Consultation draft proposed risk based supervisory framework

Overview – proposed guidance:

The proposed Risk Based Supervisory Framework (RBSF) Guidance sets out FSRA’s approach for supervision and risk assessment of Ontario Credit Unions and Caisses Populaires (CUs). Its primary focus is to determine the impacts of current and potential future events, both internal and external, on the risk profile of each CU, and drive FSRA’s allocation of supervision resources. It articulates FSRA’s practices and processes for determining a CU’s Overall Risk Rating (ORR) and level of FSRA’s supervisory activity under the Credit Unions and Caisses Populaires Act, 2020 (CUCPA 2020), supporting Regulations and FSRA Rules and Guidance.

The proposed Guidance includes three essential elements of FSRA’s RBSF: 

  • risk assessment process
  • risk management process 
  • supervisory process 

Outcome of consultation:

Based on the feedback received during the consultation period, FSRA has made the following amendment to the RBSF Guidance: 

  • Provided clarification that the RBSF uses a wide variety of approaches in its supervisory work which include targeted and thematic exams.

Feedback from the sector:

FSRA received five submissions with feedback on the proposed Guidance during the consultation period (December 13, 2021 to February 4, 2022). The submissions and comments are also available on FSRA’s website.

FSRA would like to thank all stakeholders who commented on the proposed Guidance. FSRA has carefully considered all comments before finalizing. 

Contributors:

The following stakeholders shared their perspectives with FSRA through the formal consultation: 

CU/Association

Representative(s)

  1. Canadian Credit Union Association (“CCUA”) 

Sabena Sandhu

  1. Desjardins Group (“Desjardins”) 

Bernard Brun

  1. The Institute of Internal Auditors (The IIA) 

Paul Forgues & Jeremy Picco

  1. Libro Credit Union (Libro)

Stephen Bolton & Janet Johnson

  1. Meridian Credit Union (“Meridian”) 

Sunny Sodhi

Subject

Stakeholders

Summary of Stakeholders’ Feedback

FSRA’s Response

Support for RBSF and Principles-Based Regulation (PBR)

  • CCUA
  • Desjardins 
  • The IIA
  • Libro
  • Meridian

Stakeholders were supportive of FSRA implementing a RBSF and pleased that it generally conforms to the non-prescriptive approach of PBR. 

FSRA would like to thank stakeholders for their support of the proposed RBSF and FSRA’s transition to PBR.

Burden Reduction

  • CCUA
  • Libro

Stakeholders commented that the guidance does not reduce current supervisory actions and examinations and could potentially lead to an increase in oversight and Deposit Insurance Reserve Fund (DIRF) premiums. Citing appendix C, stakeholders commented that no burden reduction is prescribed in cases where a credit union fully minimizes their residual risk and receives the lowest ORR. Stakeholders recommend that the supervisory outcomes, based on ORR, be amended so that the lower levels of risk include burden reduction measures, such as: 

 

  • reduced insurance premium assessments 
  • less frequent examinations 
  • reduced data reporting requirements

 

Further, stakeholders expressed some concern that larger credit unions would be regularly assessed as moderate to moderate-high categories based upon size alone and therefore subject to Level 2 “Early Warning” intervention which is characterized as requiring an improvement plan to return to Level 1.
Stakeholders also expressed concern that the RBSF would push for increased access to data at a more granular level and greater frequency, creating additional burden on CUs.

FSRA is adopting a principles-based and risk-based supervisory approach, under which FSRA will not prescribe the manner in which institutions achieve desired outcomes. It will be the responsibility of the regulated institution to achieve such outcomes in an effective manner that is most appropriate for the institution. In the short term, this may require that CUs make changes to their internal systems and procedures. However, we expect that it will lead to improved efficiencies in the mid- to long-term and result in better alignment between risk and level of supervisory activity. 

 

As stated in the guidance, FSRA will consider proportionality in the application of the RBSF. The level and extent of supervision will depend on the size, complexity, and risk profile of the CU, and the potential consequences of a CU’s failure. Where there are identified risks or areas of concern, the degree of intervention will be commensurate with the risk profile. CUs that are well managed relative to their risks will require less regulatory oversight. FSRA will have a higher level of supervisory engagement with larger and/or more complex CUs whose failure could materially impact the Ontario CU sector. As well, FSRA will have a higher level of supervisory engagement with CUs that are riskier.

 

Further, accurate and appropriate risk data is important for effectively implementing risk-based supervision and principles-based regulation. FSRA will consider proportionality in any new requests for data. FSRA has established a Technical Advisory Committee (TAC), composed of CU representatives, for Credit Union Data Strategy and Digital Transformation. FSRA has been engaging with this TAC to seek advice on enhancing regulatory efficiency and effectiveness through data, analytics, and digital technology. A subcommittee of this TAC has been established to provide more targeted input on appropriate data requirements.

ORR and the DIRF Premium Formula

  • CCUA
  • Desjardins
  • Libro
  • Meridian

Stakeholders questioned why the RBSF will factor into the calculation of deposit insurance premiums, without publicly setting out the DIRF formula. It was requested that the DIRF formula either be reflected in the guidance or be developed in consultation with the DIRF TAC. Further, they requested that once the DIRF formula is complete, it be made publicly available, detailing the interplay between the premium calculation and RBSF. 

 

Stakeholders suggested that it is difficult to comment on the impact of RBSF scores on deposit insurance premiums without knowing the DIRF premium calculation formula. Concerns were also raised with timeliness of adjustments to deposit insurance premiums when risk ratings are changed.

Consistent with risk-based deposit insurance premium frameworks that have been adopted in other jurisdictions, premiums will be reflective of the financial institution’s level of risk. The purpose of the RBSF guidance is not to determine how premiums will be calculated, but rather to assess the risk profile of individual CUs. The deposit insurance premium calculation formula is set out in regulations under the CUCPA 2020. Further, FSRA’s Differential Premium Score Determination (DPSD) document sets out additional details on the calculation of the various inputs into the statutory formula. Over the coming year, FSRA will consult with the sector on a proposal for a new differential premium score methodology, which will include input from the RBSF. After consultations are concluded, FSRA will finalize its proposal and work with the Ministry of Finance to propose any potential amendments to regulations. The deposit insurance premium calculation formula is publicly available in regulations under the CUCPA 2020 and FSRA’s DPSD document.

Dispute Resolution Mechanism

  • CCUA

It was requested by a stakeholder that FSRA adopt a process for resolving disputes over a CU’s ORR, and that such a process be impartial and independent of FSRA staff.

FSRA has implemented a system of internal checks and balances, including an internal multi-level quality assurance and review process that involves reviews beyond those conducted by the lead supervisory team (e.g., Relationship Managers and Examiners). This process also includes a panel composed of FSRA senior management that were not directly involved in the assessment (e.g., review, examination) process to ensure accurate and consistent assessments. After FSRA’s internal review process is complete, the ORR and Supervisory Letter (or Interim Supervisory Letter) will be shared with the CU. If a CU has an issue with its assessment or ORR it can arrange further discussion with FSRA, beyond the staff that have been directly involved in the assessment. Further, as an Ontario government agency, FSRA falls under the jurisdiction of the Ontario Ombudsman. If a CU has an issue that is not able to be resolved through FSRA’s internal process, the CU has the ability to file a complaint with the Ontario Ombudsman and request an independent investigation.

Assessment Consistency

  • CCUA
  • Desjardins
  • Libro

Stakeholders asked that measures be put in place to ensure that all CUs are assessed under the RBSF in a consistent manner. The perception was that with multiple Relationship Managers assigning risk ratings to CUs, there is a concern that non-uniformities in each Relationship Manager’s assessment processes will lead to inconsistent risk ratings. It was requested that FSRA periodically audit and/or perform cross-comparisons between Relationship Managers as appropriate to ensure consistency. Stakeholders also suggested assigning fixed terms to Relationship Managers to maintain stability and consistency in monitoring responsibilities. 


It was also requested that CUs should be provided with more specific information about what drives the various risk assessments (inherent, Quality of Controls and Oversight (QCO), capital, liquidity, resilience) in advance of examinations and as part of reporting outcomes.


Further it was suggested that transparency should be included as one of the supervisory standards or incorporated into the Relationship Management standard.

The RBSF guidance sets out FSRA’s supervisory processes for CUs. As part of this, the guidance indicates that risk assessments for all CUs will be subject to internal quality assurance and reviews to ensure ratings are consistent and accurately represent the risk profile of the CU.

 

FSRA’s principles-based, outcomes-focused and proportionate approach allows for flexibility to be applied when assessing CUs, depending on the specific characteristics of the individual institutions.

 

The ORR is not determined by the Relationship Manager; the assessment involves the input of many supervisors that collectively assess each CU and is subject to an internal review process which includes a panel review to ensure accuracy and consistency in application of the RBSF. Furthermore, it is part of FSRA’s mandate to promote transparency. In this respect, we will ensure that a CUs ORR, and an explanation of the evidence on which it is based, will be provided to the CU. CUs will also receive a supervisory letter that will provide further explanation. 

 

With respect to the comment about fixed terms for RMs, FSRA will continue to rotate RMs on a regular basis. This is best practice and keeps RMs from getting too comfortable and missing new issues. New perspectives every few years is good to ensure that the supervisory program is operating efficiently. 

Oversight Functions

  • CCUA
  • The IIA

Stakeholders asked for clarity on the role and reporting relationships of the oversight functions. Stakeholders stated that in practice, and in the Standards of Sound Business and Financial Practices (SBFP) Rule, the oversight function heads report to the CEO. However, the proposed RBSF guidance notes that FSRA will assess the extent to which oversight functions are independent from operational management and also ensure they have unfettered access and a functional reporting line to the Board or the appropriate committee. 


A stakeholder also asked for clarification of the definition of independence in relation to an entity’s internal oversight functions. The stakeholder stated that independence is traditionally reserved for the Internal Audit function which ideally has a direct reporting relationship to the Board. It was recommended that if the intention of the RBSF is to address the level of cross-functional autonomy between oversight functions, alternative terminology may help to clarify intent.

The RBSF and SBFP Rule were developed in alignment. FSRA’s SBFP Rule contemplates that the heads of oversight functions of a CU may have a direct day-to-day reporting relationship with the CEO, as long as they have direct and unfettered access to the Board or a suitable Board committee. 


The oversight functions of a CU do not necessarily need to be organizationally separate in order to ensure independence. Independence will be determined on a proportional basis, and if appropriate given the size, complexity and risk profile of the CU, a CU may not need all oversight functions (e.g., second line functions like Risk Management and Compliance) to be organizationally separate to be considered independent. However, in accordance with the new SBFP Rule, a CU may not combine the Internal Audit function with any other oversight function. 

Capital and Earnings

  • CCUA

A stakeholder expressed concern that FSRA will be combining capital and earnings by assessing capital adequacy of a CU on both current (e.g., at time of assessment) and forward-looking (e.g., how expected earnings would affect the capital position) time frames. The stakeholder stated that profitability trends and current/future earning capacity, while a key determinant in building and maintaining capital, also reflect a significant portion of a CU’s overall risk profile, separate from capital levels. It was recommended that profitability and earnings, while related to capital, should have greater recognition in the capital and earnings section of the guidance. 

As indicated in the guidance, assessing capital and earnings together enables better assessment of the CU’s capital adequacy and recognizes the key role that retained earnings plays in maintaining and building the capital base of CUs. 

Environmental, Social, and Governance (ESG) Risks

  • CCUA
  • Libro
  • Meridian

Stakeholders expressed concern with the incorporation of ESG risks and their effects on capital in the RBSF guidance. Stakeholders acknowledged the importance of considering ESG risks on capital, liquidity, and how it is applied to broader threats and opportunities but expressed that it is premature to introduce such provisions. It was recommended that FSRA consult on ESG separately from the RBSF guidance to ensure the sector is ready to take on these new considerations.

FSRA has included ESG-related risk in the RBSF framework, as it aligns with the principle of being forward-looking on risk assessment. 

 

We recognize that ESG is a new area of supervisory focus for CUs. The RBSF guidance does not set out any requirements for CUs with respect to the management of ESG risks. Upon implementation of the guidance, FSRA’s initial focus will be on creating awareness of this as an emerging risk. Some CUs have been assessing their operations from an ESG perspective for a number of years while not being as specific as including it in their ICAAPs. As both the sector and FSRA build expertise on ESG risks in the credit union context, we will work collaboratively to enhance our assessment processes. If we determine that it is appropriate to establish requirements relating to ESG in the future, FSRA will do so in consultation with the sector. 

Executing Supervisory Work
  • CCUA

A stakeholder commented on requirements for internal auditors to report on matters that arise from stress tests and environmental scanning, expressing concern that resources may be required to report directly to FSRA and bypass senior management at the CU.

The RBSF does not require that internal audit bypass senior management when providing reports to FSRA. We acknowledge that the internal audit report on stress tests and environmental scanning would be sent to the CU’s senior management.


Section 136 (1) of the CUCPA 2020 (“Extended Examination Required of Chief Executive Officer”), requires an auditor to conduct a special examination of a CU at FSRA’s request. FSRA would only use its authority under this section in situations where the severity of the concern warrants such an action. 

Controls and oversight assessment

  • CCUA

A stakeholder requested that FSRA add the following to the essential elements that will be assessed for controls and oversight:

 

  • Board of Directors - Add Board Policies and Strategic Business Plan
  • Senior Management - Add Operational and Capital Budgets and Management Policies and Procedures

 

It was also recommended that the guidance rely on a review of a CU’s Enterprise Risk Management (ERM) program as a primary source and input to the RBSF risk assessment process. A CU’s ERM activities already include considerations to reporting, mitigation efforts, risk appetite statement, etc.

A CU’s ERM will be considered and used in the assessment of its overall risk profile under the RBSF, including but not limited to the assessment of QCOs. Although we consider a CU’s ERM to be an important part of the assessment, it is important to recognize that it is only one of a number of elements that will be considered in the full review/assessment process.

Three Lines of Defence

  • CCUA

A stakeholder asked to include the ‘three lines of defence’ concept in the proposed framework citing that it will create alignment with the Office of the Superintendent of Financial Institutions (OSFI) and improve accountability.

The proposed RBSF guidance incorporates the concept of the three lines of defence with reference to Operational Management (first line of defence), Risk Management and Compliance oversight functions (second line of defence), and Internal Audit (third line of defence). In this respect, FSRA’s proposed RBSF guidance aligns with other Canadian jurisdictions’ supervisory frameworks.

Inherent Risks

  • Desjardins
  • The IIA

Stakeholders asked for clarity on the definition of inherent risks. Specifically, they asked if known events would be implicitly considered in the assessment of inherent risks. It was also requested that FSRA include a reference to risk tolerance or risk appetite to further clarify expectations for effective CU risk management and mitigation. 

Under the RBSF, known events will be considered in the assessment of inherent risk. Further, risk mitigation, risk tolerance/risk appetite limits are assessed in the QCO part of the RBSF, while inherent risk is assessed before consideration of risk mitigation. The RBSF will assess the current risk in the context of potential future risk.


The new SBFP Rule includes reference to “an enterprise-wide risk appetite framework” as an important part of a CU’s risk management function that will be assessed in the RBSF.

Residual Risks

  • IIA

A stakeholder suggested that the wording in the Guidance stating that the "level of residual risk is considered prudent”, was vague and subjective and encouraged FSRA to consider including reference to risk tolerance or risk appetite to further clarify expectations.

FSRA appreciates the suggestion and will clarify the wording in the “Residual Risk” section of the Guidance to indicate that, in accordance with prudent risk management practices, we will be assessing the extent to which residual risks are appropriate for the institution.

FSRA’s Supervision

  • Desjardins 
  • Libro

A stakeholder asked for clarification on whether supervisory work will be consistent across FSRA, citing that the Market Conduct Framework guidance references three types of examinations: comprehensive examinations, targeted examinations, and thematic examinations. However, in subsection 2 of the RBSF, titled “Executing supervisory work”, targeted and thematic examinations are omitted.

 

Further, a stakeholder inquired if FSRA will be developing an annual supervisory strategy for each CU and whether this strategy will be made available to the CU on an annual basis. As well, it was asked if CUs will receive individual and sector data relating to FSRA’s monitoring activities. 

The RBSF is an integrated framework which incorporates both market conduct and prudential supervisory processes and practices. RBSF uses a wide variety of approaches in its supervisory work which include targeted and thematic exams, similar to those outlined in the market conduct framework. CUs will get notification of the planned areas of focus for supervisory work over the coming year. In addition, FSRA intends to continue publishing the quarterly Sector Outlook Report and will from time to time communicate broadly on emerging risk trends.

Reporting and Communications to CUs

  • Desjardins 
  • The IIA

Stakeholders requested that FSRA identify clear expectations regarding the deadlines assigned to each communication e.g., for the production (FSRA) and the response (CU), as well as the details of the intended recipients of the supervisory letters or reports, i.e., the Board of Directors, senior managers, external or internal auditors, etc.

 

Stakeholders also encouraged FSRA to standardize its inspection processes and templates. Consistency in the inspection process and content of supervisory letters will help to enhance the transparency and effectiveness of processes.  

Consistent processes and procedures will be established as part of FSRA’s supervisory work. 

 

Standard internal supervisory processes will be used under the RBSF in a manner consistent with a risk-based approach to supervision. However, FSRA will generally not apply a prescriptive approach that relies on checklists or arbitrary thresholds in its supervision. Individual CUs will receive supervisory letters that provide details for and the basis of FSRA’s assessments and ORR

Effective date and Timeline

  • Desjardins

A stakeholder requested that FSRA produce a clear timeline for the effective date of the RBSF so the sector can prepare for its new obligations.

As noted in FSRA’s 2022-23 Statement of Priorities, we will be beginning to assess CUs under the new RBSF at the start of the 2022-23 fiscal year (April 1, 2022).


The RBSF is approach guidance that sets forth processes and procedures for assessing CU risk. It does not introduce new compliance obligations. 

Risk Matrix

  • Desjardins

It was recommended by a stakeholder that FSRA add a glossary that includes definitions and explanations (e.g., the definitions of the categories used in the risk matrix, similar to OSFI's Supervisory Framework). They believe this would facilitate the understanding of each of the criteria and align with other regulatory peers.

FSRA is committed to a principles-based approach to supervision. Including prescriptive detail in a glossary would limit flexibility in applying the guidance and be contrary to a principles-based approach. The risk matrix contained in the guidance provides appropriate flexibility for a principles-based supervisory approach.