Retail Payment Activities Regulations (SOR/2023-229)
Full Document:
- HTMLFull Document: Retail Payment Activities Regulations (Accessibility Buttons available) |
- XMLFull Document: Retail Payment Activities Regulations [178 KB] |
- PDFFull Document: Retail Payment Activities Regulations [378 KB]
Regulations are current to 2024-11-26 and last amended on 2024-11-01. Previous Versions
Retail Payment Activities Regulations
SOR/2023-229
Registration 2023-11-03
Retail Payment Activities Regulations
P.C. 2023-1106 2023-11-03
Her Excellency the Governor General in Council, on the recommendation of the Minister of Finance, makes the annexed Retail Payment Activities Regulations under section 101 of the Retail Payment Activities ActFootnote a.
Return to footnote aS.C. 2021, c. 23, s. 177
Definitions
Marginal note:Definitions
1 The following definitions apply in these Regulations.
- Act
Act means the Retail Payment Activities Act. (Loi)
- senior officer
senior officer, in respect of an entity, means
(a) a member of its board of directors who is also one of its full-time employees;
(b) its chief executive officer, chief operating officer, president, chief risk officer, secretary, treasurer, controller, chief financial officer, chief accountant, chief auditor or chief actuary, or any person who performs functions similar to those normally performed by someone occupying one of those positions; or
(c) any other officer who reports directly to its board of directors, chief executive officer or chief operating officer. (cadre dirigeant)
Non-application of Act
Marginal note:Securities-related transactions
2 A transaction in relation to securities is a prescribed transaction for the purpose of paragraph 6(b) of the Act if it is performed by an individual or entity that is regulated, or exempted from regulation, under Canadian securities legislation as defined in National Instrument 14-101 Definitions, as amended from time to time, of the Canadian Securities Administrators.
Marginal note:Incidental retail payment activities
3 A retail payment activity that is performed as a service or business activity that is incidental to another service or business activity is, unless that other service or business activity consists of the performance of a payment function, a prescribed retail payment activity for the purpose of paragraph 6(d) of the Act.
Marginal note:SWIFT
4 The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a prescribed entity for the purpose of paragraph 9(k) of the Act.
Risk Management and Incident Response
Marginal note:Framework
- The following provision is not in force.
5 (1) The risk management and incident response framework required under subsection 17(1) of the Act must be in writing and must
- The following provision is not in force.
(a) set out the following among its objectives:
(i) ensuring that the payment service provider is able to perform retail payment activities without reduction, deterioration or breakdown, including by ensuring the availability of the systems, data and information involved in the performance of those activities, and
(ii) preserving the integrity and confidentiality of those activities, systems, data and information;
- The following provision is not in force.
(b) set out clearly defined and measurable reliability targets for the ability to perform the retail payment activities and for the availability of the systems, data and information referred to in subparagraph (a)(i), as well as indicators for assessing whether each of the objectives referred to in paragraph (a) is met;
- The following provision is not in force.
(c) identify the human and financial resources that are required to implement and maintain the framework, including, with respect to human resources, their skills and training, as well as the measures that the payment service provider must take to ensure timely and reliable access to those resources, whether from internal or external sources;
- The following provision is not in force.
(d) allocate specific roles and responsibilities in respect of the implementation and maintenance of the framework — both in the normal course of business and when detecting, responding to and recovering from incidents — including, unless the payment service provider is an individual,
(i) responsibility for challenging and overseeing the exercise of each of those roles and responsibilities, and
(ii) to a senior officer, responsibility for overseeing the payment service provider’s compliance with sections 6 to 10 of these Regulations and subsection 17(1), section 18 and subsection 19(3) of the Act and for overseeing material decisions that relate to the payment service provider’s identification and mitigation of, and response to, operational risks and incidents;
- The following provision is not in force.
(e) identify the assets — including systems, data and information — and business processes that are associated with the payment service provider’s performance of retail payment activities and classify them according to their sensitivity and their criticality to the performance of those activities;
- The following provision is not in force.
(f) identify, and describe the potential causes of, the payment service provider’s operational risks, including those relating to
(i) business continuity and resilience,
(ii) cybersecurity,
(iii) fraud,
(iv) information and data management,
(v) information technology,
(vi) human resources,
(vii) process design and implementation,
(viii) product design and implementation,
(ix) change management,
(x) physical security of persons and assets, and
(xi) third parties;
- The following provision is not in force.
(g) describe the systems, policies, procedures, processes, controls and any other means that the payment service provider must have in place to mitigate its operational risks and protect the assets and business processes referred to in paragraph (e);
- The following provision is not in force.
(h) describe the systems, policies, procedures, processes, controls and any other means that the payment service provider must have in place to ensure the continuous monitoring of the following for the purpose of promptly detecting incidents, anomalous events that could indicate emerging operational risks and lapses in the implementation of the framework:
(i) the payment service provider’s retail payment activities,
(ii) the systems, data and information involved in the performance of those activities, and
(iii) the systems, policies, procedures, processes, controls and other means referred to in paragraph (g);
- The following provision is not in force.
(i) set out a plan for responding to — including recovering from — incidents, including those involving or detected by an agent or mandatary or a third-party service provider, that
(i) contains clearly defined policies, processes and procedures for implementing the plan and for escalating the response to an incident, taking into account the incident response procedures of any third-party service provider from which the payment service provider receives services and the need to coordinate its response with that of the third-party service provider,
(ii) identifies the measures to be taken to mitigate the impact of an incident, including manual processes or other alternate solutions that the payment service provider could resort to if primary systems relating to the provision of retail payment activities were unavailable, and indicates how quickly those measures could be implemented,
(iii) requires the payment service provider, on becoming aware of an incident, to immediately investigate it to determine
(A) the incident’s root causes,
(B) its possible or verified impact on retail payment activities,
(C) its possible or verified impact on end users,
(D) its possible or verified impact on other payment service providers or on clearing houses of clearing and settlement systems that are designated under subsection 4(1) of the Payment Clearing and Settlement Act, as those expressions are defined in section 2 of that Act, and
(E) its possible or verified impact on systems, data or information involved in the performance of retail payment activities,
(iv) requires the payment service provider, while an investigation is underway, to take immediate measures to prevent or mitigate any further damage, including to the integrity, confidentiality or availability of systems, data or information,
(v) requires the payment service provider to take measures as soon as feasible to address the identified root causes of the incident,
(vi) sets out policies and procedures for reporting incidents to and coordinating incident response with relevant internal stakeholders — including any senior officer referred to in subparagraph (d)(ii) and relevant agents and mandataries — and relevant external stakeholders, that address, among other things,
(A) the timing of the reporting and coordination, and
(B) the information that is to be reported and shared for the purpose of coordination,
(vii) addresses how the payment service provider will promptly identify the status of all transactions at the time of any service reduction, deterioration or breakdown, recover lost or corrupted data and correct any data integrity issues, and
(viii) requires the payment service provider to keep, in respect of each incident, a record of
(A) the information referred to in clauses (iii)(A) to (E), as determined by the investigation,
(B) the measures taken in accordance with subparagraphs (ii), (iv) and (v),
(C) the manner in which it reported the incident and coordinated the incident response, and
(D) the status of all transactions identified, the manner in which the status of those transactions was identified and the manner in which the payment service provider recovered any lost or corrupted data and corrected any data integrity issues; and
- The following provision is not in force.
(j) set out a plan for responding to anomalous events or lapses referred to in paragraph (h).
- The following provision is not in force.
Marginal note:Proportionality
(2) All aspects of the risk management and incident response framework — including all objectives, targets, systems, policies, procedures, processes and controls — must be proportionate to the impact that a reduction, deterioration or breakdown of the payment service provider’s retail payment activities could have on end users and other payment service providers, having regard to factors including the payment service provider’s ubiquity and connectedness, as established using the information referred to in subparagraph 19(4)(a)(i) or paragraph 19(4)(b), as the case may be.
- The following provision is not in force.
Marginal note:Third-party service providers
(3) If a payment service provider receives services related to a payment function from one or more third-party service providers, the risk management and incident response framework must
- The following provision is not in force.
(a) address the means by which the payment service provider will — no less than once a year in respect of each of its third-party service providers and before entering into, renewing, extending or substantially amending a contract with a third-party service provider for the provision of a service related to a payment function — assess
(i) the third-party service provider’s ability to protect data and information that they obtain from the payment service provider or in the course of performing services for it,
(ii) the security of the third-party service provider’s connections to and from the payment service provider’s systems,
(iii) the manner in which the third-party service provider will consult or inform the payment service provider prior to making changes to the services that they provide, the manner in which they provide them or their practices for managing operational risk,
(iv) the manner in which the third-party service provider’s performance may be monitored, including the time and manner in which the third-party service provider will inform the payment service provider of any detected breach of the payment service provider’s or the third-party service provider’s data, information or systems and of any other deterioration, reduction or breakdown in the services provided to the payment service provider, and
(v) the third-party service provider’s risk management practices in relation to the services that they provide to the payment service provider;
- The following provision is not in force.
(b) require the payment service provider to keep a record of the dates, scope and findings of the assessments referred to in paragraph (a); and
- The following provision is not in force.
(c) clearly allocate responsibilities between the payment service provider and the third-party service provider, including in relation to the ownership, integrity, confidentiality and availability of data and information.
- The following provision is not in force.
Marginal note:Agents and mandataries
(4) If a payment service provider intends to have agents or mandataries perform retail payment activities, the risk management and incident response framework must
- The following provision is not in force.
(a) set out criteria in relation to the management of operational risk that those agents or mandataries must satisfy;
- The following provision is not in force.
(b) prohibit the payment service provider from having an agent or mandatary perform retail payment activities on its behalf if the agent or mandatary does not satisfy those criteria;
- The following provision is not in force.
(c) address the means by which the payment service provider must, at least once a year, assess the extent to which its agents and mandataries satisfy those criteria and the agents’ and mandataries’ practices for managing operational risk;
- The following provision is not in force.
(d) require the payment service provider to keep a record of the date and findings of each assessment referred to in paragraph (c); and
- The following provision is not in force.
(e) clearly allocate responsibilities between the payment service provider and its agents and mandataries, including in relation to the ownership, integrity, confidentiality and availability of data and information.
- The following provision is not in force.
Marginal note:Third party roles and responsibilities
(5) If the risk management and incident response framework allocates, under paragraph (1)(d), any roles or responsibilities to a third party, including a third-party service provider or an agent or mandatary, the framework must set out systems, policies, procedures, processes, controls or other means for overseeing the third party’s fulfillment of those roles and responsibilities.
- The following provision is not in force.
Marginal note:Approval
(6) The risk management and incident response framework must be approved
- The following provision is not in force.
(a) by the senior officer referred to in subparagraph (1)(d)(ii), if any, at least once a year and following each material change that is made to the framework; and
- The following provision is not in force.
(b) by the payment service provider’s board of directors, if any, at least once a year.
Marginal note:Availability of framework
6 A payment service provider must ensure that its risk management and incident response framework remains available to all persons who have a role in implementing or maintaining it and must take all reasonable precautions to prevent its unauthorized deletion, destruction or amendment.
Marginal note:Provision of information and training
7 A payment service provider must ensure that all employees and other persons who have a role in establishing, implementing or maintaining its risk management and incident response framework are provided with the information and training that are necessary to carry out that role.
Marginal note:Review
- The following provision is not in force.
8 (1) A payment service provider must review its risk management and incident response framework
- The following provision is not in force.
(a) at least once a year; and
- The following provision is not in force.
(b) before making any material change to its operations or its systems, policies, procedures, processes, controls or other means of managing operational risk.
- The following provision is not in force.
Marginal note:Scope
(2) The review must evaluate
- The following provision is not in force.
(a) the risk management and incident response framework’s conformity with section 5;
- The following provision is not in force.
(b) the payment service provider’s effectiveness at meeting the objectives referred to in paragraph 5(1)(a), having regard to the targets and indicators referred to in paragraph 5(1)(b); and
- The following provision is not in force.
(c) the adequacy of the payment service provider’s human and financial resources for ensuring implementation of the framework.
- The following provision is not in force.
Marginal note:Record
(3) The payment service provider must, in respect of each review, keep a record of the date on which it is conducted and its scope, methodology and findings.
- The following provision is not in force.
Marginal note:Report and approval
(4) The payment service provider must ensure that the findings of each review are reported to the senior officer referred to in subparagraph 5(1)(d)(ii), if any, for their approval.
Marginal note:Testing
- The following provision is not in force.
9 (1) A payment service provider must establish and implement a testing methodology, for the purpose of identifying gaps in the effectiveness of, and vulnerabilities in, the systems, policies, procedures, processes, controls and other means provided for in its risk management and incident response framework, that
- The following provision is not in force.
(a) is proportionate to the impact that a reduction, deterioration or breakdown of the payment service provider’s retail payment activities could have on end users and other payment service providers, having regard to factors including the payment service provider’s ubiquity and connectedness, as established using the information referred to in subparagraph 19(4)(a)(i) or paragraph 19(4)(b), as the case may be;
- The following provision is not in force.
(b) is designed taking into account both high-likelihood and high-impact operational risks;
- The following provision is not in force.
(c) provides for the use of tests that
(i) involve relevant internal stakeholders, including agents or mandataries, decision-makers and individuals responsible for the payment service provider’s operational risk management, and
(ii) take into account the payment service provider’s reliance on external stakeholders, including third-party service providers;
- The following provision is not in force.
(d) sets out the frequency and scope of testing; and
- The following provision is not in force.
(e) provides for testing before the adoption of any material change to the systems, policies, procedures, processes, controls or other means — or to any of the payment service provider’s operations that will affect them — for the purpose of evaluating the effects of the change.
- The following provision is not in force.
Marginal note:Record
(2) The payment service provider must, in respect of each test that it carries out, keep a record of
- The following provision is not in force.
(a) the date on which the test is carried out;
- The following provision is not in force.
(b) its methodology, including a summary of how the test satisfies the requirements of subparagraphs (1)(c)(i) and (ii);
- The following provision is not in force.
(c) its results; and
- The following provision is not in force.
(d) any measures taken or to be taken to address those results.
- The following provision is not in force.
Marginal note:Report to senior officer
(3) The payment service provider must ensure that the record is provided to the senior officer referred to in subparagraph 5(1)(d)(ii), if any.
Marginal note:Independent review
- The following provision is not in force.
10 (1) A payment service provider that has an internal or external auditor must ensure that, at least once every three years, a sufficiently skilled individual who has had no role in establishing, implementing or maintaining the payment service provider’s risk management and incident response framework carries out an independent review of
- The following provision is not in force.
(a) the conformity of each element of the payment service provider’s risk management and incident response framework with the applicable requirements of section 5; and
- The following provision is not in force.
(b) the payment service provider’s compliance with each of its obligations under sections 6 to 9.
- The following provision is not in force.
Marginal note:Record
(2) The payment service provider must obtain a record that sets out the independent reviewer’s name — or, if the independent reviewer carried out the review on behalf of an entity other than the payment service provider, that entity’s name — and the date of the review and describes the review’s scope, methodology and findings.
- The following provision is not in force.
Marginal note:Report
(3) The payment service provider must report any gaps and vulnerabilities that are identified by the independent review, and any measures being taken to address them, to the senior officer referred to in subparagraph 5(1)(d)(ii), if any.
Marginal note:Notice of incident — Bank
- The following provision is not in force.
11 (1) The notice that must be given to the Bank under section 18 of the Act must be submitted using the electronic system provided by the Bank for that purpose.
- The following provision is not in force.
Marginal note:Contents
(2) The notice must contain
- The following provision is not in force.
(a) the payment service provider’s name, the name of an individual who may be contacted regarding the incident and that individual’s telephone number and email address;
- The following provision is not in force.
(b) a description of the incident and its material impact on the individuals or entities referred to in paragraphs 18(1)(a) to (c) of the Act; and
- The following provision is not in force.
(c) the measures taken by the payment service provider to respond to the incident.
Marginal note:Notice of incident — individual or entity
- The following provision is not in force.
12 (1) The notice that must be given under section 18 of the Act to an individual or entity referred to in any of paragraphs 18(1)(a) to (c) of the Act must be
- The following provision is not in force.
(a) provided to each materially affected individual or entity using the most recent contact information provided by them to the payment service provider; and
- The following provision is not in force.
(b) posted on the payment service provider’s website if contact information is not available for every materially affected individual or entity.
- The following provision is not in force.
Marginal note:Contents
(2) The notice must include
- The following provision is not in force.
(a) the payment service provider’s name;
- The following provision is not in force.
(b) a description of the incident, including when it began, and the nature of its material impacts on the individuals or entities; and
- The following provision is not in force.
(c) any corrective measures that could be taken by the individuals or entities.
Safeguarding of Funds
Marginal note:Accounts
13 A payment service provider that holds end-user funds in accordance with paragraph 20(1)(a) or (c) of the Act must ensure that the account in which they are held is provided by an entity that is referred to in one of paragraphs 9(a) to (d) or (f) to (h) of the Act or by a foreign financial institution that is regulated by a regulatory regime that imposes standards in respect of capital, liquidity, governance, supervision and risk management that are comparable to those that apply to those entities.
Marginal note:Insurance or guarantee
- The following provision is not in force.
14 (1) A payment service provider that holds end-user funds in accordance with paragraph 20(1)(c) of the Act must ensure that the insurance or guarantee referred to in that paragraph is provided by an entity that
- The following provision is not in force.
(a) is referred to in one of paragraphs 9(a) to (h) of the Act or is a foreign financial institution that is regulated by a regulatory regime that imposes standards in respect of capital, liquidity, governance, supervision and risk management comparable to those that apply to those entities; and
- The following provision is not in force.
(b) is not affiliated with the payment service provider within the meaning of section 3 of the Act.
- The following provision is not in force.
Marginal note:Conditions
(2) The payment service provider must ensure that
- The following provision is not in force.
(a) the proceeds from the insurance or guarantee will not form part of the payment service provider’s estate;
- The following provision is not in force.
(b) the proceeds from the insurance or guarantee will be payable for the benefit of end users as soon as feasible following an event referred to in subsection (3);
- The following provision is not in force.
(c) the insurance or guarantee will survive the payment service provider’s insolvency, as well as any compromise or arrangement with the payment service provider’s creditors and any extinguishment of the payment service provider’s obligations to end users, including those resulting from restructuring; and
- The following provision is not in force.
(d) the Bank is notified at least 30 days before any cancellation or termination of the insurance or guarantee.
- The following provision is not in force.
Marginal note:Events
(3) For the purpose of paragraph (2)(b), the events are
- The following provision is not in force.
(a) the bringing by the payment service provider of an insolvency proceeding in respect of itself;
- The following provision is not in force.
(b) the consent by the payment service provider to the bringing of an insolvency proceeding in respect of it; and
- The following provision is not in force.
(c) the passage of 30 days after the day on which an insolvency proceeding is brought in respect of the payment service provider by another individual or entity, unless that insolvency proceeding is discontinued or dismissed in that time.
- The following provision is not in force.
Marginal note:Definition of insolvency proceeding
(4) For the purpose of subsection (3), insolvency proceeding means any proceeding, action, application, case or legal process relating to bankruptcy, insolvency, liquidation, dissolution or winding-up that is commenced in respect of a payment service provider under the law of any jurisdiction.
Marginal note:Safeguarding-of-funds framework
- The following provision is not in force.
15 (1) A payment service provider that holds end-user funds must establish, implement and maintain a written safeguarding-of-funds framework that conforms to subsections (2) to (5) for the purpose of ensuring that
- The following provision is not in force.
(a) end users have reliable access without delay to the end-user funds that are being held by the payment service provider; and
- The following provision is not in force.
(b) if an event referred to in subsection 14(3) occurs in respect of the payment service provider, those end-user funds, or proceeds of the insurance or guarantee referred to in paragraph 20(1)(c) of the Act, are paid to end users as soon as feasible.
- The following provision is not in force.
Marginal note:Contents
(2) The safeguarding-of-funds framework must describe the payment service provider’s systems, policies, processes, procedures, controls and other means for meeting the objectives referred to in subsection (1), including
- The following provision is not in force.
(a) those in relation to the payment service provider’s use of liquidity arrangements and its holding of end-user funds in the form of secure and liquid assets;
- The following provision is not in force.
(b) a requirement to keep a ledger, which is to be identified and classified as an asset in accordance with paragraph 5(1)(e), that sets out
(i) the name and contact information of each end user whose funds are held by the payment service provider, and
(ii) the amount of funds belonging to each of those end users that is held by the payment service provider at the end of each day; and
- The following provision is not in force.
(c) in respect of the objective referred to in paragraph (1)(b),
(i) the means by which it will be ensured that the insolvency or bankruptcy administrator or trustee or other person appointed to carry out insolvency proceedings as defined in subsection 14(4), or the insurance or guarantee provider, as the case may be, is able to
(A) access all relevant records or documentation in relation to end-user funds,
(B) contact end users as soon as feasible, and
(C) identify any errors or deficiencies in the payment service provider’s ledger of end-user funds and address any shortfall in the funds to be returned to each end user,
(ii) the procedures to be followed to return funds to end users, and
(iii) the role of any of the payment service provider’s agents, mandataries or third-party service providers in facilitating the execution of the tasks referred to in subparagraphs (i) and (ii).
- The following provision is not in force.
Marginal note:Legal risks and operational risks
(3) The safeguarding-of-funds framework must identify legal risks and operational risks that could hinder the meeting of the objectives referred to in subsection (1) and the means of mitigating those risks, including having regard to
- The following provision is not in force.
(a) the jurisdictions in which the payment service provider, its end users, the providers of the accounts in which it holds end-user funds and, if applicable, its insurance or guarantee providers are located;
- The following provision is not in force.
(b) the identity of the payment service provider’s account providers and, if applicable, its insurance or guarantee providers;
- The following provision is not in force.
(c) the terms of the payment service provider’s trust arrangements with its end users, if applicable; and
- The following provision is not in force.
(d) the terms of the payment service provider’s insurance policies or guarantees, if applicable.
- The following provision is not in force.
Marginal note:Identification of senior officer
(4) The safeguarding-of-funds framework must, unless the payment service provider is an individual, identify a senior officer who is responsible for overseeing the payment service provider’s practices for safeguarding end-user funds and for ensuring the payment service provider’s compliance with sections 13 to 17 of these Regulations and subsection 20(1) of the Act.
- The following provision is not in force.
Marginal note:Approval
(5) The safeguarding-of-funds framework must be approved
- The following provision is not in force.
(a) by the senior officer, if any, at least once a year and following each material change that is made to the framework; and
- The following provision is not in force.
(b) by the payment service provider’s board of directors, if any, at least once a year.
- The following provision is not in force.
Marginal note:Review of framework
(6) The payment service provider must review, at the following times, the safeguarding-of-funds framework to ensure the framework’s conformity with subsections (2) to (5) and its effectiveness at meeting the objectives referred to in subsection (1):
- The following provision is not in force.
(a) at least once a year;
- The following provision is not in force.
(b) after any change to the means, among those set out in paragraphs 20(1)(a) to (c) of the Act, by which the payment service provider safeguards end-user funds; and
- The following provision is not in force.
(c) after any of the following changes, if they could reasonably be expected to have a material impact on the manner in which end-user funds are safeguarded:
(i) the opening or closure of any account in which the payment service provider holds end-user funds,
(ii) a change in the entity that provides any account in which the payment service provider holds end-user funds,
(iii) a change to the terms of the account agreement in respect of any account in which the payment service provider holds end-user funds, or
(iv) in the case of a payment service provider that holds funds in accordance with paragraph 20(1)(c) of the Act, a change in its insurance or guarantee providers or to the terms of the insurance policy or guarantee.
- The following provision is not in force.
Marginal note:Record
(7) The payment service provider must, in respect of each review, keep a record of the date on which it is conducted and its scope, methodology and findings.
- The following provision is not in force.
Marginal note:Report and approval
(8) The payment service provider must ensure that the findings of each review are reported to the senior officer referred to in subsection (4), if any, for their approval.
Marginal note:Evaluation of insolvency protection
- The following provision is not in force.
16 (1) A payment service provider referred to in subsection 20(1) of the Act must take measures to ensure the identification of any instance, as soon as feasible after it occurs, in which the end-user funds held by the payment service provider — or equivalent proceeds from any insurance or guarantee referred to in paragraph 20(1)(c) of the Act — would not have been payable to end users had an event referred to in subsection 14(3) of these Regulations occurred.
- The following provision is not in force.
Marginal note:Obligations
(2) The payment service provider must, immediately after identifying such an instance, investigate its root cause and, as soon as feasible, take the necessary measures to prevent similar instances from recurring.
Marginal note:Independent review
- The following provision is not in force.
17 (1) A payment service provider referred to in subsection 20(1) of the Act must ensure that, at least once every three years, a sufficiently skilled individual who has had no role in establishing, implementing or maintaining the safeguarding-of-funds framework, in taking the measures referred to subsection 16(1) or in identifying the instances referred to in that subsection carries out an independent review of the payment service provider’s compliance with subsection 20(1) of the Act and sections 13 to 16 of these Regulations.
- The following provision is not in force.
Marginal note:Record
(2) The payment service provider must obtain a record that sets out the independent reviewer’s name — or, if they carried out the review on behalf of an entity other than the payment service provider, that entity’s name — and the date of the review and describes the review’s scope, methodology and findings.
- The following provision is not in force.
Marginal note:Report
(3) The payment service provider must report any gaps and vulnerabilities that are identified by the independent review, and any measures being taken to address them, to the senior officer referred to in subsection 15(4), if any.
Annual Report
Marginal note:Submission
- The following provision is not in force.
18 (1) For the purpose of section 21 of the Act, a payment service provider that performs retail payment activities in a calendar year must submit the annual report in respect of that year no later than March 31 of the following year.
- The following provision is not in force.
Marginal note:Form and manner
(2) The report must be submitted using the electronic system provided for that purpose by the Bank.
Marginal note:Contents
- The following provision is not in force.
19 (1) For the purpose of paragraph 21(a) of the Act, the prescribed information consists of
- The following provision is not in force.
(a) a description of any changes made to the payment service provider’s risk management and incident response framework during the reporting year and the payment service provider’s plans for the framework’s maintenance and implementation;
- The following provision is not in force.
(b) a description of the objectives referred to in paragraph 5(1)(a) and the targets and indicators referred to in paragraph 5(1)(b);
- The following provision is not in force.
(c) a description of the means by which the payment service provider carried out any assessments referred to in paragraph 5(3)(a) during the reporting year;
- The following provision is not in force.
(d) a description of the manner in which the payment service provider carried out any assessments referred to in paragraph 5(4)(c) during the reporting year, including the criteria used;
- The following provision is not in force.
(e) a description of the human and financial resources for implementing and maintaining the risk management and incident response framework that were available to the payment service provider during the reporting year;
- The following provision is not in force.
(f) a description of roles and responsibilities allocated by the payment service provider in respect of the implementation and maintenance of their risk management and incident response framework during the reporting year;
- The following provision is not in force.
(g) a description of the payment service provider’s operational risks in respect of the reporting year, their potential causes and the manner in which they were identified;
- The following provision is not in force.
(h) a description of the manner in which the payment service provider classified any assets and business processes for the purpose of paragraph 5(1)(e) during the reporting year;
- The following provision is not in force.
(i) a description of the systems, policies, procedures, processes, controls and other means referred to in paragraphs 5(1)(g) and (h) and subsection 5(5) that the payment service provider had in place during the reporting year;
- The following provision is not in force.
(j) a description of the plans referred to in paragraphs 5(1)(i) and (j) and the manner in which those plans were maintained and implemented during the reporting year;
- The following provision is not in force.
(k) a description of the means by which the payment service provider obtained the approvals required under subsection 5(6) during the reporting year;
- The following provision is not in force.
(l) a description of the means by which the payment service provider ensured the availability of its risk management and incident response framework and of the precautions that it took to prevent the unauthorized deletion, destruction or amendment of the framework, as required by section 6, during the reporting year;
- The following provision is not in force.
(m) a description of the information and training that the payment service provider ensured was provided under section 7 during the reporting year;
- The following provision is not in force.
(n) a description of all reviews under section 8, testing under section 9 and independent reviews under section 10 that the payment service provider carried out or ensured were carried out during the reporting year, as well as a description of the payment service provider’s testing methodology referred to in subsection 9(1); and
- The following provision is not in force.
(o) a description of any incidents that the payment service provider experienced during the reporting year.
- The following provision is not in force.
Marginal note:Accounts, insurance and guarantees
(2) For the purpose of paragraph 21(b) of the Act, the prescribed information consists of
- The following provision is not in force.
(a) information on any entity that has provided the payment service provider with an account referred to in subsection 20(1) of the Act, including the entity’s name and the name of the regulator responsible for supervising the entity with respect to its adherence to the standards referred to in section 13 of these Regulations;
- The following provision is not in force.
(b) the name of any other payment service provider through which the payment service provider has obtained the use of an account referred to in subsection 20(1) of the Act;
- The following provision is not in force.
(c) information on any entity that has provided the payment service provider with the insurance or guarantee referred to in paragraph 20(1)(c) of the Act, including the entity’s name and the name of the regulator responsible for supervising the entity with respect to its adherence to the standards referred to in section 14(1)(a) of these Regulations; and
- The following provision is not in force.
(d) a description of the terms of any insurance or guarantee referred to in paragraph 20(1)(c) of the Act that the payment service provider holds.
- The following provision is not in force.
Marginal note:Holding of end-user funds
(3) For the purpose of paragraph 21(c) of the Act, the prescribed information consists of
- The following provision is not in force.
(a) a description of all of the means, among those set out in paragraphs 20(1)(a) to (c) of the Act, by which the payment service provider safeguards end-user funds and, if applicable, a description of the payment service provider’s trust arrangement with its end users;
- The following provision is not in force.
(b) a description of the payment service provider’s safeguarding-of-funds framework referred to in section 15;
- The following provision is not in force.
(c) a description of any instance referred to in subsection 16(1) that was identified during the reporting year, its root cause and any measures taken to prevent similar instances from recurring; and
- The following provision is not in force.
(d) a description of any independent review that was conducted under section 17 during the reporting year, including the date on which it was conducted, its scope and the name that is set out in the record referred to in subsection 17(2).
- The following provision is not in force.
Marginal note:Other information
(4) For the purpose of paragraph 21(d) of the Act, the prescribed information consists of
- The following provision is not in force.
(a) in the case of a payment service provider that has a place of business in Canada,
(i) information establishing the payment service provider’s ubiquity and interconnectedness, including
(A) the maximum value, expressed in Canadian dollars, of end-user funds that the payment service provider held at any time during the reporting year for each of the following categories of end users:
(I) all end users, and
(II) end users in Canada,
(B) for each month of the reporting year,
(I) the average value, expressed in Canadian dollars, of the end-user funds that the payment service provider held at the end of each day for all end users,
(II) the average value, expressed in Canadian dollars, of the end-user funds that the payment service provider held at the end of each day for end users in Canada,
(III) the average value of the end-user funds, broken down by currency and expressed in that currency, that the payment service provider held at the end of each day for all end users,
(IV) the average value of the end-user funds, broken down by currency and expressed in that currency, that the payment service provider held at the end of each day for end users in Canada,
(V) the number of electronic funds transfers in relation to which the payment service provider performed a retail payment activity,
(VI) the number of electronic funds transfers in relation to which the payment service provider performed a retail payment activity for end users in Canada,
(VII) the number of electronic funds transfers, broken down by currency, in relation to which the payment service provider performed a retail payment activity,
(VIII) the number of electronic funds transfers, broken down by currency, in relation to which the payment service provider performed a retail payment activity for end users in Canada,
(IX) the total value, expressed in Canadian dollars, of all electronic funds transfers in relation to which the payment service provider performed a retail payment activity,
(X) the total value, expressed in Canadian dollars, of all electronic funds transfers in relation to which the payment service provider performed a retail payment activity for end users in Canada,
(XI) the total value, broken down by the currency in which the electronic funds transfers are made and expressed in that currency, of all electronic funds transfers in relation to which the payment service provider performed a retail payment activity, and
(XII) the total value, broken down by the currency in which the electronic funds transfers are made and expressed in that currency, of all electronic funds transfers in relation to which the payment service provider performed a retail payment activity for end users in Canada,
(C) the number of end users and end users in Canada for which the payment service provider performed a retail payment activity during the reporting year, and
(D) the number of other payment service providers for which the payment service provider performed a retail payment activity during the reporting year and, of those, the number that have a place of business in Canada, and
(ii) if the payment service provider holds end-user funds other than in accordance with subsection 20(1) of the Act, information establishing that those end-user funds are deposits accepted by the payment service provider that are insured or guaranteed under an Act of the province in which they are held;
- The following provision is not in force.
(b) in the case of a payment service provider that does not have a place of business in Canada, information establishing the payment service provider’s ubiquity and interconnectedness in Canada, including the information referred to in
(i) subclauses (a)(i)(A)(II) and (B)(II), (IV), (VI), (VIII), (X) and (XII),
(ii) clause (a)(i)(C), in relation only to the payment service provider’s end users in Canada, and
(iii) clause (a)(i)(D), in relation only to other payment service providers that have a place of business in Canada;
- The following provision is not in force.
(c) a description of any significant change referred to in subsection 22(1) of the Act that was made by the payment service provider during the reporting year and any retail payment activity that the payment service provider began or ceased to perform during that year;
- The following provision is not in force.
(d) a description of any change to the payment service provider’s use of third-party service providers during the reporting year;
- The following provision is not in force.
(e) a description of any change to the payment service provider’s use of agents or mandataries during the reporting year;
- The following provision is not in force.
(f) a description of the payment service provider’s record-keeping practices during the reporting year; and
- The following provision is not in force.
(g) a description of the payment service provider’s financial metrics for the reporting year, including its revenues, gross profits or losses, operating profits or losses, assets, liabilities and equity.
- The following provision is not in force.
Marginal note:Definition of reporting year
(5) In this section, reporting year means the calendar year in respect of which an annual report is submitted.
Significant Change or New Activity
Marginal note:Notice to Bank
- The following provision is not in force.
20 (1) The notice referred to in subsection 22(1) of the Act must
- The following provision is not in force.
(a) be given to the Bank at least five business days before the day on which the payment service provider makes a significant change in the way it performs a retail payment activity or the day on which it performs a new retail payment activity;
- The following provision is not in force.
(b) be submitted using the electronic system provided for that purpose by the Bank; and
- The following provision is not in force.
(c) include
(i) the payment service provider’s name,
(ii) the name, phone number and email address of an individual who may be contacted regarding the significant change or new activity,
(iii) a description of the change or new activity to be performed,
(iv) the reason for the change or new activity,
(v) the date on which the change is to be made or the new activity is first to be performed,
(vi) the payment service provider’s assessment of the effect that the change or new activity will have on its operational risks and on the manner in which end-user funds are safeguarded, both during and following implementation of the change or new activity,
(vii) a list and summary of all of the payment service provider’s documentation, including in relation to its risk management and incident response framework, that has been amended or created to reflect the change or new activity, and
(viii) if the payment service provider has senior officers, an indication that the change or new activity has been approved by a senior officer.
- The following provision is not in force.
Marginal note:Definition of business day
(2) For the purpose of paragraph (1)(a), business day means a business day of the Bank.
Registration
Marginal note:New application — acquisition of control
21 For the purpose of subsection 24(1) of the Act, an individual or entity acquires control of
- The following provision is not in force.
(a) a corporation once they, alone or in combination with any entities with which they are affiliated within the meaning of section 3 of the Act,
(i) hold — or have held for their benefit — directly or indirectly, otherwise than by way of security only, securities to which are attached one third or more of the votes that may be cast to elect directors of the corporation, or
(ii) acquire control of an entity that controls the corporation;
- The following provision is not in force.
(b) a limited partnership once they become a general partner in it; and
- The following provision is not in force.
(c) an entity other than a corporation or limited partnership once they, alone or in combination with any entities with which they are affiliated within the meaning of section 3 of the Act,
(i) hold — or have held for their benefit — directly or indirectly, an interest in the entity that entitles them to receive one third or more of the entity’s profits or one third or more of its assets on dissolution, or
(ii) acquire control of an entity that controls the entity.
Marginal note:New application — other change
22 The acquisition of any of the following by a state-owned enterprise, as defined in section 3 of the Investment Canada Act, is a prescribed change for the purpose of subsection 24(2) of the Act:
- The following provision is not in force.
(a) a power to appoint the Chief Executive Officer or other senior management officers of the payment service provider or members of its board of directors or a similar body;
- The following provision is not in force.
(b) if the payment service provider is a corporation, voting rights in respect of the election of its directors; or
- The following provision is not in force.
(c) if the payment service provider is an entity other than a corporation, ownership interests in the payment service provider.
Marginal note:Registry
23 The following is prescribed information for the purpose of section 26 of the Act:
- The following provision is not in force.
(a) any trade names of the payment service provider;
- The following provision is not in force.
(b) the date on which the payment service provider was registered;
- The following provision is not in force.
(c) the payment service provider’s civic address — or that of their head office, if applicable — and their primary mailing address;
- The following provision is not in force.
(d) the payment service provider’s telephone number;
- The following provision is not in force.
(e) the payment service provider’s email address;
- The following provision is not in force.
(f) the payment service provider’s website address, if any;
- The following provision is not in force.
(g) the payment functions performed by the payment service provider; and
- The following provision is not in force.
(h) the names of all agents and mandataries that perform functions on behalf of the payment service provider.
Marginal note:Application for registration
24 (1) An application under subsection 29(1) of the Act must be submitted to the Bank using the electronic system provided by the Bank for that purpose.
Marginal note:Contact information
(2) For the purpose of paragraph 29(1)(b) of the Act, the prescribed contact information consists of
(a) the applicant’s civic address — or that of their head office, if applicable — and their primary mailing address;
(b) the applicant’s telephone number;
(c) the applicant’s email address;
(d) the applicant’s fax number, if any;
(e) the applicant’s website address, if any; and
(f) the mailing address, telephone number and email address of an individual who may be contacted for inquiries related to the application.
Marginal note:Organization and structure
(3) For the purpose of paragraph 29(1)(d) of the Act, the prescribed information consists of
(a) if the applicant is an individual, their name and date of birth;
(b) if the applicant is an entity, the date, country and jurisdiction of its incorporation or other formation and, in the case of a corporation, its incorporation number and the legislation under which it is incorporated; and
(c) the following information in respect of each of the applicant’s affiliated entities, if any:
(i) its legal name and any trade names,
(ii) its mailing address, the civic address of its head office, its telephone number, its email address and, if applicable, its website address, and
(iii) a description of any retail payment activities that it performs.
Marginal note:Agents and mandataries
(4) For the purpose of paragraph 29(1)(e) of the Act, the prescribed information consists of, in respect of each agent or mandatary,
(a) their legal name and any trade names;
(b) their civic address — or that of their head office, if applicable — primary mailing address, telephone number, email address and, if applicable, website address; and
(c) a description of the retail payment activities that they perform on behalf of the applicant and the civic address of each location at which they perform them.
Marginal note:Volume and value of retail payment activities
(5) For the purpose of paragraph 29(1)(f) of the Act, the prescribed information consists of
(a) in the case of an applicant that has a place of business in Canada, for each of the previous 12 months,
(i) the number of electronic funds transfers in relation to which they performed a retail payment activity and the total value of those electronic funds transfers, expressed in Canadian dollars, and
(ii) the number of electronic funds transfers in relation to which they performed a retail payment activity for end users in Canada and the total value of those electronic funds transfers, expressed in Canadian dollars;
(b) in the case of an applicant that does not have a place of business in Canada, the information referred to in subparagraph (a)(ii); and
(c) in the case of an applicant that has not performed any retail payment activities in the last year, a projection for the first year in which they will perform retail payment activities of the information referred to in
(i) paragraph (a), if they have a place of business in Canada, or
(ii) subparagraph (a)(ii), if they do not have a place of business in Canada.
Marginal note:End-user funds
(6) For the purpose of paragraph 29(1)(h) of the Act, the prescribed information consists of
(a) for each of the previous 12 months, the average value, expressed in Canadian dollars, of end-user funds that the applicant held at the end of each day — or, if the applicant has not performed any retail payment activities in the previous year, the projected value, expressed in Canadian dollars, of end-user funds that they will hold at the end of each day in their first year performing retail payment activities — for
(i) end users in Canada, and
(ii) in the case of an applicant that has a place of business in Canada, all end users; and
(b) the currencies in which the applicant held end-user funds for each of the following categories of end users in the previous year — or, if the applicant has not performed any retail payment activities in the previous year, the currencies in which they plan to hold end-user funds for each of those categories of end users in their first year performing retail payment activities — and the share of funds held or to be held in each of those currencies:
(i) end users in Canada, and
(ii) in the case of an applicant that has a place of business in Canada, all end users.
Marginal note:Safeguarding of end-user funds
(7) For the purpose of paragraph 29(1)(j) of the Act, the prescribed information consists of
(a) a description of all of the means, among those set out in paragraphs 20(1)(a) to (c) of the Act, by which the applicant safeguards or plans to safeguard end-user funds;
(b) the name of any entity from which the applicant has obtained or plans to obtain an account referred to in subsection 20(1) of the Act or the insurance or guarantee referred to in paragraph 20(1)(c) of the Act and the name of the regulator responsible for supervising that entity with respect to its adherence to standards in respect of capital, liquidity, governance, supervision and risk management; and
(c) if the applicant holds or plans to hold end-user funds other than in accordance with subsection 20(1) of the Act, information establishing that those funds were or will be accepted by the applicant as deposits that are or will be insured or guaranteed under an Act of the province in which they are held.
Marginal note:Third-party service provider
(8) For the purpose of paragraph 29(1)(k) of the Act, the prescribed information consists of, in respect of each third-party service provider that has or will have a material impact on the applicant’s operational risks or the manner in which the applicant safeguards or plans to safeguard end-user funds,
(a) their legal name and any trade names;
(b) their civic address — or that of their head office, if applicable — primary mailing address, telephone number, email address and, if applicable, website address;
(c) a description of the services in relation to retail payment activities that they provide or will provide to the applicant; and
(d) the geographical location of the technologies that they use to provide services in relation to retail payment activities or to store end user data.
Marginal note:National security review
(9) For the purpose of paragraph 29(1)(p) of the Act, the prescribed information consists of
(a) the names of any foreign regulators that supervise the applicant’s retail payment activities in other jurisdictions and the statutes under which that supervision occurs;
(b) an indication of whether the applicant is publicly traded and, if so, the name of the exchanges on which it is traded;
(c) all countries of residence of the applicant and of any individual or entity with which they are affiliated within the meaning of section 3 of the Act;
(d) a corporate organization chart that identifies all individuals or entities that control or are controlled by the applicant within the meaning of section 21;
(e) the country of residence of each individual or entity that controls the applicant within the meaning of section 21 and, in the case of an individual, their countries of citizenship;
(f) if the applicant is a corporation, the name, countries of residence and citizenship, incorporation or other formation, as the case may be, of any individual or entity that holds — or for whose benefit are held — directly or indirectly, otherwise than by way of security only, securities to which are attached 10% or more of the votes that may be cast to elect the applicant’s directors;
(g) if the applicant is an entity other than a corporation or limited partnership, the name, countries of residence and citizenship, incorporation or other formation, as the case may be, of any individual or entity that holds — or for whose benefit is held — directly or indirectly, an interest in the applicant that entitles them to receive 10% or more of the applicant’s profits or 10% or more of its assets on dissolution;
(h) if the applicant has a board of directors, the name, countries of residence and citizenship, mailing address, telephone number and email address of each of its members, as well as an indication of whether they are a member of the board of directors of any other entities and, if so, the names of those entities;
(i) if the applicant has senior officers, the name, countries of residence and citizenship, mailing address, telephone number and email address of each of the five senior officers who were, for the last calendar year, the most highly compensated, having regard to all forms of compensation, including stock options, performance-based incentives and other benefits;
(j) the name, countries of residence and citizenship, incorporation or other formation, as the case may be, mailing address, telephone number, email address and, if applicable, head office address of each of the five creditors to which the applicant owed the greatest amount at any time during the last calendar year;
(k) an indication of whether a state-owned enterprise, as defined in section 3 of the Investment Canada Act, holds — or has held for its benefit — directly or indirectly, an ownership interest or voting interest in the applicant and, if so, the name of the state-owned enterprise and of the applicable foreign state and a description of the interest, including, in the case of a voting interest, whether it has a special veto or other decision-making right attached to it;
(l) an indication of whether a state-owned enterprise, as defined in section 3 of the Investment Canada Act, has the power to appoint the Chief Executive Officer or other senior management officers of the applicant, or members of its board of directors or a similar body, and, if so, the name of the state-owned enterprise and the applicable foreign state and a description of that power;
(m) a list of all categories of personal or financial information, including the following categories, that the applicant gathers or plans to gather in respect of their end users in Canada, employees or business partners and the purposes for which the information is gathered:
(i) personal identifying information,
(ii) financial data, including confidential account information,
(iii) private communications, and
(iv) geolocation data;
(n) all countries in which the applicant or their third-party service providers store or process, or plan to store or process, any information referred to in paragraph (m);
(o) the name, countries of residence and citizenship, incorporation or other formation, as the case may be, mailing address, telephone number, email address and, if applicable, head office address of every individual or entity that may be given access to any information referred to in paragraph (m), other than an employee or agent or mandatary of the applicant, an employee of a payment service provider referred to in section 9 of the Act or an employee of a registered payment service provider;
(p) in the case of an applicant that has a place of business in Canada,
(i) the name of any other payment service provider for which they performed a retail payment activity in the previous two years, and
(ii) the name of any other payment service provider for which they plan to perform a retail payment activity in the next two years; and
(q) in the case of an applicant that does not have a place of business in Canada,
(i) the name of any other payment service provider that has a place of business in Canada and for which the applicant performed a retail payment activity in the previous two years, and
(ii) the name of any other payment service provider that has a place of business in Canada and for which the applicant plans to perform a retail payment activity in the next two years.
Marginal note:Registration fee
25 (1) The prescribed registration fee for the purpose of subsection 29(2) of the Act is the amount determined by the formula
$2,500 × (A ÷ B)
where
- A
- is the September All-items Consumer Price Index for Canada, as published by Statistics Canada under the Statistics Act, for the calendar year immediately before the year in which the application is submitted; and
- B
- is the September All-items Consumer Price Index for Canada, as published by Statistics Canada under the Statistics Act, for the calendar year in which this section comes into force.
Marginal note:Exception
(2) Despite subsection (1), the fee to be included with an application for registration that is submitted in the calendar year in which this section comes into force is $2,500.
Marginal note:No decrease
(3) Despite subsection (1), if a fee determined under that subsection is less than the fee that was required to be included with an application submitted in the previous calendar year, the fee is instead equal to the fee applicable in that previous year.
Marginal note:Decision to review — prescribed period
- The following provision is not in force.
26 (1) The prescribed period for the purpose of subsection 34(1) of the Act is 60 days beginning on the day after the day on which the Minister is provided with a copy of the application for registration.
- The following provision is not in force.
Marginal note:Extension
(2) The prescribed period for the purpose of subsection 34(2) of the Act is 60 days.
Marginal note:Conduct of review — prescribed period
27 The prescribed period for the purpose of section 36 of the Act is 180 days beginning on the day after the day on which the Minister decides to review the application for registration.
Marginal note:Request for review of directive — prescribed period
28 The prescribed period for the purpose of subsection 41(1) of the Act is 30 days beginning on the day after the day on which the applicant is notified of the refusal to register.
Marginal note:Request for review of notice — prescribed period
29 The prescribed period for the purpose of subsection 46(1) of the Act is 30 days beginning on the day after the day on which the payment service provider is notified of the issuance of the notice of intent.
Marginal note:Refusal to register — prescribed period and reasons
30 For the purpose of subsection 48(1) of the Act,
- The following provision is not in force.
(a) the prescribed period within which the Bank may refuse to register an applicant is
(i) in the case of a refusal for the reason referred to in paragraph 48(1)(a) of the Act, 45 days beginning on the day after the day on which the period referred to in subsection 29(3) of the Act expires, and
(ii) in the case of a refusal for any other reason, 45 days beginning on the day after the day on which the Bank considers the application to be complete; and
- The following provision is not in force.
(b) the following are prescribed reasons for which the Bank may refuse to register an applicant:
(i) the applicant has failed to pay an assessment or interim assessment that was made against them under section 99 of the Act when they were a registered payment service provider, and
(ii) the Act does not apply to the applicant or in respect of any payment functions that they perform or plan to perform.
Marginal note:Review of refusal to register — prescribed period
- The following provision is not in force.
31 (1) The prescribed period for the purpose of subsection 50(1) of the Act is 30 days beginning on the day after the day on which the applicant is notified of the refusal to register.
- The following provision is not in force.
Marginal note:Decision
(2) The prescribed period for the purpose of subsection 50(3) of the Act is 90 days beginning on the day after the day on which the applicant requests the review.
Marginal note:Notice of intent to revoke registration — prescribed reasons
32 The following are prescribed reasons for the purpose of section 52 of the Act:
- The following provision is not in force.
(a) the payment service provider has failed to pay an assessment or interim assessment made against it under section 99 of the Act; or
- The following provision is not in force.
(b) the Act no longer applies to the payment service provider or in respect of any payment functions that it performs or plans to perform.
Marginal note:Review of notice of intent — prescribed period
- The following provision is not in force.
33 (1) The prescribed period for the purposes of subsection 53(1) and section 54 of the Act is 30 days beginning on the day after the day on which the payment service provider is notified of the intent to revoke its registration.
- The following provision is not in force.
Marginal note:Decision
(2) The prescribed period for the purpose of subsection 53(3) of the Act is 90 days beginning on the day after the day on which the payment service provider has completed making its representations or, if it does not make any, the day after the day on which its opportunity to do so ends.
Marginal note:Appeal — prescribed period
34 The prescribed period for the purpose of subsection 58(1) of the Act is 30 days beginning on the day after the day on which the applicant or payment service provider is notified of the decision under subsection 50(3) or 53(3) of the Act.
Marginal note:Notice of change in information — prescribed period
35 For the purpose of subsection 59(1) of the Act,
- The following provision is not in force.
(a) the prescribed period is 30 days beginning on the day after the day on which the change occurs; and
- The following provision is not in force.
(b) the notice must be given using the electronic system provided by the Bank for that purpose.
Marginal note:Notice of change in prescribed information
- The following provision is not in force.
36 (1) The prescribed information for the purpose of subsection 60(1) of the Act is the information referred to in subsection 24(9) of these Regulations, other than that referred to in subparagraphs 24(9)(p)(i) and (q)(i).
- The following provision is not in force.
Marginal note:Prescribed period
(2) The prescribed period for the purpose of subsection 60(2) of the Act is
- The following provision is not in force.
(a) in respect of the following changes, as soon as feasible after the payment service provider becomes aware of the change, even if the change has already taken effect:
(i) a change to the information referred to in any of paragraphs 24(9)(a) to (c) and (e) to (j) or in subparagraph 24(9)(p)(ii) or (q)(ii),
(ii) a change to a mailing address, telephone number or email address referred to in paragraph 24(9)(o), and
(iii) a change to the information referred to in paragraph 24(9)(k) or (l) of these Regulations;
- The following provision is not in force.
(b) in respect of the following changes, at least 30 days before the day on which the change takes effect:
(i) a change to the information referred to in paragraph 24(9)(d) or (m), and
(ii) a change to the information referred to in paragraph 24(9)(o), other than the information referred to in subparagraph (a)(ii); and
- The following provision is not in force.
(c) in respect of a change to the information referred to in paragraph 24(9)(n), at least 60 days before the day on which the change takes effect.
Prescribed Supervisory Information
Marginal note:Prescribed information
37 The following is prescribed information for the purpose of subsection 64(1) of the Act:
(a) any direction, notice, letter, plan, report or recommendation issued or prepared by the Bank in connection with its supervision of a payment service provider, including as a result of any assessment, testing, audit or investigation that it carries out in respect of the payment service provider;
- The following provision is not in force.
(b) a notice of refusal given under subsection 48(3) of the Act;
- The following provision is not in force.
(c) a notice of intent to revoke issued under section 52 of the Act;
- The following provision is not in force.
(d) a notice of decision given under subsection 53(3) of the Act;
- The following provision is not in force.
(e) a notice of revocation given under subsection 55(2) of the Act;
(f) a compliance agreement referred to in section 71 of the Act;
(g) a notice of violation issued under subsection 76(2) of the Act;
(h) a compliance agreement referred to in paragraph 76(2)(b) of the Act;
(i) a notice of decision issued under subsection 78(4) of the Act;
(j) a notice of compliance served under section 81 of the Act;
(k) a notice of default issued under section 82 of the Act;
(l) an order made under subsection 94(1) or (4) of the Act; and
(m) any correspondence to or from the applicant or payment service provider that relates to any of the items referred to in paragraphs (a) to (l).
Marginal note:Non-disclosure by payment service provider
38 (1) Subject to subsections (2) and (3), a payment service provider must not, directly or indirectly, disclose any information referred to in section 37.
Marginal note:Exception
(2) A payment service provider may disclose information referred to in section 37 to the following individuals and entities if it ensures that, subject to subsection (3), those individuals and entities do not further disclose the information to others:
(a) an individual or entity with which the payment service provider is affiliated within the meaning of section 3 of the Act; and
(b) the directors, officers, employees, auditors, securities underwriters or legal advisors of
(i) the payment service provider, or
(ii) an individual or entity referred to in paragraph (a).
Marginal note:Exception — securities laws
(3) A payment service provider may disclose information referred to in section 37, and need not ensure its further non-disclosure, to the extent that the disclosure is required by the securities laws of any jurisdiction.
Marginal note:Use of information
39 (1) For the purpose of subsection 64(3) of the Act, the Minister, the Governor, the Bank and the Attorney General of Canada may use the information referred to in section 37 of these Regulations as evidence in any proceeding.
Marginal note:Certain Acts
(2) For the purpose of subsection 64(4) of the Act, the payment service provider may use the information referred to in section 37 of these Regulations as evidence in any proceeding referred to in that subsection.
Record Keeping and Retention
Marginal note:Records
40 A payment service provider must keep, in a form that is intelligible to the Bank, sufficient records to demonstrate its compliance with the Act and these Regulations and, subject to any undertaking provided for the purpose of section 42 of the Act or any condition imposed under section 43 of the Act, must retain the records until the day that is five years after the day on which the payment service provider’s current compliance with the Act and Regulations ceases to be demonstrated by the records.
Marginal note:Protective measures
41 A payment service provider must take reasonable measures, with respect to all records that it is required to keep under the Act and these Regulations, to
(a) prevent their loss or destruction;
(b) prevent their falsification;
(c) detect and correct any inaccuracies contained in them; and
(d) prevent unauthorized persons from accessing or using the information contained in them.
Marginal note:Agents, mandataries and third-party service providers
42 A payment service provider must ensure that
(a) any record that is kept by an agent or mandatary or a third-party service provider that is relevant to the payment service provider’s compliance with the Act or these Regulations is
(i) accessible to the payment service provider, and
(ii) kept and retained in accordance with section 40; and
(b) the measures referred to in section 41 are taken in respect of that record.
Administration and Enforcement — Provision of Information
Marginal note:Prescribed period — payment service provider
43 (1) The prescribed period for the purpose of subsection 65(1) of the Act is 15 days beginning on the day after the day on which the request is made.
Marginal note:Exception — significant adverse incident
(2) Despite subsection (1), if the information requested by the Bank relates to an incident that is ongoing and that could have a significant adverse impact on an individual or entity referred to in subsection 94(2) of the Act, the prescribed period for the purpose of subsection 65(1) of the Act is 24 hours beginning when the request is made.
Marginal note:Prescribed period — individual or entity
44 The prescribed period for the purpose of subsection 66(2) of the Act is 15 days beginning on the day after the day on which the request is made.
Marginal note:Prescribed period — undertaking or condition
45 The prescribed period for the purpose of subsection 73(1) of the Act is 15 days beginning on the day after the day on which the request is made.
Administrative Monetary Penalties
Marginal note:Designation of violations
46 The following are designated as violations that may be proceeded with under Part 5 of the Act:
(a) the contravention of a provision of the Act set out in column 1 of Part 1 of the schedule, including in relation to a corresponding provision of these Regulations set out in column 2, if applicable;
(b) the contravention of a provision of these Regulations set out in column 1 of Part 2 of the schedule; and
(c) non-compliance with an agreement entered into under section 71 of the Act.
Marginal note:Classification
47 (1) Subject to subsection (3), each violation referred to in paragraph 46(a) or (b), other than one referred to in subsection 48(2), is classified as a serious or very serious violation, as set out in column 3 of Part 1 of the schedule or column 2 of Part 2 of the schedule, as the case may be.
Marginal note:Compliance agreement violation
(2) The violation referred to in paragraph 46(c) is classified as a very serious violation.
Marginal note:Series of violations
(3) If a notice of violation identifies two or more violations that are classified as serious violations and that arise from the contravention of the same provision of the Act or these Regulations, that series of violations is classified as a single very serious violation.
Marginal note:Penalties
48 (1) The range of penalties in respect of a violation, other than one referred to in subsection (2), is
(a) up to $1,000,000 in the case of a serious violation; and
(b) up to $10,000,000 in the case of a very serious violation.
Marginal note:Exceptions
(2) In the case of a violation in respect of section 21 or subsection 22(1), 59(1) or 60(1) or (2) of the Act,
(a) if the violation has continued for no more than 30 days, the amount of the penalty in respect of the violation is $500 for each day that it has continued; and
(b) if it has continued for more than 30 days, the range of penalties in respect of the violation is from $15,000 to $1,000,000.
Marginal note:Criteria
49 The amount payable as the penalty for a violation, other than one referred to in paragraph 48(2)(a), is to be established having regard to
(a) the harm that is done by the violation and the harm that could have been done by it;
(b) the history of the individual or entity that committed the violation with respect to any prior violation committed by them within the five-year period immediately before the violation; and
(c) the degree of intention or negligence on the part of the individual or entity that committed the violation.
Marginal note:Additional penalty
50 For the purpose of paragraph 82(1)(b) of the Act, the additional penalty is equal to the amount of the penalty set out in the notice of violation.
Marginal note:Service of documents
51 (1) Any notice that is to be served under Part 5 of the Act must be served by
(a) in the case of service on an individual,
(i) leaving a copy of it with the individual,
(ii) leaving a copy of it with someone who appears to be an adult member of the same household at the individual’s last known address or usual place of residence,
(iii) sending a copy of it by registered mail or courier to the individual’s last known address or usual place of residence,
(iv) sending a copy of it to the individual’s last known email address, or
(v) making a copy of it available to the individual through an electronic system maintained for that purpose by the Bank and advising the individual, by email to their last known email address, of the availability of the notice; and
(b) in the case of service on an entity,
(i) leaving a copy of it with an individual who appears to manage or be in control of the head office or place of business of the entity or of the entity’s authorized representative,
(ii) sending a copy of it by registered mail or courier to the head office or place of business of the entity or of the entity’s authorized representative,
(iii) sending a copy of it to the entity’s last known email address, or
(iv) making a copy of it available to the entity through an electronic system maintained for that purpose by the Bank and advising the entity, by email to its last known email address, of the availability of the notice.
Marginal note:Deemed service
(2) A notice is deemed to be served
(a) on the day on which it is left with an individual in accordance with subparagraph (1)(a)(i) or (ii) or (b)(i);
(b) on the 10th day after the date indicated in the receipt issued by the postal or courier service, in the case of service by registered mail or courier; or
(c) on the day on which the email referred to in subparagraph (1)(a)(iv) or (v) or (b)(iii) or (iv) is delivered.
Transition Period
Marginal note:National security review — prescribed periods
52 In respect of an application for registration that is submitted during the transition period as defined in section 103 of the Act,
(a) the prescribed period for the purpose of subsection 34(1) of the Act begins on the day on which the Minister is provided with the application and ends 60 days after the last day of the transition period; and
(b) the prescribed period for the purpose of section 36 of the Act begins on the day on which the Minister decides to review the application and ends on the later of 180 days after that day and 180 days after the last day of the transition period.
Marginal note:Application for registration — prescribed period
53 The prescribed period for the purpose of section 104 of the Act is the period that begins on the day on which section 29 of the Act comes into force and ends on the later of
(a) the day that is 14 days after the day on which section 29 of the Act comes into force, and
(b) the day that is 60 days before the first day during the transition period on which the payment service provider plans to perform retail payment activities.
Marginal note:Publication of application information
54 For the purpose of section 107 of the Act, the prescribed information is
(a) any trade names of the applicant; and
(b) the address, telephone number and email address of the applicant’s place of business, as well as their website address, if any.
Coming into Force
Marginal note:S.C. 2021, c. 23, s. 177
Footnote *55 (1) Subject to subsection (2), these Regulations come into force on the day on which section 29 of the Retail Payment Activities Act comes into force, but if they are registered after that day, they come into force on the day on which they are registered.
Marginal note:S.C. 2021, c. 23, s. 177
(2) Sections 5 to 23, 26, 27 and 29 to 36, paragraphs 37(b) to (e), items 1 to 10, 12 and 13 of Part 1 of the schedule and items 1 to 26 of Part 2 of the schedule come into force on the day on which subsection 25(1) of the Retail Payment Activities Act comes into force, but if these Regulations are registered after that day, those provisions come into force on the day on which these Regulations are registered.
Return to footnote *[Note: Regulations, except sections 5 to 23, 26, 27 and 29 to 36, paragraphs 37(b) to (e), items 1 to 10, 12 and 13 of Part 1 of the schedule and items 1 to 26 of Part 2 of the schedule, in force November 1, 2024, see SI/2023-70, sections 5 to 23, 26, 27 and 29 to 36, paragraphs 37(b) to (e), items 1 to 10, 12 and 13 of Part 1 of the schedule and items 1 to 26 of Part 2 of the schedule in force September 8, 2025, see SI/2023-70.]
SCHEDULE(Paragraphs 46(a) and (b) and subsection 47(1))Administrative Monetary Penalties — Designation of Provisions
Retail Payment Activities Act
Column 1 | Column 2 | Column 3 | |
---|---|---|---|
Item | Provision of Act | Corresponding Provision of These Regulations | Classification of Violation |
1 | 17(1) | 5 | very serious |
2 | 17(3) | – | very serious |
3 | 18 | 11 or 12 | very serious |
4 | 19(3) | – | serious |
5 | 20(1) | – | very serious |
6 | 21 | 18 or 19 | – |
7 | 22(1) | 20 | – |
8 | 23 | – | very serious |
9 | 24(1) | – | serious |
10 | 24(2) | 22 | serious |
11 | 30 | – | serious |
12 | 59(1) | 35 | – |
13 | 60(1) and (2) | 36 | – |
14 | 61 | – | serious |
15 | 65(2) | – | serious |
16 | 66(2) | 44 | serious |
17 | 67(2) | – | very serious |
18 | 67(3) | – | very serious |
19 | 69(2) | – | very serious |
20 | 104 | 53 | very serious |
Retail Payment Activities Regulations
Column 1 | Column 2 | |
---|---|---|
Item | Provision | Classification of Violation |
1 | 6 | very serious |
2 | 7 | very serious |
3 | 8(1)(a) and (2) | very serious |
4 | 8(1)(b) and (2) | very serious |
5 | 8(3) | serious |
6 | 8(4) | serious |
7 | 9(1) | very serious |
8 | 9(2) | serious |
9 | 9(3) | serious |
10 | 10(1) | very serious |
11 | 10(2) | serious |
12 | 10(3) | serious |
13 | 13 | very serious |
14 | 14(1) | very serious |
15 | 14(2) | very serious |
16 | 15(1) | very serious |
17 | 15(6)(a) | very serious |
18 | 15(6)(b) | very serious |
19 | 15(6)(c) | very serious |
20 | 15(7) | serious |
21 | 15(8) | serious |
22 | 16(1) | very serious |
23 | 16(2) | very serious |
24 | 17(1) | very serious |
25 | 17(2) | serious |
26 | 17(3) | serious |
27 | 38(1) | serious |
28 | 40 | serious |
29 | 41 | serious |
30 | 42(a) | serious |
31 | 42(b) | serious |
- Date modified: