Preparing for the Bank of Canada’s Compliance Deadline: What MSBs Need to Know About the Operational Risk and Incident Response Framework
As part of the regulatory changes introduced under the Retail Payment Activities Act (RPAA), all Payment Service Providers (PSPs) subject to the RPAA are required to implement a formal operational risk and incident response framework by September 8, 2025. This framework is not just another compliance checklist; it is a fundamental shift in how operational risks must be assessed, managed, and responded to.

At its core, the Bank of Canada’s guideline outlines a proactive, tailored approach to identifying and mitigating operational risks that could disrupt payment services. It also ensures that PSPs are well-equipped to respond effectively when incidents do occur.

A Risk-Based Framework Designed for Each Business

The Bank of Canada emphasizes that every PSP’s framework must reflect the unique nature of its operations. This means MSBs need to conduct a thorough self-assessment, taking into account their size, complexity, technologies, and service models. A small remittance-focused MSB using third-party platforms will have a very different operational risk profile from a more integrated provider offering a broader suite of services.

Rather than adopting generic controls, the framework should be proportionate to the potential risks your business faces. This risk-based approach ensures that MSBs allocate resources efficiently, build appropriate safeguards, and develop practical response strategies aligned to their specific needs and customer impacts.

What Should Be Included in Your Framework?

While the content of each PSP’s program will differ, the Bank expects to see certain key components included in all frameworks:

  • Written documentation that clearly outlines your approach to risk management and response.
  • Roles and responsibilities for employees involved in identifying risks and responding to incidents.
  • Detailed risk analysis of all aspects of your business operations, including physical premises, cloud storage, payment processing facilities and more.
  • Resource allocation to ensure there are enough people and tools to execute the plan effectively.
  • Processes for managing third-party risks, particularly for vendors and agents that support your retail payment functions.
  • Ongoing reviews and updates to ensure the framework evolves with your business and technology. Internal reviews must happen annually, and an independent review is required at least every three years.

Looking Ahead: Your Road to Compliance

Now – Q2 2025
🔍 Assess your current state: Identify operational risks across your payment services and evaluate any existing procedures for risk management and incident response. Begin drafting a framework tailored to your business structure and risk exposure.

Q2 – Q3 2025
🛠 Build and formalize your framework: Define clear responsibilities, document incident detection and recovery protocols, and build procedures for third-party oversight. Ensure the framework reflects the scale and complexity of your operations.

August 2025
✅ Final internal review: Test the framework internally and make any necessary adjustments. Confirm that staff are trained, documentation is complete, and the framework is ready for implementation.

September 8, 2025
🚨 Compliance deadline: Your operational risk and incident response framework must be fully implemented by this date.

Building a framework that fits your business is not just about meeting the Bank’s deadline; it is about strengthening your ability to handle disruptions, protect customers, and maintain trust. For more detailed guidance, refer to the Bank of Canada’s Operational Risk and Incident Response Guideline.

Supporting You Through the Transition

We specialize in helping companies navigate the complexities of launching and operating an MSB in Canada. With deep experience supporting both new market entrants and established international firms, we provide the insight and execution support needed to meet regulatory expectations with confidence and efficiency.