Amid growing concerns about meddling foreign governments, lax security and a lack of integrity at financial firms, the Office of the Superintendent of Financial Institutions (OSFI) has released proposed new guidance.
The federal financial regulator issued two sets of draft guidance for public comment — a new guideline that sets out OSFI’s expectations regarding the security and integrity of financial institutions, and proposed revisions to existing guidance on firms’ operational resilience and risk management.
On the security and integrity front, OSFI details the kinds of measures firms should be taking to guard against both criminal activity and efforts to corrupt, intimidate or manipulate financial institutions and their employees. In particular, OSFI warns of schemes that would serve the interests of foreign governments and would damage domestic interests.
Among other things, it includes new requirements to report suspected foreign interference attempts to OSFI, the RCMP and CSIS. It also calls for background checks and security screenings on senior leaders of “vulnerable third parties” and background checks on all employees and contractors.
The proposed new guidance also addresses the culture and integrity of financial firms and their employees.
“A lack of [integrity] can damage reputation, result in fraud, cause legal issues, and increase vulnerabilities to undue influence, foreign interference, and malicious activity,” the proposals said.
“Financial risks also often find their root cause in failures of integrity. Thus, enhancing integrity reduces risks to solvency and supports the overall safety and stability of an institution, and consequently the financial system,” OSFI said.
The new guidance follows the passage of legislation in June, which expanded OSFI’s mandate to include ensuring that financial institutions are adequately prepared to guard against foreign interference, and other threats to their security, as part of maintaining public confidence in the financial system.
That legislation also requires OSFI to assess firms’ security preparations annually, and to report its findings to the federal Finance minister.
“In many cases, [financial institutions] are already adhering to expectations for integrity and security as these concepts are broadly captured in current OSFI guidelines,” the regulator noted — the new guidance will help clarify and cement expectations in this area.
The new guidance on security is out for comment until Nov. 24, and OSFI said it intends to finalize the new guidance by the end of January 2024.
The proposed revisions to OSFI’s existing operational risk guidance — which aim to modernize the regulator’s policies in this area and set new expectations for business continuity, crisis, change and data risk management — will be open for comment until Feb. 5, 2024.
In a letter accompanying the proposed revisions, the regulator said financial institutions operate in a “complex risk environment, with increasing threats posed to their critical operations from events such as control failures, pandemics, natural disasters, third-party disruptions, and cyber-attacks.”
It said the updated guidance aims to strengthen firms’ ability to prepare for, and recover from, these kinds of severe disruptive events.
The two sets of guidance are being issued jointly, given the close connections between security issues and operational resilience and risk management, OSFI noted.
“Public confidence in financial institutions depends, not only on sound financial management, but also their integrity and security. These guidelines represent an incremental but critical step in clarifying our expectations of them. We hope they help financial institutions identify how to be more secure and more resilient,” said Peter Routledge, superintendent of financial institutions, in a release.