Publication date: June 17, 2024

This supervisory policy provides an overview of what the Bank of Canada will consider when determining whether a “significant adverse impact” is occurring or has occurred.

For terminology about retail payment supervision, refer to the glossary.

Introduction

This interpretation applies to both section 94 of the Retail Payment Activities Act (RPAA) and subsection 43(2) of the Retail Payment Activities Regulations (RPAR).

To measure significant adverse impact, the Bank will determine whether the act or incident in question could have an adverse impact and whether the potential adverse impact could be significant.

Examples of a potential adverse impact include:

  • loss of end-user funds (e.g., stolen funds, transaction processing errors or incorrect routing)
  • breach of confidential data (e.g., cyber or other information security incidents)
  • outage of retail payment activity (e.g., system failure)
  • compromised integrity of a payment service provider’s (PSP) retail payment activity (for example, misdirection of funds) 

To determine the significance of a potential adverse impact, the Bank may consider the following factors:

  • extent of the potential impact (e.g., the number of affected end users, the total amount of funds lost, the scale of the service interruption)  
  • duration of the potential impact
  • irreversibility of the potential impact (e.g., unrecoverable lost end-user funds, lasting data integrity issues).  

In addition to these factors, the Bank may consider other relevant factors depending on the circumstances.

Compliance order

Under section 94 of the RPAA, the Governor, or the Governor’s delegate, may issue a Governor’s order or temporary order if the Governor, or the Governor’s delegate, is of the opinion that a PSP that performs retail payment activities is committing or is about to commit an act that could have a significant adverse impact on one or more of the following individuals or entities:

  • an end user
  • a PSP, whether or not the RPAA applies to it
  • a clearing house of a clearing and settlement system that is overseen by the Bank under the Payment Clearing and Settlement Act

Information request

Under subsection 65(1) of the RPAA, the Bank may request, in writing, a PSP to provide any information that the Bank considers necessary to verify compliance with the RPAA.

In line with subsection 43(2) of the RPAR, the PSP has 24 hours to respond if the information requested by the Bank relates to an ongoing incident that could have a significant adverse impact on an end user; on a PSP, whether or not the RPAA applies to it; or on a clearing house of a clearing and settlement system that is overseen by the Bank under the Payment Clearing and Settlement Act.

On this page
Table of contents