OSFI Releases Finalized Integrity and Security Guideline

Stikeman Elliott LLP

On January 31, 2024, OSFI released its finalized Integrity and Security Guideline (“Guideline”). The Guideline is a result of the extension of OSFI’s mandate, as of January 1, 2024, to include the oversight of integrity and security-related policies and procedures of Federally Regulated Financial Institutions (“FRFIs”).[1] This follow-up to our previous post summarizes the changes that were made in the final version and notes the implementation schedule that OSFI also announced on January 31.

As discussed in our earlier post, the Guideline is structured around ten integrity and security “principles”:

  • Integrity principles: Character; Culture; Governance; Compliance.
  • Security principles: Physical premises; People; Technology; Data/information; Third-party risks; Undue influence/foreign interference/malicious activity.

While the finalized Guideline maintains this structure, it has been significantly revised in light of comments received. OSFI’s response to this feedback notes that these changes fall into three categories:

  • Terminology: Certain colloquial, uncommon and undefined expressions have been replaced by more standard terminology.
  • Proportionality: The Guideline’s final version is clearer about the proportional application of certain expectations.
  • Risk basis: OSFI has clarified that key expectations in the Guideline can be applied on a risk basis.

In addition to the above, we note that (i) the finalized Guideline relaxes several overly broad and/or unrealistic compliance expectations and (ii) it refers more explicitly to foreign interference risk, in keeping with the growing recognition of that issue in Canada generally.

Summary of the Significant Changes

Some of the more significant substantive changes from the draft version are as follows. These are found in the Guideline’s overview section as well as in the sections dedicated to integrity and security.

Overview

Application of the Guideline

The “Application” section now specifically states (i) that the Guideline applies on a risk basis and (ii) that the factors to be considered include:

  • Business arrangements, such as joint ventures and strategic alliances; and
  • Ownership structure, which is now specifically defined to encompass “parent-subsidiary or home office-branch relationships and relationships with related parties and large shareholders.”

Obstacles to meeting expectations

The finalized Guideline provides that, where a FRFI faces impediments to meeting an expectation, such as local laws or limitations associated with leased premises, it should “take appropriate mitigating actions” in keeping with the risks of the situation.

Key terms

The terms “contractor” and “leader” have been defined. In addition, several draft definitions have been revised, including a more flexible definition of “responsible persons” and a clearer definition of “integrity” that does not involve the concept of “ethical standards” (a term that commenters considered too vague). National security is now specifically referenced in the definitions of “malicious activity” and “undue influence”.

Outcomes

Actions, behaviours and decisions are now expected to be measured against “regulatory expectations, laws and codes of conduct” rather than against “ethical standards”.

Policies and procedures

The finalized Guideline provides more specifics about OSFI’s expectations for the maintenance and updating of policies and procedures, with an increased emphasis on regular review and updating in response to newly identified threats.

Integrity

Creative compliance

The general discussion of the concept of integrity now contains an explicit caution respecting “creative compliance, regulatory arbitrage, and any other measures designed to circumvent codes of conduct, regulatory expectations or laws”.

Culture

The finalized Guideline attempts to clarify what is meant by “culture”. While continuing to state that “there is no ideal culture”, the Guideline now specifies that a FRFI’s culture should be consistent with its “behavioural expectations of what is considered acceptable and unacceptable”.

Governance

Under the heading of “governance”, the Guideline now requires that behavioural expectations be communicated to “employees, contractors and stakeholders” rather than to “staff, senior leaders and stakeholders”. The recommendations for codes of conduct have been reworked, e.g. to allow for the incorporation of the conflict of interest code into the code of conduct document. The Guideline clarifies that a code of conduct should include “the detection, disclosure, avoidance, and management of real, potential, and perceived conflicts of interest” and that such codes should be reviewed and updated regularly.

Compliance

One significant substantive change to the compliance principle is the expectation that FRFIs will bring to their employees’ attention “external channels to raise concerns”, such as government whistleblower programs.

Security

Threat assessment period

The general discussion of the concept of security now states that security threat assessments should take place “at least annually”, rather than “regularly” as stated in the draft version.

Physical premises

The final Guideline clarifies that the scope and frequency of “periodic sweeps for covert devices” are to be proportional to the threat environment.

Background checks

The Guideline now states that background checks are to be “risk-based” and deletes the expectation that they be “equivalent to the Government of Canada’s Enhanced Reliability Check minimum standard”. The content of a background check is now stated in more flexible language, with credit checks and criminal record checks to be focused on responsible persons (e.g. directors and senior management) and “contractors occupying higher-risk positions”, although OSFI may request that specific individuals obtain a higher level of security clearance in view of their roles and responsibilities.

Technology assets, data and information

Proportionality qualifiers have been incorporated into OSFI’s expectations regarding the protection of a FRFI’s technology assets, data and information.

Third-party risks

The finalized Guideline states that due diligence on a third party “should be proportional to the third party’s access to the financial institution’s physical premises, people, technology assets, and data and information” and removes what OSFI acknowledges were impractical expectations with respect to background checks of senior leaders of third parties.

Undue influence, foreign interference, and malicious activity

The expectation in the draft Guideline that any suspicion of undue influence, foreign interference, and malicious activity be reported immediately to law enforcement authorities has been reduced, in the finalized Guideline, to a statement that FRFIs are “encouraged” to report to such authorities (and to OSFI) when there are “reasonable grounds” to believe that an incident of this type has occurred. However, any such incident that the FRFI deems not to meet its reporting threshold “should be documented and inventoried … as part of the management reporting process to senior management.”

Implementation Schedule

On releasing the finalized Guideline, OSFI also published an implementation schedule that is intended to give institutions the time they require to adjust to the new regulations. The deadlines are as follows:

Immediately: Observe the expectation to notify OSFI with respect to reports that are made to CSIS or law enforcement.

July 31, 2024: Submission of a “comprehensive action plan” to OSFI with respect to the new and expanded expectations. This includes “interim deliverables to achieve compliance”.

January 31, 2025: All expectations must be observed by this date, with the exception of those relating to background checks.

July 31, 2025: Expectations relating to background checks must be observed.


[1] The Guideline follows amendments to FRFI statutes in Division 33 of Bill C-47, the Budget Implementation Act, which received Royal Assent on June 22, 2023. In effect as of January 1, 2024, the amendments extend OSFI’s mandate to include the supervision of FRFIs to determine whether they have established policies and procedures adequate to protect against threats to integrity and security, including foreign interference.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stikeman Elliott LLP | Attorney Advertising
