On October 13, 2023, the Office of the Superintendent of Financial Institutions (“OSFI”) issued a draft Integrity and Security Guideline (the “Guideline”) further to recent changes enacted through Bill C-47, the Budget Implementation Act, to require federally regulated financial institutions (“FRFIs”) to “have and adhere to adequate policies and procedures to protect themselves from threats to their integrity and security, including foreign interference”, starting on January 1, 2024.

Comments on the Guideline are due November 24, 2023. The OSFI intends to issue a final Guideline by end of January 2024.

Expectations under the Guideline are to “are to be applied on a proportional basis” based on a FRFI’s ownership structure; strategy and risk profile; and scope, nature, and location of operations.

Definition of Key Terms

The Guideline defines certain key terms, including “integrity”, “security”, “foreign interference” and “undue influence.” Each of these terms is defined broadly, with the definitions only stating what each “includes” and not purporting to be a comprehensive definition.

  • Integrity” is defined as including “actions, omissions, and decisions consistent with the letter and intent of ethical standards, regulations, and the law.”
  • Security” is defined as including “protection against malicious or benign internal and external” physical threats and electronic threats.
  • Foreign interference” is defined as including “activities that are within or relating to Canada, detrimental to the interests of Canada, and are clandestine or deceptive or involve a threat to any person, including attempts to covertly influence, intimidate, manipulate, interfere, corrupt or discredit individuals, organizations, and governments to further the interests of a foreign country.”
  • "Undue influence"is defined as including “situations where a person or entity engages in actions, behaviours, deception, or the use of power to impact actions, decisions, or behaviours in their own or another’s interests. Undue influence can originate from foreign or domestic actors.”

The Guideline notes that while “integrity” and ”security” are “distinct concepts, they can be interrelated.”

Key Principles

The Guideline sets out 10 key principles:

Integrity (Principles 1-4)

  • Character - Principle 1: “Senior leaders are of good character and demonstrate integrity through their words, actions, and decisions.”

Principle 1 expands the current expectations under Guideline E-17 Background Checks on Directors and Senior Management, to require that FRFIs complete a review of the character of boards of directors and senior management as demonstrated through their past and current behavior, to ensure their integrity.

  • Culture - Principle 2: “Culture consistent with ethical norms is deliberately shaped, evaluated, and maintained.”

Principle 2 expands the current expectations under the draft Culture and Behaviour Risk Guideline to require FRFIs ensure that their culture reflects norms of ethical behaviour.

  • Governance - Principle 3: “Governance structures subject actions, omissions, and decisions to appropriate scrutiny and promote ethical behaviour.”

Principle 3 expands the current expectations under the Corporate Governance Guideline and Guideline E4 Foreign Entities Operating in Canada on a Branch Basis (where applicable), to require FRFIs ensure appropriate governance oversight of ethical behavior, including through their code of conduct and conflict of interest policies and procedures.

  • Compliance - Principle 4: “Effective mechanisms to identify and verify compliance with standards, regulations, and the law exist.”

Principle 4 expands the current expectations under Guideline E-13 Regulatory Compliance Management to more specifically require that FRFIs ensure compliance “focuses on not just the letter of requirements but also the intent”, and that there be effective channels, such as whistleblowing programs, to raise concerns over non-compliance.

Security (Principles 5-10):

  • Physical Premises - Principle 5: “Physical premises are safe, secure and monitored appropriately.”

Principle 5 creates new expectations that FRFIs put in place “[s]tandards and controls for physical buildings, office spaces, physical file storage, and technical security inspections”, including periodic sweeps for covert devices.

  • People - Principle 6: “People should be subject to appropriate background checks and security screening, and strategies should be put in place to manage risk.”

Principle 6 creates new expectations that FRFIs perform background checks (renewed on a regular basis and equivalent to at least the Government of Canada’s Enhanced Reliability Check) on all employees and contractors. In addition, there should be standards and controls that “consider factors such as authority, seniority, and access to sensitive information.”

  • Technology Assets - Principle 7: “Technology assets should be secure, with weaknesses identified and addressed, effective defences in place, and issues identified accurately and promptly.”

Principle 7 expands the current expectations under Guideline B-13 Technology and Cyber Risk Management (“Guideline B-13”) to require FRFIs create an “[e]nhanced description of what constitutes malicious actions towards IT infrastructure.”

  • Data and Information - Principle 8: “Data and information should be subject to appropriate standards and controls ensuring its confidentiality, integrity, and availability.”

Principle 8 creates new expectations to require that FRFIs engage in “[d]ata classification consideration of vulnerability to malicious activity, undue influence, or foreign interference” and also expands on expectations under Guideline B-13 and the draft Guideline E-21 Operational Resilience and Operational Risk Management to require that there be “[p]ersonnel access requirements to prevent undue influence and foreign interference.”

  • Third-Party Risk - Principle 9: “Third parties should be subject to equivalent and proportional measures to protect against threats.”

Principle 9 creates new expectations to require that FRFIs perform an “[a]ssessment of third-party arrangements from the lens of security and susceptibility to undue influence, foreign interference, and malicious activity”, engage in “[b]ackground checks and security screening of senior leaders of vulnerable third parties” and have in place “[t]ransparent and objective procurement processes.”

  • Reporting - Principle 10: “Threats stemming from undue influence, foreign interference, and malicious activity should be promptly detected and reported.”

Principle 10 creates new expectations that FRFIs notify the OSFI when a report is made to the Canadian Security Intelligence Service, the Royal Canadian Mounted Police, or other authorities regarding undue influence, foreign interference, or malicious activity.

On the whole, these Principles are expressed as high-level general guiding principles and should be considered by each FRFI based on the particular individual context of such FRFI and its particular vulnerabilities to integrity and security risks. In particular, as noted above, each FRFI should consider the Guidance and the principles based on the context of the FRFI’s ownership, strategy and risk profile, and scope, nature, and location of operations, and tailor its policies and compliance program accordingly.