OSFI’s Consultation on Technology: Understanding the risks inherent in the technologies that power the financial industry – Lexology

INTRODUCTION

On September 15, 2020, the Office of the Superintendent of Financial Institutions (OSFI) released a discussion paper regarding technology risks in the financial sector. The paper, Developing financial sector resilience in a digital world: Selected themes in technology and related risks, focuses on digital risks arising from cybersecurity, data analytics, third party ecosystems and data. Today, technology and data are central to the operations of federally regulated entities (FREs). In the paper, OSFI focuses on some of these technologies, including quantum computing, artificial intelligence, cloud computing, and data. OSFI poses questions in areas that it wishes to investigate further, potentially signaling OSFI’s interest in collaborating with stakeholders to develop guidance that balances the safety and soundness of the Canadian financial sector against the needs of the sector to innovate.

The paper should not be taken lightly or ignored. OSFI has requested stakeholder comments on the paper by December 15, 2020. These comments will likely form the basis for further consultations before OSFI tables any firm proposals. Any new guidance from OSFI purporting to regulate technology and related risks could therefore have wide-ranging impacts on the financial sector, including in connection with the following:

Financial institutions have long been seen to be powered by and dependent on a vast array of digital technologies. The ability of financial institutions to reliably deliver critical products and services during the COVID-19 pandemic is but one recent example of how financial institutions are successfully harnessing the power of digital technologies to deliver flexible, reliable and powerful products and services. With that said, this increasing reliance on digital technologies could trigger or amplify operational and financial risks to financial institutions. OSFI indicates that it is assessing the merits of a focus on operational resilience objectives with respect to technology and related risks and believes that a holistic view of operational risk management and operational resilience is warranted.

This consultation is a continuation of earlier work by OSFI to identify and mitigate risks presented from digital technologies, including:

PRIORITY TECHNOLOGY RISK AREAS IDENTIFIED BY OSFI

The discussion paper focuses on principles related to three priority areas: cyber security, advanced analytics and third party ecosystems. As data is foundational to each of these areas, the discussion paper also includes a separate discussion on data risk. OSFI intends to use these principles as a basis for building out more specific regulatory expectations in these areas going forward.

Cyber Security

The cyber security principle focuses on the confidentiality, integrity and availability of information. This builds on the existing work from OSFI related to cyber security, including the 2013 Cyber Security Self-Assessment Guidance, the 2019 advisory regarding cyber incident reporting and the ongoing circulation of Intelligence Bulletins and Technology Risk Bulletins that are intended to complement OSFI’s guidelines and advisories. OSFI notes that it continues to observe gaps in many financial institutions’ cyber security policies, procedures and capabilities and that many opportunities exist for improvement.

As part of this principle, OSFI flags two specific points of focus:

Advanced Analytics

OSFI notes that advanced analytics, and in particular the use of artificial intelligence (AI) and machine learning (ML) models, present a novel set of opportunities and risks. OSFI intends to use the stakeholder feedback received from this discussion paper to inform the development of regulatory and supervisory frameworks that address the risks resulting from the use of AI and ML. OSFI has identified soundness, explainability and accountability as being core principles to manage elevated risks associated with advanced analytics, including AI and ML. Through the consultation, OSFI seeks feedback on whether these three principles appropriately capture such elevated risks or whether there are any additional principles or risks that should be considered.

Third Party Ecosystems

OSFI has long sought to manage the risks presented by financial institutions’ reliance on third party ecosystems, most notably through Guideline B-10. OSFI notes that while the existing principles in Guideline B-10 remain relevant, those guidelines and expectations require review. Areas of specific interest that are noted include:

OSFI will be undertaking a separate consultation process related to the expectations contained in Guideline B-10, which will be informed by the findings of this consultation.

Data

The overarching concept of data is the final area covered by the discussion paper, and in particular how to maintain sound data management and governance throughout the data lifecycle. The areas of focus highlighted are:
