OSFI, the federal regulator of financial institutions such as banks and insurance companies (FIs), just released a discussion paper, Developing financial sector resilience in a digital world: Selected themes in technology and related risks. The paper signals that the Office of the Superintendent of Financial Institutions may eventually develop guidance to regulate digital risks such as cybersecurity, data analytics, artificial intelligence (AI), quantum computing, third party ecosystems and data.
OSFI’s decision to even study regulating the use of technologies by Canadian FIs is something that needs to be on people’s radar. When OSFI issues guidance, FIs follow it. When it comes to technology, guidance can quickly become outdated and difficult to apply and keep current. For example, OSFI issued an outsourcing guideline (B-10) in 2003 (later updated in 2009). In a 2012 memorandum it confirmed that the guideline applies to cloud computing. OSFI re-confirmed this in the discussion paper, even though many aspects of the guideline are awkwardly suited to cloud architectures and business models and have slowed the transition of material workloads to the cloud. OSFI just announced in the discussion paper that it will hold a separate consultation on B-10 – which means it could be years before B-10 is recalibrated to suit innovations in outsourcing technologies.
FIs are extremely reliant on technologies to bring innovative new products and services to market. Therefore, any new guideline that promulgates new principles or rules for the uses of technology could have major implications for our financial sector. Any guidance, should OSFI conclude it is necessary, would need to carefully balance the need to manage risks to the financial system without unduly hindering technological innovation. The plethora of diverse, evolving and emerging technologies – from AI to quantum computing to big data to the Internet of Things (IoT) – will create challenges to the development of a set of suitable framework principles or rules, especially if they are prescriptive. Further, there are looming and potentially overlapping legislative initiatives federally (the Digital Charter) and provincially (with proposals to amend privacy laws in Quebec, Ontario, and B.C.), which raise risks of multiple inconsistent rules and heightened compliance costs. There is also an important question as to whether special rules for the uses of technology are needed or desirable for regulated FIs, and whether federal regulatory initiatives should apply to all sectors to maintain a level playing field, to the extent constitutionally permissible, especially as dominant technology companies and fintechs are, and are increasingly becoming, important players in the financial sector. Some of the guidance may also be unique to Canadian FIs if it is not in line with evolving global laws, regulatory frameworks, and standards, which could also make global competition more cumbersome.
OSFI has asked stakeholders to submit feedback no later than December 15, 2020 (to [email protected]).
For more information and details about the discussion paper, see the blog post OSFI’s Consultation on Technology: Understanding the risks inherent in the technologies that power the financial industry, written by McCarthy Tetrault lawyers Christine Ing, Mike Scherman, and Barry Sookman.