

What is OSFI? Compliance for Canadian Banks


OSFI stands for the Office of the Superintendent of Financial Institutions, an independent agency of the Government of Canada. OSFI was established in 1987 to contribute to the safety and soundness of the Canadian financial system. OSFI is the key entity in Canada that supervises and regulates:

  • Federally registered banks and insurers;

  • Trust and loan companies; and 

  • Private pension plans that are subject to federal oversight.

OSFI has more than 400 federally regulated financial institutions (FRFIs) under its supervision. It also oversees 1,200 pension plans, ensuring they are in sound financial condition and meeting their defined regulatory requirements.

OSFI is continually enhancing its regulatory and supervisory approaches to technology and other non-financial risks. In doing so, OSFI has made innovation an imperative for the Canadian financial sector. OSFI protects the interests of depositors, policyholders, creditors and pension plan members, and achieves these objectives by:

  • Developing a regulatory framework that helps it manage and mitigate risks; 

  • Assessing the safety and soundness of FRFIs and pension plans; and

  • Intervening promptly as and when corrective actions are required. 

OSFI recognizes the pressing need for businesses to understand a range of technology-related issues, including:

  • Operational risk and resilience, and a holistic assessment of the regulatory architecture for technology and other non-financial risks;

  • Technology risk, and the role prudential regulators play in the management of technology and data risk; and

  • Core principles to guide the development of future regulatory guidance, specifically in three priority areas: advanced analytics, cybersecurity, and the third-party technology ecosystem.

OSFI Compliance for Canadian Banks 

Many banks in Canada assess technology risks within a broader framework for operational risk management (ORM). This approach draws on established guidance from international standard-setters and on OSFI’s own supervisory experience.

OSFI regulates and supervises both domestic and foreign banks operating in Canada. It regulates foreign bank subsidiaries under the Bank Act and controls them through eligible foreign institutions. Here are some of the restrictions the Bank Act places on Canadian banks:

  • The Bank Act imposes ownership requirements on all banks in Canada. For instance, a person cannot become a major shareholder of a bank whose equity is $12 billion or more.

  • Banks with equity between $2 billion and $12 billion must have at least 35% of their voting shares listed and posted on a recognized stock exchange, and those shares must not be owned by a major shareholder.

  • Banks may only carry on the “business of banking” within a limited set of activities, such as acting as a financial agent; providing financial services; issuing payment, credit or charge cards; providing investment counselling; and so on.

  • Banks are not allowed to “deal in goods, wares or merchandise, or engage in any trade or other business” unless the Bank Act permits such transactions.

  • Banks may invest in securities, but they cannot make substantial investments, such as acquiring more than a 10% interest in a non-bank entity.

  • Banks may acquire other banks, insurance companies, trust or loan companies, cooperative credit societies and entities primarily engaged in dealing in securities. 

Penetration Testing: The Most Important Parameter for OSFI Compliance

In addition to the restrictions just mentioned, all federally regulated financial institutions (FRFIs), including banks, in Canada should carry out a penetration test to be OSFI compliant. What does this mean for FRFIs?

It means that all banks must carry out penetration testing to proactively expose vulnerabilities, flaws, malicious content and risks in their IT infrastructure. OSFI has mandated penetration tests for Canadian banks because they show whether an attacker could compromise a bank’s applications and gain a foothold within its infrastructure. Measures must be in place, and banks must ensure there are no vulnerabilities or gaps within their IT infrastructure that could threaten their customers’ data. A penetration test helps create a strategy to protect sensitive data, critical systems and other critical resources.

So, to safeguard your sensitive data and information, you need penetration testing. The fact that the data held by banks belongs mostly to their customers makes penetration testing even more important, because customers can file lawsuits if companies fail to safeguard their information. Loss of business through loss of trust is another major risk for banks to consider.

The urgency of penetration testing for banks has grown because of the increasing number of cyberattacks witnessed recently. OSFI has these regulations in place to maintain consumer confidence in the financial markets. It also has to guarantee deposits through the Canada Deposit Insurance Corporation (CDIC) and review the pension plans of businesses to ensure they are adequately funded. Regulations make it easier for OSFI to achieve these goals, and Packetlabs makes it easier for you to conduct a penetration test.