On October 13, 2023, the Office of the Superintendent of Financial Institutions (OSFI) released two draft guidelines for consultation, aimed at addressing non-financial risks for financial system resiliency:

This reflects the next step in OSFI's continuing focus on non-financial risks, and will require federally regulated financial institutions ("FRFIs") to develop new policies and procedures, and review existing policies and procedures.

Integrity and Security Guideline

The Integrity and Security Guideline sets out OSFI's expectations regarding integrity and security of FRFIs. This is further to Bill C-47, the Budget Implementation Act, 2023, No. 1, which expanded OSFI's mandate in relation to integrity and security and introduced a requirement for FRFIs to have and adhere to adequate policies and procedures to protect themselves from threats to their integrity and security, including foreign interference. OSFI will be examining the adequacy of the policies and procedures adopted by FRFIs and reporting to the Minister of Finance on these examinations.

The Integrity and Security Guideline applies to all FRFIs, including foreign branches to the extent it is relevant to their ability to meet applicable requirements and legal obligations in Canada.

The anticipated outcomes of the Integrity and Security Guideline are that:

  • actions, omissions, and decisions are consistent with the letter and intent of ethical standards, regulations, and the law; and
  • operations, physical premises, people, technology assets, and data and information are resilient and protected against threats.

The Integrity and Security Guideline provides that adequate policies and procedures to protect against threats to integrity or security must be established, implemented, maintained and adhered to, that existing policies and procedures should be assessed against expectations set out in the guideline, that gaps or deficiencies should be promptly identified and addressed, and that the effectiveness of the policies and procedures should be demonstrable and assessed on a regular basis.

Integrity

The Integrity and Security Guideline suggests that the likelihood that people's behaviour will demonstrate integrity can be increased by:

  1. Ensuring people are of good character – In particular, senior leaders (i.e., the board of directors and senior management) should behave in a way that demonstrates integrity through their words, actions and decisions.
  2. Promoting a culture conducive to ethical behaviour – Culture should be deliberately shaped, evaluated and maintained.
  3. Subjecting actions, omissions and decisions to sound governance – Ethical expectations and standards should be codified in documents such as codes of conduct and conflict of interest policies and procedures, which are assessed for effectiveness and reviewed and updated on a regular basis.
  4. Verifying compliance of actions, omissions and decisions with relevant standards, regulation and law – Compliance risk management should include the establishment of an effective, enterprise-wide Regulatory Compliance Management (RCM) Framework that validates actions, omissions, and decisions against applicable standards, laws and regulations, and provides effective channels to raise concerns over non-compliance and provide constructive feedback.

Security

OSFI's expectations regarding FRFI security focus on six key areas:

  1. Physical premises – Standards and controls should be adopted to govern access control and monitoring of physical buildings, office spaces, physical technology assets, physical file storage and other sensitive areas, and technical security inspections should be conducted to protect physical and digital assets.
  2. People – Security standards and controls should be put in place to protect people from undue influence, foreign interference and malicious activity, including subjecting people to appropriate background checks and security screening, and putting strategies in place to manage risk.
  3. Technology assets – Technology assets should be secure, with weaknesses identified and addressed, effective defences in place, and issues identified accurately and promptly. FRFIs should guard against disruption, destruction, damage, access, modification and malicious use of IT infrastructure by threat actors.
  4. Data and information – Data should be identified, classified and protected based on a consideration of vulnerability to malicious activity, undue influence, or foreign interference. Personnel access requirements, including mechanisms to identify and escalate unauthorized data access, to prevent undue influence and foreign interference should be implemented.
  5. Third-party risks – Accountability for the security of physical premises, people, technology assets, and data and information cannot be contracted out, and accountability for business functions outsourced to third parties should remain with the financial institution. Assessments of third-party arrangements from a security perspective should be conducted at the outset and on an ongoing basis.
  6. Undue influence, foreign interference, and malicious activity – Threats stemming from undue influence, foreign interference, and malicious activity should be promptly detected and reported to law enforcement authorities. OSFI should also be notified when such a report is made.

The Integrity and Security Guideline provides that policies and procedures governing all types of threats should be established and maintained, and should be assessed for effectiveness, reviewed, and updated on a regular basis. The threat environment, including as it relates to third parties, should also be assessed and reported on regularly, with security precautions implemented to protect physical premises, people, technology assets, and data and information.

Enhanced Guideline E-21

Guideline E-21 builds upon a consultation held in 2021, and modernizes OSFI's expectations for operational resilience and managing operational risks. The revised Guideline E-21 is positioned by OSFI as a foundational guideline that is connected to other areas of risk management, such as third-party risk management, technology and cyber risk management, business continuity management, disaster recovery, crisis management, change management and data risk management.

The anticipated outcomes of Guideline E-21 are that:

  • FRFIs can deliver critical operations through disruption;
  • operational risk management is integrated within FRFIs' enterprise-wide risk management programs and supports operational resilience;
  • operational risks are managed within FRFIs' risk appetites; and
  • operational resilience is underpinned by operational risk management subject areas.

Guideline E-21 is divided into four key sections:

  1. Governance – Operational resilience and management of operational risks should be integrated into the FRFIs' enterprise risk management program and reporting, and senior management should be responsible for operational resilience and managing operational risks.
  2. Operational resilience – FRFIs should:
    1. identify and assess critical operations and engage in a holistic, end-to-end mapping of these critical operations;
    2. establish tolerances for the disruption of each of the identified critical operations, accounting for internal and external dependencies;
    3. engage in forward-looking scenario testing and analysis that assesses the impact of severe risk events, is holistic and enterprise-wide in scope, and is proportionate to risk and criticality (and metrics should be implemented to monitor the level of disruption, and reports on scenario testing and analysis should be provided to senior management); and
    4. continue to strengthen operational resilience.
  3. Operational risk management – FRFIs should:
    1. implement an enterprise-wide operational risk management framework that includes (i) an operational risk appetite statement, (ii) operational risk management policies and procedures, (iii) a standard operational risk taxonomy, (iv) operational risk assessment tools and methodologies, and (v) operational risk monitoring tools;
    2. set an operational risk appetite that articulates types of risks and sets qualifiable limits for risk acceptance and is regularly reviewed; and
    3. identify, assess, monitor and report on potential operational risks utilizing risk and control assessments, key risk indicators and operational risk event data analysis.
  4. Operational risk management subject areas that strengthen operational resilience – FRFIs should focus on the following key areas that strengthen operational resilience by emphasizing preparation, responsiveness, recovery, learning and adaptation: (i) business continuity management, (ii) disaster recovery, (iii) crisis management, (iv) change management, (v) technology and cyber risk management, (vi) third-party risk management, and (vii) data risk management.

Looking Forward

The consultation on the draft Integrity and Security Guideline will run until November 24, 2023, with a view to a final Integrity and Security Guideline being issued in January 2024. OSFI will be publishing frequently asked questions about the draft Integrity and Security Guideline every Friday, starting October 20. Comments on the draft Integrity and Security Guideline or questions about the consultation can be sent to IS@osfi-bsif.gc.ca.

The consultation on Guideline E-21 will run until February 5, 2024. Comments can be submitted to resilience@osfi-bsif.gc.ca.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.