January 6, 2015
On November 13, 2014, the Office of the Superintendent of Financial Institutions (OSFI) issued a revised Guideline E-13 (Guideline) (renamed Regulatory Compliance Management [RCM], formerly Legislative Compliance Management [LCM]), representing the first update to the Guideline in 11 years. The update followed a draft issued for comment in April 2014. The revised Guideline incorporates several revisions resulting from comments received during the public consultation process.
An update was deemed necessary to bring the Guideline into alignment with OSFI’s revised Supervisory Framework and Corporate Governance Guideline. Additionally, OSFI stated that it has, over the years, identified a number of issues within Federally Regulated Financial Institutions (FRFIs) that it believes would be well served by additional and clarified guidance. The revised Guideline now also aligns with the Basel Committee on Banking Supervision’s (BCBS) updated 2011 version of its Principles for the Sound Management of Operational Risk and with the International Association of Insurance Supervisors’ (IAIS) relevant Insurance Core Principles.
Implementation of the Guideline by FRFIs is required by May 1, 2015.
Definition of Regulatory Risk
In previous guidance, “regulatory risk” was defined as the “risk of non-compliance with applicable regulatory requirements.” For the purpose of the LCM Guideline, “applicable regulatory requirements” were defined to include those in:
- The FRFI’s governing federal legislation, regulations and regulatory directives, and
- Other legislation, regulations and regulatory directives applicable to the activities of the FRFI or its subsidiaries worldwide.
The term now used is “regulatory compliance risk,” which is the risk of a FRFI’s potential non-conformance with laws, rules, regulations and prescribed practices (“regulatory requirements”) in any jurisdiction in which it operates. The concept of “Governing” and “Other” legislation, which was present in the LCM Guideline, has been removed from the RCM Guideline, rendering all legislation of equal status.
The risk arising from non-conformance with ethical standards, although included in the draft, was removed following public consultation and is therefore not included in the definition for the purpose of this Guideline.
The RCM Framework
A FRFI and its subsidiaries are expected to manage and mitigate regulatory compliance risk inherent in their activities throughout all business activities applicable to the FRFI and its subsidiaries worldwide.
- Operational management (day-to-day controls for regulatory compliance risk)
- Ongoing enterprise-wide oversight of day-to-day compliance controls
- Internal Audit or other independent review function
- Independent oversight
RCM Framework Elements
- Role of the Chief Compliance Officer (CCO)
- Procedures for identifying, risk assessing, communicating, managing and mitigating regulatory compliance risk and maintaining knowledge of applicable regulatory requirements
- Day-to-day compliance procedures
- Independent monitoring and testing procedures
- Internal reporting
- Reporting procedures
- Compliance reports to Senior Management and the Board or committee(s) of the Board
- Internal Audit or another independent review function reports to Senior Management and the Board or committee(s) of the Board
- Role of Internal Audit or other independent review function
- Adequate documentation
- Role of Senior Management
- Role of the Board
Key LCM Controls
- Identification, assessment, communication and maintenance of applicable regulatory requirements
- Compliance procedures
- Monitoring procedures
- Reporting procedures
- Compliance oversight function reports to the Board of Directors
- Internal Audit or other independent review function reports to the Board
- Regular review and improvement
The FRFI is expected to administer the key framework elements through a methodology that establishes clear lines of responsibility and a mechanism for holding individuals accountable. OSFI expects that the roles and responsibilities of all individuals involved in RCM should be clearly documented. The day-to-day and independent oversight review levels of the key control elements should be sufficiently documented to demonstrate how regulatory compliance risk is managed and to support the flow of information reported to the CCO, Senior Management, and the Board.
First Line of Defence Responsibilities
The RCM Guideline clarifies that there are two levels of compliance control, supplemented by a third line of defence. The first level of control resides with operational management in the first line of defence. Operational management for a given business activity is primarily responsible for the controls used to manage all of the regulatory compliance risks within that activity on a day-to-day basis.
Operational management is responsible for ensuring that FRFI line staff have a clear understanding of the regulatory compliance risks posed by the activities they carry out and how those risks must be managed, and that the policies, procedures and resources are sufficient and effective in managing those risks. Additionally, the Guideline reinforces that Senior Management is responsible for ensuring that the RCM framework is implemented.
Day-to-day compliance procedures should include monitoring and testing of the adequacy of, adherence to and effectiveness of compliance procedures in business operations. This is a new explicit requirement for testing in the first line of defence.
Second Line of Defence Responsibilities
The RCM Guideline reiterates the need for ongoing enterprise-wide oversight of day-to-day compliance controls by individuals or oversight functions that are independent of the activities they oversee (e.g., a compliance oversight function), led by a CCO.
According to the Guideline, the adequacy of, effectiveness of and adherence to day-to-day compliance procedures, including day-to-day monitoring and testing procedures, should be independently monitored and tested by the CCO and other oversight functions, as appropriate, on an ongoing basis using a risk-based approach.
When appropriate in the circumstances of the FRFI, wherever independent monitoring and testing is conducted within the FRFI, the monitoring and testing methodology should be sufficiently consistent enterprise-wide so that it enables aggregation of information to identify any patterns, themes or trending in compliance controls that may indicate weaknesses.
Verification of critical elements of pertinent information should be used in key reports, including CCO reports to Senior Management and the Board, and should be included as part of the monitoring and testing program.
Third Line of Defence Responsibilities
Internal Audit or another independent review function is expected to validate the effectiveness of and adherence to the RCM framework enterprise-wide through risk-based testing on a rotational or other regular basis. This includes testing of both the operational and the independent oversight levels of compliance controls. The Guideline also states that auditors or reviewers responsible for this third line of defence review must have the appropriate skills and knowledge of the business and regulatory environment to conduct the reviews.
Reporting procedures require that “pertinent and verifiable” information about RCM adequacy and effectiveness be communicated on a timely basis to “individuals with RCM responsibilities.” Previously, reporting was focused on Senior Management and the Board, and there was no requirement for “verifiability” of information. Additionally, there is now a requirement for aggregation of monitoring and testing results within and across areas of business activity pertinent to the RCM responsibilities of report recipients.
With respect to the nature of CCO reporting to Senior Management and the Board, the RCM Guideline provides additional guidance as to what is expected:
Content that the reports should cover includes:
- Results of enterprise-wide compliance oversight
- Material RCM framework weakness
- Instances of material noncompliance
- Material exposures to regulatory compliance risk
- Related remedial action plans
- Significant legislative and regulatory developments
- Industry compliance issues, emerging trends and regulatory risks
The Guideline confirms that “materiality” should be established in conjunction with the Board. Reports should provide an objective view on whether the FRFI is operating within the RCM framework and identify problems or issues to Senior Management and the Board, as appropriate.
The CCO should provide an “opinion” to the Board on a regular basis, but at least annually, on the adequacy and effectiveness of the RCM framework, and whether, based on the monitoring and testing performed by the compliance oversight function, the FRFI is in compliance with applicable regulatory requirements. The opinion should be based on enough pertinent information that is verified or reasonably verifiable to support the opinion. The CCO should meet with the Board on a regular basis, including as appropriate, in camera meetings.
Role of the Chief Compliance Officer
As in the 2003 LCM Guideline, overall responsibility for compliance should be assigned to a member of Senior Management who should be designated, at least functionally, as the FRFI’s CCO. The adequacy of, adherence to, and effectiveness of day-to-day compliance procedures should be independently overseen by the CCO, using a risk-based approach. The CCO should have appropriate stature, authority, resources and support to fulfill the duties of the role, should be sufficiently independent of operational management, and should have the capacity to offer objective opinions and advice to Senior Management and the Board. The Guideline clarifies that the CCO should not be directly involved in a revenue-generating function or in the management of any business line or product of the FRFI.
Role of Internal Audit or Other Independent Review Function
The role of Internal Audit or another independent review function has been described in much more detail. The scope of the work undertaken should include the consideration of the reliability of the RCM framework including:
- Management’s identification of material regulatory compliance risks and their corresponding controls
- The accuracy of reporting on compliance to Senior Management and the Board
- An assessment of the effectiveness of compliance oversight
Internal Audit or other independent review function methodologies need to be supplemented by “effective challenge” and an attitude of “professional skepticism” by Internal Auditors. Like the CCO’s reports to the Board, Internal Audit or other independent review reports should contain sufficient pertinent information to facilitate the Board’s oversight of the RCM framework’s adequacy and effectiveness, while maintaining their independence. These reports should assist the Board in assessing the reliability of RCM assurances provided to the Board by the CCO and Senior Management.
Smaller, Less Complex FRFIs – Oversight Functions and Independent Review Functions
Flexibility is provided to smaller, less complex FRFIs when it comes to the oversight and independent review functions. OSFI states that the presence and nature of oversight functions are expected to vary based on the nature, size, complexity and risk profile of a FRFI, and the potential consequences of the FRFI’s failure. Where the FRFI lacks some of the oversight functions, or where a function is not sufficiently independent or does not have enterprise-wide responsibility, OSFI expects other functions, within or external to the FRFI, to provide the independent oversight needed. Also, one person may have more than one set of oversight responsibilities. Where an institution lacks an oversight function, OSFI will look to other oversight functions for compensating controls to provide the type of continuous oversight expected. In the absence of other independent oversight functions or compensating controls, oversight would be expected to remain with Senior Management.
In smaller, less complex FRFIs, the independent review function or “assurance provider” (i.e., the role normally fulfilled by Internal Audit) could be an external consultant, such as a public accounting firm or consulting company.
- The revised definition of regulatory (compliance) risk includes not just laws, regulations and regulatory directives, but also prescribed practices.
- An RCM framework is defined as the “structures, processes and other key control elements through which a FRFI and its subsidiaries manage and mitigate regulatory compliance risk inherent in their activities enterprise-wide.”
- The first line of defence must now independently monitor and test compliance controls.
- The second line of defence must have a monitoring and testing methodology that is sufficiently consistent enterprise-wide and enables the aggregation of information across the enterprise where appropriate.
- The third line of defence must explicitly test both the first and second lines of defence with respect to the RCM framework, and have appropriate skills and knowledge to do so.
- Reporting needs to be reasonably verifiable with respect to the adequacy and effectiveness of RCM.
- Reporting on monitoring and testing results must be aggregated within and across areas of business activity pertinent to the RCM responsibilities of report recipients.
- Material RCM framework weakness must be defined in conjunction with the Board.
- Reporting from the CCO must include an opinion on the state of the RCM framework’s adequacy and effectiveness, and whether the FRFI is in compliance with applicable regulatory requirements, in addition to in camera sessions.
- The CCO should not be directly involved in a revenue-generating function or the management of any business line or product of the FRFI.
- The role of Internal Audit or other independent review function with respect to RCM has been described in much more detail, and its methodologies must be supplemented by “effective challenge and professional skepticism.”
- Smaller, less complex FRFIs are provided flexibility and guidance with respect to alternative structures for oversight functions and independent review functions.