The Department of Finance has published draft regulations under the Retail Payment Activities Act (RPPA) proposing significant and, in some cases, fairly prescriptive requirements that are intended to apply to all payment service providers (PSPs), regardless of the overall size and complexity of the PSP.
Addressing the potential national security risks posed by presently unregulated PSPs is among the policy objectives of the RPAA. The draft regulations set out the timelines and information requirements to support the national security review (NSR) framework established under the RPAA. National security has become an area of increased focus by the Canadian government. The publication of the draft regulations follows a series of recent developments to modernize the NSR regime under Canada’s principal foreign investment legislation, the Investment Canada Act (ICA).
In addition to the general heightened sensitivity around access to data about Canadians and Canadian businesses, the rationale for a national security screen for the PSP sector may also relate to a PSP’s potential access to critical payment infrastructure. The Department of Finance and the Bank of Canada have signaled that certain PSPs which are registered under the RPAA may be granted access to the Real-Time-Rail, Canadian’s new payment system. This may also help to explain why the NSR under the RPAA will cover all PSPs, regardless of whether or not they are Canadian-controlled.
PSPs will be required to establish, implement and maintain a robust risk management and incident response framework (Risk Management Framework) that includes the following, as among its objectives:
- ensuring the PSP can perform retail payment activities without reduction, deterioration or breakdown, including by ensuring the availability of its systems, data and information, and
- preserving the integrity and confidentiality of those activities, systems, data and information.
The draft regulations set out a detailed list of prescribed requirements that must be included in the Risk Management Framework, which include the identification of the PSP’s operational risks and the processes and controls in place to protect its retail payment activities from those risks. The Risk Management Framework must also detail the processes and controls the PSP has to detect incidents and anomalous events that could indicate emerging operations risks and an incident response and recovery plan.
As part of its Risk Management Framework, a PSP will be required to conduct detailed operational assessments of its third-party service providers at least annually and prior to renewing or entering into any significant amendments to its third-party servicing contracts. Furthermore, the RPAA requires that a PSP which becomes aware of an incident with a material impact on an end user, another PSP, or a clearing house, must notify that individual or entity and the Bank of Canada.
Read the full Update posted on March 2, 2023
Lire dans son intégralité le bulletin d’actualités publié le 2 mars 2023