OSFI developing technology risk guidelines

Oct. 5, 2020 — THE FEDERAL regulator is looking to nail down solid guidelines for risks to the financial sector that could arise from rapidly developing technology.

The Office of the Superintendent of Financial Institutions has laid out new proposals in a paper titled ‘Developing financial sector resilience in a digital world,’ which delves into the risk areas of cyber security, advanced analytics and the use of third-party services such as cloud and how they might impact the stability of Canada’s financial sector. 

OSFI is seeking input by Dec. 15 from financial sector participants, technology experts, academics and other stakeholders to help guide its regulatory and supervisory approaches to technology-related risks. While the recommendations are not regarded as groundbreaking for most p&c insurers, the guidance has been welcomed as a timely benchmark. 

“The consultative nature of the process is great,” said Chris Cornell, partner, audit and national sector leader, insurance at KPMG in Toronto. 

“It will allow industry participants to respond and give them the opportunity to make sure that (the OSFI guidance) is aligned with what they’re envisioning and how they had hoped to manage things going forward. I think the time is right and it makes sense from that perspective.” 

Adil Palsetia, a partner in KPMG’s cyber security and privacy practice, said the new paper addresses issues that have come up over the past few years and is intended to clarify guidance that is already widely available. He noted that Canada has traditionally tended to look to risk guidelines from other jurisdictions and he welcomed a more local perspective. 

“What’s interesting for p&c insurers is that OSFI is giving them time and guidance to be able to respond to these requirements.  

“It’s such a broad-ranging paper with three of the key topics of our time from a risk perspective,” Mr. Palsetia said, referring to cyber security, advanced analytics and the technology third-party eco-system.

Among the subsets of the OSFI paper is defining technology risk for regulatory purposes. OSFI has developed a working definition for technology risk that draws upon existing practice and guidance and which is aligned with operational risk frameworks in the financial sector. 

It says: “Technology risk is the risk arising from the inadequacy, misuse, disruption or failure of information technology systems, infrastructure or data to meet business needs.” 

Along with the risk implications for the financial services sector of advanced analytics and quantum computing, and of cloud computing and third-party risk management, the paper also addresses topics such as ‘explainability.’ It notes that for the insurance industry, explainability is crucial for artificial intelligence/machine-learning pricing models in jurisdictions that require regulatory approval to increase premiums.

Conversely, it says, explainability is less crucial for a similar model that helps a sales team identify policyholders with a lower likelihood of renewing their policies.  

The paper also touches on open banking, which has been a lobbying point for Canada’s p&c brokers and mutual insurers. 

Open banking would allow customers to share data held by their banks with third parties such as other financial institutions or financial technology companies, who could combine it with data from other sources to yield new benefits for consumers. 

Both the Insurance Brokers Association of Canada and the Canadian Association of Mutual Insurance Companies have appeared before federal government committees in the interest of maintaining the traditional separation of insurance and banking services. 

CAMIC’s main concern has been that bank-owned fintech companies could share information and contravene the prohibition on banks selling insurance in their branches. 

The Senate committee on banking, trade and commerce released a report last year that said any framework on open banking should prohibit the use of consumer banking data for insurance purposes. 

The OSFI paper notes that many jurisdictions, including Canada, have either implemented or are contemplating open application programming interface frameworks through which ‘consumer-permissioned’ data can be leveraged by third-party developers to build innovative applications and services. 

The regulator said an advisory committee has been examining the issue and will continue to work with stakeholders to examine issues such as governance, consumer control of personal data, privacy and security with respect to the adoption of open application programming interface frameworks and the implications for insurers and other federally regulated financial institutions.
