The Office of the Superintendent of Financial Institutions (OSFI) has published its final Integrity and Security Guideline (I&S Guideline). The I&S Guideline integrates feedback from a six-week public consultation to clarify OSFI’s expectations for all Federally Regulated Financial Institutions (FRFIs), including foreign bank branches and foreign insurance company branches related to their businesses in Canada.
All FRFIs are required to either develop new policies and procedures or assess whether their existing policies and procedures meet the expectations of the I&S Guideline. OSFI is taking a phased approach to implementation of the I&S Guideline. OSFI will apply the I&S Guideline on a consolidated basis for the global operations of Canadian FRFIs.
What you need to know
The I&S Guideline follows legislative amendments1 passed by the Parliament of Canada in Bill C-47, the Budget Implementation Act, 2023, No.1, on June 22, 2023. Effective as of January 1, 2024, the amendments expand OSFI’s mandate to contribute to public confidence in the Canadian financial system. The changes include the supervision and annual examination of FRFIs to determine the adequacy of their policies and procedures to protect themselves against threats to their integrity or security, including foreign interference. The results of these examinations are to be included in an annual report to the Minister of Finance.
What is integrity?
Integrity includes actions, omissions, and decisions consistent with the letter and intent of ethical standards, regulations, and the law. Integrity within an institution can be enhanced in several ways including:
- Ensuring people are of good character (particularly at the senior level).
- Promoting a culture conducive to ethical behaviour that is committed to norms that encourage ethical behaviour.
- Subjecting actions, omissions, and decisions to sound governance. To do this, trust should be built with stakeholders (ex. shareholders, public, employees and regulators) and institutions should provide a structured approach to managing important risks and decisions.
- Verifying compliance of actions, omissions, and decisions with relevant standards, regulation, and law. An enterprise-wide Regulatory Compliance Management (RCM) framework should be established, alongside avenues to voice concerns for non-compliance or provide constructive feedback.
What is an adequate security protocol?
Security measures should provide protection against malicious or benign threats to: (i) real property, infrastructure, and personnel (physical threats); and (ii) technology assets, data and information (electronic threats). Adequate security also includes protecting against threats to third parties and sub-contractors (i.e., non-employees).
What does risk-based application mean?
There is no one size fits all application of the I&S Guideline. Instead, institutions are encouraged to apply the I&S Guideline proportional to its ownership structure and relationships (including with large shareholders, between parent-subsidiaries, etc.); business arrangements (including joint ventures and strategic alliances); strategy and risk profile; and scope, nature, and location of operations.
When applying the expectations of the guidelines, all FRFIs are advised to consider their susceptibility to:
- Foreign interference – Activities, within or relating to Canada, that are detrimental to national interests and security, and are clandestine or deceptive or involve a threat to any person. This includes attempts to covertly influence, intimidate, manipulate, interfere, corrupt, or discredit individuals, organizations, and governments to further the interests of a foreign state or a non-state actor.
- Malicious activity - Actions taken by either foreign or domestic actors with the intent of causing harm including theft, coercion, fraud, manipulation of information or disruptions that are otherwise illegal, malicious, clandestine, or deceptive in nature. These actions could have national security consequences.
- Undue influence – Situations where a domestic or foreign actor or entity engages with malicious intent to impact actions, decisions, or behaviours in their own or another’s interest. This can include national security implications.
What are the key dates to remember?
Although the legislation came into force on January 1, 2024, OSFI is taking a phased approach to implementation of the I&S Guideline. Here are some key dates to remember:
- Now: Incidents or events relating to undue influence, foreign interference, or malicious activity, and related reports to law enforcement or the Canadian Security Intelligence Service (CSIS) must be notified to OSFI by FRFIs.
- April 2, 2024 – OSFI has shared an information request form that FRFIs must complete and return by this date. This information will assist OSFI in completing its mandated annual report to the Minister of Finance on the existing policies and procedures that FRFIs have to protect against threats to integrity or security.
- July 31, 2024 – FRFIs should submit a comprehensive action plan outlining how to meet the new and expanded I&S Guidelines expectations. The comprehensive action plan should also include interim deliverables to achieve compliance for OSFI’s review.
- January 31, 2025 – The Guideline, excluding new expectations on background checks, will be in full effect.
- July 31, 2025 – FRFIs will be expected to also observe the new or expanded expectations on background checks. Each FRFI is expected to create its own approach to performing background checks that include, at minimum, the verification of identity and background, education and professional credentials; personal and professional references; higher-risk positions should also be subject to criminal records checks and a financial inquiries (credit check).
Let us help you prepare for regulatory changes
For proactive strategies and tailored advice on managing compliance challenges for FRFIs, including with respect to the new I&S Guideline, please reach out to the key contacts listed below or any lawyer from BLG’s Banking & Financial Services Group.
1 See Bill C-47, Division 33 for the changes made to the Office of the Superintendent of Financial Institutions Act, Trust and Loan Companies Act, Bank Act, Insurance Companies Act and Winding-up and Restructuring Act.