Office of the Superintendent of Financial Institutions
The Information Technology Activities Regulations [Footnote 1] (the Regulations) provide federally regulated financial institutions (FRFIs) with the flexibility to engage in information technology activities beyond those that pertain to the business of a FRFI, relate to providing information that is primarily financial or economic in nature, or relate to the business of a permitted entity.
This Instruction Guide sets out the information requirements and assessment factors that will be used by OSFI to evaluate applications to the Minister under section 2 of the Regulations.
The Instruction Guide does not provide advice on the interpretation of any other aspects or provisions of the financial legislation that pertain to the business of a FRFI, nor does it provide guidance on how legislative provisions might interact or overlap.
For the purpose of this Instruction Guide,
includes the FRFI and any of the entities referred to in subsection 464(2) of the Bank Act, subsection 449(2) of the Trust and Loan Companies Act, subsection 490(2) of the Insurance Companies Act, and subsection 386(2) of the Cooperative Credit Associations Act.
means activities to develop, design, hold, manage, manufacture, sell or otherwise deal with technology facilities.
(MRITAs) means information technology activities where the technology facility is used for a purpose or in a circumstance that is materially related to the provision of financial products or services by the FRFI group in a non-financial context.
means the use of a technology facility for a purpose or in a circumstance that does not appertain to the business of providing financial products or services.
means data transmission systems, information sites, communication devices or information platforms or portals.
OSFI will undertake the following sequential review when a FRFI applies to the Minister to engage in, or invest in an entity that engages in, MRITAs:
Step 1: OSFI will consider whether the proposal fits within the scope of the Regulations.
Step 2: OSFI will review the application to establish whether it fits within one of the examples listed in Annex 2. A positive recommendation for ministerial approval will generally be made in situations where OSFI determines that the proposal will not have significant negative implications for the safety and soundness of the applicant, and the proposed MRITA fits within one of the examples.
Step 3: Applications that do not fit within one of the examples will be considered in greater detail by assessing the proposal against each of factors A, B and C outlined in 4.1.
As a general rule, the degree of flexibility provided to the FRFI group to engage in MRITAs, or invest in an entity that engages in MRITAs, will depend on how closely linked the use of the technology facility is to the FRFI group’s provision of financial products and services. Greater flexibility will be given to the FRFI group when it can demonstrate that the use of the technology facility is inherent to the FRFI group’s provision of financial products or services (i.e., A.1 below). Undertakings restricting the FRFI group’s ability to engage in MRITAs, or invest in an entity that engages in MRITAs, may be required in circumstances where the use of the technology facility is less closely linked to the FRFI group’s provision of financial products or services (i.e., A.2 and/or A.3 below).
The relationship between the proposed MRITA and the provision of financial products and services by the FRFI group. This would include the proportion of the proposed MRITA to the financial activities of the FRFI group. Under factor A, FRFIs should demonstrate how the proposed MRITA fits within at least one of A.1, A.2 or A.3:
The advantages to the FRFI of engaging in the MRITA or investing in an entity that engages in a MRITA.
The potential impact of the proposal on the safety and soundness of the FRFI.
Under Step 2 of the Process for Assessing Applications, OSFI will assess whether an application fits within one of the examples described in this annex. OSFI will recommend that the Minister approve applications that will not have a significant negative impact on the safety and soundness of an applicant and are fully consistent with one of the examples.
The examples in this annex have been categorized according to the factors set out in Section 4.1. Additional examples may be developed and added to the annex. Proposed MRITAs that do not fit within one of these examples will be assessed under the factors described in Section 4.2.
Encryption technology is a method for ensuring that a customer’s assets are held securely, that customer information is protected and that customers are properly identified. It is essential to the provision of financial products and services. As the use of encryption technology is inherent to the provision of financial products or services, it is considered a MRITA even when it is used in a purely non-financial context.
MRITAs covered by this example could include offering encryption software and services to protect commercial information, and acting as a certificate authority in a public key encryption technology system. This example may also include:
Ministerial approval will be recommended when a FRFI seeks to engage in encryption technology activities in a non-financial context or invest in an entity that engages in such information technology activities.
A FRFI that hosts its own Web site may have excess capacity at certain points in time (e.g., due to efforts to ensure that servers have enough capacity to handle peak traffic). Providing excess capacity to a third party in a FRFI’s Web-hosting facility (e.g., servers) in a non-financial context will be considered a MRITA as long as the FRFI can demonstrate that the excess capacity was intended for the FRFI’s own use (i.e., for the delivery of its own financial products or services).
The types of MRITAs covered by this example may encompass:
To receive ministerial approval, a FRFI will be required to demonstrate that any excess capacity in its Web-hosting facility was acquired for the purpose of handling peak demand or handling future demand for access to the FRFI’s own Web site (or the Web site of a member of the FRFI group). Undertakings may be required to ensure that any limitations related to the MRITA apply on an ongoing basis.
Technology has expanded the scope of financial products offered by FRFIs and has led FRFIs to design new products. For example, a Web design service could allow small business clients to accept customer orders and online payments.
A Web design service that is offered as a component of a suite of other financial products or services (e.g., along with accounts or payment processing services) will be considered to be a MRITA.
The types of non-financial MRITAs covered by this example may encompass the following:
To receive ministerial approval, a FRFI must demonstrate that the proposed Web design activities are a component and a reasonable extension of a suite of other financial products or services (e.g., along with accounts, payment processing services). In such cases, undertakings limiting the scope of the MRITA may be required.
Footnote 1: Information Technology Activities (Banks) Regulations; Information Technology Activities (Authorized Foreign Banks) Regulations; Information Technology Activities (Bank Holding Companies) Regulations; Information Technology Activities (Foreign Banks) Regulations; Information Technology Activities (Trust and Loan Companies) Regulations; Information Technology Activities (Cooperative Credit Associations) Regulations; Information Technology Activities (Life Companies) Regulations; and Information Technology Activities (Property and Casualty Companies) Regulations.