Background
On January 31, 2024, the Office of the Superintendent of Financial Institutions (Canada) (OSFI) released the final version of the Integrity and Security Guideline (IS Guideline). The IS Guideline incorporates the feedback OSFI received through a public consultation held between October 13, 2023, and November 24, 2023, on the draft IS Guideline. Please refer to our prior article for additional information: “OSFI releases drafts for Guideline E-21 and the Integrity and Security Guideline.”
The principles and expectations proposed by OSFI in the draft IS Guideline remain largely the same; however, revisions were made to the final version of the IS Guideline to align expectations and terminology with existing OSFI guidance, including Guideline B-13: Technology and Cyber Risk Management (Guideline B-13).
OSFI subsequently released amendments to Guideline B-10: Third-Party Risk Management (Guideline B-10) and Guideline B-13 on February 20, 2024, which are discussed in greater detail below.
Integrity and Security Guideline
The IS Guideline supports OSFI’s expanded legislative mandate to supervise federally regulated financial institutions (FRFIs) in order to determine whether they have adequate policies and procedures to protect themselves against threats to their integrity or security, including foreign interference.
The IS Guideline is applicable to all FRFIs, including foreign bank branches and foreign insurance company branches, to the extent it is consistent with applicable requirements and legal obligations related to their business in Canada.
The new and expanded expectations include the following:
- Responsible persons and leaders of FRFIs are expected to demonstrate elements of good character through their actions, behaviours, and decisions.
- An FRFI’s culture should reflect a commitment to norms that encourage ethical behaviour.
- Behavioural expectations should be codified in normative documents such as codes of conduct and conflict of interest policies and procedures and communicated clearly to employees, contractors and stakeholders.
- An FRFI’s compliance risk management system should focus on adherence to all applicable legal and regulatory requirements as well as the intent of such requirements, given the associated impacts on reputation and public trust.
- FRFIs should have effective channels, such as whistleblowing programs, to raise concerns over non-compliance.
- FRFIs should conduct risk-based background checks on all employees and contractors, as appropriate to the role.
- When classifying data, FRFIs should consider the data’s vulnerability to malicious activity, undue influence, or foreign interference.
- FRFIs should implement personnel access requirements to prevent undue influence and foreign interference.
- Due diligence should be conducted on third parties in a manner that is proportional to the third party’s access to the FRFI’s physical premises, people, technology assets, data and information. Procurement and selection processes for third parties should be transparent and objective in order to reduce the potential for bias, undue influence or foreign interference.
- FRFIs are expected to notify OSFI of any reports made to law enforcement authorities (RCMP, CSIS) regarding incidents or events that have occurred related to undue influence, foreign interference or malicious activity.
OSFI has indicated that the expectations in the IS Guideline will be applied on a proportional basis, and that proportionality will be assessed through the ownership structure (including parent-subsidiary or home office-branch relationships and relationships with related parties and large shareholders), business arrangements, strategy and risk profile and the scope, nature and location of operations.
FRFIs are expected to assess risk exposure and take appropriate mitigating actions whenever they face obstacles to meeting expectations in the IS Guideline.
Amendments to Guideline B-10 and Guideline B-13
Concurrent with the implementation of the IS Guideline, OSFI recently published amendments to Guideline B-10 and Guideline B-13 to clarify that these guidelines also apply to foreign bank branches and foreign insurance company branches, to the extent that this is consistent with applicable requirements and legal obligations related to the branch’s business in Canada. This is an important development for Canadian branches of foreign banks and foreign insurers, as Guideline B-10 previously contained an exemption for branches. Branches have until March 31, 2025, to adhere to Guideline B-10 in the manner described above.
Next steps
Questionnaires relating to the IS Guideline have been distributed to FRFIs and must be completed by April 2, 2024.
FRFIs must submit a comprehensive plan to OSFI relating to the new and expanded expectations in the IS Guideline, which should include interim deliverables to achieve compliance by July 31, 2024.
By January 31, 2025, FRFIs must observe all new or expanded expectations, except those related to background checks, which must be observed by July 31, 2025.
For more information, please do not hesitate to contact a member of Dentons Canada’s Corporate and Regulatory Insurance group.