Retail payment activities have grown increasingly popular in recent years, and Canadian regulators have taken steps to ensure these transactions are safe for consumers and businesses. Starting November 1, 2024, payment service providers (PSPs) are required to comply with Canada’s Retail Payment Activities Act (RPAA), which is supplemented by the Retail Payment Activities Regulations (Regulations). The RPAA and accompanying Regulations are intended to address the operational risks associated with PSPs and to protect end-user funds.
The RPAA is fairly broad in scope, applying to PSPs operating in Canada as well as PSPs located outside Canada that serve end users within the country. This blog will cover some of the key requirements of the RPAA, which include implementing an incident management framework, and a few considerations for a PSP’s third parties. Third-party risk management (TPRM) may be less familiar to some PSPs, so we’ll provide some best practices to help keep your organization compliant.
Note: Regulatory text quoted below is taken from the Regulations.
4 Key Third-Party Requirements of the Retail Payment Activities Act and Regulations
The RPAA and Regulations contain many detailed requirements, and it’s recommended that you read the Regulations in full to understand what’s expected of your organization. The requirements listed below focus specifically on how they apply to an organization’s third parties.
Under the RPAA and Regulations, a payment service provider is required to do the following:
- Register with the Bank of Canada – A PSP must submit an application with details including contact information, the quantity and value of its retail payment activities, the method in which it will safeguard its end-user funds, and a description of each third-party service provider that has or will have a material impact on the applicant’s operational risks.
- Implement a risk management and incident response framework – The risk management framework should identify, and describe the potential causes of, the payment service provider’s operational risks, including those relating to third parties. A PSP must also establish a plan to respond to and recover from incidents, including those involving or detected by an agent or mandatary or a third-party service provider. The framework should also address how the PSP will evaluate the third party’s security and data protection capabilities, along with the manner in which the third-party service provider’s performance may be monitored.
- Review safeguarding framework – This framework should be designed to protect the end-user’s funds by identifying legal and operational risks. Protecting these funds may include the use of third parties, in which case the framework should describe the role of any of the payment service provider’s agents, mandataries or third-party service providers.
- Submit annual reporting – Among many other details that a PSP must report, these should include a description of any change to the payment service provider’s use of third-party service providers.
Third-Party Risk Management Best Practices for Retail Payment Activities Act Compliance
Many organizations continue to rely heavily on third parties, so it’s understandable that third-party service providers are a key topic throughout the RPAA and Regulations. Here are three best practices to consider to help keep your organization compliant with the regulatory requirements:
- Establish your criticality classification – Like many other TPRM regulations, the RPAA and Regulations focus on third parties that can create “material impacts.” The term “material” is generally synonymous with “critical,” which refers to an activity that has a significant impact on your organization or customers. A third party is likely considered critical if it meets one or more of the following criteria:
  - The sudden loss of the third party would create a significant disruption to your organization.
  - The sudden loss of the third party would impact your customers.
  - A prolonged outage of the third party for more than 24 hours would cause a negative impact to your organization or customers.
Once you’ve established this criticality classification, remember to document it within your policy. You can then proceed with identifying and prioritizing your critical or material third parties.
- Review your incident management policy – Third-party incidents like cyberattacks or outages can significantly disrupt your operations, so it’s essential to determine how your organization will respond to these events. Your incident management policy should address how your organization will ensure the confidentiality, integrity, and availability of its information during a third-party incident.
- Create a plan for third-party oversight – This will likely be the most labor-intensive activity, but the good news is that there’s an easy-to-follow strategy that can be applied to all third-party relationships. The third-party risk management lifecycle is essentially a regulatory-approved method of managing third-party relationships from onboarding to offboarding. The lifecycle contains various activities that are outlined in the RPAA and Regulations, such as assessing the third party’s risk management practices and monitoring the third party’s performance. Understanding and following this lifecycle will help ensure your third-party oversight activities are effective and compliant.
This recent regulation for payment service providers is further evidence that third-party risk management is an important business practice for all organizations. In general, regulators aren’t looking for perfection, but rather an intentional effort to identify and manage third-party risks. Following the TPRM lifecycle and continuing to learn about best practices will help satisfy regulators and protect your organization and customers.