The Office of the Superintendent of Financial Institutions (OSFI) issued the following two draft guidelines simultaneously on October 13, 2023, which address non-financial risks:
- Integrity and Security (Draft I&S Guideline), which sets out OSFI's expectations for the integrity and security of financial institutions, including protection against foreign interference. The Draft I&S Guideline is subject to a six-week public consultation period, ending on November 24, 2023.
- Guideline E-21: Operational Resilience and Operational Risk Management (Draft Guideline E-21), which outlines OSFI's expectations for operational resilience and operational risk management. Draft Guideline E-21 is subject to a four-month public consultation period, ending on February 5, 2024.
Both draft guidelines will apply to all federally regulated financial institutions (FRFIs), including branches of foreign institutions, to the extent they are relevant to their ability to meet applicable requirements and legal obligations in Canada. Affected FRFIs include banks, foreign bank branches, trust and loan companies, cooperative retail associations, property and casualty insurance companies and life insurance companies.
The two draft guidelines are related and are intended to provide an improved approach to operational resilience and operational risk management. These improvements should also bolster the integrity and security of FRFIs.
The issuance of these draft guidelines is part of OSFI's increasing focus on non-financial risks. This focus has thus far included a broader and more holistic conception of risks, such as those related to climate change, cyber security, technology, control and governance of third-party relationships, corporate culture and compliance.
Integrity and security
Changes in the Budget Implementation Act, 2023, No. 1 expanded OSFI's mandate to include supervision of FRFIs with respect to threats to their integrity or security, including through foreign interference. The Draft I&S Guideline provides insight into how OSFI intends to execute this new aspect of its mandate, and addresses both existing requirements and new expectations. The two topics of the Draft I&S Guideline are:
- Integrity, which includes actions, omissions, and decisions consistent with the letter and intent of ethical standards, regulations, and the law.
- Security, which includes protection against malicious or benign internal and external threats to: (i) real property, infrastructure, and personnel ("physical threats"), and (ii) technology assets ("electronic threats").
Many of OSFI's integrity and security related risk expectations are already addressed in other OSFI guidelines. The Appendix of the Draft I&S Guideline contains a summary of the expanded expectations that are not covered under the current matrix of OSFI guidance. Additionally, OSFI has organized a FAQ channel to support this consultation and will publish comments every Friday starting on October 20, 2023.
OSFI requests feedback on the draft guideline by Wednesday, November 24, 2023. The final version of the I&S Guideline is scheduled for release in January 2024. We expect that OSFI will allow time for FRFIs to implement the requirements of this guideline following the release of the final version.
Operational resilience and operational risk management
Draft Guideline E-21 is intended to reinforce operational risk management practices of FRFIs to respond to increasing threats posed by the complex risk environment in which FRFIs operate.
OSFI's concern is the risk of severe disruptive events, which OSFI maintains has increased since it published the existing Guideline E-21 in 2016. Such events include:
- Third-party disruptions
- Infrastructure outages
- Technology failures
- Cyber incidents
- Geopolitical incidents
- Natural disasters
The likelihood and severity of such events underscore the importance of FRFIs being able to respond and recover while continuing to deliver critical operations.
Draft Guideline E-21 represents a complete overhaul of the existing guideline featuring both a new organizational format and new substantive expectations. The first change is the introduction of the concept of "operational resilience," which is defined as an institution's ability to deliver operations (including critical operations) through disruption, including through severe disruptive events. OSFI describes operational resilience as the prudential outcome of effective operational risk management.
The changes in Draft Guideline E-21 are an attempt to modernize OSFI's approach to operational risk management and set out new expectations for business continuity management, disaster recovery, crisis management, change management, technology and cyber risk management, third-party risk management, and data risk management. In OSFI's view, a renewed focus on operational resilience and operational risk management will support the integrity and security of FRFIs, the oversight of which is crucial to OSFI's expanded mandate.
OSFI requests comments on Draft Guideline E-21 before Monday, February 5, 2024. In addition, OSFI will hold an information session on Draft Guideline E-21 on Wednesday, January 17, 2024.
We will continue monitoring developments from OSFI, including with respect to these draft OSFI guidelines. Our financial services regulatory professionals are available to assist stakeholders in the consultation process and to advise on any concerns or questions about implementing either guideline.
For any questions you may have about this article, the authors or members of our Financial Services Regulation Group would be pleased to assist.