June 11, 2024

Foreign interference regulation in Canada: financial institutions

Financial institutions are at the forefront of the growing threat posed by foreign interference in Canada, and recent legislative initiatives by the federal government, along with the release of an Integrity and Security Guideline by the Office of the Superintendent of Financial Institutions (OSFI), are attempting to address and mitigate this threat.

This article sets out recent legislative and regulatory efforts to combat foreign interference within the Canadian financial sector.

What is foreign interference?

As defined in OSFI’s Integrity and Security Guideline (the Guideline), “foreign interference” consists of activities that (1) are within or relating to Canada and detrimental to the interests and security of Canada, and (2) are clandestine, deceptive or involve a threat to any person, including attempts to covertly influence, intimidate, manipulate, interfere, corrupt, or discredit individuals, organizations, and governments to further the interests of a foreign state or non-state actor.

Foreign interference challenges public confidence in Canada’s financial system. Examples of foreign interference in the financial system include the use by foreign actors of Canadian financial institutions’ networks to steal sensitive financial data and the use of individuals as proxies to conduct illicit financing activities or to donate to a political party or candidate for purposes of foreign interference.

Efforts to combat foreign interference in the financial sector

The federal government’s legislative efforts to remediate and prevent foreign interference in the Canadian financial system are fairly recent. In June 2023, Parliament passed Bill C-47, which, among other things, expanded the supervisory powers of the Minister of Finance (the Minister) and OSFI over federally regulated financial institutions (FIs), leading to OSFI’s publication of the Guideline. In addition, Bill C-70, An Act respecting countering foreign interference, tabled in May 2024, introduced a new Foreign Influence Transparency and Accountability Act which will also apply to the financial services sector. Security threats are also addressed in Canada’s new Consumer-Driven Banking Framework, details of which were released as part of the federal budget in April 2024.

Bill C-47

Bill C-47 creates an increased mandate for OSFI and provides new powers for the Minister relating to national security and foreign interference through amendments to the Bank Act, the Insurance Companies Act, the Trust and Loan Companies Act, the Office of the Superintendent of Financial Institutions Act and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the PCMLTFA).

The key provisions of Bill C-47 dealing with foreign interference are as follows:

  • Integrity and security policies: As of January 2024, FIs are required to prepare and maintain policies and procedures to protect themselves against threats to their integrity and security, including foreign interference.
  • Annual examinations: OSFI must review the adequacy of each FI’s integrity and security policies and procedures annually, and report its findings to the Minister. If such policies and procedures are insufficient, the Superintendent of Financial Institutions (the Superintendent) can require an FI to take any remedial measures that he sees fit.
  • Power to take control of FIs: The Minister has been granted the power to direct OSFI to take control, for an enumerated period, of an FI or its assets for “reasons related to national security”. This includes managing the business and affairs of the FI; the powers and functions of the FI’s directors and officers will be suspended.
  • Disposition of shares: If the Minister believes that a shareholder of an FI poses a threat to the integrity or security of Canada’s financial system, including as a means to effect foreign interference, the Minister may issue an order to direct that person and any person controlled by that person to dispose of shares of such FI held or beneficially owned, and suspend any voting rights attached to such shares until such shares are disposed of.
  • Information gathering and sharing: OSFI may require any person who controls an FI or its affiliates to provide any information that the Superintendent believes is necessary to ensure that the FI has adequate integrity and security policies and procedures. Bill C-47 also amends the PCMLTFA to facilitate information sharing between the Minister, OSFI and the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) for the purpose of assessing risks to the integrity of the Canadian financial system.

OSFI’s Integrity and Security Guideline

As a result of OSFI’s increased mandate in Bill C-47, OSFI released its Guideline in January 2024, which sets out expectations and standards regarding the integrity and security policies and procedures that FIs must implement to combat threats to their integrity and security, including foreign interference. OSFI believes that FIs can protect against risks to their security [1] if they act with integrity [2], as a lack of integrity can lead to vulnerability to security threats, such as foreign interference.

According to the Guideline, FIs can strengthen their integrity through the following four principles:

  • directors and senior management should be of good character and demonstrate integrity through their actions, behaviours, and decisions;
  • culture should value compliance, honesty, and responsibility and reflect a commitment to norms that encourage ethical behaviour;
  • governance structures should subject actions, behaviours, and decisions to appropriate scrutiny and challenge in order to build trust with all stakeholders, and should be clearly communicated and codified; and
  • FIs should establish a Regulatory Compliance Management (RCM) framework which includes effective mechanisms to identify and verify compliance with regulatory expectations, laws and codes of conduct.

The Guideline also sets a standard of necessary and effective security measures to thwart foreign interference. Proper security, according to the Guideline, should include (1) the physical security of premises (i.e., buildings and servers), (2) data security through data classification and restricted access to sensitive data through its life cycle, and (3) screening directors, senior management, employees and contractors, through background checks, to ensure they are not subject to undue influence, foreign interference and malicious activities. The Guideline also stresses the importance of preventing third-party risks through objective due diligence which is proportional to the level of involvement of a third party. This should include determining the location of operations, corporate headquarters, connection to foreign governments and ownership structure of a third party or its subcontractors.

In addition, the Guideline formalizes reporting requirements if foreign interference is detected or suspected. Specifically, FIs must report to OSFI, the Canadian Security Intelligence Service and the Royal Canadian Mounted Police when there are reasonable grounds to believe that an incident or event has occurred related to undue influence, foreign interference, or malicious activity.

OSFI notes that FIs should consider their susceptibility to undue influence, foreign interference, and malicious activity when applying the expectations of the Guideline. OSFI also expects FIs to evaluate their existing processes and procedures against the Guideline, as well as to develop ongoing monitoring, control, and reporting systems to ensure the efficacy of their policies and procedures relating to integrity and security.

The Foreign Influence Transparency and Accountability Act

The Foreign Influence Transparency and Accountability Act proposes to create a foreign influence registry, overseen by an independent Foreign Influence Transparency Commissioner, which will require individuals or entities that enter into arrangements with a foreign principal, or undertake activities to influence Canada’s government or political process, to publicly register. This act broadly defines “foreign principal” to include foreign entities (including economic entities), foreign powers or foreign states, which will capture a wide range of businesses such as financial institutions, energy companies, and sovereign wealth funds, among others.

Financial institutions, and other entities that work within the financial services sector, including fintechs and money services businesses, will be required to register if they enter into an arrangement where they carry out, under the direction of or in association with the foreign principal, any of the following activities in relation to a political or government process:

  • communicating with public office holders;
  • communicating or disseminating information that is related to the political or governmental process; or
  • distributing money or items of value or providing a service or the use of a facility.

Entities working in the financial services sector will have to carefully consider whether their activities fall within the range of activities that would require registration.

Canada’s consumer-driven banking framework

Budget 2024 revealed new details on the establishment of a consumer-driven banking framework (the Framework) [3]. Specifically, legislation will empower the Minister to refuse, suspend, or revoke access to the Framework for national security reasons, and allow the Minister to direct the Financial Consumer Agency of Canada (FCAC) to take measures related to the Framework for reasons related to national security, to safeguard the integrity or security of Canada’s financial system, or in the best interest of the financial system. Details on the Minister’s powers with respect to national security will be revealed in the Budget Implementation Act, No. 2, which is to be introduced this fall.
 

Learn more in our overview of foreign interference regulation in Canada.


  1. “Security” is defined in the Guideline to include protection against malicious or unintentional internal and external threats to real property, infrastructure, and personnel, which OSFI refers to as “physical threats”, and technology assets, which OSFI refers to as “electronic threats”.
  2. “Integrity” is defined by OSFI as “actions, behaviours and decisions consistent with the letter and intent of regulatory expectations, laws, and codes of conduct”.
  3. The Framework will focus on data security to protect sensitive financial information. Specifically, it will set standards and security requirements for data protection that will apply to both voluntary and mandated participants, applicable to all the people, processes, technology, and infrastructure that interact with in-scope data that is collected through the Framework, and will include reporting obligations which will be monitored by the Financial Consumer Agency of Canada (FCAC).


This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.


© 2024 by Torys LLP.

All rights reserved.
 
