Each year the Office of the Superintendent of Financial Institutions (OSFI) holds a seminar in Toronto to update both in-house lawyers and outside counsel on recent activities undertaken by its legislation and approvals division. In addition to administering applications for approvals under the Bank Act, the Trust and Loan Companies Act and the Insurance Companies Act, the division is responsible for developing much of the guidance that is published by OSFI, including guidelines, advisories and rulings. The most recent seminar was held on November 25 2015; this update looks at the highlights.

New deposit-taking institutions

OSFI noted that it currently has applications for 19 new deposit-taking institutions under review. This seems like a big number considering that there are fewer than 100 active federally regulated deposit-taking institutions. However, a review of the notices of intention to apply published over the last three years indicates that many of these applications have been filed by foreign banks that have a Schedule II subsidiary in Canada and are now looking either to add a Schedule III branch or to convert their subsidiary to a branch. The net number of new applicants is actually much lower.

OSFI indicated that between 2014 and 2015 two applications for deposit-taking institutions were approved: one for a new domestically owned institution and one for an institution associated with a foreign bank. Given the large number of applications that OSFI stated were under review, this suggests that applications are continuing to take a long time to process. Earlier in 2015, OSFI released an update of its Guide for Incorporation of a Deposit-Taking Institution. One of the stated purposes for the update was to streamline the application process; next year's statistics will show whether the new process is resulting in more applications being successfully completed. OSFI's review process is not the only factor that affects the time that it takes to successfully complete the application process.

Leasing activities

Recently, there have been some important transactions involving the transfer of lease portfolios, and OSFI reviewed the peculiar rules applicable to federally regulated institutions with respect to leasing. In addition to being restricted to "financial leasing", leasing of motor vehicles is restricted to large vehicles (over 21 tonnes) and leasing of personal household property is prohibited. However, OSFI noted that institutions are prohibited from "entering into" such leases. This means that the prohibition does not apply if an institution is acquiring an existing lease, such as when it is acquiring a portfolio of leases. OSFI did caution that when an institution acquires leases that would not otherwise be permitted, issues can arise later if the lease is renewed. Depending on the changes that are made to the terms of the lease on renewal, the institution could be considered to be entering into a new lease – which may not be permitted.

OSFI also noted that all leases – even those that an institution acquires through a portfolio transfer – must be financial leases. In OSFI's view, a financial lease is one that is a loan substitute. To determine whether a lease is a loan substitute, OSFI stated that it considers the residual value of the leased property under the lease. A lease that has an unguaranteed residual of 25% or more would generally not be considered to be a financial lease. Further, OSFI indicated that if the aggregate unguaranteed residuals for a portfolio of leases exceed 10%, the portfolio would generally not be considered to be a portfolio of financial leases.

Finally, OSFI provided guidance on its interpretation of the exemption from the 21-tonne rule for motor vehicles that are utility trucks. In this regard, OSFI stated that a 'utility truck' is a vehicle with special equipment that cannot be easily removed, and that is used at a particular destination to carry out particular tasks (OSFI's example was the familiar "chip wagon").

Disclosure of supervisory information

OSFI discussed the recent amendments made to the legislation to provide greater protection from disclosure for "prescribed supervisory information". The information, such as OSFI examination results, is now protected by evidentiary privilege. When asked whether there was any thought being given to extending protection for institutions that self-report regulatory issues, OSFI responded that it did not feel that it could do anything further in this regard without the support of the provinces.

Final operational risk guidance

In August 2014 OSFI issued the draft Guideline E-21, under which it set out its expectations for operational risk management. At the seminar, OSFI confirmed that it intends to issue a final guideline either in December 2015 or January 2016. As with most OSFI guidelines, the draft guideline essentially set out OSFI's view of best practices in operational risk management. Therefore, institutions that have robust operational risk-management frameworks in place may not have to make major changes to conform those practices to the guideline. Others that have not formalised their frameworks will face a bigger burden. OSFI did not indicate if there will be transitional relief to allow institutions to bring their practices into conformity over time.

International capital reform

OSFI reviewed the areas currently under review by the Basel Committee for Bank Supervision. According to OSFI, the areas under review include:

  • the risk-weighted assets framework;
  • the calibration of capital floors;
  • the standardised and internal ratings-based approaches to credit risk;
  • the trading book rules for market risk;
  • operational risk;
  • interest rate risk in the banking book;
  • the calibration of the leverage ratio; and
  • sovereign risk.

Essentially, it would appear that nearly every aspect of the Basel Capital Rules is still open for further review.


OSFI devoted an entire portion of the seminar to cybersecurity risk. In 2013 OSFI issued a self-assessment template that it expected institutions to use to assess their current practices in this area. OSFI indicated that it will be focusing on cyber-risk management as part of its examinations and encouraged institutions that have not completed an assessment based on the template to do so. Four areas that OSFI mentioned as needing improvement based on its reviews to date were:

  • implementation of data loss-prevention measures;
  • implementation of advanced analytic tools enterprise-wide to mitigate new malware and cyber threats;
  • central management of the deployment of security patches, including all types of mobile device in use;
  • implementation of tighter controls over the use of elevated system privileges;
  • enhanced security checks on information technology specialists with elevated privileges;
  • enhanced due diligence and monitoring of third-party arrangements, including parent organisations and subcontracting arrangements; and
  • development of test programmes for all external cybersecurity mitigating services.

For further information on this topic please contact John Jason at Norton Rose Fulbright Canada by telephone (+1 416 216 4000).

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.