OSFI Guideline B-13 on Technology and Cyber Risk Management (Canada, federally regulated financial institutions) expects FRFIs to demonstrate that technology and cyber controls were in place and effective, that technology decisions, including automated ones, were governed, and that an audit trail exists for regulatory inquiry. Most existing audit-log architectures meet the letter of the requirement but produce evidence that is only as trustworthy as the operator's current systems: if those systems change, fail, or are decommissioned, the evidence weakens with them.
H33-74 produces audit evidence that survives the system that produced it.
The receipt is cryptographically verifiable independent of the operator. The PQ signatures survive the quantum transition. The chain anchors survive any single chain's deprecation. The audit horizon is institutional, not application-bound.
What OSFI B-13 requires
OSFI Guideline B-13 sets expectations for technology and cyber risk management at federally regulated financial institutions. It is organized into three domains: governance and risk management, technology operations and resilience, and cyber security. Third-party technology risk is addressed in the companion Guideline B-10 on third-party risk management. OSFI expects FRFIs to demonstrate ongoing control effectiveness, incident management, and resilience through evidence the regulator can review during routine supervision and after material incidents.
Why H33-74 fits
B-13 evidence is supervisory-grade: OSFI may request specific control records during examination or post-incident review years after the controls operated. H33-74 receipts give OSFI cryptographic confidence that the records have not been altered since they were produced, even if the underlying systems have since been changed or decommissioned. The PQ signatures keep the receipts verifiable through Canadian regulatory horizons that may span the quantum transition. Chain-portable anchors keep evidence verifiable regardless of which notarization chain the FRFI chose at the time. Two preconditions apply to any such scheme: each receipt must carry its own anchor proof, and the signing public keys and anchored roots must be retained somewhere the auditor can reach without the operator's help.
Control mapping
Governance and accountability
Each board and committee technology-risk decision, change approval, and risk appetite calibration emits an H33-74 receipt. Governance evidence is independently verifiable.
Technology operations
Production changes, incident response decisions, and operational risk events emit receipts. Operational evidence outlives the change-management system that produced it.
Cyber security
Security incident classifications, containment decisions, threat intelligence integrations, and remediation actions produce receipts. Cyber control effectiveness is auditable through chain-portable evidence.
Third-party technology risk
Third-party risk assessments, contractual controls, and ongoing monitoring decisions emit receipts. Third-party evidence survives vendor changes.
Resilience
Resilience testing outcomes, recovery exercise results, and remediation tracking emit receipts. Resilience evidence can be produced to OSFI on demand.
What this changes for the audit team
- Each control's evidence is a cryptographic object the auditor verifies directly, not a log entry the auditor trusts because the operator says so. Verification establishes that the record is unchanged since it was signed and existed no later than its anchor; whether the decision recorded was the right one remains the auditor's judgment.
- The audit horizon extends beyond the operator's current systems, vendors, or chain choices.
- Regulator inquiry years after a decision can be answered with the original PQ-signed receipt rather than reconstructed from operator memory.
- Independent third-party verification works without the operator's infrastructure being available.
How H33-74 is integrated
- For each control that produces a decision or outcome, the system emits an H33-74 receipt at the moment the decision is made.
- Receipts are signed with three independent post-quantum signature families and contain the structured computation result.
- Receipts are anchored on one or more chains as the audit policy requires (delayed or immediate, single-chain or multi-chain).
- The audit team is given the receipt store and the open-source verifier. They verify independently.
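The integration steps above describe a receipt format and a verifier that needs nothing from the operator. The block below is an added illustration, not H33-74 code and not its receipt format: a Lamport one-time signature (hash-based, so post-quantum) stands in for the page's three PQ signature families, and a Merkle root published to several simulated "chains" stands in for chain anchoring. Function names, the receipt fields, the chain names and the sample decisions are all assumptions constructed for the example.

```python
"""Added illustration (not H33-74 code): a decision receipt that an auditor
can verify offline from the receipt, a published public key and any one
archived anchor root. Lamport signatures and a Merkle tree are stand-ins for
the page's PQ signature families and chain anchors. All names are assumptions."""
import hashlib
import json
import secrets

N = 256  # message-digest bits; Lamport uses one secret pair per bit


def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def canonical(body: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    return sk, [(H(a), H(b)) for a, b in sk]


def _bits(d: bytes):
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def lamport_sign(sk, msg: bytes):
    # One-time scheme: a key pair must never sign two different messages.
    return [sk[i][b] for i, b in enumerate(_bits(H(msg)))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == N and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(H(msg)))))


def merkle_tree(leaves):
    """Return (root, per-leaf audit path). Odd levels duplicate the last node."""
    level, pos = list(leaves), list(range(len(leaves)))
    proofs = [[] for _ in leaves]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        for k, p in enumerate(pos):
            proofs[k].append(("L" if p % 2 else "R", level[p ^ 1]))
            pos[k] = p // 2
        level = [H(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
    return level[0], proofs


def merkle_verify(leaf: bytes, proof, root: bytes) -> bool:
    h = leaf
    for side, sib in proof:
        h = H(sib + h) if side == "L" else H(h + sib)
    return h == root


def issue(bodies, chains):
    """Operator side: sign each decision, batch the leaf hashes, anchor the root.
    Returns the receipts plus the public keys the operator publishes out-of-band."""
    leaves = [H(canonical(b)) for b in bodies]
    root, proofs = merkle_tree(leaves)
    anchors = {chain: root.hex() for chain in chains}  # simulated chain writes
    receipts, pubkeys = [], []
    for body, leaf, proof in zip(bodies, leaves, proofs):
        sk, pk = lamport_keygen()  # fresh one-time key per receipt
        sig = lamport_sign(sk, canonical(body))
        receipts.append({"body": body, "leaf": leaf.hex(),
                         "sig": [s.hex() for s in sig],
                         "proof": [(side, sib.hex()) for side, sib in proof],
                         "anchors": anchors})
        pubkeys.append(pk)
    return receipts, pubkeys


def verify_receipt(receipt, pk, archived_roots) -> bool:
    """Auditor side: uses only the receipt, the published key and the roots the
    auditor archived. The operator's systems are never contacted."""
    msg = canonical(receipt["body"])
    leaf = bytes.fromhex(receipt["leaf"])
    if leaf != H(msg):
        return False
    if not lamport_verify(pk, msg, [bytes.fromhex(s) for s in receipt["sig"]]):
        return False
    proof = [(side, bytes.fromhex(sib)) for side, sib in receipt["proof"]]
    # Chain-portable: any surviving archived anchor suffices; the root is taken
    # from the auditor's archive, never from the receipt itself.
    return any(merkle_verify(leaf, proof, bytes.fromhex(archived_roots[chain]))
               for chain in receipt["anchors"] if chain in archived_roots)


if __name__ == "__main__":
    # Constructed sample decisions, not real FRFI records.
    bodies = [
        {"control": "change approval", "id": "CHG-0001", "decision": "approved",
         "ts": "2025-03-01T10:00:00Z"},
        {"control": "incident classification", "id": "INC-0007",
         "decision": "material", "ts": "2025-03-01T11:30:00Z"},
        {"control": "recovery exercise", "id": "DR-2025-Q1", "decision": "pass",
         "ts": "2025-03-02T09:00:00Z"},
    ]
    receipts, pks = issue(bodies, ["chain-a", "chain-b"])
    # Years later chain-a is deprecated; the auditor archived only chain-b's root.
    archived = {"chain-b": receipts[0]["anchors"]["chain-b"]}
    print(all(verify_receipt(r, pk, archived) for r, pk in zip(receipts, pks)))
    receipts[1]["body"]["decision"] = "not material"  # tampered record
    print(verify_receipt(receipts[1], pks[1], archived))
```

Two design points carry over to any real deployment. A Lamport key signs exactly one message, which is why the example generates a fresh key per receipt; production hash-based schemes (the stateful XMSS/LMS families of RFC 8391 and RFC 8554, or stateless SLH-DSA in FIPS 205) manage that constraint for you. And the verifier takes the anchor root from the auditor's own archive, not from the receipt, because a receipt that vouches for its own anchor proves nothing.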
The OSFI B-13 audit trail becomes chain-portable evidence. Each control's record outlives the system that produced it, the vendor that hosts it, and any one of the chains it was anchored to.
Related