Managing third-party risk and conducting thorough background checks are among several regulatory guidelines for banks and insurers looking to protect themselves against ‘foreign interference,’ as outlined in the Integrity and Security Guideline released by Canada’s solvency regulator last week.
The guidance follows new federal government regulations designed to make sure federally regulated financial institutions “have adequate policies and procedures to protect themselves against threats to their integrity or security, including foreign interference.”
The federal government has given the Office of the Superintendent of Financial Institutions (OSFI) the legal authority to enforce compliance with the new mandate.
For the most part, OSFI’s existing guidelines cover off many aspects of an organization’s security and integrity.
But to make sure insurers and banks guard against the threat of foreign interference, the new guidelines emphasize the regulator’s expectations around managing third-party risks and background checks conducted on people hired into an organization (both of which are already covered off in existing guidelines).
On third-party risks, OSFI stated: “accountability for security of the financial institution rests with the financial institution, even as it relates to business outsourced to third parties. This includes threats posed by undue influence, foreign interference, or malicious activity.”
There was discussion during the consultation period about just how granular the ‘due diligence’ on a third party should be.
For example, during consultation, insurers and other financial institutions told OSFI they have no control over the background checks that third parties conduct for their own employees and senior leaders.
In response, OSFI observed that the due diligence expected is in proportion to the third party’s risk to the company’s security.
“Due diligence on the third party from an integrity and security perspective should be proportional to the third party’s access to the financial institution’s physical premises, people, technology assets, and data and information,” OSFI’s guidance stated.
“Based on that initial proportionality assessment, the following should be assessed before engaging a third party and on an ongoing basis thereafter:
- The likelihood of threats to the third party
- The ability of the third party to address threats
- The existence and adequacy of the third party’s policies and procedures protecting against threats
- The adequacy of the third party’s background check processes.”
OSFI’s new guidelines also address insurers’ and banks’ own background checks.
“Security standards and controls to protect people from undue influence, foreign interference, and malicious activity should be established and maintained,” OSFI’s new guideline stated. “Subjecting people to appropriate background checks can identify vulnerabilities to these factors, helping to develop strategies to minimize risks. Standards and controls should consider factors such as authority, seniority, and access to sensitive information.”
Company leaders, employees and contractors should all be “subject to appropriate, risk-based background checks that are conducted prior to employment, renewed on a regular basis, and reviewed off-cycle based on certain criteria,” OSFI’s new guidelines on foreign interference stated.
At a minimum, OSFI said, the checks should include verification of identity and background, education and professional credentials, personal and professional references, and, for higher-risk positions, criminal records checks and credit checks.
“OSFI may request that specific individuals of the financial institution obtain a higher level of security clearance, depending on roles and responsibilities.”