Audit of Supervision Small and Medium Sized Banks (SMSBs)

Publication type
Audit
Date

    1. Background

    1.1 Overview

    Small and Medium‑Sized Banks (SMSBs) form a key segment of Canada’s financial system and are supervised by the Office of the Superintendent of Financial Institutions (OSFI). Due to their size and operating models, SMSBs are subject to tailored supervisory expectations distinct from larger Domestic and Global Systemically Important Banks. The SMSB portfolio includes smaller domestic and foreign banks, credit unions, trust companies, and loan companies.

    1.2 Why We Did This Engagement

    There has been no audit coverage of SMSB supervisory activities in the past three years. This engagement provides timely assurance over the design and operating effectiveness of key supervisory controls over the SMSB portfolio. Further details on the engagement and team structure are included in Appendix D – About the Engagement and Appendix B – Operational Structure.

    2. Summary of Engagement Results and Findings

    2.1 Overview of Results

    Overall, the monitoring and intervention processes for SMSBs are designed and operating effectively. Supervisory activities are conducted in adherence to the Supervisory Framework and respective guidance. Risk assessments and ratings are supported, documented, approved, and communicated to institutions in a timely, clear, and consistent manner. Additionally, there is effective challenge through the Group Rating Committee (GRC) and Entity Rating Panel (ERP) processes where required. These processes are supported by accurate and consistent materials and by tracking of action items.

    However, opportunities exist to strengthen controls over the following risk areas:

    • Safeguarding sensitive supervisory information;
    • Supervisory training;
    • Monitoring assessments and communication;
    • Intervention guidance and tracking mechanisms.

    While recommendations in this audit report are directed to Domestic Banking supervision teams, all OSFI supervision teams are encouraged to review the findings for applicability.

    Management Gold Stars

    Internal Audit (IA) recognizes the Domestic Banking (DB) Group, including Responsive Monitoring and Oversight Group’s (RMOG) banking supervision team, for:

    • Developing supplementary guidance and examples for the Monitoring Template aligned with the new Supervisory Framework.
    • Providing effective on‑the‑job coaching, including pairing less‑experienced supervisors with senior supervisors, which was noted positively in survey responses.

    2.2 Management Response

    Management agrees with the findings and recommendations contained within this report and has identified Management Action Plans with associated timelines for each recommendation as outlined in the relevant sections.

    3. Key Findings

    3.1 Sensitive Supervisory Information

    In executing its supervisory mandate, OSFI obtains, creates and stores sensitive supervisory information (SSI), which includes prescribed supervisory information (PSI) as well as other market-moving and proprietary information. The Chief Information Security Officer (CISO) is currently in the process of rolling out a new Protected B – Financial information security classification for this category of information.

    What We Found

    While most of the SSI reviewed was well organized and appropriately safeguarded, improvements are needed in guidance and oversight tools.

    Guidance

    Guidance and procedures have been established for handling SSI. However, resources reviewed are outdated or incomplete. Specifically:

    • There are instructions on the initial setup of isolation pods, but they do not clarify the ongoing ownership, maintenance, and monitoring requirements.
    • The importance, principles and processes related to safeguarding SSI were communicated to supervisors by the former Corporate Services Division via email in July 2023 and reiterated by the Superintendent in October 2025. However, the existing guidance was not periodically updated to reflect the latest safeguard measures.

    The Tools and Technology Team (TTT) and the Supervision Methods, Standards, and Controls (SMSC) group are currently developing new guidance for isolation pods and PSI disclosure, with targeted rollout in Q4 of fiscal 2025-26.

    User Access Oversight Tools

    Access to Vu and eSpace (supervisory record repositories) is assigned by cost centre, with controls through restricted document sets, isolation pods, and data export limitations. Exceptions noted include:

    • Signed supervisory letters or related emails sent to the institutions were not retained in a restricted document set as required.
    • Users no longer needing access to restricted document sets were not removed in a timely manner.
    • SSI was inadvertently saved in an incorrect reporting period document set.

    The Crisis Readiness Unit (CRU) is currently supporting the new eSpace monitoring process led by Enterprise Information Management (EIM). This new monitoring process, which will be rolled out across the Risk Assessment and Intervention Hub (RAIH) in Q4 2025-26, will serve as a detective control to identify unauthorized and/or unnecessary access to sensitive information. Previously, such review was only pursued on an exception basis through coordination between the Security team and a senior RAIH leader.

    Why It Matters

    Clear, relevant guidance and effective oversight tools are critical to safeguarding SSI in line with OSFI’s risk appetite. Gaps increase the risk of improper access, misinterpretation of requirements, and unauthorized disclosure of sensitive information, exposing OSFI to legal and reputational risks.

    Recommendation #1 (Medium Risk)

    (i) Clarify roles and responsibilities related to the safeguarding of SSI; and (ii) Develop and communicate guidance to safeguard SSI within OSFI risk appetite. [Supervision Institute]

    Recommendation #2 (Medium Risk)

    Develop and implement controls to facilitate the oversight of adherence to SSI guidance. [Domestic Banking]

    3.2 Supervisory Training

    Supervisors should be supported by training that equips them with the skills, knowledge, and confidence to supervise and communicate with institutions effectively.

    What We Found

    Foundational supervision training, including soft skill development, is currently available through the Supervision Institute, with additional learning opportunities offered by external providers to meet individual needs. Our results, however, highlight areas where further development is needed. Specifically:

    • Supervision-wide learning offerings continue to be developed and do not yet meet all of the supervisors’ needs, particularly for banking-specific training (e.g., credit risk, Basel, small and mid-size business banking).
    • Interviews and testing confirmed that competencies and responsibilities for supervisors at different classification levels are captured in the Supervision Key Responsibilities Matrix and job descriptions. However, it is unclear how these are used and how they feed into the identification of skills and knowledge gaps.

    Key success factors focused on supervision culture and building supervisory confidence have been developed by Supervision Institute (SI). Also, SI is currently developing a progressive supervision training program, including training related to the key success factors, which is targeted to be launched in fiscal 2026-27.

    Why It Matters

    A clear understanding of current skill and knowledge gaps is essential for guiding individual and team learning plans. Ongoing SI-led consultations will help define core supervision learning curriculum priorities for 2026–27.

    Recommendation #3 (Medium Risk)

    Conduct a comprehensive skills and knowledge gap analysis to map against existing training, or devise a plan for the additional training required. [Supervision Institute / Domestic Banking]

    3.3 Monitoring Assessments and Communication

    Monitoring is foundational to the supervisory process as it enables timely identification and assessment of risks. The Monitoring Standard and related guidance require assessments to be well supported and documented, aligned with Vu records, and communicated to institutions in a timely and consistent manner.

    What We Found

    Overall, monitoring assessments adhered to the Monitoring Standard and related guidance. Monitoring conclusions and Overall Risk Rating (ORR) were approved, supported, and communicated to institutions in a timely manner. However, exceptions were identified from sample testing. Specifically:

    • Monitoring assessments and conclusions for certain risk categories (i.e., operational resilience) were sometimes missing or insufficiently documented, and the linkage between the ORR rationale, supervisory outcomes, and monitoring assessment was not always clear. Monitoring documentation did not always demonstrate the key elements assessed or contain the level of detail needed to support conclusions, as required by the Monitoring Refresh Guidance and Documentation Standard.
    • Some sections within the monitoring templates were not always filled out.
    • The existing guidance is not clear on how ‘Related FRFIs’ supervisory ratings and results should be communicated when they are supervised together with the parent. There was not always evidence of communication of supervisory results, either individually or together with the parent.
    • The outcome statements were not always updated in Vu to align with the Annual Supervisory Letter (ASL) and the monitoring template.

    Why It Matters

    Insufficient, unclear, or inconsistent monitoring documentation or guidance can weaken the support for risk ratings and expectations, impair communication to institutions, and limit traceability across supervisory outputs.

    Recommendation #4 (Medium Risk)

    Partner with Supervision Institute to assess current documentation and communication expectations and update related guidance as needed, strengthen vertical review and quality control, and reinforce alignment across key monitoring outputs. [Domestic Banking]

    3.4 Intervention

    The intervention process allows supervisors to identify areas of concern and intervene at an early stage to reduce or prevent loss to depositors. Clear internal guidance and efficient monitoring enable supervisors to intervene effectively and consistently to ensure remediation is timely and complete.

    What We Found

    The current intervention processes are generally effective. Intervention resources exist on the external OSFI website and the SI portal. Intervention measures and de-stage actions are communicated to institutions via supervisory letters. However, there are opportunities to improve the internal guidance and the monitoring of progress on intervention measures. Specifically:

    • The existing Intervention Guides on the OSFI external website contain outdated references and do not incorporate the supervisory implications of the new OSFI mandate for integrity and security.
    • Internal guidance on the operational steps for intervention is lacking (e.g., intervention phases and corresponding activities, common tools and measures, and definitions of and expectations for key concepts).
    • Currently, intervention measures and de-stage actions are not centrally tracked or monitored. Progress is manually updated quarterly in the internal intervention reports. Some teams have manually developed internal tracking spreadsheets or used Vu to track them. Lastly, survey responses indicate that a consistent mechanism to track measures and actions would be beneficial.

    SMSC is currently updating the external and internal guides to clarify the intervention processes, and TTT is developing a new Vu function to centralize the tracking of intervention measures and de-stage conditions.

    Why It Matters

    Unclear guidance or the lack of centralized tracking can hinder the effectiveness, efficiency, continuity, or consistency of intervention.

    Recommendation #5 (Low Risk)

    Complete intervention guide updates, activate new functions to centralize the tracking of intervention measures and de-stage conditions, and provide training to supervisors as needed. [Supervision Institute]

    Appendix A – Recommendation Ratings

    Recommendations are ranked in order to assist management in allocating resources to address identified weaknesses and/or improve internal controls and/or operating efficiencies. These ratings are for guidance purposes only. Management must evaluate ratings in light of their own experience and risk appetite.

    Recommendations are ranked according to the following definitions:

    • High Risk: should be given immediate attention due to the existence of either a significant control weakness (i.e. control does not exist or is not adequately designed or not operating effectively) or a significant operational improvement opportunity.
    • Medium Risk: a control weakness or operational improvement that should be addressed in the near term.
    • Low Risk: non-critical recommendation that could be addressed to either strengthen internal control or enhance efficiency, normally with minimal cost and effort. Individual ratings should not be considered in isolation; their effect on other objectives should also be considered.

    Appendix B – Operational Structure

    OSFI’s supervision sector consists of the Risk Assessment & Intervention Hub (RAIH) and the Risk Advisory Hub (RAH). RAIH covers the banking, insurance, and pension industries and is led by the executive director, who reports to the Deputy Superintendent of Supervision. At the time of the fieldwork for this audit, SMSBs, as part of the RAIH, were supervised by:

    • Domestic Banking Group: A total of 52 individuals, with three managing directors (of which one is a split resource between the insurance and domestic banking supervision teams) and six directors, all reporting to one senior director.
    • Responsive Monitoring Oversight Group – Banking Supervision Team: A total of 7 individuals, with one senior manager and one manager, both reporting to a director.

    Appendix C – Key Acronyms

    ASL – Annual Supervisory Letter
    CISO – Chief Information Security Officer
    CRU – Crisis Readiness Unit
    DB – Domestic Banking
    EIM – Enterprise Information Management
    ERP – Entity Rating Panel
    FRFIs – Federally Regulated Financial Institutions
    GRC – Group Rating Committee
    ORR – Overall Risk Rating
    OSFI – Office of the Superintendent of Financial Institutions
    PSI – Prescribed Supervisory Information
    RAH – Risk Advisory Hub
    RAIH – Risk Assessment & Intervention Hub
    RMOG – Responsive Monitoring Oversight Group
    SI – Supervision Institute
    SMSB – Small and Medium Sized Banks
    SMSC – Supervision Methods, Standards, and Controls
    SQAD – Supervision Quality Assurance Division
    SSI – Sensitive Supervisory Information
    TTT – Tools and Technology Team

    Appendix D – About the Engagement

    D.1 Objective

    To assess whether controls related to high-risk supervisory processes are designed and operating effectively to ensure alignment with OSFI’s Supervisory Framework and to support risk assessments and responses.

    D.2 Scope

    The audit covered the most significant risk supervisory activities for SMSBs across both Domestic Banking and the Responsive Monitoring Oversight Group for banking (RMOG), from April 1, 2024 to June 30, 2025 (refer to D.3 Approach and Methodology for details).

    Controls related to SMSB activities for reviews and issues management, and the Supervision Central Office’s performance metrics reporting, were out of scope for this audit because these activities share a similar design with those covered in the June 2025 Supervision of Insurance audit, which has open recommendations. Supervisory planning activities were also out of scope, to align with the development of substantive tool changes that support planning (i.e., the resource methodology and tool approved in August 2025 and the time reporting system that is underway).

    D.3 Approach and Methodology

    The engagement consisted of document reviews, interviews, and process walkthroughs. Data analytics were employed, and IA leveraged Supervision Quality Assurance Division (SQAD) work, where appropriate, to support the sampling approach and extent of work. Sample-based testing was conducted to assess the operating effectiveness of processes.

    The engagement was structured as two sprints with distinct criteria; the audit also covered broader themes (refer to D.4 Engagement Criteria for details).

    • Sprint I: Monitoring, including impact on Scorecard Ratings.
    • Sprint II: Intervention, including impact on Scorecard Ratings and the GRC and ERP processes.

    D.4 Engagement Criteria

    The following criteria were established for this engagement (based on the scope outlined above):

    Criteria and sub-criteria:

    1. Supervisory expectations, accountabilities, and guidance are adequate, updated, and communicated in a timely manner to support achievement of supervisory activities and objectives.
        1.1 Supervisory roles and responsibilities are clearly defined, communicated in a timely manner, and understood.
        1.2 Policies, standards, and guidance are defined to support supervisory expectations, and updates are communicated in a timely manner.
        1.3 There are effective mechanisms to identify and monitor the capability of supervisors on an ongoing basis to support training needs.
    2. Supervisory data is reliable, consistent, and supports effective supervisory activities.
        2.1 Data captured across supervisory tools and systems is accurate, complete, and consistent to support supervisory actions and conclusions.
    3. Supervisory activities are adequately conducted and in accordance with the Supervisory Framework/guidance for effective oversight of institutions’ risk profiles.
        3.1 Supervisory monitoring activities and tools support a consistent and timely approach, and alignment with expected intensity and frequency for adequate risk coverage.
        3.2 Supervisory intervention activities are effective and align with expected intensity to support timely response and remediation of identified risks.
        3.3 Supervisory conclusions on institutions’ risk ratings, findings, and recommendations are adequately approved, documented, supported, and communicated in a timely and consistent manner.
        3.4 Supervisory outcomes are clear and linked to supervisory actions, ratings, and conclusions.
    4. There are effective governance and oversight mechanisms that receive reliable information to support supervisory assessments and actions for high-risk institutions.
        4.1 Information used in ERP and GRCs is accurate and sufficient, and aligns with supporting documentation, including Vu, and with risk rating conclusions.
        4.2 Challenge at ERP and GRC is documented and consistently conducted in accordance with defined requirements.

    D.5 Statement of Conformance

    This audit was conducted in conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board’s Policy on Internal Audit, and as supported by the results of the Quality Assurance and Improvement Program.