Canada’s banking regulator issued a warning to banks, identifying Claude Mythos.

Canada’s banking regulator issued a warning to banks, identifying Claude Mythos.

      An email from April addressed to bank technology leaders, made public through access-to-information regulations, indicates that OSFI has identified Anthropic’s frontier model as a factor in the diminishing timeframe for addressing vulnerabilities. Typically, regulators do not specify products by name; instead, they refer to “emerging technologies” and “advanced capabilities,” leaving it to the audience to infer which vendor they are discussing. Thus, it is notable that when Canada’s banking regulator communicated with the nation’s major financial institutions in April, it explicitly named one: Anthropic’s Claude Mythos.

      The email, dispatched on April 29 by the Office of the Superintendent of Financial Institutions to chief technology officers, chief information security officers, and chief risk officers across Canada's banking and insurance sectors, was acquired by Reuters via an access-to-information request. OSFI stated, “Advanced artificial intelligence models, such as Anthropic Claude Mythos, significantly compress the timeframe for effective risk mitigation.” The bulletin outlined “sound practices that institutions can adopt to enhance the speed and effectiveness of risk identification, mitigation, and response.”

      Some portions of the email were redacted in accordance with the Access to Information Act, leaving some recommendations from OSFI undisclosed. However, the assessment made is clear. The conventional patching cycle assumes that defenders have days or weeks to address a flaw before it can be exploited. Mythos, described by cybersecurity researchers as highly capable of detecting and exploiting software vulnerabilities, disrupts that expectation, especially since banks often utilize some of the oldest software in existence.

      The timing is significant. In early April, Canadian bank executives met with regulators to discuss Mythos, shortly after U.S. Treasury Secretary Scott Bessent and then-Federal Reserve Chair Jerome Powell gathered bank CEOs regarding the same model. Three weeks later, OSFI sent out its email. This trend has since been observed with the European Central Bank, the Bank of England, and in Australia, where ASIC has also confirmed scrutiny of the model.

      After Reuters queried OSFI last week, the regulator released a public statement concerning generative and agentic AI. This sequence is not subtle. OSFI officially states that it does not regulate models, asserting, “Our focus is not the technology itself, but how federally regulated financial institutions govern and manage the risks associated with its use.” This standard, technology-neutral position is conveyed in a document that specifically names a particular technology from a specific company twice.

      OSFI’s jurisdiction stretches from the six major banks to pension funds and insurers, tasked with identifying risks stemming from geopolitics, foreign interference, and new technology. It is uncommon for all three categories to converge on the same subject simultaneously. Access to Mythos is limited, with Eurozone banks seemingly excluded, and the model is provided through Anthropic’s controlled-access initiative, Project Glasswing. The Canadian government claims to have access.

      It remains unclear if any Canadian bank has access, as those contacted declined to comment. Many redirected inquiries to the Canadian Bankers Association, which stated that its members have significantly invested in safeguarding the financial system and adhere to OSFI's cyber risk management and incident reporting requirements, a response that doesn’t directly address the inquiry.

      Canada’s major banks are not passive in this context. Royal Bank of Canada, TD Bank, and BMO have each announced strategies to capitalize on AI, transitioning from trials to chatbots and internal tools while decreasing reliance on third-party suppliers. Scotiabank, CIBC, and National Bank have also revealed their own initiatives.

      Bruce Ross, RBC’s group head of AI, remarked in June that Mythos signifies a shift in the threat landscape, as exploits may arise immediately upon the discovery of vulnerabilities. “Our approach is to build our own AI defenses,” he stated. “We will continue to do that.” Consequently, the defense is effectively another instance of the very issue it seeks to counter.

      The broader concern in Ottawa transcends the issue of merely applying patches. Prime Minister Mark Carney has likened an excessive dependence on a small number of frontier models to the concentration risks that led up to the 2008 crisis, a significant assertion for a prime minister to make regarding a chatbot entity. OSFI’s email implies that regulators have ceased treating this as merely a metaphor.

Other articles

The upcoming AI energy commitment from the White House focuses on utility companies. The upcoming AI energy commitment from the White House focuses on utility companies. The White House intends to request that utilities, data center operators, and governors commit to ensuring that the demand for AI power will not increase residential electricity costs. Nvidia creates a whitelist: over fifty percent of its Asian clients are excluded from it. Nvidia creates a whitelist: over fifty percent of its Asian clients are excluded from it. Nvidia has reduced its roster of Asian clients authorized to purchase AI chips by more than 50%, implementing a whitelist and stricter screening processes in Singapore, Malaysia, and Japan. The Pentagon has temporarily halted the cyber audit regulation that was driving small suppliers away. The Pentagon has temporarily halted the cyber audit regulation that was driving small suppliers away. The Pentagon has halted CMMC Phase 2 cybersecurity audits, citing high costs and a lack of assessors as factors pushing small contractors out of the process. Canada's banking regulator issued a warning to banks regarding Claude Mythos. Canada's banking regulator issued a warning to banks regarding Claude Mythos. An email from April, made public through access-to-information regulations, reveals that Canada’s OSFI has cautioned bank technology leaders regarding Anthropic’s Claude Mythos. The next AI energy commitment from the White House focuses on utility companies. The next AI energy commitment from the White House focuses on utility companies. The White House intends to request utilities, data center operators, and governors to commit to ensuring that the demand for AI power does not increase residential electricity costs. Thomson Reuters is reducing its engineering staff while bringing in engineers who are skilled in AI. Thomson Reuters is reducing its engineering staff while bringing in engineers who are skilled in AI. Thomson Reuters is reducing its engineering workforce as it implements AI in its legal and tax offerings. They mention that it is a small number of positions. Employees were informed that the cuts could affect up to 500 roles.

Canada’s banking regulator issued a warning to banks, identifying Claude Mythos.

An email from April disclosed through access-to-information regulations reveals that Canada’s OSFI cautioned bank technology leaders regarding Anthropic’s Claude Mythos.