
OSFI B-13 Guideline for Federally Regulated Financial Institutions (FRFIs) in Canada

Learn how to comply with Canada’s OSFI Guideline B-13 by using MFA, enhancing governance & boosting technology resilience to protect financial institutions.

Alex

Created: January 14, 2025

Updated: January 15, 2025


Our mission is to make the Internet a safer place, and the new login standard, passkeys, provides a superior solution to achieve that. That's why we want to help you understand passkeys and their characteristics better.

1. Introduction#

Financial fraud is increasing in Canada, and the banking sector is under increasing pressure to strengthen its defenses. In an effort to mitigate these threats, Canada’s Office of the Superintendent of Financial Institutions (OSFI) has introduced OSFI Guideline B-13 - a regulatory framework that sets new expectations for federally regulated financial institutions (FRFIs). Effective from January 1, 2024, Guideline B-13 provides a roadmap for improving technology and cyber risk management, including stricter requirements for multi-factor authentication (MFA).

In this post, we’ll answer the following questions regarding Guideline B-13:

  • Why is Guideline B-13 so important?
  • What are the areas Guideline B-13 is focusing on?
  • What are the practical steps Canadian banks and fintech organizations can take to meet B-13 standards?

2. The Growing Threat of Financial Fraud in Canada#

Fraudsters are becoming increasingly sophisticated, and recent statistics underscore the need for tighter security protocols:

Compounding this problem is the fact that many Canadian banks still rely on inferior authentication methods, such as SMS-OTP (one-time passcodes sent via text). These codes are vulnerable to interception, social engineering, and phishing attacks, making them a weak link in Canada’s digital security chain.

3. Why Multi-Factor Authentication Matters#

Although some Canadian financial institutions have already embraced MFA, the common approach of sending an SMS OTP remains prevalent. However, SMS-OTP-based authentication:

  • Requires users to manually enter a code from one channel (SMS) into another (a browser or banking app).
  • Leaves room for human error and opens the door for phishing attempts, where criminals trick victims into sharing their verification codes.
  • Has limited resilience against more advanced scam tactics, including SIM swapping and unauthorized access to text messages (SMS was never designed to be an authentication channel).
  • Leads to high costs for the company, since every SMS sent must be paid for.

To counter these vulnerabilities, Guideline B-13 stipulates the adoption of more secure authentication methods. This requirement marks the first formal regulatory directive in Canada that mandates safer, more reliable MFA.


4. What Is OSFI Guideline B-13?#

Released in July 2022 by OSFI, Guideline B-13 sets forth principles for how FRFIs should handle technology and cyber risk. Beyond safeguarding against data breaches and outages, it emphasizes the need for risk-based identity and access controls - including multi-factor authentication and privileged access management.

According to the Office of the Superintendent of Financial Institutions (OSFI):

“The widespread use of technology and the growing rate of cyber incidents has created an urgent need for enhanced regulatory guidance to FRFIs on technology and cyber risk management. OSFI’s final Guideline B-13 provides that guidance, while allowing FRFIs to compete effectively and take full advantage of digital innovation.”

5. Key Areas of Guideline B-13#

Guideline B-13 is built around three main pillars, each of which encompasses various strategies to enhance technology and cyber risk management:


5.1 Governance and Risk Management#

  • Focus: Leaders and decision-makers must establish clear structures, strategies, and frameworks for overseeing technological and cyber risks.

  • Why It Matters: Effective governance not only supports accountability but also provides the necessary oversight to ensure technology initiatives and risk controls are properly implemented.

5.2 Cyber-Security#

  • Focus: Establishes the defensive measures needed to safeguard an institution’s technology assets.

  • Why It Matters: By implementing stronger preventative and detective controls, organizations are better equipped to protect sensitive data and respond effectively to potential cyber threats.

6. Recommendations for Canadian Banks and FinTechs#

6.1 Assess Current MFA Measures#

Begin by auditing your existing authentication methods and map out their vulnerabilities. Compare these findings against B-13’s risk-based requirements to prioritize improvements. Aim for scalable solutions that can adapt to new threats and regulatory shifts.

6.2 Explore Phishing-Resistant Passwordless Authentication#

Transition away from SMS-based authentication to more secure alternatives, such as phishing-resistant MFA with passkeys. This and other methods significantly reduce the risk of intercepted codes and SIM swap attacks.
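To make concrete why the passkey route recommended here (and contrasted with SMS OTP in section 3) resists phishing, the following added example, written for this post and not taken from Corbado's SDKs or the guideline, implements the relying-party checks from the WebAuthn assertion verification that bind a passkey login to the site it was performed on. The relying-party ID `bank.example`, the lookalike domain `bank-example.com`, the challenge and the OTP value are all constructed for illustration.

```python
import base64
import hashlib
import json
# Constructed values for this example (not from the original post):
RP_ID = "bank.example"                   # relying-party ID the passkeys were registered under
ALLOWED_ORIGIN = "https://bank.example"  # only origin the server accepts assertions from

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_passkey_assertion(expected_challenge: bytes, client_data_json: bytes,
                             auth_data: bytes) -> tuple[bool, str]:
    """WebAuthn relying-party checks that make passkeys phishing-resistant (signature check assumed elsewhere)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or stale assertion)"
    if cd.get("origin") != ALLOWED_ORIGIN:      # the browser fills this in; the user cannot alter it
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"      # authenticator hashed a different rpId
    if not auth_data[32] & 0x01:               # UP (user present) flag
        return False, "user presence not asserted"
    return True, "ok"

def verify_sms_otp(stored_otp: str, submitted_otp: str) -> tuple[bool, str]:
    """SMS OTP has no binding to where the code was typed: a relayed code passes."""
    ok = stored_otp == submitted_otp
    return ok, "ok" if ok else "otp mismatch"

def client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser emits as clientDataJSON (constructed here)."""
    ch = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": ch, "origin": origin}).encode()

def authenticator_data(rp_id: str, flags: int = 0x05, counter: int = 0) -> bytes:
    """rpIdHash || flags || signCount, as an authenticator emits it (constructed here)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")

def demo() -> dict:
    challenge = b"\x11" * 32  # constructed server-issued challenge
    genuine = verify_passkey_assertion(challenge, client_data(ALLOWED_ORIGIN, challenge),
                                       authenticator_data(RP_ID))
    # A lookalike site relays the real challenge, but the browser records the lookalike's origin
    # and the authenticator hashes the lookalike's rpId, so the bank's server rejects it.
    phished = verify_passkey_assertion(challenge, client_data("https://bank-example.com", challenge),
                                       authenticator_data("bank-example.com"))
    relayed_otp = verify_sms_otp("483920", "483920")  # same code typed into the lookalike and relayed
    return {"genuine": genuine, "phished": phished, "relayed_otp": relayed_otp}
```

In a real browser the lookalike site could not even request an assertion for `bank.example`, because the rpId must be a registrable suffix of the page's origin; the server-side checks above are the second line of defence that the SMS OTP comparison simply does not have.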

6.3 Strengthen Cybersecurity Governance#

Clearly define roles and responsibilities to foster accountability. Integrate cyber risk management into strategic planning, and regularly review policies on vendor risk, data privacy, and incident response. Cultivate a security-first culture through ongoing staff education, phishing simulations, and shared best practices.

6.4 Invest in Resilient Technology#

Upgrade outdated infrastructure to minimize downtime, improve system stability, and support advanced security tools. For example, migrating mission-critical applications to secure cloud platforms can reduce data-related risk. Regular disaster-recovery drills simulating ransomware attacks help pinpoint weaknesses and train your response teams.


7. How Corbado Can Help Meet B-13 Measures#

Corbado specializes in secure, high-performance authentication with passkeys that are designed to meet strict regulatory requirements and provide phishing-resistant MFA. By adopting passkey logins, Canadian banks can:

  • Enhance security and provide phishing-resistant MFA.
  • Comply with Guideline B-13’s MFA and privileged access mandates.
  • Improve the user experience for customers, who never have to remember a password again.
  • Save up to 90% of SMS costs by replacing SMS-OTP.

Whether you’re a large bank or an emerging fintech, Corbado can support your transition from SMS OTP to a passkey authentication model, enabling you to stay compliant while significantly strengthening your organization’s cyber resilience and cutting costs. Passkeys are already becoming the standard, as big tech is pushing them. Don’t lag behind.


8. Conclusion#

Guideline B-13 represents a decisive step forward in fortifying Canada’s financial sector against escalating cyber threats. By addressing governance, operational resilience, and advanced cybersecurity measures, OSFI is sending a clear message that outdated authentication methods and lax oversight are no longer acceptable.

In this article, we answered the initial questions as follows:

  • Why is Guideline B-13 so important?

    Guideline B-13 is critically important because it establishes a clear framework for Canadian financial institutions to manage technology and cyber risks, ensuring operational resilience, regulatory compliance, and protection against increasing cyber threats.

  • What are the areas Guideline B-13 is focusing on?

    Guideline B-13 primarily focuses on enhancing governance structures, strengthening risk management practices, improving the security of technology operations, ensuring robust cybersecurity measures, and developing effective incident response and recovery processes.

  • What are the practical steps Canadian banks and fintech organizations can take to meet B-13 standards?

    To meet B-13 standards, Canadian banks and fintech organizations can adopt comprehensive cybersecurity frameworks, conduct regular risk evaluations, improve board-level oversight on cyber risks, enhance third-party risk management, and establish well-defined protocols for responding to and recovering from cyber incidents.
