Regulatory Environment & Risk Management

Regulatory environment

The Payment Clearing and Settlement Act assigns the Bank of Canada responsibility for overseeing clearing and settlement systems for the purpose of controlling systemic risk and payment system risk.

Lynx has been designated as systemically important under this Act and, as a result, Payments Canada is subject to oversight from the governor of the Bank of Canada for Lynx. The Bank of Canada adopted the Principles for Financial Market Infrastructures as part of its risk-management standards for systemic FMIs. The standards apply to the management and operation of Lynx.

Regulatory requirements in Canada are evolving in line with international best practices. In 2015, the Bank of Canada released Criteria and Risk-Management Standards for Prominent Payment Systems. The ACSS has been designated as a prominent payment system in 2016, resulting in enhanced oversight by the Bank of Canada.

The Lynx Disclosure and the ACSS Disclosure offer Payments Canada Members, Lynx and ACSS participants, and the public a high-level understanding of Payments Canada’s governance, operation, risk-management framework and approach to observing the Bank of Canada risk management standards.

Cyber security

There is heightened attention on cyber security. Internationally, there is heightened awareness of the risks from cyber attacks. Given the role financial market infrastructures play in promoting stability in the financial system, the Committee on Payments and Market Infrastructures (CPMI) and the Board of the International Organization of Securities Commissions (IOSCO) released a consultation paper in December 2015 with guidance for cyber resilience for financial market infrastructures. Payments Canada has been working closely with the Bank of Canada over the past year on the relevant standards for FMI cyber resilience and has initiatives planned to improve its cyber approach. As well, in 2015, the Government of Canada announced its intention to consider further regulation of certain infrastructures, including Payments Canada systems, which are considered “vital cyber systems.” Payments Canada will continue to work with the government as this initiative moves forward.

Cyber Resilience Strategy 2022-2024

Risk management

Payments Canada has a sound risk-management framework for comprehensively managing its risks. Risk is the uncertainty that surrounds future events and outcomes. As such, it is inherent in all we do and, therefore, risk management is critical to Payments Canada fulfilling its core purpose, vision, and strategic plan.

It is Payments Canada policy to manage risk in accordance with a risk appetite approved by the Board of Directors. To do this, Payments Canada develops strategies to mitigate risk — probability, impact and velocity — and maximizes the positive effects of strategic opportunities.

Payments Canada’s formal risk management process is overseen by its Board, implemented by management, and executed by all employees. The Board-approved Enterprise Risk Management (ERM) Policy sets out the roles and responsibilities for risk management and governance. Payments Canada follows a “Line of Defence” approach, which distinguishes among three groups or “lines” required to support effective risk management. The first line of defence is the business units that perform day-to-day risk management — the functions that own and manage risks of relevance to their area of responsibility. The second line performs oversight functions and includes risk management oversight and compliance. The third line provides independent assurance, and includes internal and external audit and other independent assurance providers.

The objective of the Payments Canada’s ERM is to support decision-making in achieving our core purpose, vision and strategic plan by managing all key risks across the organization in a comprehensive and integrated way.

The type of risks faced by Payments Canada are classified into four risk categories: operational, strategic, financial and settlement.

  • Operational risk results from inadequate or failed processes, systems and IT, people or policies, or from external events. Payments Canada considers operational risk from all sources, internal and external.
  • Strategic risk affects, or is created by, the Payments Canada’s business strategy and strategic objectives.
  • Financial risk relates to financial reporting, market, liquidity and credit risks.
  • Settlement risk is the risk that settlement in Payments Canada operated payment systems will not take place as expected and may result in credit and/or liquidity risk contagion for Payments Canada members.

And since many risks can impact the Payments Canada’s reputation, all risks must be evaluated in terms of the potential impact on our reputation.

With respect to the Lynx, risk management is implicit in the system; payments must pass risk controls before they are approved. Additionally, to manage risk, the Lynx By-law and Lynx Rules impose requirements on participants, provide default rules and procedures and establish a Lynx Emergency Committee to manage operational events.

In terms of the organization itself, the Payments Canada continues to mature its risk management practices as set out in the ERM Policy, approved by the Board in early 2015 and reviewed every two years.