Government of Canada / Gouvernement du Canada

Retail Payment Activities Regulations (SOR/2023-229)

Regulations are current to 2024-10-30

Risk Management and Incident Response (continued)

The following provision is not in force.

Marginal note:Availability of framework

 A payment service provider must ensure that its risk management and incident response framework remains available to all persons who have a role in implementing or maintaining it and must take all reasonable precautions to prevent its unauthorized deletion, destruction or amendment.

The following provision is not in force.

Marginal note:Provision of information and training

 A payment service provider must ensure that all employees and other persons who have a role in establishing, implementing or maintaining its risk management and incident response framework are provided with the information and training that are necessary to carry out that role.

The following provision is not in force.

Marginal note:Review

  • The following provision is not in force.

     (1) A payment service provider must review its risk management and incident response framework

    • The following provision is not in force.

      (a) at least once a year; and

    • The following provision is not in force.

      (b) before making any material change to its operations or its systems, policies, procedures, processes, controls or other means of managing operational risk.

  • The following provision is not in force.

    Marginal note:Scope

    (2) The review must evaluate

    • The following provision is not in force.

      (a) the risk management and incident response framework’s conformity with section 5;

    • The following provision is not in force.

      (b) the payment service provider’s effectiveness at meeting the objectives referred to in paragraph 5(1)(a), having regard to the targets and indicators referred to in paragraph 5(1)(b); and

    • The following provision is not in force.

      (c) the adequacy of the payment service provider’s human and financial resources for ensuring implementation of the framework.

  • The following provision is not in force.

    Marginal note:Record

    (3) The payment service provider must, in respect of each review, keep a record of the date on which it is conducted and its scope, methodology and findings.

  • The following provision is not in force.

    Marginal note:Report and approval

    (4) The payment service provider must ensure that the findings of each review are reported to the senior officer referred to in subparagraph 5(1)(d)(ii), if any, for their approval.

The following provision is not in force.

Marginal note:Testing

  • The following provision is not in force.

     (1) A payment service provider must establish and implement a testing methodology, for the purpose of identifying gaps in the effectiveness of, and vulnerabilities in, the systems, policies, procedures, processes, controls and other means provided for in its risk management and incident response framework, that

    • The following provision is not in force.

      (a) is proportionate to the impact that a reduction, deterioration or breakdown of the payment service provider’s retail payment activities could have on end users and other payment service providers, having regard to factors including the payment service provider’s ubiquity and connectedness, as established using the information referred to in subparagraph 19(4)(a)(i) or paragraph 19(4)(b), as the case may be;

    • The following provision is not in force.

      (b) is designed taking into account both high-likelihood and high-impact operational risks;

    • The following provision is not in force.

      (c) provides for the use of tests that

      • (i) involve relevant internal stakeholders, including agents or mandataries, decision-makers and individuals responsible for the payment service provider’s operational risk management, and

      • (ii) take into account the payment service provider’s reliance on external stakeholders, including third-party service providers;

    • The following provision is not in force.

      (d) sets out the frequency and scope of testing; and

    • The following provision is not in force.

      (e) provides for testing before the adoption of any material change to the systems, policies, procedures, processes, controls or other means — or to any of the payment service provider’s operations that will affect them — for the purpose of evaluating the effects of the change.

  • The following provision is not in force.

    Marginal note:Record

    (2) The payment service provider must, in respect of each test that it carries out, keep a record of

    • The following provision is not in force.

      (a) the date on which the test is carried out;

    • The following provision is not in force.

      (b) its methodology, including a summary of how the test satisfies the requirements of subparagraphs (1)(c)(i) and (ii);

    • The following provision is not in force.

      (c) its results; and

    • The following provision is not in force.

      (d) any measures taken or to be taken to address those results.

  • The following provision is not in force.

    Marginal note:Report to senior officer

    (3) The payment service provider must ensure that the record is provided to the senior officer referred to in subparagraph 5(1)(d)(ii), if any.

The following provision is not in force.

Marginal note:Independent review

  • The following provision is not in force.

     (1) A payment service provider that has an internal or external auditor must ensure that, at least once every three years, a sufficiently skilled individual who has had no role in establishing, implementing or maintaining the payment service provider’s risk management and incident response framework carries out an independent review of

    • The following provision is not in force.

      (a) the conformity of each element of the payment service provider’s risk management and incident response framework with the applicable requirements of section 5; and

    • The following provision is not in force.

      (b) the payment service provider’s compliance with each of its obligations under sections 6 to 9.

  • The following provision is not in force.

    Marginal note:Record

    (2) The payment service provider must obtain a record that sets out the independent reviewer’s name — or, if the independent reviewer carried out the review on behalf of an entity other than the payment service provider, that entity’s name — and the date of the review and describes the review’s scope, methodology and findings.

  • The following provision is not in force.

    Marginal note:Report

    (3) The payment service provider must report any gaps and vulnerabilities that are identified by the independent review, and any measures being taken to address them, to the senior officer referred to in subparagraph 5(1)(d)(ii), if any.

The following provision is not in force.

Marginal note:Notice of incident — Bank

  • The following provision is not in force.

     (1) The notice that must be given to the Bank under section 18 of the Act must be submitted using the electronic system provided by the Bank for that purpose.

  • The following provision is not in force.

    Marginal note:Contents

    (2) The notice must contain

    • The following provision is not in force.

      (a) the payment service provider’s name, the name of an individual who may be contacted regarding the incident and that individual’s telephone number and email address;

    • The following provision is not in force.

      (b) a description of the incident and its material impact on the individuals or entities referred to in paragraphs 18(1)(a) to (c) of the Act; and

    • The following provision is not in force.

      (c) the measures taken by the payment service provider to respond to the incident.

The following provision is not in force.

Marginal note:Notice of incident — individual or entity

  • The following provision is not in force.

     (1) The notice that must be given under section 18 of the Act to an individual or entity referred to in any of paragraphs 18(1)(a) to (c) of the Act must be

    • The following provision is not in force.

      (a) provided to each materially affected individual or entity using the most recent contact information provided by them to the payment service provider; and

    • The following provision is not in force.

      (b) posted on the payment service provider’s website if contact information is not available for every materially affected individual or entity.

  • The following provision is not in force.

    Marginal note:Contents

    (2) The notice must include

    • The following provision is not in force.

      (a) the payment service provider’s name;

    • The following provision is not in force.

      (b) a description of the incident, including when it began, and the nature of its material impacts on the individuals or entities; and

    • The following provision is not in force.

      (c) any corrective measures that could be taken by the individuals or entities.

Safeguarding of Funds

The following provision is not in force.

Marginal note:Accounts

 A payment service provider that holds end-user funds in accordance with paragraph 20(1)(a) or (c) of the Act must ensure that the account in which they are held is provided by an entity that is referred to in one of paragraphs 9(a) to (d) or (f) to (h) of the Act or by a foreign financial institution that is regulated by a regulatory regime that imposes standards in respect of capital, liquidity, governance, supervision and risk management that are comparable to those that apply to those entities.

The following provision is not in force.

Marginal note:Insurance or guarantee

  • The following provision is not in force.

     (1) A payment service provider that holds end-user funds in accordance with paragraph 20(1)(c) of the Act must ensure that the insurance or guarantee referred to in that paragraph is provided by an entity that

    • The following provision is not in force.

      (a) is referred to in one of paragraphs 9(a) to (h) of the Act or is a foreign financial institution that is regulated by a regulatory regime that imposes standards in respect of capital, liquidity, governance, supervision and risk management comparable to those that apply to those entities; and

    • The following provision is not in force.

      (b) is not affiliated with the payment service provider within the meaning of section 3 of the Act.

  • The following provision is not in force.

    Marginal note:Conditions

    (2) The payment service provider must ensure that

    • The following provision is not in force.

      (a) the proceeds from the insurance or guarantee will not form part of the payment service provider’s estate;

    • The following provision is not in force.

      (b) the proceeds from the insurance or guarantee will be payable for the benefit of end users as soon as feasible following an event referred to in subsection (3);

    • The following provision is not in force.

      (c) the insurance or guarantee will survive the payment service provider’s insolvency, as well as any compromise or arrangement with the payment service provider’s creditors and any extinguishment of the payment service provider’s obligations to end users, including those resulting from restructuring; and

    • The following provision is not in force.

      (d) the Bank is notified at least 30 days before any cancellation or termination of the insurance or guarantee.

  • The following provision is not in force.

    Marginal note:Events

    (3) For the purpose of paragraph (2)(b), the events are

    • The following provision is not in force.

      (a) the bringing by the payment service provider of an insolvency proceeding in respect of itself;

    • The following provision is not in force.

      (b) the consent by the payment service provider to the bringing of an insolvency proceeding in respect of it; and

    • The following provision is not in force.

      (c) the passage of 30 days after the day on which an insolvency proceeding is brought in respect of the payment service provider by another individual or entity, unless that insolvency proceeding is discontinued or dismissed in that time.

  • The following provision is not in force.

    Marginal note:Definition of insolvency proceeding

    (4) For the purpose of subsection (3), insolvency proceeding means any proceeding, action, application, case or legal process relating to bankruptcy, insolvency, liquidation, dissolution or winding-up that is commenced in respect of a payment service provider under the law of any jurisdiction.
