Office of the Superintendent of Financial Institutions
Guideline E-13 sets out OSFI’s expectations for FRFIs with respect to the management of regulatory compliance risk inherent in FRFIs’ business activities enterprise-wide. A wide variety of laws and regulations apply to FRFIs in Canada, and for some, outside Canada. OSFI believes that adequate controls over the identification and mitigation of regulatory risk are key to a robust internal control framework.
The revised Guideline replaces the 2003 Guideline E-13 - Legislative Compliance Management to better align it with more recently updated OSFI Guidelines (Footnote 1) and complement OSFI’s Supervisory Framework and Assessment Criteria. The revised Guideline does not create new regulatory requirements. Rather, it communicates OSFI’s key expectations in respect of the need for FRFIs to establish and maintain an enterprise-wide framework of regulatory risk management controls. In developing the revised Guideline, OSFI has taken into account the fact that FRFIs vary in size, scope and complexity. As such, the principles-based nature of the Guideline recognizes that FRFIs will have different RCM practices.
The revised Guideline incorporates several revisions resulting from comments received during the public consultation process, which began in April 2014. The attached table summarizes comments received from industry stakeholders and provides an explanation of how these comments were dealt with. We thank all those who participated in the consultation process.
Implementation of the Guideline by FRFIs is expected by May 1st, 2015.
OSFI Response and Disposition
Such a statement is included in the cover letter.
Outside scope of E-13 therefore not addressed in E-13 – Comments received were dealt with separately.
The wording was added.
Definitions (ii) Regulatory Compliance Risk – P. 3
The definition of regulatory compliance risk was revised to indicate that, for the purposes of Guideline E-13, it does not include risk arising from non-conformance with ethical standards.
The definition of “regulatory directives” was removed.
Definitions (iii) RCM Framework – P. 3
No comments provided.
The definition of RCM Framework was moved to the Definitions section as (iii) for consistency.
To emphasize the risk-based approach, the sentence was changed to read “The RCM framework should enable a FRFI to apply a risk-based approach for identifying, risk-assessing, communicating, managing and mitigating regulatory compliance risk.”
The word “all” was removed. Refer also to the above response.
The comment was captured in the risk-based approach that was emphasized throughout the Guideline – refer to text boxes pages 1 and 4 and comment above.
The risk-based approach, which includes the assessment of risk and identification of material risk, was emphasized throughout the Guideline – refer to text boxes pages 1 and 4 and comment above.
“Material” is to be defined by each FRFI in consultation with the Board – refer to footnote 16.
The phrase “at least annually” was added after the word “regularly” for more flexibility. OSFI expects the RCM framework to assess whether new products, business lines, and other changes in business plans carry material regulatory risk; accordingly we do not necessarily agree that the RCM framework may not change much during the year.
This section was re-ordered to include all key controls, including oversight functions, as the basic elements of the RCM framework, and to place more prominence on the role of the CCO by moving it to the beginning of the section.
(i) Role of the CCO – p. 5
In the fourth paragraph, the standard articulated is not achievable and conflicts with the concept of the risk-based approach – suggest it be reworded as follows: “The CCO should be responsible for assessing the adequacy and effectiveness of the FRFI’s RCM framework, and for providing an opinion to the Board or a Board Committee whether, based on monitoring and testing performed by the Compliance oversight functions or other oversight functions, the FRFI is in compliance in all material respects with applicable regulatory requirements.”
The fourth paragraph seems to require active day-to-day management by the CCO, rather than supervision and oversight, which conflicts with the requirement for the CCO to remain independent from the day-to-day management of the RCM.
The term “for functional purposes” should be clarified as to whether this means administratively or whether it means direct information reporting and discussion.
The paragraph was moved to the beginning of the section and the wording was changed to read, “The CCO should be responsible for assessing the adequacy of, adherence to and effectiveness of the FRFI’s day-to-day controls, and for providing an opinion to the Board whether, based on the independent monitoring and testing conducted, the RCM controls are sufficiently robust to achieve compliance with the applicable regulatory requirements enterprise-wide.” OSFI considers that “compliance in all material respects” may not adequately address what OSFI means in a particular situation by “compliance”.
This paragraph was re-ordered and clarified accordingly. Refer to page 3 (RCM Framework Overview) and page 5 (Role of the CCO). Refer also to footnotes 6 and 11.
The term “for functional purposes” is in the Corporate Governance Guideline in the text box on page 7.
The risk-based approach was clarified by various changes on pages 3 and 5. Refer also to the text boxes on pages 1 and 4.
(ii) Procedures for Identifying, Risk Assessing, Communicating, Managing and Mitigating Regulatory Compliance Risk and Maintaining Knowledge of Applicable Regulatory Requirements – P. 5
The word “reasonable” was added to “procedures” and a definition of what is intended here was provided in footnote 9 for clarification.
(iii) Day-to-Day Compliance Procedures – P. 6
The risk-based approach was emphasized throughout the Guideline – Refer to text boxes on pages 1 and 4 and comments above.
The phrase, “using a risk-based approach” was added.
The original language “monitoring and testing” was left in but footnote 13 was added to clarify that independent testing in the second LOD is not intended to duplicate the work of Internal Audit or replace an Internal Audit standard. It was decided not to add the words “or other appropriate control” as this was somewhat vague and potentially confusing.
Refer to the three lines of defence model specifically as “the three lines of defense model” throughout the Guideline to provide more clarity and allow clear alignment with the RCM framework frequently used by FRFIs.
Ensure that OSFI has not mandated duplication of controls.
The first LOD should be able to implement compliance controls as appropriate in the circumstances, rather than a new requirement for ‘testing’.
Reference to the three lines of defence was added in footnotes 10, 12 and 14.
Footnote 13 was added to clarify that independent testing in the second LOD is not intended to duplicate the work of Internal Audit or replace an Internal Audit standard.
Language was added to clarify that the day-to-day compliance procedures should include monitoring and testing components using a risk-based approach. Further, the risk-based approach was emphasized throughout the Guideline – refer to text boxes on pages 1 and 4 and comments above.
(iv) Independent Monitoring and Testing Procedures – P. 6
The risk-based approach was emphasized throughout the Guideline – refer to text boxes on pages 1 and 4 and comments above.
The issue of potential duplication was addressed in footnote 13.
The phrase “monitored and tested” was changed to “overseen by the CCO, using a risk-based approach.” The next sentence was revised to address this and clarify as follows: “Where appropriate in the circumstances of the FRFI, independent monitoring and testing, wherever it is conducted within the FRFI, should be sufficiently consistent enterprise-wide to enable the aggregation of information to identify any patterns, themes or trending in compliance controls that may indicate weaknesses.”
Acknowledged. Not OSFI’s intention. Refer to footnote 13.
Acknowledged. Not OSFI’s intention. The phrase “rotational or other regular basis” is used in a sentence describing validation work, which is in a section titled “(iv) Independent Monitoring and Testing Procedures”. Reporting is addressed in a separate section titled “Internal Reporting”.
Clarifications of the risk-based approach emphasized throughout Guideline are intended to provide more guidance.
The risk-based approach was emphasized throughout the Guideline – refer to the text boxes on pages 1 and 4 and comments above. “Material” is to be defined by each FRFI in consultation with the Board – refer to footnote 16.
The phrase “in the circumstances of the FRFI” was added after the phrase “where appropriate”.
The dictionary definition of “ongoing” includes “continuing”. The risk-based approach was emphasized throughout the Guideline. As such, being more specific was considered to be overly prescriptive.
For consistency purposes, the wording was changed to “adequacy of, adherence to and effectiveness of” throughout where these words appeared. The risk-based approach was emphasized throughout Guideline. As such, being more specific regarding effectiveness was considered to be overly prescriptive.
(v) Internal Reporting – P. 7
(a) Reporting Procedures – P. 7
The sentence was changed to add “as determined by Senior Management within the FRFI.”
(b) Compliance Reports to Senior Management and the Board – P. 7
A sentence was added to say that “The opinion should be supported by sufficient pertinent information that can be reasonably verified.” Refer to footnote 6, which also addresses the comment.
It can be. However, OSFI does not prescribe any particular approach to verification.
The wording was changed to what is intended for the CCO opinion and what it should provide.
The risk-based approach was emphasized throughout the Guideline – refer to the text boxes on pages 1 and 4 and comments above.
(c) Internal Audit or Other Independent Review Function Reports to Senior Management and the Board – P. 8
The reference to “recommendations” was deleted.
(vi) Role of Internal Audit or Other Independent Review Function – P. 8
Language was added to clarify that the scope of work should consider “the reliability of the RCM framework, which includes management’s identification of material regulatory compliance risks and their corresponding controls…”.
This function is referenced in the Corporate Governance Guideline.
Language was added to indicate that the scope of work should consider “the reliability of the RCM framework, which includes management’s identification of material regulatory compliance risks and their corresponding controls…”.
The wording was clarified to read “an assessment of the effectiveness of the compliance oversight”.
The words were changed to provide for “periodic review by Internal Audit or other independent review function.” In addition, the risk-based approach was emphasized throughout the Guideline – refer to text boxes on pages 1 and 4.
(viii) Role of Senior Management – P. 9
This was considered to be addressed by the risk-based approach as emphasized throughout the Guideline.
This was considered to be addressed in footnotes 4 and 18.
Reference should be made to the Corporate Governance Guideline for a definition of “Senior Management”.
(ix) Role of the Board – P. 10
Removed reference to the Board’s responsibility to approve the mandate, resources and budget of the CCO as it is referenced in the Corporate Governance Guideline.
The wording in E-13 is consistent with the Corporate Governance Guideline.
The sentence was shortened to read “Supervision is carried out within a framework that is principles-based and focused on material risks.”
Footnote 1: For example, OSFI’s Corporate Governance Guideline published January 2013.