Regulator launches consultation to understand usage and risk management in three main areas
As the COVID-19 pandemic effectively restricted many forms of in-person business, financial-service institutions found themselves relying more on digital platforms and remote-work arrangements to ensure their continuing ability to meet customers’ needs. That has created a climate of convenience as well as an environment of risks – which is what the Office of the Superintendent of Financial Institutions (OSFI) wants to address.
OSFI has kicked off a three-month consultation on the topic of cyber risks with a new discussion paper titled Developing financial sector resilience in a digital world. Specifically, the paper focuses on the threats and vulnerabilities developing as a consequence of rapid technological advancement and digitalization, especially their impact on operational risk.
"Digital technology continues to transform the financial sector. The pace of change has only increased since the pandemic began,” said Ben Gully, assistant superintendent, Regulation Sector at OSFI. “This consultation will help OSFI to refine its regulatory and supervisory framework in a complex, rapidly changing digital world.”
Aside from the rapid technological advancement accelerated by COVID-19, the report cited forces like fintech and globalization that are generating non-financial risks today as well as amplifying financial risks in traditional areas of prudential oversight.
Drawing from research, consultations, and its previous regulatory work, OSFI identified three priority risk areas with respect to technology: cyber security, advanced analytics (including artificial intelligence and machine learning models), and the third-party ecosystem.
For each area, it proposed core principles to guide regulation – confidentiality, availability, and integrity in the case of cyber security, for example – though it also asked for feedback on whether principles-based regulation would represent the best approach.
The report also underscored the importance of data as a foundational element, devoting a discussion to the management of data risks. Aside from reputational, legal, and compliance risks faced by financial institutions collecting and using consumer data, OSFI pointed to the potential impact of financial consumer data exposure or misuse.
“The contributions received and the discussions that will occur will support effective risk management and enhance resilience in the Canadian financial sector," Gully said.