Financial institutions regulator sees elevated risks compared to the spring
Two key risks have been flagged up by Canada’s financial institutions regulator as being potentially more of a problem for the country’s financial system than it previously stated.
In an update to its Annual Risk Outlook (ARO) for 2024-2025, the Office of the Superintendent of Financial Institutions (OSFI) says that the four risks it identified in the spring all remain as concerns: real estate secured lending and mortgage risks; wholesale credit risks; funding and liquidity risks; and integrity and security amidst geopolitical uncertainty.
However, two integrity and security risks have intensified: risks to operational resilience and risks related to artificial intelligence.
The regulator acknowledges the benefits to the financial services industry that AI offers, including enhancements to efficiency, customer service, and decision making. But it also highlights risks including increased cybersecurity and third-party risks, heightened fraud and money laundering activities, potential bias and discrimination in decision making, data privacy and quality concerns, elevated model risk, and reputational risk.
The OSC recently warned that AI-enhanced scams pose greater risks to investors than conventional scams.
Regarding operational resilience the update notes Canadian FI’s reliance on “a complex network of third parties and technology,” which are typically global in reach and increases the potential for exposure to incidents outside Canada.
Addressing the risks
OSFI publishes its annual risk report in the spring but updates in the fall are provided where risks in the financial system substantially evolve.
There are six actions that the regulator will take in response to the rising risks:
- assess institutions' preparedness to manage third-party risks and technology and cyber-related risks
- assess the strength of institutions' business continuity plans, disaster recovery plans, and internal third-party contingency plans
- collect third-party data to increase understanding of systemic concentration risk
- conduct thematic reviews and monitor cyber resilience and third-party risk management of critical outsourced functions
- assess the impact of AI adoption on the risk landscape and strengthen existing guidelines to decrease AI-related risks
- issue an updated Model Risk Management guideline in summer 2025
"OSFI will adapt and respond to intensifying integrity and security risks within the Canadian financial system in a manner consistent with the 2023 change in OSFI's mandate,” said Peter Routledge, Superintendent of Financial Institutions. “With the semi-annual update to our 2024-25 Annual Risk Outlook, OSFI announces our supervisory and regulatory responses to intensifying risks related to operational resilience and artificial intelligence."
