Canada Regulations & Standards

Last updated December 2022

OSFI – Operational Resilience – Letter and Proposed Revisions to Guideline E-21

On July 6, 2021, the OSFI issued an industry letter to federally regulated financial institutions (FRFIs) on operational resilience and received feedback from the FRFIs.

Japan, Tokyo, Directly below view of bamboo groveBased upon the feedback, the OSFI is considering revising Guideline E-21 to shift toward the concept of operational resilience, while also continuing to reinforce the OSFI’s expectations in relation to operational risk management. The revised Guideline E-21 would be principles based, include programs that are aligned to other global requirements, and would be expected to be proportionate to FRFIs of different size, nature, scope, and complexity of operations.

The OSFI notes that operational resilience should be viewed as an outcome of effective operational risk management, including the management of technology, cyber, third-party, model, business continuity, compliance, people, and process risks.

Canada – Draft Revised Guideline B-10: Third-Party Risk Management

Canada’s primary financial services regulator, the Office of the Superintendent of Financial Institutions (OSFI), expects to issue new guidelines for the way in which financial institutions manage third-party risk. The open comment period on Draft Revised Guideline B-10 was extended through September 2022, and the OSFI will provide additional notice before it goes into effect.

The proposed changes mirror other new regulations such as the Digital Operational Resilience Act (DORA). Like other regulators, the OSFI has extended its definition of third-party risk to include everything from technology, cyber, and data security through to operational, business continuity, and supply chain risks.

Unlike other global requirements, the OSFI does not outline prescriptive guidance and instead outlines principles to ensure continuity of critical services in the face of third-party risk. 

As the guidance makes its way through the public comment and approval process, organizations can consider establishing clear program governance standards, including clear roles and responsibilities, compliance with cyber standards, and cloud-specific risk management requirements.