Office of the Superintendent of Financial Institutions
Check against delivery
Date: September 26, 2023
Good morning to all and thank you, Sonia (Baxendale, President and CEO, Global Risk Institute), for inviting me to this event.
Before I begin, let me first acknowledge that we meet today on the traditional land of the the Mississaugas of the Credit, the Anishnabeg, the Chippewa, the Haudenosaunee, the Wendat peoples and the home to many diverse First Nations, Inuit and Métis peoples.
I am grateful to have the opportunity to be present in this territory.
Today, I would like to talk about some recent changes to OSFI’s mandate. Specifically, I would like to give a brief overview of OSFI’s approach to integrity and security, which are at the core of the new changes to our mandate these will continue to promote confidence in Canada's financial system.
Throughout its history, and particularly since the global financial crisis of 2008, OSFI has focused primarily on prudential, financial risks and has worked to strengthen the regulation, supervision and risk management related to these risks.
This traditionally has included things like leverage ratios, reserve capital, and liquidity.
And while financial risks continue to be a significant focus for us, we also recognize the growing prevalence of non-financial risks that, if left unmitigated, could materialize as prudential risks.
For example, risks arising from climate change, digitalization as well as institutional culture, while primarily non-financial in nature, can have significant prudential impacts.
Similarly, geopolitical risks are also growing more prominent and can expose or exploit vulnerabilities here in Canada.
So, when we consider this risk landscape, it has become clear that mitigating threats to financial institutions’ integrity and security, including by foreign interference, is critical to maintaining the soundness of the financial system.
To provide OSFI with the necessary tools to do so, this past June, the Government of Canada modified our mandate.
Specifically, these new changes to our mandate charged us with:
Supervising federally regulated financial institutions (FRFIs) to determine whether they have adequate policies and procedures to protect themselves against threats to their integrity or security, including foreign interference
As part of this supervision, examining FRFIs at least annually to determine whether they have adequate policies and procedures to protect themselves against threats to their integrity or security, including foreign interference
And reporting to the Minister of Finance at least annually on these examinations.
These changes complement the strong oversight that OSFI already provides to the Canadian financial system and as such, they represent an evolution - not a sharp turn or a fundamental shift - in OSFI’s approach to integrity and security.
To begin, I want to start by saying that not only do failures in integrity and security undermine public confidence, they can also harm the safety and soundness of financial institutions. This in turn puts the interest of depositors, policyholders and creditors at risk.
Let’s start with integrity.
Integrity is demonstrated in actions, omissions and decisions that are consistent with letter and spirit of ethical standards, regulations and the law.
ensuring people – especially senior leaders – are of good character,
promoting an ethical culture,
creating sound governance frameworks that set out expectations,
and verifying compliance with standards, regulations and the law to maintain integrity.
Integrity is an important value in and of itself. A lack of it can damage reputation, result in fraud, cause legal issues and increase vulnerabilities to malicious influence.
Financial risks can often find their root cause in failures of integrity.
Ultimately, enhancing integrity reduces solvency and other prudential risks while safeguarding public confidence in the financial system – and these objectives are squarely in OSFI’s wheelhouse, so to speak.
Now let’s turn to security.
OSFI defines security as protection from threats to physical premises, people, technology assets, data and information.
Such threats may be benign or caused by undue influence, foreign interference, or other malicious activity.
Generally, in considering security, one thinks of the policies and processes that a FRFI has in place to support its operational resilience and operational risk management.
Again, these objectives are key elements of OSFI’s mandate.
And while they are distinct concepts, integrity and security are interrelated.
Failure to comply with ethical standards would result in a computer breach. Conversely, a failure to protect data could be rooted in a lack of integrity or effective policies and procedures.
That is why focusing on integrity and security together contributes to a foundation that makes financial institutions less vulnerable to threats.
And we must not leave out third parties.
Financial institutions engage with third-party service providers, and when they do so, it is at their own risk. As such, OSFI has detailed guidance about its expectations for third parties.
Financial institutions must ensure the third parties they do business with reflect integrity and security in proportion to the potential risk they pose to their operations.
Now, when one considers foreign-interference risk, we need to understand that Canada’s banks are not immune to threats from potential hostile actors.
While we do not see wide-spread evidence of this in FRFIs or the Canadian financial system, our mandate is to remain vigilant and act early to help ensure that a risk does not materialise and become a threat to their integrity or security.
Here I will quote the
CSIS Act to define what is a "threat to the security of Canada" in the context of our new mandate.
espionage or sabotage that is against Canada or is detrimental to the interests of Canada or activities directed toward or in support of such espionage or sabotage,
foreign influenced activities within or relating to Canada that are detrimental to the interests of Canada and are clandestine or deceptive or involve a threat to any person.
Some ways we may see foreign interference in the Canadian financial system include:
Risks of cybersecurity threats, where foreign actors could attempt to infiltrate Canadian financial institutions' networks to steal sensitive financial data, disrupt operations, or engage in espionage, therefore compromising the security and integrity of our financial system.
It also could manifest in the form of illicit financial activities, including money laundering and terrorism financing, wherein financial institutions could become conduits for foreign funds used in illegal activities.
Finally, ownership and control of Canadian financial institutions as well as third-party relationships could create vulnerabilities. Although, I would also note that this does not mean that there is opposition or bias towards foreign ownership.
As I have said before, we have a high appetite for early action to address risks, and that we would rather be criticized for taking action too soon than for waiting until the risk becomes problematic. For us, this area is no different.
When there are suspicions of undue influence, foreign institutions or malicious activity, we expect financial institutions to respond immediately.
This is good for Canada, good for them, and good for the depositors and creditors who rely on them to protect their interests.
Canadians rightly expect their financial institutions act with integrity, comply with laws and adequately protect themselves from threats – such as those stemming from integrity and security, including foreign interference.
Going forward, OSFI will continue our work in this area.
To begin, this approach will be codified in draft guidelines to be released in mid-October with a view to have final guidance in place in the new year.
It is likely we will refine the guidelines in the coming months and years. This will help to achieve a comprehensive approach to integrity and security that is on par with our approach in communicating our expectations through guidelines for other risks. Including both financial and non-financial.
Additionally, we are building our capability to measure foreign interference risk via the work done by partners within the federal government.
Finally, we are also ensuring that the work we are doing to update the Supervisory Framework takes into consideration how we will supervise these new risks.
To be clear, while we have not had a Canadian bank failure since 1996, OSFI’s role is not to prevent failures or to eliminate all risk. Our role is to ensure federally regulated financial institutions manage risk responsibly, and our new mandate will be to determine whether the policies and procedures they put in place are adequate to protect themselves against those types of threats.
And as a proactive regulator, we will continue to meet new and emerging risks head on.
We will remain vigilant, and we will take swift and decisive action where necessary.
At a time when the risk environment grows increasingly complex, OSFI’s new responsibilities ensure that we will continue doing our part in protecting Canadians’ confidence in the financial system.