OSFI’s new “Integrity and Security Guideline” brings two different concepts together under one umbrella. Although Security and Integrity appear to be separate concepts when examined in isolation, OSFI asserts that failures in either can affect the safety and soundness of financial institutions. Adherence to sound integrity practices may improve an FRFI’s security posture and, equally, a security failure may be rooted in a lack of integrity.
Integrity is introduced as a new definition in this guideline, defined as: “actions, omissions, and decisions consistent with the letter and intent of ethical standards, regulations, and the law.” Like many of OSFI’s guidelines, it is principles-based and outcomes-focused. It introduces four principles for Integrity and references proposed and existing guidance to assist with interpretation.
OSFI’s Proposed Integrity Principles

Description of Principle | Related OSFI Guidance
Senior leaders are of good character and demonstrate integrity through their words, actions, and decisions | E-17 Background Checks on Directors and Senior Management
Culture consistent with ethical norms is deliberately shaped, evaluated and maintained | Draft Culture and Behaviour Risk Guideline
Governance structures subject actions, omissions and decisions to appropriate scrutiny and promote ethical behaviour | Corporate Governance Guideline
Effective mechanisms to identify and verify compliance with standards, regulations and the law exist | E-13 Regulatory Compliance Management
Given the velocity of business and the extent of technology use within financial institutions and by their customers, it makes sense that OSFI has put emphasis on people risk (referred to as behaviour risk in the guideline), as well as on the need to promote ethical standards across the organization. But what does this really involve in practice? Culture is not easily shaped. It takes time and commitment. Ultimately, organizations will need to use their existing culture as a baseline and draw on, and align with, OSFI’s Draft Culture and Behaviour Risk Guideline.
Taken as written, FRFIs are solely accountable for meeting the guideline as stated and must not only define but also encourage and maintain the “culture”. Culture, according to OSFI, is: “the commonly held values, mindsets, beliefs, and assumptions that guide both what is important and how people should behave in an organization.”
Culture is largely outlined in the strategy of the organization: it is expressed as part of the Vision, Mission and Objectives, aligned with the enterprise risk appetite, and described in detail in the “principles” the organization holds and communicates through a “Code of Conduct”. These principles provide the specific behaviours to be measured and maintained and are supported by a rationale. The strategy is therefore a suitable foundation for cultural norms because, in its best form, it is:
· Known by all,
· Reviewed and measured, and
· Used by other departments, such as IT, to set their strategy.
The Draft Culture and Behaviour Risk Guideline also speaks to behaviour, calling out behaviour risks as “Behavioural patterns that are misaligned to the expected behaviours and the desired culture of the FRFI and/or increase financial and non-financial risks.”
With the accessibility and pervasiveness of technology use, you can see the need for guardrails to protect the organization against unknown risks. As new technology is introduced, there is a learning period; currently we are in the learning period with Generative AI. We are still learning about the intellectual property, data and ethical risks associated with large language models (LLMs), and one thing is certain: LLMs have the potential for irresponsible use of their outputs by employees.
How do you control and measure culture and behaviour?
As with any risk factor, governance and suitable accountability mechanisms will be important to reinforce the desired outcome. Senior leadership has an essential role in promoting and reinforcing organizational culture, but its role extends beyond this. Leaders must actively interface with IT and risk management to help measure, control, monitor, and manage “bad behaviour”.
· This starts with determining “bad behaviours”: the specific behaviour practices that are not aligned with your defined culture/integrity principles.
· Then set thresholds of acceptable behaviour that are stated and well understood across the organization. Training employees can take different forms, including online training, interviews, surveys, etc., but data and technology will be needed to help identify bad behaviour and to respond and reinforce adequately.
IT can play a central role to help demonstrate compliance
IT plays a central role in protecting the organization against threats to security or unsuitable behaviour patterns. CIOs and their teams have many tools and techniques that can monitor behaviour, for example, tracking software and open-source intelligence tools.
· Senior leadership will need to work together to determine which behaviour patterns are considered “high risk” (risks that are widespread or substantial, or that negatively impact an FRFI’s resilience) and therefore require continuous measurement and reporting.
· IT will need to work with the business to put in place appropriate monitoring tools, supporting processes, and quantitative measurements.
· Accountable people will need to assess and document the outputs and determine if resilience has weakened and actions are needed.
Although these are not easy guidelines to implement, keep in mind that each FRFI already has a culture in place supported by a Code of Conduct. Yet the threat landscape continues to evolve, and culture must stay in step. No culture is preordained and then manifests exactly as stated in design documents, because people will not be so easily confined. FRFIs will need to strike the right balance to ensure they have adequate resilience against behaviour risks while not being so constraining in their behavioural requirements that they undermine the organization.
The legislation for Integrity and Security is effective January 1, 2024, and the Culture and Behaviour Guideline is in draft form.
For the Integrity and Security Guideline, FRFIs will be expected to have information on their conformity with the guideline, as OSFI is required to report to the Minister of Finance on the adequacy of, and adherence to, FRFIs’ policies and procedures related to Integrity and Security by the end of 2024. See FAQ.