OSFI’s Assistant Superintendent, Regulatory Response Sector, Tolga Yalkin delivered remarks addressing non-financial risks

Speech

Good afternoon and welcome everyone.

Thank you for being here today on the launch of our draft guideline on integrity and security. We have also released today an updated draft guideline on operational resilience and operational risk management. The simultaneous launch of these two guidelines underscores the strong interrelationship between integrity and security and operational risk and resilience.

Before I begin, I would like to acknowledge the Indigenous Peoples of all the lands we are on today. I am on the traditional un-ceded territory of the Anishinaabe Algonquin Nation who have lived on and been caretakers of this land for millennia. I am grateful to be present in this territory.

To start, I’d like to share some context.

We view financial risks as fundamental. Directly and effectively addressing what we call the four Cs—capital, cash, credit, and contingency—is critical to prudent risk management for financial institutions.

This said, we have for some time recognized that risks that are not directly financial in nature—cyber and tech, third party, culture, compliance—can equally strike at the heart of the safety and soundness of financial institutions. 

And, critically, when these risks materialize, the response of financial institutions depends on the maturity of their operational resilience and operational risk management practices, helping them withstand, adapt to, and recover from disruptive events while delivering critical operations. Our enhanced Guideline E-21 directly addresses and reinforces these points.

Non-financial risks such as those that I have mentioned have been growing, and we, as a regulator, have been responding. Examples include climate change, with its physical and transition risks, and digitalization, with risks posed by stablecoin, cryptocurrency, artificial intelligence, and quantum computing.

The recent changes to our mandate, broadening it to include integrity and security, reflect a continuation of this trend.

“What is integrity and security?”, you may ask.

Integrity is the degree to which what an organization does—its actions, omissions, and decisions—is consistent, not just with the letter of ethical standards, regulations, and the law, but also their spirit.

Security is about protection. When we have security, we are protected from threats. Those threats can be physical, targeting property or people—or electronic, zeroing in on technology assets, data and information.

Like other non-financial risks, risks to integrity and security, when left unchecked, can threaten the safety and soundness of financial institutions.

While, to some extent, integrity and security includes new areas of risk for us as a regulator, to a large extent, they cover existing areas we already regulate and supervise. Examples include Guideline E-17 on background checks and B-13 on tech and cyber risk.

This said, recent changes to our mandate make it clear that we now are required to advance the management of these risks, irrespective of their link to the overall financial health of the institutions we regulate.

This represents a change for us as a regulator. While we will continue to consider the impacts of such risks on safety and soundness, going forward, we will also accept them as intrinsically important in and of themselves.

While representing a shift, this approach is consistent with our overarching reason for existence: to contribute to public confidence in the Canadian financial system.

Public confidence depends, not just on knowing that financial institutions are and will remain financially sound, but also on knowing that they conduct their business with integrity and that they are addressing threats that seek to undermine the services they provide or compromise the data they hold.

You may ask what we expect financial institutions to focus on in addressing the risks associated with integrity and security.

When it comes to integrity, they should focus on:

  • ensuring the good character of their board members and senior leaders
  • promoting a culture that underscores the importance of ethical conduct
  • subjecting decisions to appropriate governance
  • ensuring the conformity of decisions with ethical standards, regulations, and laws

Security involves ensuring that physical premises, people, technology assets, and data and information are protected against threats. This includes threats to third parties and their sub-contractors.

Sound operational risk management and resilience programs that address the expectations outlined in our updated Guideline E-21 reduce an institution’s vulnerability to threats that can disrupt critical operations in both obvious and clandestine ways.

We group integrity and security together because they are intrinsically linked. Organizations that act with integrity are less vulnerable to threats to their security. Furthermore, security threats that materialize, in addition to leading to other undesirable outcomes, can compromise integrity.

As I have already alluded to, while the draft Integrity and Security guideline we are releasing today covers new risk areas, much of it links to existing non-financial risk management practices, meaning that financial institutions have a foundation to build from.

A good example of this is Guideline B-13 on technology and cyber risk management. Others include:

  • E-17 on background checks
  • B-10 on third party risk management
  • E-13 on regulatory compliance management
  • Our existing E-21 on operational risk management

In addition, many institutions will already have done things that move them in the direction of these new or evolving expectations. Take, for example, codes of conduct, which are already expected as part of our Corporate Governance Guideline.

This said, some of those things may not be entirely where we would want them to be. So, we have articulated expectations and will progressively be doing so with greater specificity going forward.

So, you might be asking, what is the net new? It won’t come as any surprise to you that there are several key areas where we will either be enhancing existing expectations or creating new ones:

  • First, the character of boards of directors and senior management is a new area for us. The character of those with the most power and influence in financial institutions is directly linked to integrity.

  • Second, while we have our draft guideline out on culture, we underscore that some element of any acceptable target culture should consider integrity.

  • Third, our expectations on compliance are being expanded from ensuring conformity with the letter of requirements to the spirit as well.

  • Fourth, while most organizations will already have policies and procedures in place relating to physical security, we articulate explicit expectations associated with such things as buildings, file storage, and security sweeps.

  • Fifth, further to B-13, we added additional precision to the description of what constitutes malicious actions with an additional focus on undue influence and foreign interference.

  • Sixth, we developed new data classification and personnel-access expectations.

  • Seventh, we enhanced our expectations related to third parties to consider security and susceptibility to undue influence, foreign interference, and malicious activity and its mitigation.

  • Finally, we explicitly embedded an expectation that law enforcement be notified of any suspicions of such activities.

As I previously mentioned, and inherent in the items I have raised, these changes cannot and will not happen all at once: Most of them will take time to develop and implement, and we will take this into consideration when we issue the final Integrity and Security guideline.

We are the first prudential regulator in the world to enter this domain so directly. So, we intend to take things at an ambitious but measured pace.

You are probably wondering how and when financial institutions will be evaluated on integrity and security. I can say a few words on this.

First, as I outlined, this new guideline engages several new risk areas or existing risk areas in a different way. We do not expect financial institutions to implement all elements of it immediately. What we do expect of them is to:

  • Meet existing expectations in currently applicable guidelines, referenced in this new guideline; for example, E-17 on background checks, E-13 on regulatory compliance management, and our Corporate Governance Guideline.

  • Meet specific expectations in this new guideline; for example, our expectation that undue influence, foreign interference, or malicious activity be reported promptly to law enforcement.

What we will not expect of them immediately is to:

  • Meet new, anticipated expectations associated with risk areas for which we do not yet have sufficiently specific guidance; for example, around character beyond expectations in E-17 on background checks.

  • Meet expectations in existing guidance in advance of effective dates.

Second, as part of our legislative requirements, we must report to the Minister of Finance on the state of integrity and security policies in financial institutions.

This will involve us asking financial institutions about a range of policies and procedures that they may or may not have in place.

Asking about this, though, is not about evaluating individual institutions on these new expectations at issuance: it’s information that we need for reporting purposes. It will also allow us to assess where the gaps are across the industry and how to advance our work in this area.

So, what are the key takeaways I would like to leave you with today?

There are three:

  • First, while this new focus on integrity and security represents a shift for us as a regulator, it reflects a continuation and expansion of our previous focus on non-financial risk.

  • Second, focusing on integrity and security goes to the core of our mandate and why we exist: to contribute to public confidence in the Canadian financial system.

  • Third, advancing our shared work in this area will be an ongoing effort, and the draft guidance we are releasing today is really the start.

Thank you.