On November 13 2014 the Office of the Superintendent of Financial Institutions (OSFI) issued the final version of Guideline E-13 – Regulatory Compliance Management (RCM). The RCM guideline sets out OSFI's expectations for compliance risk management at all federally regulated financial institutions, including all Canadian banks. The RCM guideline replaces the former Legislative Compliance Management Guideline issued in 2003. Since the 2003 guideline was issued, OSFI has reissued both its Guideline on Corporate Governance and its description of its supervisory framework, both of which make reference to aspects of OSFI's expectations for compliance risk management. OSFI stated that one of the primary purposes of reissuing the guideline was to ensure that it was aligned with the guidance expressed in these more recent documents.
OSFI also maintains that the RCM guideline creates no new regulatory requirements. In the broadest sense, this is true, as OSFI's expectations for the general framework used to manage regulatory risk has not changed. The 2003 guideline clearly required that institutions adopt the three lines of defence model, with responsibility shared between operational management, an independent compliance function and an internal audit. However, the RCM guideline elaborates considerably on the various aspects of the RCM framework. Institutions will need to assess their existing practices to determine whether any gaps exist between their present RCM frameworks and the newly elaborated expectations.
One notable change from the draft RCM guideline that was previously circulated for comment is the removal of "ethical standards" as one of the sources of regulatory compliance risk. In a complete reversal from the draft guideline, the RCM guideline now expressly states that regulatory compliance risk does not include the risk arising from non-conformity with ethical standards. Of course, this exclusion does not mean that institutions need not consider the risk of non-compliance with ethical standards. Indeed, the failure to meet ethical standards can lead to significant reputational damage for a firm. For this reason, there is a growing body of literature that recommends that firms consider broadening the mandate of their chief compliance officers to include the role of chief ethics officer. Indeed, some commentators have said that the true first line of defence for a compliance programme is the ethical culture of an organisation. An organisation that has a high ethical standard will tend to do the right thing even if its compliance programme is not particularly robust. Meanwhile, the most robust compliance programme may not head off problems if the ethical culture is weak. It will be interesting to see whether OSFI chooses other means to raise ethics and ethical standards with institutions.
The RCM guideline's definition of 'regulatory requirements' has been broadened somewhat to include "rules" and "prescribed practices". In the wake of the 2008 financial crisis, regulators have been seeking out more flexible tools, such as guidelines, advisories and notices, to communicate their expectations to financial institutions. By broadening the list of potential sources of regulatory requirements in the RCM guideline, OSFI is communicating an expectation that compliance programmes deal comprehensively with all potential sources of requirements. While OSFI expects compliance programmes to be comprehensive, this can present challenges for compliance teams in areas that require a high degree of expertise, such as those respecting capital or corporate tax. Institutions will have to consider whether their compliance programmes deal comprehensively with all sources of requirements and, if they do not, what additional arrangements can be put in place to address the gaps.
While the 2003 guideline referred to monitoring as an element of a compliance programme, the RCM guideline contains considerably more commentary with respect to monitoring, and explicitly refers to testing as a distinct programme element. While it may seem obvious today that a compliance function must carry out independent testing of the controls established by operational management, until recently many compliance functions viewed themselves more as business partners helping operational management to develop their controls. This day-to-day relationship with the business side of an organisation allowed for close monitoring of compliance and compliance developments, but did not incorporate a formal testing programme. The direct reference to testing in the RCM guideline appears to confirm that these types of monitoring activity are insufficient. Institutions will have to look at ways to incorporate a testing element into their compliance programmes.
At a recent Canadian Institute conference on regulatory compliance at financial institutions, the role of the internal audit under the RCM guideline's new compliance framework was a focus of some panel discussions. It was apparent from the audience questions that many people were struggling to understand how the compliance testing function and internal audit differ. While compliance and audit testing appear to be similar concepts, the RCM guideline states that testing in the second line of defence is not intended to duplicate the work of the internal audit. While OSFI representatives and several other commentators attempted to draw a distinction between the two roles, it was apparent that much confusion remained. Institutions will have to see how practice in this area develops and adjust their compliance programmes accordingly.
While the RCM guideline is not supposed to create any new regulatory requirements, institutions have been given until May 1 2015 to implement it. Benchmarking existing practices against the RCM guideline will have to begin immediately.
For further information on this topic please contact John Jason at Norton Rose Fulbright by telephone (+1 416 216 4000), fax (+1 416 216 3930) or email (firstname.lastname@example.org). The Norton Rose Fulbright Canada website can be accessed at www.nortonrosefulbright.com/ca/en/.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.