
Third-Party Risk Management Considerations for Canada's Retail Payment Activities Act


Retail payment activities have grown increasingly popular in recent years, and Canadian regulators have taken steps to ensure these transactions are safe for consumers and businesses. Starting November 1, 2024, payment service providers (PSPs) are required to comply with Canada’s Retail Payment Activities Act (RPAA), which is supplemented by the Retail Payment Activities Regulations (Regulations). The RPAA and accompanying Regulations are intended to address operational risks associated with PSPs and protect end-users’ funds.

The RPAA is fairly broad in scope, applying to PSPs that operate in Canada, as well as PSPs located outside Canada that serve end users within the country. This blog will cover some of the key requirements of the RPAA, which include implementing an incident management framework, and a few considerations for a PSP’s third parties. Third-party risk management (TPRM) may be less familiar to some PSPs, so we’ll provide some best practices to help keep your organization compliant.

Note: Regulatory text is from the Regulations and is noted in italics.

4 Key Third-Party Requirements of the Retail Payment Activities Act and Regulations

The RPAA and Regulations contain many detailed requirements, and it’s recommended to read through the regulation in full to understand what’s expected of your organization. The requirements listed below focus specifically on how they apply to an organization’s third parties.

Under the RPAA and Regulations, a payment service provider is required to do the following: 

  • Register with the Bank of Canada – A PSP must submit an application with details including contact information, the quantity and value of its retail payment activities, the method in which it will safeguard its end-user funds, and a description of each third-party service provider that has or will have a material impact on the applicant’s operational risks.
  • Implement a risk management and incident response framework – The risk management framework should identify, and describe the potential causes of, the payment service provider’s operational risks, including those relating to third parties. A PSP must also establish a plan to respond and recover from incidents, including those involving or detected by an agent or mandatary or a third-party service provider. The framework should also address how the PSP will evaluate the third party’s security and data protection capabilities, along with the manner in which the third-party service provider’s performance may be monitored.
  • Review safeguarding framework – This framework should be designed to protect the end-user’s funds by identifying legal and operational risks. Protecting these funds may include the use of third parties, in which case the framework should describe the role of any of the payment service provider’s agents, mandataries or third-party service providers.
  • Submit annual reporting – Among many other details that a PSP must report, these should include a description of any change to the payment service provider’s use of third-party service providers.


Third-Party Risk Management Best Practices for Retail Payment Activities Act Compliance

Many organizations continue to rely heavily on third parties, so it’s understandable that third-party service providers are a key topic throughout the RPAA and Regulations. Here are three best practices to consider to help keep your organization compliant with the regulatory requirements:

  1. Establish your criticality classification – Like many other TPRM regulations, the RPAA and Regulations focus on third parties that can create “material impacts.” The term “material” is generally synonymous with “critical,” which refers to an activity that has a significant impact on your organization or customers. A third party is likely considered critical if it meets one or more of the following criteria:
    • The sudden loss of the third party would create a significant disruption to your organization.
    • The sudden loss of the third party would impact your customers.
    • A prolonged outage of the third party for more than 24 hours would cause a negative impact to your organization or customers.
    Once you’ve established this criticality classification, remember to document it within your policy. You can then proceed with identifying and prioritizing your critical or material third parties.
  2. Review your incident management policy – Third-party incidents like cyberattacks or outages can significantly disrupt your operations, so it’s essential to determine how your organization will respond to these events. Your incident management policy should address how your organization will ensure the confidentiality, integrity, and availability of its information during a third-party incident.
  3. Create a plan for third-party oversight – This will likely be the most labor-intensive activity, but the good news is that there’s an easy-to-follow strategy that can be applied to all third-party relationships. The third-party risk management lifecycle is essentially a regulatory-approved method of managing third-party relationships from onboarding to offboarding. The lifecycle contains various activities that are outlined in the RPAA and Regulations, such as assessing the third party’s risk management practices and monitoring the third party’s performance. Understanding and following this lifecycle will help ensure your third-party oversight activities are effective and compliant.

This recent regulation for payment service providers is further evidence that third-party risk management is an important business practice for all organizations. In general, regulators aren’t looking for perfection, but rather an intentional effort to identify and manage third-party risks. Following the TPRM lifecycle and continuing to learn about best practices will help satisfy regulators and protect your organization and customers.
