C.D. Howe Institute speech on Integrity and Security

Thanks for the kind introduction, Stuart.

Before I begin, let me first acknowledge that we meet today on the traditional land of the Mississaugas of the Credit, the Anishinaabeg, the Chippewa, the Haudenosaunee, the Wendat peoples and the home to many diverse First Nations, Inuit, and Métis peoples.

I am grateful to have the opportunity to be present in this territory. I urge everyone to review the Truth and Reconciliation Commission of Canada’s 94 calls to action.

I am here today because I wanted to address in a public fashion the expanded mandate that Parliament assigned to the Office of the Superintendent of Financial Institutions (OSFI) last year. As you will recall, in the 2023 Budget Implementation Act, Parliament amended OSFI’s mandate to require OSFI to supervise federally regulated financial institutions to determine whether they have adequate policies and procedures in place to protect themselves against threats to their integrity or security, including foreign interference.

OSFI’s singularly-focused mandate

Historically, OSFI had a single overriding requirement in our mandate: to ensure institutions remained in sound financial condition and, when they strayed from that state, to direct their boards of directors to take prompt corrective actions to return their institutions to financial soundness.

This singularly focused mandate worked quite well for the first 20 years of OSFI’s existence, but its utility waned during the global financial crisis. Regulators realized that although financial condition indicators (e.g., capital and liquidity) were critical to institutional and systemic stability, they were too often lagging indicators. So, we in the financial institution regulatory profession began focusing on non-financial risks as the economy emerged from the financial crisis.

In Canada, my two immediate predecessors, Julie Dickson and Jeremy Rudin, ensured OSFI responded with urgency and care in building an array of non‑financial risk guidelines. I was blessed to have the benefits of their hard work when I began my term of service as Superintendent.

What does “prudential” mean?

And yet, until last year, we at OSFI had a tendency – a strong one in fact – to separate our non-financial risk guidelines (e.g., Corporate Governance, Third-Party Risk Management) from our financial risk guidelines (e.g., capital and liquidity adequacy). We tended to classify financial risk as “prudential” and non-financial risk as “non-prudential.” We had a separate and unequal approach to financial and non-financial risks.

Now, “prudential” is an interesting word. We at OSFI had tended to hear the word and associate it with financial stability and, in so doing, unconsciously sustained this separate and unequal approach to financial institution regulation and supervision. Then, we would encounter non-financial difficulties at financial institutions that did not always include financial shortcomings but always included a measure of uncertainty about institutional viability. Some of these institutions you heard and read about, most you did not.

We have learned over the past several years that our traditional definition of the word “prudential” was incomplete. We thought that solvency was king but that mindset has proven to be overly simplistic because we underappreciated the fact that non-financial risks can produce financial risks, often suddenly and abruptly. Solvency and liquidity risks are critical to focus on and manage but, as I stated earlier, they are usually lagging signals of financial instability. Experience teaches us that inadequate assessment of non-financial risks is usually the root cause of financial instability at an institution.

What a good financial institution regulator, or their legal counsel, will tell you is that the adjective “prudential” does not actually refer solely to protection against threats to financial stability. It refers to the protection of depositors, policyholders, and creditors. In fact, OSFI’s mandate was built around this true and complete definition of the adjective “prudential.” In the OSFI act, Section 4 Paragraph (3) directs OSFI to “… protect the rights and interests of depositors, policyholders and creditors of financial institutions.” With a more mature reading of OSFI’s act, one comes to the realization that non-financial risks can undermine the rights of depositors, policyholders, and creditors of financial institutions. And that financial risks often emerge as the final signals of that process. Therefore, non-financial risks are, in fact, prudential risks and OSFI must supervise and regulate them in a manner equivalent to its supervision and regulation of financial risks.

In fact, if one steps back and takes a common sense look at financial institutions, they will find this expanded definition of “prudential” is common sense. As a creditor or lender of a financial institution, ask yourself this: can I truly find comfort in my financial institution’s capital or liquidity ratios, if I have concerns about its cyber risk management, third-party risk management, the integrity of its leaders, the security of its physical and information assets, its fidelity in adhering to the laws in the jurisdictions in which it operates, the culture of the organization, and the strength of governance provided by its board of directors?

Financial history is littered by companies that failed on these dimensions even though their financial indicators did not signal the severity of their problems, near to or until the last day of their existence. If you are not persuaded by this argument, please solicit the points of view of those institutions’ former creditors … or … their former shareholders.

Interpreting OSFI’s Integrity and Security guideline

Thus, I have come to see the revisions to OSFI’s mandate as an appropriate and natural maturation of its supervisory and regulatory responsibilities to Canadians. Moreover, the Integrity and Security regime that we are building, rather than being new regulation, is in fact, a re-characterization of the supervisory and regulatory work we have advanced since the global financial crisis of 2008-2009.

In fact, if one reads OSFI’s recently published Integrity and Security guideline, I argue that one will conclude that rather than bringing new regulatory expectations into being, the guideline actually brings together pre-existing non-financial guidelines into a cohesive whole.

Nevertheless, I consider this forum a great opportunity to provide more colour to the Integrity and Security part of OSFI’s mandate and so, with my remaining time, I will answer the following question:

How should federally regulated financial institutions (FRFIs) interpret the Integrity and Security guideline and what should they expect from OSFI?

Relying on historically strong governance and OSFI’s principles-based approach

If we look objectively at the performance of Canada’s financial system this century, I think we can conclude that the system has outperformed many other financial systems on the dimensions of financial stability and resilience. Institutional failure has been quite rare, and our financial system has come through periods of serious to severe financial uncertainty without material disruption. This is quite a track record and one that informs OSFI’s approach to our Integrity and Security guideline.

I see two core contributors to our system’s resilience. First, Canadian FRFIs have benefited from strong board governance. And second, Canada’s principles-based regulatory approach has enabled OSFI to develop an agile, responsive, and collaborative array of regulatory guidelines.

And so OSFI will interpret our new Integrity and Security guideline by relying on those two core contributors. To that end, three broad strategies will characterize OSFI’s approach:

1. OSFI’s Integrity and Security guideline will rely on the active engagement and stewardship of boards of directors;
2. OSFI will focus its supervisory efforts on the principles and outcomes set out in the Integrity and Security guideline;
3. It is for boards of directors to define the right principles and outcomes for Integrity and Security at their institutions, not OSFI.

Integrity and Security relies on the active engagement and stewardship of boards of directors

At the start of this century, Canadian financial institutions, particularly the largest ones, led the way globally in splitting the positions of board chair and CEO. This may seem normal now, but only because those institutions took action to make their corporate governance practices more effective.

Despite the uncertainty and volatility of the last 25 years, Canadian federally regulated financial institutions, or FRFIs, have outperformed many of their global peers in capital resilience, liquidity resilience, and resilience to non-financial risks. These outcomes — effective corporate governance and extraordinary resilience — are not coincidental. Canadian boards deserve praise for this track record.

At OSFI, we rely on boards of directors to fulfil the important role as insightful, watchful stewards over their institutions’ franchise values, especially when risks intensify. And we will double down on our reliance on boards of directors as we fulfill our Integrity and Security mandate.

As noted earlier, Integrity and Security brings together many critical non-financial risk guidelines into a comprehensive, overarching guideline. In so doing, OSFI has elevated Integrity and Security stewardship to the board level. We expect boards to comprehensively examine their oversight of non-financial risks and synthesize them into an enterprise-wide approach to protecting their institutions from threats to their Integrity and Security. While the visibility and scrutiny of these activities will intensify, we do not think we are asking boards to do anything new or that they are not already tasked by their shareholders to do.

OSFI will focus its supervisory efforts on the principles and outcomes set out in the Integrity and Security guideline

Our guideline is built around two broad outcomes and ten broad principles.

With respect to Integrity and Security, we define an expected outcome for each.

For Integrity, we expect boards will mandate their management to take actions, behaviours, and decisions that are consistent with the letter and intent of regulatory expectations, laws, and their own codes of conduct.

For security, we expect boards will ensure that their institutions’ operations, physical premises, people, technology assets, and data and information are resilient and protected against threats.

We have also identified ten key principles that we expect boards to uphold.

Principle 1: Character

Responsible persons and leaders are of good character and demonstrate integrity through their actions, behaviours, and decisions.

Principle 2: Culture

Culture that demonstrates integrity is deliberately shaped, evaluated, and maintained.

Principle 3: Governance

Governance structures subject actions, behaviours, and decisions to appropriate scrutiny and challenge.

Principle 4: Compliance

Effective mechanisms to identify and verify compliance with regulatory expectations, laws, and codes of conduct exist.

Principle 5: Physical Premises

Physical premises are safe and secure and monitored appropriately.

Principle 6: People

People should be subject to appropriate background checks, and strategies should be put in place to manage risk.

Principle 7: Technology Assets

Technology assets should be secure, with weaknesses identified and addressed, effective defences in place, and issues identified accurately and promptly.

Principle 8: Data and Information

Data and information should be subject to appropriate standards and controls ensuring its confidentiality, integrity, and availability.

Principle 9: Third-party Risk

Third parties should be subject to equivalent and proportional measures to protect against threats.

Principle 10: Undue influence, foreign interference, and malicious activity

Threats stemming from suspected undue influence, foreign interference, and malicious activity should be promptly detected and reported.

It is for boards of directors to define the right principles and outcomes for the Integrity and Security of their institutions, not OSFI

Since we published our Integrity and Security guideline, an incorrect meme has arisen that OSFI is regulating core institutional values and culture. I disagree with this argument, and I point to the summary of the guideline I just recited.

In culture, for example, we do not articulate any expectations for the specific cultural values at any institution we regulate. In fact, we think institutional cultures are a product of their histories, industries, leadership, governance, and experience. More emphatically, institutional cultures are not a product of their regulators’ point-of-view or opinions. Our guideline only asks boards of directors to define their institutions’ own culture and underlying values and then take deliberate action to shape, evaluate, and maintain them.

We see this same approach in our guidance around character and people. We ask boards to define what those terms mean to their organizations and then take affirmative action to ensure those principles are upheld by management.

Conclusion

I hope I have persuaded each of you that the addition of Integrity and Security to OSFI’s mandate is another step in the maturation of Canada’s financial system. More importantly, I hope each of you have more comfort that our approach to this mandate change remains well within OSFI’s principles-based tradition and our dedication to sustaining a will to act.

And I would be remiss if I did not acknowledge that we have published a new guideline that adds some measure of additional regulatory load for boards and management teams. We will do our best to minimize that load.

I do think the pairing, within OSFI’s mandate, of an Integrity and Security component with our traditional Sound Financial Conditions component does present an opportunity to look critically at the array of OSFI’s guidelines. We have published many guidelines throughout our history and I think we would do well to ask ourselves if each guideline fits within either the Sound Financial Conditions or Integrity and Security buckets. If the answer to that question is no, then I do think that guidelines that do not relate to either buckets are due for a measure of scrutiny; a regulatory shark tank, if you will, in which we force ourselves to look for opportunities to reduce regulatory load. I look forward to engaging with the industry in the near-term on this.