May 13, 2021 Roisin Hutchinson

Respondent Feedback to OSFI Technology Risk Consultation

On September 15, 2020, the Office of the Superintendent of Financial Institutions (“OSFI”) published a discussion paper, Developing financial sector resilience in a digital world. The paper examined the risks arising from increased technological advancement and digitalization, in light of its potential effect on Canada’s financial sector. OSFI invited feedback regarding a variety of technology-related risk areas, with an emphasis on cyber security, advanced analytics, and the technology third party ecosystem. A diverse range of stakeholders including federally regulated financial institutions (“FRFIs”), industry associations, technology companies and consulting firms submitted their feedback. OSFI provided a brief summary of responses by stakeholders and plans to release draft guidance in the future. The full text of OSFI’s results summary publication can be found here.

A brief summary of the responses by the stakeholders includes the following:

Operational Risk & Resilience

Within the larger sphere of non-financial risk and operational risk management, technology risks are effectively managed when included in a firm’s enterprise risk management program. Effective operational risk management (“ORM”) leads to operational resilience, and technology is fundamental for such operations. However, while existing ORM approaches are appropriate, there are still opportunities to bolster practices.

Technology and Cyber Security

Emerging principles-based and technology-neutral perspectives, in which definitions, concepts, and expectations comport with existing guidance and accepted international standards, are most suitable for technology risk management. However, there is room to improve OSFI’s existing guidance. In general, emerging risks can be effectively managed within the larger sphere of technology risk and its management. Among these, quantum readiness requires collective action by government, industry, and academia, and OSFI needs to continue engaging in these efforts.

Advanced Analytics

OSFI’s proposed principles of soundness, explainability and accountability are suitable for addressing emerging model risks, including those posed by artificial intelligence (“AI”) and machine learning (“ML”). However, there are areas where OSFI should consider modifications to bolster its principles. Moreover, human review and oversight of AI and ML models are important. In any event, “[a]ny new model of risk guidance should remain risk- and principles-based, technology agnostic, and aligned with other jurisdictions and existing industry standards.”

Third Party Risk

Technology-related Risk
Technology-related third party arrangements should be considered as part of OSFI’s planned review of Guideline B-10 rather than in separate guidance. Likewise, any cloud risk management provisions could be integrated into Guideline B-10 rather than issued as separate guidance. However, certain expectations regarding technology-related third party arrangements should be replaced with more outcome-based principles.

Proposed Principles
Feedback on the additional principles was split: many respondents suggested changes to the descriptions or proposed additional principles, while other respondents believed that the proposed principles sufficiently depict current and emerging risks.

FinTech Arrangements
OSFI should treat FinTech arrangements like other third party arrangements, because the inherent risks posed by these firms are consistent with those posed by other third party providers. However, OSFI should wait until the regulations pursuant to FRFI statutes on FinTech networking are completed, to avoid overlap.

Data

Existing regulations offer adequate coverage of data risk for FRFIs, so OSFI need not create additional data risk guidance. However, OSFI should consider the Basel Risk Data Aggregation and Risk Reporting (“RDARR”) principles as a foundation for any additional expectations that could apply to all FRFIs, not only systemically important banks.

Key aspects of data risk include quality, security and privacy, and data risk intersects with other risk areas, including cyber security and models. Material data risks can arise from using poor quality data, data misuse, outages or breaches, all of which can cause operational disruption, reputational damage and financial loss.

Watch for any further updates on OSFI’s website, which can be accessed here.
