In February 2008, Canada’s Office of the Superintendent of Financial Institutions (OSFI) - the primary Canadian regulator of financial institutions - released a new guideline to be followed by federally regulated entities in the financial sector (including banks, trust and loan companies, cooperative credit associations, insurance companies, branches of foreign banks and branches of foreign insurance companies) operating in Canada. This new guideline will become effective January 31, 2009. Guideline E-17, “Background Checks on Directors and Senior Management of FREs (Federally Regulated Entities)” is a result of the OSFI emphasis on risk management. Specifically, Guideline E-17 is aimed at mitigating risks impacting the stability, financial soundness and reputation of the organization that may be posed by the leadership of an organization, by requiring assessments of the suitability and integrity of these individuals.
This risk management effort has created ongoing assessment and examination requirements of the corporate leaders of these institutions. In light of the global economic turmoil and what is likely to be a flight to regulation, other jurisdictions are likely to impose similar and enhanced requirements on key market sectors. Corporate actors in the Canadian market are required to abide by Guideline E-17; corporate actors outside of Canada are advised to keep an eye on the Canadian example, as other countries in which they operate may be next to impose additional regulation. In the near future, and in response to the credit crunch, regulators will be likely to “err on the side of regulation”. While other jurisdictions require assessments of responsible persons and a common benchmark has been set, in this instance OSFI’s approach appears to be one which takes some of the highest standards from regulators around the world.
Effective January 31, 2009, the federally regulated entities described above were required to establish written policies and procedures to conduct assessments of the suitability and integrity of the corporate leaders referred to in Guideline E-17 as ‘responsible persons’. This class of person includes directors, principal officers, chief agents and the senior management of the organization, which may include the chief executive officer, the chief financial officer and any other officer who has a functional reporting line directly to the board of directors or chief executive officer.
OSFI’s approach to ensuring the suitability and integrity of responsible persons is part principles-based and part risk-based. Guideline E-17 sets out various principles in the establishment of policies and procedures in the conduct of assessments of responsible persons. However, OSFI has also indicated that it will, where warranted, assess an entity’s processes based on risk factors. For example, OSFI will use a risk-based approach when reviewing how companies address situations where assessments of responsible persons reveal an enhanced risk to the company.
Effective January 31, 2009, financial institutions and branches were required to:
- determine which individuals and job categories should be considered responsible persons;
- design a policy for assessing these responsible persons;
- abide by this policy; and
- at regular intervals, assess each responsible person (as well as potential new responsible persons) to determine whether they are suitable or have the correct integrity, and to ensure that unsuitable people do not have positions of responsibility.
Companies and branches will need to be aware of the importance of their assessment policies and their proper implementation. In particular, they should:
- ensure that an appropriate schedule and timeline of assessments is designed, including assessment frequency;
- select appropriate jurisdictions and determine how far back verifications should be conducted, based on the responsible person, the position held and the circumstances;
- assess when attestations from responsible persons (or individuals being considered for a position that would make them a responsible person) will be sufficient and when independent verification will be necessary; and
- determine effective key practices to follow with respect to, for example, disclosing the organization’s assessment policy to responsible persons or potential new responsible persons, or deciding what to do if the assessment of a responsible person or a potential new responsible person reveals concerns with the person’s background.
With respect to the assessment process itself, companies and branches will need to address certain questions, such as the following:
- Who will conduct the assessment? Will the assessment be done internally or outsourced? How will the assessors be selected?
- What information will be sought by the assessors?
- What type or quantity of adverse information is material and sufficient to disqualify a person from a position as a responsible person?
- What additional information (if any) should be sought to follow up on this adverse information? Examples of additional information may include mitigating factors or circumstances that influenced or led to the adverse circumstances and information.
- How will decisions be reached? Will the company appoint a committee or will there be an ultimate decider? Who will assess the assessor(s)?
- How will the process be documented? Proper documentation will be essential to protect the institution where responsible persons, or potential responsible persons, later allege that they were treated unfairly during or after the process and possibly seek damages from the company, its board of directors or the assessors.
- Where a responsible person is not removed, what risk minimization and mitigation techniques will the company use? These could include more frequent assessments, more thorough assessments, the purchase of additional insurance, requiring additional approval for certain transactions and the shifting of certain sensitive responsibilities to a different responsible person.
Finally, the company or branch should address legal concerns in the employment and privacy areas, along with other issues that may arise as a result of assessments being conducted, to ensure that the process and assessment policy protect the company, the board of directors and the assessors as much as possible. These concerns include:
- referring to OSFI or Guideline E-17 in employment policies and contracts and obtaining any requisite consent (either expressly or by implication) from responsible persons;
- ensuring that personal information, including information relating to the results of assessments, of responsible persons or potential responsible persons is kept confidential; and
- ensuring that confidentiality is emphasized in any outsourcing agreement whereby the assessment of responsible persons is undertaken by a third party.