Financial Services Compliance in British Columbia: Prudential, Conduct, AML, and IT Security Requirements

This is a reference guide for BC financial services firms, including credit unions, insurers, mortgage brokers, trust companies, investment dealers, and money services businesses, summarising the federal, provincial, and sector-specific regulatory frameworks. Hexafusion is an IT services partner, not a legal advisor. Confirm current obligations with BCFSA, OSFI, FINTRAC, BCSC, and qualified counsel.

Federal regulatory framework

Area | Statute or regulator | IT relevance
Privacy (federal) | PIPEDA, OPC | Applies to federally regulated financial institutions and cross-border data.
Prudential (federal) | Bank Act, Insurance Companies Act, Trust and Loan Companies Act, OSFI | OSFI Guideline B-13 (Technology and Cyber Risk Management) informs IT controls.
Consumer protection (federal) | Financial Consumer Protection Framework, FCAC | Complaint handling, disclosure, and record-keeping.
Anti-money laundering | Proceeds of Crime (Money Laundering) and Terrorist Financing Act, FINTRAC | Client identification, beneficial ownership, transaction reporting, compliance programme.
Cybercrime | Criminal Code, ss. 342.1 and 430(1.1) | Unauthorised use of a computer (s. 342.1) and mischief in relation to computer data (s. 430(1.1)).
Tax records | Income Tax Act, s. 230, CRA | Six-year retention.

BC provincial framework

Area | Statute or regulator | IT relevance
Provincial prudential and conduct | Financial Institutions Act (BC), BCFSA | Authorisation, conduct, and prudential supervision of BC-authorised entities.
Credit unions | Credit Union Incorporation Act (BC), BCFSA | Core banking, member records, deposit insurance records.
Mortgage brokers | Mortgage Brokers Act (BC), BCFSA | Application, suitability, and disclosure records. Note the ongoing transition to the Mortgage Services Act framework; verify current wording.
Pension plans | Pension Benefits Standards Act (BC), BCFSA | Member records and actuarial data retention.
Privacy (provincial) | BC PIPA, OIPC BC | Applies to provincially regulated financial firms and BC-held personal information.
Securities (provincial) | Securities Act (BC), BC Securities Commission | Registration, disclosure, and record-keeping for investment dealers and advisers.
Employment and HR | BC Employment Standards Act, BC Human Rights Code | Payroll and accommodation records.
Premises liability | Occupiers Liability Act | Branch access control.

Financial services regulators and statutes

  • BCFSA. The BC Financial Services Authority is the integrated provincial regulator for credit unions, insurance companies, mortgage brokers, pension plans, trust companies, and real estate in BC, operating under the Financial Institutions Act and sector-specific statutes.
  • OSFI. The Office of the Superintendent of Financial Institutions is the federal prudential regulator for banks, federally authorised insurers, and federally regulated trust and loan companies. Its Guideline B-13 (Technology and Cyber Risk Management) sets out expectations for governance, technology operations and resilience, and cyber security; Guideline B-10 covers third-party risk, and OSFI's Technology and Cyber Security Incident Reporting Advisory sets the expectations for reporting technology and cyber incidents.
  • FCAC. The Financial Consumer Agency of Canada enforces consumer protection provisions for federally regulated financial institutions.
  • FINTRAC. Enforces the Proceeds of Crime (Money Laundering) and Terrorist Financing Act for reporting entities, including money services businesses, life insurance, and real estate brokers, among others.
  • Canadian Securities Administrators and BC Securities Commission. The BC Securities Commission regulates investment dealers, portfolio managers, investment fund managers, and exempt market dealers in BC. National Instruments, including NI 31-103 on registrant obligations, set record-keeping and conduct rules.
  • CIRO. The Canadian Investment Regulatory Organization (formed from the merger of IIROC and the MFDA) supervises investment and mutual fund dealers and their registered individuals.
  • Financial Institutions Act modernisation. The BC FIA is being modernised in phases. This summary is current as of early 2026; verify current wording and in-force provisions with BCFSA.
  • Mortgage Services Act framework. BC is moving to a modernised mortgage regulation regime. This summary is current as of early 2026; verify current wording, in-force status, and which statute governs current licensees.

Cross-cutting frameworks

  • PCI DSS for card acceptance and processing.
  • NIST Cybersecurity Framework, CIS Controls, and ISO 27001 as common reference points.
  • SOC 2 for cloud third-party risk assessments.
  • Cyber insurance underwriter expectations: multi-factor authentication, endpoint detection and response, tested backups, phishing training, incident response plans, and patching, increasingly with further questions about privileged access, logging, and cloud configuration.

Financial services firms sit under some of the most detailed technology and cyber guidance of any industry in Canada. OSFI's technology and cyber risk management expectations set a high bar for governance, operational resilience, third-party risk, and incident reporting at federally regulated institutions, and those expectations carry over into provincial regulator supervisory practice and into counterparty due diligence. Even a smaller BCFSA-supervised credit union or a provincial registrant inherits much of this baseline because counterparties, auditors, and insurers ask the same questions regardless of which regulator the firm sits under. Multi-factor authentication, endpoint detection and response, tested backups with offline copies, phishing training, a written incident response plan, documented patching, privileged access management, centralised logging, and third-party risk monitoring together form the assumed baseline.

How IT controls map to the regulatory stack

  • Retention schedules aligned with BCFSA, OSFI, FINTRAC, CSA, and CRA obligations. Record durations vary by instrument and registrant category.
  • Access logs on core banking, policy administration, client relationship, and dealer systems, with fine-grained role separation.
  • Encryption at rest and in transit, with key management practices that support regulator and assessor review.
  • Written breach response plan that meets PIPEDA, BC PIPA, and sector-regulator incident reporting requirements, including OSFI technology incident reporting for federally regulated institutions.
  • Tested backups and disaster recovery supporting operational resilience expectations.
  • MDR, EDR, MFA, and patching, plus third-party and cloud risk assessment aligned with OSFI third-party risk guidance.

Firms that handle these controls well run them as a programme rather than a project. They document their technology estate, map controls against a recognised framework (often NIST CSF for cross-mapping to OSFI guidance, ISO 27001, or CIS Controls), assign named owners for each control, test periodically, and keep a short written rationale for any deviations. They treat third-party risk as an ongoing activity rather than a one-time intake question, with periodic reassessment of cloud and core vendors. They run tabletop exercises for incidents that test not only the IT response but the regulator and customer communications path, because the reporting obligations in financial services are often tighter than in other industries. And they keep the evidence artefacts in a form that can be handed to a regulator, auditor, or insurer without reassembly.

BCFSA examinations, OSFI supervisory reviews, FINTRAC compliance audits, BCSC and CIRO examinations, and insurer underwriting all ultimately probe the same underlying architecture: can the firm evidence its controls, does it know where its data lives, does it monitor privileged access, does it patch, does it train its people, and can it recover after an incident? A firm that invests in these controls as one programme rather than as a series of responses to individual regulators reduces duplicated effort and avoids the fragile situation where a finding in one examination becomes a finding across all of them.

Where Hexafusion fits

Hexafusion operationalises the IT controls that support BC financial services firms' prudential, conduct, AML, and privacy obligations. That includes Microsoft 365 hardening for confidential client data, privileged access management, backup and disaster recovery for dealer and broker systems, third-party risk documentation, and the written evidence package that supports BCFSA examinations, OSFI reviews, FINTRAC compliance audits, and insurer underwriting. Our founder's PCI DSS Internal Security Assessor background informs how we structure control evidence for third-party review.

We do not interpret the Financial Institutions Act, do not run your AML compliance programme, and do not give legal or securities advice. Those roles belong to qualified counsel, your chief compliance officer, and your MLRO.

Frequently Asked Questions

Who enforces financial services compliance in BC?
BCFSA for provincially authorised entities. OSFI for federally authorised institutions. FINTRAC for AML. BCSC and the CSA for securities. FCAC for federally regulated consumer protection.

Does Hexafusion provide legal advice?
No. We are an IT services provider. Compliance interpretation belongs to counsel and your chief compliance officer.

How do IT controls map to financial services compliance rules?
Client records, transaction data, audit trails, third-party risk assessments, and incident response need reliable retention, access control, encryption, and tested backups.

How does financial services compliance overlap with cyber insurance?
Insurers require MFA, EDR, backups, training, IR plans, and patching, which also map to OSFI technology and cyber risk expectations and BCFSA conduct supervision.

What records must my firm retain?
BCFSA, OSFI, FINTRAC, and securities regulators each set retention rules. CRA requires six-year retention. Confirm durations with each applicable regulator.

Is the BC Financial Institutions Act being modernised?
Yes, in phases. This summary is current as of early 2026; verify current wording and in-force provisions with BCFSA and qualified counsel.

Disclaimer

This reference guide provides general regulatory context for BC-based financial services firms. It is not legal, securities, or compliance advice. Confirm current requirements with BCFSA, OSFI, FINTRAC, BCSC, and qualified counsel. Hexafusion is an IT services provider and does not provide legal advice. Administrative monetary penalties apply up to statutory maximums; confirm current amounts with the regulator.

Reviewed by Alex Barari, Founder, former PCI DSS Internal Security Assessor (ISA).

Need help with the IT side of compliance?

Request a scoped assessment. We review your technical safeguards against the evidence an assessor, regulator, or insurer expects, and deliver a written report.
