The following criteria describe the characteristics OSFI uses when assessing the quality of the Compliance function’s oversight of the management of the institution’s compliance with applicable laws, regulations and guidelines. The application and weighting of the individual criteria will depend on the nature, scope, complexity and risk profile of the institution and will be assessed collectively, together with the Compliance function’s performance, in rating its overall effectiveness.
Essential Elements | Criteria
1. Mandate
1.1 Extent to which the function’s mandate establishes:
Clear objectives and enterprise-wide authority for its activities;
Authority to oversee effectiveness and consistency of operating units’ compliance practices;
Authority to carry out its responsibilities independently;
Right of access to the institution’s records, information and personnel;
A requirement to opine on the adequacy and effectiveness of the compliance processes and status of compliance; and
Authority to follow up on actions taken by management in response to identified issues and related recommendations.
1.2 Extent to which the mandate is communicated within the institution.
2. Organization Structure
2.1 Appropriateness of the stature and authority of the function head within the organization for the function to be effective in fulfilling its mandate.
2.2 Extent to which the function head has direct access to the CEO, Senior Management and the Board (or a Board Committee).
2.3 Appropriateness of the function’s organizational structure and authority of the function head within the organization to enable the function to be effective in fulfilling its mandate.
2.4 Extent to which the function is independent of the institution’s business activities and day-to-day compliance processes and is not involved in revenue-generating activities or financial performance of a line of business or product line.
3. Resources
3.1 Adequacy of the function’s processes to determine the required:
Level of resources necessary to carry out responsibilities and in response to changes in the institution’s business activities and strategies, as well as its operating environment;
Qualifications and competencies of staff; and
Continuing professional development programs to enhance staff competencies.
3.2 Adequacy of the function’s resources and appropriateness of its collective qualifications and competencies for executing its mandate.
3.3 Sufficiency of staff development programs.
4. Policies, Practices and Methodology
4.1 Adequacy of policies and practices to ensure that the function’s approach and practices align with industry and regulatory compliance practices and are appropriate for executing its mandate.
4.2 Adequacy of policies and practices to keep abreast of new and changing legislation and changes in the institution’s risk profile.
4.3 Adequacy of policies and practices to promptly develop or amend the institution’s compliance policies as legislation is introduced or amended or as new or changing business activities impose different legislative requirements on the institution.
4.4 Adequacy of policies and practices to document new or amended compliance policies and communicate them across the institution on a timely basis.
4.5 Adequacy of policies and practices to assist management in identifying, addressing and integrating significant legislative or regulatory requirements into their business activities through appropriate procedural controls.
4.6 Adequacy of policies and practices to monitor adherence to applicable laws, regulations and guidelines across the institution in order to ensure that significant issues are identified and brought to Senior Management’s attention for timely resolution, as well as to support Senior Management’s opinion on the status of compliance.
5. Reporting
5.1 Adequacy of policies and practices to report significant compliance findings and recommendations to management so that timely corrective action is taken.
5.2 Adequacy of policies and practices to monitor and follow up on the effective implementation of management actions in response to compliance findings and recommendations.
6. Internal Audit Oversight
6.1 Extent to which the Internal Audit program includes reviews of the Compliance function and its key controls, has the appropriate resources to carry out the reviews, and applies a scope and frequency of review sufficient to assess the effectiveness of the Compliance function.
6.2 Adequacy of Internal Audit’s communication of its recommendations and follow-up with respect to the Compliance function.
7. Senior Management Oversight
7.1 Adequacy of policies and practices for Senior Management to support the Board (or Board Committee) on the:
Appointment and/or removal, performance review, compensation and succession plan of the function head;
Function’s mandate, budget and resources (staffing and skill sets); and
Function’s annual work plan including any material changes to that plan.
7.2 Adequacy of policies and practices to assess the effectiveness of the function, including communicating results to Senior Management and, as appropriate, the Board (or a Board Committee).
7.3 Adequacy of policies and practices to report periodically to Senior Management on issues and recommendations with escalation to the Board, as appropriate.
7.4 Adequacy of the processes related to talent development and succession planning for the function’s key roles.
8. Board (and Board Committee) Oversight
8.1 Adequacy of policies and practices for the Board (or Board Committee) to approve:
The appointment, performance review, compensation and succession plan of the head of the oversight function;
The function’s mandate, budget and resources (staffing and skill sets); and
The function’s annual work plan including any material changes to that plan.
8.2 Extent to which the Board (or Board Committee) receives periodic reporting on trends or pervasive risk impacting the organization.
8.3 Extent to which the Board (or Board Committee) demonstrates an ability to act independently of Senior Management through practices such as regularly scheduled Board (or Board Committee) meetings that include sessions without Senior Management present.
9. Relationship with Other Oversight Functions
9.1 Adequacy of the formal integration of the Compliance function’s role and defined responsibility with other oversight functions as appropriate.