OSFI Annual Risk Outlook: emerging risks in an evolving financial landscape

Canadian regulator OSFI has said in its 2023 Annual Risk Outlook that a culture of compliance is a “competitive advantage”. We take a look at four critical areas for the year ahead.

25 April 2023
by Jennie Clarke

The Office of the Superintendent of Financial Institutions Canada (OSFI) has published its Annual Risk Outlook (ARO) for Fiscal Year 2023-2024. The ARO takes stock of the current risk environment for federally regulated financial institutions (FRFIs) and serves as a useful guide to the regulation to come in the next Fiscal Year.

This year, OSFI highlights that the risk environment continues to change, against the backdrop of turbulent markets and uncertain geopolitical events. As well as a high interest rate environment, OSFI has seen increased uncertainty across the gamut of financial services, with increasing risks from unregulated entities and emerging technology in particular.

Risk, OSFI says, should be tackled with strong governance and a clear risk culture, which is “critical to FRFI soundness”. It adds that the internal culture of a financial institution can be “a competitive advantage or an accelerant for reputational risks in the evolving risk environment”.

With that in mind, we examine four of the critical areas that firms will need to tackle in the coming year, and highlight how Global Relay can help to mitigate risks.

Digital Innovation Risk

The risk

The rapid pace of technological innovation is changing the way that financial services operate and are delivered. Over the past few years, the rise and subsequent fall of crypto has raised significant questions as to whether the turbulent crypto market could bleed into traditional finance (TradFi). More recently, sudden and considerable innovation in artificial intelligence (AI) has raised further possibilities for risk.

How is OSFI responding?

OSFI is working closely with industry bodies and other regulatory agencies, as well as research centers, on how best to enhance its approach to the supervision of new, technological risks.

In particular, it is working with Innovation, Science and Economic Development Canada (ISED) to ensure that any developments that it makes will be aligned with future legislation, including the Artificial Intelligence and Data Act (AIDA) – Bill C-27.

While legislative conversations are ongoing, OSFI will continue to conduct supervisory reviews, surveys, and industry scans to engage with and understand evolving FRFI business models and activities.

How can Global Relay help?

We pride ourselves on innovating with care. This means that, while we’re at the forefront of digital and technological innovation, we take the time to understand the technology that we’re harnessing, and to ensure that our end-users can understand it too.

Climate risk

The risk

While climate-related risks are not new for financial services, the regulatory arena for climate risk is still in its fledgling stages. These risks are both physical (i.e. risks posed by turbulent and changing weather events) and transitional (i.e. the risks that arise as businesses transition to a “low carbon” economy).

OSFI acknowledges that these risks have knock-on effects in myriad areas, including credit, insurance, and operational resilience, not to mention the reputational risks posed to those who fail to meet emerging climate standards.

How is OSFI responding?

OSFI continues to supervise climate risks, as was set out in its Guideline B-15: Climate Risk Management, which seeks to ensure that financial institutions are taking steps to tackle climate-related governance and risk management capabilities. Specifically, Guideline B-15 lays “foundational expectations” for financial organizations to:

+ Enhance their understanding and readiness to manage climate-related risks within plans and strategies

+ Adopt risk management and governance policies, as well as disclosure practices

+ Ensure they consider the operational and financial effects of climate-related risks

Climate-related risks will also be integrated into OSFI’s new Supervisory Framework. In addition, OSFI is coordinating with the Bank of Canada to develop a regulatory return to collect climate-related risk data from FRFIs.

In order to bolster its ability to assess climate risk, OSFI is seeking to “collect, analyze, and disclose new climate risk data” and is developing a standardized climate scenario analysis exercise, which all FRFIs will be expected to undertake in 2024. Later in 2023, OSFI plans to launch a Canadian-based Climate Risk Forum.

How can Global Relay help?

Climate-related risk has long been on our agenda, and we’ve taken bold steps to minimize our environmental impact. This is especially true of our private green data center, which we opened on Earth Day 2014. The facility uses alternative, eco-friendly data storage and management processes that reduce our environmental impact. So, you can rest assured that your data is stored securely, and without added environmental costs. As climate-related disclosures for third-party operations become increasingly prevalent, choosing Global Relay is a significant step in reducing your carbon outputs.

Cyber risk

The risk

As digital finance continues to evolve, so will the frequency, severity, and sophistication of cyber attacks. OSFI notes that “greater dependency on third-party technology providers” has also had a role to play in the emerging cyber security landscape.

Given the current geopolitical landscape, OSFI highlights that the “risks from either targeted cyber attacks and/or their fallout could become more prevalent”.

How is OSFI responding?

Last year, OSFI piloted “intelligence-led cyber resilience testing” (I-CRT) to help firms identify weaknesses in their technology and cyber controls. This year, it will publish another I-CRT as an implementation guide that will enable FRFIs to conduct periodic assessments for cyber resilience.

As well as this, OSFI’s Technology and Cyber Risk Management Guideline B-13 will come into effect on January 1, 2024, for which firms should be preparing now. The regulator “strongly encourages” firms to self-assess for this guideline and to ensure ongoing compliance with the expectations within.

How can Global Relay help?

Cyber risk is here to stay: as technology develops, so too do the opportunities for innovative cyber criminals. While greater dependency on third-party providers may sometimes increase vulnerability, that isn’t true of Global Relay. We’re acutely aware of cyber and security risk and take nothing more seriously than the security of your data. Our record speaks for itself: we’ve been operating for over 20 years, managing millions of data points, and we’ve never lost a single one.

Third-party risk

The risk

The financial services industry is increasingly reliant on the services of third parties, and increasingly those services concern critical operations. This poses numerous risks, as reflected in recent messaging from global institutions including the UK government and the US Securities and Exchange Commission. OSFI notes that the increased dependency on outsourced arrangements “heightens the risk that FRFIs could be unable to deliver critical services or that their data could be compromised”.

How is OSFI responding?

OSFI is drawing on the learnings of its third-party data submission pilot, which ran from 2022 to 2023, to develop enhancements to “expedite data aggregation, analysis and reporting processes, and improve the ability to identify trends and vulnerabilities” associated with outsourced third-party arrangements.

In April 2023, OSFI plans to publish its own guidance for third-party risk in the form of Guideline B-10: Third-party Risk Management. This Guideline will apply beyond outsourcing arrangements to encompass a “broad and comprehensive scope of third-party arrangements”. The new guidance will place an expectation on firms that they will manage their third-party arrangements in a way that is “proportionate to the level of risk and criticality of each arrangement”.

How can Global Relay help?

We understand that recordkeeping, archiving, supervision, and compliant communications are business-critical services for your organization, so we take our responsibilities seriously.

As well as being completely transparent about our enhanced security, cyber, and resilience policies, we also have the experience and resources needed to ensure that we can deliver effective solutions now, and into the future. We’ve been delivering compliance technology for 23 years, providing services to 22 of the 25 biggest banks in the world. We’re the trusted, secure, and scalable solution to ensure your outsourcing risks are mitigated.