OSFI’s Consultation on Technology: Understanding the risks inherent in the technologies that power the financial industry
On September 15, 2020, the Office of the Superintendent of Financial Institutions (OSFI) released a discussion paper regarding technology risks in the financial sector. The paper, Developing financial sector resilience in a digital world: Selected themes in technology and related risks, focuses on digital risks arising from cybersecurity, data analytics, third party ecosystems and data. Today, technology and data are central to the operations of federally regulated entities (FREs). In the paper, OSFI focuses on some of these, including quantum computing, artificial intelligence, cloud computing, and data. OSFI poses questions in areas that it wishes to investigate further, potentially signaling OSFI’s interest in collaborating with stakeholders to develop guidance that balances the “safety and soundness” of the Canadian financial sector against the needs of the sector to innovate.
The paper should not be taken lightly or ignored. OSFI has requested stakeholder comments on the paper by December 15, 2020. These comments will likely form the basis for further consultations before OSFI tables any firm proposals. Any new guidance from OSFI purporting to regulate “technology and related risks” could therefore have wide-ranging impacts on the financial sector, including in connection with the following:
- OSFI asks whether its approach of principles-based regulation continues to be appropriate in the area of technology risk management, or whether more prescriptive, rules-oriented guidance is desirable. The rapid rate at which emerging technologies are progressing raises questions not only about the appropriateness of prescriptive rules, but also the challenge of promulgating technologically neutral rules that can be operationalized, while not adversely stifling innovation in the financial sector. This is especially important as Canadian financial entities do business internationally. Canadian regulation has the potential to either help or hinder future competitiveness in the global market.
- OSFI notes other consultations affecting the use of digital technologies including the Digital Charter and proposed reforms of various privacy laws, including PIPEDA. British Columbia, Ontario and Quebec are also proposing to amend their privacy laws. The convergence of efforts to modernize laws targeting evolving technologies raises questions about whether reforms will be coordinated or will result in a multiplicity of new and potentially inconsistent laws administered by multiple regulators.
- There is a growing plethora of new guidance documents, standards, and best practices with respect to the responsible uses of game-changing technologies such as artificial intelligence. It is unclear how OSFI guidance would fit within or leverage all of this sometimes conflicting literature.
Financial institutions have long been seen to be powered by and dependent on a vast array of digital technologies. The ability of financial institutions to reliably deliver critical products and services during the COVID-19 pandemic is but one recent example of how financial institutions are successfully harnessing the power of digital technologies to deliver flexible, reliable and powerful products and services. With that said, this increasing reliance on digital technologies could trigger or amplify operational and financial risks to financial institutions. OSFI indicates that it is assessing the merits of a focus on operational resilience objectives with respect to technology and related risks and believes that a holistic view of operational risk management and operational resilience is warranted.
This consultation is a continuation of earlier work by OSFI to identify and mitigate risks presented by digital technologies, including:
- cyber security incident reporting requirements released in 2019;
- OSFI’s Operational Risk Management guideline released in 2016 (which is relevant here as technology risk is a sub-category of operational risk);
- the Cyber Security Self-Assessment Guidance released in 2013; and
- the OSFI B-10 guideline on Outsourcing of Business Activities, Functions and Processes, originally released in 2001, which impacts outsourcing in the digital sphere.
PRIORITY TECHNOLOGY RISK AREAS IDENTIFIED BY OSFI
The discussion paper focuses on principles related to three priority areas: cyber security, advanced analytics and third party ecosystems. As data is foundational to each of these areas, the discussion paper also includes a separate discussion on data risk. OSFI intends to use these principles as a basis for building out more specific regulatory expectations in these areas going forward.
The cyber security principle focuses on the confidentiality, integrity and availability of information. This builds on the existing work from OSFI related to cyber security, including the 2013 Cyber Security Self-Assessment Guidance, the 2019 advisory regarding cyber incident reporting and the ongoing circulation of Intelligence Bulletins and Technology Risk Bulletins that are intended to complement OSFI’s guidelines and advisories. OSFI notes that it continues to observe gaps in many financial institutions’ cyber security policies, procedures and capabilities and that many opportunities for improvement exist.
As part of this principle, OSFI flags two specific points of focus:
- enhancing cooperation with other authorities in connection with cyber resilience, including the Government of Canada’s National Cyber Security Strategy, the Canadian Financial Sector Resiliency Group and Canadian Centre for Cyber Security; and
- preparing for the broader adoption of quantum computing and managing quantum computing as an emerging risk, and in particular, the risk presented by quantum computing to traditional public-key cryptography, which might be broken by this technology.
OSFI notes that advanced analytics, and in particular the use of artificial intelligence (AI) and machine learning (ML) models, present a novel set of opportunities and risks. OSFI intends to use the stakeholder feedback received from this discussion paper to inform the development of regulatory and supervisory frameworks that address the risks resulting from the use of AI and ML. OSFI has identified soundness, explainability and accountability as being core principles to manage elevated risks associated with advanced analytics, including AI and ML. Through the consultation, OSFI seeks feedback on whether these three principles appropriately capture such elevated risks or whether there are any additional principles or risks that should be considered.
Third Party Ecosystems
OSFI has long sought to manage the risks presented by reliance by financial institutions on third party ecosystems, most notably through Guideline B-10. OSFI notes that while the existing principles in Guideline B-10 remain relevant, those guidelines and expectations require review. Areas of specific interest that are noted include:
- managing risks related to widespread adoption of cloud-based services;
- addressing concerns stemming from reliance on a small number of dominant and sophisticated cloud service providers; and
- the opportunities and risks associated with increasing partnerships with third party FinTech firms.
OSFI will be undertaking a separate consultation process related to the expectations contained in Guideline B-10 which will be informed by the findings of this consultation.
The overarching concept of data is the final area covered by the discussion paper, and in particular how to maintain sound data management and governance throughout the data lifecycle. The areas of focus highlighted are:
- ensuring strong information security and privacy controls, which dovetails with the federal government’s launch of Canada’s Digital Charter and modernization efforts for PIPEDA; and
- considering opportunities and risks presented by open API frameworks that enable consumers and businesses to authorize third parties to access their financial transaction data (which also dovetails with other consultations and efforts at the federal level).