OSFI has issued a draft revised Guideline E-13 - Regulatory Compliance Management (RCM) (the Draft Guideline). The Draft Guideline would take the place of the current Guideline E-13 - Legislative Compliance Management (LCM), which was issued in 2003. The stated objectives of the revisions are to:
- outline OSFI's expectations with respect to the control frameworks of federally regulated financial institutions (FRFIs) for mitigating regulatory risk;
- promote industry best practices in regulatory compliance risk management;
- be more consistent with OSFI's Supervisory Framework and Corporate Governance Guideline (both of which have been revised in recent years) and the upcoming draft Operational Risk Guideline (which OSFI is currently working on); and
- be more consistent with international risk management standards.
The Guideline Impact Analysis Statement that accompanies the Draft Guideline states that since the revised Guideline E-13 will align with other guidance already in place, full implementation of the revised Guideline by FRFIs would be expected no later than six months from the date that it becomes effective. Given this, it is important that FRFIs assess whether their practices meet the expectations set out in the Draft Guideline and develop a plan to address any gaps.
Comments on the Draft Guideline are to be provided by June 20, 2014.
RCM Framework - Overview
The Draft Guideline defines the RCM framework as the structures, processes and other key control elements through which a FRFI and its subsidiaries manage and mitigate regulatory compliance risk on an enterprise-wide basis. The Draft Guideline states that OSFI expects the RCM framework to enable a FRFI to identify, risk-assess, communicate, manage and mitigate regulatory compliance risk.
The Draft Guideline states that OSFI assesses the quality of RCM at two levels of control: (1) operational management for a given business activity, which has day-to-day responsibility for managing regulatory compliance risks within an activity; and (2) ongoing enterprise-wide oversight of day-to-day compliance controls by individuals or oversight functions that are independent of the activities they oversee and led by the Chief Compliance Officer (CCO).
OSFI expects Internal Audit or another independent review function to regularly assess the work of both operational management and the Compliance oversight function.
OSFI also expects the RCM framework to be reviewed regularly to address changing regulatory risks, new business activities and any changes to corporate structure. The expectation that RCM keep pace with change recurs throughout the Draft Guideline.
The Draft Guideline reflects the "three lines of defence" approach to operational risk management as articulated in the Basel Committee on Banking Supervision Principles for the Sound Management of Operational Risk (i.e., business line management, an independent corporate operational risk management function, and an independent review).
The roles and responsibilities of all individuals involved in the assessment and management of regulatory compliance risk are expected to be clearly documented. The Draft Guideline recognizes that FRFIs may have different RCM practices depending on size, complexity, risk profile and other factors and notes that regardless of where RCM roles and responsibilities reside in a FRFI or how they are constructed, OSFI will focus on the FRFI's ability to manage regulatory compliance risk and the control effectiveness upon implementation.
Key Control Elements
At a minimum, OSFI expects the RCM framework to be implemented by Senior Management and include the following key control elements:
- Procedures for Identifying, Risk Assessing, Communicating, Managing and Mitigating Regulatory Compliance Risk and Maintaining Knowledge of Applicable Regulatory Requirements - Information should be updated when there is a change in regulatory requirements or in products, services, strategic plans, activities or corporate structure.
- Day-to-Day Compliance Procedures
- Independent Monitoring and Testing Procedures - Monitoring and testing methodology should be sufficiently consistent enterprise-wide to enable aggregation of information to identify any patterns, themes or trending in compliance controls that may indicate weaknesses.
- Internal Reporting - This would include: (a) reporting procedures; (b) compliance reports to Senior Management and the Board or Board Committee(s); and (c) reporting by Internal Audit or other independent review function to Senior Management and the Board or Board Committee(s).
- Adequate Documentation
Role of CCO
The Draft Guideline provides that overall responsibility for compliance should be assigned to a member of Senior Management who should be designated as the CCO. OSFI recognizes that the CCO may have other responsibilities as well, especially in the case of smaller FRFIs. Key points made in the Draft Guideline regarding the CCO are:
- the CCO should not be directly involved in a revenue-generating function or in management of any business line or product;
- the CCO should have sufficient stature and authority within the FRFI to influence its activities; and
- the CCO should have a clearly defined and documented mandate, sufficient resources, unfettered access, and a direct reporting line to the Board or a relevant Board Committee.
The Draft Guideline states that where an institution lacks a Compliance oversight function, OSFI will look to other oversight functions or compensating controls. In the absence of other independent oversight functions or compensating controls, OSFI would expect Senior Management to be responsible for oversight.
Role of Internal Audit or Other Independent Review Function
The Draft Guideline provides that the activities carried out by the Compliance oversight function should be subject to periodic review by Internal Audit or another independent review function. OSFI expects such review to verify and validate the design and operating effectiveness of, and adherence to, the RCM framework. The Draft Guideline addresses the expected scope of the work undertaken by Internal Audit or another independent review function and states that internal audit methodologies need to be supplemented by effective challenge and an attitude of "professional skepticism" on the part of internal auditors. This echoes the Financial Stability Board's paper "Guidance on Supervisory Interaction with Financial Institutions on Risk Culture" (see our summary here), which states that "A sound risk culture promotes an environment of effective challenge in which decision-making processes promote a range of views, allow for testing of current practices, and stimulate a positive, critical attitude among employees and an environment of open and constructive engagement."
Role of Senior Management
The Draft Guideline states that OSFI expects Senior Management to implement the RCM framework and to ensure, among other things, that:
- the RCM framework is designed, implemented and maintained in a manner that is tailored to the needs of each business activity;
- compliance policies, procedures and practices are regularly reviewed to ensure they remain applicable in light of changing circumstances and regulatory compliance risks;
- findings and recommendations made by the CCO or Internal Audit or other independent review function are acted on in a timely manner; and
- staff understand their responsibilities for complying with policies, procedures and processes and are held to account for the performance of those responsibilities.
Role of the Board of Directors
Consistent with the Corporate Governance Guideline, the Draft Guideline notes that the Board has ultimate responsibility for effective enterprise-wide regulatory compliance management. In this regard, the Draft Guideline states that OSFI expects the Board to review and understand:
- the FRFI's exposure to material regulatory compliance risk;
- significant RCM policies;
- the RCM framework and its overall effectiveness; and
- remedial actions taken with respect to instances of material non-compliance or control weakness.
The Draft Guideline states that the Board must approve the mandate, resources and budget for the Compliance oversight function and approve, where appropriate, the appointment, performance review and compensation of the CCO.
The Draft Guideline also states that the Board should regularly, among other things, reassess the effectiveness of the Compliance oversight function and RCM framework.
The Draft Guideline notes that OSFI expects the Board to think critically about and challenge CCO reports and Internal Audit or other independent review function reports, as appropriate, and satisfy itself that the Board receives the information required to perform its RCM oversight responsibilities.
Consistent with other OSFI guidance, the Draft Guideline notes that branches of foreign banks and foreign insurers should read references to the Board as references to the Principal Officer or Chief Agent. OSFI's corporate governance and risk management expectations vis-à-vis branches are expected to be further clarified in forthcoming revised guidance regarding the role of Principal Officers and Chief Agents.
OSFI's Supervisory Assessment
The Draft Guideline notes that OSFI conducts supervisory work and monitors the performance of FRFIs to assess safety and soundness, the quality of control and governance processes, and regulatory compliance. In this context, OSFI assesses FRFIs' RCM frameworks against Guideline E-13. The Draft Guideline also notes that such assessments may be made in the case of applicants who seek Ministerial approval to incorporate or register new FRFIs.