OSFI’s Annual Risk Outlook – Fiscal Year 2025-2026

Integrity and security risk

Heightened geopolitical tensions, rapid technological advancements, and increased reliance on a complex network of third parties create vulnerabilities to the integrity and security of Canadian institutions and the financial system. The number of threats to integrity and security, as well as the complexity of managing those threats has made this risk our top priority.

Criminals and state-linked actors engaging in activities such as money laundering, fraud, and cyber-attacks are becoming more advanced and difficult to detect. We expect these activities to continue to accelerate driven by advancements in AI, digitalization, and increasing reliance on third-party service providers. In a more volatile political climate, state actors and state-sponsored actors may target Canadian institutions not just for financial gain but to further their political objectives and disrupt the smooth functioning of Canada’s financial infrastructure and broader economy.

Increased global regulatory actions targeting financial crimes highlight the risk from threats to integrity and security. Institutions that have weaknesses in their integrity and security policies, procedures, and governance could face significant pressure and penalties in foreign jurisdictions, particularly if those breaches facilitate money laundering, drug trafficking, or other illicit and prohibited activities or are deemed intolerable by foreign regulators.

We observe elevated levels of ransomware, exploited software vulnerabilities, and data breaches globally. Cyber-attacks are constant and require institutions to be highly vigilant to protect their operational resilience and safeguard their stakeholders.

Increased reliance on third-party service providers and the absence of robust regulatory frameworks in many third-party industries create new channels for cyber-attacks or insider threats. Financial institutions will have to engage in due diligence to ensure their complex network of service providers is secure and that they have the operational resilience to withstand business disruptions.

The many threats to integrity and security require financial institutions to ensure they have robust controls around compliance, risk, and governance while being committed to continuous maintenance of their risk frameworks.

OSFI response

Given the rapidly changing threat landscape, we have begun a broad range of activities to address integrity and security risks and will advance those activities further in the year ahead. Our National Security Sector (NSS) is strengthening relationships with security and intelligence partners to better assess integrity and security risks during approval processes and supervisory examinations and to enhance institutions’ resilience to national security threats. Our intelligence teams within NSS are now conducting holistic assessments of security risks posed by individuals and entities influencing institutions, with a particular focus on foreign jurisdictions. Recently, we co-hosted a classified national security threat forum where specialists from the Canadian security and intelligence community provided insights to help attendees assess geopolitical, cyber, and insider threats to their institutions. Senior representatives from Canadian institutions attended the inaugural event that we will repeat at least annually in the years to come.

The information we received from institutions following the release of our Integrity and Security Guideline in January 2024 informed our views of the adequacy of policies and procedures against threats to integrity and security. Our first Annual Report on the Integrity and Security of Federally Regulated Financial Institutions was issued to the Minister of Finance in December 2024. We will communicate specific themes from our analysis to the industry in March 2025. In addition, we will reach out to specific institutions to address areas of weakness relative to expectations.

To assess institutions’ management of the risks that underpin integrity and security, we engage in direct discussions, targeted reviews, and analyze data related to operational, third party, technology, compliance, governance, and cyber risks. We plan to develop enhanced expectations on corporate governance, including the suitability and accountability of boards and senior management. We plan to consult on a draft Corporate Governance and Accountability Guideline in the fall.

Our focus on AI and its impact to institutions’ integrity and security has increased. We are working together with the private sector, Department of Finance, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), and the Financial Consumer Agency of Canada (FCAC) to understand how AI impacts a broad range of risks related to integrity and security as well as conducting supervisory work to assess AI risks and institutions’ preparedness.

Additionally, we enhanced the incident reporting process used by institutions to report cyber and technology incidents to OSFI. Improvements to this process support timely risk identification, peer comparisons, and supervisory actions.

Wholesale credit risks

Corporate and commercial borrowers continue to face economic challenges. Despite recent interest rate cuts, businesses remain vulnerable to macroeconomic uncertainties, elevated debt servicing costs, and weakening consumer demand that can lead to refinancing challenges. Geopolitical events, including increased trends of trade protectionism, can negatively impact industries and lead to greater vulnerabilities in the institutions we supervise.

While significant credit losses have not occurred, negative credit migration may continue as delinquencies and defaults are trending higher. Private credit firms are increasing their presence and interactions with federally regulated financial institutions. This can introduce additional risks to the industry such as more lenient deal terms with potentially less stringent underwriting standards.

Commercial real estate (CRE), especially both the office and the construction and development sub sectors, is experiencing weakness driven by reduced demand and interest rates that remain elevated despite recent reductions. High vacancy rates are driving declines in office property values. Many companies continue with work-from-home arrangements and may downsize their office space at lease renewal. Older buildings and less desirable locations are under the most stress. Additional equity may be required from owners to refinance negatively impacted office properties. The industrial CRE sector, which had been performing well, is softening and giving rise to concerns about valuations sustainability. Due to lower demand and higher deliveries, available supply in the CRE industrial sector is growing, which can accelerate in a slowing economy.

High-rise condo construction is undergoing a significant slowdown with some developers facing increased stress. Lower demand, lower valuations, and higher construction costs are creating near-term challenges for developers. Pre-sales are taking much longer to reach thresholds necessary for projects to move forward, which is causing delays and cancellations. Valuation declines and interest rate levels are contributing to walkaway risk.

CRE sector risks can impact multiple industries, including banking through direct and indirect lending, life insurance companies given their material exposures to the sector, including investments in commercial mortgages and property ownership, particularly in the office subsegment, and pension funds through their investments.

OSFI response

As the credit landscape becomes more volatile and less certain, we are focussing our supervisory efforts on assessing developments, both domestically and internationally, that could negatively impact the credit environment for our institutions. We perform continuous research and analytics to help identify wholesale credit risks trends and appropriate responses.

We continue to assess credit risk management practices and loan loss provisioning as well as borrower and portfolio vulnerabilities at institutions. We are conducting supervisory reviews on account management practices, risk ratings, and downturn readiness. Institutions can expect follow-up questions and information requests arising from our monitoring and review efforts.

An expanded, loan level, non-retail data call that collects detailed data from institutions on wholesale credit risk exposures enhances our supervisory efforts. This data call provides timely information on credit exposures across the financial system and enhances our ability to identify vulnerabilities and assess potential impacts from stress scenarios. Additionally, the data supports monitoring of institutions’ alignment with our supervisory expectations as outlined in our regulatory guidance, which helps us compare peers and take a targeted approach to supervisory work on this risk.

Funding and liquidity risks

Market confidence and conditions drove a stable liquidity and funding environment for financial institutions over the past year. Renewed uncertainty within financial markets, driven by heightened geopolitical risk, could challenge this stability if it drives market participants to reassess their risk appetites.

Deposit flows have remained stable for banks, supported by retail customer confidence in the banking system. Wholesale funding markets are operating effectively as central banks around the globe continue their pivot from higher policy rates to more accommodative monetary policies. Institutions continue to be met with strong investor appetite when going to market for funding. However, renewed geopolitical uncertainty transmitted through to financial markets could create liquidity shocks. These can occur quickly if there is a change in sentiment among depositors or counterparties as they react to macroeconomic volatility and/or bank specific risk events.

If geopolitical and macroeconomic uncertainty worsen and trigger material levels of interest rate, foreign currency, or credit volatility, wholesale funding markets could tighten quickly, with reduced access and increased issuance spreads and hedging costs. Dysfunctional capital markets would have detrimental effects on the global financial system.

The interconnected nature of funding and liquidity markets makes them highly susceptible to rapid transmission of risk events. For example, intraday liquidity is inherently vulnerable due to the increasingly near real-time nature of payment flows as digitalization continues to increase, potentially reducing reaction time and thoughtful responses to stress events. A disruption can rapidly exacerbate liquidity stress across payment counterparties and the system as a whole. Additionally, institutions relying on foreign currency funding may encounter unexpected disruptions amid foreign currency volatility or retrenchment of counterparty appetite. Similarly, liquidity and funding intersect with credit markets. Institutions that rely on securitization markets for funding, could face considerable challenges if economic conditions negatively influence credit risk appetite.

OSFI response

In 2025, we plan to assess institutions’ liquidity risk arising from complexities of operating in multiple jurisdictions and currencies. The plan will consist of the following:

• We will assess institutions’ preparedness for addressing potential frictions arising from cross-border liquidity flows and currency mismatch. In doing so, we will consider aspects related to exposures, risk appetite and policy limits, mitigation strategies, and contingency planning.
• We will continue to deepen our line of sight into liquidity risk management at institutions’ material foreign operations. We will assess the effectiveness of the management programs that reflect host market conditions and regulatory expectations while maintaining alignment with the enterprise framework.

In conjunction with these supervisory plans, we will also continue with targeted updates to liquidity guidance. Specifically, we plan to consult on revisions to the Liquidity Adequacy Requirements Guideline, introducing new funding categories to better reflect emerging funding sources. We also plan to consult on a more structured approach to supervising liquidity risk with a discussion paper describing an Internal Liquidity Adequacy Assessment Process, which will require Holistic Liquidity Plans with a strategic approach to risk management and mitigation.

Real estate secured lending and mortgage (RESL) risks

Recent interest rate cuts of 200 basis points since June 2024, are providing some relief to residential mortgage borrowers. However, many borrowers still face rates that will be higher than their original mortgage rate upon renewal.

As of November 2024, 36% of all outstanding mortgages that have yet to experience a payment increase since origination will be up for renewal by the end of 2026. These are fixed rate mortgages (FRM) and variable rate mortgages with fixed payments (VRMFP) originated when rates were at historic lows. VRMFPs are expected to experience the largest increase in mortgage payments upon renewal. While lower interest rates may help to address this size of the increase in payments, it could also lead to an increase in new VRMFP originations.

At a national level, delinquencies increased from their historic lows but continue to be below pre-pandemic levels. We expect delinquencies to continue their rise as mortgage holders make higher mortgage payments after renewing at higher interest rates. Regional differences exist across Canada, with the Greater Toronto Area and the Greater Vancouver Area exhibiting the greatest signs of stress.

As mentioned earlier, the condominium market is under pressure due to the 2024 completion of a backlog of condo construction projects leading to oversupply in a soft market. At the same time, there has been a significant drop in demand from investors and owner-occupied borrowers due to negative carrying costs without offsetting capital appreciation as well as economic pressures.

Changes to the economic environment, such as increases in unemployment rates and uncertainty driven by potential U.S. trade protectionism, could lead to more vulnerable segments of the market being unable to service their mortgage debts. These developments could hamper the recovery of the housing market and stabilization of RESL risks.

OSFI response

We continuously monitor the risk profiles of institutions’ residential mortgage lending activities though advanced analytics and a robust examination framework to ensure mortgage lenders adhere to prudent underwriting standards, portfolio and account management practices outlined in OSFI’s Guideline B20.

The number of VRMFP mortgages in negative amortization, or paying interest only, decreased by 60% from peak levels in 2023 as a result of proactive actions taken by banks and borrowers, as well as a decline in interest rates. However, we continue to promote active management of the risks posed by VRMFP mortgages through adequate loan loss reserves and early intervention with borrowers vulnerable to payment shock.

In 2024, we clarified expectations of sound practices when granting forbearance to borrowers experiencing financial difficulty in anticipation of substantial mortgage renewals at higher rates amid a backdrop of increased cost of living and high household indebtedness. We also introduced institution-specific limits on the proportion of uninsured mortgage originations that exceed a 4.5x loan-to-income ratio to prevent excessive household leverage, especially during periods of low interest rates. This effort has improved OSFI’s supervisory acuity into risk concentrations in the mortgage lending space, as well as our ability to mitigate those risk concentrations. We will continue to press forward these responses over the next year.

Additionally in 2024, we removed the need to apply the Minimum Qualifying Rate to uninsured stand-alone mortgage borrowers when it is a straight-switch from one federally regulated financial institution to another.