PSP Risk Management Programs: What the Bank of Canada Actually Expects 
With the first annual report cycle now behind us, one thing has become clear from our experience working through submissions on behalf of clients: the Bank of Canada's (BoC) expectations around risk management programs are not theoretical. They are practical, documented, and subject to scrutiny. 

What the Bank of Canada Requires 

Under the Retail Payment Activities Act (RPAA), registered PSPs are required to establish, implement, and maintain a formal operational risk and incident response framework. BoC's expectations go beyond simply having a program on paper. The framework must be fully operational, meaning that risk assessment documents, incident response procedures, and supporting records must exist, be current, and be readily available in the event of a BoC inspection. 

The framework is expected to address several core areas: the identification and assessment of operational risks across all aspects of the business, such as technology systems, third-party service providers, cybersecurity, and fraud; documented incident response procedures covering how incidents are detected, escalated, managed, and reported; clear roles and responsibilities for the individuals accountable for risk management within the organization; evidence of ongoing monitoring and regular review, with internal reviews required annually and an independent review at least every three years; and resource allocation sufficient to support execution of the program.

What We Saw in Practice

Our team processed dozens of annual reports this cycle, and the risk management section was consistently one of the most involved parts of the filing. The Bank of Canada's questions in this area are detailed and specific. PSPs are asked to confirm not only that a framework exists, but to provide granular information about how risks are identified, what controls are in place, and how incidents have been managed. Businesses that had not fully implemented their programs, or that lacked the underlying documentation to support their answers, faced significant challenges completing the report accurately. 

This is an important signal. The annual report is BoC's primary tool for assessing compliance, and incomplete or inconsistent answers in the risk management section can prompt BoC to seek additional information or escalate its review.

What PSPs Should Do Now 

If your risk management program has not yet been fully implemented, or if you are uncertain whether your existing documentation meets the BoC's expectations, this is the time to address it. BoC has the authority to conduct inspections at any time, and the annual report is not the only opportunity it has to assess compliance.

At minimum, PSPs should ensure that a written framework is in place and approved at the appropriate level within the organization, that risk assessments have been conducted and documented across all relevant areas of the business, that incident response procedures are clearly defined and tested, and that all records are organized and accessible for review. 

How Approved MSB Can Help 

Our team has developed practical, hands-on experience with the Bank of Canada's risk management expectations through our work on the annual report cycle. We work with PSPs to develop and implement compliant operational risk frameworks, prepare the underlying documentation, and ensure that programs are structured to withstand regulatory scrutiny. If you would like support building or reviewing your risk management program, we encourage you to reach out.