Keynote speech for Kathy Thompson, OSFI’s Assistant Superintendent, NSS Anti-money Laundering (AML) and Financial Crime Annual Canadian Forum
Speech - Toronto -
Introduction
Good afternoon.
Thank you for the kind introduction, Ana. It’s great to be here with all of you.
Before I begin, let me first acknowledge that I am joining you today from the traditional unceded territory of the Algonquin Anishnaabeg People and the home to many diverse First Nations, Inuit, and Métis peoples.
As Ana mentioned, my role is Assistant Superintendent of the National Security Sector at the Office of the Superintendent of Financial Institutions, or OSFI for short.
Unlike most of my colleagues at OSFI, my background is not as a financial regulator or working in the financial sector but rather my background is in security, law enforcement, and intelligence.
Turning to the topic of my remarks today, I want to highlight OSFI’s expanded mandate to address integrity and security risks, including those related to money laundering, and explain how we work together with our partners.
But before delving into that, let me provide some background for those who may be less familiar with our organization, to help understand why we were tasked with this new responsibility.
OSFI is an independent federal government agency dedicated to fostering public confidence in the Canadian financial system. Established in 1987, we report to Parliament through the Minister of Finance, and we work closely with the Bank of Canada, the Canada Deposit Insurance Corporation (CDIC), and other government financial agencies.
Our role is to regulate and supervise federally regulated financial institutions, which include banks, insurance companies, and pension plans.
We enable a healthy marketplace in which:
- banks can continue to give out loans and take deposits;
- insurance companies remain solvent and can pay out policyholders;
- and pension plans can continue to make payments to retirees.
Taken together, these functions help support financial stability in Canada.
For its first three decades, OSFI’s primary focus was on financial risks such as capital, liquidity, and credit.
However, since the 2008 global financial crisis, it has become clear that risks once considered “non-financial” in nature can produce serious financial risks, often suddenly and abruptly.
Evidence has shown that inadequate assessment of such non-financial risks associated with technology, corporate culture, and third-party risks are often the root cause of financial instability at an institution.
Our Superintendent, Peter Routledge recently acknowledged that until last year, OSFI had a tendency – a strong one in fact – to separate our non‑financial risk guidelines, such as those related to Corporate Governance and Third-Party Risk Management, from our financial risk guidelines, for example, our guidance on liquidity adequacy requirement.
We tended to classify financial risk as “prudential” and non-financial risk as “non-prudential” and by doing so, we had a separate and unequal approach to mitigating financial and non-financial risks.
Now, “prudential” is an interesting word. We at OSFI had tended to hear the word and associate it with financial aspects and, in so doing, unconsciously applied this separate approach to financial institution regulation and supervision.
Then, we would encounter non-financial difficulties at financial institutions that did not always include financial shortcomings but always included a measure of uncertainty about institutional viability. Some of these institutions you heard and read about, most you did not.
By learning from these experiences, we realized we needed to continue to sync up our approaches to financial and non-financial risk as our understanding of solvency was skewed. We thought that solvency was paramount – but prudential regulation is more than just solvency.
Solvency and liquidity risks are critical but can be lagging indicators of financial instability. We now understand “prudential” in a broader sense; that underestimated non-financial risk can trigger financial instability.
Experience teaches us that inconsistent assessment of non-financial risks is usually the root cause of financial instability at an institution.
OSFI’s mandate was built around the definition of the adjective “prudential” as described in the OSFI Act, (Section 4 Paragraph (3)). It directs OSFI to strive to “… protect the rights and interests of depositors, policyholders and creditors of financial institutions.”
When one steps back and thinks about this direction in OSFI’s act, one realizes that non-financial risks can undermine the rights of depositors, policyholders, and creditors of financial institutions.
And that financial risks often emerge as the final signals of that process. We see non-financial risks as prudential risks and we must supervise and regulate these risks as well.
Part of our work at OSFI is to ensure financial institutions manage their risks in this complex and interconnected risk environment. That’s why each spring we publish our Annual Risk Outlook (ARO), which highlights the significant risks facing Canada’s financial system and our responses to those risks.
We just published our third ARO two weeks ago, which is available on our website.
This year, we’re highlighting four key risks that we consider the most critical - and integrity and security, including foreign interference, is one of those four.
Supervising non-financial risk is not new to OSFI. In 2018, we released several guidelines on risk management, including our guidelines on Third-Party Risk Management, Technology and Cyber Risk Management, and Background Checks on Directors and Senior Management.
However, our role was formalized in June 2023, when the Government of Canada expanded OSFI’s mandate to specifically address integrity and security, including foreign interference.
By doing so, the Government effectively enshrined the importance of non‑financial risk to the overall safety and soundness of federally regulated financial institutions in legislation.
In doing so, it recognized the trend toward increased integrity and security risks over the past few years, reflecting the changing technological and geopolitical landscape.
The Budget Implementation Act of 2023 introduced legislative amendments to expand OSFI’s mandate and powers. In addition to supervising federally regulated financial institutions to ensure they are financially sound, OSFI’s mandate now includes:
- examining and supervising federally regulated financial institutions, also known as FRFIs, to determine whether they have adequate policies and procedures in place to protect themselves against threats to their integrity and security, including foreign interference; and
- requiring OSFI to report, at least annually, to the Minister of Finance on the adequacy of, and adherence to, FRFIs’ policies and procedures.
These changes have placed OSFI at the forefront of some of the most important emerging policy issues of the day.
This means OSFI now monitors threats and risks related to integrity and security, including foreign interference, within the industry, and will intervene when there are clear national security concerns.
These changes enhance the robust oversight that OSFI already provides and signify an evolution in our approach to managing non-financial risk.
Integrity and security are fundamentally linked. And from a regulatory perspective, focusing on these risks establishes a stronger foundation that makes financial institutions less vulnerable to threats.
To provide clarity on what this means for financial institutions, OSFI published the Integrity and Security Guideline this past January.
In the guideline, we defined these key concepts in the following manner:
- Integrity is the degree to which an organization demonstrates its actions, omissions, and decisions in a consistent manner, not just with the letter of ethical standards, regulations, and the law, but also their spirit.
and
- Security is about protection. When we have security, we are protected from threats. Those threats can be, for example, physical, targeting property or people, or electronic, zeroing in on technology assets, data, and information.
Like other non-financial risks, now more than ever, failing to address integrity and security risks can affect a FRFIs bottom line and viability.
With the guideline as a footing, OSFI takes a risk-based approach to supervising that is proportional to the financial institution’s ownership structure, strategy, risk profile, and location of operations.
Along with our enhanced supervisory role, we were also given new intervention powers. And, as mentioned earlier, we see the expansion to our mandate as an appropriate and natural maturation of our supervisory and regulatory responsibilities to Canadians.
In response, the Superintendent has established a new National Security Sector as well as an Integrity and Security Risk Division.
This expanded mandate has required us to make operational changes at OSFI. When considering the risks to financial institutions, we also need to consider that they are not immune to threats from foreign interference.
While some non-financial risks are better understood and managed, others, like foreign interference, require special attention because their scope is harder to determine. This is why OSFI has established a new National Security Sector.
What is this new sector’s role?
- We examine national security issues that could affect the financial institutions we oversee;
- We provide national security strategy, assessments, advice, and intelligence co-ordination within OSFI;
- We provide intelligence and advice to inform our supervision colleagues at OSFI and their oversight activities to help financial institutions to minimize their risks to integrity and security, which includes foreign interference; and
- We support the Superintendent in his evidence-based decision-making should a serious threat to national security present itself in the Canadian financial system.
And on the external side, my sector collaborates with Government of Canada security and intelligence partners.
This includes processes and channels to manage and disseminate routine intelligence within OSFI. We also have the task of developing strategies to detect malicious and illegal threats, including to national security.
All in all, we expect our work to mitigate risks, improve the use of intelligence, and increase OSFI’s agility.
Our sector will help OSFI become more responsive to evolving threats to the financial sector and support the Government’s broader mandate to prevent, detect, and deter national security threats, within the financial sector.
Let’s now take a closer look at foreign interference in the context of OSFI’s mission.
Foreign interference includes activities that are within or relating to Canada, are detrimental to the interests and security of Canada, and are clandestine, deceptive, or involve a threat to any person.
They may include attempts to influence, intimidate, interfere, or corrupt individuals, organizations, and governments to further the interests of a foreign state or non-state actor.
The recent Hogue inquiry characterized foreign interference activities as persistent, multifaceted, and targeting all aspects of Canadian society.
Moreover, Public Safety Canada has identified financial institutions as a critical infrastructure sector in Canada.
Our Superintendent has said it many times – OSFI would rather be criticized for acting too soon than for reacting too late. Threats related to foreign interference are no different.
If left unchecked, they can not only harm the safety and soundness of the Canadian financial system – they can affect the economy, our communities, and Canadians themselves.
As I’ve just mentioned, foreign interference risk requires special attention because determining its scope is much more challenging than other non‑financial risks.
While all sectors are at risk of foreign interference, whether through malicious actions, or through undue influence, we do not have information that the financial sector is more of a risk than other sectors.
In Foreign Interference like cyber security, ransomware, or insider threat – foreign actors may seek to impact broader Canadian society, not just the financial sector. Foreign interference is not just a financial sector issue, it’s a national security issue.
Also, foreign interference merits our attention: the Canadian Security Intelligence Service, or CSIS, has determined that Canada has been a prime target for foreign states aiming to acquire information, make sensitive investments, covertly influence people and communities, and exploit them to further their own national interests.
Regardless of scope, the risk is real.
Canada’s banks and insurers are not immune to threats from potential hostile actors. And OSFI considers foreign interference in the Canadian financial sector as a risk that needs to be examined. Let’s not forget how fast our world is changing.
The guidelines we have put in place should help financial institutions to bolster their ability to reduce the impact of those risks.
In return, we expect financial institutions to monitor regularly for any threats and respond accordingly when there are suspicions of foreign interference, undue influence, or malicious activity.
As a support function to OSFI, analysis from our sector will inform the instruments and tools that OSFI produces, such as the integrity and security guideline mentioned today. We will also inform supervisory decision-making to help harden financial sector defenses against threats.
We are also considering how we could, from time to time, provide threat briefings to financial institutions.
OSFI expects our approach to integrity and security will evolve, and we expect boards will ensure that their institutions define the right principles and outcomes for the integrity and security of their institutions.
OSFI and anti-money laundering (AML)
In the time remaining, let me turn to OSFI’s role in anti-money laundering and financial crime, and how we work with our partners.
As I mentioned earlier, geopolitical and technological factors are changing the landscape in which we operate. And as a result, the threat presented by money laundering is also increasing.
When a financial institution becomes entangled in money laundering activities, either through the complicit actions of a few employees or senior individuals, it indicates weaknesses in risk controls and causes breakdowns in the institution’s compliance culture.
If the practice is widespread in a jurisdiction, it can undermine trust and accountability, both of which are essential to a healthy financial institution and sector.
We have seen in the past that significant illicit activities related to money laundering can impact the reputation of financial institutions – and in turn negatively impact the integrity of our financial system.
That’s why OSFI considers money laundering and the financing of terrorism as a third party and foreign interference risk that could have significant negative effects on a financial institution’s safety or soundness.
We expect the institutions that we regulate to manage anti-money laundering and anti-terrorist financing risks appropriately, in line with other integrity and security risks.
OSFI is collaborating with its counterparts to tackle AML.
For example, we collaborate with the Financial Transactions and Reports Analysis Centre of Canada, also known as FINTRAC, to ensure that financial institutions have the required policies and procedures in place to protect them against integrity and security threats, including money laundering and terrorist financing.
If we suspect or see evidence of money laundering or terrorist financing at a financial institution, we will engage FINTRAC in accordance with respective statutory authorities.
Similarly, OSFI focuses on the prudential impact of FINTRAC’s findings. When we find weakness, we may engage with boards of directors to ensure they’re putting in place enhanced protections for their institutions’ integrity and security in the face of intensifying money laundering risk.
We may closely supervise implementation of measures to ensure an institution’s compliance. Finally, OSFI has legislative power to intervene in the operations of a financial institution if warranted to do so.
Both OSFI and FINTRAC's statutory authorities allow for the sharing of supervisory information for specific purposes associated with money laundering and terrorist financing.
In addition, FINTRAC can disclose transaction information to OSFI if it meets their national security threshold and is in keeping with OSFI's mandate.
Also, the same Budget Implementation Act that expanded our mandate gave FINTRAC the authority to disclose additional information to OSFI about threats to the security of Canada.
This will result in OSFI working as required, with Canada’s national security partners and the development of responses to national security threats to the financial sector.
When it comes to sharing of information, the NSS is looking at ways that it could directly benefit FRFIs by delivering for example, a collective ad hoc threat awareness briefing.
In my experience, the Government of Canada always works to find a way to work broadly with sectors at risk to help them to harden their operations, or with a specific institution to help them to safeguard their operations against a specific threat.
Closing
As we’ve seen, OSFI’s expanded mandate on integrity and security builds on work we’ve been doing for the past number of years.
Our new National Security Sector will help us become more responsive to evolving threats to the Canadian financial sector.
As for foreign interference, while the NSS’s work will be “behind the scenes,” informing our interactions with regulated entities, it does mean that OSFI will have an additional source of information on which to inform supervisory decisions, and in some cases, offer information that will help harden defenses against potential threats.
At a time when the risk environment is growing increasingly complex, our new responsibilities and growing collaboration in the national security space mean that OSFI will continue doing its part to protect Canadians’ confidence in the financial system.
Thank you. Enjoy the rest of the conference.