If your business provides payment services in Canada, knowing how to handle incidents under the Retail Payment Activities Act (RPAA) is essential. The Bank of Canada expects payment service providers (PSPs) to respond quickly, classify incidents properly, and notify the right parties within strict timelines. This guide explains what counts as a material incident, the 48-hour notification rule, and when you must communicate with end users.
What counts as a “material incident” under the RPAA
The RPAA defines a material incident as an event that disrupts, degrades, or threatens retail payment activities in a way that could significantly impact end user funds, the availability of services, regulatory compliance, or your company’s reputation. The Bank of Canada’s Operational Risk and Incident Response Guideline expands on this, noting that materiality is tied to the severity of impact rather than the type of event.
Examples of material incidents include:
- A system outage that prevents customers from accessing or sending money
- A cyberattack that compromises payment data
- A reconciliation failure that puts customer funds at risk
- A fraud event that leads to significant financial loss or blocked transactions
- Third-party service provider failures that cut off access to essential systems
In practice, PSPs must use a structured classification framework to determine severity. This ensures that minor technical glitches are not over-reported, while serious incidents are escalated immediately. According to the Bank’s Incident Notification Guidance, materiality is judged on customer impact, regulatory exposure, and potential systemic effects.
The 48-hour rule and how to notify the Bank of Canada
Once an incident is classified as material, PSPs must notify the Bank of Canada within 48 hours. This is clearly outlined in the Retail Payment Activities Regulations and reinforced in the Bank’s Step-by-Step Guide for Incident Notices.
Notifications are submitted through the PSP Connect system, the Bank of Canada’s secure online portal for regulated PSPs. The incident report must include:
- A description of the incident and its impact
- When and how it was detected
- Steps taken to contain and recover
- Whether end users or third parties were affected
- Interim or planned next updates
The Bank may request additional details as recovery progresses, and PSPs are expected to provide both interim and final updates. A common mistake is waiting until the issue is fully resolved before reporting. The law requires notification within 48 hours of identifying materiality, even if investigations are ongoing.
Following this rule demonstrates compliance and builds supervisory trust. Late or incomplete reporting can draw scrutiny and potentially corrective measures.
Notifying end users and public communication
In addition to notifying the Bank, PSPs must communicate with affected customers. The Operational Risk and Incident Response at-a-glance document explains that end users must be informed without delay if their funds, data, or access to services are affected.
This notification may take different forms, depending on the scale and severity:
- Direct communication such as email, text, or in-app messaging for impacted users
- Public website postings when a broad group of customers is affected or when transparency is required for trust
- Ongoing updates as the incident evolves and recovery milestones are reached
The Bank emphasizes that PSPs must balance timeliness and clarity. Customers need to know what happened, whether their funds are safe, and when services will be restored. Communication plans should be tested in advance as part of a broader business continuity framework.
Failing to notify customers appropriately can damage trust more than the incident itself. Transparency shows that your company takes its obligations seriously and prioritizes customer protection.
Building compliance into your operations
Incident reporting is just one part of the broader RPAA compliance framework. Governance, safeguarding of funds, and record-keeping all connect to how incidents are managed and reported. The Bank of Canada expects PSPs to:
- Maintain an incident register with evidence of classification and reporting decisions
- Conduct post-incident reviews to identify root causes and prevent recurrence
- Keep complete records for at least five years for supervisory review
- Integrate incident response with business continuity and disaster recovery planning
By embedding these practices into daily operations, PSPs reduce both the likelihood and impact of incidents. More importantly, they demonstrate readiness to the Bank of Canada and maintain the confidence of their customers.
Conclusion
Understanding RPAA incident reporting is about more than meeting deadlines. It is about protecting end users, showing regulators that you are in control, and maintaining trust in your business. By knowing what qualifies as a material incident, following the 48-hour rule for notification, and communicating clearly with both the Bank of Canada and your customers, PSPs can turn compliance into a strength.
To make sure your policies and procedures are aligned with these requirements, explore Comply North’s pricing options or reach out to our experts here.