On September 6, 2023, the Office of the Superintendent of Financial Institutions ("OSFI") issued a letter to industry describing the steps OSFI intends to take to implement new provisions that expand its mandate to the supervision of emerging non-financial risks.

The legislative updates were alluded to in OSFI's Risk Appetite Statement published earlier this year. OSFI's proposed implementation steps align with OSFI's goal of responding more proactively to emerging risks, as noted in OSFI's 2022-25 Strategic Plan.

Updates to Legislative Framework

In June 2023, Bill C-47, the Budget Implementation Act, 2023, No. 1 ("Bill C-47"), received Royal Assent, expanding OSFI's mandate to include:

  1. Supervision of Federally Regulated Financial Institutions (FRFIs): an ability to conduct assessments to determine whether FRFIs have adequate policies and procedures in place to protect themselves against threats to their integrity or security, including foreign interference (effective June 22, 2023).
  2. Annual Examinations: a requirement to conduct annual examinations of FRFIs to determine the sufficiency of their policies and procedures in safeguarding against threats to their integrity or security, including foreign interference (effective January 1, 2024).
  3. Annual Reporting: a requirement to provide an annual report to the Minister of Finance detailing the results of the examinations described in item 2 above (effective January 1, 2024).

Bill C-47 also expands OSFI's powers (as of June 22, 2023) to issue directions to, and to take control of, FRFIs for reasons related to national security or if the continued operation of an FRFI by its directors or by the officers responsible for its management would be materially prejudicial to its integrity or security.

The modifications are aimed at advancing OSFI's commitment to maintaining public confidence in the Canadian financial system. However, the changes introduce broad powers that will require OSFI to interpret and apply their judgment to subjective terms such as "national security" "integrity" and "security".

OSFI's Implementation Steps

In the letter to industry, OSFI outlines the following steps for implementation of the updated legislative framework:

  1. Engagement with Stakeholders (September 2023): OSFI will commence discussions with key stakeholders to gather insights and feedback, ensuring a collaborative approach to addressing integrity and security concerns.
  2. Revised Draft Guideline on Operational Risk and Resilience (E-21) (September 2023 to February 2024): OSFI will release a revised draft guideline for a six-month consultation period. This consultation will allow stakeholders to provide input on operational risk and resilience measures.
  3. Draft Guideline on Integrity or Security (October 2023 to November 2023): OSFI will release a draft guideline specifically addressing integrity and security for a six-week consultation period. This will provide a platform for stakeholders to contribute their expertise and perspectives.
  4. Final Guideline on Integrity or Security (January 2024): OSFI aims to release the final guideline on integrity or security in January 2024, reflecting the insights and feedback received during the consultation period.

It will be interesting to see how the discussions with stakeholders unfold and what language OSFI will ultimately include in the proposed new guidance. Without an adequate definition of subjective terms such as "national security" "integrity" and "security", FRFIs will no doubt find it challenging to expand their regulatory compliance programs to ensure ongoing compliance.

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2021