Foreign Interference Regulation in Canada: Financial Institutions

Financial institutions are at the forefront of the growing threat posed by foreign interference in Canada, and recent legislative initiatives by the federal government, with the issuance of the Integrity and Security Guidelines by the Office of the Superintendent of Financial Institutions (OSFI), attempt to address and mitigate this threat.

This article highlights recent legislative and regulatory efforts to combat foreign interference in the Canadian financial sector.

What is foreign interference?

As defined in the OSFI Integrity and Security Guidelines (the “Guidelines”), “foreign interference” includes activities that (1) in or relating to Canada are harmful to the interests and security of Canada and (2) are secret in nature , fraudulent, or involves a threat to any person, including attempts to covertly influence, intimidate, manipulate, interfere, corrupt, or discredit individuals, organizations, and governments in furtherance of the interests of a foreign state or non-state entity.

Foreign interference undermines public confidence in the Canadian financial system. Examples of foreign interference in the financial system include foreign entities using the networks of Canadian financial institutions to steal sensitive financial data and the use of individuals as proxies to conduct illegal financial activities or donate to a political party or candidate for foreign interference purposes.

Efforts to combat foreign interference in the financial sector

Legislative efforts by the federal government to address and prevent foreign interference in the Canadian financial system are relatively recent. In June 2023, Parliament passed Bill C-47, which, among other things, expanded the powers of the Minister of Finance (Minister) and OSFI’s supervisory powers over federally regulated financial institutions, leading to the publication of the Guidelines by OSFI. Additionally, Bill C-70, Act on counteracting foreign interference, filed in May 2024, introduced a new one Foreign Influence Transparency and Accountability Act which will also apply to the financial services sector. Security risks are also addressed in Canada’s new consumer banking framework, details of which will be released as part of the federal budget in April 2024.

Bill C-47

Bill C-47 increases OSFI’s mandate and provides the Minister with new powers on national security and foreign interference through changes to the Act Banking Act, Act on insurance companies, Act on trust and loan companies, Act on the Office for the Supervision of Financial Institutions and Act on the proceeds of crime (money laundering) and terrorism financing (PCMLTFA).

The key provisions of Bill C-47 regarding foreign interference are:

Integrity and security policy: From January 2024, financial institutions are required to prepare and maintain policies and procedures designed to protect against threats to their integrity and security, including foreign interference.
Annual exams: OSFI must annually review the adequacy of each FI’s integrity and security policies and procedures and report its findings to the Minister. If such policies and procedures are found to be insufficient, the Superintendent of Financial Institutions (Superintendent) may require the FI to take any remedial measures it deems appropriate.
Authority to take control of the FI: The Minister was given the power to order OSFI to take control of an FI or its assets for a specified period “for national security reasons”. This includes the management of the FI’s business and affairs, and the powers and functions of the FI’s directors and officers will be suspended.
Sale of shares: If the Minister believes that a shareholder of an IF poses a threat to the integrity or security of the Canadian financial system, including for the purpose of fomenting foreign interference, the Minister may make an order requiring that person and any person controlled by him to divest any interest in such IF held or owned by the beneficiaries. and suspend all voting rights attached to such shares until such shares are disposed of.
Information collection and sharing: OSFI may require any person controlling an FI or its affiliates to provide any information that the Superintendent determines is necessary to ensure that the FI has adequate integrity and security policies and procedures. Bill C-47 also amends the PCMLTFA to facilitate the exchange of information between the Minister, OSFI and the Financial Transactions and Reporting Analysis Center of Canada (FINTRAC) for the purpose of assessing risks to the integrity of the Canadian financial system.

OSFI Guidelines for Integrity and Security

As a result of OSFI’s increased mandate under Bill C-47, OSFI published its guidance in January 2024, which sets out expectations and standards for integrity and security policies and procedures that financial institutions must implement to combat threats to their integrity and security, including foreign interference. OSFI believes that FIs can protect against threats to their security¹ if they act honestly²because lack of integrity can lead to vulnerability to security threats such as foreign interference.

According to the guidelines, financial institutions can strengthen their integrity by adhering to the following four principles:

directors and senior management should be of good character and demonstrate integrity in their actions, behavior and decisions;
the culture should value compliance, integrity and responsibility and reflect a commitment to standards that encourage ethical behavior;
governance structures should subject actions, behaviors and decisions to appropriate scrutiny and questioning to build trust with all stakeholders, and should be clearly communicated and codified; AND
Financial institutions should establish a regulatory compliance management (RCM) framework that includes effective mechanisms for identifying and verifying compliance with regulatory expectations, laws and codes of conduct.

The guidelines also establish standards for necessary and effective security measures to thwart foreign interference. Appropriate security in accordance with the Guidelines should include (1) physical security of facilities (i.e. buildings and servers), (2) data security through data classification and limited access to sensitive data throughout its lifecycle, and (3) security control of directors, management staff senior management, employees and contractors to ensure they are not subject to undue influence, foreign interference and malicious activity through background checks. The guidance also highlights the importance of preventing third-party risks through objective due diligence, commensurate with the level of third-party involvement. This should include identifying the location of the business, the company’s headquarters, affiliations with foreign governments, and the ownership structure of the third party or its subcontractors.

Additionally, the guidelines formalize reporting requirements when foreign interference is detected or suspected. In particular, FIs must report to OSFI, the Canadian Security Intelligence Service and the Royal Canadian Mounted Police when there are reasonable grounds to believe that an incident or event has occurred in connection with undue influence, foreign interference or malicious activity.

OSFI notes that when applying the expectations set out in the Guidelines, financial institutions should consider their vulnerability to undue influence, external interference and malicious activity. OSFI also expects financial institutions to assess their existing processes and procedures for compliance with the Guidelines and to develop ongoing monitoring, control and reporting systems to ensure the effectiveness of their integrity and security policies and procedures.

The Foreign Influence Transparency and Accountability Act

The Foreign Influence Transparency and Accountability Act Proposes the creation of a Foreign Influence Registry, overseen by an Independent Foreign Influence Transparency Commissioner, which will require persons or entities entering into arrangements with a foreign principal or taking actions intended to influence the Government of Canada or the Canadian political process to publicly register. This Act broadly defines a “foreign principal” to include foreign entities (including business entities), foreign powers or foreign states, which will cover a wide range of enterprises such as financial institutions, energy companies and sovereign wealth funds, among others.

Financial institutions and other entities operating in the financial services sector, including fintechs and money services companies, will be required to register if they enter into an arrangement under which they perform, under the direction of or in cooperation with a foreign principal, any of the following activities related to the political process or government:

communicating with persons performing public functions;
transmitting or disseminating information related to the political or governmental process; Or
giving away money or valuables, providing services or using a facility.

Entities operating in the financial services sector will need to carefully consider whether their activities fall within the scope of activities requiring registration.

Canada’s consumer-centric banking framework

Budget 2024 reveals new details on establishing a consumer-centric banking framework (the ‘Principles’)³. Specifically, the legislation would authorize the Minister to deny, suspend or revoke access to the Framework on national security grounds and would enable the Minister to order FCAC to take measures related to the Framework on national security grounds, to protect the integrity or security of Canada’s financial system or in the best interests of the financial system . Details of the Minister’s powers in the field of national security will be provided further Budget Implementation Act, No. 2which is scheduled to be introduced this fall.

Find out more in our overview of foreign interference laws in Canada.