Citisoft Blog

July 8, 2021

OSFI Updates Technology Risk Consultation

Christine Knott

Last fall, Canada’s Office of the Superintendent of Financial Institutions (OSFI) published a discussion paper on the risks presented by the rising prevalence of digital technologies. OSFI supervises federally regulated financial institutions (FRFIs) and pension plans to determine whether they are in sound financial condition. However, non-financial risks carried by cloud data storage, advanced analytics, data, and increasing third-party access now lie within its purview. As these risks become increasingly complex and widespread in financial services, OSFI has taken on the role of providing best practices and guidelines informed by the experience and knowledge of the industry.

OSFI welcomed comments on the discussion paper until the end of 2020 and recently published an update summarizing some of the comments it received in response. The original discussion paper is segmented into four areas of focus: cybersecurity, advanced analytics, the technology third party ecosystem, and data. Each area of focus lays out principles that serve as a foundation for Canadian regulatory guidance as well as the unique considerations of technologies and practices that fall under their respective scopes. Some of our discussion on this topic can be found in Outlook 2021. In its most recent update, OSFI indicated “There was broad support for OSFI’s emerging principles-based and technology-neutral perspectives on technology risk management, as presented in the Discussion Paper.”

With that in mind, most commentary seems to reflect a general consensus that many existing frameworks already address the risks and considerations of new technologies. One clear example is the technology third party ecosystem, where guidance already exists in Guideline B-10. Though it was last revised in 2009, most respondents feel that this guidance extends across all third parties—whether a ‘fintech’ or a custodian that they’ve worked with for decades. In particular, separate guidance for cloud risk management seemed unnecessary, as most managers take cloud security into account as part of their existing vendor risk management practices.

Having advised our clients on issues of vendor risk management, governance, oversight, and security for decades, we can attest that most large managers have a nuanced understanding of security, BCP, and vendor risk across all contracted third parties in Canada and globally. That said, we’d echo OSFI’s concern that certain areas of advanced analytics are not yet understood thoroughly and could pose unforeseen threats in the future.

In particular, OSFI suggested that artificial intelligence and machine learning be governed by three main principles: soundness, explainability, and accountability. While some respondents felt that existing guidance accounts for these technologies, we would counter that these new principles put forth by OSFI are necessary to ensure powerful advanced analytics are understood in a nuanced way and properly governed in Canada before reaching a point of ubiquity (a possibility that would merit its own paper!).

This is an evolving discussion with broad-reaching impacts that we’ll continue to watch closely. In terms of timelines, OSFI has offered a glimpse into when we might expect additional draft guidance (summarized in the table below). If you missed the boat on commentary this first round, there will be additional opportunities to join the conversations and help shape the regulatory landscape in Canada over the coming years.

 

| Area | Guidance Initiative | Planned Release of Draft Guidance |
|---|---|---|
| Technology and Cyber Risk | New technology and cyber risk guideline | Q4 2021 |
| Third Party Risk | Draft revised Guideline B-10 on third party risk | Q1 2022 |
| Operational Risk and Resilience | Industry letter on operational resilience | Q3 2021 |
| Operational Risk and Resilience | Revised Guideline E-21 on operational risk management | 2022–23 |
| Model Risk | Industry letter on advanced analytics and model risk | Q1 2022 |
| Model Risk | Revised model risk guidance | 2022–23 |
 

 
