OSFI Sets Compliance Expectations for Evolving Risk Environment
5 main points:
-
Expanded Supervisory Focus: OSFI is broadening its regulatory lens beyond solvency and capital adequacy to include institutional integrity, cyber resilience, and non-financial risks like geopolitical threats and foreign interference.
-
New Security Structures: Two new units—the National Security Sector and the Integrity and Security Risk Division—will assess institutions’ threat protection capabilities and support OSFI’s enhanced powers under Bill C-47.
-
Enhanced Engagement and Cyber Oversight: Financial institutions should prepare for deeper regulatory engagement on cybersecurity, insider threats, and integrity risks, which will now be integrated into the supervisory framework.
-
Continued Prudential Monitoring: OSFI will maintain existing measures, including loan-to-income ratio compliance and a review of its Supervisory Framework, while accelerating intervention in high-risk cases flagged through updated detection tools.
-
Cost Recovery and Institutional Readiness: As a cost-recovered agency, OSFI’s oversight enhancements may slightly raise assessments, reinforcing the need for institutions to strengthen governance and readiness in anticipation of broader regulatory expectations.
OSFI has announced its 2025–26 Departmental Plan, setting out a regulatory agenda that reflects a significant broadening of its supervisory scope. While solvency and capital adequacy remain core concerns, the focus is shifting toward institutional integrity, cyber resilience, and the capacity of federally regulated financial institutions to manage geopolitical and non-financial threats.
https://www.osfi-bsif.gc.ca/en/about-osfi/reports-publications/2025-26-Departmental-Plan
The regulator describes the current risk environment as intensifying, shaped by global instability and escalating cyber threats. In response, OSFI will increase investment in its own cybersecurity infrastructure and expand its supervisory capacity. It has established both a National Security Sector and an Integrity and Security Risk Division, tasked with assessing whether institutions have the policies and procedures necessary to protect against threats such as foreign interference. These units will also support expanded powers granted to OSFI under Bill C-47, which reinforce the regulator’s ability to intervene in cases of national security or institutional vulnerability.
Financial institutions should expect closer engagement on issues that previously sat outside the traditional prudential lens. OSFI has signaled it may begin offering threat briefings to select institutions and will incorporate integrity-related risk factors into its supervisory framework. Cyber preparedness and internal controls around insider threats will become increasingly relevant in compliance discussions.
The plan also confirms OSFI’s intention to follow through on existing prudential measures. The agency will monitor compliance with loan-to-income ratio reporting requirements, conduct a post-implementation review of its revised Supervisory Framework, and continue publishing its Annual and Semi-Annual Risk Outlooks. Notably, four institutions and four pension plans experienced rapid increases in risk classification in the past year. OSFI views this as a warning sign and has committed to faster intervention and better risk detection tools.
From a financial perspective, OSFI will continue to operate as a cost-recovered agency, with regulated institutions funding more than 99 percent of its budget. While it maintains that fees remain modest, the additional investment in oversight and cyber capability may result in slight increases to assessments over the coming year.
For lenders, the implications are clear. Regulatory expectations are evolving beyond financial soundness to include broader measures of institutional resilience. Governance frameworks, threat readiness, and data-driven supervision will increasingly determine the intensity of regulatory engagement. Institutions that are prepared for this shift will be better positioned to adapt as OSFI’s model moves steadily toward a more comprehensive view of systemic risk.
Sign up for the CLA Finance Summit Series