Internal Audit Report on Insurance Supervision Sector - Mortgage Insurance Group

1. Background

Introduction

Internal Audit (IA) conducts assurance work to determine whether the Office of the Superintendent of Financial Institutions Canada’s (OSFI) risk management, control, and governance processes, as designed and represented by management, are appropriate and functioning in a manner to ensure risks are appropriately identified and managed, and to ensure compliance with such requirements as policies, plans, procedures and applicable laws and regulations.

The audit of the Mortgage Insurance Group (MIG) was recommended by the OSFI Audit Committee and approved by the Superintendent for inclusion in the OSFI 2015-16 Internal Audit Plan.  

MIG management has reviewed this report and provided their response along with action plans. The report will be presented at the OSFI Audit Committee June 30, 2016 meeting for review and approval by the Superintendent.

Background

The objective of OSFI’s supervisory process is to assess the safety and soundness of an institution on a consolidated basis, and to provide early warnings of issues to allow OSFI to intervene in a timely and effective manner where OSFI considers an institution’s practices to be, or likely to become, imprudent or unsafe.

The Mortgage Insurance Group (MIG) is part of OSFI’s Insurance Supervision Sector and is responsible for the supervision of all mortgage insurance companies (privately and publicly owned). Mortgage insurance is a class of insurance that provides protection to lenders against losses caused by borrower default on mortgage payment obligations, as well as to insure guarantee mortgage-backed securities issued by deposit taking institutions, conglomerates and non-conglomerates.

MIG supports OSFI’s mandate to protect policyholders from undue loss and to promote confidence in the financial system. MIG supervises and monitors the safety and soundness of mortgage insurers by focusing on elements such as governance, risk management practices and controls, capital adequacy, proper accounting of assets and liabilities, and liquidity. MIG’s supervisory activities also include verifying and enforcing mortgage insurers’ compliance with rules and regulations established by legislation and OSFI’s regulatory framework.

OSFI employs a disciplined, risk-based methodology to supervise both insurance and deposit taking institutions, irrespective of their size. OSFI’s supervisory methodology (‘methodology’) is described, at a high level, in the Supervisory Framework 2010, and in more detail in a number of Supervisory Guides. These documents provide the conceptual framework to support an effective supervisory process that all supervisory groups, including MIG, must apply.

2. About the Engagement

Engagement Objectives

The objective of the audit was to assess whether the Mortgage Insurance Group (MIG) appropriately applies OSFI’s supervisory methodology when assessing the safety and soundness of mortgage insurers. Specifically, the audit assessed whether:

1. MIG’s planning activities clearly demonstrated their risk-based approach and allocation of resources;
2. The logic and flow of MIG’s supervisory documentation clearly supported their risk assessments, conclusions and supervisory actions taken; and
3. OSFI’s Supervisory Framework and related Guides were appropriately and consistently applied in the MIG’s supervisory process when identifying, assessing, reporting and following up on mortgage insurance risk related matters.

Engagement Scope

The audit focused on the mortgage insurance companies MIG supervises.

IA selectively examined the supervisory work carried out by MIG from April 1, 2014 to March 31, 2015. However, recognizing that the supervisory process is continuously evolving, IA reviewed documentation relating to events after the chosen audit period for evidence of improvements, as applicable.

Engagement Approach

The approach to conducting the audit included:

• A review of OSFI’s supervisory framework and related guides to refresh IA’s understanding of its requirements;
• Discussions with MIG’s staff to understand their supervisory mandate, process (i.e. planning, execution, monitoring, reporting and follow-up phases) and practices in place; and
• A review of selected mortgage insurers’ key supervisory documentation prepared by MIG’s staff to assess their application of OSFI’s methodology.

Statement of Conformance

The audit was conducted in conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board Secretariat (TBS) Policy on Internal Audit and the Internal Auditing Standards of the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.

3. Observation Ratings

Observation Ratings

Observations are ranked in order to assist management in allocating resources to address identified weaknesses and/or improve internal controls and/or operating efficiencies.  These ratings are for guidance purposes only.  Management must evaluate ratings in light of their own experience and risk appetite.

Observations are ranked according to the following:

High priority - should be given immediate attention due to the existence of either a significant control weakness (i.e. control does not exist or is not adequately designed or operating effectively) or a significant operational improvement opportunity.

Medium priority – a control weakness or operational improvement that should be addressed in the near term.

Low priority - non-critical observation that could be addressed to either strengthen internal control or enhance efficiency, normally with minimal cost and effort.

Individual ratings should not be considered in isolation and their effect on other objectives and areas should also be considered.

4. Results of the Engagement

Conclusion

Application of OSFI’s methodology is complex and requires the use of a disciplined approach and the application of significant judgement by supervisory teams in conducting their assessments. OSFI’s supervisory methodology provides the conceptual framework and the foundation to support an effective supervisory process for all supervisory groups to follow. Effective implementation of OSFI’s methodology requires a thorough understanding of the principles of risk-based supervision and a consistent application of these principles.

While MIG’s staff demonstrated a good understanding of the business activities of the institutions, the logic and flow of the information and supervisory assessments were not always transparent to support conclusions reached and ratings assigned. Supervisory processes need to be strengthened to ensure effective and timely review of supervisory work is conducted at each step in the supervisory process to ensure OSFI’s supervisory risk is mitigated.

Enhancements have been made to the Mortgage Insurance Group’s (MIG) structure and monitoring activities, however, further strengthening is necessary with respect to MIG’s mandate, information methods and resources.  The direction and commitment of OSFI’s Senior Management is likely required as remedial action plans may impact groups other than MIG.  

5. Management Response

Response

MIG management wishes to express thanks to the audit team for the professional, clear and transparent way in which they conducted their audit.  We are in agreement with the findings of the audit and MIG management is committed to addressing the recommendations outlined in this report within the current fiscal year (2016-2017). 

6. Observations and Recommendations

1. MIG’s Role, Responsibility and Accountability

High Priority Observation

MIG’s mandate^{Footnote 1} is to:

• Supervise Federally Regulated Mortgage Insurers (FRMIs) to determine if FRMIs are in sound financial condition and complying with governing law and supervisory requirements; and
• Determine whether publicly owned insurer(s) is carrying on any or all of its commercial activities in a safe and sound manner, including whether  those activities are being carried on with due regard to its exposure to loss.   

In carrying out this mandate, MIG conducts supervisory assessments, examinations and enquiries on the activities of privately and publicly owned mortgage insurers, in accordance with OSFI’s methodology.

The audit revealed that the role and accountability of OSFI with respect to supervising publicly owned insurers is unclear. Lack of distinct and clear expectations on the exercise of OSFI’s powers and authorities to supervise a publicly owned mortgage insurer that is considered systemically important domestically, appear to have hindered MIG’s ability to supervise efficiently and effectively.

Recommendations:

Achieving clarity and developing and implementing an effective relationship between OSFI and the institutions it supervises will require OSFI’s Senior Management direction on how the interaction between different stakeholders is expected to work and the relative accountabilities that flow from it.  

The mechanisms to implement OSFI’s clarified accountabilities that align with legislative and policy requirements, should be documented in MIG’s formal mandate and communicated to all relevant stakeholders involved (i.e. internal and external).

Management Action Plan:

The current mandate has been effective in transitioning mortgage insurance into a supervisory focus distinct from property and casualty insurance.   However, with this transition complete, MIG management agrees that the mandate for mortgage insurance supervision should be reviewed. MIG will review and update its mandate in the 2016-2017 fiscal year, which will be approved by the Assistant Superintendent, Insurance Supervision Sector,  prior to the updated mandate being communicated to relevant stakeholders. 

2. MIG’s Data Collection 

High Priority Observation

As part of its supervisory mandate, OSFI requires all mortgage insurers to report quarterly on the risk characteristics of their new written and in-force insurance business. MIG requires adequate data collection methods to gather the insurers’ information and appropriate controls are needed to ensure that the information MIG collects and disseminates is reliable, accurate and properly safeguarded.

Existing MIG’s data collection methods are inefficient and labour intensive as the technology available does not support MIG’s information needs.

Mortgage insurers currently submit data to MIG via MS-Excel based spreadsheet forms requiring significant manual intervention and work-around procedures, which can compromise the integrity, quality and accuracy of the information being reported. This significantly limits MIG’s ability to collect, organize and work with large data calls and may not be suitable to support MIG’s reporting requirements to external stakeholders on the insurers’ compliance with applicable legislation and/or regulations (e.g. OSFI’s annual reporting on the “Aggregate Outstanding Principal Amount” of all mortgages or hypothecary loans insured under the Protection of Residential Mortgage or Hypothecary Insurance Act (PRMHIA) and the Sandbox Rules as per “The Eligible Mortgage Loan Regulations” issued by the government).

Additionally, with respect to MIG’s data collection, the group places significant reliance on a specializedstaff member to consolidate, correlate and validate (with limitations) the insurers’ breakdown of the aggregate outstanding principal amounts of insured loans. MIG could be vulnerable to key person dependency risks in the event of a departure.  The risk of exposure further increases with the fact that underlying processes, practices and procedures for data collection and management are not formally documented. 

Recommendations:

Enhancing MIG’s ability to collect and manage mortgage insurers’ data should be considered a priority.  A data centric approach with respect to the collection and analysis of industry data will better position MIG to discharge its supervisory responsibilities in identifying, evaluating, monitoring and reporting on mortgage insurers’ compliance with legislative and regulatory requirements, efficiently and effectively.

Direction and commitment from OSFI’s Senior Management is needed to ensure a solution that supports MIG’s information needs within an adequate control environment, is developed.

Management Action Plan:

While it has compensating controls to manage data risks, MIG management acknowledges the vulnerabilities referenced in the audit report.  MIG management will develop and submit for consideration an initiative to support improved mortgage insurance data governance and utilization in the planning process for the 2017-2018 year.  Recognizing that MIG’s data governance requirements are only one aspect of OSFI’s data governance framework, MIG’s initiative will support and work with the current and evolving OSFI wide data governance framework.

3. MIG’s Monitoring and Risk- Based Planning

High Priority Observation

The size and complexity of Canada’s mortgage insurance and securitization industry, combined with current economic conditions and concerns, heighten the importance for MIG to continuously monitor, identify and assess emerging risks in a timely and effective manner to facilitate an early identification of potential supervisory issues at institutions. 

OSFI’s risk-based methodology requires supervisors to understand the institution’s environment, industry and business profile in order to develop an inventory of the institution’s significant activities. This process enables supervisors to set the proper context for assessing the institution’s risk profile.

Once the institution’s significant activities are identified, based on both qualitative and quantitative factors, supervisors develop a multi-year Institution Supervisory Strategy (ISS) to determine the supervisory intensity and resources required to ensure OSFI’s assessment of the institution’s risk profile is accurate and remains current.

Although MIG’s monitoring and planning supervisory documentation reviewed contained relevant insurers’ business profile information, the following areas requiring enhancements were identified:

• The analysis of key environment and emerging risk factors and their potential impact to the mortgage insurers were not always clearly linked to the institutions’ multi-year supervisory strategies, work plans and the approach followed to perform supervisory assessments;

• Although the ISS documents indicated that, for the most part, appropriate priority was given to reviewing institutions’   higher net risk activities, the work plans were often not completed and/or postponed in part due to the unavailability of specialized resources (i.e. Supervision Support Groups);

• Existing MIG’s process/practices to ensure there is appropriate oversight when mortgage insurers’ work plans and priorities significantly change, were not consistently followed; and

• It was not always clearly demonstrated whether mortgage insurance risks/issues previously identified and reported as part of MIG’s quarterly integrated monitoring process were followed up and/or monitored for their resolution.

Recommendations:

Enhancing MIG’s monitoring and planning process will require that the linkages between emerging risks/issues, which can potentially impact the mortgage insurers, and the multi-year Institution Supervisory Strategies work plans and approach be clearly and appropriately demonstrated.

Risks/issues previously identified and reported as part of MIG’s quarterly monitoring process need to be fully integrated into MIG’s supervisory planning process and their resolution needs to be properly monitored and evaluated.  

Enhancing MIG’s execution of Institution Supervisory Strategies and work plans process will require the attention, direction and commitment of OSFI’s Senior Management to the solutions developed, as their implementation may impact groups other than MIG (i.e. specialized groups). Otherwise, MIG’s ability to achieve an appropriate level of coverage (including follow-up work) to support the assessment of the institutions’ risk profile and facilitate an early identification of supervisory issues may be hindered.

MIG’s management should conduct a capacity assessment and determine the anticipated level of specialized and skilled resources it must have available (that is, formally committed to MIG) to ensure MIG will have the necessary resources to achieve its objectives and meet its supervisory mandate.

Management Action Plan:

MIG management acknowledges that some operational processes developed under a property and casualty insurance operations framework are not necessarily as effective under the new mortgage insurance supervisory approach.  MIG management will enhance its operational monitoring by implementing an operational dashboard for the mortgage insurance group that will provide summary linkages between supervisory planning and execution of reviews identified in the supervisory strategies of the mortgage insurers. This operational dashboard will be implemented by the second quarter of the current fiscal year (2016-2017) and provided quarterly to the Assistant Superintendent and heads of the contracted SSG groups for the plan year.

Further, MIG management will conduct a detailed resource analysis during the annual plan process for the 2017-2018 fiscal year, considering the supervisory documentation requirements and other core supervisory work efforts.

4. MIG’s Supervisory Risk Assessments: Execution, Reporting and Follow-up

Medium Priority Observation

The Supervisory Framework requires the assessment of an institution’s key significant activities’ (SA) inherent risks as well as the effectiveness of the institution’s risk management and control practices to arrive at the Net Risk and the direction of risk for each activity. The risk assessment enables the supervisors to build expectations of the type and rigour of controls necessary to mitigate risks inherent to the activity.  Accordingly, the assessment of the institution’s quality of risk management involves a comparison of these expectations with what is in place at the institution.

The methodology also requires an assessment of each of the institution’s Quality Risk Management functions (QRMs) overall effectiveness. The results of the QRM assessments provide  insight into how much direct testing supervisors need to do to assess Operational Management effectiveness. Furthermore, leveraging off the QRMs’ work, as appropriate, can lead to scope coordination and minimize duplication of effort and focus supervisory resources on risks and controls of higher/critical interest to OSFI.

Once the Net Risk of all of the significant activities has been assessed, the ‘importance’ of each activity is taken into account to arrive at the institution’s Overall Net Risk. Once this is determined, the adequacy of the institution’s earnings, liquidity and capital is considered to arrive at the institution’s Composite Risk Rating (CRR). These assessments are summarized and reported in Section Notes (SNs), the Risk Assessment Document (RAD), the Risk Matrix, and other supervisory documents as required. Timely reviews of these documents should be conducted at each step of the supervisory process by the appropriate level of management (i.e. Guide G19) to ensure OSFI’s Supervisory Framework is appropriately and consistently applied, and to help identify areas that need to be improved and/or where additional staff training and coaching may be required.  

The methodology also requires that recommendations previously reported to the institutions are adequately and timely addressed.

MIG’s supervisory documentation reviewed contained relevant information with respect to mortgage insurers’ significant activities, however, the following areas requiring enhancements were identified:

• Although only significant activities’ key inherent risks had been rated, the analyses and rationale to support the ratings were not always transparent.
• The linkages between the SA’s key inherent risks and the assessment of how the institution’s risk management strategies effectively mitigated the identified risks and supervisory issues/concerns were not always transparent and/or lacked sufficient evidence to support conclusions.
• Although supervisors tracked OSFI’s recommendation reported to the institutions in the Follow-up Document, the process to ensure OSFI’s recommendations are adequately actioned and evaluated for effectiveness appears to not be achieving its intended purpose.

Recommendations:

Enhancing MIG’s supervisory process will require that the logic and flow of information and assessments contained in key supervisory documents clearly support conclusions reached, ratings assigned and supervisory actions taken.

Accordingly, timely and effective reviews of supervisory work carried out should be conducted at each step of the supervisory process to ensure OSFI’s methodology is appropriately applied and may help identify areas where additional staff training and coaching may be required.  

MIG’s management should consider reviewing its current operational manual to assess whether it aligns with MIG’s current and future needs and facilitates the assessment and reporting of insurers’ compliance with legislation and regulatory requirements. Tools and guidance should be developed, as appropriate.

MIG’s management may consider revisiting its current level of information coordination and communication with other OSFI groups performing supervisory assessments in areas where scope of work overlaps, to ensure there is an appropriate transfer and sharing of knowledge; for example, share the results of MIG’s monitoring or review work where risks/issues that could potentially impact both, lenders and insurers, have been identified.

Management Action Plan:

Many supervisory processes are OSFI wide and for these the current operational framework would remain appropriate.  However, MIG management acknowledges that some property and casualty specific operational processes under the current operations framework being used by MIG are not necessarily  as effective under the new mortgage insurance supervisory approach.   MIG management will review and update its current operational framework during the current year (2016-2017) to verify its alignment with the supervisory requirements of mortgage insurers.  

MIG management will also distribute its Quarterly Integrated Monitoring (QIM) report to internal groups performing supervisory assessments of mortgage insurers to ensure an appropriate sharing of knowledge on the status and progress of supervisory reviews.  

MIG management will undertake a panel review process for each of the mortgage insurers during the current year (2016-2017) to ensure supervisory assessments and ratings are adequately supported within the supervisory documentation.   Participation in the panel review process will also facilitate communication by the Lead Supervisor team of the thought processes leading to the ratings in the risk assessment.