July 16th, 2025 | Sterling

What Should You Know about the OSFI’s New Integrity and Security Guideline?

Canada’s Office of the Superintendent of Financial Institutions (OSFI) has recently provided new guidance on integrity and security. In the latest episode of FA Live, we sat down with Chuck Walker, Senior Advisor for Public Safety at First Advantage, and former Director General of the Canadian Criminal Real Time Identification Services, to clarify what specifically OSFI’s new guideline entails and how financial institutions operating in Canada can manage its compliance requirements.

Over the last few years, new social and technological developments, such as the emergence of AI and the rise of new cybersecurity threats, have swept the world. Consequently, financial sector compliance and risk mitigation have been rapidly evolving.

Since banks and federally regulated financial institutions are part of Canada’s critical infrastructure, OSFI occasionally introduces new guidelines to help them navigate these changes and address any risks the changes may pose to business continuity, data security, and other areas.

As Walker notes, people, whether inadvertently or deliberately, can pose considerable risks to organizations’ integrity. Many security incidents, such as data breaches and malware attacks, have a human component. For this reason, the new OSFI guideline prescribes a background check for individuals designated as “responsible persons.” Strictly speaking, this term includes managers and directors, although there is a case for treating anyone who accesses a bank’s financial systems, customers, or data as a responsible person.

According to OSFI, the mandatory background checks for responsible persons should include (at minimum) identity, criminal record, and credit checks. Financial institutions looking for a wider overview of their candidates’ background may complete an Enhanced Reliability Check, which includes, on top of the criminal record and credit checks, both education and credentials verifications and professional and personal references.

Concerning the criminal record check, how in-depth does the search have to be? While a standard background check is considered acceptable, financial institutions looking to minimize risk may want to complete an Enhanced Police Information Check, also known as a Criminal Record and Judicial Matters Check. This much more thorough search includes pending charges, arrest warrants, probation orders, conditional and absolute discharges, and other potentially relevant police information that can help organizations make an informed employment decision.

Many financial institutions have taken advantage of Canada’s recent surge in immigration to fill crucial positions. Since Canada’s main immigration law, the Immigration and Refugee Protection Act (IRPA), requires newcomers to pass a background check in order to be considered eligible, employers may be tempted to think that no further checks are necessary.

However, financial institutions that skip the background check may be exposing themselves to significant risks. The Government of Canada only considers criminal convictions whose equivalent in the Criminal Code of Canada would incur a sentence of ten years or more when determining an individual’s admissibility. But offences that are highly relevant to the financial industry, such as fraud, theft, falsification of documents, and insider trading, may not have been screened, since they rarely meet the ten-year threshold.

In addition to meeting the basic standards for thoroughness prescribed by OSFI, checks should be:

  • Conducted prior to employment
  • Renewed on a regular basis
  • Reviewed off-cycle based on certain criteria

What does all this mean in practice for financial institutions?

Companies should rescreen their responsible persons at scheduled intervals. Organizations unsure how often to rescreen can discuss this with their background screening provider. We are happy to provide some guidance to help you make an informed decision.

Financial institutions need to worry about more than their own staff and management. They also need to confirm that their third-party service providers comply with security requirements as strict as the financial institution’s. Financial institutions should also ensure that their providers screen their own staff and ask them to complete regular training regarding corporate ethics, anti-corruption measures, and other relevant topics.

Non-compliance with OSFI requirements can have significant costs for financial institutions. The OSFI has the authority to take over their management if they fail to take the required steps to evaluate their employees’ background, promote a culture of integrity, and protect their data and assets. It’s worth noting that financial institutions can transfer their risk, but not their accountability. An experienced background screening provider like First Advantage can help you manage your accountabilities to minimize risk.

Compliance with OSFI involves defining which employees are considered “responsible persons,” designing a background screening package for each position, and determining an appropriate rescreening cadence.

Does the task seem daunting? First Advantage can provide you with support and guidance to help you navigate the challenge. Contact our experts to learn more.

This content is offered for informational purposes only. First Advantage is not a law firm, and this content does not, and is not intended to, constitute legal advice. Information in this content may not constitute the most up-to-date legal or other information.

Readers of this content should contact their attorney or lawyer to obtain advice concerning any particular legal matter. No reader, or user of this content, should act or refrain from acting on the basis of information in this content without first seeking legal advice from counsel or lawyers in the relevant jurisdiction. Only your individual attorney or legal advisor can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this content does not create an attorney-client relationship between the reader, or user of this presentation, and First Advantage.