for the purpose of paragraph 6(d) of the Act.

Marginal note:SWIFT

4 The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a prescribed entity for the purpose of paragraph 9(k) of the Act.

Marginal note:Framework

• The following provision is not in force.

  5 (1) The risk management and incident response framework required under subsection 17(1) of the Act must be in writing and must

  • The following provision is not in force.

    (a) set out the following among its objectives:

    • (i) ensuring that the payment service provider is able to perform retail payment activities without reduction, deterioration or breakdown, including by ensuring the availability of the systems, data and information involved in the performance of those activities, and

    • (ii) preserving the integrity and confidentiality of those activities, systems, data and information;

  • The following provision is not in force.

    (b) set out clearly defined and measurable reliability targets for the ability to perform the retail payment activities and for the availability of the systems, data and information referred to in subparagraph (a)(i), as well as indicators for assessing whether each of the objectives referred to in paragraph (a) is met;

  • The following provision is not in force.

    (c) identify the human and financial resources that are required to implement and maintain the framework, including, with respect to human resources, their skills and training, as well as the measures that the payment service provider must take to ensure timely and reliable access to those resources, whether from internal or external sources;

  • The following provision is not in force.

    (d) allocate specific roles and responsibilities in respect of the implementation and maintenance of the framework — both in the normal course of business and when detecting, responding to and recovering from incidents — including, unless the payment service provider is an individual,

    • (i) responsibility for challenging and overseeing the exercise of each of those roles and responsibilities, and

    • (ii) to a senior officer, responsibility for overseeing the payment service provider’s compliance with sections 6 to 10 of these Regulations and subsection 17(1), section 18 and subsection 19(3) of the Act and for overseeing material decisions that relate to the payment service provider’s identification and mitigation of, and response to, operational risks and incidents;

  • The following provision is not in force.

    (e) identify the assets — including systems, data and information — and business processes that are associated with the payment service provider’s performance of retail payment activities and classify them according to their sensitivity and their criticality to the performance of those activities;

  • The following provision is not in force.

    (f) identify, and describe the potential causes of, the payment service provider’s operational risks, including those relating to

    • (i) business continuity and resilience,

    • (ii) cybersecurity,

    • (iii) fraud,

    • (iv) information and data management,

    • (v) information technology,

    • (vi) human resources,

    • (vii) process design and implementation,

    • (viii) product design and implementation,

    • (ix) change management,

    • (x) physical security of persons and assets, and

    • (xi) third parties;

  • The following provision is not in force.

    (g) describe the systems, policies, procedures, processes, controls and any other means that the payment service provider must have in place to mitigate its operational risks and protect the assets and business processes referred to in paragraph (e);

  • The following provision is not in force.

    (h) describe the systems, policies, procedures, processes, controls and any other means that the payment service provider must have in place to ensure the continuous monitoring of the following for the purpose of promptly detecting incidents, anomalous events that could indicate emerging operational risks and lapses in the implementation of the framework:

    • (i) the payment service provider’s retail payment activities,

    • (ii) the systems, data and information involved in the performance of those activities, and

    • (iii) the systems, policies, procedures, processes, controls and other means referred to in paragraph (g);

  • The following provision is not in force.

    (i) set out a plan for responding to — including recovering from — incidents, including those involving or detected by an agent or mandatary or a third-party service provider, that

    • (i) contains clearly defined policies, processes and procedures for implementing the plan and for escalating the response to an incident, taking into account the incident response procedures of any third-party service provider from which the payment service provider receives services and the need to coordinate its response with that of the third-party service provider,

    • (ii) identifies the measures to be taken to mitigate the impact of an incident, including manual processes or other alternate solutions that the payment service provider could resort to if primary systems relating to the provision of retail payment activities were unavailable, and indicates how quickly those measures could be implemented,

    • (iii) requires the payment service provider, on becoming aware of an incident, to immediately investigate it to determine

      • (A) the incident’s root causes,

      • (B) its possible or verified impact on retail payment activities,

      • (C) its possible or verified impact on end users,

      • (D) its possible or verified impact on other payment service providers or on clearing houses of clearing and settlement systems that are designated under subsection 4(1) of the Payment Clearing and Settlement Act, as those expressions are defined in section 2 of that Act, and

      • (E) its possible or verified impact on systems, data or information involved in the performance of retail payment activities,

    • (iv) requires the payment service provider, while an investigation is underway, to take immediate measures to prevent or mitigate any further damage, including to the integrity, confidentiality or availability of systems, data or information,

    • (v) requires the payment service provider to take measures as soon as feasible to address the identified root causes of the incident,

    • (vi) sets out policies and procedures for reporting incidents to and coordinating incident response with relevant internal stakeholders — including any senior officer referred to in subparagraph (d)(ii) and relevant agents and mandataries — and relevant external stakeholders, that address, among other things,

      • (A) the timing of the reporting and coordination, and

      • (B) the information that is to be reported and shared for the purpose of coordination,

    • (vii) addresses how the payment service provider will promptly identify the status of all transactions at the time of any service reduction, deterioration or breakdown, recover lost or corrupted data and correct any data integrity issues, and

    • (viii) requires the payment service provider to keep, in respect of each incident, a record of

      • (A) the information referred to in clauses (iii)(A) to (E), as determined by the investigation,

      • (B) the measures taken in accordance with subparagraphs (ii), (iv) and (v),

      • (C) the manner in which it reported the incident and coordinated the incident response, and

      • (D) the status of all transactions identified, the manner in which the status of those transactions was identified and the manner in which the payment service provider recovered any lost or corrupted data and corrected any data integrity issues; and

  • The following provision is not in force.

    (j) set out a plan for responding to anomalous events or lapses referred to in paragraph (h).

• The following provision is not in force.

  Marginal note:Proportionality

  (2) All aspects of the risk management and incident response framework — including all objectives, targets, systems, policies, procedures, processes and controls — must be proportionate to the impact that a reduction, deterioration or breakdown of the payment service provider’s retail payment activities could have on end users and other payment service providers, having regard to factors including the payment service provider’s ubiquity and connectedness, as established using the information referred to in subparagraph 19(4)(a)(i) or paragraph 19(4)(b), as the case may be.

• The following provision is not in force.

  Marginal note:Third-party service providers

  (3) If a payment service provider receives services related to a payment function from one or more third-party service providers, the risk management and incident response framework must

  • The following provision is not in force.

    (a) address the means by which the payment service provider will — no less than once a year in respect of each of its third-party service providers and before entering into, renewing, extending or substantially amending a contract with a third-party service provider for the provision of a service related to a payment function — assess

    • (i) the third-party service provider’s ability to protect data and information that they obtain from the payment service provider or in the course of performing services for it,

    • (ii) the security of the third-party service provider’s connections to and from the payment service provider’s systems,

    • (iii) the manner in which the third-party service provider will consult or inform the payment service provider prior to making changes to the services that they provide, the manner in which they provide them or their practices for managing operational risk,

    • (iv) the manner in which the third-party service provider’s performance may be monitored, including the time and manner in which the third-party service provider will inform the payment service provider of any detected breach of the payment service provider’s or the third-party service provider’s data, information or systems and of any other deterioration, reduction or breakdown in the services provided to the payment service provider, and

    • (v) the third-party service provider’s risk management practices in relation to the services that they provide to the payment service provider;

  • The following provision is not in force.

    (b) require the payment service provider to keep a record of the dates, scope and findings of the assessments referred to in paragraph (a); and

  • The following provision is not in force.

    (c) clearly allocate responsibilities between the payment service provider and the third-party service provider, including in relation to the ownership, integrity, confidentiality and availability of data and information.

• The following provision is not in force.

  Marginal note:Agents and mandataries

  (4) If a payment service provider intends to have agents or mandataries perform retail payment activities, the risk management and incident response framework must

  • The following provision is not in force.

    (a) set out criteria in relation to the management of operational risk that those agents or mandataries must satisfy;

  • The following provision is not in force.

    (b) prohibit the payment service provider from having an agent or mandatary perform retail payment activities on its behalf if the agent or mandatary does not satisfy those criteria;

  • The following provision is not in force.

    (c) address the means by which the payment service provider must, at least once a year, assess the extent to which its agents and mandataries satisfy those criteria and the agents’ and mandataries’ practices for managing operational risk;

  • The following provision is not in force.

    (d) require the payment service provider to keep a record of the date and findings of each assessment referred to in paragraph (c); and

  • The following provision is not in force.

    (e) clearly allocate responsibilities between the payment service provider and its agents and mandataries, including in relation to the ownership, integrity, confidentiality and availability of data and information.

• The following provision is not in force.

  Marginal note:Third party roles and responsibilities

  (5) If the risk management and incident response framework allocates, under paragraph (1)(d), any roles or responsibilities to a third party, including a third-party service provider or an agent or mandatary, the framework must set out systems, policies, procedures, processes, controls or other means for overseeing the third party’s fulfillment of those roles and responsibilities.

• The following provision is not in force.

  Marginal note:Approval

  (6) The risk management and incident response framework must be approved

  • The following provision is not in force.

    (a) by the senior officer referred to in subparagraph (1)(d)(ii), if any, at least once a year and following each material change that is made to the framework; and

  • The following provision is not in force.

    (b) by the payment service provider’s board of directors, if any, at least once a year.

Marginal note:Availability of framework

6 A payment service provider must ensure that its risk management and incident response framework remains available to all persons who have a role in implementing or maintaining it and must take all reasonable precautions to prevent its unauthorized deletion, destruction or amendment.

Marginal note:Provision of information and training

7 A payment service provider must ensure that all employees and other persons who have a role in establishing, implementing or maintaining its risk management and incident response framework are provided with the information and training that are necessary to carry out that role.