Technology, digital innovation and digital transformation continue to proceed at an accelerating pace. While critical to continued evolution and success in many business sectors, technology and digitalization can also present significant business and operational risk.
Such risks remain particularly relevant to the financial services sector and federally regulated financial institutions (FRFIs), a fact that has been particularly underscored by the COVID-19 pandemic, which has emphasized the need for resilient technology and digital solutions.
In recognition that rapid technological advancement and digitalization continue to shape both the global and Canadian financial sector, on September 15, 2020, the Office of the Superintendent of Financial Institutions (OSFI) announced a three-month consultation on technology risks in the financial sector with the publication of a discussion paper: Developing Financial Sector Resilience In A Digital World: Selected Themes In Technology And Related Risks.
The paper canvasses a number of questions across a spectrum of themes related to developing an understanding of technology risk and its relationship to operational risk, and provides OSFI’s perspective and guidance. This approach is in line with OSFI’s strategic plan to ensure that federally regulated financial institutions are better prepared to identify and develop resilience to so-called “non-financial risks” before those risks negatively affect their financial condition. The paper and consultation are the latest efforts by OSFI to develop its regulatory and supervisory approaches to technology and related non-financial risks.
The paper invites relevant stakeholders to participate in the consultation by making submissions on the questions posed in the paper by December 15, 2020.
UNDERSTANDING TECHNOLOGY RISK
The paper sets the stage by exploring the relationships between operational risk, technology risk and operational resilience. Much of that discussion, while focused on OSFI’s requirements related to operational resilience, is also useful guidance and relevant to non-financial sector businesses that are already leveraging technology to conduct business or otherwise implementing digital transformation projects.
OSFI’s working definition for technology risk draws upon existing OSFI practice and guidance, and is aligned with operational risk frameworks in the financial sector: “Technology risk is the risk arising from the inadequacy, misuse, disruption or failure of information technology systems, infrastructure or data to meet business needs.”
The paper recognizes that technology risk comprises a spectrum of sub-domains and sub-risks and intersects with other operational and financial risks. By way of example, the paper notes that a data breach which exposes financial consumer records has the potential to damage a financial institution’s reputation and cause financial loss from lost business.
A FOCUS ON THREE KEY AREAS OF TECHNOLOGY RISK
The paper establishes core principles for three priority areas of technology related risk: cybersecurity, advanced analytics and third-party ecosystems.
OSFI’s intent is to use these principles as the basis for future specific regulatory guidance. Recognizing that data, in addition to technology, is the other key foundational element and is interconnected with all three priority risk areas, the paper separately includes a discussion of data risks.
Increasingly frequent and sophisticated cyber attacks and related incidents continue to jeopardize the information security of financial services sector participants and public confidence in them. Confidentiality, integrity and availability are identified as the core principles for managing technology and cyber risk. Collectively, these principles require that information, including personal information, is neither made available nor disclosed to unauthorized individuals, entities, processes or systems; that information is not improperly modified or destroyed and remains authentic; and that information remains accessible and usable in a reliable and timely manner.
OSFI points to its previously issued guidance on managing cyber risk: the 2013 Cyber Security Self-Assessment Guidance, which sets out guidelines on sound cyber security practices, and the Technology and Cyber Security Incident Reporting advisory, which sets out mandatory cyber incident reporting requirements.
Noting that cyber and technology risks continue to evolve rapidly, OSFI highlights quantum computing as an emerging area of potential technology risk. Sufficiently capable quantum computers threaten the public-key cryptography on which existing information systems rely, and OSFI asks stakeholders to consider both the risk implications of quantum computing and whether gaps exist in OSFI’s current guidance that need to be addressed.
New technologies, including artificial intelligence (AI) and machine learning (ML), are transforming the ways in which, and the speed at which, data is analyzed. Advanced analytics which utilize AI and ML introduce new risks and amplify existing risks. OSFI identifies soundness, explainability and accountability as the core principles to manage the risks associated with advanced analytics and underlying technologies. These principles strive to ensure that AI/ML models are accurate, reliable, auditable and fair by design, that AI/ML models and their results can be explained and understood, that appropriate risk management frameworks include AI/ML and that appropriate roles and responsibilities are assigned across the FRFI.
OSFI recognizes that existing guidance may not be sufficient to address the risks associated with advanced analytics, and seeks stakeholder input to help identify additional risks and to develop potential future principles and guidance designed to manage those risks.
Technology Third-Party Ecosystems
Third-party products and services are used extensively by FRFIs to conduct and operate their businesses, including through the outsourcing of business functions or operations to a third party, or through the use of services that leverage infrastructure and services operated by third parties.
The core principles OSFI uses to manage technology-based third-party risks are transparency, reliability and substitutability. FRFIs remain accountable for their business activities and must have appropriate visibility into the operations of their third-party providers; third-party services must be available and reliable; and third-party technology services should be capable of being effectively moved to, and delivered by, an alternative provider.
Since 2001, OSFI has maintained guidance on the outsourcing of business activities pursuant to its outsourcing Guideline B-10, as updated over time to reflect certain relevant developments, such as cloud computing.
Third-party service ecosystems and models continue to evolve and to raise new challenges and risks, particularly in the area of cloud services and other “as a service” models, as well as in the relationships developing between FRFIs and third parties, including FinTechs, to deliver financial products and services. In recognition of this, OSFI will undertake a separate consultation process on the expectations contained in Guideline B-10. That process will be informed by the findings of this consultation, by policy discussions at the international level and by OSFI’s supervisory work.
Data is critical to the operation of a financial institution, and sound data management practices have always been a core requirement. Digital transformation and technology have served to accelerate both the volume and the ways in which data is used and processed, with the result of elevated data risks, including across the three risk areas canvassed in the paper.
OSFI highlighted two specific developments which will influence data risk management in the financial services sector.
The first development is in the area of data security and privacy. The security of consumers’ personal financial information is essential to managing a FRFI’s reputational, legal and compliance risk. Recent federal government initiatives, such as Canada's Digital Charter: Trust in a digital world and its proposals to modernize the Personal Information Protection and Electronic Documents Act, focus both on the security of personal information and data and on enhancing individuals’ control over their personal information and privacy.
The second development is the introduction of open API frameworks that would allow consumer-permissioned financial data to be accessed and used by third-party developers to build applications and deliver services. Consultations and examinations are continuing as the Canadian government, OSFI and other governments and regulators around the world examine the issues raised by open APIs, including those relating to privacy and security.