- Type of Publication: Guideline
- Category: Sound Business and Financial Practices
- Date: February 2008
- No: E-17
- Audiences: Banks / BHC / FBB / T&L / Co-op / Life / P&C / IHC
I. Statement of Regulatory Principles
This Guideline builds upon the following:
Regulatory System: The federal prudential regulatory
system is based on a tripartite division of responsibilities involving:
- The Federally Regulated Entity’s (FRE) management and oversight processes;
- The use of independent external reviewers (i.e. the external
auditor, and in the case of insurance companies, the appointed
- Monitoring and supervision by OSFI.
The primary responsibility for ensuring FREs are soundly managed
and directed rests with the board of directors and senior management
of the FRE. Accordingly, the suitability and integrity of senior
management and members of boards of directors pose an important
concern for the FRE and OSFI, as the safety, soundness and reputation
of an FRE can be negatively affected by the actions of these individuals.
Supervisory Approach: While OSFI assesses competence
and experience of proposed directors and senior officers and verifies
criminal records at incorporation, OSFI relies
on the FRE’s own internal processes for assessing the ongoing suitability
and integrity of these individuals post authorization. Where warranted,
OSFI applies a risk-based approach to assessing the FRE’s processes.
II. Application of Guideline
This Guideline outlines a number of principles to assist FREs
in establishing policies and procedures regarding the conduct of
assessments of their Responsible Persons and indicates areas that
OSFI may focus on during supervisory reviews.
The Guideline recognizes that aspects of these assessments that
address the suitability of a person, such as expertise, require
assessment only upon initial appointment whereas regular assessments
would focus on particulars that can change over time – for example,
legal proceedings against an individual or changes in professional
While FREs already have various policies and procedures in place
to regularly assess the suitability and integrity of Responsible
Persons to satisfy their own internal requirements (e.g., hiring
policies or code of conduct) or to satisfy other statutory
or regulatory requirements (e.g., public listing requirements),
this guideline clarifies expectations with regard to fundamental
aspects of such policies and procedures across institutions to
minimize safety and soundness concerns, including prudential and
This Guideline should be considered prudent practices or standards
that can be considered by all FREs in developing their own practices
Individual FREs can adopt different approaches that suit their
circumstances with respect to conducting assessments of their
Responsible Persons having regard to their nature of business,
size, complexity, geographic location(s), risk profile, structure
and ownership. The supervisory process takes this into consideration
in the evaluation of individual FREs.
1. Federally Regulated Entity (FRE)
For the purposes of this Guideline, an FRE is defined as:
- a bank to which the Bank Act applies;
- a body corporate to which the Trust and Loan Companies
- an association to which the Cooperative Credit Associations
Act applies or a central cooperative credit society for which
an order has been made under subsection 473(1) of that Act;
- an insurance company or a fraternal benefit society incorporated,
formed or continued under the Insurance Companies Act,
the order of which is not restricted to the servicing of existing
- a bank holding company incorporated or formed under Part XV
of the Bank Act;
- an insurance holding company incorporated or formed under Part
XVII of the Insurance Companies Act;
- the Canadian branch of a foreign bank in respect of which an
order under subsection 524(1) of the Bank Act has been
- the Canadian branch of a foreign company in respect of which
an order under Section 574 of the Insurance Companies Act
has been made, which order is not restricted to the servicing
of existing policies.
2. Responsible Person
For the purposes of this Guideline, a Responsible Person is defined
- a director;
- senior management, i.e., any person who the FRE determines
plays a significant role in the management of the FRE. This could
include the chief executive officer, chief financial officer and
any other officer who has a functional reporting line directly
to the board of directors or chief executive officer;
- a principal officer, as defined in the Bank Act; and
- a chief agent, as defined in the Insurance Companies Act,
IV. Assessment Policy
OSFI expects every FRE to have a written policy regarding the
performance of assessments of the suitability and integrity of its
Responsible Persons (Assessment Policy).
FREs belonging to the same corporate group may have one umbrella
Assessment Policy for the entire group.
OSFI expects that the senior management of banks,
insurance companies, bank holding companies, insurance holding companies, trust and loan companies, co-operative credit associations and retail associations will approve these entities’ Assessment Policy (and any material amendments thereto). Chief agents and principal officers should approve or be aware of the Assessment Policy (and any material amendments thereto) in the case of branches. This is consistent with OSFI Guidelines
E-4A – Role of Chief Agent and Record Keeping Requirements
and E-4B – Role of the Principal officer and Record Keeping
OSFI expects that this Assessment Policy will consider the following
matters in a way that prudently minimises the risk that persons
who are not suitable or do not possess the required integrity
hold Responsible Person positions:
a) Identification of the Responsible Persons subject to Assessments
All FREs are expected to identify as Responsible Persons individuals who play a significant role in the management of the FRE. OSFI expects that senior management will approve the list of Responsible Persons subject to the assessments.
Where employment contracts are in place that preclude the FRE
from assessing Responsible Persons appointed to their positions
prior to the coming into force of this Guideline, such Responsible
Persons can be exempted from assessments until a notice of change
of contract can be provided, their employment contract is renewed
or their responsibilities change.
Only one assessment is necessary in respect of Responsible Persons
identified as being a Responsible Person in more than one FRE
of the same corporate group. Senior management may choose not to apply
the provisions of this Guideline to individuals in an FRE subsidiary
of a larger FRE in a corporate group where the management of the
FRE subsidiary is directed by Responsible Persons of the larger
FRE in the control chain.
Please refer to OSFI’s Corporate Governance Guideline for OSFI’s expectations of FRE Boards of Directors with regard to operational, business, risk and crisis management policies.
b) Timing of the Assessments
OSFI expects the Assessment Policy would require an assessment
to be conducted before a person is appointed to a Responsible Person
position unless it would be imprudent to delay the appointment.
In such cases, the assessment would occur as soon as practicable
and in any event within a number of days specified in the Assessment
Policy. The initial assessment would address all aspects of the
assessment including aspects that are not subject to change as well
as those that can change over time.
After the initial appointment, updated assessments of each Responsible
Person would be conducted at intervals specified in the Assessment
Policy, which should be no longer than five years. Updated assessments
can focus only on aspects that can change over time. FREs can rely
on attestations from Responsible Persons to conduct update assessments.
However, FREs are expected to independently verify Responsible Persons’
criminal records at least every seven years.
Assessments should be undertaken between intervals if the FRE
acquires knowledge of material adverse information about a Responsible
c) Key Practices
OSFI expects that the Assessment Policy will indicate the key
practices that will be followed by the FRE in implementing the principles
of this Guideline, including the key practices relating to the FRE’s
decision-making process (discussed in greater detail in Part V c)
below). For example, the Assessment Policy could set out when and
how the Assessment Policy will be disclosed to Responsible Persons
and candidates for Responsible Person positions. OSFI also expects
the Assessment Policy to set out practices that will be followed
if the FRE concludes a Responsible Person is not suitable or does
not possess the required integrity, such as when and how the decision
will be escalated through the organization, how and when the Responsible
Person will be notified of adverse information as well as the steps
that will be taken to remove a Responsible Person. FREs should ensure
their practices comply with all applicable legal requirements, including
privacy and employment laws.
V. Assessment Procedures
FREs are expected to have written internal procedures outlining
how the Assessment Policy will be implemented.
Where assessment procedures similar to those described in this
Guideline are already in place within an FRE to satisfy its internal
policies (e.g., hiring or code of conduct) or to satisfy other
regulatory requirements (e.g., public listing requirements), FREs
can refer to the procedures used to meet the other requirements.
Each FRE will implement its own procedures taking into account
its nature, size, complexity and risk profile. FREs that belong
to the same corporate group may appoint one FRE member of the
group to implement the Assessment Procedures in respect of every
FRE in the group.
The Assessment Procedures would consider the following matters:
a) Persons or Groups that will Conduct Assessments
FREs can assign the responsibility for conducting assessments
of each Responsible Person to any person or group within the organization.
OSFI expects the Assessment Policy to be implemented by appropriately
qualified individuals and that procedures exist to allow such individuals
to escalate concerns about findings in respect of a Responsible
Person or the conduct of assessments.
Some branches may not have sufficient staff complement to implement
this Guideline entirely within the branch. Accordingly, it may be
inappropriate to apply the specific provisions of this Guideline
directly to certain branches. Implementation of the Guideline in
certain branches may require the branch to enter into arrangements
with the home office (for example, conducting assessments of the
chief agent or principal officer).
FREs can assign responsibility for various facets of the assessments
to different groups in the FRE. FREs can outsource some of the functions
related to conducting assessments, but OSFI expects that an appropriate
person within the FRE will make the ultimate determination about
whether a Responsible Person possesses the required suitability
and integrity. Any outsourcing should comply with OSFI Guideline
B-10 - Outsourcing of Business Activities, Functions and Processes
and all privacy laws, as applicable.
b) Information that will be Obtained
In their Assessment Procedures, FREs can identify the information
they will obtain to assess the suitability and integrity of their
Responsible Persons, upon initial appointment of the Responsible
Persons to their positions and during subsequent update assessments.
FREs that have procedures in place to comply with other regulatory
requirements relative to suitability and integrity (e.g., requirements
related to listing or securities regulations such as Ontario Securities
Commission Rule 41-501 and/or National Instrument 44-101, National
Policy 58-201, National Instrument 51-102 and National Instrument
52-110), can reference the procedures in place to meet these other
requirements. FREs that have procedures in place to meet
these requirements will be viewed as meeting the requirements
of this section of the Guideline.
When a Responsible Person is first appointed to his or her position,
FREs would obtain sufficient information to allow them to conclude
that the Responsible Person possesses the suitability and integrity
to perform properly the duties of the Responsible Person position.
Such information could include:
- Criminal records;
- Records of securities-related sanctions or disciplinary actions
by a professional regulatory body;
- Evidence that the Responsible Person possesses the required
education, skills, professional qualifications and experience;
- Attestation that the Responsible Person has not been held liable
in a civil proceeding in connection with financial or business
misconduct, fraud or mismanagement of an entity; and
- Attestation that the Responsible Person has no conflicts of
interests that could create a material risk that he or she will
be unable to discharge the duties of the Responsible Person with
integrity and in the best interests of the FRE.
When conducting assessments at initial appointment, FREs are expected
to verify information using searches of databases and information
made available by third parties when such independent sources are
available. Each FRE should determine in which jurisdictions and
how far back verifications should be conducted, based on the Responsible
Person’s history and circumstances. While attestations from Responsible
Persons about certain aspects of the assessments, such as civil
proceedings, are sufficient to meet the expectations of the Guideline,
OSFI encourages FREs to conduct their own independent verifications,
if they have grounds to believe that an attestation is insufficient
Subsequent to the initial appointment, the frequency at which
verifications are updated would reflect the specific circumstances
of each FRE and of each Responsible Person. Updates of assessments
can focus only on particulars that can change over time, such as:
- Criminal convictions, regulatory or civil proceedings against
the Responsible Person;
- Changes in status in professional organizations; and
- New or changes in conflicts of interest.
In update assessments, FREs can rely on an attestation of the
facts from Responsible Persons for all aspects of the assessment.
In addition, FREs are expected to independently verify a Responsible
Person’s criminal record at intervals specified in the Assessment
c) Decision-making Process
FREs should document the decision-making process they will follow
when an adverse finding is made with respect to a Responsible Person.
For example, each FRE can set its own threshold about the type of
adverse information it would consider material and the type of information
it would gather to follow up on the adverse information, including
mitigating factors or circumstances. The decision-making process
can be tailored to the unique circumstances of each individual FRE.
An adverse finding would not necessarily render a person unsuitable
to hold a Responsible Person position. Each finding should be considered
in relation to all surrounding circumstances (e.g. seriousness of
the incident or time elapsed since incident). OSFI expects FREs
to use judgement and to weigh the findings on each factor, including
the materiality of the adverse information and the relevance of
the factor to the Responsible Person’s duties.
A Responsible Person may be found unsuitable for a particular
Responsible Person position because of a lack of qualifications
for that position or because of a conflict of interest related to
the duties of that position. In that case, the Responsible Person
may still be suitable for another Responsible Person position. The
FRE may also redefine the duties associated with a Responsible Person
position. Each FRE must determine whether a negative finding about
a Responsible Person permanently disqualifies that person (for example,
absent legislative or other requirements to the contrary, whether
a Responsible Person who has been suspended by a professional association
can remain in the position after serving the suspension). However,
where a Responsible Person is found to lack integrity because of
negative findings related to the Responsible Person’s character
or honesty (for example, conviction for offences relating to money
laundering or fraud), that Responsible Person will normally not
be suitable for any Responsible Person position.
OSFI expects that persons who do not possess the required suitability
and integrity for a particular Responsible Person position will
not be appointed to that position. OSFI and FREs may disagree about
whether a Responsible Person is suitable or possesses the required
integrity. OSFI will work with the FRE to address areas of concern.
However, if OSFI determines that an FRE has taken insufficient action
to resolve a situation OSFI deems to be of material risk, it has
legislative authority to take remedial action.
VI. Role of Senior Management
It is expected that senior management will:
- approve the Assessment Policy and significant amendments thereto;
- where it is inappropriate for another person in the FRE to
make the determination, determine whether a Responsible Person
is suitable or possesses sufficient integrity and, if not, ensure
such persons do not hold Responsible Person positions. If the
Responsible Person is not removed, ensure adequate measures are
taken to manage the risk arising from misconduct or mismanagement,
such as redefining the responsibilities of the position or removing
a conflict that applies to the duties of that position; and
- elevate concerns to the Board regarding the suitability and integrity of a Responsible Person or regarding the manner in which the Assessment Policy is implemented.
Consistent with OSFI’s Corporate Governance Guideline,
OSFI recognizes that branches do not have Boards of directors and
accordingly it would be inappropriate to apply the requirements
of this Guideline directly to branch operations. OSFI looks to the
principal officer or chief agent of a branch to oversee the management
of the branch, including matters of corporate governance. As noted
in Part V a) of this Guideline, implementation of this Guideline
may require branches to enter into arrangements with the home office.
In respect of the obligations in this guideline, FREs belonging to the same corporate group may appoint senior management of one FRE in the group to discharge the obligations of the senior management of all FREs in the group.
VII. Providing Information to OSFI
FREs are not required to provide their Assessment Policy or Assessment
Procedures to OSFI on a regular basis. However, OSFI expects that
the Assessment Policies, Assessment Procedures and information about
assessments conducted in respect of each Responsible Person will
be retained by the FRE for a reasonable length of time specified
in the Assessment Policy and that such information will be readily
available for examination by OSFI upon request. As part of its regular
supervisory practices, OSFI may periodically, where warranted, verify
the assessments conducted by the FRE in accordance with its risk-based
OSFI looks not only for evidence that FREs have appropriate
policies and processes in place but also for indicators that these
policies and processes are understood, are being followed and
that, as a result, they are effective.