May 5, 2014
On April 30, 2014, the Office of the Superintendent of Financial Institutions (OSFI) issued for comment a revised draft Guideline E-13 (renamed Regulatory Compliance Management [RCM], formerly Legislative Compliance Management [LCM]), representing the first update to the Guideline in eleven years. An update was deemed necessary to bring the Guideline into alignment with the revised Supervisory Framework, Corporate Governance Guideline, draft Operational Risk Guideline and other international guidance. Additionally, OSFI stated that it has, over the years, identified a number of issues within Federally Regulated Financial Institutions (FRFIs) that it believes would be well served by additional and clarified guidance. The draft Guideline is out for industry comment until June 20, 2014. This Financial Services Flash Report highlights the proposed key updates to the Guideline.
Broadening of the Definition of Regulatory Risk
In previous LCM guidance, “regulatory risk” was defined as the “risk of non-compliance with applicable regulatory requirements.” For the purposes of the LCM Guideline, “applicable regulatory requirements” were defined to include those in:
- The FRFI’s governing federal legislation, regulations and regulatory directives, and
- Other legislation, regulations and regulatory directives applicable to the activities of the FRFI or its subsidiaries worldwide.
In the draft RCM Guideline, the term now used is “regulatory compliance risk,” which is the risk that arises from an FRFI’s potential nonconformance with laws, rules, regulations, prescribed practices or ethical standards in any jurisdiction in which it operates. “Regulatory requirements” are defined as provisions in legislation, regulations or regulatory directives (i.e., rules, guidelines, expectations and guidance issued by responsible regulators) applicable to the FRFI or a subsidiary worldwide that require the FRFI to do (or prohibit it from doing) certain things, or to act or conduct its affairs in a particular manner.
The distinction between “Governing” and “Other” legislation has been removed, which renders all legislation of equal status. In addition, the definition of regulatory compliance risk now covers not only laws, regulations and regulatory directives, but also prescribed practices and ethical standards.
The RCM Framework
An RCM framework is defined in the draft Guideline as the “structures, processes and other key control elements through which a FRFI and its subsidiaries manage and mitigate regulatory compliance risk inherent in their activities enterprise-wide.”
The following compares the key components of the LCM Framework with those of the updated RCM Framework:
- Operational management (day-to-day controls for regulatory compliance risk)
- Ongoing enterprise-wide oversight of day-to-day compliance controls
- Internal audit or other independent review function
- Independent oversight
- Procedures for identifying, risk assessing, communicating, managing and mitigating regulatory compliance risk and maintaining knowledge of applicable regulatory requirements
- Day-to-day compliance procedures
- Independent monitoring and testing procedures
- Internal reporting
- Reporting procedures
- Compliance reports to senior management and the board or committee(s) of the board
- Internal audit or other independent review function reports to senior management and the board or committee(s) of the board
- Adequate documentation
- Identification, assessment, communication and maintenance of applicable regulatory requirements
- Compliance procedures
- Monitoring procedures
- Reporting procedures
- Compliance oversight function reports to the board of directors
- Internal audit or other independent review function reports to the board
- Regular review and improvement
The FRFI is expected to administer the key control elements through a methodology that establishes clear lines of responsibility and a mechanism for holding individuals accountable.
First Line of Defence Responsibilities
The draft RCM Guideline clarifies that there are two levels of compliance control, supplemented by a third line of defence. The first level of control resides with operational management in the first line of defence. Operational management for a given business activity is primarily responsible for those controls used to manage all the regulatory compliance risks within an activity on a day-to-day basis.
The Guideline clarifies that operational management is responsible for ensuring that FRFI line staff clearly understand the regulatory compliance risks posed by their activity and how those risks must be managed, and that the policies, procedures and resources are sufficient and effective in managing those risks. Additionally, it reinforces that senior management is responsible for ensuring that the RCM framework is implemented.
It clarifies that day-to-day compliance procedures should include monitoring and testing of the adequacy of, adherence to and effectiveness of compliance procedures in business operations. This replaces previous expectations for monitoring and reporting procedures. This is an explicitly new requirement for testing in the first line of defence.
Second Line of Defence Responsibilities
The draft RCM Guideline reiterates the need for ongoing enterprise-wide oversight of day-to-day compliance controls by individuals or oversight functions that are independent of the activities they oversee (e.g., a compliance oversight function), led by a chief compliance officer (CCO).
It also clarifies that the adequacy of, effectiveness of and adherence to day-to-day compliance procedures, including day-to-day monitoring and testing procedures, should be independently monitored and tested by the CCO and other oversight functions as appropriate on an ongoing basis using a risk-based approach.
Where appropriate, the monitoring and testing methodology should be sufficiently consistent enterprise-wide so that it enables aggregation of information to identify any patterns, themes or trending in compliance controls that may indicate weaknesses. However, it is not clear what “where appropriate” means. Verification of key elements of pertinent information used in key reports, including CCO reports to senior management and the board, should be included as part of the monitoring and testing program.
Third Line of Defence Responsibilities
Internal audit or another independent review function is expected to validate the effectiveness of and adherence to the RCM Framework enterprise-wide through risk-based testing on a rotational or other regular basis. This includes testing of both the operational and the independent oversight levels of compliance controls. The Guideline also states that auditors or reviewers responsible for this third line of defence review must have the appropriate skills and knowledge of the business and regulatory environment to conduct the reviews.
Reporting procedures now require that “reasonably verifiable” information about RCM adequacy and effectiveness be communicated on a timely basis to “individuals with RCM responsibilities.” Previously, reporting was focused on senior management and the board, and there was no requirement for “verifiability” of information. Additionally, there is now a requirement for aggregation of monitoring and testing results within and across areas of business activity pertinent to the RCM responsibilities of report recipients.
With respect to the CCO reporting to senior management and the board, the draft RCM Guideline provides additional guidance as to what is expected:
- Reports should cover the results of enterprise-wide compliance oversight, including
- Material RCM framework weakness
- Instances of material noncompliance
- Material exposures to regulatory compliance risk
- Related remedial action plans
It’s important to note that the definition of “materiality” needs to be established in conjunction with the board. Reports should provide an objective view on whether the FRFI is operating within the RCM framework and identify problems or issues to senior management and the board, as appropriate.
The CCO should provide an “opinion” to the board on a regular basis, and at least annually, on the adequacy and effectiveness of the RCM framework, and on whether, based on the monitoring and testing performed by the compliance oversight function, the FRFI is in compliance with applicable regulatory requirements. The opinion should be supported by sufficient pertinent information that is verified or reasonably verifiable. The CCO should meet with the board on a regular basis, including, as appropriate, in camera meetings.
Role of the Chief Compliance Officer
As in the original LCM Guideline, overall responsibility for compliance should be assigned to a member of senior management who should be designated, at least functionally, as the FRFI’s CCO. The draft Guideline clarifies that the CCO should not be directly involved in a revenue-generating function or in the management of any business line or product of the FRFI.
Role of Internal Audit or Other Independent Review Function
The role of internal audit or other independent review function has been described in much more detail. The scope of the work undertaken should include:
- Consideration of the reliability of the RCM framework
- Management’s identification of material regulatory compliance risks and their corresponding controls
- The accuracy of reporting on compliance to senior management and the board
- An assessment of how effectively the compliance oversight function fulfills its responsibilities
Internal audit or other independent review function methodologies need to be supplemented by “effective challenge” and an attitude of “professional skepticism” by internal auditors. Like the CCO’s reports to the board, internal audit or other independent review reports should contain sufficient pertinent information to facilitate the board’s oversight of the RCM framework’s adequacy and effectiveness, while maintaining their independence. These reports should assist the board in assessing the reliability of the RCM assurances provided to the board by the CCO and senior management.
Smaller, Less Complex FRFIs – Oversight Functions and Independent Review Functions
Flexibility is provided to smaller, less complex FRFIs when it comes to the oversight and independent review functions. OSFI states that the presence and nature of oversight functions are expected to vary based on the nature, size and complexity of the FRFI and its inherent risks. Where the FRFI lacks some of the oversight functions, or where an oversight function is not sufficiently independent or does not have enterprise-wide responsibility, OSFI expects other functions, within or external to the FRFI, to provide the independent oversight needed. Also, one person may have more than one set of oversight responsibilities. Where an institution lacks an oversight function, OSFI will look to other oversight functions for compensating controls to provide the type of continuous oversight expected. In the absence of other independent oversight functions or compensating controls, oversight would be expected to remain with senior management. In smaller, less complex FRFIs, the independent review function or “assurance provider” (i.e., the role normally fulfilled by internal audit) could be an external consultant such as a public accounting firm, consulting company, legal firm, security organization, or an internal audit department of a third-party service provider.
- The definition of regulatory (compliance) risk has been broadened to include prescribed guidance and ethical standards.
- An RCM framework is defined as the “structures, processes and other key control elements through which a FRFI and its subsidiaries manage and mitigate regulatory compliance risk inherent in their activities enterprise-wide.”
- The first line of defence must now monitor and test compliance controls.
- The second line of defence must now have a monitoring and testing methodology that is sufficiently consistent enterprise-wide and enables the aggregation of information across the enterprise where appropriate.
- The third line of defence must explicitly test both the first and second lines of defence with respect to the RCM framework, and have appropriate skills and knowledge to do so.
- Reporting needs to be reasonably verifiable with respect to the adequacy and effectiveness of RCM.
- Reporting on monitoring and testing results must be aggregated within and across areas of business activity pertinent to the RCM responsibilities of report recipients.
- Material RCM framework weakness must be defined in conjunction with the board.
- Reporting from the CCO must include an opinion on the state of the RCM framework’s adequacy and effectiveness, and whether the FRFI is in compliance with applicable regulatory requirements, in addition to in camera sessions.
- The CCO should not be directly involved in a revenue-generating function or the management of any business line or product of the FRFI.
- The role of internal audit or other independent review function with respect to RCM has been described in much more detail, and its methodologies must be supplemented by “effective challenge” and “professional skepticism.”
- Smaller, less complex FRFIs are provided flexibility and guidance with respect to alternative structures for oversight functions and independent review functions.