Remarks by Assistant Superintendent Jamey Hubbs at the Canadian Regulatory Technology Association annual meeting, Virtual event on November 16, 2021

Thank you for that introduction. I am happy to have the chance to speak with you all today.

This group is very aware of the impact of digitalization on the financial sector. Digitalization is driven by many factors, such as firms seeking efficiencies and cost containment, broadening distribution channels, improving the customer experience, increasing analytical and decision making capabilities and competition from both within and outside the regulated space.

It seems there are as many business models and technology-based service offerings as there are institutions, and solutions are rarely one-size-fits-all. These are all the signs of a vibrant industry, but it is not without risks, both technical and strategic, that can result in many winners and potentially a few firms that will not be able to adapt.

OSFI’s approach to digitalization is determined through our mandate. OSFI’s purpose as stated in the OSFI Act is “to ensure that financial institutions and pension plans are regulated by an office of the Government of Canada so as to contribute to public confidence in the Canadian financial system”. We see the potential to unlock greater value for Canadians who expect their regulators to temper, but not inhibit, innovations. Our approach is in finding that balance to foster financial stability and contribute to Canadians’ confidence in their financial system.

As we have all seen the acceleration of adoption of new technologies throughout the course of the pandemic, we at OSFI realize that transformation is occurring in the financial environment and that OSFI too must transform itself to continue to find that balance.

Today, I hope to cover our recent work related to technology risk as it pertains to institutions as well as OSFI’s own journey regarding digitalization. Both our internal and external efforts build on our history of effectively contributing to Canadians’ confidence in their financial sector.

Let me start with our view of technology risk as it pertains to the firms we regulate and supervise. As you would expect OSFI focuses heavily on the risk. The accelerated adoption of technology increases the sources and potential severity of technology and cyber-risks. Further, the rapid advances in AI, Machine Learning, and data storage and analysis in both the front and back offices create an ever changing landscape for institutions and regulators alike.

Our discussion paper on Technology risk covered the landscape of tech-related risks. Our consultative approach acknowledged that expertise outside of the traditional financial sector was required to find the best solutions for our regulatory course. We sought to capture a broad set of inputs to inform us in meeting our prudential mandate. We are also keenly aware that other regulators domestically and internationally have different mandates, different powers and are moving at different paces. It is great to see this much action and interest in the risks that we all share but it can create a complicated regulatory environment for institutions. When confronted with complexity OSFI is guided by its purpose and mandate to make decisions that fit the Canadian context.

As part of our consultations we sought feedback on the role that we can play in adding clarity to expectations for institutions. Over the summer we issued a letter on Operational resilience, updated our expectations on tech and cyber incident reporting and released a new cyber self-assessment document all in an effort to give institutions greater clarity as to OSFI’s expectations. Just last week we began consulting on a new draft guideline on technology and cyber risk management. This guideline will set out our expectations for sound risk management across five areas including governance, operations, cyber security, third party provider technology and cyber risk. The purpose of providing this clarity is to support institutions’ broader operational resilience. We look forward to all comments during the consultation period, which remains open till the end of January.

During the technology and cyber risk management draft guideline consultation period we are also preparing to issue a revised guideline on outsourcing and third party risk early in the New Year. Later this afternoon, you’ll be hearing from Romana Mizdrak, one of our expert colleagues on what is keeping us busy on the evolution of managing model risks. We are committed to actions that further resilience and the pace of work demonstrates our sense of urgency and how seriously we are engaged on these risks.

A lot of what I have covered so far is our recent outward-facing work; they are the direction and focus we have to help support continued resilience in the face of a complicated environment. That is only part of the picture. I will now turn to what is happening inside OSFI. We are not immune to the same forces that are shaping the industry. If we as a regulator are not keeping up with the financial and business environment, our own effectiveness as a regulator will diminish and we will be less effective in meeting our purpose of contributing to public confidence in the Canadian financial system. We will not allow this to happen.

OSFI has been taking steps towards enhancing our ability to respond to changes brought on by digitalization by pursuing our own SupTech. We have already adopted a series of structural changes to foster innovations at OSFI. We’ve built on lessons from other regulators and from our participation in international standard setting bodies to shape and refine our structure to be ready for the known and unknown risks that lie ahead.

This has meant focussing on three areas for development.

  1. people and culture, including staffing for the future, and building skills

  2. organizational design considerations, such as reorganizing sectors and specialists, and

  3. advances in technological infrastructure and innovation, particularly with the collection of data and leveraging that data to improve analytics at the micro and macro level.

Work in these three areas creates reinforcing cycles to introduce and then accelerate a cultural transformation within OSFI. The first and second goals are enablers to ensure the changes undertaken in the third area are adopted across the organization. Meanwhile, transformations underway in all three areas foster a thriving workplace culture that exemplifies continuous improvement. This work continues today and we have increased our level of vigour.

OSFI has embarked on a transformation to change our operations to meet these challenges through a new Blueprint that was released internally earlier this month. The three foundational elements of our transformation are to:

  1. Refocus our mandate to put greater emphasis on contributing to public confidence in the Canadian financial system.

  2. Expand and fortify our risk management capabilities and risk appetite to support strategic and operational management.

  3. Enable our corporate values to enhance our culture so that individuals can flourish in an increasingly uncertain operating environment.

Enacting this Blueprint will allow us to speed up work on risks developing in the environment and will help build for a more resilient future.

These foundations are supported by a number of initiatives, two of which I will share with you today.

First, OSFI’s Supervisory Framework underpins our supervisory practices and is the central record of how we assess and respond to risk in regulated entities. However, the Framework is dated and needs an upgrade to ensure methods are fit for the risk environment. Our plans include:

  • A substantial investment in updating and ongoing maintenance of the Supervisory Framework to better reflect the assessment of financial risk, non-financial risks, and operational resilience for regulated entities.

  • Building greater risk appetite for earlier corrective actions into the Supervisory Framework.

  • Developing more differentiated risk ratings for institutions, particularly for Stage 0 institutions.

  • Implementing enhancements to our supervisory management system to achieve better data quality, effective reporting of risk and more insightful analyses.

Second, good data is essential to ensure strong regulation and supervision; it is also critical for operating OSFI effectively and efficiently. While OSFI has made good progress on executing against its enterprise data strategy, work remains to truly embed digitalization at OSFI. To continue to up our analysis and risk analytics insights, data must become more usable, timely, credible, and granular. This will require more advanced skills and better data infrastructure to really drive gains across OSFI. We are:

  • Executing a restructuring of OSFI’s data environment, including in areas of data quality, data engineering, and advanced analytics.

  • Further promoting analytical innovation and user cases across sectors, assisting with analytics governance, while also creating a centre for analytical expertise and learning for staff.

  • Supporting all OSFI enterprise functions with improved data and analytics capabilities.

  • Providing training and support for all staff to enhance skills.

Those are the two where the institutions we oversee will observe changes first. However, there are other initiatives that those internal to OSFI will share and that the public will see and benefit from.

OSFI has been developing an internal “centre of excellence” for digital innovation, which builds supervisors’ confidence in assessing digital innovation risks at institutions. This centre also builds on our own understanding of the digital regulatory perimeter. Our goal is for supervisors to be in a stronger position to assess impacts of digitalization on institutions’ business models. Work to date is focused on a few emerging risk areas: open banking, third party risks, cyber risks and payments modernization.

However, we must increase the sophistication and speed of our risk responses to meet this goal. Among other things, policy innovation in this space will focus on advancing our analytical rigour and skillsets with respect to digitalization of business model disruption, societal changes, cyber risk, digital money, and third-party risk management. All of these enhancements will lead to operational and financial resilience of institutions.

Understanding the interplay between emerging digital issues, related policy measures, and industry trends, and what roles we all play, is essential to continued public confidence in the Canadian financial system.

The final report of the Minister’s Advisory Committee on Open Banking released in August contains a broad range of considerations and recommendations. As the Government contemplates those recommendations, we are positioning ourselves to be a constructive partner in the development of a new Open Banking system in Canada.

We recognize the many opportunities presented by Open Banking—for consumers, institutions and new challengers alike—our lens on these benefits is driven by our commitment to preserve financial stability and public confidence in the Canadian financial system. New business models are shifting the design, manufacturing, distribution, and consumption of financial services. These areas extend outside of OSFI’s regulatory perimeter, but not outside the scope of the risks that we must understand and to which we must adapt.

Given the increasing complexity of the financial ecosystem, and the variety of entities with whom institutions do business, it is important that risks arising from interconnectedness, concentration in third party services, and technology risks—including cyber—be monitored and addressed appropriately. We will certainly have more to say as our work develops.

All of this internal and external facing work will be most effective when our own culture supports agile and innovative thinking. As the Superintendent said in his first speech, a healthy and diverse culture is not just the right thing to do, it is also the smart thing to do, as it is part of making the best decisions in a complex environment. We are also reviewing our risk strategy and governance, our strategic stakeholder and partner engagement, and our policy innovation.

This is a lot to take on for any organization, but the operating environment demands it of all of us. This is part of OSFI living up to the expectations that it has of institutions. But more to the point, it is about living up to the high expectations that Canadians have for the financial system.

While we see the financial industry being shaped by the technological, financial and competitive environment, we see the benefits for all involved in moving forward to advance our own practices and our expectations. These efforts and being more open about the risks we see and the direction we are headed are the best way we know how to contribute to public confidence in the financial system.

I am really looking forward to your questions. Thank you.