On January 31, 2024, the Office of the Superintendent of Financial Institutions (OSFI) issued its final Integrity and Security Guideline (the "Guideline"). This follows an expedited six-week consultation on the draft guideline, which was discussed in our prior bulletin, "OSFI Releases Two Draft Guidelines Addressing Non-Financial Risks". The new Guideline is applicable to all federally regulated financial institutions ("FRFIs"), including banks, insurance companies and foreign branches carrying on business in Canada.

Key Requirements and Guideline Changes

The new Guideline supports recent changes to OSFI's mandate concerning non-financial risk, which was expanded in the 2023 federal budget Bill C-47 to include a requirement to supervise FRFIs concerning whether they have "adequate policies and procedures to protect themselves against threats to their integrity or security, including foreign interference". The Guideline sets out OSFI's expectations for FRFIs' integrity and security across multiple areas, while tying into OSFI's existing related guidelines.

Several key new and expanded requirements for FRFIs that were anticipated from the draft guideline include:

  • There will be higher expectations for FRFI leaders and responsible persons to demonstrate ethical integrity through their actions, behaviours and decisions, and to shape, evaluate and maintain sound culture.
  • An FRFI's behavioural expectations of its personnel should be documented in codes of conduct and conflict of interest policies, with effective procedures to help identify non-compliance, such as whistleblowing programs.
  • Standards and controls should be in place for physical buildings, office spaces, and physical file storage, with processes for technical security inspections.
  • Expanded background checks on employees and contractors should be completed, as appropriate to the role.
  • Data classification should consider vulnerability to malicious activity, undue influence, or foreign interference, with additional clarity on what constitutes malicious actions towards Information Technology (IT) infrastructure and an expectation that personnel access will be restricted appropriately.
  • FRFIs should have transparent and objective procurement processes, which consider a third party's access to the FRFI's premises, people, technology assets, and data.
  • Incidents or events relating to undue influence, foreign interference, or malicious activity are to be reported to appropriate law enforcement authorities and OSFI. Detected incidents that may not meet these criteria for external reporting should still be documented as part of risk management reporting within the FRFI.

The final Guideline is generally similar to the consultation draft, although some changes were made to address concerns raised by stakeholders, in particular regarding the regulatory burden associated with the new requirements and terminology. OSFI incorporated several changes to confirm that FRFIs may take a risk-based approach to the Guideline – notably that security sweeps (how often and where), personnel background check standards and assessment criteria for possible incidents should align with the FRFI's risk environment.

At the same time, OSFI declined to follow its usual approach to proportionality, as reflected in other guidelines. While it clarified that a risk assessment should consider factors such as ownership structure, business arrangements, and the scope and location of operations, OSFI confirmed in its media briefing that its different approach in the Guideline was intentional, since the risks relating to integrity and security apply regardless of the size of an FRFI.

Looking Ahead

Several elements of the Guideline are linked to other guidelines that continue to be under development. This includes culture expectations that are outlined in the draft Culture and Behaviour Risk Guideline and updates to Guideline E-21: Operational Resilience and Operational Risk Management.

Since there are many new requirements for FRFIs in the Guideline and its related guidelines have not all landed yet, OSFI is taking a phased approach to implementing the Guideline:

  • Effective from the Guideline's release, FRFIs must report incidents or events relating to undue influence, foreign interference, or malicious activity to appropriate law enforcement authorities and OSFI.
  • FRFIs must complete a related information request, concerning their existing policies and procedures to protect against threats to integrity or security, and return it to OSFI by April 2, 2024.
  • By July 31, 2024, all FRFIs must submit a comprehensive action plan for OSFI's review, outlining how they will meet the new and expanded expectations, which includes interim deliverables to achieve compliance.
  • The full Guideline will come into effect on January 31, 2025, except for the new expectations on background checks, which will take effect on July 31, 2025. The additional time for background checks likely takes into consideration OSFI's intent to require background checks for both new and existing personnel.

FRFIs' response to the information request and action plans will contribute to OSFI's new obligation to report annually to the Minister of Finance on the existence and adequacy of FRFI policies and procedures protecting against threats to integrity or security.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.