Publication date: April 17, 2024

This supervisory policy outlines what records payment service providers should keep and retain to comply with their record-keeping obligations under the Retail Payment Activities Act and the Retail Payment Activities Regulations.

For terminology about retail payment supervision, refer to the glossary.

Introduction

Payment service providers (PSPs) must keep and retain records that are sufficient to demonstrate their compliance with the Retail Payment Activities Act (RPAA) and Retail Payment Activities Regulations (RPAR).[1]

This supervisory policy is intended to assist PSPs in complying with their obligations related to record keeping under sections 40 to 42 of the RPAR.

Subject to any undertakings provided for the purpose of section 42 or any condition imposed under section 43 of the RPAA[2], when a record is no longer used to demonstrate a PSP’s compliance with requirements, it must be retained for five years from that point.

Records to be kept and retained

The Bank expects PSPs to keep and retain all records related to their compliance with:

  1. operational risk management and incident response requirements in accordance with subsection 17(1) of the RPAA[3]
  2. incident notification requirements, pursuant to sections 18 and 19 of the RPAA[4]
  3. holding funds requirements in accordance with paragraphs 20(1)(a), (b) or (c) of the RPAA[5]
  4. all requirements to provide information to the Bank, including as it relates to:
    1. annual reports[6]
    2. notice of significant change or new activity[7]
    3. form, manner and information of registration application[8]
    4. notice of change in information of registration application[9]
    5. notice of change in information of a PSP[10]
    6. notice of change in prescribed information in relation to a PSP or its retail payment activities for the purpose of a national security review of a registration application[11]
    7. information request[12]
    8. special audit[13]
    9. information request related to assessment fees[14]
    10. instances in which all end-user funds or equivalent insurance or guarantee proceeds would not have been payable to end users, including results of investigations, and measures taken[15]

Examples

This section provides illustrative examples of some of the materials that PSPs should keep and retain as records. Some sections of the RPAR set out specific record-keeping obligations (e.g., Risk Management and Incident Response, Safeguarding of Funds, etc.) that form only part of a PSP’s requirement to keep records and do not represent a PSP’s full obligation.

Refer to the guidelines related to operational risk and end-user funds safeguarding.

Risk management and incident response framework

As per section 17 of the RPAA and sections 5 to 10 in the RPAR:

  1. a written risk management and incident response framework as referred to in section 5 of the RPAR and records of any reviews or approvals of the framework as described in subsection 5(6) of the RPAR
  2. documented policies and procedures for identifying and categorizing assets and business processes as well as descriptions of the PSP’s assets and business processes and their criticality and sensitivity
  3. documentation related to systems, policies, procedures, processes, controls and other means used to:
    • mitigate operational risks and protect assets and business processes
    • detect incidents, anomalous events and lapses in implementation of the framework
    • respond to incidents
  4. documented objectives, reliability targets and indicators
  5. inputs, outputs, methodology, templates and processes related to operational risk management and incident response
  6. documented roles and responsibilities, including reporting lines and escalation procedures, approval arrangements and delegation of authority
  7. records of the PSP’s identification and investigation of each incident and measures taken to mitigate the impact and address the root cause, including but not limited to specific records required by subsection 5(1)(i)(viii) of the RPAR
  8. in terms of third-party service providers, agents and mandataries:
    • assessments and methodologies for due diligence
    • contractual arrangements and any other documentation related to the products/services provided and the roles and responsibilities of each party
    • communications between the PSP and third-party service providers, agents and mandataries that pertain to the management of operational risks and identification and response to incidents
  9. records of the date of each review of the PSP’s risk management and incident response framework and the scope, methodology and findings of each review
  10. the PSP’s testing methodology and records of the date of each test of the PSP’s risk management and incident response framework, the results of the tests and any measures taken or to be taken to address those results
  11. records of independent reviews of the PSP’s compliance with the operational risk requirements, including the reviewer’s name, the date of the review and the review’s scope, methodology and findings
  12. any other document that will demonstrate how the PSP has met the requirements of the RPAA, including to show how it has established, implemented and maintained its framework

Safeguarding of end-user funds

As per section 20 of the RPAA and sections 13 to 17 of the RPAR:

  1. the PSP’s legal agreement with its account provider(s) and any associated documentation
  2. where the PSP holds end-user funds in trust in a trust account, documentation regarding the PSP’s in-trust arrangement(s) with its end users
  3. where the PSP safeguards end-user funds using insurance or a guarantee, the PSP’s legal agreement with its insurance or guarantee provider(s) and any associated documentation
  4. the PSP’s written safeguarding-of-funds framework and records of any reviews or approvals of the framework as described in section 15 of the RPAR
  5. any records pertaining to the PSP’s ledger of end-user funds
  6. any records of the PSP’s evaluation of insolvency protection measures, including details of any identified instances, root causes and measures taken to prevent recurrence as described in section 16 of the RPAR
  7. any records of independent reviews of the PSP’s compliance with the end-user fund safeguarding requirements conducted on behalf of the PSP, including the reviewer’s name, the date of the review and the review’s scope, methodology and findings as described in section 17 of the RPAR
  8. if the PSP makes use of the exception under subsection 20(2) of the RPAA, documentation demonstrating that the PSP accepts deposits that are insured or guaranteed under a provincial deposit insurance regime and that the PSP is a member of that deposit insurance regime

Incident notifications

As per sections 18 and 19 of the RPAA and sections 11 and 12 of the RPAR:

  1. all copies of incident notifications, including notifications to the Bank, as well as to end users, PSPs and clearing houses[16]
  2. any copies of follow-up notifications[17]
  3. all supporting materials related to the incident that the notification relates to and the impact of that incident

Reporting

Any copies of reports or information provided to the Bank, including:

  1. annual reports submitted to the Bank, including the prescribed information reported[18]
  2. notice of significant change or new activity the PSP submits to the Bank, including the prescribed information[19]
  3. application for registration submitted to the Bank, including the prescribed information and any additional information requested by the Bank in relation to the application[20]
  4. notice of change in information of registration application submitted to the Bank[21]
  5. notice of change in information submitted to the Bank[22]
  6. notice of change in prescribed information submitted to the Bank that is in relation to the PSP or its retail payment activities[23]
  7. information provided to the Bank under the Bank’s information request powers[24]
  8. results of a special audit the PSP has undergone that are provided to the Bank[25]
  9. any other material or report provided to the Bank pursuant to the RPAA

All supporting materials related to or referred to in those reports or that were used to support the production of those reports. This includes but is not limited to:

  1. underlying data used to compile quantitative measures of the PSP’s activities that are reported to the Bank
  2. materials related to or referred to in a special audit as per section 67 of the RPAA or prepared as part of such an audit

Duration and triggers for retention

If the records referred to above become dated or are no longer applicable, PSPs must still retain them for five years after the day on which the records no longer demonstrate the PSP’s current compliance with the obligations under the RPAA and RPAR, even if there are changes to the PSP’s business. For example, these records could be:

  1. documents such as policies, procedures, system and control documentation, and legal agreements and contracts
    1. For example, if a version of the PSP’s risk management framework document is no longer applicable to the PSP’s organization as of December 31, 2024, the document must be retained until January 1, 2030.
  2. other materials, such as approvals; results of testing, audits and reviews; or entries into logs and ledgers
    1. Each item in the log or ledger must be retained. For example, the record of the amount of funds that the PSP held for an end user on December 31, 2024, must be retained until January 1, 2030.

PSPs may retain these records for longer than the five-year period, such as for their own purposes or to meet requirements of other regulators or authorities. However, the retention period must not be less than five years.

Form of retention and other responsibilities regarding record keeping

PSPs must hold records in such a way that the records can be provided in a form and manner that is understandable to the Bank. Records must be kept in either English or French. PSPs must be able to provide them in a format deemed acceptable by the Bank (i.e., according to the Bank’s instructions).

PSPs may be required to submit records in the form and manner that the Bank has prescribed using the electronic system or other forms provided by the Bank for that purpose, in accordance with the requirement:

  1. to notify the Bank of an incident that has a material impact on an end user, PSP or a clearing and settlement system[26]
  2. to submit an annual report to the Bank[27]
  3. to notify the Bank before making a significant change or new activity[28]
  4. for an applicant to submit a registration application[29]
  5. to notify the Bank of any changes to information[30]
  6. to provide access to records that may be required for a special audit[31]
  7. to provide access to records that the authorized person examining the PSP’s records and business may require[32]

Records must be kept in such a way that they can be:

  1. provided to the Bank if requested within the prescribed timeline to verify compliance with the RPAA and RPAR[33]
  2. examined by an authorized person to verify compliance with the RPAA and RPAR (the authorized person must be able to reproduce any record, or cause it to be reproduced from the PSP’s data, in the form of a printout or other understandable output and remove the printout or other output for examination or copying)[34]
  3. available for use in a special audit to verify compliance with the RPAA, during which PSPs must provide any documents or information and access to any data specified by the individual or entity appointed to conduct the special audit[35]

PSPs must take reasonable measures with respect to all records to:

  1. prevent their loss or destruction
  2. prevent their falsification
  3. detect and correct any inaccuracies contained in them
  4. prevent unauthorized persons from accessing or using the information contained in them

PSPs should refer to the Operational Risk and Incident Reporting guidelines regarding tools that could be used to identify how loss, destruction, falsification or unauthorized access to records could arise, and to protect records from those risks.

PSPs retain responsibility for the keeping and retention of records by agents, mandataries and third-party service providers, if applicable, that are relevant to the PSPs’ compliance with the RPAA. PSPs must ensure that any such records kept and retained by such parties are accessible to the PSP.

As part of complying with this requirement, the PSP is expected to ensure that it has access to any records kept or retained by an agent, mandatary, or third-party service provider relating to the PSP’s compliance with the RPAA after its contractual arrangement with that party ends, in line with the five-year retention period.

  1. PSPs may also be subject to record-keeping requirements set out by the Department of Finance Canada to support national security, through the RPAR or through undertakings (individual arrangements) as defined in the RPAA.
  2. Sections 42 and 43 of the RPAA, related to undertakings and conditions, were put in place by the Minister of Finance for reasons relating to national security.
  3. See requirements in sections 5 to 10 of the RPAR.
  4. See requirements in sections 11 and 12 of the RPAR.
  5. See requirements in sections 13 to 17 of the RPAR.
  6. See requirements in section 21 of the RPAA and section 19 of the RPAR.
  7. See requirements in section 22 of the RPAA and subsection 20(1)(c) of the RPAR.
  8. See requirements in subsections 29(1) and 29(3) of the RPAA and section 24 of the RPAR.
  9. See requirements in section 30 of the RPAA.
  10. See requirements in subsection 59(1) of the RPAA.
  11. See requirements in subsection 60(1) of the RPAA and subsection 36(1) of the RPAR.
  12. See requirements in subsection 65(1) of the RPAA.
  13. See requirements in section 67 of the RPAA.
  14. See requirements in subsection 100(1) of the RPAA.
  15. See requirements in section 16 of the RPAR.
  16. See requirements in section 18 of the RPAA and sections 11 and 12 of the RPAR.
  17. See requirements in section 19 of the RPAR.
  18. See requirements in section 21 of the RPAA and sections 18 and 19 of the RPAR.
  19. See requirements in section 22 of the RPAA and section 20 of the RPAR.
  20. See requirements in subsections 29(1) and 29(3) of the RPAA and section 24 of the RPAR.
  21. See requirements in section 30 of the RPAA.
  22. See requirements in subsection 59(1) of the RPAA.
  23. See requirements in subsection 60(1) of the RPAA and subsection 36(1) of the RPAR.
  24. See requirements in sections 65 and 100 of the RPAA.
  25. See requirements in subsection 67(3) of the RPAA.
  26. In accordance with subsection 18(2) of the RPAA.
  27. In accordance with section 21 of the RPAA.
  28. In accordance with paragraph 22(1)(b) of the RPAA.
  29. In accordance with subsections 29(1) and 29(3) of the RPAA.
  30. In accordance with subsection 59(1) of the RPAA.
  31. In accordance with section 67 of the RPAA.
  32. In accordance with section 69 of the RPAA.
  33. In accordance with section 65 of the RPAA.
  34. In accordance with section 69 of the RPAA.
  35. In accordance with section 67 of the RPAA.
