OSFI’s response to the draft Integrity and Security Guideline consultation feedback

  • Type of publication: Consultation response
  • Date: January 31, 2024

We thank everyone who provided feedback as part of the public consultation on the draft Integrity and Security Guideline. Below is a non-attributed summary of the feedback and our responses.

Risk-basis

Feedback – Be clear that expectations in the guideline can be applied on a risk basis.

Response – We revised the Application section to make sure this is clear.

Feedback – Clarify that security sweeps, including how often and where they are conducted, should be carried out in a risk-based manner (4.1 Physical premises).

Response – We revised the guideline to clarify security sweeps should align with the risk environment.

Feedback – Align expectations for physical premises with the risk-based approach taken in Guideline B-13: Technology and Cyber Risk Management.

Response – We revised the guideline to align the language more closely with Guideline B-13.

Feedback – Section 4.2.1 Background checks:

  • Note that minimum standards do not allow for application on a risk basis
  • Note possible unintended outcomes (for example, disadvantaging job applicants with poor credit scores)
  • Remove language around "enhanced reliability"
  • Clarify that minimum standards for background checks be risk-based and appropriate to the role

Response – We revised the guideline to clarify that minimum standards for background checks should be risk-based and appropriate for the role and removed language referencing "enhanced reliability."

Feedback – Note impracticality of application of some expectations (for example, federally regulated financial institutions (FRFIs) requesting or carrying out background checks on third parties’ senior leaders) (4.5 Third-party risks).

Response – We revised the guideline to clarify that these expectations are risk-based and proportional to the third party’s access to the FRFI’s physical premises, people, technology assets, data, and information.

Feedback – Align expectations for third-party risks with the risk-based approach taken in Guideline B-10: Third-Party Risk Management.

Response – We revised the guideline to align more closely with Guideline B-10.

Feedback – Clarify reporting requirements, given difficulties around investigating incidents and exercising judgment, and specify that requirements should be carried out on a risk basis (Section 4.6 Undue influence, foreign interference, and malicious activity).

Response – We revised the guideline to clarify that these expectations are risk-based and encourage reporting when there are reasonable grounds to believe that an incident or event has occurred.

Terminology

Feedback – Reconsider or clarify new or unfamiliar terms not commonly found in current guidelines (for example, "omissions," "contractor," "ethical norms") and apparent new uses of otherwise familiar concepts.

Response – We revised the guideline, clarifying, removing, and aligning terms (for example, "physical technology assets" is now "technology assets" to align with language in Guideline B-13).

Proportionality

Feedback – Clarify approach given different language regarding proportional application of expectations.

Response – We revised the guideline to clarify the approach to proportionality, including what is meant by "Ownership structure," "Strategy and risk profile," and "Scope, nature, and location of operations." Proportionality for this guideline remains different given the nature of the risks associated with integrity and security.