Federal Financial Institutions Legislative and Regulatory Reporter - September 2025

Title and Brief Summary

Status (if applicable)

Office of the Superintendent of Financial Institutions (OSFI)

September 11, 2025

Guideline E-23 – Model Risk Management (2027)

Guideline E-23 sets out OSFI’s expectations for effective enterprise-wide model risk management (MRM) using a risk-based approach.  It is applicable to all federally regulated financial institutions (including foreign bank branches and foreign insurance company branches, insofar as this guideline is consistent with requirements and legal obligations related to their business in Canada as set out in Guideline E-4 on Foreign Entities Operating in Canada on a Branch Basis).

With the rise of digitalization and model applications (intensified by the rise of artificial intelligence and machine learning models), institutions are increasingly relying on such models to support or drive decision-making – including in business areas that traditionally did not rely on models.  As these models begin to use more diverse data sources and more complex techniques, the risk that accompanies such models (model risk) is heightened as a result.  The guideline states that institutions need to be aware of how using these models can impact their risk profile, and that effective risk management practices must be in place to mitigate the risks. 

The guideline sets out the following outcomes and expectations for model risk management:

• Model risk is well understood and managed across the enterprise.
• Model risk is managed using a risk-based approach.
• Model governance covers the entire model lifecycle.

See also Guideline E-23 – Model Risk Management (2027) – Letter.

Effective May 1, 2027

September 11, 2025

Capital Adequacy Requirements (CAR) – Guideline (2026)

OSFI has published the Capital Adequacy Requirements (CAR) 2026 guideline, with corresponding revisions to the Small and Medium-Sized Deposit-Taking Institutions (SMSB) Capital and Liquidity Requirements Guideline. The revised guideline includes updates and clarifications related to the treatment of United States Government Sponsored Entities, the identification of residential real estate exposures as income producing, and implementation considerations related to the treatment of Combined Loan Products. Revisions also include updates to the market risk capital rules to improve alignment with the credit risk capital treatment of sovereign exposures. The revisions include:

• How residential real estate exposures are identified as income-producing properties where repayment is materially dependent on cash flows generated by the property (for example, rental or leasing income, or from the sale of the property);
• The treatment of certain U.S. government-sponsored entities (GSE) to better align with their regulatory treatment in the U.S.;
• Implementation considerations related to the treatment of Combined Loan Products (CLP) where multiple lending products are secured by the same property, and are providing banks with 18 months to implement any required changes into their internal models;
• Market risk capital rules to improve alignment with the credit risk capital treatment of sovereign exposures. Sovereign exposures refer to a financial institution's exposure to a country's government or its central bank, for example through government bonds, treasury bills, or other loans made to a sovereign entity.

The guideline also notes that increases to the Basel III standardized capital floor level for Canadian banks are deferred until further notice, as announced by the Superintendent in February 2025.

Effective November 1, 2025 or January 1, 2026 for institutions with a fiscal year ending October 31 or December 31, respectively.

September 11, 2025

Small and Medium-Sized Deposit-Taking Institutions (SMSBs) Capital and Liquidity Requirements – Guideline (2026)

OSFI has published this guideline to explain the criteria it uses to segment small and medium-sized deposit-taking institutions (SMSBs) into three categories for the purposes of determining capital and liquidity requirements. Capital and liquidity requirements for SMSBs are detailed in the Capital Adequacy Requirements (CAR) Guideline, the Leverage Requirements (LR) Guideline and the Liquidity Adequacy Requirements (LAR) Guideline, which are referenced throughout. This guideline is a reference tool for SMSBs to clarify which parts of the CAR, LR and LAR are applicable to SMSBs in their category.

Effective November 1, 2025 or January 1, 2026, for institutions with a fiscal year ending October 31 or December 31, respectively.

September 11, 2025

Letter to Industry - Revision of OSFI’s Approach Regarding Administrative Monetary Penalties

This letter notifies Federally Regulated Financial Institutions and Foreign Bank Representative Offices of OSFI’s revised approach for assessing Administrative Monetary Penalties to align with its risk appetite, which favours early intervention to address risks that could jeopardize the public’s confidence in the soundness of the Canadian financial system.

Section 26 of the Office of the Superintendent of Financial Institutions Act sets out the criteria that the Superintendent must consider in determining the amount of an administrative monetary penalty.  OSFI is revising its approach to assessing these criteria to include:

• Incorporating additional indicia for assessing the statutory penalty criteria;
• A lower tolerance for contraventions such that penalties will be issued when we determine lower levels of negligence and harm; and
• A revised scaling factor to determine appropriate AMP amounts for small and mid-sized financial institutions.

A guide containing more information and instructions regarding the AMP assessment process will be published later in 2025.

Revised approach effective for violations that occur after September 11, 2025, with exceptions:

Contraventions occurring on or before September 11, 2025 but which are identified on or before December 31, 2026 will be captured by the pre-September 11, 2025 approach.

September 11, 2025

Backgrounder: Guideline E-15 - Appointed Actuary: Legal Requirements, Qualifications and Peer Review

OSFI is making major changes to Guideline E-15 – Appointed Actuary: Legal Requirements, Qualifications and Peer Review.  OSFI is:

• Removing all content from Guideline E-15 that unnecessarily repeats requirements that already exist in the Insurance Companies Act; and
• Eliminating the requirement for peer review of an appointed actuary's work.

The elimination of peer review of an appointed actuary's work will take effect on January 1, 2027.

September 10, 2025

Internal Capital Adequacy Assessment Process Expectations and Related Internal Audit Requirements

This communication from OSFI outlines its expectations with respect to:

• The 2025 internal capital adequacy assessment process (ICAAP) submission; and
• The internal audit review relating to ICAAP.

It is aimed at all small and medium-sized banks (SMSBs) including Category III institutions that are using the simplified risk-based approach. OSFI will not be requesting that all SMSBs submit their 2025 ICAAP documents and internal audit of the ICAAP for the year 2025.  Specific institutions, however, may be requested to submit their 2025 ICAAP and related internal audit as part of OSFI’s ongoing supervisory process in 2026.

OSFI stresses that the ICAAP is above all an important internal process; it should not be seen as a regulatory exercise.  It expects that SMSBs’ ICAAP should be updated as part of their annual planning process, and that all SMSBs complete their ICAAP data return annually and file the return within 90 days of their fiscal year-end date through the Regulatory Reporting System.

OSFI also commits to communicating to SMSBs, no later than September 30, 2025, specific risks and downturn severity for the prescribed single-factor stress tests that it expects institutions to undertake as part of the 2025 ICAAP and ICAAP data return.

Bank of Canada

September 8, 2025

Letter to Industry on Trust Tax Issue

The Bank of Canada has reminded stakeholders that its mandate to supervise Payment Service Providers (PSPs) under the Retail Payment Activities Act (RPAA) is now in effect, (as of September 8, 2025), including regulatory obligations related to operational risk and end-user funds safeguarding. The Bank of Canada also notes that it and the Department of Finance are aware that PSPs seeking to comply with the safeguarding requirements of the RPAA using the “in trust in a trust account” method may have unintended tax consequences. These tax consequences, or unintended administrative burden, may arise for PSPs that retain interest income on the end-user funds they hold in trust as required by the RPAA. The Bank of Canada will consider this matter when carrying out its supervisory activities. The Department of Finance and tax authorities are working with industry to try and resolve this issue.

Bank of Canada commenced its supervisory activities with respect to Payment Service Providers on September 8, 2025.

September 8, 2025

Payment Service Providers are now under Supervision – Registry to follow

This news release informs the public and stakeholders that the Bank of Canada’s mandate to supervise Payment Service Providers (PSPs) under the Retail Payment Activities Act (RPAA) is in place effective September 8, 2025.  As such:

• PSPs on the Applicant list are legally required to comply with RPAA obligations, including certain reporting requirements such as keeping information up to date on PSP Connect and replying to requests for information from the Bank.
• The Bank of Canada can use enforcement tools to ensure these obligations are met by PSPs.

The news release also notes that the Department of Finance continues to coordinate the screening of applicants for registration under the Act, and that the Bank of Canada will begin publishing the Registry of PSPs and update it on a rolling basis.

Bank of Canada commenced its supervisory activities with respect to Payment Service Providers on September 8, 2025.

Finance Canada

September 4, 2025

Deposit Insurance Review

Finance Canada, with the Canada Deposit Insurance Corporation, is undertaking  a review of the federal deposit insurance framework.  In general, it is seeking feedback about what changes to the deposit insurance framework are needed, but it is interested specifically in hearing views on:

• Increasing the deposit insurance limit to $150,000 per deposit category;
• Providing a deposit insurance limit of $500,000 per deposit category to non-retail depositors;
• Extending coverage for temporary high balances for depositors experiencing significant life events, for an enumerated list of life events; for a period of six months; and with a deposit insurance limit of $1 million;
• Streamlining the framework to four categories by merging the registered and tax-free categories and making coverage for the merged category unlimited; and
• Enhancing depositor understanding through improved disclosure to require that a CDIC member institution provide its customers with tailored information explaining the amount of insured deposits that are held at that member institution for that customer.

Deadline for comments or feedback was September 26, 2025

Financial Consumer Agency of Canada (FCAC)

Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)

October 1, 2025

Reporting Listed Person or Entity Property to FINTRAC

This updated guidance, which explains the requirement to report terrorist and sanctioned property to FINTRAC, has been updated to note that it replaces previous guidance, entitled Reporting terrorist property to FINTRAC.  It has also been updated to remove information about the application of the guidance prior to October 1, 2025.  It explains:

• Who must comply;
• What is the Listed Person or Entity Property Report;
• What is considered to be property;
• What is a listed person or entity;
• When to submit a Listed Person or Entity Property Report;
• How a Listed Person or Entity Property Report differs from other reports submitted to FINTRAC;
• How to submit a Listed Person or Entity Property Report to FINTRAC;
• Other requirements associated with a Listed Person or Entity Property Report.

Updated October 1, 2025

September 9, 2025

FINTRAC’s Requirements: Acquirer Services in Relation to Private Automated Banking Machines

This guidance explains compliance requirements for entities engaged in the business of providing acquirer services in relation to a private automated banking machine under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and associated Regulations that apply to money services businesses and foreign money services businesses as applicable.

The guidance defines “acquirer” and “private automated banking machine”, and explains the requirements for acquirer services, which include:

• Register as a money services business;
• Implement a compliance program;
• Know your client;
• Report transactions;
• Keep records;
• Apply ministerial directives.

FINTRAC conducts compliance examinations to determine whether acquirer services are meeting their requirements under the law.

Effective October 1, 2025

September 9, 2025

FINTRAC’s Requirements: Title Insurers

This guidance explains compliance requirements for title insurers under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and associated Regulations. The guidance defines “title insurer” and “title insurance”, and explains the requirements for title insurers, which include:

• Implement a compliance program;
• Know your client;
• Report transactions;
• Keep records;
• Apply ministerial directives.

FINTRAC conducts compliance examinations to determine whether title insurers are meeting their requirements under the law.

Effective October 1, 2025

September 9, 2025

FINTRAC’s Compliance Guidance: Record Keeping Requirements for Title Insurers

This new guidance explains record keeping requirements for title insurers: it explains what records must be kept and what they must contain; title insurer responsibilities when maintaining records; exceptions to record keeping requirements.

Added September 9, 2025

September 9, 2025

FINTRAC’s Compliance Guidance: When to Verify the Identity of Persons and Entities — Title Insurers

FINTRAC has issued guidance that describes when title insurers must verify the identity of persons and entities as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the Act) and associated Regulations. The guidance identifies what persons or entities must be identified and specifies that steps to verify identify must be taken in the event of any suspicious transactions, and in the event of the provision of a title insurance policy.

Added September 9, 2025

September 9, 2025

FINTRAC’s Compliance Guidance: Business Relationship Requirements

FINTRAC has issued guidance that explains when reporting entities enter into a business relationship with a client, and related obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and associated Regulations. It explains that it applies to all reporting entities, although some requirements and examples may only apply to certain reporting entities.

“Business relationship” is defined in the guidance as “a relationship established between a reporting entity and a client to conduct financial transactions or provide services related to financial transactions”. Further, it explains when, depending on the reporting entity sector, a business relationship has been entered into, and explains circumstances in which a business relationship has not been entered into. It specifies business relationship records that should be kept once the relationship has been entered into, and explains when a business relationship has ended.

Updated September 9, 2025

Payments Canada

Bank for International Settlements (BIS)

Financial Action Task Force (FATF)

Financial Stability Board (FSB)

International Association of Insurance Supervisors (IAIS)

September 9, 2025

IAIS relaunches the ICP Self-Assessment Tool (SAT)

IAIS has announced it has relaunched the ICP Self-Assessment Tool (SAT), which was previously hosted by the Access to Insurance Initiative (A2ii).  The SAT is intended to allow insurance supervisors to assess compliance with Insurance Core Principles (ICPs), receive instant feedback, identify improvement areas and track progress towards meeting global standards.  Using the SAT, self-assessments can be performed through structured questionnaires and scoring criteria, aligned with the methodology applied in the IAIS Peer Review Process (PRP).

Launch announced September 9, 2025

Legislation

October 3, 2025

Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts

Bill C-8 received second reading in the House of Commons on October 3, 2025.  It amends the Office of the Superintendent of Financial Institutions Act in connection with a new Act, the Critical Cyber Systems Protection Act. The goal of the new Act is to provide a framework for the protection of the critical cyber systems of services and systems that are vital to national security or public safety and that are delivered or operated as part of a work, undertaking or business that is within the legislative authority of Parliament.
This new Act would be administered by the OSFI.

Act comes into force by proclamation.

September 10, 2025

Canada Deposit Insurance Corporation Differential Premiums By-law, SOR/2025-165

The Canada Deposit Insurance Corporation Differential Premiums By-law, SOR/2025-165 (the new By-law) repeals and replaces the current By-law, SOR/99-120.

The new By-law:

• Establishes a differential premiums system (DPS) that classifies member institutions into different categories;
• Sets out the criteria, factors or procedures the Canada Deposit Insurance Corporation (CDIC) will consider or follow in determining the category in which a member institution is classified; and
• Sets the amount of, or provides a manner of determining the amount of, the annual premium applicable to each category.

In force April 29, 2026, except section 14, which comes into force July 16, 2026