R P A A E X P E R T S E R I E S

Appointment of Responsibilities and the Senior Officer

By Deanna Ladouceur 


INTRODUCTION

Your Company has determined that it has to comply with the Retail Payments Activities Act/Regulations (“RPAA/RPAR”) and you’ve applied for registration with the Bank of Canada (the “Bank”). You may be asking yourself, what comes next?

This series is the Payment Service Provider’s (PSPs) rough guide to establishing and implementing an RPAA program. In it, we’ll clarify requirements, responsibilities and provide insight into how a PSP can effectively manage their obligations.  

If you missed our first article that provided a quick overview of the RPAA and PSP obligations, you can read it here  

In this article, we describe a PSPs obligations regarding the appointment of certain responsibilities under RPAA/RPAR, for example who is responsible for incidence response, maintenance and oversight of the program, as well as the role of the Senior Officer.

APPOINTMENT OF RESPONSIBILITIES

One of the first things to consider is the appointment of responsibilities for the RPAA program. The PSP must ensure responsibilities are specific to its structure, size, complexity and activities.

Some of the Responsibilities that must be determined include:

  • The allocation of the responsibilities of the establishment, implementation and maintenance of the risk management and, if applicable, the safeguarding of funds programs;

  • The allocation of the responsibilities for detecting, responding to, and recovering from incidents, for both day-to-day events as well as for bigger incidents that would require extra time and resources;

  • Identifying who is responsible for challenging and overseeing all roles and responsibilities specific to RPAA/RPAR; and

  • Identifying of a Senior Officer who is responsible for overseeing compliance with the RPAA/RPAR as well as for making material decisions that relate to the program.



APPOINTMENT OF THE SENIOR OFFICER

Now that we have covered how to allocate responsibilities within your PSP, let’s focus on the role of the Senior Officer.

Guidance from the Bank outlines that the role of the Senior Officer must be clearly defined and documented, occupy a specific position, or report directly to certain persons within the PSP.

The Senior Officer must be senior enough and have sufficient authority to hold the role. Furthermore, the PSP must document the skills and training required to be sufficiently skilled to hold the role of Senior Officer.

Example

In larger PSPs the COO or CEO might oversee operational risk management, while a CFO could be responsible for overseeing safeguarding end user funds. In smaller PSPs, the same individual might take on both responsibilities.

Depending on the PSP structure an individual trained in AML and currently identified as the AML compliance officer might not have the skills required to sufficiently oversee the operational risk program. In this case the AML compliance officer may assist and aid in the implementation and establishment of the program as one of the roles identified but may not be identified as the Senior Officer who oversees the requirements of the RPAA/RPAR and makes material decisions.

While in another PSP a particular individual identified as the AML compliance officer may also hold sufficient authority and seniority and be appropriately skilled and suited to be identified as the Senior Officer. 

PSPs need to determine within, if any individual who is trained in AML has enough authority and skill to also be named the Senior Officer.

OTHER FACTORS TO BE CONSIDERED

Once the PSP has identified the roles and responsibilities other factors that need to be considered are but are not limited to:

  • Ensuring all roles and responsibilities have documented reporting lines, including for escalation of events or issues;

  • Ensuring the separation of duties so that an individual does not have control of a process from start to finish.

  • Documenting what roles the board of directors (if any) will play, in addition to approvals of the program;

  • Documenting the human and financial resources that are needed to establish, implement and maintain the RPAA program;

  • Documenting the skills and training required to be sufficiently skilled in a particular role; and

  • Ensuring that roles and responsibilities are clearly defined and documented in circumstances where the PSP has allocated responsibilities to a third party, including an affiliate, a third-party service provider, an agent, or mandatary, as well as a plan for how the PSP will oversee the fulfillment of the obligations.

Stay tuned for the next topic in the series, that will continue to dive into next steps of your RPAA program. If you need help getting started, or if you require guidance in implementing your RPAA obligations, please reach out to an expert at contactus@theamlshop.ca

 

Deanna Ladouceur CAMS
AML and RPAA Advisor

Marcelle Dadoun CAMS, CAMS-RM
Principal, Program Design and Advisory

For more information about the Retail Payment Activities act or to reach a RPAA expert, please contact us via the form below.

 


QUICK LINKS