OSFI’s Draft Security and Integrity Guideline: What’s Expected of FRFIs and When?

Stikeman Elliott LLP

On October 13, 2023, OSFI released its draft Integrity and Security Guideline (“Guideline”). The Guideline, which would layer new and expanded expectations over existing applicable guidance, would apply to all Federally Regulated Financial Institutions (“FRFIs”), including foreign bank and insurance company branches in relation to their Canadian business.

The consultation period is short, with responses due by November 24, 2023. OSFI will issue the final Guideline by January 31, 2024.

Background

The Guideline follows amendments to FRFI statutes in Bill C-47, the Budget Implementation Act, which received Royal Assent on June 22, 2023. In effect as of January 1, 2024, the amendments extend OSFI’s mandate to include the supervision of FRFIs to determine whether they have established policies and procedures adequate to protect against threats to integrity and security, including foreign interference. Among other things, this requires OSFI to assess FRFIs with respect to their adoption of adequate policies and procedures at least once per year.

Key Concepts

The concepts of integrity and security ground the 10 principles set out in the Guideline. As noted below, the subject matter of many of the principles is already considered in existing and pending OSFI guidelines: in those cases, the new Guideline is intended to complement the existing guidance rather than as a replacement for it.

Integrity Principles

1. Character

Senior leaders are of good character and demonstrate integrity through their words, actions, and decisions.

See also Guideline E-17: Background Checks on Directors and Senior Management.

2. Culture

Culture consistent with ethical norms is deliberately shaped, evaluated and maintained.

While this does not mean that there is one “ideal culture”, all organizations should strive for a culture that reflects a commitment to ethical behaviour.

See also OSFI’s draft Culture and Risk Behaviour Guideline, as discussed in our previous post.

3. Governance

Governance structures subject actions, omissions, and decisions to appropriate scrutiny and promote ethical behaviour.

This includes (among others) effective governance of all important decisions, oversight of senior leaders, conflict of interest policies and codes of conduct applying to all staff and backed up with regular training.

See also OSFI’s Corporate Governance Guideline and, in the case of foreign banks and insurers, Guideline E-4: Foreign Entities Operating in Canada on a Branch Basis.

4. Compliance

Effective mechanisms to identify and verify compliance with standards, regulations, and the law exist.

Key compliance requirements include (among others) the establishment of an enterprise-wide Regulatory Compliance Management (“RCM”) Framework to evaluate actions, omissions and decisions against applicable laws, regulations and standards, while also providing channels for feedback and whistleblowing.

See also Guideline E-13: Regulatory Compliance Management.

Security Principles

5. Physical premises

Physical premises are safe and secure and monitored appropriately.

This includes not only office space but other sensitive areas such as file storage locations and technology assets. Security inspections, including sweeps for covert devices, should be carried out at intervals appropriate to the “threat environment”.

See also Guideline B-13: Technology and Cyber Risk Management and draft Guideline E-21: Operational Risk Management and Operational Resilience.

6. People

People should be subject to appropriate background checks and security screening, and strategies should be put in place to manage risk.

Security controls should be established to ensure that individuals in the organization are not subject to undue influence or foreign interference, and are not involved in malicious activity. The extent of security screening will depend on factors such as authority, seniority and access to sensitive information. The Guideline provides general guidance on the nature of the necessary background checks.

See also Guideline E-17: Background Checks on Directors and Senior Management.

7. Technology assets

Technology assets should be secure, with weaknesses identified and addressed, effective defences in place, and issues identified accurately and promptly.

See also Guideline B-13: Technology and Cyber Risk Management.

8. Data and information

Data and information should be subject to appropriate standards and controls ensuring its confidentiality, integrity, and availability.

Data security should be in place at all stages of the data life-cycle. Data should be classified with respect to its vulnerability and data access by personnel should be restricted accordingly, with mechanisms in place to detect unauthorized access.

See also Guideline B-13: Technology and Cyber Risk Management.

9. Third-party risks

Third parties should be subject to equivalent and proportional measures to protect against threats.

This principle requires consideration of potential security risks posed by third parties such as contractors and their subcontractors. It states, among other things, that accountability for outsourced business functions remains with the financial institution. It also recommends transparent procurement processes with objective selection and decision-making procedures.

See also Guideline B-10: Third-Party Risk Management.

10. Undue influence, foreign interference, and malicious activity

Threats stemming from undue influence, foreign interference, and malicious activity should be promptly detected and reported.

OSFI has additional expectations for threats involving undue influence, foreign interference or malicious activity. Measures should be in place to detect such threats promptly and to ensure that investigations are confidential and independent. Instances involving foreign interference should be reported to the RCMP, CSIS and OSFI.

Timing Issues

On October 20, 2023, OSFI published a FAQ document clarifying a number of issues, including some relating to timing. While the legislation is effective January 1, 2024, the Guideline may not be finalized until the end of that month. In the interim, FRFIs should ensure that they have adequate policies and procedures in place to protect against threats to their integrity and security, follow all relevant existing Guidelines, and meet specific expectations in the Guideline, such as the expectation that foreign interference, undue influence and malicious activity be promptly reported to law enforcement (see Principle 10, above).

FRFIs must immediately develop adequate policies and procedures for all new risk areas identified in the Guideline. However, prior to its finalization, they are not expected to meet the Guideline's expectations other than those that are specific and actionable without further guidance. In other words, they must address the new risk areas, but they do not have to do so in accordance with expectations for which further guidance is required. Some of these expectations, including the character assessment of board members and senior management, are referred to in remarks by OSFI Assistant Superintendent Tolga Yalkin published on October 23, 2023. The FAQs note that the required background checks do not have to have been conducted by January 1, 2024; timelines for their completion will be announced later.

The FAQs state that FRFIs are not expected to meet expectations in existing guidelines before their effective dates.

Foreign Operations

In addition, the FAQs state that nothing in the Guideline prevents a FRFI from operating in any foreign jurisdiction.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stikeman Elliott LLP | Attorney Advertising
