September 17, 2025

How to Classify Assets and Processes for RPAA Compliance (Step-by-Step)

Step-by-step guide to classifying assets and processes for RPAA compliance with Bank of Canada expectations.

Classifying your company’s assets and processes is one of the most important steps in meeting the requirements of the Retail Payment Activities Act (RPAA). The Bank of Canada expects payment service providers (PSPs) to know exactly which systems, data, and processes support their retail payment activities, and to demonstrate that these have been assessed for risk, sensitivity, and criticality. Done correctly, asset and process classification strengthens resilience, safeguards customer funds, and ensures regulatory compliance.

 

Step 1: Build an Inventory of Assets and Processes

The foundation of RPAA compliance is a complete and up-to-date inventory of all systems, data, and processes that support retail payment activities. This means identifying everything from payment platforms and databases to customer support tools and reconciliation processes.

 

The Bank of Canada guidance on operational risk and incident response explains that providers must be able to demonstrate which assets are essential to delivering payment services and how they are protected (Bank of Canada Operational Risk and Incident Response, 2024).

 

A useful starting point is to conduct a Business Impact Analysis (BIA), which is required under the RPAA and Retail Payment Activities Regulations (RPAR). The BIA helps you map out which services are most critical, what dependencies they have, and how long they can be disrupted before causing harm to customers or breaching regulatory obligations.

 

When building your inventory, consider:

  • Core payment systems and settlement platforms
  • Customer-facing applications and portals
  • Data stores holding personal or transactional information
  • Processes for reconciliations, compliance reporting, and fraud monitoring
  • Third-party providers and cloud services that support payments

 

By documenting these assets, you lay the groundwork for classification and ongoing compliance monitoring.

 

Step 2: Assess Sensitivity and Criticality

Once your inventory is complete, the next step is to assess sensitivity and criticality. These assessments help determine which assets require the strongest controls and recovery measures.

 

Sensitivity classification focuses on the type of data or functions involved. For example:

  • Personal data such as names, addresses, and identification information is highly sensitive
  • Financial data and transaction records must be strictly protected
  • Systems that handle the movement or safeguarding of end-user funds require the highest levels of confidentiality and integrity

 

Criticality classification considers the impact of a failure. The Bank of Canada requires PSPs to ensure the availability of payment services and to define recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical systems (Bank of Canada Safeguarding of End-User Funds, 2024). For example:

  • A payment processing engine may be classified as “critical” because payments cannot occur without it
  • Customer support systems may be less critical but still important for trust and compliance
  • Compliance reporting systems must be timely to meet Bank of Canada filing requirements

 

To make this assessment manageable, assign each asset and process a rating, such as:

  • High sensitivity / high criticality
  • Medium sensitivity / medium criticality
  • Low sensitivity / low criticality

 

This ranking makes it easier to prioritize security controls, testing, and recovery planning.

 

Step 3: Document the Classification for Regulatory Review

The RPAA requires PSPs to maintain documented policies and evidence of compliance that can be provided to the Bank of Canada on request (Governance and Oversight Policy, 2024). This means your classification exercise cannot just live in an internal spreadsheet; it must be properly documented and integrated into your compliance framework.

 

Documentation should include:

  • A clear inventory of assets and processes mapped to retail payment activities
  • Classification of each asset by sensitivity and criticality
  • Assigned recovery objectives (RTOs and RPOs) where applicable
  • Notes on dependencies, such as third-party providers or cloud systems
  • Evidence of testing, review, and updates to classifications

 

The Bank of Canada requires that continuity and risk frameworks be reviewed at least annually, and whenever there is a significant change, such as launching a new product or changing a core vendor (Bank of Canada Notice of Significant Change, 2024).

 

By maintaining structured records, your PSP will be able to demonstrate compliance during supervisory reviews. It also makes it easier to notify the Bank of Canada promptly if a material incident or significant change occurs.

 

Step 4: Integrate Classification into Risk and Continuity Frameworks

Classifying assets is not just a one-time compliance task. It must be integrated into broader operational risk management, incident response, and business continuity planning.

 

For example:

  • Classified assets should appear in your incident response playbooks, so teams know which systems must be prioritized in a disruption
  • Continuity testing should validate that recovery objectives for critical assets can be achieved
  • Governance reporting should include classification updates so that the board and senior officer can exercise oversight

 

This ensures that classification remains a living part of your compliance framework, not a forgotten spreadsheet.

 

Conclusion

Classifying your assets and processes under the RPAA helps ensure that retail payment activities remain secure, resilient, and compliant. By building a full inventory, assessing sensitivity and criticality, documenting classifications, and integrating them into your compliance framework, you position your PSP to meet Bank of Canada expectations with confidence.

 

If you want to simplify compliance with asset and process classification, explore Comply North’s competitive pricing options at https://complynorth.com/pricing or reach out to our experts at https://complynorth.com/contact.

 
