Technology Risk Consultation

Document Properties

  • Type of Publication: Result Summary
  • Revised: May 10, 2021
  • To: Federally Regulated Financial Institutions, Federally Regulated Private Pension Plans

On September 15, 2020, OSFI released Developing financial sector resilience in a digital world (Discussion Paper). OSFI sought feedback on a range of technology-related risk areas, with a focus on cyber security, advanced analytics, and the technology third party ecosystem.

In response to the consultation, which closed on December 15, 2020, OSFI received over 50 submissions from a diverse group of respondents including federally regulated financial institutions (FRFIs), industry associations, technology companies and consulting firms.

There was broad support for OSFI’s emerging principles-based and technology-neutral perspectives on technology risk management, as presented in the Discussion Paper. Respondents indicated that OSFI should first leverage its existing guidance, and align any additional guidance with existing international and IT standards. The attached Annex provides a brief summary of responses to the consultation.

In light of respondent feedback, OSFI plans to release draft guidance as per the schedule below by quarter and year. The timelines indicated below are reflective of the current OSFI strategic plans. Plans may be subject to change or amended due to external factors.

Guidance Initiative and Planned Release of Draft Guidance

Technology and Cyber Risk
  • New technology and cyber risk guideline: Q4 2021
Third Party Risk
  • Draft revised Guideline B-10 on third party risk: Q1 2022
Operational Risk and Resilience
  • Industry letter on operational resilience: Q3 2021
  • Revised Guideline E-21 on operational risk management: 2022-23
Model Risk
  • Industry letter on advanced analytics and model risk: Q1 2022
  • Revised model risk guidance: 2022-23

Respondents will have additional opportunities to provide feedback on specific OSFI proposals prior to the issuance of any final guidance. More information is available in OSFI’s Near-Term Plan of Prudential Policy.

Annex: Brief Summary of Respondent Feedback

Operational Risk & Resilience

  • Technology risks are effectively managed within a broader non-financial risk and operational risk management context, integrated in a firm’s enterprise risk management program.
  • Operational resilience is an outcome of effective operational risk management (ORM), and technology is a key enabler of operations.
  • Existing ORM tools and approaches are appropriate, but there are opportunities to strengthen practices.

Technology and Cyber Security

  • A principles-based, technology-neutral approach in which definitions, concepts, and expectations align with accepted global standards and existing guidance is most appropriate for technology risk management.
  • Most respondents offered a range of suggestions to improve existing guidance, while some felt that OSFI’s current guidance and tools (e.g., self-assessment tool, incident reporting advisory) are sufficient to address emerging risks.
  • In general, emerging risks can be managed effectively within a broader technology risk management framework. Quantum readiness requires collective action by government, industry, and academia. OSFI should continue to engage in such efforts.

Advanced Analytics

  • OSFI’s proposed principles – soundness, explainability and accountability – are appropriate for addressing emerging model risks, including those posed by artificial intelligence (AI) and machine learning (ML) technologies. Some respondents suggested areas where OSFI might consider adjustments to strengthen the principles; others stressed the importance of human review and oversight of AI/ML models.
  • Any new model risk guidance should remain risk- and principles-based, technology agnostic, and aligned with other jurisdictions and existing industry standards. Some respondents felt that OSFI Guideline E-23 (Enterprise-Wide Model Risk Management for Deposit-Taking Institutions) provides sufficient coverage of AI/ML risks.

Third Party Risk

  • Most respondents did not believe that separate guidance for technology-related third party arrangements was warranted; instead, such arrangements should be considered as part of OSFI's planned review of Guideline B-10.
  • While most respondents felt that Guideline B-10 generally captures technology-related third party arrangements, some suggested replacing certain expectations with more outcome-based principles.
  • Most respondents indicated that separate guidance on cloud risk management was not warranted, and that any cloud-related provisions could be incorporated into Guideline B-10.
  • Many respondents either suggested changes to the descriptions or proposed additional principles for consideration, while several others felt that the proposed principles adequately cover current and emerging risks.
  • OSFI should treat FinTech arrangements similarly to other third party arrangements, as many of the inherent risks posed by these firms are consistent with those presented by other third party providers. OSFI should also wait until the recently announced regulations pursuant to FRFI statutes on FinTech networking are finalized, to avoid potential overlap.

Data

  • OSFI should not create additional data risk guidance, as existing law and standards provide sufficient coverage for FRFIs. Some respondents recommended that OSFI consider the Basel Risk Data Aggregation and Risk Reporting (RDARR) principles as a basis for any additional expectations that could apply to all FRFIs, beyond systemically important banks.
  • Data risk intersects many other risk areas (e.g., cyber security, models), and respondents highlighted key aspects of data risk itself (i.e., quality, security, privacy).
  • Material data risks tend to arise from using poor-quality data (e.g., inadequate or inaccurate data), from data misuse, and from outages or breaches that result in operational disruption, reputational damage or financial loss.