Document properties
- Type of publication: Draft guideline
- Category: Sound Business and Financial Practices
- Date: October 2023
- Audiences: Banks / FBB / T&L / CRA / P&C / Life
A. Overview
Public confidence in the Canadian financial system depends on the integrity and security of financial institutions. In addition to undermining public confidence, failures in integrity or security can impact the safety and soundness of financial institutions, putting at risk the interests of depositors, policyholders, and creditors. Accordingly, financial institutions must take steps to ensure they are managing risks associated with integrity and security by putting in place appropriate and effective policies and procedures.
A1. Purpose
Set expectations for integrity and security and highlight expectations in existing OSFI guidelines.
A2. Scope
This Guideline applies to all federally regulated financial institutions (FRFIs), including foreign bank branches and foreign insurance company branches in relation to their business in Canada, to the extent the expectation is relevant for Branches.
A3. Application
These expectations are to be applied on a proportional basis according to:
- Ownership structure
- Strategy and risk profile
- Scope, nature, and location of operations
A4. Key terms
"Integrity" includes actions, omissions, and decisions consistent with the letter and intent of ethical standards, regulations, and the law.
"Security" includes protection against malicious or benign internal and external threats to:
- Real property, infrastructure, and personnel (“Physical threats”)
- Technology assets (“Electronic threats”)
“Foreign interference” includes activities that are within or relating to Canada, detrimental to the interests of Canada, and are clandestine or deceptive or involve a threat to any person, including attempts to covertly influence, intimidate, manipulate, interfere, corrupt or discredit individuals, organizations, and governments to further the interests of a foreign country.
“Responsible Persons” are directors, senior management as defined in the Corporate Governance Guideline, and branch management of foreign entities operating in Canada on a branch basis.
"Undue influence" includes situations where a person or entity engages in actions, behaviours, deception, or the use of power to impact actions, decisions, or behaviours in their own or another’s interests. Undue influence can originate from foreign or domestic actors.
"Malicious activity" includes actions taken with the intent of causing harm including theft, coercion, manipulation of information, or disruption or that are otherwise illegal, malicious, clandestine, coercive, or deceptive in nature. Malicious activity can originate from foreign or domestic actors.
A5. Outcomes
- Actions, omissions, and decisions are consistent with the letter and intent of ethical standards, regulations, and the law.
- Operations, physical premises, people, technology assets, and data and information are resilient and protected against threats.
A6. Related guidelines
- Corporate Governance Guideline
- Guideline B-10: Third-Party Risk Management
- Guideline B-13: Technology and Cyber Risk Management
- Guideline E-4: Entities Operating in Canada on a Branch Basis
- Guideline E-5: the Retention of Records
- Guideline E-13: Regulatory Compliance Management
- Guideline E-17: Background Checks
- Draft Guideline E-21: Operational Resilience and Operational Risk Management (issued October 13, 2023)
- Draft Culture and Behaviour Risk Guideline (issued February 28, 2023)
1. Relationship between Integrity and Security
While integrity and security are distinct concepts, they can be interrelated. Failure to comply with ethical standards, regulations, and the law may increase the risk of a physical or electronic security breach. In turn, failure to appropriately protect physical or electronic security may be rooted in a lack of integrity and constitute not only a security failure, but breach of ethical standards, regulations, or the law. Also, security threats that materialize, in addition to leading to other undesirable outcomes, can compromise integrity.
2. Policies and procedures
Adequate policies and procedures to protect against threats to integrity or security, including foreign interference, must be established, implemented, maintained, and adhered to.
Existing policies and procedures should be assessed against expectations in this Guideline and related guidelines. Any gaps or deficiencies should be promptly identified and addressed. The effectiveness of policies and procedures should be demonstrable and assessed on a regular basis.
3. Integrity
Outcome: Actions, omissions, and decisions are consistent with the letter and intent of ethical standards, regulations, and the law.
Integrity is demonstrated in actions, omissions, and decisions that are consistent with the letter and intent of ethical standards, regulations, and the law. It is people within organizations that take actions, omit to do things, and make decisions. Increasing the likelihood their behaviour demonstrates integrity can be achieved in several different ways, including by:
- Ensuring people are of good character
- Promoting a culture conducive to ethical behaviour
- Subjecting actions, omissions, and decisions to sound governance
- Verifying compliance of actions, omissions, and decisions with relevant standards, regulation, and law
Integrity is an important value in and of itself. A lack of it can damage reputation, result in fraud, cause legal issues, and increase vulnerabilities to undue influence, foreign interference, and malicious activity. Financial risks also often find their root cause in failures of integrity. Thus, enhancing integrity reduces risks to solvency and supports the overall safety and stability of an institution, and consequently the financial system.
3.1 Character
Principle 1: Senior leaders are of good character and demonstrate integrity through their words, actions, and decisions.
The way people behave depends to an extent on their character. Character is often observed through past behaviour. People who behave in a way that is honest, responsible, and forthright demonstrate good character.
The more senior someone is in an organization, the more power and influence they typically wield. It is, therefore, important that senior leaders behave in a way that demonstrates integrity through their words, actions, and decisions. This especially applies to boards of directors and senior management.
Refer to Guideline E-17 Background Checks on Directors and Senior Management.
3.2 Culture
Principle 2: Culture consistent with ethical norms is deliberately shaped, evaluated, and maintained.
Culture influences behavioural norms, which send signals throughout an organization about what is, and is not, valued, important, and acceptable. This impacts actions, omissions, and decisions relating to management, compliance, risk taking, issue response, and learning and growth.
Culture should be deliberately shaped, evaluated, and maintained. This said, there is no ideal culture; sound culture depends to some extent on context. All cultures, however, should reflect a commitment to norms that encourage ethical behaviour.
Refer to the draft Culture and Behaviour Risk Guideline.
3.3 Governance
Principle 3: Governance structures subject actions, omissions, and decisions to appropriate scrutiny and promote ethical behaviour.
Sound governance subjects actions, omissions, and decisions to appropriate scrutiny and challenge. Effective governance builds trust with stakeholders, including shareholders, the public, staff, and regulators; it provides a sound basis for navigating issues that arise.
Accordingly, important decisions around business plans, strategies, risk appetite, culture, internal controls, and oversight of senior leaders should be subject to effective governance.
Oversight of senior leaders includes setting out responsibilities and providing for accountability mechanisms.
Ethical expectations and standards should be codified in normative documents such as codes of conduct and conflict of interest policies and procedures. It is important to communicate expectations clearly to staff, senior leaders, and stakeholders, including how ethical issues will be addressed, resolved, and disclosed.
At minimum, codes of conduct should include content emphasizing the importance of:
- Exhibiting ethical norms and behaviours
- Demonstrating integrity and good character
- Following the law, relevant regulations, policies, procedures, and processes
- Avoiding bribery, as well as perceived and actual bias
- Maintaining security and confidentiality of assets, communications, and information
Codes of conduct should apply to all staff and be accompanied with regular training.
Conflict of interest policies and procedures should include content on:
- Disclosing, avoiding, or managing conflicts of interest
- Detecting, disclosing, avoiding, or mitigating perceived conflicts of interest
Codes of conduct, conflict of interest policies and procedures, and other related documents should be assessed for effectiveness and reviewed and updated on a regular basis. Conflicts of interest should be monitored based on risk, considering individual roles, functions, and potential exposure to undue influence, foreign interference, and malicious activity.
Refer to the Corporate Governance Guideline.
For branches of foreign banks and insurance companies, refer to Guideline E-4 Foreign Entities Operating in Canada on a Branch Basis.
3.4 Compliance
Principle 4: Effective mechanisms to identify and verify compliance with standards, regulations, and the law exist.
Compliance risk management is essential to maintaining integrity. It should ensure that people have effective channels to raise concerns over non-compliance with standards, regulations, and law. It should also ensure that compliance can be accurately and expediently verified. Compliance includes not just adherence to the letter of such requirements, but also upholding their intent given associated impacts on reputation and public trust.
Appropriate compliance risk management includes establishing an effective, enterprise-wide Regulatory Compliance Management (RCM) Framework. This should accurately and expediently validate actions, omissions, and decisions against applicable standards, laws, and regulations, both in letter and intent.
An RCM Framework should also provide effective channels to raise concerns and provide constructive feedback: for example, through regular reporting and anonymous whistleblowing programs. What constitutes effective channels depends on the organization and its context. In all cases, channels should be regularly reviewed, updated, and brought to the attention of staff.
Refer to Guideline E-13 on Regulatory Compliance Management.
4. Security
Outcome: Operations, physical premises, people, technology assets, and data and information are resilient and protected against threats.
Security means protection from threats to physical premises, people, technology assets, and data and information. These threats may come from outside or from within. They may be benign in intention or the result of undue influence, foreign interference, or other malicious activity.
Integrity helps to reduce vulnerability to threats. In other words, security is strengthened by people with appropriate character and culture, sound governance, and an appropriate RCM Framework.
Sound operational risk management and operational resilience also reduce underlying vulnerability to threats, particularly to threats that might disrupt operations. This said, some threats, especially those arising from undue influence, foreign interference, or other malicious activities, may not cause disruption. Non-disruptive threats may require additional methods of detection and prevention to complement current operational risk management and operational resilience practices.
Accountability for the security of physical premises, people, technology assets, and data and information cannot be contracted out. Services performed by third parties should be subject to appropriate risk management measures.
Policies and procedures governing all types of threats, internal and external, should be established and maintained, and also consider threats associated with undue influence, foreign interference, or malicious activity. They should be assessed for effectiveness, reviewed, and updated on a regular basis.
The threat environment, including as it relates to third parties, should be assessed, and reported on regularly, with security precautions implemented to protect physical premises, people, technology assets, and data and information.
Refer to draft Guideline E-21 Operational Resilience and Operational Risk Management.
4.1 Physical premises
Principle 5: Physical premises are safe and secure and monitored appropriately.
Standards and controls should be adopted to govern access-control and monitoring of:
- Physical buildings and office spaces
- Physical technology assets
- Physical file storage
- Any other sensitive areas
Based on the threat environment, technical security inspections should be conducted to protect physical and digital assets. These should include periodic sweeps for covert devices.
Refer to Guideline B-13 Technology and Cyber Risk Management and draft Guideline E-21 Operational Resilience and Operational Risk Management.
4.2 People
Principle 6: People should be subject to appropriate background checks and security screening, and strategies should be put in place to manage risk.
Security standards and controls to protect people from undue influence, foreign interference, and malicious activity should be established and maintained. Subjecting people to appropriate background checks and security screening can identify vulnerabilities to these factors, helping to develop strategies to minimize risks. Standards and controls should consider factors such as authority, seniority, and access to sensitive information.
4.2.1 Background checks
All Responsible Persons, employees, and contractors should undergo background checks that are:
- Appropriate for the position held
- Conducted prior to commencement of employment for new employees
- Renewed on a regular basis, with processes and criteria in place to trigger off-cycle checks
- Equivalent to the Government of Canada’s Enhanced Reliability Check minimum standard
Background checks should include, at a minimum:
- Verification of identity and background
- Verification of education and professional credentials
- Personal and professional references
- Criminal records check
- Financial inquiry (credit check)
Refer to Guideline E-17 Background Checks on Directors and Senior Management.
4.3 Technology assets
Principle 7: Technology assets should be secure, with weaknesses identified and addressed, effective defences in place, and issues identified accurately and promptly.
Malicious threat actors can disrupt, destroy, damage, access, modify, and maliciously use technology assets. Such incidents may result in financial loss and reputational damage and harm to depositors and policyholders.
Refer to Guideline B-13 Technology and Cyber Risk Management.
4.4 Data and information
Principle 8: Data and information should be subject to appropriate standards and controls ensuring its confidentiality, integrity, and availability.
Data security, including confidentiality, integrity, and availability, should be maintained. Requirements and protections should be defined and established throughout the data lifecycle, with controls in place for data at rest, in transit, and in use.
Structured and unstructured data should be adequately identified, classified, and protected based on personnel access requirements. When classifying data, its vulnerability to malicious activity, undue influence, or foreign interference should be considered. Standards and controls for data protection should define personnel access requirements to sensitive data. Mechanisms to identify and escalate unauthorized access to data by people or systems should be put in place.
Refer to Guideline B-13 Technology and Cyber Risk Management and draft Guideline E-21 Operational Resilience and Operational Risk Management.
4.5 Third-party risks
Principle 9: Third parties should be subject to equivalent and proportional measures to protect against threats.
Accountability for the security of physical premises, people, technology assets, and data and information cannot be contracted out. Accountability for the business functions outsourced to third parties, including security, should remain with the financial institution. This includes threats posed by undue influence, foreign interference, or malicious activity.
Transparent procurement processes with objective selection and decision-making processes as well as adequate oversight help reduce such threats. The following should be assessed when engaging a third party and on an ongoing basis:
- The likelihood of threats
- The ability and action to address threats
- The existence and efficacy of policies and procedures protecting against threats
- The conduct of background checks and security screening, especially of senior leaders
- The transparency, objectivity, and oversight of procurement processes
This assessment should be proportional to the third party’s:
- Access to financial institution’s systems, data, and facilities
- Security vulnerabilities
- Security threats
In relation to foreign interference, the following information about the third party and its subcontractors should be considered:
- Location of operations
- Location of corporate headquarters
- Connections to foreign governments, including those of its senior leaders
- Ownership structure
Refer to Guideline B-10 Third-Party Risk Management.
4.6 Undue influence, foreign interference, and malicious activity
Principle 10: Threats stemming from undue influence, foreign interference, and malicious activity should be promptly detected and reported.
Where a threat finds its root in undue influence, foreign interference, or malicious activity, additional considerations apply.
Measures should be put in place for the prompt detection of such threats and their careful investigation, ensuring, among other things, appropriate limits on access to information, confidentiality, and the independence and integrity of the investigation.
If, at any time, there is any suspicion of undue influence, foreign interference, or malicious activity, law enforcement authorities should be advised immediately. For foreign interference, both the Canadian Security Intelligence Service and the Royal Canadian Mounted Police should be informed. OSFI should be informed of any such communications with law enforcement.
Appendix: Summary of expectations in draft Integrity and Security guideline
Summary of expectations - Integrity
Principle | Associated OSFI guidelines | New expectation | Expanded expectations
---|---|---|---
1. Senior leaders are of good character and demonstrate integrity through their words, actions, and decisions. | E-17 Background Checks on Directors and Senior Management | Not applicable | Character of boards of directors and senior management as demonstrated through their past and current behaviour.
2. Culture consistent with ethical norms is deliberately shaped, evaluated, and maintained. | Draft Culture and Behaviour Risk Guideline | Not applicable | Culture that reflects norms of ethical behaviour.
3. Governance structures subject actions, omissions, and decisions to appropriate scrutiny and promote ethical behaviour. | Corporate Governance Guideline; E-4 Foreign Entities Operating in Canada on a Branch Basis | Not applicable | Governance that provides oversight of ethical behaviour.
4. Effective mechanisms to identify and verify compliance with standards, regulations, and the law exist. | E-13 Regulatory Compliance Management | Not applicable | Compliance that focuses on not just the letter of requirements but also the intent. Effective channels, such as whistleblowing programs, to raise concerns over non-compliance.
Summary of expectations - Security
Principle | Associated OSFI guidelines | New expectation | Expanded expectations
---|---|---|---
5. Physical premises are safe and secure and monitored appropriately. | B-13 Technology and Cyber Risk Management; Draft E-21 Operational Resilience and Operational Risk Management | Standards and controls for physical buildings, office spaces, physical file storage, and technical security inspections. | Not applicable
6. People should be subject to appropriate background checks and security screening, and strategies should be put in place to manage risk. | E-17 Background Checks on Directors and Senior Management | Background checks on all employees and contractors. | Not applicable
7. Technology assets should be secure, with weaknesses identified and addressed, effective defences in place, and issues identified accurately and promptly. | B-13 Technology and Cyber Risk Management | Not applicable | Enhanced description of what constitutes malicious actions towards IT infrastructure.
8. Data and information should be the subject of appropriate standards and controls ensuring its confidentiality, integrity, and availability. | B-13 Technology and Cyber Risk Management; Draft E-21 Operational Resilience and Operational Risk Management | Data classification consideration of vulnerability to malicious activity, undue influence, or foreign interference. | Personnel access requirements to prevent undue influence and foreign interference.
9. Third parties should be subject to equivalent and proportional measures to protect against threats. | B-10 Third-Party Risk Management | Assessment of third-party arrangements from the lens of security and susceptibility to undue influence, foreign interference, and malicious activity. Background checks and security screening of senior leaders of vulnerable third parties. Transparent and objective procurement processes. | Not applicable
10. Threats stemming from undue influence, foreign interference, and malicious activity should be promptly detected and reported. | E-13 Regulatory Compliance Management | Notification to OSFI when a report is made to RCMP, CSIS, or other authorities regarding undue influence, foreign interference, or malicious activity. | Not applicable