Internal Audit Report on Regulation Sector - Approvals and Precedents Group

1. Background

Introduction

Internal Audit conducts assurance work to determine whether the Office of the Superintendent of Financial Institutions Canada’s (OSFI’s) risk management, control, and governance processes, as designed and represented by management, are adequate and functioning in a manner to ensure risks are appropriately identified and managed, and to ensure compliance with such requirements as policies, plans, procedures and applicable laws and regulations.

An audit of the Approvals and Precedents Group (APG) was recommended by OSFI’s Audit Committee and approved by the Superintendent for inclusion in the OSFI 2016-2017 Internal Audit Plan.

APG management has reviewed this report and provided their response along with action plans. The report will be presented at the OSFI Audit Committee’s February 15, 2017 meeting for review and approval by the Superintendent.

Context

The Bank Act, Trust and Loan Companies Act, Cooperative Credit Associations Act and Insurance Companies Act require federally regulated financial institutions (FRFIs) to seek regulatory approval for specific transaction types.

Within OSFI, responsibility for processing these applications falls under the purview of the Approvals and Precedents Group (APG), which is part of the Legislation and Approvals Division (LAD) of the Regulation Sector.

APG’s mandate involves evaluating and processing applications for regulatory consent; establishing positions on the interpretation and application of the federal financial institutions’ legislation, regulations and guidance; identifying precedential transactions that may raise policy or precedent-setting issues; and developing recommendations that recognize the need to allow institutions to compete effectively and take reasonable risk.

The Approvals and Precedents Group is organized such that the Deposit Taking Institutions (DTI) Approvals team and the Insurance Approvals team deal primarily with the processing of applications requiring regulatory approval as prescribed by federal financial institution statutes. The Precedents team deals with interpretations of the statutes, guidelines and regulations, and the issuance of guidance, including advisories, rulings and instruction guides, to support the approvals process.

The Case Management System (CMS), a custom designed software system implemented in 2001, is the main system used to support APG’s processes and workflows as well as to manage information related to applications received from organizations. CMS allows APG’s staff to manage every aspect of the approvals process and workflows in reaching a decision on an application seeking regulatory consent.

APG has established and published guidance on OSFI’s external website, including service standards for processing applications, to ensure transparency and effectiveness in the regulatory approvals process.

2. About the Engagement

Engagement Objective

The objective of the engagement was to assess the effectiveness of the Approvals and Precedents Group (APG) regulatory approval processes, procedures and practices followed in evaluating and approving applications seeking regulatory approval.

Engagement Scope

The scope of this engagement focused on:

• APG’s regulatory approvals framework, including core processes, formal guidance, procedures and system tools;
• APG’s oversight activities and controls built around the core processes to ensure the regulatory approval activity is appropriately monitored, transparent, timely, and effective;
• Applications processed during the period of January 2014 to December 2015; and
• Precedents’ scope of activities directly related to the regulatory approvals process. Accordingly, IA selectively examined key documentation prepared by Precedents, as required.

Engagement Approach

The approach to conducting the engagement included:

• A review of APG’s core processes, procedures and practices in place;
• A review of the Case Management System (CMS) guide and application of its rules;
• Walkthroughs and discussions with APG’s staff to understand their regulatory mandate, processes, procedures, system tools and practices in place;
• Discussions with other key contributors to APG’s regulatory approval process, i.e., Supervision sector; and
• A review of a sample of application cases, including examination of selected documentation, as required.

Statement of Conformance

The audit was conducted in conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board Secretariat (TBS) Policy on Internal Audit and the Internal Auditing Standards of the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.

3. Observation Ratings

Observation Ratings

Observations are ranked in order to assist management in allocating resources to address identified weaknesses and/or improve internal controls and/or operating efficiencies. These ratings are for guidance purposes only. Management must evaluate ratings in light of their own experience and risk appetite.

Observations are ranked according to the following:

High priority - should be given immediate attention due to the existence of either a significant control weakness (i.e. control does not exist or is not adequately designed or operating effectively) or a significant operational improvement opportunity.

Medium priority – a control weakness or operational improvement that should be addressed in the near term.

Low priority - non-critical observation that could be addressed to either strengthen internal control or enhance efficiency, normally with minimal cost and effort.

Individual ratings should not be considered in isolation and their effect on other objectives and areas should also be considered.

4. Results of the Engagement

Executive Summary

Application of APG’s framework is complex and requires the application of sound judgement by APG’s staff in evaluating and processing applications for regulatory approval, within OSFI’s service standards, as developed and established in 2005. Overall, APG’s staff demonstrated a solid understanding of the framework and the requirements they need to follow. Enhancing APG’s current practices and controls around information security, however, should be a priority.

As part of promoting and sharing their knowledge across OSFI, APG has delivered several training sessions, which have been successful and well received. These sessions help OSFI staff understand APG’s role, scope of work and how APG can assist and/or support other OSFI groups as the subject matter experts on legislation, regulations, and its interpretation. These APG initiatives are viewed positively and should be supported as they may lead to enhanced working relationships with other OSFI groups, especially in areas where APG can play both a ‘rule-making’ and a ‘support’ group role.

Joint accountability exists within the approval process. While APG is responsible for leading and/or driving the process, APG will not generally recommend approval until Supervision management has confirmed their support for the transaction, as the process and outcome can impact the work and resources of OSFI supervisory teams. This impact is most notable for new entry cases. Due to the importance of this process, APG is developing additional internal guidance, tools and reporting to facilitate decision-making by OSFI stakeholders involved in the DTI new entry process. In view of the significant changes being developed, and given that this area was not the focus of this audit, Internal Audit recommends a future review of this process to assess whether the proposed changes will achieve enhanced transparency and clarity between APG and other OSFI stakeholders.

Given the importance of APG’s role in supporting OSFI’s mandate, APG should consider developing further links between departmental accountability, planning, and performance measurement activities. These efforts should include developing a formal process with clearly established responsibilities for the periodic review and update of OSFI’s service standards and associated internal targets to ensure their continued relevance.

5. Management Response

Response

APG would like to thank the audit team for its work and the professional manner in which it conducted its audit.

APG is committed to high standards of performance and is continually looking for ways to improve how it delivers on its responsibilities.

APG agrees with the observations and recommendations contained in this audit report (the Report). Included in the management responses of the Report are specific actions that APG will take to address each of the four themes of observations. It should be noted that actions related to the high priority recommendation are being implemented immediately.

6. Observations and Recommendations

1. Information Security

High Priority Observation

OSFI’s employees are often required to communicate sensitive information to external organizations via email. This information must be sent in a secure manner through the use of OSFI’s encrypted email channels so that only those authorized can read it. When a security protocol called Transport Layer Security (TLS) is in place at the target email domain(s), emails sent between OSFI’s employees and external email recipients are automatically encrypted. OSFI has a list of TLS enabled domains that have been configured to allow TLS communications, and is continually adding to that list. When the TLS option is not available at an organization, OSFI’s employees are required to find alternative methods of communication, such as using an OSFI secure USB drive. This secure practice is aligned with OSFI’s directive as well as with the Government of Canada’s policies on information security.

The audit revealed that APG predominantly communicated with external organizations using email throughout the approval process; however, during the audit period, there was minimal evidence to show that APG staff considered and/or used alternative secured communication methods, as per OSFI’s information security requirements.

Recommendations

Enhancing APG’s current practices and controls around information security should be considered a priority and will require:

• Staff be provided training on OSFI’s information security policy requirements; and
• Direction and commitment from OSFI’s Executive to ensure a solution that meets APG’s business needs with adequate controls built-in is developed and implemented with the support of other OSFI’s groups such as Information Management /Information Technology (IM/IT).

Management Action Plan

APG agrees with the above observations and recommendations on information security.

APG took immediate steps to strengthen information security in May 2016, by establishing the TLS security protocol with as many Applicants as possible. As the need for enhanced practices emerged during the course of the Audit, APG instigated additional actions for Applicants that are not TLS compliant. APG management can confirm that its communication practices are now in line with OSFI’s information security protocol.

APG management has discussed the option of alternative technologies that place less reliance on staff intervention with IM/IT. IM/IT advises that there are no immediate plans to explore alternative IT solutions to TLS given other more immediate and strategic priorities in the area of data security. APG supports this assessment of priorities and resource allocation.

There are a number of projects underway that will improve OSFI’s data management and security practices and APG will communicate its business process requirements as part of these initiatives. However, we also acknowledge that no technical solution will eliminate reliance on staff to manage and protect confidential data and therefore will place increased focus on ongoing training and awareness.

2. APG’s Planning, Monitoring and Reporting

Medium Priority Observation

APG’s core work focuses on evaluating and processing applications for regulatory consent, as well as producing guidance related to regulatory approvals and rulings and advisories concerning legislative and policy precedents and interpretations. The key driver of APG’s workload is the volume and complexity of applications submitted to OSFI for approval, where volume is generally stable year over year. OSFI has published service standards for the various types of regulatory approvals, with a few exceptions.

The audit revealed that APG’s approval work (its core responsibility) varies in complexity and workloads are driven by industry demand. These factors require APG to be ‘reactive’ and promotes informal approaches to APG’s planning activities, although it may be possible to leverage historical trends and environmental changes to anticipate peak periods in demand. In addition, processes to identify and assess risks to business objectives occur through numerous forums, but also on an informal basis.

The audit revealed a more structured approach to the monitoring and reporting of service standards was followed. APG’s service standards are currently based on the time from when an application is “receipted” until it is approved. The decision to “receipt” a case is based on the judgement of the case officer, in consultation with the manager. Applications are not ‘receipted’ until materially all documentation has been submitted by the external organizations, which is generally after the initial application has been ‘received’. As a result, this measurement approach does not reflect the total “end-to-end” processing time of an application. Although this approach was introduced to recognize that APG may not be able to control the completeness of the initial application, or the speed with which missing information is provided by the external organizations, it may lead to performance inefficiencies and/or delays in the approval process being concealed.

Case data is automatically generated by the Case Management System (CMS) and the process for validating data quality and accuracyrelies on manual work-around procedures. There is opportunity for error since procedures in place to calculate and measure actual performance against service standards may lead to inaccuracies in reporting to key stakeholders.

The audit also revealed that there is no formal process to periodically review and update the service standards for relevance and alignment with APG’s and OSFI’s business environment. OSFI’s service standards as well as the process to handle service complaints have not been reviewed since 2005, when they were first developed.

Recommendations

More alignment between APG’s accountabilities and planning activities, including the approach to measuring service standards, could improve APG’s ability to identify key areas for improvement and resource planning and allocation.

APG’s planning, monitoring, and reporting processes could be enhanced by:

• Strengthening links between APG’s accountabilities, planning and performance measurement activities, in the context of APG’s current business environment; and
• the implementation of a formal process with clearly established responsibilities for the periodic review and update of service standards and associated internal targets to ensure their continuing relevance and alignment with APG’s work activities.

In addition, APG may benefit from conducting a capacity assessment to ensure it has adequate resources to meet its mandate and business objectives.

Management Action Plan

APG agrees with the above observations and recommendations on the potential for enhancing its planning, monitoring and reporting processes.

As noted in the report, APG management's ability to plan its core work is constrained by uncertainty with regards to the volume and resource implications of future applications. This is because the number and type of applications under review by APG, as well as the number of requests for legislative interpretation, are largely driven by industry.

With regards to APG’s non-core work, APG management recognizes that an assessment of trends could be useful in a planning context. As such, in Q1 2017-18 APG management will assess historical application information (such as timing and volumes of certain types of approvals) with a view of identifying trends. During the fiscal year 2017-18, APG will consider more structured approaches to planning its non-core work (that incorporate these application trends, statistics on processing times, and other indicators such as priorities for the review and issuance of external guidance referred to under the next section), with a view to applying these new approaches in 2018-19. This information could also assist in identifying severe but plausible scenarios from a capacity perspective (e.g. multiple simultaneous resource intensive transactions) that might warrant resourcing contingency plans for core work.

APG management also commits to developing by end of Q2 2017-2018 a formal protocol for the periodic review of its service standards and associated internal targets. Finally, APG management will develop by end of Q4 2017-18, technical requirements to further automate the creation of its performance reports.

3. APG’s External Guidance

Medium Priority Observation

A formal framework, containing defined internal and external guidance, procedures, and templates/tools to address legislative approval requirements should be established and available to internal and/or external stakeholders. There should be a process in place to review and update the framework periodically for continued relevance. Roles and responsibilities to issue, maintain, and approve the regulatory framework and related guidance need to be clearly defined and established.

The Precedents team is primarily responsible for issuing, reviewing and approving externally published information.

Current Precedents’ review processes for developing and/or reviewing guides, advisories, rulings, transaction instructions and user fees were informal. During the audit time frame, several initiatives were delayed and/or not scheduled for a review due to potential limited capacity. Scheduling of reviews, prioritizing, and oversight activities around monitoring progress on such initiatives against plan appeared to have been done with minimal structure.

Recommendations

Enhancing APG’s current practices and controls around the issuance and/or review of external guidance will require APG to:

• Review its framework of external guidance to assess whether it aligns with its current and anticipated needs, as appropriate;
• Develop a formal process to plan and prioritize the issuance and/or the review of external guidance to ensure it continues to be relevant and reflect changes in the approvals environment; and
• Establish ownership and responsibilities for maintaining / updating guidance and accountabilities for their approval.

Management Action Plan

APG agrees with the above observations and recommendations on practices for the issuance and review of external guidance.

In particular, APG management recognizes that this process should be documented in greater detail. To this end, the Managing Director will oversee the development of a framework in Q4 2016-17 for prioritizing, planning and carrying out the issuance and review of external guidance by the Precedents team. This framework will be integrated into APG’s planning process starting with the 2017-18 fiscal year.

4. APG’s Quality Control and Training

Medium Priority Observation

Quality Control (QC) is a key component of a business process and active oversight is required at each key step to ensure work is carried out in an effective and efficient manner. Reviewing case work is a key responsibility of management and should be performed at each step in the approvals process to:

• ensure the consistent application of operational requirements and procedures;
• mitigate regulatory risk; and
• develop staff.

To achieve its mandate, APG requires resources with the specialized skills, knowledge, and experience. These resources need to have the ability to perform in-depth analyses and apply judgement on complex issues requiring specialized legislation and regulatory knowledge.

The audit revealed that, in general, there was sufficient documentation to support the logical flow of information in the application cases reviewed, with a few exceptions. Established standards on case documentation requirements to ensure information stored is consistent with operational procedures, and is limited to what is relevant and key to the decision-making process, were not always followed. In addition, the completion of the “Case Closing Checklist”, which focus on the permanent closure of a case to be completed within 30 days from the approval date, was often delayed and/or inconsistent.

APG’s quality control and oversight activities embed the concept of continual training, development and coaching of staff. A “Case Management Oversight Guide and Checklist” containing the specific procedures and/or staff accountabilities throughout the six steps of the approvals process, has been designed and implemented. Although these procedures / accountabilities were defined based on the required level of oversight on a case, they appear to provide minimal guidance on the application of judgment in identifying and assessing regulatory risks.

Furthermore, the current process to capture changes in the working environment to ensure components of APG’s internal guidance are kept relevant may not be adequately designed (for example, the Administrative Monetary Penalty Policy). APG’s Learning Guide is also an important internal document that guides APG’s staff and provides on-boarding training to new employees, which should be periodically reviewed for content relevancy.

The audit also revealed that although there were many training initiatives across APG, as supported by APG’s learning needs analyses, and most staff had formal “Goal Commitment Documents” (GCD) and Learning Plans in place, these documents did not appear to have been designed around training, developing and addressing required knowledge levels for its staff at varying levels over a broader time horizon.

Recommendations

APG may benefit from enhancing the effectiveness, efficiency, and timeliness of APG’s quality control review process to better ensure that:

• work quality issues and process inefficiencies are timely and effectively detected throughout the six steps of an application approval’s process;
• regulatory risk is mitigated;
• variations in staff interpretation and in the application of APG’s operational procedures are identified in a timely manner, as opportunities to develop and coach staff; and
• case documentation requirements are consistently done and follow established information management practices.

APG may also benefit from enhancing APG’s training approach by developing a strategy for learning and career advancement aimed at building technical knowledge, skills, and required competencies for all staff that links to APG’s overall business strategy. The appropriate mechanisms to measure effectiveness and efficiency of training initiatives (delivered and underway) also need to be developed and implemented.

Management Action Plan

APG agrees with the above observations and recommendations on quality control and training.

APG will consult with all staff of the DTI and Insurance approvals teams by Q1 2017-18 to seek feedback on how the recently introduced “Case Management Oversight Guide and Checklist” is being used. Management will use this forum to identify opportunities to enhance consistency, whether it is through more internal guidance or improved quality control mechanisms. The Directors responsible for Approvals (the Directors) will be accountable for developing an action plan by Q3 2017-18 to address any material findings identified during the consultations.

In terms of training, APG management will develop a framework in Q1 2017-18 to formalize the assessment of its needs both at the team and individual levels. The framework will be integrated into APG’s planning process during the 2017-18 fiscal year. APG management also recognizes that further cross-training initiatives between the Deposit Taking and Insurance