On October 13, 2023, the Office of the Superintendent of Financial Institutions (Canada) (OSFI) released two draft guidelines: (1) an Integrity and Security Guideline (the draft IS Guideline), which sets out OSFI’s expectations for the integrity and security of financial institutions, including protection against foreign interference; and (2) an enhanced version of OSFI Guideline E-21: Operational Resilience and Operational Risk Management (draft Guideline E-21), which includes OSFI’s modernized expectations for operational resilience. This article provides an overview of these two guidelines and discusses their implications for federally regulated financial institutions (FRFIs).
Integrity and Security Guideline
The draft IS Guideline applies to all FRFIs, including foreign bank branches and foreign insurance company branches in relation to their business in Canada, to the extent the expectation is relevant.
FRFIs are expected to establish, implement, maintain and adhere to policies and procedures to protect against threats to integrity and security, including foreign interference. “Integrity” and “security” are defined as follows:
“Integrity” includes actions, omissions and decisions consistent with the letter and intent of ethical standards, regulations and the law.
“Security” includes protection against malicious or benign internal and external threats to: real property, infrastructure and personnel (collectively, Physical threats) and technology assets (Electronic threats).
Draft IS Guideline’s Ten Principles
The draft IS Guideline sets out ten principles, which are summarized below:
Principle 1: Senior leaders are of good character and demonstrate integrity through their words, actions and decisions.
Principle 2: Culture consistent with ethical norms is deliberately shaped, evaluated and maintained.
Principle 3: Governance structures subject actions, omissions and decisions to appropriate scrutiny and promote ethical behaviour.
Principle 4: Effective mechanisms to identify and verify compliance with standards, regulations and the law exist.
Principle 5: Physical premises are safe and secure and monitored appropriately.
Principle 6: People (e.g., all employees and contractors) should be subject to appropriate background checks and security screening and strategies should be put in place to manage risk.
Principle 7: Technology assets should be secure, with weaknesses identified and addressed, effective defences in place and issues identified accurately and promptly.
Principle 8: Data and information should be the subject of appropriate standards and controls ensuring its confidentiality, integrity and availability.
Principle 9: Third parties should be subject to equivalent and proportional measures to protect against threats. In particular, third party arrangements should be assessed from the lens of security and susceptibility to undue influence, foreign interference and malicious activity. OSFI expects background checks and security screening to be conducted for senior leaders of vulnerable third parties and for FRFIs to engage in transparent and objective procurement processes.
Principle 10: Threats stemming from undue influence, foreign interference and malicious activity should be promptly detected and reported. In this regard, OSFI expects to be notified when a report is made to the RCMP, CSIS or other authorities regarding undue influence, foreign interference or malicious activity.
Many of these principles relate to existing OSFI guidance, including OSFI Guideline B-10: Third-Party Risk Management, OSFI Guideline B-13: Technology and Cyber Risk Management, OSFI Guideline E-13: Regulatory Compliance Management and OSFI Guideline E-17: Background Checks.
Draft Guideline E-21
The existing OSFI Guideline E-21: Operational Risk Management was last revised in 2016 and relates primarily to the management of operational risks. Draft Guideline E-21 addresses OSFI’s expectations with respect to operational resilience as well as operational risk management, with a view to strengthening the ability of FRFIs to prepare for and recover from severe disruptive events. In OSFI’s view, draft Guideline E-21 will contribute to and foster the integrity and security of FRFIs. Draft Guideline E-21 outlines OSFI’s expectations with respect to business continuity management, crisis management, change management and data risk management.
OSFI expects the design and implementation of the FRFI’s operational resilience approach and operational risk management to be proportionate to the FRFI’s size, nature, scope, complexity of operations, strategy, risk profile and interconnectedness to the financial system.
While the definition of operational risk remains largely unchanged from the existing Guideline E-21, the concept of operational resilience (OR) has been introduced in draft Guideline E-21. OSFI defines OR, in part, as the ability of an institution to deliver operations, including critical operations, through disruption.
FRFIs would be expected to deliver critical operations through disruption and to integrate operational risk management within the FRFI’s enterprise-wide risk management program and support operational resilience. OSFI would also expect that operational risks be managed within the FRFI’s risk appetite and for operational risk to be underpinned by subject areas, including business continuity management, disaster recovery, crisis management, change management, technology and cyber risk management, third-party risk management and data risk management.
Draft Guideline E-21’s Eight Principles
Draft Guideline E-21 also sets out eight principles, described in greater detail below.
Principle 1: The operational resilience approach and operational risk management framework are implemented, governed and reported through the appropriate structures, strategies and frameworks. Although draft Guideline E-21 no longer expressly refers to the “three lines of defence” approach or model, OSFI’s expectations regarding the role of business lines, independent risk and compliance oversight and internal audit in this regard appear to be materially similar.
Principle 2: The FRFI should identify its critical operations and map internal and external dependencies. Such critical operations should be assessed for their capability to withstand disruption and operational losses. This identification and assessment process should occur regularly.
Principle 3: The FRFI should establish tolerances for the disruption of critical operations. Tolerances for disruption are separate from and should generally be set higher than, the operational risk appetite.
Principle 4: The FRFI should develop and regularly conduct scenario testing on critical operations to gauge its ability to operate within established tolerances for disruption across a range of severe but plausible operational risk events. OSFI expects scenario testing and analysis exercises for operational resilience to be forward-looking and to enable FRFIs to assess the potential impact of severe risk events and evaluate their ability to deliver critical operations within established tolerances for disruption.
Principle 5: The FRFI should establish an enterprise-wide operational risk management framework. The framework should include: an operational risk appetite statement, including measurable limits/thresholds for risk acceptance; operational risk management policies and procedures that are regularly reviewed and revised through continuous improvement; standard operational risk taxonomy to ensure consistent use of operational risk terms across the enterprise; operational risk assessment tools and methodologies, which include evaluation of inherent risk and the relative strength of controls and the estimation of residual risk; and operational risk monitoring tools.
Principle 6: The FRFI should set a risk appetite for operational risks. The risk appetite should be reviewed regularly and should articulate the nature and types of operational risk the FRFI is willing to accept within ordinary course circumstances and should include a measurable component with limits for risk acceptance.
Principle 7: The FRFI should ensure comprehensive identification and assessment of operational risk using appropriate operational risk management practices. Effective tools and practices should be implemented to understand and manage the FRFI’s day-to-day operational risk profile and exposure. Such tools include risk and control assessments (RCAs), key risk indicators (KRIs) and operational risk event (ORE) data analysis. RCAs are self-assessments that should reflect the current environment and be forward-looking in nature. They should be reassessed when there is a significant change or operational risk event. KRIs should be in place at appropriate levels to support the proactive operational risk management. They should also have associated escalation protocols to identify risk trends and warn when risk levels are approaching or will exceed any limits. With respect to ORE data analysis, OSFI expects FRFIs to identify the root cause as well as any required remedial action. Reporting and analysis should be subject to appropriate signoff and escalation, effective challenge and be based on the potential or observed impact of the event.
Principle 8: The FRFI should conduct ongoing monitoring of operational risk to identify control weaknesses and potential breaches of limits/thresholds, provide timely reporting and escalate significant issues.
By comparison, the existing Guideline E-21 contains four principles, the substance of which remain reflected in the principles in draft Guideline E-21. Draft Guideline E-21 also provides more detail for each of the principles than the existing guidance.
The existing Guideline E-21 includes as Annex 1 a list of operational risk management tools which are subject to the following caveat: “The following sound practices are primarily for consideration by larger, more complex FRFIs. However, some of the practices are more widely applicable and may be helpful as concrete examples of industry practice..” Certain tools have been incorporated into draft Guideline E-21. Although OSFI states that FRFIs should design their operational resilience approach and operational risk management to be proportionate to the FRFI’s size, nature, scope, operational complexity, strategy and risk profile, among other things, OSFI may expect certain tools and practices that would have previously only be utilized by larger, complex FRFIs to now be implemented, or at minimum considered, by smaller FRFIs.
In addition to enhancing OSFI’s expectations in respect of operational risk management, draft Guideline E-21 has a renewed focus on the management of, and tolerance for, the disruption of critical operations.
OSFI is accepting submissions on the draft IS Guideline by email at IS@osfi-bsif.gc.ca until November 24, 2023 and on draft Guideline E-21 by email at firstname.lastname@example.org until February 5, 2024. OSFI has also indicated that it intends to host an information session on January 17, 2024. Interested stakeholders can register until Tuesday, January 16 at 12:00 p.m. EST.