OSFI’s expanding role in regulation of artificial intelligence and machine learning

By Darcy Ammerman, Anna Holota and Karin Mistlberger

Law360 Canada (March 13, 2024, 11:47 AM EDT) --
The Office of the Superintendent of Financial Institutions (OSFI) has recently undertaken measures to regulate artificial intelligence (AI) and machine learning (ML) in the financial services sector. These actions come in the wake of OSFI’s 2023-2024 annual risk outlook, which indicated that it is exploring systemic and institutional vulnerabilities associated with digital innovations, including blockchain, AI and ML (see Office of the Superintendent of Financial Institutions, “OSFI’s Annual Risk Outlook – Fiscal Year 2023-2024” (April 18, 2023)).

This article focuses on OSFI’s final Integrity and Security Guideline, its updates to Guideline E-23: Enterprise-Wide Model Risk Management, and its call for industry feedback on the adoption of AI and ML. Given the rise in the use of AI and ML within financial institutions and pension plans, we can expect that OSFI’s regulation of these technologies will increase in the coming years.

OSFI releases final Integrity and Security Guideline

On Jan. 31, OSFI released its final Integrity and Security Guideline. (See OSFI, “Integrity and Security Guideline” (Jan. 31, 2024).) Although this guideline does not explicitly deal with AI and ML, OSFI’s reformed expectations with respect to security of technology assets may require federally regulated financial institutions (FRFIs) to adopt or bolster systems that defend against AI-driven attacks.

Security is defined in the guideline as “protection against malicious or unintentional external or internal threats to real property, infrastructure, and personnel (physical threats) and technology assets (electronic threats).” FRFIs are expected to ensure that technology assets are secure, with weaknesses identified and addressed, effective defences in place, and issues identified accurately and promptly.

FRFIs are further expected to implement standards and controls that protect the confidentiality, integrity and availability of data and information. In practice, the revised guideline will require FRFIs to adopt systems that they can use to manage, detect, and report issues related to their use of AI and ML technologies.  

OSFI will implement the finalized guideline in stages (see OSFI, “Integrity and Security – Letter” (Jan. 31, 2024)). By Jan. 31, 2025, FRFIs must comply with all new or expanded expectations regarding technology assets. All aspects of the Guideline will be in force by July 31, 2025.

OSFI updates Guideline E-23: Enterprise-Wide Model Risk Management

On Nov. 20, 2023, OSFI released a revised draft of Guideline E-23 for consultation and is seeking feedback until Mar. 22, 2024 (see OSFI, “OSFI consults on draft guideline for model risk management” (Nov. 20, 2023)). The revised Guideline E-23 builds off the framework OSFI first issued in September 2017, expanding the scope of its application, and responding to the rapid growth in digitalization and model usage, including increased use of AI and ML in the financial services industry (see OSFI, “Draft Guideline E-23 – Model Risk Management” (Nov. 20, 2023)). Its main changes are outlined below.

First, draft Guideline E-23 expands the definition of “model” to explicitly include AI and ML methods. “Model” now means application of theoretical, empirical, judgmental assumptions and/or statistical techniques, including AI/ML methods, which processes data to generate results. This change recognizes the surge in AI and ML application in the financial services sector and the accompanying increases in risk from their use.

Second, the scope of Guideline E-23 will be expanded to apply to federally regulated insurers and federally regulated pension plans (FRPPs) in addition to deposit-taking institutions, given that these entities also use models to support decision-making.

Finally, expectations set out in the revised Guideline E-23 are principles-based, meaning that they will apply to all models regardless of whether they are used for non-financial risks, such as climate, cyber and tech, or financial risks, such as forecasting economic conditions, pricing products, and developing business strategies (see “OSFI consults on draft guideline for model risk management”). This departs from the previous Guideline E-23, which focused on regulating models used for financial purposes (see OSFI, “Enterprise-Wide Model Risk Management Guideline – Letter (2017)” (Sept. 13, 2023)).

OSFI expects that relevant organizations will achieve the following outcomes:

(1) Models are adequately managed at each stage of their lifecycle;
(2) Model risks are managed proportionally to the organizations’ model risk profile, complexity and size; and
(3) Models are well understood within the organization and associated risks are managed through a well-defined, enterprise-wide risk management framework.

The final guideline will take effect in July 2025.

OSFI and FCAC seek industry feedback on adoption of AI and ML technologies

On Dec. 20, 2023, OSFI and the Financial Consumer Agency of Canada (FCAC) released a questionnaire seeking feedback from FRFIs on how they are adopting AI and ML technologies. The deadline for providing responses was extended to March 4.

The purpose of the questionnaire is for OSFI and FCAC to better understand how ready institutions are for the emerging technology of quantum computing. Through the questionnaire, FRFIs are invited to share their uses, strategies, plans, challenges, governance, and risk management practices with respect to AI and ML technologies on a confidential basis.

The results of the questionnaire will be used to:

(1) Increase OSFI and FCAC’s understanding of financial institutions’ involvement in AI and ML and quantum computing;
(2) Inform policy and supervisory work; and
(3) Assess the current state of quantum readiness.

OSFI and FCAC will analyze the results of the questionnaire and share current practices with participating institutions. FRFIs that contributed should review the results once announced, as these could provide insight into future OSFI and FCAC policies and guidelines related to AI and ML technologies.

Conclusion

Recently, OSFI has taken steps to increase regulation of AI and ML technology used by FRFIs and FRPPs. We can expect further regulation of AI and ML in the future, as OSFI works to continue to ensure public confidence in the Canadian financial system amid a rapid proliferation of AI and ML tools. FRFIs and FRPPs should stay apprised of public questionnaires and consultations launched by OSFI so that they can adequately prepare for upcoming regulation.  

Darcy Ammerman is the co-lead of the financial services group at McMillan LLP advising on all aspects of financial institution regulation and fintech, regulation of service contracts/warranties, insurance matters and secured lending transactions. She is recognized in Chambers and in the IFLR1000 Financial and Corporate Guide. Anna Holota is a member of the commercial real estate and financial services group in McMillan LLP’s Vancouver office. She is building a practice in financial services and commercial real estate. Her practice encompasses a broad range of financing and real estate matters, including mergers and acquisitions, real estate finance, and acquisition finance. Karin Mistlberger is an articling student at McMillan LLP. She completed her Juris Doctorate at the University of Victoria and will be called to the British Columbia bar in May. Mistlberger has an interest in financial services and business law.

The opinions expressed are those of the author and do not reflect the views of the author’s firm, its clients, Law360 Canada, LexisNexis Canada, or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
