OSFI’s Annual Risk Outlook – Fiscal Year 2022-23

Publication type
Annual risk outlook


The risk landscape has evolved since the release of OSFI’s Annual Risk Outlook (ARO) in April of 2022. While the risks identified in OSFI’s spring publication continue to remain a focus, OSFI has observed a material shift in its risk environment. Higher inflation, and consequent monetary policy tightening, has triggered a material rise in interest rates. Rising cost of debt, given a relatively robust level of private sector indebtedness, has altered OSFI's analysis of its risk environment. Adding to this are current geopolitical tensions that have the potential to continue to impact trade and the overall global economy, further exacerbating inflationary pressure.

This document provides an update to OSFI’s 2022-2023 ARO to include these environmental factors and OSFI’s Regulatory and Supervisory responses.  The annex also notes modifications to policy releases.

Text Description

Risk environment

The seven financial risks that OSFI views as most pressing:

  • Significant cyber attack
  • Housing market downturn
  • Digital innovation
  • Climate change
  • Third party
  • Commercial real estate downturn
  • Fragile corporate debt funding

Overview of Changes to the Risk Environment

Higher Inflation and Rapid Interest Rate Hikes:

Tighter monetary policy, in response to high inflation, has produced rapidly rising interest rates across the yield curve.  This puts pressure on both retail and corporate/commercial borrowers in terms of their ability to service debt, as well as on asset valuations. To date, lending institutions have been adequately capitalized and have proven to be financially resilient in previous downturns. However, further rate hikes and a house price correction could lead to increased borrower defaults, credit losses and broader housing-led softening of the economy.

Global geo-political uncertainties such as the Ukraine/Russia conflict and ongoing tension in other parts of the world could lead to further volatility in financial markets, put pressure on supply chains, and slow economic activity while at the same time adding inflationary pressure in specific markets. 

Supervisory Responses

Supervisors continue to engage with financial institutions to ensure appropriate margins of safety in capital management practices given the increasing risk of credit losses. Supervisors are also monitoring credit account management practices, as well as robustness of financial institutions’ stress testing and credit reserving practices to ensure resiliency to potentially increasing levels of borrower default.

Second order impacts include higher funding costs reflecting thinner market liquidity due to retrenched risk appetite of market participants, quantitative tightening, as well as the impact of excess pandemic related deposit levels running off. In reaction to these impacts, supervisors are engaged with financial institutions to ensure prudent management of funding and liquidity needs as well as monitoring financial institutions’ strategies related to the management of interest rate risk in the banking book in a dynamic rate environment.

Regulatory Responses

OSFI recently issued an advisory that applies to all Canadian mortgage insurance companies. It implements administrative interpretations to the Mortgage Insurer Capital Adequacy Test (MICAT) with respect to the determination of requirements for variable rate mortgages (VRMs) and adjustable-rate mortgages (ARMs). In a rising interest rate environment, the amortization of these loans could temporarily extend until the payment amount is reset to align with the original amortization period. OSFI adapted its interpretation given MICAT's design and calibration constraints.

In response to heightened inflationary pressures and the rising interest rate environment, OSFI will continue to assess whether mortgage underwriting standards are well-adapted and sufficient. This includes debt serviceability measures such as the minimum qualifying rate (MQR) for residential mortgages, whose next scheduled announcement is December 2022, and other actions, such as the Clarification on the Treatment of Innovative Real Estate Secured Lending Products Advisory under Guideline B-20 released in June 2022.  As part of this ongoing work, OSFI plans to conduct a general policy review of residential mortgage and underwriting practices as set out Guideline B-20 in 2023. 

Additionally, federally regulated financial institutions (FRFIs) and federally regulated pension plans (FRPPs) faced difficult operating conditions during the COVID-19 pandemic. Meanwhile, headwinds have intensified in the current economic environment. As a result, OSFI will defer some of its non-financial risk regulatory initiatives. Respective timelines for issuance of draft and final guidance on third party risk, operational risk and resilience, and culture risk management will be extended until early-to-mid 2023.  A planned consultation on revisions to Guideline E-23 on model risk management is deferred to mid-2023.

While OSFI expects to release the final Guideline B-15 on Climate Risk Management in Q1 2023, we continue to review the feedback received during the consultation on the draft Guideline.  The Guideline will also align with the International Sustainability Standards Board standards, which are not yet final. These factors, among others, could result in a delay to the release of the final Guideline.

For deposit-taking institutions, a planned consultation on Guideline B-11 on unencumbered assets and pledging is delayed to early 2024. Finally, OSFI will postpone a planned discussion paper on liquidity risk for insurers until early 2024.  OSFI will continue to evaluate its demands on the industry and will adjust accordingly.

As we adapt our strategies to contribute to public confidence in the Canadian financial system, OSFI will continue to focus on FRFI risks and resilience regarding operations, governance, and culture. As earlier noted by the Superintendent, boards of directors have a special responsibility and duty to protect their institutions as risks intensify.  OSFI will count on boards to continue to play their crucial role in risk governance within the financial system by exercising effective challenge, oversight and decision making in support of overall market confidence.

Significant cyber attack

Risk Overview

Cyber-attacks are increasing in sophistication and severity.

This amplifies the need for federally regulated financial institutions to have measures in place that promote resilience to cyber events and technology disruptions. Recent geopolitical events, such as the tactics used by Russia in its conflict with Ukraine, have brought heightened attention to cyber risks given the interconnectivity of the global financial system and technology-based infrastructures. We work closely with the institutions we oversee to monitor and adapt proactively to the cyber threat environment.

We expect institutions to be prepared for extreme but plausible cyber scenarios. A cyber incident, including a ransomware attack, could significantly impact critical functions at one or multiple institutions. These could consequently result in system unavailability, data loss and/or the loss of public confidence, potentially leading to both the deterioration of an institution’s reputation and financial loss. Threat actors continue to seek to exploit software vulnerabilities in trusted software and third-party technology suppliers. Correspondingly, institutions continue to significantly invest to maintain their overall cyber posture, knowing that threats to the financial system continue to evolve and materialize.

Supervisory Responses

The widespread use and rapid adoption of new technologies, as well as recent geopolitical developments such as the tactics used by Russia in its conflict with Ukraine, have amplified the need for active monitoring and supervision of federally regulated financial institutions’ technology and cyber resilience.

Intelligence-led cyber security testing (or red teaming/penetration testing) is currently employed globally by financial regulators. It is utilized to assess a financial institution’s cyber resilience to withstand and respond to a sophisticated cyber-attack. Consistent with other leading regulatory bodies, we are piloting our own “intelligence-led cyber resilience testing” (I-CRT) to help institutions identify weaknesses in technology and cyber security controls and to test their overall cyber resiliency. Additionally, we published an updated cyber security self-assessment tool and enhanced the Technology & Cyber Incident Advisory reporting requirements. Since the update, we have been receiving reports and information that have shown to be valuable and provide insights into areas of concern and risk at the industry level.

Finally, we continue exploring ways to enhance resiliency by looking to share and distribute timely and actionable sector-focused intelligence amongst federally regulated financial institutions, other government stakeholders and our most trusted international partners.

Regulatory Responses

The heightened threat of cyber-attacks, as manifested by the interconnectivity of the global financial system and technology-based infrastructures, as well as the tactics used by Russia in its conflict with Ukraine, have created urgency for enhanced regulatory guidance.

In response to rising technology and cyber threat risks, we recently issued for consultation Draft Guideline B-13, Technology and Cyber Risk Management. This draft Guideline sets out our expectations for sound technology and cyber risk management. It requires federally regulated financial institutions to have in place measures that promote resilience to cyber events and technology disruptions. The final version of Guideline B-13 is expected to be released in 2022.

In the spring of 2023, we plan to consult on a draft revised Guideline E-21, Operational Risk Management, with revisions focusing on operational resilience while reinforcing operational risk management.

Housing market downturn

Risk Overview

The unprecedented run-up in the Canadian housing market, driven by very low interest rates and imbalances in housing supply/demand, have increased Real Estate Secured Lending (RESL) exposures for institutions.

At the same time, the heightened housing market activity and historically unprecedented price increases across Canada are leading to increasingly leveraged borrowers, that increases the systemic exposure to a housing price correction. While lending institutions are currently well-capitalized and appear to be financially resilient, such a sequence of events could lead to borrower defaults, a disorderly market reaction and broader economic uncertainty and volatility.

Supervisory Responses

Work on the application of Guideline B-20, Residential Mortgage Underwriting Practices and Procedures, and supervisory expectations and new product assessments continues.

Recent supervisory reviews identified several common issues around underwriting, specifically income verification in areas that have been raised as being problematic in the past including business for self, rentals, exceptions to income sustainability as well as collateral management.

We are also looking at the application of Guideline B-20 to other mortgage products such as reverse mortgages, mortgages with shared equity, and combined loans plans (CLPs) as these products have become more prevalent. We have extensively engaged with industry on CLPs to clarify the application of Guideline B-20 and supervisory expectations given the gaps observed in practice among primary lenders. As well, we have been clarifying communication on transitional arrangements related to CLPs and the applicable timelines. Finally, we held an industry session for all residential mortgage lending financial institutions in spring 2022.

This work is in addition to ongoing supervisory reviews and monitoring. We also continue to monitor mortgage delinquency rates closely, for signs of borrower vulnerability following the end of COVID-related government support programs.

Regulatory Responses

We will continue to act in response to persistent housing market vulnerabilities by strengthening our regulatory guidance for sound residential mortgage underwriting through adjustments where necessary to Guideline B-20, Residential Mortgage Underwriting Practices and Procedures.

Recent growth in such lending has amplified risk for lenders. Supervisory review work has revealed that lenders need additional guidance to ensure their underwriting policies align with the principles of Guideline B-20. CLPs carry the risk of persistent, outstanding consumer debt that can make borrowers, and their lenders, more vulnerable to negative shocks. Prudent limits and other tailored risk management approaches for these products will ensure that lenders can sustainably address borrowers’ credit needs. We issued a supplementary advisory to Guideline B-20 in spring 2022 to clarify expectations in respect of CLPs and other non-traditional loans secured by residential property.

We plan to conduct a holistic assessment of Guideline B-20 to ensure it remains clear and fit for purpose. This review will assess existing policy and supervisory insights obtained over the decade that Guideline B-20 has been in force. New and emerging risks and issues will also be considered.

As mortgage rates edge upward on expectations of tightening monetary policy, and as the severe-but-plausible risk of a housing market downturn remains, home buyers and lenders alike will have greater confidence to weather negative shocks with the minimum qualifying rate (MQR) “stress test.” While we have committed to reviewing the MQR for uninsured mortgages at least annually, we are prepared to make changes at any time if conditions warrant. The next planned MQR announcement date is December 15, 2022.

Lastly, as part of the domestic implementation of the Basel III reform package in banks’ fiscal Q2-2023, we are increasing the risk weights, and thus capital required, for investor mortgages compared to the risk weights for owner-occupied properties.

Digital innovation

Risk Overview

The rapid rise in digital innovation brings both valuable opportunities and emerging risks.

Technology-driven disruptive forces continue to pose significant threats to financial institutions’ business models, in virtually all aspects of their activity and value chain. Risks and impacts emanating from digitalization of money (i.e., stablecoins, unbacked crypto currency, and decentralized finance) and consumer directed finance, such as open banking, remain uncertain but potentially significant. Digitalization, already rapidly altering the way financial services are delivered, has accelerated throughout the COVID-19 pandemic.

Supervisory Responses

We have been engaged with institutions as they digitize and innovate with a focus on strategic execution, data governance, model, third party and technology risks.

Through discussions with regulated institutions, and the monitoring and conducting of reviews about technology risks, we are exploring any institutional vulnerabilities associated with digital innovations including cloud adoption, artificial intelligence/machine learning, and other technologies. We will continue conducting supervisory reviews of practices around data, risk management and transformative initiatives of selected institutions.

Regulatory Responses

We are working with various government partners and international organizations to assess the implications of digital money innovations, such as cryptocurrencies, on our regulatory frameworks.

We are engaged with the Basel Committee on Banking Supervision (BCBS) around the prudential treatment of crypto asset exposures. We plan to publish an advisory later this year that will clarify the capital and liquidity requirements to be applied to FRFIs’ crypto asset exposures. We are working with the Department of Finance and other federal partners on the development of a Government of Canada-endorsed data mobility framework to address the rise of open banking and other consumer directed finance arrangements. We are also considering ways to facilitate entry into the regulated federal financial system by non-traditional financial services providers.

Stablecoins are an important part of the emerging set of digital money innovations. Financial sector organizations and governments are advancing work on regulatory frameworks for digital assets, including stablecoins. We are currently reviewing the extent to which stablecoin activities that federally regulated financial institutions might wish to pursue are permissible under the relevant federal legislation to ensure appropriate federal prudential oversight. We plan on providing additional clarity to federally regulated financial institutions in 2022 on areas of risk management and governance that are specific to stablecoin arrangements. We are also working closely with our federal and provincial partners ensuring an appropriate and coordinated Canadian regulatory response to stablecoin arrangements.

Climate change

Risk Overview

Federally regulated financial institutions and private pension plans face physical risks (i.e., from climate change-related weather events) and transition risks (i.e., transition to a low greenhouse gas emitting or “low carbon” economy.)

These risks are considered “transversal” in nature because they drive more traditional risks, including credit, market, insurance, operational and legal risks, which could exacerbate over time, impacting the safety and soundness of individual financial institutions, and the Canadian financial system more broadly.

The Bank of Canada-OSFI scenario analysis pilot reportFootnote 1 describes how a disorderly transition to a low carbon economy, through delayed action and abrupt global policy changes, will increase the probability of financial stress from transition risks. The decision on the global path to reduce greenhouse gas emitting energy sources, whether it be an orderly 30-year pathway, or a delayed, disorderly accelerated pathway, is outside Canada’s control, and is certainly outside our control. Therefore, federally regulated financial institutions and private pension plans must be prepared and build resilience to withstand an accelerated and abrupt pathway to the reduction of greenhouse gas emitting energy sources.

Supervisory Responses

We will supervise climate risk while developing principles-based regulatory expectations.

This includes ensuring institutions are advancing their climate-related governance and risk management capabilities and are increasingly resilient to physical and transition risks. OSFI and the Bank of Canada will conduct two climate analysis exercises with financial institutions. The first will assess the financial impact of flood risk on the 2021 residential mortgage portfolios. The second will leverage the findings from the 2021 pilot on climate transition risk to assess the impacts of repricing of securities portfolios and the probability of a price-mediated contagion to the financial system through a rebalancing of the financial institution balance sheets. As data analytics, risk quantification and scenario analysis capabilities evolve, we will leverage insights to inform both micro-prudential and macro-prudential assessments.

Regulatory Responses

Building on OSFI’s 2021 discussion paper on climate-related financial risks and the joint Bank of Canada-OSFI pilot project on transition risk scenarios, we will issue guidance to set out our expectations of institutions’ climate risk management and climate-related financial disclosures in 2022/23.

Our principal objective is to support institutions’ efforts to build awareness and capability in managing climate-related financial risks. Furthermore, given the potential threat to financial stability associated with delayed global policy action, we will assess whether current internal targets at institutions and capital buffers sufficiently incorporate related risks. Improving financial institutions’ readiness to manage climate-related financial risks enhances the safety and soundness of these institutions and strengthens public confidence in Canada’s financial system.

In addition, we will continue our work on other policy initiatives including enhancing our climate data and analytics capabilities, developing a standardized climate scenario analysis exercise for institutions, and assessing the need to reflect the unique features of climate-related risks in the regulatory capital framework.

Lastly, we will actively look for opportunities to broaden stakeholder engagement, within and outside the financial industry, domestically and internationally; to collaborate, coordinate, and share insights on a range of best practices.

Third party

Risk Overview

The financial services industry has long made use of third-party arrangements to introduce efficiency, drive innovation, manage shifting operational needs, and improve service. Increasingly, financial institutions are relying on an expanded third-party ecosystem to execute and deliver more of their critical activities. This has increased the risk of financial loss at institutions and the risk of institutions being unable to deliver critical services due to disruption at a third party (or at subcontractors on which a third party relies). The emergence of a concentrated number of dominant service providers in key segments of the economy amplifies this risk. Disruption at one or more such service providers could potentially result in a systemic event if multiple institutions were unable to deliver services to their customers on a timely basis. This could impact institutions’ financial resilience and reputations.

Supervisory Responses

We will gather data from financial institutions to improve our understanding of third-party relationships including the existence of, and vulnerabilities associated with, dominant service providers.

We will continue to monitor third-party incidents, especially those events involving dominant service providers. We will conduct supervisory reviews focused on third-party risk management practices of selected institutions.

Regulatory Responses

We expect to release draft revisions to Guideline B-10 for public consultation in Q2 2022 to Q1 2023.

We are repositioning current Guideline B-10 on Outsourcing of Business Activities, Function and Processes to a Guideline on Third-Party Risk Management to better reflect a more comprehensive set of third-party risks within an expanded third-party ecosystem. The revised guideline will place greater emphasis on governance and risk management programs. It will set outcomes-focused, principles-based expectations for institutions supporting the sound management of third-party risk. It will call upon institutions to identify, assess, monitor, and manage all third-party arrangements, in proportion to the criticality and risk of the arrangement.

Commercial real estate market downturn

Risk Overview

Office and retail assets are facing uncertainty considering COVID-related changes to workplaces and consumer shopping habits.

In addition, a protracted sharp increase in unemployment and adaptation of work-from-home policies could further impact the value of office and retail assets. Conversely, industrial properties are seeing material increases in valuation, which may not be sustainable in an increasing interest rate environment, this may lead to refinancing challenges. Stress-to-asset performance and/or valuation could lead to increased losses to institutions given that commercial real estate is a systemic exposure across the financial sector.

Supervisory Responses

We are finalizing the results of the credit integrated plan “drop-in” reviews of specific small and medium sized financial institutions.

Preliminary observations include shortcomings in the prudent assessment and management of COVID-related risks at adjudication (e.g., debt service capacity assessment, sensitivity analysis and sponsor guarantee assessment) and ongoing monitoring of exposures (i.e., active collateral valuations). Many of the deficiencies observed were identified in work conducted in 2019-20 and since the onset of the pandemic. We will consider developing supervisory expectations for Commercial real estate. This work is in addition to on-going supervisory reviews and monitoring. We will monitor delinquency rates closely, for signs of borrower vulnerability following the end of COVID-related government support programs.

Regulatory Responses

As part of the implementation of the Basel III reform package, we are better aligning the capital required for commercial real estate exposures (including those related to financing land acquisition, development, and construction projects) with their risk. This is accomplished by having more risk-sensitive rules where varied risk weights are used under the Standardized Approach to credit risk instead of a flat risk charge as is currently applied, which will result in higher risk weights for more leveraged exposures. This approach allows banks to make lending decisions that are more in line with their risk appetite.

Fragile corporate debt funding

Risk Overview

Corporate debt remains a significant exposure for Canadian banks and life insurers.

There has been increased reliance on high-yield debt and leveraged loans, including covenant-lite loans, which contain fewer protections for lenders. These assets are vulnerable to a large global repricing and constrained access to liquidity and capital. The uncertain and volatile environment could lead to an increase in financing costs and difficulties to issue or roll over debt, which could result in heightened credit losses for Canadian banks and life insurers.

Supervisory Responses

We have been engaging with institutions active in corporate debt funding and are conducting ongoing monitoring with a focus on the most leveraged transactions.

We are in discussions with regulated institutions about stress testing activities and vulnerabilities associated with leveraged lending. We will conduct supervisory reviews of corporate debt exposure and leveraged loan risk management practices of selected institutions.

Annex – 2022-2023 Planned Policy Releases

Guidance Priorities

This annex updates to our near-term plan of guidance priorities for FRFIs and FRPPs released in spring 2022. The references below reflect calendar quarters and cover the periods from Q4 2022 to Q2 2023.

Our guidance priorities are divided into three streams: (i) Risk Management Guidance for FRFIs, (ii) Capital and Accounting Guidance for FRFIs and (iii) Guidance for FRPPs.

The timelines indicated below reflect our strategic plans and risk priorities.  Plans may be changed or amended due to external factors causing us to reconsider the dates for the guidance impacted.

I. Risk Management Guidance for FRFIs

Deposit-Taking Institutions and Insurance Companies
Q4 2022
Guidance Initiative Purpose and Background
Letter on Operational Resilience Sets out high level steps for achieving operational resilience along with important definitions.
Final Revised IFRS 17 Memoranda to the Appointed Actuary Sets out OSFI’s requirements with respect to the 2023 Appointed Actuary’s Reports for Life and P&C companies. This version contains various enhancements incorporating the implementation of IFRS 17.
Q1 2023
Guidance Initiative Purpose and Background
Initial consultation on Guideline B-20 on Residential Mortgage Underwriting Sets out OSFI’s revised expectations on FRFI sound residential mortgage underwriting.
Final Guideline B-15 on Climate Risk Management Finalizes OSFI’s risk management expectations for FRFIs on climate-related financial risks.
Final Guideline B-10 on Third-Party Risk Management Finalizes OSFI’s expectations on FRFI third-party risk management.
Draft Culture Risk Guideline Sets out OSFI’s expectations on FRFI culture risk management.
Final Revised Guideline E-16 on Participating Account Management and Disclosure to Policyholders Finalizes OSFI’s expectations regarding the implementation of the requirements found in the Insurance Companies Act and Policyholders Disclosure Regulations.
Q2 2023
Guidance Initiative Purpose and Background

Draft Operational Risk and Resilience Guideline (Revised E-21)

Sets out OSFI’s expectations on FRFI operational resilience, while continuing to reinforce expectations on operational risk management.
Draft Guideline E-23 on Model Risk Management Sets out OSFI’s expectations pertaining to model risk management, including for models which use artificial intelligence and machine learning (AI/ML). 

II. Capital and Accounting Guidance for FRFIs

Deposit-Taking Institutions and Insurance Companies
Q4 2022
Guidance Initiative Purpose and Background
Final Guideline on assurance of capital, leverage and liquidity returns Finalizes OSFI’s expectations on assurance of DTI and insurance capital, leverage and liquidity returns.
Q1 2023
Guidance Initiative Purpose and Background
Consultative document on a stand-alone capital framework for large internationally active banks and insurance companies Seeks stakeholder feedback on the development of a solo capital framework to assess the sufficiency of capital that is available to domestic parent banks and insurance companies on a standalone basis
Insurance Companies
Q1 2023
Guidance Initiative Purpose and Background
Semi-annual IFRS 17 progress reporting Reflects insurers final reporting to OSFI on IFRS 17 implementation progress
Consultation on draft methodology for determining capital requirements for Segregated Fund Guarantee (SFG) Risk Seeks stakeholder feedback on draft Chapter 7 of the LICAT Guideline (i.e. the draft methodology), as well as related regulatory returns

III. Guidance for FRPPs

Private Pension Plans
Q4 2022
Guidance Initiative Purpose and Background
Industry letter on pension plan investment risk management Summarizes feedback received on OSFI’s pension plan investment risk management consultation paper issued in Q1 2022 and includes next steps for future initiatives.
Instruction guide for the preparation of actuarial reports for defined benefit pension plans Sets out OSFI’s expectations in the determination of the going concern discount rate used by actuaries in their actuarial reports.
Final instruction guide on buy-in annuity products Finalizes information to assist administrators of pension plans with defined benefit provisions with respect to considerations and reporting requirements for buy-in annuities.
Final instruction guide for authorizing benefit reductions Finalizes the factors that OSFI considers with respect to an application seeking the Superintendent’s authorization for a benefit reduction.
Q1 2023
Guidance Initiative Purpose and Background
Final instruction guide for defined contribution (DC) asset transfers Finalizes OSFI’s expectations related to DC asset transfers and the filing requirements related to transfers involving individuals whose pension benefits are subject to provincial pension legislation.
Technology and cyber incident reporting advisory and reporting form Provides information to assist administrators of pension plans to report technology and cyber incidents to OSFI.