Integrity and Security – Frequently Asked Questions

Background

1. Why did OSFI create a separate guideline instead of updating existing guidelines?

A standalone guideline allows us to clarify new terms and expectations and demonstrate how existing guidelines support integrity and security. As our work regarding our new mandate evolves, the draft Integrity and Security guideline will be updated, with some of the new expectations incorporated into existing guidelines.

2. Why is OSFI issuing this guideline now?

On June 22, 2023, Parliament passed Bill C-47, the Budget Implementation Act (BIA), which expands OSFI’s mandate. Under Bill C-47, which comes into force on January 1, 2024, federally regulated financial institutions (FRFIs) must have adequate policies and procedures in place to ensure they are managing risks associated with integrity and security. This guideline sets outs OSFI’s expectations in this area to support its new mandate.

3. Are these FAQs expectations?

No. Expectations are in the draft Integrity and Security guideline. These FAQs help provide clarity on this consultation process and certain elements in this draft guideline.

Connection with other Guidelines

1. Some of the guidelines referenced in the draft Integrity and Security guideline are in draft or have varying implementation dates in 2024. Should FRFIs adopt these guidelines early?

No. Previously communicated implementation dates for existing guidelines that have yet to come into effect are not being moved forward. Those dates will also be considered when determining implementation dates for the Integrity and Security guideline. Furthermore, implementation dates for guidelines currently in draft will be established based on consultation feedback and their relationship to the Integrity and Security guideline.

Implementation

1. The legislation is effective from January 1, 2024. What does OSFI expect of FRFIs on January 1st?

The legislative requirement for January 1, 2024, is that FRFIs should have adequate policies and procedures in place to protect against threats to their integrity and security.

The draft Integrity and Security guideline engages several new risk areas or existing risk areas in a different way. We do not expect financial institutions to take steps to implement all elements of the draft guideline immediately.

In the near term FRFIs should:

• Meet existing expectations in currently applicable guidelines, referenced in this new guideline (for example, E-17 on background checks, E-13 on regulatory compliance management, and our Corporate Governance guideline)
• Meet specific expectations in the Integrity and Security guideline, for example, our expectation that undue influence, foreign interference, or malicious activity be reported promptly to law enforcement

In line with our usual practice, we will provide more details on these expectations after the close of the consultation period.

We will not expect FRFIs to:

• Meet expectations in existing guidelines in advance of effective dates
• Meet new, anticipated expectations associated with risk areas for which we do not yet have sufficiently specific guidance; for example, around character beyond expectations in E-17 on background checks.

2. What expectations are new in the draft Integrity and Security guideline?

New expectations can be found in Appendix: Summary of expectations in draft Integrity and Security guideline of the draft Integrity and Security guideline.

3. How will OSFI approach setting timelines for implementation for the Integrity and Security guideline, especially expectations in new risk areas where there is no standalone guideline?

When setting implementation periods, OSFI considers many things, including feedback from the industry during the consultation process.

Anticipated expectations in new risk areas where we do not yet have sufficiently specific guidance will likely be followed by further guidance, in due course, that will be subject to their own implementation periods.

4. Will OSFI apply the Integrity and Security guideline on a proportional basis?

Yes. We will apply the expectations in the draft Integrity and Security guideline on a proportional basis. For this guideline, we assess proportionality through:

• Ownership structure
• Strategy and risk profile
• Scope, nature, and location of operations

5. In terms of proportionality, what does “ownership structure” include?

Ownership structure includes, for example, the relationships between a FRFI and its parent company, the influence of parent and affiliated companies, and the location of their operations.

6. Will the Integrity and Security guideline apply to foreign branches of banks and insurers?

Yes. Bill C-47 extends to all FRFIs including branches. This guideline, therefore, applies to foreign branches to the extent that it is relevant to their ability to meet applicable requirements and legal obligations in Canada. For example, maintaining the security of branch records is critical. As well, branch management should undergo the necessary background checks.

7. (New) Is the guideline applicable on a consolidated basis?

Yes. The Integrity and Security guideline will be applied on a consolidated basis for the global operations of Canadian firms.

8. Do background checks need to have been conducted for all employees, Responsible Persons, and contractors by January 1, 2024?

No. We will consider feedback received in consultations before establishing implementation timelines for this and other expectations articulated in the draft Integrity and Security guideline.

In line with our usual practice, our implementation expectations will be communicated with the release of the final guideline in January 2024.

9. How does OSFI define the term “contractor”?

A contractor is, for example, a self-employed person or entity contracted to perform work or carry out services for the FRFI.

10. What does acquiring “enhanced reliability” status entail? Do FRFIs need to carry out background checks in-house?

As written in the draft Integrity and Security guideline, a background check equivalent to the Government of Canada’s enhanced reliability includes, at minimum: 

• Verification of identity and background,
• Verification of education and professional credentials,
• Personal and professional references,
• Criminal records check, and
• Financial inquiry (credit check)

FRFIs can develop their own approach to performing background checks that include, at a minimum, these elements. Certain portions of the background checks, such as for example criminal records checks, can be performed by third parties.

Learn more about the Government of Canada’s enhanced reliability status:

• Standard on security screening
• Security clearance request process

11. How will the requirement for background checks interact with other regulations or laws, for example in areas like privacy, consumer protection, or human rights?

As with all our expectations, FRFIs are responsible for ensuring they perform background checks in compliance with all other legislation and regulations to which they are subject.

Most FRFIs already gather some or all of the information required to meet this expectation, such as verification of identity, background, and education as part of their hiring processes.

12. Is it OSFI’s intent to require background checks for all new and current employees, and contractors, regardless of role or seniority?

Yes. FRFIs should implement this expectation on a risk-basis by prioritizing, for example, employees in positions of authority or in senior roles, or employees that have access to sensitive information. We welcome feedback on the background check requirement during the consultation period ending on November 24, 2023.

13. (New) Do all background checks need to include fingerprinting?

No. FRFIs may choose to use fingerprinting in certain high-risk cases for positive identification, but it is not required for all background checks.

14. Does this guideline prohibit FRFIs from operating in certain countries?

No. This guideline does not prohibit FRFIs from operating in any country. Consistent with our mandate, we allow FRFIs to compete effectively and take reasonable risks. We do, however, expect FRFIs to assess the risks to their integrity and security of operating in certain countries and to manage those risks appropriately.

15. Will you be asking FRFIs for information on their conformity with the Integrity and Security guideline in the near future?

Yes. We are required to report to the Minister of Finance on the adequacy of, and adherence to, FRFI policies and procedures relating to integrity and security by the end of 2024.

To do this, we will need information from FRFIs on the policies and procedures they have in place and their efficacy as well as risk-based plans to implement needed policies and procedures, even as it relates to new risk areas outlined in the Integrity and Security guideline.

16. Are FRFIs expected to have adequate policies and procedures in place for all new risk areas from this time forward?

Many FRFIs will already have policies and procedures in place for some or all the new risk areas identified in the Integrity and Security guideline. Others may not. To the extent they do not, or to the extent their existing policies and procedures do not align with the outcomes or principles in the guideline, they need to immediately develop risk-based plans to achieve alignment.  

17. Why are both the letter and intent of ethical standards, regulations, and the law incorporated into the draft Integrity and Security guideline?

FRFIs need to go beyond pure compliance and the letter of the law. Creative compliance, regulatory arbitrage and any other measures designed to circumvent the intent of standards, laws or regulations can put into question or jeopardize the integrity of a FRFI.

18. How does OSFI define “norms of ethical behaviour” or “ethical standards”?

FRFIs should define the ethical norms of behaviour and ethical standards they wish to uphold in their organization. We welcome feedback on this topic during the consultation period ending on November 24, 2023.

Further Questions

1. How do I contact OSFI if I have additional questions?

Please e-mail questions to IS@osfi-bsif.gc.ca.