How Can Canadian Banks Achieve Compliance with Guideline B-13?

August 25, 2023
Smartphone displaying payment approval screen, with text about Guideline B-13 and multi-factor authentication becoming effective from January 1, 2024

In the current state of financial fraud and authentication in Canada, Guideline B-13 is set to be the regulatory framework that helps bolster the security of Canadian banks and financial institutions.

Financial fraud attacks are on the rise in Canada. In September 2022, a survey revealed that 25% of Canadians have experienced fraud during the past three years. 

Cybercriminals are now using more sophisticated, phone-based methods of scamming victims — this is demonstrated by increased financial fraud attempts reported to the Canadian Anti-Fraud Centre (CAFC) in 2022 alone. According to the CAFC, there were 2,769 reports of phone calls from scammers who claimed to be from a financial institution that took place between January and September 2022. Furthermore, there were over 500 reports of bank-related phishing text messages reported during 2022. 

While these attacks are troublesome in and of themselves, they’re exacerbated by the fact that many Canadian banks are still using inferior authentication mechanisms. 

Canadian Banks and Multi-Factor Authentication

During the past few years, a number of Canada’s banks have adopted multi-factor authentication to strengthen their security measures and protect customer accounts. However, even though a number of financial institutions have implemented multi-factor authentication, a large share of them still rely on SMS authentication PINs, otherwise known as SMS-OTP. 

Authentication via SMS-OTP is problematic for several reasons, one of them being its lack of security. When using SMS-OTP, users need to rewrite an authentication SMS code from a phone into a browser or mobile app — this leaves ample room for fraudsters to carry out some of the aforementioned social engineering and phishing techniques.

Up until recently, Canada had yet to introduce any regulatory requirement that enforces the use of multi-factor authentication. Now, Guideline B-13 is looking to help the Canadian financial industry step up its security and authentication.

What is Guideline B-13?

In July 2022, Canada’s Office of the Superintendent of Financial Institutions (OSFI) released its final version of Guideline B-13. This guideline lays down expectations for how Canada’s federally regulated financial institutions (FRFIs) should manage technology and cyber risks, including data breaches, technology outages, and more. Importantly, Guideline B-13 is highly relevant for banks and fintech companies looking to upgrade their authentication methods. 

Here’s how OSFI describes the need for Guideline B-13:

The widespread use of technology and the growing rate of cyber incidents has created an urgent need for enhanced regulatory guidance to FRFIs on technology and cyber risk management. OSFI’s final Guideline B-13 provides that guidance, while allowing FRFIs to compete effectively and take full advantage of digital innovation.

FRFIs still have some time to prepare for Guideline B-13 — the regulation will become effective on January 1, 2024. During the rest of 2023, these organizations will need to take the necessary steps to ensure their compliance with the guideline’s requirements.

Key Pillars of Guideline B-13

Guideline B-13 is organized into three main areas, each of which contain a variety of methods for achieving effective technology and cyber risk management:

1. Governance and Risk Management

Establishes the leadership, organizational structure, strategies, and frameworks used to support risk management and oversight of technology and cyber-security.

2. Technology Operations and Resilience

States expectations for the management and oversight of risks related to the design, implementation, management, and recovery of technology assets and services, which should result in technology environments that are stable, scalable, and resilient.

3. Cyber-Security

With the goal of achieving a secure technology posture that safeguards an FRFI’s technology assets, this component states how organizations should design, implement, and maintain preventive cyber-security controls and measures.

Within its cyber-security pillar, Guideline B-13 also regulates how identity and access management controls are implemented — more specifically, it mandates that FRFIs should implement risk-based identity and access controls, including multi-factor authentication and privileged access management.

Next Steps for Canadian Banks and Fintech Companies

As we’ve explained in this post, SMS-OTP isn’t enough for achieving secure multi-factor authentication. To get multi-factor authentication right, it’s necessary for Canadian financial organizations to adopt passwordless authentication, for example, via mobile token.

Wultra is here to support Canadian banks and fintech companies that are interested in implementing a stronger authentication mechanism. Our mobile token solution ensures compliance with Guideline B-13, and our team is available to supply banks and fintech companies with the right information on how to prepare for it.

Related articles


get in touch

Consider partnering with Wultra to meet compliance standards, deliver a secure and seamless user experience, and deliver additional value to your customers while improving your bottom line.

Ondřej kupka
Picture of Account Executive Ondrej Kupka
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.