Retail Payment Activities Regulations (SOR/2023-229)
Regulations are current to 2025-11-20 and last amended on 2025-09-08.
Risk Management and Incident Response (continued)
Marginal note:Independent review
10 (1) A payment service provider that has an internal or external auditor must ensure that, at least once every three years, a sufficiently skilled individual who has had no role in establishing, implementing or maintaining the payment service provider’s risk management and incident response framework carries out an independent review of
(a) the conformity of each element of the payment service provider’s risk management and incident response framework with the applicable requirements of section 5; and
(b) the payment service provider’s compliance with each of its obligations under sections 6 to 9.
Marginal note:Record
(2) The payment service provider must obtain a record that sets out the independent reviewer’s name — or, if the independent reviewer carried out the review on behalf of an entity other than the payment service provider, that entity’s name — and the date of the review and describes the review’s scope, methodology and findings.
Marginal note:Report
(3) The payment service provider must report any gaps and vulnerabilities that are identified by the independent review, and any measures being taken to address them, to the senior officer referred to in subparagraph 5(1)(d)(ii), if any.
Marginal note:Notice of incident — Bank
11 (1) The notice that must be given to the Bank under section 18 of the Act must be submitted using the electronic system provided by the Bank for that purpose.
Marginal note:Contents
(2) The notice must contain
(a) the payment service provider’s name, the name of an individual who may be contacted regarding the incident and that individual’s telephone number and email address;
(b) a description of the incident and its material impact on the individuals or entities referred to in paragraphs 18(1)(a) to (c) of the Act; and
(c) the measures taken by the payment service provider to respond to the incident.
Marginal note:Notice of incident — individual or entity
12 (1) The notice that must be given under section 18 of the Act to an individual or entity referred to in any of paragraphs 18(1)(a) to (c) of the Act must be
(a) provided to each materially affected individual or entity using the most recent contact information provided by them to the payment service provider; and
(b) posted on the payment service provider’s website if contact information is not available for every materially affected individual or entity.
Marginal note:Contents
(2) The notice must include
(a) the payment service provider’s name;
(b) a description of the incident, including when it began, and the nature of its material impacts on the individuals or entities; and
(c) any corrective measures that could be taken by the individuals or entities.
Safeguarding of Funds
Marginal note:Accounts
13 A payment service provider that holds end-user funds in accordance with paragraph 20(1)(a) or (c) of the Act must ensure that the account in which they are held is provided by an entity that is referred to in one of paragraphs 9(a) to (d) or (f) to (h) of the Act or by a foreign financial institution that is regulated by a regulatory regime that imposes standards in respect of capital, liquidity, governance, supervision and risk management that are comparable to those that apply to those entities.
Marginal note:Insurance or guarantee
14 (1) A payment service provider that holds end-user funds in accordance with paragraph 20(1)(c) of the Act must ensure that the insurance or guarantee referred to in that paragraph is provided by an entity that
(a) is referred to in one of paragraphs 9(a) to (h) of the Act or is a foreign financial institution that is regulated by a regulatory regime that imposes standards in respect of capital, liquidity, governance, supervision and risk management comparable to those that apply to those entities; and
(b) is not affiliated with the payment service provider within the meaning of section 3 of the Act.
Marginal note:Conditions
(2) The payment service provider must ensure that
(a) the proceeds from the insurance or guarantee will not form part of the payment service provider’s estate;
(b) the proceeds from the insurance or guarantee will be payable for the benefit of end users as soon as feasible following an event referred to in subsection (3);
(c) the insurance or guarantee will survive the payment service provider’s insolvency, as well as any compromise or arrangement with the payment service provider’s creditors and any extinguishment of the payment service provider’s obligations to end users, including those resulting from restructuring; and
(d) the Bank is notified at least 30 days before any cancellation or termination of the insurance or guarantee.
Marginal note:Events
(3) For the purpose of paragraph (2)(b), the events are
(a) the bringing by the payment service provider of an insolvency proceeding in respect of itself;
(b) the consent by the payment service provider to the bringing of an insolvency proceeding in respect of it; and
(c) the passage of 30 days after the day on which an insolvency proceeding is brought in respect of the payment service provider by another individual or entity, unless that insolvency proceeding is discontinued or dismissed in that time.
Marginal note:Definition of insolvency proceeding
(4) For the purpose of subsection (3), insolvency proceeding means any proceeding, action, application, case or legal process relating to bankruptcy, insolvency, liquidation, dissolution or winding-up that is commenced in respect of a payment service provider under the law of any jurisdiction.
Marginal note:Safeguarding-of-funds framework
15 (1) A payment service provider that holds end-user funds must establish, implement and maintain a written safeguarding-of-funds framework that conforms to subsections (2) to (5) for the purpose of ensuring that
(a) end users have reliable access without delay to the end-user funds that are being held by the payment service provider; and
(b) if an event referred to in subsection 14(3) occurs in respect of the payment service provider, those end-user funds, or proceeds of the insurance or guarantee referred to in paragraph 20(1)(c) of the Act, are paid to end users as soon as feasible.
Marginal note:Contents
(2) The safeguarding-of-funds framework must describe the payment service provider’s systems, policies, processes, procedures, controls and other means for meeting the objectives referred to in subsection (1), including
(a) those in relation to the payment service provider’s use of liquidity arrangements and its holding of end-user funds in the form of secure and liquid assets;
(b) a requirement to keep a ledger, which is to be identified and classified as an asset in accordance with paragraph 5(1)(e), that sets out
(i) the name and contact information of each end user whose funds are held by the payment service provider, and
(ii) the amount of funds belonging to each of those end users that is held by the payment service provider at the end of each day; and
(c) in respect of the objective referred to in paragraph (1)(b),
(i) the means by which it will be ensured that the insolvency or bankruptcy administrator or trustee or other person appointed to carry out insolvency proceedings as defined in subsection 14(4), or the insurance or guarantee provider, as the case may be, is able to
(A) access all relevant records or documentation in relation to end-user funds,
(B) contact end users as soon as feasible, and
(C) identify any errors or deficiencies in the payment service provider’s ledger of end-user funds and address any shortfall in the funds to be returned to each end user,
(ii) the procedures to be followed to return funds to end users, and
(iii) the role of any of the payment service provider’s agents, mandataries or third-party service providers in facilitating the execution of the tasks referred to in subparagraphs (i) and (ii).
Marginal note:Legal risks and operational risks
(3) The safeguarding-of-funds framework must identify legal risks and operational risks that could hinder the meeting of the objectives referred to in subsection (1) and the means of mitigating those risks, including having regard to
(a) the jurisdictions in which the payment service provider, its end users, the providers of the accounts in which it holds end-user funds and, if applicable, its insurance or guarantee providers are located;
(b) the identity of the payment service provider’s account providers and, if applicable, its insurance or guarantee providers;
(c) the terms of the payment service provider’s trust arrangements with its end users, if applicable; and
(d) the terms of the payment service provider’s insurance policies or guarantees, if applicable.
Marginal note:Identification of senior officer
(4) The safeguarding-of-funds framework must, unless the payment service provider is an individual, identify a senior officer who is responsible for overseeing the payment service provider’s practices for safeguarding end-user funds and for ensuring the payment service provider’s compliance with sections 13 to 17 of these Regulations and subsection 20(1) of the Act.
Marginal note:Approval
(5) The safeguarding-of-funds framework must be approved
(a) by the senior officer, if any, at least once a year and following each material change that is made to the framework; and
(b) by the payment service provider’s board of directors, if any, at least once a year.
Marginal note:Review of framework
(6) The payment service provider must review, at the following times, the safeguarding-of-funds framework to ensure the framework’s conformity with subsections (2) to (5) and its effectiveness at meeting the objectives referred to in subsection (1):
(a) at least once a year;
(b) after any change to the means, among those set out in paragraphs 20(1)(a) to (c) of the Act, by which the payment service provider safeguards end-user funds; and
(c) after any of the following changes, if they could reasonably be expected to have a material impact on the manner in which end-user funds are safeguarded:
(i) the opening or closure of any account in which the payment service provider holds end-user funds,
(ii) a change in the entity that provides any account in which the payment service provider holds end-user funds,
(iii) a change to the terms of the account agreement in respect of any account in which the payment service provider holds end-user funds, or
(iv) in the case of a payment service provider that holds funds in accordance with paragraph 20(1)(c) of the Act, a change in its insurance or guarantee providers or to the terms of the insurance policy or guarantee.
Marginal note:Record
(7) The payment service provider must, in respect of each review, keep a record of the date on which it is conducted and its scope, methodology and findings.
Marginal note:Report and approval
(8) The payment service provider must ensure that the findings of each review are reported to the senior officer referred to in subsection (4), if any, for their approval.
Marginal note:Evaluation of insolvency protection
16 (1) A payment service provider referred to in subsection 20(1) of the Act must take measures to ensure the identification of any instance, as soon as feasible after it occurs, in which the end-user funds held by the payment service provider — or equivalent proceeds from any insurance or guarantee referred to in paragraph 20(1)(c) of the Act — would not have been payable to end users had an event referred to in subsection 14(3) of these Regulations occurred.
Marginal note:Obligations
(2) The payment service provider must, immediately after identifying such an instance, investigate its root cause and, as soon as feasible, take the necessary measures to prevent similar instances from recurring.
Marginal note:Independent review
17 (1) A payment service provider referred to in subsection 20(1) of the Act must ensure that, at least once every three years, a sufficiently skilled individual who has had no role in establishing, implementing or maintaining the safeguarding-of-funds framework, in taking the measures referred to subsection 16(1) or in identifying the instances referred to in that subsection carries out an independent review of the payment service provider’s compliance with subsection 20(1) of the Act and sections 13 to 16 of these Regulations.
Marginal note:Record
(2) The payment service provider must obtain a record that sets out the independent reviewer’s name — or, if they carried out the review on behalf of an entity other than the payment service provider, that entity’s name — and the date of the review and describes the review’s scope, methodology and findings.
Marginal note:Report
(3) The payment service provider must report any gaps and vulnerabilities that are identified by the independent review, and any measures being taken to address them, to the senior officer referred to in subsection 15(4), if any.
Annual Report
Marginal note:Submission
18 (1) For the purpose of section 21 of the Act, a payment service provider that performs retail payment activities in a calendar year must submit the annual report in respect of that year no later than March 31 of the following year.
Marginal note:Form and manner
(2) The report must be submitted using the electronic system provided for that purpose by the Bank.
Marginal note:Contents
19 (1) For the purpose of paragraph 21(a) of the Act, the prescribed information consists of
(a) a description of any changes made to the payment service provider’s risk management and incident response framework during the reporting year and the payment service provider’s plans for the framework’s maintenance and implementation;
(b) a description of the objectives referred to in paragraph 5(1)(a) and the targets and indicators referred to in paragraph 5(1)(b);
(c) a description of the means by which the payment service provider carried out any assessments referred to in paragraph 5(3)(a) during the reporting year;
(d) a description of the manner in which the payment service provider carried out any assessments referred to in paragraph 5(4)(c) during the reporting year, including the criteria used;
(e) a description of the human and financial resources for implementing and maintaining the risk management and incident response framework that were available to the payment service provider during the reporting year;
(f) a description of roles and responsibilities allocated by the payment service provider in respect of the implementation and maintenance of their risk management and incident response framework during the reporting year;
(g) a description of the payment service provider’s operational risks in respect of the reporting year, their potential causes and the manner in which they were identified;
(h) a description of the manner in which the payment service provider classified any assets and business processes for the purpose of paragraph 5(1)(e) during the reporting year;
(i) a description of the systems, policies, procedures, processes, controls and other means referred to in paragraphs 5(1)(g) and (h) and subsection 5(5) that the payment service provider had in place during the reporting year;
(j) a description of the plans referred to in paragraphs 5(1)(i) and (j) and the manner in which those plans were maintained and implemented during the reporting year;
(k) a description of the means by which the payment service provider obtained the approvals required under subsection 5(6) during the reporting year;
(l) a description of the means by which the payment service provider ensured the availability of its risk management and incident response framework and of the precautions that it took to prevent the unauthorized deletion, destruction or amendment of the framework, as required by section 6, during the reporting year;
(m) a description of the information and training that the payment service provider ensured was provided under section 7 during the reporting year;
(n) a description of all reviews under section 8, testing under section 9 and independent reviews under section 10 that the payment service provider carried out or ensured were carried out during the reporting year, as well as a description of the payment service provider’s testing methodology referred to in subsection 9(1); and
(o) a description of any incidents that the payment service provider experienced during the reporting year.
Marginal note:Accounts, insurance and guarantees
(2) For the purpose of paragraph 21(b) of the Act, the prescribed information consists of
(a) information on any entity that has provided the payment service provider with an account referred to in subsection 20(1) of the Act, including the entity’s name and the name of the regulator responsible for supervising the entity with respect to its adherence to the standards referred to in section 13 of these Regulations;
(b) the name of any other payment service provider through which the payment service provider has obtained the use of an account referred to in subsection 20(1) of the Act;
(c) information on any entity that has provided the payment service provider with the insurance or guarantee referred to in paragraph 20(1)(c) of the Act, including the entity’s name and the name of the regulator responsible for supervising the entity with respect to its adherence to the standards referred to in section 14(1)(a) of these Regulations; and
(d) a description of the terms of any insurance or guarantee referred to in paragraph 20(1)(c) of the Act that the payment service provider holds.
Marginal note:Holding of end-user funds
(3) For the purpose of paragraph 21(c) of the Act, the prescribed information consists of
(a) a description of all of the means, among those set out in paragraphs 20(1)(a) to (c) of the Act, by which the payment service provider safeguards end-user funds and, if applicable, a description of the payment service provider’s trust arrangement with its end users;
(b) a description of the payment service provider’s safeguarding-of-funds framework referred to in section 15;
(c) a description of any instance referred to in subsection 16(1) that was identified during the reporting year, its root cause and any measures taken to prevent similar instances from recurring; and
(d) a description of any independent review that was conducted under section 17 during the reporting year, including the date on which it was conducted, its scope and the name that is set out in the record referred to in subsection 17(2).
Marginal note:Other information
(4) For the purpose of paragraph 21(d) of the Act, the prescribed information consists of
(a) in the case of a payment service provider that has a place of business in Canada,
(i) information establishing the payment service provider’s ubiquity and interconnectedness, including
(A) the maximum value, expressed in Canadian dollars, of end-user funds that the payment service provider held at any time during the reporting year for each of the following categories of end users:
(I) all end users, and
(II) end users in Canada,
(B) for each month of the reporting year,
(I) the average value, expressed in Canadian dollars, of the end-user funds that the payment service provider held at the end of each day for all end users,
(II) the average value, expressed in Canadian dollars, of the end-user funds that the payment service provider held at the end of each day for end users in Canada,
(III) the average value of the end-user funds, broken down by currency and expressed in that currency, that the payment service provider held at the end of each day for all end users,
(IV) the average value of the end-user funds, broken down by currency and expressed in that currency, that the payment service provider held at the end of each day for end users in Canada,
(V) the number of electronic funds transfers in relation to which the payment service provider performed a retail payment activity,
(VI) the number of electronic funds transfers in relation to which the payment service provider performed a retail payment activity for end users in Canada,
(VII) the number of electronic funds transfers, broken down by currency, in relation to which the payment service provider performed a retail payment activity,
(VIII) the number of electronic funds transfers, broken down by currency, in relation to which the payment service provider performed a retail payment activity for end users in Canada,
(IX) the total value, expressed in Canadian dollars, of all electronic funds transfers in relation to which the payment service provider performed a retail payment activity,
(X) the total value, expressed in Canadian dollars, of all electronic funds transfers in relation to which the payment service provider performed a retail payment activity for end users in Canada,
(XI) the total value, broken down by the currency in which the electronic funds transfers are made and expressed in that currency, of all electronic funds transfers in relation to which the payment service provider performed a retail payment activity, and
(XII) the total value, broken down by the currency in which the electronic funds transfers are made and expressed in that currency, of all electronic funds transfers in relation to which the payment service provider performed a retail payment activity for end users in Canada,
(C) the number of end users and end users in Canada for which the payment service provider performed a retail payment activity during the reporting year, and
(D) the number of other payment service providers for which the payment service provider performed a retail payment activity during the reporting year and, of those, the number that have a place of business in Canada, and
(ii) if the payment service provider holds end-user funds other than in accordance with subsection 20(1) of the Act, information establishing that those end-user funds are deposits accepted by the payment service provider that are insured or guaranteed under an Act of the province in which they are held;
(b) in the case of a payment service provider that does not have a place of business in Canada, information establishing the payment service provider’s ubiquity and interconnectedness in Canada, including the information referred to in
(i) subclauses (a)(i)(A)(II) and (B)(II), (IV), (VI), (VIII), (X) and (XII),
(ii) clause (a)(i)(C), in relation only to the payment service provider’s end users in Canada, and
(iii) clause (a)(i)(D), in relation only to other payment service providers that have a place of business in Canada;
(c) a description of any significant change referred to in subsection 22(1) of the Act that was made by the payment service provider during the reporting year and any retail payment activity that the payment service provider began or ceased to perform during that year;
(d) a description of any change to the payment service provider’s use of third-party service providers during the reporting year;
(e) a description of any change to the payment service provider’s use of agents or mandataries during the reporting year;
(f) a description of the payment service provider’s record-keeping practices during the reporting year; and
(g) a description of the payment service provider’s financial metrics for the reporting year, including its revenues, gross profits or losses, operating profits or losses, assets, liabilities and equity.
Marginal note:Definition of reporting year
(5) In this section, reporting year means the calendar year in respect of which an annual report is submitted.