1. Home
  2. About
  3. Governance & risk
  4. Risk management

Regulatory environment

The Payment Clearing and Settlement Act assigns the Bank of Canada responsibility for overseeing clearing and settlement systems for the purpose of controlling systemic risk and payment system risk.

Lynx has been designated as systemically important under this Act and, as a result, Payments Canada is subject to oversight from the governor of the Bank of Canada for Lynx. The Bank of Canada adopted the Principles for Financial Market Infrastructures as part of its risk-management standards for systemic FMIs. The standards apply to the management and operation of Lynx.

Regulatory requirements in Canada are evolving in line with international best practices. In 2015, the Bank of Canada released Criteria and Risk-Management Standards for Prominent Payment Systems. The ACSS has been designated as a prominent payment system in 2016, resulting in enhanced oversight by the Bank of Canada.

The Lynx Disclosure and the ACSS Disclosure offer Payments Canada members, Lynx and ACSS participants, and the public a high-level understanding of Payments Canada’s governance, operation, risk-management framework and approach to observing the Bank of Canada risk management standards.

Cyber security

Payments Canada takes a comprehensive approach to securing the payment systems and infrastructure that underpin Canada’s financial ecosystem. Our cyber resilience strategy is designed to proactively address current and future cyber threats. Payments Canada is committed to providing secure and resilient payment systems that support our economy.

Canada faces a rapidly evolving threat landscape where cyber attacks target critical infrastructure and financial institutions. Payments Canada actively collaborates with public and private stakeholders to enhance our ability to protect against known and emerging threats.

Payments Canada’s current Cyber Resilience Strategy highlights five strategic objectives:

  • Deliver secure payment systems. 
  • Evolve security operations capabilities. 
  • Build a culture of security. 
  • Ensure secure and adaptive infrastructure.
  • Secure our technology evolution.

Risk management

Payments Canada has a sound risk-management framework for comprehensively managing its risks. Risk management is critical to Payments Canada fulfilling its core purpose, vision, and strategic plan.

It is Payments Canada policy to manage risk in accordance with a risk appetite approved by the Payments Canada Board of Directors. To do this, Payments Canada develops strategies to mitigate risk and maximize the positive effects of strategic opportunities.

Payments Canada’s formal risk management process is overseen by its board, implemented by management and executed by all employees. The board-approved Enterprise Risk Management (ERM) Policy sets out the roles and responsibilities for risk management and governance. Payments Canada follows a “line of defence” approach, which distinguishes among three groups or “lines” required to support effective risk management. The first line of defence is the business units that perform day-to-day risk management — the functions that own and manage risks of relevance to their area of responsibility. The second line performs oversight functions and includes risk management oversight and compliance. The third line provides independent assurance, and includes internal and external audit and other independent assurance providers.

The objective of the Payments Canada’s ERM is to support decision-making in achieving our core purpose, vision and strategic plan by managing all key risks across the organization in a comprehensive and integrated way.

The type of risks faced by Payments Canada are classified into four risk categories: operational, strategic, financial and settlement. And as many risks can impact Payments Canada’s reputation, all risks must be evaluated in terms of the potential impact on our reputation.

Payments Canada continues to mature its risk management practices as set out in the ERM Policy, approved by the board in early 2015 and reviewed every two years.

Data Governance Policy

Payments Canada is committed to protecting and safeguarding all member data that is entrusted to the organization as part of its mandate. Payments Canada’s data and security management policies and practices comply with applicable laws and regulations and are aligned with industry best practices, and reflect our mandate of promoting the efficiency, safety and soundness of our clearing and settlement systems. 

The Data Governance Policy explains how Payments Canada collects, uses, shares, retains and safeguards member data.