Compliance crosswalk · OSFI B-13
OSFI Guideline B-13 (Canada) - email + domain controls, mapped to Wiredepth
Framework version: Final guideline issued July 2022, in force since January 2024
Who this is for. Federally-regulated financial institutions (FRFIs) in Canada: Schedule I, II, and III banks; federal trust + loan companies; federal insurance companies; co-operative credit associations. Provincial credit unions follow provincial guidelines but many align voluntarily.
Where email + domain controls fit. The final B-13 organizes its expectations into three domains: Governance and Risk Management, Technology Operations and Resilience, and Cyber Security. (The November 2021 draft had five, with separate third-party and resilience domains; the final guideline folded resilience into Domain 2 and moved third-party technology and cyber risk expectations into the revised Guideline B-10, Third-Party Risk Management, in effect since May 2024.) Email-auth and domain-posture controls show up in all three domains but most heavily under Cyber Security, and every authorized email-sending vendor is additionally a B-10 third-party-risk concern.
Why now. The guideline came into force January 2024 with OSFI signaling examination cycles through 2024-2026. Most FRFIs are mid first- or second-cycle assessments right now, with internal audit teams testing the controls before OSFI shows up. Email controls are an under-tested surface relative to network controls; the gaps tend to be obvious once you measure.
Clause-by-clause mapping
Each row maps a specific OSFI B-13 requirement to the Wiredepth surface that addresses it. The clause labels below are this page's own naming and track the draft's five-domain structure; verify each id against the final guideline text (and Guideline B-10 for the third-party rows) before citing it in a workpaper. We use precise language: "addresses" (the tool directly satisfies the control), "supports" (the tool contributes evidence the auditor will need), and "evidence for" (the artifact is part of the attestation package).
| Clause | Control area | Requirement | Wiredepth response |
|---|---|---|---|
| Principle 6 (Cyber Security) | Authentication | The FRFI should implement appropriate cyber security controls to safeguard against, detect, respond to, and recover from cyber incidents. Email is one of the primary cyber-incident vectors for Canadian FIs. | DMARC + SPF + DKIM analyzer scores email-auth posture. Spoofability checker gives a yes / maybe / no verdict an internal auditor can cite directly in the testing workpaper. |
| Principle 6, Identity + Access Management | Authentication | Identity + access management controls should authenticate users, systems, and devices accessing the FRFI's technology assets. By extension: sender authentication for any system emailing customers about their accounts. | DKIM checker validates outbound message signing. Email forensics replay analyzes received-message authentication results for evidence sampling. |
| Principle 6, Threat + Vulnerability Management | Monitoring | Identify, prioritize, manage, and mitigate cyber threats and vulnerabilities. Includes phishing and brand-impersonation risks targeting customers. | Brand-watchlist monitoring (Pro+) plus continuous threat-intel scoring on monitored apexes provide the proactive impersonation-domain surveillance OSFI examiners ask about. |
| Principle 7 (Third-Party Technology and Cyber Risk; see also Guideline B-10) | Inventory | The FRFI should manage technology and cyber risks associated with its third-party arrangements. Includes risks introduced by vendors authorized to send mail as the FRFI's domain. | Vendor consolidation audit inventories every third party authorized in SPF / DKIM / MX / DMARC. Blast-radius rating quantifies the per-vendor risk a third-party-risk assessment is designed to surface. |
| Principle 7, Due Diligence | Inventory | Conduct appropriate due diligence on third-party providers, including their cyber controls. Documented assessment of the vendor + its controls. | Vendor-scoring tool batch-grades supplier domains for the diligence step. De-authorization guides at /docs/deauthorize cover the offboarding side of the third-party lifecycle. |
| Principle 7, Ongoing Monitoring | Monitoring | Monitor third-party performance and risk on an ongoing basis. Includes posture changes in vendors that handle FRFI customer data or send mail as the FRFI. | Wiredepth Pro continuous monitoring tracks DMARC / SPF / DKIM / MTA-STS posture and alerts on regressions across vendor + owned domains. Change-history snapshots cover the "ongoing" evidence expectation. |
| Principle 5 (Technology Resilience) | Transport | Implement controls to safeguard the confidentiality, integrity, and availability of technology assets. Email transmission integrity is part of this. | MTA-STS + TLS-RPT checker validates enforce-mode transport encryption for mail inbound to the FRFI's domains (outbound transport to a vendor is governed by that vendor's MTA-STS policy, so check both directions). Together with DKIM, this evidences the "encrypted + authenticated" transmission story for B-13 audits. |
| Principle 1 (Governance and Risk Management) | Reporting | The Board and senior management should establish, communicate, and oversee the FRFI's approach to managing technology and cyber risks. Reported via periodic posture summaries. | Email-auth scorecard PDF is the kind of timestamped, attestable artifact the Board risk committee + internal audit committee actually read. Watermarked + revisitable URL for governance records. |
What auditors actually look at
From OSFI examination patterns in 2024-2025 (and what internal audit teams have been testing ahead of them), here's what comes up most often when email + domain posture is in scope:
- Documented DMARC posture across owned domains. Schedule I + II banks frequently have 50-200 domains in their portfolio (acquisitions, subsidiary brands, legacy marketing). p=none on a forgotten subsidiary domain is a finding waiting to happen.
- Third-party vendor inventory. Third-party risk (Principle 7 in the mapping above, now also governed by Guideline B-10) is the heaviest-tested area. Examiners want to see which vendors send as you, what they receive, when the relationship was last reviewed, and what the off-ramp looks like. The vendor-consolidation report + de-authorization guides together cover this.
- Phish-reporting workflow with an audit trail. Principle 6 incident response expects a clear "here's what to do when you see one" path. A clickable workflow in the mailbox (vs "forward to abuse@") demonstrates the awareness loop is closed.
- Cyber resilience to brand-impersonation attacks. Canadian banks are heavily targeted for customer-side phishing (CRA / bank-impersonation fraud is among the most-reported scam types to the Canadian Anti-Fraud Centre). Brand-watchlist alerts with a demonstrated response history are direct B-13 evidence.
- Continuous monitoring tied to material change. This is the ongoing-monitoring expectation (Principle 7 above, and B-10 for vendors). An alert-on-regression history tied to a documented remediation cycle is the gold-standard evidence here.
- Quebec / Law 25 considerations. Quebec-based FRFIs and FRFIs serving Quebec face both OSFI B-13 AND Law 25 (Quebec privacy). Email-data controls show up in both; documenting once and citing twice is the efficient pattern.
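The first two checks above (DMARC posture across a domain portfolio, and which third parties are authorized in SPF) are mechanical enough to script. The following is an added example, not Wiredepth's own code: it walks a constructed set of DNS TXT records (the domain names, vendors and records are invented for illustration), grades each domain's DMARC policy the way an internal auditor would, and inverts the SPF include chains into a per-vendor inventory. The `lookup_txt` function is a stand-in for a real resolver; swap in a DNS library call to run it against live zones.

```python
"""Offline DMARC/SPF portfolio review. Added example; records below are constructed."""
import re

# Constructed TXT records keyed by DNS name: a parent brand at p=reject, a
# subsidiary left at p=none, and a legacy marketing domain with no DMARC at all.
ZONE = {
    "bank.example":             ["v=spf1 include:_spf.mailvendor.example include:spf.crm.example ~all"],
    "_dmarc.bank.example":      ["v=DMARC1; p=reject; rua=mailto:dmarc@bank.example; adkim=s; aspf=s"],
    "_spf.mailvendor.example":  ["v=spf1 ip4:198.51.100.0/24 include:relay.mailvendor.example -all"],
    "relay.mailvendor.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "spf.crm.example":          ["v=spf1 ip4:192.0.2.0/24 -all"],
    "sub.bank.example":         ["v=spf1 include:spf.crm.example include:spf.newsletter.example ~all"],
    "_dmarc.sub.bank.example":  ["v=DMARC1; p=none; rua=mailto:dmarc@bank.example"],
    "spf.newsletter.example":   ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "legacy-promo.example":     ["v=spf1 a mx include:spf.newsletter.example ~all"],
}
PORTFOLIO = ["bank.example", "sub.bank.example", "legacy-promo.example"]


def lookup_txt(name: str) -> list[str]:
    """Stand-in resolver over the constructed zone; [] plays the role of NXDOMAIN."""
    return ZONE.get(name, [])


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_posture(domain: str) -> dict:
    """Effective policy for the domain and its subdomains (sp defaults to p per RFC 7489)."""
    recs = [r for r in lookup_txt(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not recs:
        return {"policy": None, "subdomain_policy": None, "rua": None}
    tags = parse_dmarc(recs[0])
    p = tags.get("p", "none").lower()
    return {"policy": p, "subdomain_policy": tags.get("sp", p).lower(), "rua": tags.get("rua")}


def spf_senders(domain: str, _seen=None) -> tuple[set[str], int]:
    """Follow include:/redirect= chains; return (authorized third-party names, DNS lookup count).

    Lookup count covers include, redirect, a, mx, ptr and exists; RFC 7208 caps it
    at 10, above which receivers return permerror and the record stops protecting you.
    """
    seen = _seen if _seen is not None else set()
    includes: set[str] = set()
    lookups = 0
    for rec in lookup_txt(domain):
        if not rec.lower().startswith("v=spf1"):
            continue
        for term in rec.split()[1:]:
            mech = term.lstrip("+-~?").lower()
            if mech.startswith(("include:", "redirect=")):
                target = re.split(r"[:=]", mech, 1)[1]
                lookups += 1
                if target not in seen:          # guard against include loops
                    seen.add(target)
                    includes.add(target)
                    sub_inc, sub_lookups = spf_senders(target, seen)
                    includes |= sub_inc
                    lookups += sub_lookups
            elif mech in ("a", "mx", "ptr") or mech.startswith(("a:", "mx:", "ptr:", "exists:")):
                lookups += 1
    return includes, lookups


def review(portfolio: list[str]) -> list[dict]:
    """Per-domain findings in the form an internal auditor would paste into a workpaper."""
    out = []
    for d in portfolio:
        posture = dmarc_posture(d)
        includes, lookups = spf_senders(d)
        findings = []
        if posture["policy"] is None:
            findings.append("no DMARC record")
        elif posture["policy"] == "none":
            findings.append("DMARC p=none (monitor only, spoofable)")
        elif posture["policy"] == "quarantine":
            findings.append("DMARC p=quarantine (not yet reject)")
        if posture["policy"] not in (None, "none") and posture["subdomain_policy"] == "none":
            findings.append("sp=none weakens subdomain coverage")
        if posture["policy"] and not posture["rua"]:
            findings.append("no rua= aggregate reporting address")
        if lookups > 10:
            findings.append(f"SPF exceeds 10 DNS lookups ({lookups})")
        out.append({"domain": d, **posture, "third_parties": sorted(includes),
                    "spf_lookups": lookups, "findings": findings})
    return out


def vendor_inventory(portfolio: list[str]) -> dict[str, list[str]]:
    """Invert the view: for each vendor include, which FRFI domains authorize it."""
    inv: dict[str, list[str]] = {}
    for d in portfolio:
        for inc in spf_senders(d)[0]:
            inv.setdefault(inc, []).append(d)
    return {k: sorted(v) for k, v in sorted(inv.items())}


if __name__ == "__main__":
    for row in review(PORTFOLIO):
        print(row["domain"], row["policy"], row["findings"])
    for vendor, domains in vendor_inventory(PORTFOLIO).items():
        print(vendor, "->", ", ".join(domains))
```

Run as-is it flags the subsidiary at p=none and the legacy domain with no DMARC, and shows that spf.newsletter.example is authorized on two domains and spf.crm.example on two, which is exactly the "which vendors send as you, and where" question the vendor-inventory bullet describes. Note that only the SPF side is inventoried here; DKIM selectors and MX hosts need separate enumeration.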
Generate an OSFI B-13-tagged evidence pack (Wiredepth Prove)
Prove subscribers can generate a ZIP of all five workpapers + an OSFI B-13 README in one click. Single domain, single click, ready to file in your audit binder. See pricing at /pricing#prove ($499/mo standalone, bundled in Enterprise).
Disclaimer. This crosswalk is provided for informational purposes. It is not legal advice, audit guidance, or a substitute for engagement with a qualified assessor (QSA for PCI, accountant or QSA for SOC 2, lawyer for HIPAA / NIS2 / SEC). Framework clause ids and language may have been updated since publication; verify against the official text. Wiredepth does not guarantee compliance based on the use of any tool or page on this site.