Cyber Risk and Banking Regulation

Remarks by Superintendent Peter Routledge to the BMO Capital Markets Digital Banking Summit, Toronto, Ontario September 20, 2022

CHECK AGAINST DELIVERY

Document PropertiesGood afternoon. Thank you, Sohrab (Movahedi, Managing Director, Equity Research, BMO), for that kind introduction and the invitation to speak here today.

I want to start by acknowledging that I am addressing you on the traditional territory of many nations including the Mississaugas of the Credit, the Anishnabeg, the Chippewa, the Haudenosaunee and the Wendat peoples. I mention this because I believe that recognition of and reconciliation with Indigenous peoples are important concepts that all Canadians should understand. These efforts are key to our healing and fulfillment as a nation. I urge you to read the Final Report of the Truth and Reconciliation Commission.

Despite the cooling effects on the economy of high inflation and rising interest rates, I want to assure you that we at OSFI believe our financial system remains robust and healthy. We haven’t had a bank failure in more than a quarter of a century. We also believe that the banking industry is successfully leveraging digitalization in innovative ways.

But technological developments are threatening to outrun all of us. New technologies like quantum computing, and new players in advanced technologies are arriving at a rapid pace, sometimes disrupting or rearranging the order of things in the banking industry. Some new products, services and technologies that have been— and are being—introduced, remain outside of the regulatory system. They represent new risks but have the potential to unlock greater customer value for Canadians.

At OSFI, our approach to our mandate is to make strengthening public confidence in Canada’s financial system the key driver of all we do. That said, we believe that Canadians expect us to temper - and not to unduly restrict – innovations, in a manner that fosters financial stability. Our objective, then, is to support innovative competition and reasonable risk-taking, but not at the expense of upsetting a stable financial system or, more importantly, eroding Canadians’ trust in that system.

Given these challenges, how is OSFI proceeding?

First, we are pursuing a response to digitalization based on the principle that the same activity merits the same risk and same regulation. We want more innovation in financial services because they bring value to customers. But it is safest to have the benefits and added value of new technologies develop within the regulatory perimeter. We want to avoid developing a new regulatory system for new technologies – we aim to have the regulatory environment evolve in lock-step with industry’s technological advancements. This, under the principle of same activity, same risk, same regulations.

For example, to further address how Federally Regulated Financial Institutions should manage Technology and Cyber risks; in July this year, OSFI issued guideline B-13 on sound practices of Technology and Cyber Risk Management. As we stated in the guideline, there is no one-size-fits-all approach for managing technology and cyber risks given the unique risks and vulnerabilities that vary with a FRFIs’ size, scope, and complexity and risk profile. This Guideline should be read, and implemented, from a risk-based perspective that allows FRFIs to compete effectively and take full advantage of digital innovation, while maintaining sound technology risk management.

Another initiative that OSFI is working on that will allow FRFI to proactively take steps to strengthen their cyber resilience as they innovate and execute their digital transformation plans is I-CRT. Consistent with other leading regulatory bodies OSFI is piloting its own “intelligence-led cyber resilience testing” or I-CRT to help FRFIs identify weaknesses in technology and cyber security controls and tests their cyber resiliency.

We are also repositioning our guideline on third-party outsourcing. We recognize that the financial services industry has long made use of third-party arrangements to achieve multiple goals, such as:

• Improving efficiency,
• driving innovation,
• managing shifting operational needs,
• and optimizing services.

Those third-party arrangements are rapidly evolving and expanding. The third-party ecosystem is being used to deliver more and more new services and critical activities. This has increased operational complexity and the risk of financial loss at financial institutions as well as the risk of institutions being unable to deliver critical services due to disruption at a third-party or at subcontractors on which a third-party relies. Recall the system failure at Rogers in July that affected millions of Canadians and caused the disruption of everything from 911 calls to ATM withdrawals.

The emergence of a concentrated number of dominant service providers in key segments of the economy amplifies this risk. Disruption at one or more such service providers could potentially result in a systemic event if multiple institutions were unable to deliver services to their customers on a timely basis. This could impact the financial resilience and reputations of your institutions.

In response, we are repositioning our current Guideline B-10 on Outsourcing of Business Activities, Function and Processes to a Guideline on Third-Party Risk Management. This enlarged scope better reflects a more comprehensive set of third-party risks such as cyber, data, supply chain and subcontracting within an expanded and evolving third-party ecosystem.

The revised guideline will place greater emphasis on governance and risk management programs introducing the concepts of risk and criticality as the basis of this risk-based approach to guide the intensity of an institution’s third-party risk management.

It will set outcomes-focused, principles-based expectations for institutions supporting the sound management of third-party risk throughout lifecycle of these arrangements.

Guideline B-10 is an important prudential risk-management tool for OSFI. It will make the system safer. But getting it right is going to take a lot of care. We are trying to find a balance between safe prudential standards and healthy competition. On the one hand we want incumbents to manage third-party risk prudentially and safely. On the other hand, we don’t want prudential risk management to become a barrier to entry for potential new entrants and third-party service providers. We want them adding value for customers in the system as soon as possible while at the same time understanding and appropriately mitigating associated risks. If they are performing an activity in financial services that is regulated, then they will have the same regulations as incumbents.

Second, to address the pace of digital innovation, we will refine our approval process so new entrants can join the regulatory system faster and more safely. Our aim is to manage risk, not stifle innovation and growth. As part of this initiative, we will assess the risks posed by technological innovations as players apply them to financial services. We will expand our understanding and appreciation of non-traditional business models because so many technological innovations arrive in financial services via non-traditional players. While the principle of same activity merits the same risk and same regulation holds true, we also want our approval process to take into account the size, complexity and risk profile of each individual institution. 

When we launched this B-10 consultation, we sought views from diverse stakeholders on the subject of our current process and how we can refine it. We will take this feedback into account as part of our ongoing work. Given that technological developments are not isolated to the Canadian financial system, we are also looking to our international counterparts. We would like to understand the similarities and differences to the Canadian environment and how other jurisdictions are addressing the digitalization of financial services. 

Ultimately, we aim to refine our approval process to make it fit for purpose, taking into account the appropriate measurement and management of risks within the business model, while allowing institutions and new entrants to compete and take risks in a rapidly evolving environment. We expect our process to keep pace and evolve as needed, so we are looking at potential test and learn approaches. We are striving to make our process clear, transparent, risk-based and efficient.

While we are in the early stages of this initiative, we will continue to work with stakeholders, including industry and our federal and provincial partners, as this work continues. 

Third, we are looking very seriously at so-called stablecoins, which are an important part of the emerging set of digital money innovations. Stablecoins differ from the expanding universe of cryptocurrencies in that their value is pegged to another currency, commodity or other financial instrument.

The pegs typically, though not always, are backed by traditional assets like currency, government bonds, commercial paper, and even other digital assets. Some have argued they look a lot like banks. And if they are like banks, shouldn’t these players be regulated like banks? 

We are working closely with our federal and provincial partners to ensure an appropriate and coordinated Canadian regulatory response to stablecoins. At the same time, we are also working with various government partners and international organizations to assess the implications of digital money on our regulatory frameworks. We plan on providing additional clarity to areas of risk management and governance that are specific to stablecoin arrangements.

These initiatives are important elements in our evolving response to the present risk environment. We want to ensure that our financial institutions are taking the long view, supporting their health and societal prosperity and stability.

While none of us can predict the future, we can shape it – or “build it” – to some extent by working together to lay a prudential foundation today that can withstand the shocks to follow in future years, from whatever provenance.

Thank you.