Assistant Superintendent, Tolga Yalkin, delivers Media Briefing on the release of the final Integrity and Security Guideline

Good morning,

I would like to extend a warm welcome to everyone participating in this media briefing.

We are pleased to publish the final version of our Guideline on Integrity and Security, along with a summary of the public consultation launched in the fall.

Before diving into the details, I would like to acknowledge that here in Ottawa I am speaking to you from the traditional unceded territory of the Algonquin Anishnaabeg (ah-nish-naw-beg) people. I am grateful to be present in this territory.

I thought it would be helpful to cover a few key points in my remarks to you today:

• First, why we are doing this work.
• Second, what we have done.
• Third, how this changes things for financial institutions.
• And, lastly, where we plan on going from here.

So, first, why we are doing this work:

The bottom line is that, this past summer, Parliament amended our act to require us to supervise financial institutions to determine whether they have adequate policies and procedures to protect themselves against threats to their integrity or security, including foreign interference.

Issuing this guideline—any guideline for that matter—is a key step to us supervising financial institutions. They need to know what we view as the building blocks of adequate policies and procedures, against which we will ultimately measure their performance.

What have we done in response?

Well, we drafted, consulted on, and finalized the guidance that you all have before you today.

I want to thank everyone who fed into the consultation. The comments received were extremely useful.

Broadly speaking, they focused on

• making sure expectations are explicitly risk-based, especially with respect to background checks, physical premises, and reporting,
• using clearer and more consistent terminology, around language we had used like “omissions,” “ethical norms,” and “contractor,” and
• providing clarity around proportionality— how expectations vary based on different characteristics of financial institutions.

On proportionality, some pointed out the definition was different to other guidelines. This was intentional and remains in the final guideline, though we did, in my opinion, better define proportionality, focusing more clearly on aspects like ownership structure and risk profile. The reason we have to maintain this different definition is because the nature of the risks relating to integrity and security differ from some of our other guidelines.

To have a more detailed breakdown of the comments we received from our stakeholders in the consultation and how we chose to address them in the final version of the Guideline, I invite you to consult our What we heard report, available online.

So, how does this guideline change things for financial institutions?

In some ways, it is fundamental. In others, it reflects a continuation of work we had already been doing.

For example, other guidelines already articulate expectations around things like background checks and tech and cyber.

That said, this guideline is fundamental because, for the first time, we comprehensively define for financial institutions the concepts of integrity and security, with:

• Integrity relating to good character of directors and senior management, corporate culture, governance, and compliance; and
• Security relating to physical premises, people, technology assets, data and information, and third-party arrangements.

The defining of these concepts naturally comes with new expectations that I won’t recite chapter and verse because they are in the guideline, but when you read it, you’ll see net new expectations like

• creating and promoting a culture that underscores the importance of ethical behavior,
• ensuring physical premises and people are protected against threats, and of course,
• an expectation relating to reporting to appropriate law enforcement authorities’ incidents or events relating to undue influence, foreign interference, or malicious activity.

So, finally, where to from here:

The Guideline will be implemented on a staggered basis:  

• First, effective immediately, financial institutions are expected to report incidents to law enforcement authorities and notify us.
• Second, by Jan 31, 2025—that is, in exactly one year from today, they are expected to be compliant with all new and expanded expectations except those related to background checks.
• For background checks, they are expected to be compliant by July 31, 2025.

It goes without saying that any expectations in other guidelines—either in draft or final form—that we refer to in this guideline should follow their implementation timelines.

Naturally, financial institutions will be developing plans to meet these timelines. We’re asking to share these plans with us by July 31 of this year. OSFI will continue to engage institutions on integrity and security risks management throughout this implementation period in keeping with its expanded mandate.

So, that concludes what I had planned on saying to you all today.

Rather than repeat anything I’ve already said, I’ll leave you with a few key messages before we open it up to questions:

As the Superintendent indicated in his statement last June, this is an initial first step. I fully expect our approach to integrity and security will keep evolving over time.

With this in mind, we need folks to keep providing open and honest feedback as we continue to learn and refine our approach. Even if we don’t have a consultation on foot, please do not hesitate to share your thoughts with us.

And, finally, public confidence depends on the integrity and security of financial institutions. It really is the bedrock of our system. While many things are already being done, we can always do better. I’m hopeful this guideline helps us make progress in this direction.

Thank you, and I will now answer your questions.