Office of the Superintendent of Financial Institutions
Public confidence in the Canadian financial system depends on the integrity and security of financial institutions. In addition to undermining public confidence, failures in integrity or security can impact the safety and soundness of financial institutions, putting at risk the interests of depositors, policyholders, and creditors. Accordingly, financial institutions must take steps to ensure they are managing risks associated with integrity and security by putting in place appropriate and effective policies and procedures.
Set expectations for integrity and security and highlight expectations in existing OSFI guidelines.
This Guideline applies to all federally regulated financial institutions (FRFIs), including foreign bank branches and foreign insurance company branches in relation to their business in Canada, to the extent the expectation is relevant for Branches.
These expectations are to be applied on a proportional basis according to:
"Integrity" includes actions, omissions, and decisions consistent with the letter and intent of ethical standards, regulations, and the law.
"Security" includes protection against malicious or benign internal and external threats to:
“Foreign interference” includes activities that are within or relating to Canada, detrimental to the interests of Canada, and are clandestine or deceptive or involve a threat to any person, including attempts to covertly influence, intimidate, manipulate, interfere, corrupt or discredit individuals, organizations, and governments to further the interests of a foreign country.
“Responsible Persons” are directors, senior management as defined in the Corporate Governance Guideline, and branch management of foreign entities operating in Canada on a branch basis.
"Undue influence" includes situations where a person or entity engages in actions, behaviours, deception, or the use of power to impact actions, decisions, or behaviours in their own or another’s interests. Undue influence can originate from foreign or domestic actors.
"Malicious activity" includes actions taken with the intent of causing harm, including theft, coercion, manipulation of information, or disruption, or that are otherwise illegal, malicious, clandestine, coercive, or deceptive in nature. Malicious activity can originate from foreign or domestic actors.
While integrity and security are distinct concepts, they can be interrelated. Failure to comply with ethical standards, regulations, and the law may increase the risk of a physical or electronic security breach. In turn, failure to appropriately protect physical or electronic security may be rooted in a lack of integrity and constitute not only a security failure but also a breach of ethical standards, regulations, or the law. Also, security threats that materialize, in addition to leading to other undesirable outcomes, can compromise integrity.
Adequate policies and procedures to protect against threats to integrity or security, including foreign interference, must be established, implemented, maintained, and adhered to.
Existing policies and procedures should be assessed against expectations in this Guideline and related guidelines. Any gaps or deficiencies should be promptly identified and addressed. The effectiveness of policies and procedures should be demonstrable and assessed on a regular basis.
Outcome: Actions, omissions, and decisions are consistent with the letter and intent of ethical standards, regulations, and the law.
Integrity is demonstrated in actions, omissions, and decisions that are consistent with the letter and intent of ethical standards, regulations, and the law. It is the people within an organization who act, refrain from acting, and make decisions. The likelihood that their behaviour demonstrates integrity can be increased in several ways, including by:
Integrity is an important value in and of itself. A lack of it can damage reputation, result in fraud, cause legal issues, and increase vulnerabilities to undue influence, foreign interference, and malicious activity. Financial risks also often find their root cause in failures of integrity. Thus, enhancing integrity reduces risks to solvency and supports the overall safety and stability of an institution, and consequently the financial system.
Principle 1: Senior leaders are of good character and demonstrate integrity through their words, actions, and decisions.
The way people behave depends to an extent on their character. Character is often observed through past behaviour. People who behave in a way that is honest, responsible, and forthright demonstrate good character.
The more senior someone is in an organization, the more power and influence they typically wield. It is, therefore, important that senior leaders behave in a way that demonstrates integrity through their words, actions, and decisions. This especially applies to boards of directors and senior management.
Refer to Guideline E-17 Background Checks on Directors and Senior Management.
Principle 2: Culture consistent with ethical norms is deliberately shaped, evaluated, and maintained.
Culture influences behavioural norms, which send signals throughout an organization about what is, and is not, valued, important, and acceptable. This impacts actions, omissions, and decisions relating to management, compliance, risk taking, issue response, and learning and growth.
Culture should be deliberately shaped, evaluated, and maintained. This said, there is no ideal culture; sound culture depends to some extent on context. All cultures, however, should reflect a commitment to norms that encourage ethical behaviour.
Refer to the draft Culture and Behaviour Risk Guideline.
Principle 3: Governance structures subject actions, omissions, and decisions to appropriate scrutiny and promote ethical behaviour.
Sound governance subjects actions, omissions, and decisions to appropriate scrutiny and challenge. Effective governance builds trust with stakeholders, including shareholders, the public, staff, and regulators; it provides a sound basis for navigating issues that arise.
Accordingly, important decisions around business plans, strategies, risk appetite, culture, internal controls, and oversight of senior leaders should be subject to effective governance.
Oversight of senior leaders includes setting out responsibilities and providing for accountability mechanisms.
Ethical expectations and standards should be codified in normative documents such as codes of conduct and conflict of interest policies and procedures. It is important to communicate expectations clearly to staff, senior leaders, and stakeholders, including how ethical issues will be addressed, resolved, and disclosed.
At minimum, codes of conduct should include content emphasizing the importance of:
Codes of conduct should apply to all staff and be accompanied with regular training.
Conflict of interest policies and procedures should include content on:
Codes of conduct, conflict of interest policies and procedures, and other related documents should be assessed for effectiveness and reviewed and updated on a regular basis. Conflicts of interest should be monitored based on risk, considering individual roles, functions, and potential exposure to undue influence, foreign interference, and malicious activity.
Refer to the Corporate Governance Guideline.
For branches of foreign banks and insurance companies, refer to Guideline E-4 Foreign Entities Operating in Canada on a Branch Basis.
Principle 4: Effective mechanisms to identify and verify compliance with standards, regulations, and the law exist.
Compliance risk management is essential to maintaining integrity. It should ensure that people have effective channels to raise concerns over non-compliance with standards, regulations, and law. It should also ensure that compliance can be accurately and expediently verified. Compliance includes not just adherence to the letter of such requirements, but also upholding their intent given associated impacts on reputation and public trust.
Appropriate compliance risk management includes establishing an effective, enterprise-wide Regulatory Compliance Management (RCM) Framework. This should accurately and expediently validate actions, omissions, and decisions against applicable standards, laws, and regulations, both in letter and intent.
An RCM Framework should also provide effective channels to raise concerns and provide constructive feedback: for example, through regular reporting and anonymous whistleblowing programs. What constitutes effective channels depends on the organization and its context. In all cases, channels should be regularly reviewed, updated, and brought to the attention of staff.
Refer to Guideline E-13 Regulatory Compliance Management.
Outcome: Operations, physical premises, people, technology assets, and data and information are resilient and protected against threats.
Security means protection from threats to physical premises, people, technology assets, and data and information. These threats may come from outside or from within. They may be benign in intention or the result of undue influence, foreign interference, or other malicious activity.
Integrity helps to reduce vulnerability to threats. In other words, security is strengthened by people with appropriate character and culture, sound governance, and an appropriate RCM Framework.
Sound operational risk management and operational resilience also reduce underlying vulnerability to threats, particularly to threats that might disrupt operations. This said, some threats, especially those arising from undue influence, foreign interference, or other malicious activities, may not cause disruption. Non-disruptive threats may require additional methods of detection and prevention to complement current operational risk management and operational resilience practices.
Accountability for the security of physical premises, people, technology assets, and data and information cannot be contracted out. Services performed by third parties should be subject to appropriate risk management measures.
Policies and procedures governing all types of threats, internal and external, should be established and maintained, and should also address threats associated with undue influence, foreign interference, or malicious activity. They should be assessed for effectiveness, reviewed, and updated on a regular basis.
The threat environment, including as it relates to third parties, should be assessed, and reported on regularly, with security precautions implemented to protect physical premises, people, technology assets, and data and information.
Refer to draft Guideline E-21 Operational Resilience and Operational Risk Management.
Principle 5: Physical premises are safe and secure and monitored appropriately.
Standards and controls should be adopted to govern access-control and monitoring of:
Based on the threat environment, technical security inspections should be conducted to protect physical and digital assets. These should include periodic sweeps for covert devices.
Refer to Guideline B-13 Technology and Cyber Risk Management and draft Guideline E-21 Operational Resilience and Operational Risk Management.
Principle 6: People should be subject to appropriate background checks and security screening, and strategies should be put in place to manage risk.
Security standards and controls to protect people from undue influence, foreign interference, and malicious activity should be established and maintained. Subjecting people to appropriate background checks and security screening can identify vulnerabilities to these factors, helping to develop strategies to minimize risks. Standards and controls should consider factors such as authority, seniority, and access to sensitive information.
All Responsible Persons, employees, and contractors should undergo background checks that are:
Background checks should include, at a minimum:
Principle 7: Technology assets should be secure, with weaknesses identified and addressed, effective defences in place, and issues identified accurately and promptly.
Malicious threat actors can disrupt, destroy, damage, access, modify, or misuse technology assets. Such incidents may result in financial loss, reputational damage, and harm to depositors and policyholders.
Refer to Guideline B-13 Technology and Cyber Risk Management.
Principle 8: Data and information should be subject to appropriate standards and controls ensuring their confidentiality, integrity, and availability.
Data security, including confidentiality, integrity, and availability, should be maintained. Requirements and protections should be defined and established throughout the data lifecycle, with controls in place for data at rest, in transit, and in use.
Structured and unstructured data should be adequately identified, classified, and protected based on personnel access requirements. When classifying data, its vulnerability to malicious activity, undue influence, or foreign interference should be considered. Standards and controls for data protection should define personnel access requirements to sensitive data. Mechanisms to identify and escalate unauthorized access to data by people or systems should be put in place.
Refer to Guideline B-13 Technology and Cyber Risk Management and draft Guideline E-21 Operational Resilience and Operational Risk Management.
Principle 9: Third parties should be subject to equivalent and proportional measures to protect against threats.
Accountability for the security of physical premises, people, technology assets, and data and information cannot be contracted out. Accountability for the business functions outsourced to third parties, including security, should remain with the financial institution. This includes threats posed by undue influence, foreign interference, or malicious activity.
Transparent procurement processes with objective selection and decision-making processes as well as adequate oversight help reduce such threats. The following should be assessed when engaging a third party and on an ongoing basis:
This assessment should be proportional to the third party’s:
In relation to foreign interference, the following information about the third party and its subcontractors should be considered:
Refer to Guideline B-10 Third-Party Risk Management.
Principle 10: Threats stemming from undue influence, foreign interference, and malicious activity should be promptly detected and reported.
Where a threat finds its root in undue influence, foreign interference, or malicious activity, additional considerations apply.
Measures should be put in place for the prompt detection of such threats and their careful investigation, ensuring, among other things, appropriate limits on access to information, confidentiality, and the independence and integrity of the investigation.
If, at any time, there is any suspicion of undue influence, foreign interference, or malicious activity, law enforcement authorities should be advised immediately. For foreign interference, both the Canadian Security Intelligence Service and the Royal Canadian Mounted Police should be informed. OSFI should be informed of any such communications with law enforcement.
E-17 Background Checks on Directors and Senior Management
- Character of boards of directors and senior management as demonstrated through their past and current behaviour.

Draft Culture and Behaviour Risk Guideline
- Culture that reflects norms of ethical behaviour.

Corporate Governance Guideline
E-4 Foreign Entities Operating in Canada on a Branch Basis
- Governance that provides oversight of ethical behaviour.

E-13 Regulatory Compliance Management
- Compliance that focuses on not just the letter of requirements but also the intent.
- Effective channels, such as whistleblowing programs, to raise concerns over non-compliance.

B-13 Technology and Cyber Risk Management
Draft E-21 Operational Resilience and Operational Risk Management
- Standards and controls for physical buildings, office spaces, physical file storage, and technical security inspections.
- Background checks on all employees and contractors.
- Enhanced description of what constitutes malicious actions towards IT infrastructure.
- Data classification consideration of vulnerability to malicious activity, undue influence, or foreign interference.
- Personnel access requirements to prevent undue influence and foreign interference.

B-10 Third-Party Risk Management
- Assessment of third-party arrangements from the lens of security and susceptibility to undue influence, foreign interference, and malicious activity.
- Background checks and security screening of senior leaders of vulnerable third parties.
- Transparent and objective procurement processes.

Notification to OSFI when a report is made to the RCMP, CSIS, or other authorities regarding undue influence, foreign interference, or malicious activity.