The Office of the Superintendent of Financial Institutions used a conference speech to describe how it has reshaped supervision and policy work to address evolving non-financial risks, and to summarise recent supervisory themes across compliance, technology and cyber, and third-party risk management. It highlighted a new operating model, including the creation of the Risk, Strategy and Policy Sector, updates to the non-financial risk function, and work to increase transparency on supervisory assessments and system-wide risk priorities.
Recent supervisory work identified recurring weaknesses in regulatory compliance management (including gaps in Chief Compliance Officer opinions and compliance testing coverage, controls to keep compliance inventories current, and unclear Chief Risk Officer accountabilities) based on thematic reviews covering 20 financial institutions.
Technology and cyber reviews against Guideline B-13 and intelligence-led cyber resilience testing pointed to issues such as identity and access management, network security, data loss prevention, security awareness, disaster recovery and change management, alongside limited Board and senior management visibility into key technology and cyber risks.
Third-party risk management reviews found that exit and contingency plans often lacked executable detail, definitions of critical operations varied widely, and reliance on tabletop testing was insufficient; OSFI reiterated that institutions are expected to implement Guideline E-21 by September 2026 and noted that some mid-sized institutions had not defined their critical operations in early fall 2025.
Next steps flagged in the speech include further work on Chief Compliance Officer opinions and Board reporting, expanded reviews on disaster recovery, vulnerability management and cloud governance, and joint Operational Risk Division and Technology Risk Division work on business continuity, change management and data protection, alongside additional focus on fraud and transaction processing risk management. OSFI also pointed to continued guidance rationalisation and streamlining of new entrant applications, an intended shift in supervisory focus toward credit risk, liquidity risk and corporate governance, and forthcoming work in 2026—via public consultation—on enhancing guidance for senior management suitability and accountability.
Office of the Superintendent of Financial Institutions 2025-11-26
Office of the Superintendent of Financial Institutions reports non-financial risk supervisory findings and foreshadows 2026 consultation on suitability and accountability guidance
The Office of the Superintendent of Financial Institutions outlined its reshaped supervision and policy work to address non-financial risks, highlighting a new operating model and updates to the non-financial risk function. Reviews identified weaknesses in regulatory compliance, technology, cyber, and third-party risk management across 20 financial institutions. Future efforts will focus on enhancing compliance officer opinions, disaster recovery, and fraud risk management, with a shift towards credit risk, liquidity risk, and corporate governance.