
Compliance crosswalk · OSFI E-21

OSFI Guideline E-21 (Canada) - email + domain controls, mapped to Wiredepth

Framework version: Final guideline August 2024, in force April 1 2026

Who this is for. Federally regulated financial institutions (FRFIs) in Canada: Schedule I, II and III banks, federal trust and loan companies, federal insurers, and co-operative credit associations. The 2024 E-21 replaces the 2016 version of E-21 (Operational Risk Management) and sits alongside B-13 (Technology and Cyber Risk Management).

What changed from the 2016 E-21. The new guideline elevates operational resilience from a back-office process to a board-level outcome. FRFIs must identify critical operations, map their dependencies (people, processes, technology, third parties), set tolerances for disruption, and demonstrate the capability to stay within those tolerances during severe-but-plausible scenarios. For customer-communication critical operations, the email infrastructure that carries notices, statements and confirmations is one of those mapped technology dependencies.

Where Wiredepth fits. The interesting E-21 work for email is at the dependency-mapping layer (Principle 3): every authorised email-sending vendor in your SPF / DKIM / DMARC is a third-party dependency that E-21 requires you to identify, monitor, and recover from. Continuous monitoring of email-auth posture is the operational signal that proves you can detect a disruption fast enough to stay within the tolerance you committed to under Principle 4. See also OSFI B-13 for the technology + cyber risk crosswalk that pairs with E-21.

Clause-by-clause mapping

Each row maps a specific OSFI E-21 requirement to the Wiredepth surface that addresses it. The clause ids follow the framework's own naming; verify them against the official text. We use precise language: "addresses" (the tool directly satisfies the control), "supports" (the tool contributes evidence the auditor will need), and "evidence for" (the artefact is part of the attestation package).

Columns: Clause | Surface | Requirement | Wiredepth response

Clause: Principle 1 - Governance + Culture
Surface: Reporting
Requirement: The board approves the operational risk management framework, including tolerances for disruption to critical operations. Senior management reports periodically on risks and incidents.
Wiredepth response: Compliance PDF + scheduled email reports give the board the artefact they need without an internal write-up cycle. Wiredepth Prove turns every alert + workpaper into chain-of-custody evidence the audit committee can table without disclaimers.

Clause: Principle 2 - Risk Taxonomy + Identification
Surface: Inventory
Requirement: Maintain a comprehensive taxonomy of operational risks including cyber, third-party, ICT, and people risks. Identify risks across the FRFI's products, processes, and external relationships.
Wiredepth response: Vendor consolidation audit + supply-chain watchlist generate the third-party email-sender register E-21 examiners will ask for. Brand watchlist enumerates lookalike-domain risks under the cyber category.

Clause: Principle 3 - Critical Operations + Dependencies
Surface: Inventory
Requirement: Identify critical operations and map their internal + external dependencies, including IT and ICT dependencies, third-party arrangements, data, and key personnel.
Wiredepth response: SPF / DKIM / DMARC parsing produces the third-party email-sender map that E-21 dependency mapping requires. MX + nameserver tracking surfaces the upstream-service dependencies (transport providers, DNS hosts) that customer-communication operations rely on.

Clause: Principle 3 - Critical-Operation Communications
Surface: Transport
Requirement: Customer communications (notices, statements, transaction confirmations) are typically classified as critical operations. Email infrastructure supporting them is a critical dependency.
Wiredepth response: Continuous TLS, DMARC, DNS and MTA-STS monitoring of every domain that sends customer mail, with alerts on regression. Compliance PDF serves as the periodic dependency-health evidence.

Clause: Principle 4 - Tolerances for Disruption
Surface: Monitoring
Requirement: Set tolerances for disruption to critical operations (maximum tolerable outage, data loss, customer impact). Operations must be designed to stay within tolerances during severe-but-plausible scenarios.
Wiredepth response: Hourly cadence + immediate-on-regression alerting on email-auth posture demonstrates the continuous-monitoring control E-21 examiners expect to back a tolerance commitment for email-channel disruption.

Clause: Principle 4 - Scenario Testing
Surface: Monitoring
Requirement: Test the FRFI's ability to deliver critical operations within tolerances during severe-but-plausible scenarios, including cyber, third-party failure, and concentration scenarios.
Wiredepth response: Incident-readiness workpaper documents the playbook a regulator can reference in a tabletop exercise. Spoofability checker gives a yes / maybe / no verdict for the "can our email be impersonated" scenario.

Clause: Principle 5 - Internal Controls + Monitoring
Surface: Monitoring
Requirement: Establish internal controls to manage operational risk. Monitor on an ongoing basis. Obtain independent assurance over the framework.
Wiredepth response: Continuous monitoring with alert routing to Slack / Teams / SIEM webhooks gives internal audit the run-rate control evidence E-21 expects. Tamper-evident audit log + free public verifier at /verify let independent assurance teams validate without trusting the tool.

Clause: Principle 5 - Third-Party Operational Risk
Surface: Inventory
Requirement: Third-party arrangements introduce operational risk that must be assessed at onboarding and monitored on an ongoing basis. This includes vendors providing email transport, marketing automation, and transactional sending.
Wiredepth response: Vendor batch + scheduled rescans grade authorised email senders on the same posture criteria as in-house domains. De-authorisation guides at /docs/deauthorize cover the offboarding side of the lifecycle.

Clause: Principle 5 - Incident Management
Surface: Reporting
Requirement: Maintain processes to detect, respond to, and recover from operational incidents. Notify OSFI of technology / cyber incidents per the 2024 Technology and Cyber Incident Reporting Advisory: within 24 hours for material incidents.
Wiredepth response: Hosted DMARC report inbox catches authentication-failure spikes that often precede a phishing-driven incident. Incident-readiness workpaper documents the notification timeline + decision tree.

Clause: Cross-reference to B-13
Surface: Authentication
Requirement: E-21 does not duplicate B-13's technology + cyber controls; it references them. FRFIs that implement B-13 well already cover most of E-21's cyber + ICT operational-risk content.
Wiredepth response: Each B-13 mapping at /compliance/osfi-b-13 carries over to the E-21 clause that references it. Use the B-13 crosswalk for the technology + cyber control surface and this E-21 crosswalk for the operational-resilience overlay.
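The Principle 3 dependency-mapping row says SPF / DKIM / DMARC parsing produces the third-party sender map. What follows is an added example, not Wiredepth's code, of the work that parse has to do for the SPF and DMARC half: walk the SPF include chain, count DNS-lookup mechanisms against the RFC 7208 limit of 10 (above which receivers return permerror and the record stops protecting you), flag permissive "all" qualifiers, and read the DMARC policy tags that decide whether spoofed mail is actually blocked. DKIM is left out deliberately: selectors are not enumerable from DNS, so a DKIM signer inventory comes from observed headers or aggregate reports instead. The domain example.ca, the vendor names and every DNS answer are constructed assumptions served from an in-memory table so the script runs offline; replace lookup_txt with a real resolver to use it.

```python
"""Build a third-party email-sender register from SPF + DMARC records.

Added example (not Wiredepth code). All DNS answers below are constructed;
``example.ca`` and the vendor domains are assumptions, not real senders.
"""
from dataclasses import dataclass, field

# Constructed TXT answers for a hypothetical FRFI domain and its vendors.
FAKE_DNS = {
    "example.ca": ["v=spf1 mx include:_spf.mailvendor.example "
                   "include:spf.crm.example ip4:203.0.113.0/24 -all"],
    "_spf.mailvendor.example": ["v=spf1 ip4:198.51.100.0/24 "
                                "include:pool.mailvendor.example ~all"],
    "pool.mailvendor.example": ["v=spf1 ip6:2001:db8:10::/48 -all"],
    "spf.crm.example": ["v=spf1 a:out.crm.example ?all"],
    "_dmarc.example.ca": ["v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.ca"],
}
MAX_DNS_LOOKUPS = 10                  # RFC 7208 s.4.6.4: more than 10 -> permerror
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")


def lookup_txt(name):
    """Stand-in for a DNS TXT query; swap for dns.resolver in production."""
    return FAKE_DNS.get(name.lower(), [])


@dataclass
class SenderRegister:
    includes: list = field(default_factory=list)  # (parent, vendor domain) dependencies
    networks: list = field(default_factory=list)  # (declaring domain, cidr) allowed to send
    hosts: list = field(default_factory=list)     # (declaring domain, host, mech) a:/mx deps
    lookups: int = 0                              # DNS-lookup mechanisms seen so far
    findings: list = field(default_factory=list)  # posture problems worth an alert


def walk_spf(domain, reg, path=()):
    """Depth-first walk of the SPF include/redirect chain, recording dependencies."""
    if domain in path:
        reg.findings.append(f"{domain}: include loop via {' -> '.join(path)}")
        return
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if len(records) != 1:                 # zero or multiple records both break SPF
        reg.findings.append(f"{domain}: {len(records)} SPF records (must be exactly one)")
        return
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        sep = "=" if "=" in body and ":" not in body.split("=")[0] else ":"
        mech, _, arg = body.partition(sep)   # modifiers (redirect=, exp=) use '='
        mech = mech.lower().split("/")[0]    # drop dual-cidr suffix on a/mx
        if mech in LOOKUP_MECHS:
            reg.lookups += 1
        if mech in ("include", "redirect"):
            reg.includes.append((domain, arg))
            walk_spf(arg, reg, path + (domain,))
        elif mech in ("ip4", "ip6"):
            reg.networks.append((domain, arg))
        elif mech in ("a", "mx"):
            reg.hosts.append((domain, arg or domain, mech))
        elif mech == "all" and qualifier in "+?":
            reg.findings.append(f"{domain}: '{qualifier}all' lets any source pass or be neutral")


def parse_dmarc(domain):
    """Read the _dmarc TXT record and flag settings that weaken enforcement."""
    recs = [r for r in lookup_txt("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return {"present": False, "findings": ["no DMARC record: spoofed mail is not policed"]}
    tags = {}
    for part in recs[0].split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none: monitor-only, failing mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so failure spikes are invisible")
    return {"present": True, "policy": tags.get("p"), "pct": pct,
            "rua": tags.get("rua"), "findings": findings}


def build_register(domain):
    """Return (SenderRegister, dmarc summary) for one sending domain."""
    reg = SenderRegister()
    walk_spf(domain, reg)
    if reg.lookups > MAX_DNS_LOOKUPS:
        reg.findings.append(f"{domain}: {reg.lookups} DNS lookups exceeds RFC 7208 limit of 10")
    return reg, parse_dmarc(domain)


if __name__ == "__main__":
    register, dmarc = build_register("example.ca")
    print("third-party SPF dependencies:", sorted({v for _, v in register.includes}))
    print("lookups used:", register.lookups, "/", MAX_DNS_LOOKUPS)
    print("findings:", register.findings + dmarc["findings"])
```

The `includes` list is the register an examiner asks for under Principle 3 and Principle 5: each entry is a vendor whose DNS you do not control but whose outage or compromise changes who can send as you. The lookup counter matters for the tolerance conversation, because a vendor adding one more nested include can push a record over 10 and silently turn SPF off for every receiver.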

What auditors actually look at

An OSFI E-21 examiner reviewing email + domain controls would typically ask for:

  • The third-party email-sender register (vendor inventory + last-reviewed dates)
  • Tolerance commitments for customer-communication critical operations, with the monitoring signal that backs them
  • Severe-but-plausible scenario walk-throughs covering brand-impersonation phishing + transactional-sender outage
  • Continuous-monitoring run-rate evidence (alert volumes, time-to-detect, time-to-resolve trends)
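The last bullet asks for time-to-detect evidence, and the Principle 5 incident-management row above rests on a DMARC report inbox catching authentication-failure spikes. This added example, not Wiredepth's code, shows the detection step behind that claim: parse an RFC 7489 aggregate (rua) report, total the messages whose aligned SPF and DKIM both failed, and compare the day's count against a prior-week baseline. The XML, the IP addresses and the baseline counts are constructed; a real pipeline would feed it the report attachments from the rua mailbox and persist the daily totals it computes.

```python
"""Flag a DMARC-fail spike from one aggregate (rua) report.

Added example (not Wiredepth code). The report XML and the baseline are
constructed for illustration; example.ca and the addresses are assumptions.
"""
import statistics
import xml.etree.ElementTree as ET

SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>c0ffee</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published><domain>example.ca</domain><p>quarantine</p><pct>50</pct></policy_published>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>4200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row><identifiers><header_from>example.ca</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.55</source_ip><count>860</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row><identifiers><header_from>example.ca</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.56</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row><identifiers><header_from>example.ca</header_from></identifiers>
  </record>
</feedback>"""

# Constructed prior-week daily DMARC-fail totals for the same domain.
BASELINE_DAILY_FAILS = [12, 9, 15, 11, 8, 14, 10]


def parse_report(xml_text):
    """Summarise one aggregate report: total volume, DMARC-fail volume, failing sources."""
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "report_id": root.findtext("report_metadata/report_id"),
        "end": int(root.findtext("report_metadata/date_range/end")),
        "published_pct": int(root.findtext("policy_published/pct") or "100"),
        "total": 0, "failed": 0, "by_source": {},
    }
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        # policy_evaluated carries the *aligned* results; DMARC passes if either aligns.
        dmarc_pass = pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass"
        summary["total"] += count
        if not dmarc_pass:
            summary["failed"] += count
            summary["by_source"][ip] = summary["by_source"].get(ip, 0) + count
    return summary


def detect_spike(summary, baseline, sigma=3.0, floor=50):
    """Return a spike record when today's fails exceed mean + sigma*sd (and a floor), else None."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline)
    threshold = max(floor, mean + sigma * sd)   # floor stops tiny baselines alerting on noise
    if summary["failed"] <= threshold:
        return None
    top = sorted(summary["by_source"].items(), key=lambda kv: -kv[1])[:3]
    return {"failed": summary["failed"], "threshold": round(threshold, 1),
            "top_sources": top, "detected_at": summary["end"]}


if __name__ == "__main__":
    s = parse_report(SAMPLE_RUA)
    spike = detect_spike(s, BASELINE_DAILY_FAILS)
    print(f"{s['domain']} report {s['report_id']}: {s['failed']} of {s['total']} failed DMARC")
    print("spike:", spike)
```

The detection timestamp is the report's `date_range/end`, which is the honest time-to-detect floor for this channel: aggregate reports arrive daily at best, so a rua-based alert can back a tolerance measured in days, not minutes. The `published_pct` field is worth surfacing in the same alert, since a `pct` below 100 means a share of the failing mail in the spike was still delivered.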

Generate an OSFI E-21-tagged evidence pack (Wiredepth Prove)

Prove subscribers can generate a ZIP of all five workpapers + an OSFI E-21 README in one click. Single domain, single click, ready to file in your audit binder. See pricing at /pricing#prove ($499/mo standalone, bundled in Enterprise).


Disclaimer. This crosswalk is provided for informational purposes. It is not legal advice, audit guidance, or a substitute for engagement with a qualified assessor (a QSA for PCI, a licensed CPA firm for SOC 2, a lawyer for HIPAA / NIS2 / SEC, and your own internal audit and regulator for OSFI guidelines). Framework clause ids and language may have been updated since publication; verify against the official text. Wiredepth does not guarantee compliance based on the use of any tool or page on this site.