Publication date: June 17, 2024

This supervisory policy provides an overview of the Bank of Canada’s administrative monetary penalties (AMPs) regime and how the Bank determines administrative monetary penalty amounts.

For terminology about retail payment supervision, refer to the glossary.

Introduction

The Bank of Canada is committed to promoting compliance with the Retail Payment Activities Act (RPAA) and the Retail Payment Activities Regulations (RPAR). A primary objective of the RPAA and the RPAR is to promote the safety and integrity of the financial system generally and of the Canadian retail payments sector in particular. Compliance with the RPAA and RPAR is key to achieving that objective. If a payment service provider (PSP) or other individual or entity is non-compliant, the Bank may use one or more of its enforcement tools to facilitate and encourage compliance.

One of the Bank’s enforcement tools is a notice of violation (NOV), which may be issued with or without an administrative monetary penalty (AMP). The RPAA provides the Bank the authority to issue NOVs and AMPs, and, in conjunction with the RPAR, establishes the framework for issuing NOVs and determining AMPs.

This supervisory policy provides an overview of the Bank’s AMP regime and how the Bank determines AMP amounts.

Read about the Bank’s enforcement and investigation process, as well as enforcement tools.

Objective of the AMP regime

The purpose of an AMP is to promote compliance with the RPAA and RPAR, not to punish non-compliance. AMPs are used to encourage a change in behaviour toward compliance and can act as a general deterrent.

The AMP regime supports the Bank’s retail payment supervision mandate by providing a measured and proportionate option for addressing instances of non-compliance. AMPs are not issued automatically in response to non-compliance, as the Bank possesses a range of compliance and enforcement tools depending on the severity of the case.

Application of this supervisory policy

This supervisory policy is a non-legally binding resource that provides information on how the Bank will exercise its discretion to determine the amount of an AMP, and it includes the Bank’s general AMP determination methodology.

The methodology offers a flexible assessment guide to assist the Bank in issuing AMPs that are proportionate to violations to encourage compliance and deter non-compliance. The methodology also facilitates consistent AMP determinations across different cases with similar facts. Examples provided within this supervisory policy are neither determinative nor exhaustive; they are meant to illustrate how the methodology is applied.

While this supervisory policy is an objective and practical resource for determining AMP amounts, it is not applied rigidly. AMP determinations are made on a case-by-case basis. Consequently, consideration of all the relevant facts and circumstances of a case may result in an AMP that is higher or lower compared to what might be expected if this supervisory policy were strictly applied. NOVs will describe how an AMP was determined.

Notice of violation

If the Bank has reasonable grounds to believe that a PSP (or other individual or entity) has contravened the RPAA or RPAR in a manner designated as a violation, the Bank may issue and serve a NOV with an AMP. The RPAA sets a time limit for the Bank to issue a NOV with an AMP—the Bank can issue the NOV with an AMP up to two years from when it became aware of the alleged violation.

If the Bank decides to proceed with an AMP, the NOV will include the following information:

  • the name and address of the individual, or entity that is subject to the NOV and the AMP
  • the designated violation(s) in issue, including references to relevant legislative and regulatory provision(s)
  • the AMP amount(s), including details of how it was calculated
  • AMP payment instructions
  • the individual’s or entity’s right to make representations to the Governor of the Bank regarding the violation(s) and the AMP(s)
  • instructions on how to make representations to the Governor
  • instructions on how to obtain additional information

For a PSP that is issued a NOV with an AMP, the Bank may decide to offer to reduce the AMP amount by half if the PSP enters into a compliance agreement.

Payment of an AMP

AMPs are payable to the Receiver General for Canada (not the Bank). Payments can be sent through an electronic funds transfer (from a Canadian financial institution only), or through a wire transfer (from a Canadian or non-Canadian financial institution). The NOV provides detailed payment instructions.

If the individual or entity pays the AMP, they are deemed to have committed the designated violation—paying the AMP ends the Bank’s proceedings regarding the violation. If the individual or entity does not pay the AMP, they are deemed to have committed the violation and are liable to pay the AMP unless they make representations to the Governor.

Non-payment and collection of AMPs

Unless otherwise specified, the AMP issued in a NOV must be paid within 30 days after the NOV is issued. Any AMP that becomes payable is an outstanding debt to the Crown. The Bank may take steps to have outstanding debts recovered through the courts.

If a registered PSP does not have a place of business in Canada and has not paid the AMP within 30 days of the end of any proceedings related to the violation, the Bank is required under the RPAA to revoke the PSP’s registration. In addition, the Bank must refuse to re-register the PSP until the AMP is paid. Performing any payment function specified in the RPAA without being registered is a violation in itself and may result in a separate AMP or other enforcement action(s), in addition to any outstanding AMPs.

Determining the amount of an AMP

The Bank generally follows four steps in determining the AMP amount:

  • confirming that the contravention is designated as a violation under the RPAR (designated violation)
  • identifying the proper classification of the designated violation
  • identifying the applicable AMP range or prescribed amount for that classification of violation
  • taking into account the three criteria set out in the RPAR and any other relevant factors given the circumstances of the case

The RPAR classifies designated violations by severity (e.g., serious or very serious). If a NOV identifies two or more designated violations that are classified as serious (and that arise from contravention of the same provision of the RPAA or the RPAR), that series of violations is classified as a single very serious violation.

AMP ranges

The RPAA and RPAR establish the following AMP ranges for serious and very serious designated violations:

  • serious violation: $0 up to a maximum of $1 million per violation
  • very serious violation: $0 up to a maximum of $10 million per violation

As per subsection 48(2) of the RPAR, designated violations involving contraventions of section 21, subsections 22(1), 59(1), 60(1) and 60(2) of the RPAA are not classified as serious or very serious. Instead, violations of the reporting and notification requirements in those provisions are subject to AMPs as follows:

  • $500 per day, up to 30 days, for each day the violation continues; and
  • $15,000 to $1,000,000 if the violation continues for more than 30 days

If multiple violations are identified in a NOV, the total AMP amount set out in the NOV may exceed the maximum AMP range per individual violation.

AMP criteria in the RPAR

The RPAR sets out three criteria that the Bank must consider in determining the amount of an AMP:

  1. Harm. The harm that could have been done by the violation (potential harm), as well as harm done by the violation (actual harm)
  2. Violation history. The history of the individual or entity that committed the violation with respect to any prior violation under the RPAA or RPAR committed within the five-year period immediately before the violation
  3. Intent or negligence. The degree of intent or negligence on the part of the individual or entity that committed the violation.

Generally, the consideration of harm will carry more weight in determining the total amount of an AMP because it is directly related to the objectives of the RPAA, such as promoting the safety and integrity of the retail payments sector in Canada. AMP amounts are proportional to the harm related to the violation.

AMP methodology

The following graphic summarizes how an AMP amount may be determined for each of these criteria, followed by a description of the details.

60 Potential harm Baseline penalty amount Extent of non-compliance Actual harm Baseline Extent of loss Generally up to % of the penalty range Up to $600,000 for a serious violation; $6 million for a very serious violation : retail payment market supervised by the Bank that could be harmed : retail payment market supervised by the Bank that was harmed in funds, confidentiality, service availability, any other relevant losses Generally up to 20% of penalty rangeUp to $200,000 for a serious violation; $2 million for a very serious violationBaseline: AMP amount for harmNumber and relevance of violations in the past five years resulting in an NOV Up to $1 million for a serious violationUp to $10 million for a very serious violation Generally up to 20% of penalty range Up to $200,000 for a serious violation; $2 million for a very serious violationBaseline: AMP amount for harmBehaviour that has caused the violation to take place or allowed the violation to persist Harm ViolationHistory Intent orNegligence TotalAMP At each step in the determination, the Bank considers other relevant factors, including mitigating and aggravating factors

Harm

The Bank defines harm as the negative repercussions, either potential or actual, stemming from a violation of the RPAA or RPAR. Actual harm is the impacts on the safety and integrity of the Canadian retail payments sector, especially on end users (e.g., loss of funds, confidentiality or availability of services). Potential harm is the vulnerabilities caused by a violation in a PSP’s operation or the Bank’s ability to supervise PSPs. The Bank ordinarily considers harm to be the most important criterion. The weight given to harm in determining an AMP reflects the fundamental importance of protecting end-user interests and maintaining confidence in the retail payments sector. This is why harm tends to be the primary criterion in determining an AMP and may account for up to 60% of the prescribed maximum AMP amount.

In determining the total AMP amount for harm, the Bank first determines the amount for potential harm, followed by determining the amount for any actual harm. When both types of harm are present, the Bank considers both amounts together to determine an AMP amount that is proportional to the overall harm caused by the violation and sufficient to encourage compliance. If the violation did not involve actual harm, the AMP amount for harm will be based only on the amount of potential harm before consideration of any additional factors.

Potential harm

In assessing harm, the Bank first considers potential harm. While a designated violation may not result in actual harm, such as the loss of end-user funds, it can create vulnerabilities in a PSP’s operations or undermine the Bank’s supervision mandate. These circumstances risk harm to end users and the Canadian retail payments sector.

To arrive at an AMP amount for potential harm, the Bank accounts for:

  • the relative proportion of the retail payments market supervised by the Bank that could be affected by the violation (used to determine a baseline amount)
  • the degree of risk that a violation could lead to actual harm due to the extent of non-compliance for the violation
Baseline

As a starting point, the Bank usually considers the size of the retail payments market supervised by the Bank that could potentially be affected by the violation. This size is generally determined to be the part of the market that the PSP serves, which is normally measured by the PSP’s retail payment activity (RPA) metrics. Metrics are data points that provide the Bank with quantitative information about a PSP and its operations. These metrics (e.g., the number of end users, volume of transactions, value of the transactions, value of end-user funds held) are reported by PSPs in their registration applications or annual reports.

The Bank then analyzes the size of the market that could potentially be affected as a proportion of the overall retail payments market supervised by the Bank. This analysis is done by comparing the PSP’s RPA metrics against those of the largest PSPs supervised by the Bank. From this comparison, the Bank determines a percentage that is representative of the magnitude of the retail payments market that could potentially be affected by the violation. The Bank applies this percentage determined from the metrics to the amount allocated to harm (i.e., generally 60% of the maximum AMP amount based on the classification of the violation), to arrive at a baseline penalty amount that is proportionate to the potential harm of the violation.

Extent of non-compliance

The Bank recognizes that some requirements under the RPAA and RPAR can be complied with in part. This means that there can be partial or different extents of non-compliance. Partial non-compliance can introduce different levels of vulnerabilities into the PSP’s operations and the Bank’s supervision. Consequently, it can result in different degrees of potential harm, and the Bank may adjust the baseline potential harm amount accordingly.

An assessment of the extent of non-compliance does not necessarily apply to all violations. Some requirements are either met or not met. In such cases partial compliance is not possible. For example, the obligation to register with the Bank before performing retail payment activities is something that is either done or not done. In these cases, the determination for potential harm starts with the baseline potential harm amount.

As another example, in the context of an information request made by the Bank under subsection 66(2) of the RPAA, partial compliance may occur, and the Bank could determine that:

  • The extent of non-compliance is high where a PSP does not respond to an information request because when such information is not available, the Bank’s ability to carry out its supervisory mandate is severely impacted, which greatly increases the risk of actual harm to end users.
  • The extent of non-compliance is low if a PSP provides most, but not all the documents or information requested by the Bank to assess compliance with requirements. While this limits the Bank’s ability to carry out its supervisory mandate, the risk of actual harm to end users is less.

Actual harm

In addition to potential harm, the Bank considers whether any actual harm resulting from the violation impacts end users or the Canadian retail payments sector.

To arrive at an amount for actual harm, the Bank may consider:

  • the relative proportion of the retail payments market supervised by the Bank that has been affected (baseline)
  • the extent of the loss(es) caused by the violation, including:
    • loss of end-user funds (e.g., number of transactions affected, amount of end-user funds lost)
    • loss of confidentiality of end-user information (e.g., nature of end-user information disclosed, amount of information disclosed, suspected level of criminality involved, length of time in exposure)
    • loss of availability of the PSP’s services (e.g., nature of services affected, duration of loss of services, frequency of interruption).
Baseline

As a starting point, the Bank considers the extent of the retail payments market supervised by the Bank that was actually affected by the non-compliance. Similar to potential harm, the Bank analyzes the relative proportion of the retail payments market that experienced the harm caused by the violation, through a comparison against the largest PSPs supervised by the Bank.

For example, the Bank may look at the actual number of affected end users, the number of affected transactions and the value of the affected transactions, and then compare them to PSP industry data held by the Bank. This proportion is then applied to the amount allocated to harm to establish a baseline AMP amount that is proportionate to the loss(es) caused by the violation (i.e., generally 60% of the maximum AMP amount based on the classification of the violation).

Extent of loss

Once the actual loss is identified, the Bank considers the extent of the loss(es), which may be based on quantitative (e.g., the amount of end-user funds lost) and qualitative (e.g., the nature of the information accessed without authorization) assessments of the facts of the case. After considering the extent of the loss(es), the Bank may adjust the amount for actual harm. Generally, the greater the loss(es) suffered by end users, and the greater the number of end users who suffered losses, the higher the AMP amount will be. However, if the violation did not result in any loss to end users, there is no actual harm and the AMP amount attributed to actual harm will be $0.

Violation history

The Bank must also consider the history of prior violations committed by the PSP (or other individual or entity) within the five-year period immediately before the violation that is the subject of the NOV. However, if the Governor decides that a violation identified in a NOV was not committed by the individual or entity (or when there is a similar court decision), the Bank does not include that violation in the history.

Generally, a violation history is an indication of conduct toward compliance with the RPAA. Multiple prior violations may indicate that an individual or entity has not taken sufficient measures to come into compliance.

To arrive at an amount for violation history, the Bank may consider:

  • the AMP amount determined under harm (baseline); and
  • the degree of violation history, including:
    • the number of past violations
    • the relevance of past violations

For the Bank to effectively encourage a change in compliance behaviour, a history of past violations will usually result in a higher total AMP amount.

Baseline

Generally, as a starting point, the Bank uses the amount previously determined for harm as a baseline for the AMP amount attributed to violation history, up to 20% of the prescribed maximum AMP amount (i.e., up to $200,000 for serious violations, and up to $2,000,000 for very serious violations). This allows the AMP to remain proportional to the impact of the non-compliance (i.e., harm).

Degree of violation history

The Bank assesses the degree of violation history to determine a penalty amount commensurate with the individual’s or entity’s past violations so that the AMP is sufficient to promote a change in compliance behaviour.

The Bank may consider the following factors to adjust the baseline amount:

  • the nature of past violations (i.e., which RPAA or RPAR requirement was contravened)
  • how many times a violation was committed
  • the degree of similarity of the past and current violation(s)
  • the extent of non-compliance in past violation(s)
  • the amount of any AMP issued with prior NOVs
  • the amount of time elapsed between the violations

If there is no previous record of violations, the amount assessed under the criterion of violation history will be $0.

Intent or negligence

In determining the amount of an AMP, the Bank must consider whether there is evidence of intent or negligence that contributed to or resulted in the violation. The degree of intent or negligence is an assessment of the behaviour that caused the violation to take place or allowed the violation to persist. Generally, evidence of intent or negligence will result in a higher total AMP amount to encourage future compliance.

To arrive at an amount for intent or negligence, the Bank may consider:

  • the AMP amount determined under harm (baseline)
  • the degree of intent or negligence, including behaviour or action(s) that has caused the violation to take place or allowed the violation to persist

Baseline

Generally, as a starting point, the Bank uses the amount previously determined for harm as a baseline for the AMP amount attributed to intent or negligence, up to 20% of the prescribed maximum AMP amount (i.e., up to $200,000 for serious violations, and up to $2,000,000 for very serious violations). This allows the AMP to remain proportional to the impact of the non-compliance (i.e., harm).

Degree of intent or negligence

Identifying the degree of intent involves a subjective assessment. For example, the Bank may look at the facts that the individual or entity was aware of, or actions taken by the individual or entity, at the time they committed the violation. The Bank may find intent where there is evidence that the individual or entity:

  • was aware that they were committing a violation (e.g., the Bank told them they were non‑compliant), and nonetheless pursued the same course of conduct
  • was reckless or willfully blind as to whether they were committing a violation (e.g., they deliberately ignored warnings from the Bank)

Identifying the degree of negligence involves an objective assessment. For example, the Bank might compare the individual’s or entity’s behaviour to what a reasonable individual or entity would have done in similar circumstances. Conduct that falls below that standard may constitute negligence. The following may, depending on the circumstances, be considered negligence:

  • employing insufficient oversight that would have otherwise prevented or stopped the violation
  • falling below industry standards that, if followed, would have prevented or stopped the violation
  • possessing information that, if in the hands of a reasonable individual or entity, would have caused it to either prevent or stop the violation

In addition, the Bank may consider the duration of a violation in examining the presence and degree of negligence. For example, the longer the duration of a violation, or the longer a violation is allowed to continue, the greater the likelihood of the Bank finding a higher degree of negligence.

If there is no intention or negligence, the amount assessed under this criterion will be $0.

Mitigating or aggravating factors

At each step in determining the amount of an AMP, the Bank may consider other factors in addition to the criteria set out in the RPAA and RPAR, such as mitigating and aggravating factors. The presence of mitigating or aggravating factors may reduce or increase the amount of an AMP. This may result when such factors are considered in relation to the actual or potential harm done by the violation, the violation history, the degree of intent or negligence, or the total AMP amount.

For example, in some circumstances, actions taken by a PSP after a violation could be considered as mitigating factors and may reduce the AMP amount (e.g., end-user funds were recovered, and end users were compensated or reimbursed for the funds lost after the violation; end-user personal or account information was compromised but efforts were made to restore end-user data security through credit-monitoring services). However, the Bank may consider aggravating factors (e.g., a history of committing the same violation or the existence of an egregious delay in correcting the non-compliance), which may nullify or reduce the impact of mitigating measures and can increase the AMP amount instead.

On this page
Table of contents