The Payment Clearing and Settlement Act assigns the Bank of Canada responsibility for overseeing clearing and settlement systems for the purpose of controlling systemic risk and payment system risk.
Lynx has been designated as systemically important under this Act and, as a result, Payments Canada is subject to oversight from the governor of the Bank of Canada for Lynx. The Bank of Canada adopted the Principles for Financial Market Infrastructures as part of its risk-management standards for systemic FMIs. The standards apply to the management and operation of Lynx.
Regulatory requirements in Canada are evolving in line with international best practices. In 2015, the Bank of Canada released Criteria and Risk-Management Standards for Prominent Payment Systems. The ACSS has been designated as a prominent payment system in 2016, resulting in enhanced oversight by the Bank of Canada.
The Lynx Disclosure and the ACSS Disclosure offer Payments Canada Members, Lynx and ACSS participants, and the public a high-level understanding of Payments Canada’s governance, operation, risk-management framework and approach to observing the Bank of Canada risk management standards.
There is heightened attention on cyber security and the risks from cyber attacks. Given the role financial market infrastructures play in promoting stability in the financial system, the Committee on Payments and Market Infrastructures (CPMI) and the Board of the International Organization of Securities Commissions (IOSCO) released a consultation paper in December 2015 with guidance for cyber resilience for financial market infrastructures.
Payments Canada has been working closely with the Bank of Canada on the relevant standards for FMI cyber resilience and we continue to improve our cyber approach. Additionally, in 2015 the Government of Canada announced its intention to consider further regulation of certain infrastructures, including Payments Canada systems, which are considered “vital cyber systems.” Payments Canada continues to work with the government as this initiative moves forward.
Cyber Resilience Strategy 2022-2024
Payments Canada has a sound risk-management framework for comprehensively managing its risks. Risk management is critical to Payments Canada fulfilling its core purpose, vision, and strategic plan.
It is Payments Canada policy to manage risk in accordance with a risk appetite approved by the Board of Directors. To do this, Payments Canada develops strategies to mitigate risk and maximize the positive effects of strategic opportunities.
Payments Canada’s formal risk management process is overseen by its Board, implemented by management, and executed by all employees. The Board-approved Enterprise Risk Management (ERM) Policy sets out the roles and responsibilities for risk management and governance. Payments Canada follows a “Line of Defence” approach, which distinguishes among three groups or “lines” required to support effective risk management. The first line of defence is the business units that perform day-to-day risk management — the functions that own and manage risks of relevance to their area of responsibility. The second line performs oversight functions and includes risk management oversight and compliance. The third line provides independent assurance, and includes internal and external audit and other independent assurance providers.
The objective of the Payments Canada’s ERM is to support decision-making in achieving our core purpose, vision and strategic plan by managing all key risks across the organization in a comprehensive and integrated way.
The type of risks faced by Payments Canada are classified into four risk categories: operational, strategic, financial and settlement. And as many risks can impact Payments Canada’s reputation, all risks must be evaluated in terms of the potential impact on our reputation.
Payments Canada continues to mature its risk management practices as set out in the ERM Policy, approved by the Board in early 2015 and reviewed every two years.