Annual Risk Outlook – Semi-annual update – Fiscal Year 2024-2025

Publication type: Annual Risk Outlook

Canada’s risk environment continues to evolve. In our Annual Risk Outlook released in the spring, we highlighted 4 top risks:

  • Real estate secured lending and mortgage risks
  • Wholesale credit risks
  • Funding and liquidity risks
  • Integrity, security, and foreign interference

While these four risks remain, integrity and security risks continue to intensify and multiply. In particular, two risks linked to integrity and security have risen in significance since the release of the Annual Risk Outlook: risks to operational resilience and risks related to artificial intelligence (AI). These risks can often be connected and can materialize simultaneously.

Overview of intensifying integrity and security risk landscape

The Superintendent articulated OSFI’s approach to its new integrity and security mandate in a speech on May 8, 2024. This speech highlights the close linkage between non-financial and financial risks, and the effects that non-financial risks can have in undermining the rights of depositors, policyholders, and creditors of financial institutions.

OSFI has implemented an Integrity & Security guideline that structures and clarifies our approach to non-financial risks. We advise readers to consider our views on operational resilience and artificial intelligence within OSFI’s broader approach to operational resilience and integrity and security.

Operational resilience

Integrity and security risks were discussed in the spring Annual Risk Outlook, and we continue to focus on those risks as a key component of operational resilience. We are increasingly concerned with the operational resilience of institutions, particularly with respect to third-party, cyber, technology and integrity and security risks, including fraud and anti-money laundering.

Integrity and security risk

Good governance and risk oversight of non-financial risks at our institutions are essential to ensuring regulatory compliance and maintenance of integrity and security. The approaches used by financial criminals for cyber, money laundering, and fraud have become more complex and increased in sophistication. Mitigating these threats should be a priority for the institutions OSFI supervises. Financial crime activities require financial institutions to continuously accelerate efforts to enhance controls and compliance. Governance gaps at institutions related to integrity and security pose operational, financial, compliance and reputational risks.

Third-party risk

Canadian institutions are highly reliant on a complex network of third parties and technology. The dominance and global reach of some third-party service providers create concentration risk that could cause a third-party incident to affect multiple institutions at once, as well as exposure to incidents outside of Canada.

While concentration and global exposure are most notable in cloud service providers, financial market infrastructure entities, and payment systems, other service providers such as utilities, credit bureaus, market information and records management also expose financial institutions to concentration risk. The absence of robust regulatory frameworks in many third-party industries could lead to inconsistent risk management controls and makes institutions vulnerable to risks such as data breaches and disruption of services through cyber-attacks or failed information technology changes.

Cyber risk

Cyber incidents continue to accelerate across all industries, affecting Canadian institutions and their third-party networks. Elevated levels of ransomware and data breaches continue to be reported globally. The speed and scale of technological innovation as well as technology interconnectivity continue to create or uncover vulnerabilities. While advancements are being made in technology, legacy systems and an absence of robust security control frameworks also present vulnerabilities. With new technologies such as AI advancing rapidly, new innovations could act as accelerants to current risk, making it more challenging to counter threats.

Artificial Intelligence

Rapid developments in Generative AI (GenAI) have resulted in an increased adoption of AI tools in finance, which is expected to continue to expand at a rapid pace. The use of AI in finance has the potential to deliver significant benefits through:

  • enhanced efficiency
  • improved decision making
  • better customer experience

At the same time, these advancements in GenAI can transform and amplify existing risks and give rise to new risks and challenges. For example:

  • increased cybersecurity and third-party risks
  • heightened fraud and money laundering activities
  • potential bias and discrimination in decision making
  • data privacy and quality concerns
  • elevated model risk
  • reputational risk

Ultimately, the availability of GenAI tools has the potential to challenge institutions’ operational resilience, integrity and security. The availability of open-source GenAI tools has also simplified threat actors’ ability to undertake fraudulent and criminal activities, further worsening the AI-related risks.

Overview of our actions

We continue to assess institutions’ preparedness to address integrity and security risks, third-party risks, and technology and cyber-related risks. In addition, we will continue to assess the effectiveness of institutions’ business continuity, disaster recovery plans, and internal third-party contingency plans. These assessments will enhance our understanding of the effectiveness of financial institutions’ preparedness for disruption and their ability to recover rapidly from such disruptions and external threats. Through our collection of third-party data, we are enhancing our understanding of systemic concentration risk and risk trends. We continue to conduct thematic reviews and monitoring on cyber resilience and third-party risk management of critical outsourced functions.

Our assessment of the impact and interrelation of AI adoption on the risk landscape is ongoing, and we plan to strengthen existing guidelines to support mitigation of AI-related risks. As a first step, we will issue our updated Model Risk Management guideline in the summer of 2025, including greater clarity on expectations around AI models.

Annex I

This annex provides an update to our list of guidance priorities for calendar quarters Q4 2024 to Q1 2025. Our policy planning for 2025 continues. We will issue an announcement in early 2025 listing expected policy releases for the first two quarters of calendar 2025. The spring 2025 ARO will provide a list of policy releases expected for the full calendar year. As noted in the Annual Risk Outlook, plans may be changed or amended due to external factors causing us to reconsider policy releases and their timing. In all instances, our regulatory expectations reflect our strategic plans and risk priorities, and help institutions focus on the right risks.

Risk management guidance for FRFIs

Deposit-taking institutions and insurance companies
Timing (calendar) | Initiative | Purpose
Q4 2024 | Regulatory Notice on Culture Risk Management | Finalizes expectations for managing culture risk.
Q1 2025 | Consultation on regulatory compliance management | Public consultation on regulatory compliance management.

Capital and accounting guidance for FRFIs

Deposit-taking institutions and insurance companies
Timing (calendar) | Initiative | Purpose
Q4 2024 | Final International Financial Reporting Standards 17 (IFRS 17) Guideline | Replaces IFRS 17 Advisory.
Q4 2024 | Final revised LAR Guideline | Finalizes updates to the LAR Guideline.
Q4 2024 | Final revised Mortgage Insurance Capital Adequacy Test (MICAT) Guideline | Finalizes updated MICAT Guideline on the capital requirements for multi-unit residential exposures.
Q4 2024 | Final revised Life Insurance Capital Adequacy Test (LICAT) Guideline | Finalizes updated LICAT Guideline on the new segregated fund guarantee capital requirements, and other minor adjustments.
Q1 2025 | Final revised guidance on capital and liquidity treatment of crypto assets | Finalizes updated guidance for the capital and liquidity treatment of crypto asset exposures.
Q1 2025 | Final Guideline on public disclosure of crypto assets | Finalizes Guideline on crypto asset exposure disclosures.
Q1 2025 | Draft revisions to the Capital Adequacy Requirements (CAR) Guideline | Public consultation on revisions to the capital requirements for deposit-taking institutions.