Following the expansion of its mandate on June 22, 2023, when new legislation received Royal Assent, the Office of the Superintendent of Financial Institutions (OSFI) has published two new guidelines for comment that set expectations and prescribe certain actions to achieve operational resilience and effective risk management.

Applicable to federally regulated financial institutions (FRFIs), foreign bank branches and foreign insurance company branches, the first guideline, the Integrity and Security Guideline, discusses integrity and security, including protection against foreign interference. Meanwhile, an enhanced version of Guideline E-21 looks at operational resilience and operational risk management.

“The draft Integrity and Security Guideline provides clarity on what integrity and security entail for financial institutions, how they relate to one another and where they are already reflected in our current guidelines,” OSFI states in an announcement about the guidelines’ publication. (Each document discusses the relevant principles and provides references to existing relevant and related guidelines, drafts and regulations.) “It also signals new expectations in risk areas not covered in our existing guidelines.” 

Enhanced Guideline E-21, meanwhile, modernizes OSFI’s guidance and includes new expectations for business continuity management, crisis and change management and data risk management.

OSFI says both guidelines are an incremental but critical step in clarifying the regulator’s expectations.

Integrity and Security Guideline 

In the draft guideline, OSFI says “public confidence in the Canadian financial system depends on financial institutions acting with integrity and security and not being subject to foreign interference. Under Bill C-47, FRFIs must have adequate policies and procedures in place to ensure this.” 

Integrity, OSFI says, is related to good character, culture, governance and compliance, while security is related to operations, premises, people, assets, data and third-party arrangements. “The guideline explains how integrity and security are related to one another and shows the way these concepts are captured within current OSFI guidelines. It also sets new expectations in risk areas not currently governed by OSFI.”

The guideline’s contents include discussions of character (senior leaders are expected to be of good character), background checks, cultures with ethical norms that are deliberately shaped, evaluated and maintained, governance, codes of conduct, security and compliance.

On compliance, the guideline states that firms should establish an effective, enterprise-wide regulatory compliance management framework. “This should accurately and expediently validate actions, omissions and decisions against applicable standards, laws and regulations, both in letter and intent,” OSFI writes.

The document also discusses physical premises security and third-party risks. Notably, as is the case in other areas of insurance regulation, the superintendent states that “accountability for the security of physical premises, people, technology assets and data and information cannot be contracted out.” 

Also notably, the guideline states that threats stemming from undue influence, foreign interference and malicious activity should be detected and reported, and that OSFI should be made aware of any communications with law enforcement.

The consultation period on the Integrity and Security Guideline is six weeks, ending November 24, 2023.

Guideline E-21: Operational Resilience and Operational Risk Management 

First in effect in June 2016, Guideline E-21 is a foundational guideline, OSFI says. Until further notice, the current version of the guideline remains in effect.

The revised guideline sets expectations for operational resilience to strengthen FRFIs’ ability to prepare for and recover from severe disruptive events, OSFI adds. The guideline looks at the relationship between operational risk management and resilience: effective operational risk management involves the identification, assessment, monitoring and reporting of operational risks and the implementation of appropriate risk responses, OSFI says.

Among the stated outcomes FRFIs are expected to achieve, OSFI says companies need to demonstrate that they can deliver critical operations through disruption. The guideline discusses governance expectations (senior management is responsible for managing resilience and operational risks) and also calls for independent oversight. “The FRFI should subject the judgement and risk management practices of the business and central functions to a documented process of independent and effective challenge by the risk and compliance oversight function. While the size and structure of the risk and compliance oversight function may vary according to the FRFI’s nature, size, complexity and risk profile, it should in all cases be able to challenge the risk management practices and decisions of the business lines and central functions without fear of reprisal.”

The guideline also outlines requirements to identify and assess critical operations, map those operations and set tolerances for disruption, accounting for both internal and external dependencies. Scenario testing, metrics and reporting, business continuity management, impact analysis and disaster recovery are discussed, as are crisis and change management, technology risk and third-party risk.

The Guideline E-21 consultation period is four months long, ending February 5, 2024.