Know your requirements as a registered payment service provider and find out how we will assess compliance.
- the final supervisory guideline for the safeguarding of end-user funds
- its responses to feedback from the consultation on safeguarding end-user funds
Payment service providers (PSPs) registered with us must mitigate their operational risks, respond to incidents and safeguard end-user funds under the Retail Payment Activities Act (RPAA). The Department of Finance Canada published regulations in Part II of the Canada Gazette on November 22, 2023 to clarify details of the RPAA.
The requirements to establish risk management and funds safeguarding frameworks will come into force on September 8, 2025.
Mitigating operational risk and responding to incidents
PSPs must have a framework to manage their operational risks and their response to incidents.
The framework should demonstrate how PSPs aim to preserve the integrity, confidentiality and availability of their payment activities and related systems, data and information.
To meet this requirement, PSPs need to:
- identify their operational risks, assets and business processes
- protect their retail payment activities, assets and business processes from those risks
- detect, respond to and recover from incidents
- set roles and responsibilities for managing operational risks and incident response
- have adequate resources to maintain their framework
- review and test their framework as required
- manage risks that could arise from third-party service providers and agents and mandataries related to their retail payment activities
PSPs should customize their framework to reflect:
- the nature of their business operations
- the services they offer
- their organizational structure
- any other relevant factors
PSPs must also report any incident that has a material impact on end users, other PSPs or certain clearing and settlement systems.
For further information on how we expect PSPs to meet their requirements related to mitigating operational risks and responding to incidents, refer to the Operational risk and incident response guideline.
Safeguarding end-user funds
PSPs that hold end-user funds must have measures to safeguard these funds until they are withdrawn or transferred. PSPs must either:
- hold funds in trust in a trust account
- hold funds in a segregated account and have insurance or a guarantee for those funds
This requirement aims to:
- protect end-user funds against financial loss if a PSP becomes insolvent
- ensure that end users have reliable and timely access to their funds
PSPs holding end-user funds must have a written framework that sets out:
- how the PSP will ensure that end users have reliable and timely access to their funds
- how the funds are paid to end users if the PSP becomes insolvent
For further information on how we expect PSPs to meet their requirements related to safeguarding end user funds, refer to the Safeguarding end-user funds guideline.
Mandatory reporting
PSPs must submit the following reports to support our monitoring and assessment of their alignment with our supervisory expectations.
Annual report
- Purpose: To provide us with up-to-date registration information and information about operational risk management, incident response and safeguarding practices for end-user funds, if applicable
- Due date: Required no later than March 31 of the year following the reporting year
Significant change or new activity report
- Purpose: To notify us before a significant change in the way the PSPs performs a retail payment activity or before it performs a new retail payment activity
- Due date: Required at least five business days before the significant change is made or the new retail payment activity is performed
For further information on how we expect PSPs to meet the requirements related to significant change or new activity notices, refer to the Notice of significant change or new activity guideline.
Incident notice
- Purpose: To notify us of incidents that have a material impact on end users, other PSPs or certain clearing and settlement systems
- Due date: Required without delay once an incident occurs
For further information on how we expect PSPs to meet the requirements related to incident notices, refer to the Incident notification guideline.
Our assessment
We will evaluate whether a PSP meets the requirements outlined in the RPAA and its associated regulations through information collected from various sources, including:
- responses to our information requests received from PSPs
- reports submitted by registered PSPs, including annual, significant change and incident reports
Our assessment may involve meetings and discussions with PSPs and could include:
- a desk assessment—We may ask PSPs to submit information and documents, such as policies and procedures, for our review.
- an on-site assessment—We may conduct onsite visits to PSPs’ offices to observe practices and hold meetings and discussions with key subject matter experts.
- a special audit—We may require PSPs to undergo an audit with a scope that we define.
PSPs are expected to respond to our information requests and submit supporting documents if required.
The regulations specify the timelines for responding to information requests. PSPs will typically have 15 days to respond to requests but may need to submit information within 24 hours in specific circumstances. In all cases, PSPs should provide the requested documents within the time frame specified in the regulations.
We may identify areas where PSPs do not meet our supervisory expectations following our assessment. In such cases, we will expect PSPs to take corrective measures to address these identified gaps. We will then verify that PSPs have implemented the necessary corrective actions.
What to expect
We will set a minimum frequency for assessing whether a PSP meets our supervisory expectations. This will allow us to:
- take a risk-based approach to our analysis
- work efficiently
- promote compliance
We recognize that PSPs have different business structures and operational processes. We will therefore consider the risk posed by each PSP and take a proportional approach when determining whether PSPs meet our supervisory expectations.
We will contact PSPs that do not meet our supervisory expectations to:
- inform them of compliance gaps
- take enforcement action where appropriate
Enforcement
We have a set of enforcement tools and actions to address violations of the RPAA and its regulations that we may take when the RPAA and its regulations come into force. These actions aim to promote compliance with the RPAA and support confidence in the Canadian retail payments sector.
Investigations
We may investigate PSPs to identify any gaps in their compliance with the RPAA and its regulations. If we have reasonable grounds to believe that a violation has occurred, we may take enforcement action against a PSP.
We can use any information gathered during our risk-monitoring and registration activities to identify a violation. We could use the following methods as part of our investigation:
We can take enforcement actions against PSPs that do not:
- apply for registration with us before performing retail payment activities
- submit their mandatory reports and notices
- respond to an information request
- comply with the required operational risk and incident response practices as stipulated in the RPAA
- comply with the required safeguarding practices for end-user funds as stipulated in the RPAA
Enforcement tools
We have a suite of tools available to promote compliance. We can use any of the following enforcement tools, depending on the violation.
Warning letter
We can issue a warning letter to PSPs to identify areas of non-compliance and seek corrective actions. The letter will include:
- the PSP’s violation or potential violation
- our expectations on corrective actions to address the violation
- any possible escalation of enforcement for future violations
Compliance agreement
We can enter into a formal compliance agreement with a PSP to rectify non-compliance, including concerns regarding the PSP’s operational risk or safeguarding practices for end-user funds.
If a PSP does not adhere to the terms of a compliance agreement, we may issue a notice of violation (NOV) with an administrative monetary penalty (AMP).
For further information on compliance agreements, refer to the Entering into a compliance agreement with the Bank of Canada policy.
Notice of violation
We can issue a NOV for violations of the RPAA. A NOV can be accompanied by an AMP or an offer to enter into a compliance agreement.
Specific criteria defined in the regulations determine the amount of the AMP. These criteria include:
- the actual harm caused by the violation
- the potential harm that the violation could have caused
- the history of previous violations
- the level of intention or negligence involved
PSPs that enter into a compliance agreement as part of an NOV and fail to meet the terms and conditions of the agreement are liable to pay the remaining half of the AMP as well as an additional prescribed penalty. The prescribed penalty is equal to the original amount of the AMP set out in the NOV.
Once we complete all proceedings of our enforcement action, we will publish information about NOVs on our website. This information will include:
- the name of the PSP
- the nature of the violation
- the amount of the AMP imposed, if applicable
- the reasons for the NOV
- a brief description of the compliance agreement, if applicable
For further information on AMP, refer to the Administrative monetary penalties policy.
For further information on compliance agreements, refer to the Entering into a compliance agreement with the Bank of Canada policy.
Compliance order
If the Governor of the Bank of Canada believes that a PSP is committing, or is about to commit, an act that could have a significant adverse impact on end users, other PSPs or certain clearing and settlement systems, the Governor may order a PSP to:
- stop the action
- refrain from taking the action
- remedy the situation
Since a compliance order can be issued when a PSP is about to commit an act, it can be initiated at any stage of supervision to prevent a significant adverse impact.
The Governor may assign a delegate to issue the compliance order. Information about the delegation of the Governor’s powers, duties and functions was published in the Canada Gazette on June 15, 2024.
For further information on significant adverse impact, refer to the Significant adverse impact policy.
Court enforcement
The Governor can apply to a superior court for an order requiring a PSP to:
- stop an action that violates the RPAA
- comply with a provision of the RPAA
- adhere to a compliance order
What to expect
We will take a graduated approach when applying enforcement actions. A graduated approach allows us to use an enforcement tool that is appropriate given the circumstances and the nature of the violation. For example, if the enforcement action did not result in a timely correction, we could choose to use another tool.
This approach aligns with the risk-based approach we follow throughout our supervision.
Our decisions are bound and supported by procedural fairness. We recognize that in making enforcement decisions, we must apply a process that is fair to the affected individual or entity. For example, we would give an individual or entity notice of an enforcement action and an opportunity to respond.
The goal of enforcement actions is to encourage a change in behaviour and act as a general deterrent.
Reviews and appeals
Individuals or entities who receive an NOV or a notice of default can request a review by the Governor within 30 days following the day on which the PSP receives the decision.
The Governor or a delegate analyzes the request along with the original decision and either confirms that decision or makes a different one.
Individuals and entities can appeal the Governor’s decision to the Federal Court.
The Governor may assign a delegate to issue a Governor’s decision. Information about the delegation of the Governor’s powers, duties and functions was published in the Canada Gazette on June 15, 2024.
For further information on significant adverse impact, refer to the Governor’s review policy.
Disclaimer
We may update this information before or after the RPAA comes into force to respond to:
- feedback from our public consultation on guidelines related to:
- operational risk management and incident response
- end-user funds safeguarding
- significant change reporting
- incident reporting
- changes in the retail payments sector
- lessons learned through the implementation of the framework