In February of last year, the primary Canadian regulator of financial institutions, the Office of the Superintendent of Financial Institutions (“OSFI”), released a new guideline to be followed by federally regulated entities operating in the Canadian financial sector, including banks, trust and loan companies, cooperative credit associations, insurance companies, branches of foreign banks and branches of foreign insurance companies.
This new guideline, Guideline E-17, “Background Checks on Directors and Senior Management of FREs (“Federally Regulated Entities”),” is a result of the emphasis the OSFI places on risk management, and became effective at the beginning of this year. Specifically, Guideline E-17 is aimed at mitigating risks impacting the stability, financial soundness and reputation of the organization that may be posed by the leadership of an organization, by requiring assessments of the suitability and integrity of those individuals.
This risk management effort has created ongoing assessment and examination requirements of the corporate leaders of these institutions. In light of the global economic turmoil and what is likely to be a flight to regulation, other jurisdictions are likely to impose similar and enhanced requirements on key market sectors. Corporate actors in the Canadian market are required to abide by Guideline E-17, and corporate actors outside of Canada are advised to keep an eye on the Canadian example, as other countries in which they operate may be next to impose additional regulation. In the near future, and in response to the credit crunch, regulators will be likely to “err on the side of regulation.” While other jurisdictions require assessments of responsible persons and the setting of common benchmarks, in this instance OFSI’s approach appears to be one which takes some of the highest standards from regulators around the world.
Effective as of January 31, 2009, the federally regulated entities described above are required to establish written policies and procedures to conduct assessments of the suitability and integrity of the corporate leaders referred to in Guideline E-17 as “responsible persons.” This class of person includes directors, principal officers, chief agents and the senior management of the organization, which may include the chief executive officer, the chief financial officer and any other officer who has a functional reporting line directly to the board of directors or chief executive officer.
OSFI’s approach to ensuring the suitability and integrity of responsible persons is part principles-based and part risk-based. Guideline E-17 sets out various principles in the establishment of policies and procedures in the conduct of assessments of responsible persons. However, OSFI has also indicated that it will, where warranted, assess an entity’s processes based on risk factors. For example, OSFI will use a risk-based approach when reviewing how companies address situations where assessments of responsible persons reveal an enhanced risk to the company.
As of January 31, 2009, financial institutions and branches are required to:
- determine which individuals and job categories should be considered responsible persons;
- design a policy for assessing these responsible persons;
- abide by this policy; and
- assess, at regular intervals, each responsible person (as well as potential new responsible persons) to determine whether they are suitable or have the correct integrity, and to ensure that unsuitable people do not have positions of responsibility.
Companies and branches have to be aware of the importance of their assessment policies and their proper implementation. In particular, they should:
- ensure that an appropriate schedule and timeline of assessments is designed, including assessment frequency;
- select appropriate jurisdictions and determine how far back verifications should be conducted, based on the responsible person, the position held and the circumstances;
- assess when attestations from responsible persons (or individuals being considered for a position that would make them a responsible person) will be sufficient and when independent verification will be necessary; and
- determine effective key practices to follow with respect to, for example, disclosing the organization’s assessment policy to responsible persons or potential new responsible persons, or deciding what to do if the assessment of a responsible person or a potential new responsible person reveals concerns with the person’s background.
With respect to the assessment process itself, companies and branches will need to address certain questions, such as the following:
- Who will conduct the assessment? Will the assessment be done internally or outsourced? How will the assessors be selected?
- What information will be sought by the assessors?
- What type or quantity of adverse information is material and sufficient to disqualify a person from a position as a responsible person?
- What additional information (if any) should be sought to follow up on this adverse information? Examples of additional information may include mitigating factors or circumstances that influenced or led to the adverse circumstances and information.
- How will decisions be reached? Will the company appoint a committee or will there be an ultimate decision maker? Who will assess the assessor(s)?
- How will the process be documented? Proper documentation will be essential to protect the institution where responsible persons, or potential responsible persons, later allege that they were treated unfairly during or after the process and possibly seek damages from the company, its board of directors or the assessors.
- Where a responsible person is not removed, what risk minimization and mitigation techniques will the company use? These could include more frequent assessments, more thorough assessments, the purchase of additional insurance, requiring additional approval for certain transactions and the shifting of certain sensitive responsibilities to a different responsible person.
Finally, the company or branch should address legal concerns in the employment and privacy areas, along with other issues that may arise as a result of assessments being conducted, to ensure that the process and assessment policy protect the company, the board of directors and the assessors as much as possible.