OSFI Issues Final Integrity and Security Guideline
On January 31, 2024, the Office of the Superintendent of Financial Institutions (“OSFI”) published the final Integrity and Security Guideline (the “Guideline”), setting out OSFI’s expectations for federally regulated financial institutions (“FRFIs”) to manage risks to their integrity and security, and to have policies and procedures in place to address such risks.
The Guideline is substantially similar to the draft guideline which was issued back in October 2023 (please refer to our previous article for a discussion on the draft guideline), but reflects some changes as a result of feedback received through consultation.
Consistent with the draft Guideline, the expectations under the Guideline apply on a risk and proportional basis based on a FRFI’s ownership structure, business arrangements (e.g. joint ventures and strategic alliances), strategy and risk profile, and scope, nature, and location of operations.
Definition of Key Terms
The Guideline defines certain key terms, including “integrity”, “security”, “foreign interference” and “undue influence.” Each of these terms is defined broadly, with the definitions only stating what each “includes” and not purporting to be a comprehensive definition. The definitions are fairly similar to the draft Guideline.
- “Foreign interference” is defined as including “activities that are within or relating to Canada, detrimental to the interests and security of Canada, and are clandestine or deceptive or involve a threat to any person, including attempts to covertly influence, intimidate, manipulate, interfere, corrupt, or discredit individuals, organizations, and governments to further the interests of a foreign state or non-state actor.”
- “Integrity” is defined as including “actions, behaviours, and decisions consistent with the letter and intent of regulatory expectations, laws, and codes of conduct.”
- “Responsible persons” is defined as including “directors and senior management of financial institutions as defined in the Corporate Governance Guideline and branch management of foreign entities operating in Canada on a branch basis. Others may be considered responsible persons, based on their roles, responsibility, or influence with respect to the financial institution.”
- “Security” is defined as including “protection against malicious or unintentional internal and external threats to: real property, infrastructure and personnel (“physical threats”) and technology assets (“electronic threats”).”
- “Undue influence” is defined as including “situations where a person or entity engages, with malicious intent, in actions, behaviours, deception or the use of power to impact actions, decisions, or behaviours in their own or another’s interests. Undue influence can originate from foreign or domestic actors and may have national security implications.”
The Guideline notes that while “integrity and security are distinct concepts and the outcomes of separate risk management practices, financial institutions can enhance their security by acting with integrity” as security is strengthened “by people with good character, a culture that is focused on sound governance and an appropriate and well-established RCM framework.”
Policies and Procedures
The Guideline notes that adequate policies and procedures to address risks and threats to a FRFI’s integrity or security, including foreign interference, “must be established, implemented, maintained, and adhered to” and existing policies and procedures must be reassessed against the expectations in the Guideline. OSFI also expects FRFIs to demonstrate and assess the effectiveness of such policies and procedures on a regular basis.
OSFI notes that it will be required to annually report to the Minister of Finance on the existence and adequacy of FRFIs’ policies and procedures. Accordingly, OSFI has sent an information request and instructions to FRFIs which are due to OSFI by April 2, 2024.
The Guideline sets out 10 key expectations which are fairly similar to those initially set out in the draft Guideline:
Integrity (Principles 1-4): The Guideline notes that integrity is “demonstrated in actions, behaviours, and decisions that are consistent with the letter and intent of regulatory expectations, laws, and codes of conduct.”
- Character - Principle 1: “Responsible persons and leaders are of good character and demonstrate integrity through their actions, behaviours, and decisions.”
Principle 1 expands the current expectations under Guideline E-17 Background Checks on Directors and Senior Management, to require that FRFIs complete a review of the character of their boards of directors and senior management, as demonstrated through their past and current behaviour, to ensure their integrity.
- Culture - Principle 2: “Culture that demonstrates integrity is deliberately shaped, evaluated, and maintained.”
Principle 2 expands the current expectations under the draft Culture and Behaviour Risk Guideline to require that FRFIs ensure their culture reflects a commitment to norms that encourage ethical behaviour. Please refer to our previous article for a discussion on the draft Culture and Behaviour Risk Guideline.
- Governance - Principle 3: “Governance structures subject actions, behaviours, and decisions to appropriate scrutiny and challenge.”
Principle 3 expands the current expectations under the Corporate Governance Guideline and Guideline E-4 Foreign Entities Operating in Canada on a Branch Basis (where applicable), to require that FRFIs ensure appropriate governance oversight of ethical behaviour, actions and decisions, including through their codes of conduct and conflicts of interest policies and procedures.
Codes of conduct should apply to all employees and include regular training, while compliance “should be monitored based on risk, considering individual roles, functions, and potential exposure to undue influence, foreign interference, and malicious activity.”
- Compliance - Principle 4: “Effective mechanisms to identify and verify compliance with regulatory expectations, laws, and codes of conduct exist.”
Principle 4 expands the current expectations under Guideline E-13 Regulatory Compliance Management (“Guideline E-13”) by more specifically requiring that FRFIs ensure compliance focuses on “not just adhering to the letter of such requirements, but also upholding their intent given the associated impacts on reputation and public trust”.
FRFIs can achieve this by establishing an effective, enterprise-wide Regulatory Compliance Management (“RCM”) framework that validates “actions, behaviours, and decisions against applicable regulatory expectations, laws, and codes of conduct, both in letter and intent” and by providing effective channels, such as regular reporting and anonymous whistleblowing programs, to raise concerns over non-compliance. FRFIs are also expected to make employees aware of external channels, such as whistleblowing programs run by government agencies or law enforcement.
Security (Principles 5-10): The Guideline notes that security is achieved by operations, physical premises, people, technology assets, and data and information being resilient and protected against threats.
- Physical Premises - Principle 5: “Physical premises are safe and secure and monitored appropriately.”
Principle 5 creates new expectations that FRFIs put in place standards and controls to govern access control and monitoring of “[p]hysical buildings and office spaces, including assets, storage, and equipment contained within those spaces” and “[a]ny areas where sensitive work or discussions may occur”, including periodic sweeps for covert devices.
FRFIs should also refer to Guideline B-13 Technology and Cyber Risk Management (“Guideline B-13”) and draft Guideline E-21 Operational Resilience and Operational Risk Management (“Guideline E-21”).
- People - Principle 6: “People should be subject to appropriate background checks, and strategies should be put in place to manage risk.”
Principle 6 creates new expectations that FRFIs perform appropriate risk-based background checks for responsible persons, employees, and contractors that are conducted prior to employment, renewed on a regular basis and reviewed off-cycle based on certain criteria. In addition, FRFIs should implement standards and controls that “consider factors such as authority, seniority, and access to sensitive information.”
- At a minimum, appropriate checks should include verification of identity and background (e.g. education and professional credentials and personal and professional references).
- Furthermore, responsible persons, employees and contractors with higher-risk positions should be subject to criminal record checks and financial inquiries (e.g. credit checks).
- The Guideline notes that OSFI may “request that specific individuals of the financial institution obtain a higher level of security clearance, depending on roles and responsibilities.”
FRFIs should also refer to Guideline E-17 Background Checks on Directors and Senior Management.
- Technology Assets - Principle 7: “Technology assets should be secure, with weaknesses identified and addressed, effective defences in place, and issues identified accurately and promptly.”
Principle 7 expands the current expectations under Guideline B-13 to require FRFIs create an “[e]nhanced description of what constitutes malicious actions towards IT infrastructure”, while implementing defences that are “proportional to the likelihood of threats and the severity of impact to the financial institution and their employees, clients, and other stakeholders should the technology asset be compromised.”
- Data and Information - Principle 8: “Data and information should be subject to appropriate standards and controls ensuring its confidentiality, integrity, and availability.”
Principle 8 creates new expectations to require that FRFIs engage in “[d]ata classification consideration of vulnerability to malicious activity, undue influence, or foreign interference” and also expands on expectations under Guideline B-13 and the draft Guideline E-21 to require that there be “[p]ersonnel access requirements to prevent undue influence and foreign interference.”
Similar to Principle 7, the intensity of the defences should be proportional to the likelihood of threats and severity of impact to the FRFI should its data be compromised.
- Third-Party Risk - Principle 9: “Third parties should be subject to equivalent and proportional measures to protect against threats.”
Principle 9 creates new expectations to require that FRFIs perform third-party risk management that “is conducted through an integrity and security lens and is proportional to the third party’s access to the financial institution’s physical premises, people, technology assets, and data and information” and have in place “[t]ransparent and objective procurement processes.”
In particular, OSFI expects FRFIs to assess the following factors before engaging or outsourcing a business to a third party, and on an ongoing basis thereafter:
- The likelihood of threats to the third party
- The ability of the third party to address threats
- The existence and adequacy of the third party’s policies and procedures protecting against threats
- The adequacy of the third party’s background check processes
- In relation to foreign interference, FRFIs should consider the following information about the third party and its subcontractors: location of operations, location of corporate headquarters, connections to foreign governments, and ownership structure
FRFIs should also refer to Guideline B-10 Third-Party Risk Management.
- Reporting - Principle 10: “Threats stemming from suspected undue influence, foreign interference, and malicious activity should be promptly detected and reported.”
Principle 10 creates new expectations that FRFIs notify OSFI when a report is made to the Canadian Security Intelligence Service (“CSIS”), the Royal Canadian Mounted Police, or other authorities regarding undue influence, foreign interference, or malicious activity.
Even detected incidents and events that are deemed not to meet the threshold of reporting to OSFI or other authorities should be documented and inventoried by FRFIs as part of their management reporting process to senior management.
FRFIs should also refer to Guideline E-13.
The final Integrity and Security Guideline is effective immediately but will be implemented in the following phases:
- Effective immediately, FRFIs are expected to notify OSFI by email of reports made to law enforcement or CSIS.
- By July 31, 2024, FRFIs must submit a comprehensive action plan for OSFI’s review on how they will achieve compliance with the new and expanded expectations set forth in the Guideline.
- By January 31, 2025, FRFIs will be required to comply with all new or expanded expectations in the Guideline except those relating to background checks.
- By July 31, 2025, FRFIs will be required to comply with the new expectations on background checks.