Compliance

ASSESSMENT CRITERIA (Footnote 1)

ROLE OF COMPLIANCE

The Compliance function provides independent oversight of the management of the institution’s compliance with laws, regulations, and guidelines relevant to the activities of the institution in the jurisdictions in which it operates.

QUALITY OF COMPLIANCE OVERSIGHT

The following statements describe the rating categories for the assessment of the Compliance function’s oversight of the institution’s compliance with applicable laws, regulations and guidelines.

The overall rating of the Compliance function considers both the appropriateness of its characteristics and the effectiveness of its performance in executing its mandate in the context of the nature, scope, complexity, and risk profile of the institution. Characteristics and examples of performance indicators that guide supervisory judgement in determining an overall rating are set out below.

Strong

The characteristics of the Compliance function meet or exceed what is considered necessary, given the nature, scope, complexity, and risk profile of the institution. Compliance has consistently demonstrated highly effective performance. Compliance characteristics and performance are superior to supervisory expectations.

Acceptable

The characteristics of the Compliance function meet what is considered necessary, given the nature, scope, complexity, and risk profile of the institution. Compliance performance has been effective. Compliance characteristics and performance meet supervisory expectations.

Needs Improvement

The characteristics of the Compliance function generally meet what is considered necessary, given the nature, scope, complexity, and risk profile of the institution, but there are some significant areas that require improvement and may affect effectiveness in the future or under adverse conditions. Compliance performance has generally been effective, but there are some significant areas where effectiveness needs to be improved. The areas needing improvement are not serious enough to cause prudential concerns if addressed in a timely manner. Compliance characteristics and/or performance do not consistently meet supervisory expectations.

Weak

The characteristics of the Compliance function are not, in a material way, what is considered necessary, given the nature, scope, complexity, and risk profile of the institution and may affect effectiveness in the future or under adverse conditions. Compliance performance has demonstrated serious instances where effectiveness needs to be improved through immediate action. Compliance characteristics and/or performance often do not meet supervisory expectations.

COMPLIANCE CHARACTERISTICS (Footnote 2)

The following criteria describe the characteristics OSFI uses when assessing the quality of the Compliance function’s oversight of the management of the institution’s compliance with applicable laws, regulations and guidelines. The application and weighting of the individual criteria will depend on the nature, scope, complexity and risk profile of the institution and will be assessed collectively, together with the Compliance function’s performance, in rating its overall effectiveness.

Essential Elements Criteria

1. Mandate

1.1. Extent to which the function’s mandate establishes:

  1. Clear objectives and enterprise-wide authority for its activities;

  2. Authority to oversee effectiveness and consistency of operating units’ compliance practices;

  3. Authority to carry out its responsibilities independently;

  4. Right of access to the institution’s records, information and personnel;

  5. A requirement to opine on the adequacy and effectiveness of the compliance processes and status of compliance; and

  6. Authority to follow up on actions taken by management in response to identified issues and related recommendations.

1.2. Extent to which the mandate is communicated within the institution.

2. Organization Structure

2.1. Appropriateness of the stature and authority of the function head within the organization for the function to be effective in fulfilling its mandate.

2.2. Extent to which the function head has direct access to the CEO, Senior Management and the Board (or a Board Committee).

2.3. Appropriateness of the function’s organizational structure and authority of the function head within the organization to enable the function to be effective in fulfilling its mandate.

2.4. Extent to which the function is independent of the institution’s business activities and day-to-day compliance processes and is not involved in revenue-generating activities or financial performance of a line of business or product line.

3. Resources

3.1. Adequacy of the function’s processes to determine the required:

  1. Level of resources necessary to carry out responsibilities and in response to changes in the institution’s business activities and strategies, as well as its operating environment;

  2. Qualifications and competencies of staff; and

  3. Continuing professional development programs to enhance staff competencies.

3.2 Adequacy of the function’s resources and appropriateness of its collective qualifications and competencies for executing its mandate.

3.3 Sufficiency of staff development programs.

4. Policies, Practices and Methodology

4.1 Adequacy of policies and practices to ensure that the function’s approach and practices align with industry and regulatory compliance practices and are appropriate for executing its mandate.

4.2 Adequacy of policies and practices to keep abreast of new and changing legislation and changes in the institution’s risk profile.

4.3 Adequacy of policies and practices to promptly develop or amend the institution’s compliance policies as legislation is introduced or amended or as new or changing business activities impose different legislative requirements on the institution.

4.4 Adequacy of policies and practices to document new or amended compliance policies and communicate them across the institution on a timely basis.

4.5 Adequacy of policies and practices to assist management in identifying, addressing and integrating significant legislative or regulatory requirements into their business activities through appropriate procedural controls.

4.6 Adequacy of policies and practices to monitor adherence to applicable laws, regulations and guidelines across the institution in order to ensure that significant issues are identified and brought to Senior Management’s attention for timely resolution, as well as to support Senior Management’s opinion on the status of compliance.

5. Reporting

5.1. Adequacy of policies and practices to report significant compliance findings and recommendations to management so that timely corrective action is taken.

5.2. Adequacy of policies and practices to monitor and follow up on the effective implementation of management actions in response to compliance findings and recommendations.

6. Internal Audit Oversight

6.1 Extent to which the Internal Audit program includes reviews of the Compliance function and its key controls, Internal Audit has the appropriate resources to carry out those reviews, and the scope and frequency of its reviews are sufficient to assess the effectiveness of the Compliance function.

6.2 Adequacy of Internal Audit’s communication of its recommendations and follow-up with respect to the Compliance function.

7. Senior Management Oversight

7.1 Adequacy of policies and practices for Senior Management to support the Board (or Board Committee) on the:

  1. Appointment and/or removal, performance review, compensation and succession plan of the function head;

  2. Function’s mandate, budget and resources (staffing and skill sets); and

  3. Function’s annual work plan including any material changes to that plan.

7.2 Adequacy of policies and practices to assess the effectiveness of the function, including communicating results to Senior Management and, as appropriate, the Board (or a Board committee).

7.3 Adequacy of policies and practices to report periodically to Senior Management on issues and recommendations with escalation to the Board, as appropriate.

7.4 Adequacy of the processes related to talent development and succession planning for function key roles.

8. Board (and Board Committee) Oversight

8.1 Adequacy of policies and practices for the Board (or Board Committee) to approve:

  1. The appointment, performance review, compensation and succession plan of the head of the oversight function;

  2. The function’s mandate, budget and resources (staffing and skill sets); and

  3. The function’s annual work plan including any material changes to that plan.

8.2 Extent to which the Board (or Board Committee) receives periodic reporting on trends or pervasive risk impacting the organization.

8.3 Extent to which the Board (or Board Committee) demonstrates an ability to act independently of Senior Management through practices such as regularly scheduled Board (or Board Committee) meetings that include sessions without Senior Management present.

9. Relationship with Other Oversight Functions

9.1 Adequacy of the formal integration of the Compliance function’s role and defined responsibility with other oversight functions as appropriate.

COMPLIANCE PERFORMANCE

The quality of the Compliance function’s performance is demonstrated by its effectiveness in overseeing management of the institution’s compliance with applicable laws, regulations and guidelines.

The assessment will consider the effectiveness with which the Compliance function actively promotes compliance with applicable laws, regulations and guidelines throughout the institution, ensuring that breaches are identified and resolved on a timely basis. OSFI will look to indicators of effective performance to guide its judgement in the course of its supervisory activities. These activities may include:

  1. discussions with directors and management, including the Chief Compliance Officer;

  2. review of practices to detect and dispose of breaches of compliance;

  3. review of reports of independent assessments of the function, the institution’s regulatory correspondence file, etc.

Examples of indicators that OSFI may use to guide its supervisory judgement include the extent to which Compliance:

  1. Develops, documents and actively communicates new and amended compliance policies or requirements to all impacted areas of the institution;

  2. Proactively assists management in identifying, addressing and integrating significant legislative or regulatory compliance requirements into its business activities;

  3. Actively monitors adherence to applicable laws, regulations and guidelines across the institution;

  4. Escalates significant breaches of compliance requirements to Senior Management and, as appropriate, the Board;

  5. Proactively follows up to ensure that significant issues are addressed on a timely basis; and

  6. Periodically reviews compliance practices for continuing effectiveness.

Footnotes

Footnote 1

The Assessment Criteria should be read in conjunction with OSFI’s Supervisory Framework.

Footnote 2

Examples of documentation that OSFI may review in formulating its assessment of the characteristics of the Compliance function include: mandate, policies, processes, standards of practice and planning; personnel’s curricula vitae; training programs; assessment reports; management committee minutes and related presentations; Board presentations; and Compliance self-assessment reporting.