This guidance1 provides FSRA’s:
- Interpretation of the requirements under Section B of By-Law No. 5 - Standards of Sound Business and Financial Practices (By-Law No. 5)2 and 144(2) of the Credit Union and Caisses Populaires Act, 1994 (the Act), as requiring that all Ontario Credit Unions’ and Caisses Populaires’ (CUs’) risk management policies to include recovery plans; and
- Approach for assessing the adherence by CUs to the principles identified in this Interpretation set out in this guidance, in their recovery plans.
The Approach section of this guidance does not prescribe compliance requirements for Ontario CUs. Rather, it is intended to define the processes and practices that FSRA will follow when exercising supervisory action or when exercising its discretion under the Act.3 The Interpretation section of this guidance sets out FSRA’s view of requirements under the Act to identify where non-compliance can lead to supervisory action and potentially enforcement sanctions. This may include requiring remediation and reporting by the CU, and/or issuing orders, and in extreme cases, placing the CU under supervision or administration in accordance with the provisions of the Act.
FSRA considers the principle of proportionality in determining how to apply the Interpretation set out in this guidance, based on the the structure, size, complexity and risk profile of the CU, and the potential consequences of the CU’s non-compliance.
This Interpretation and Approach guidance affects the following entities regulated by FSRA:
- Credit Unions and Caisses Populaires incorporated under the Act.
This guidance complements the information provided in, and should be read in conjunction with, other FRSA guidance and supporting publications available on FSRA’s website (www.fsrao.ca).
Rationale and background
Members of the Board and Senior Management of a CU have a fiduciary duty to the CU and are subject to a standard of care both of which necessitates that they plan for adverse scenarios and to that end, ensure that contingencies are developed to recover from such adversity. A failure to do so could amount to a breach of their fiduciary duty and/or the standard of care, which can give rise to civil and regulatory liability of the members of the Board and Senior Management of a CU. Recovery planning is thus a means through which the Board and Senior Management of a CU can demonstrate responsible and prudent oversight and management of a CU . A CU that can recover from adversity will be safer for its members, depositors and customers and is less likely to experience disruptions in core services. It will also enhance the crisis preparedness and resiliency overall of the CU sector, which aligns with FSRA’s statutory objectives to protect deposits held by members of CUs and to contribute to the stability of the sector in Ontario.
The Interpretation section of this guidance outlines FSRA’s principles for recovery planning including underwriting practices, risk controls, and oversight practices at CUs. This guidance also supplements other FSRA by-laws, rules, and guidance, and should be read and interpreted in conjunction with other FSRA guidance, rules and applicable provisions of the Act and Ontario Regulation 237/09 (the Regulation).
The Approach section of this guidance describes how FSRA will assess CUs’ adherence to the principles set out in the Interpretation section.
This Guidance promotes high standards of business conduct specifically for CUs and the stability of the CU sector in Ontario in general. These outcomes are consistent with a number of FSRA’s statutory objects, as set out in the Financial Services Regulatory Authority of Ontario Act, 2016 (the FSRA Act)4 ,:
- to promote high standards of business conduct;
- to foster strong, sustainable, competitive, and innovative financial services sectors;
- to promote and otherwise contribute to the stability of the credit union sector in Ontario with due regard to the need to allow credit unions to compete effectively while taking reasonable risks: and
- to pursue the objects for the benefit of persons having deposits with credit unions and in such manner as will minimize the exposure of the Deposit Insurance Reserve Fund to loss.
The purpose of recovery planning is to enhance crisis preparedness and resiliency of the individual CU and the CU system. This will facilitate protection of deposits held by members of CUs and contribute to the stability of the CU sector in Ontario.
Adherence to the principles identified in the Interpretation part of this guidance is a course of conduct that is in the best interest of the CU and its members. It also demonstrates the degree of care, diligence and skill that a prudent person would exercise in comparable circumstances. Hence, effective adherence to the principles in this Interpretation guidance would demonstrate how powers and duties should be exercised and discharged by each director, officer or committee members of a CU under s. 144(1) of the Act. Effective adherence to these principles would satisfy the care, skill and diligence that each director, officer or committee member of a CU must exercise pursuant to s. 144(2) of the Act.
Section B of By-Law No. 5 also requires that CUs “develop and implement appropriate and prudent risk management policies.” With respect to operational risk management, one of the fundamental elements that CUs should address in their policies includes, “disaster recovery and business continuity plans.” Effective adherence to the principles identified in the Interpretation portion of this guidance would reflect the types of prudent planning that a CU should engage in to address the continuity of its business during periods of severe stress.
Therefore, to the extent that a CU does not implement and maintain recovery planning consistent with FSRA’s Interpretation of the requirements under the Act and of By-Law No. 5, this may lead to supervisory action or enforcement sanction by FSRA against the CU, its Board or Senior Management. This may include requiring remediation and reporting, and/or issuing orders and in extreme cases, placing the CU under supervision or administration.
FSRA will monitor adherence to these principles and requirements as part of its supervisory approach, as outlined in the Approach section of this guidance below.
FSRA’s supervision, and any required, enforcement activities, will be carried out under the relevant provisions of the Act and its general authority under the FSRA Act.
FSRA has identified the following principles for effective recovery planning as a function of its Interpretation in the above noted requirements of By-Law No. 5 and under the Act. FSRA will apply these principles to assess a CU’s recovery planning in order to determine whether the requirements of By-Law No. 5 and under the Act are satisfied as they relate to recovery planning by a CU.
Principles of recovery planning
1. Effective Recovery Plan Development and Implementation: The CU, through its Board and Senior Management, should create a recovery plan to prepare the CU to manage adversity.
Each officer and director of a CU has an obligation to ensure that the CU is in a constant state of readiness to manage adversity. The development of a credible recovery plan that identify feasible options to survive a range of severe but plausible stress scenarios help to ensure this state of readiness. The CU’s recovery plan should include recovery policies and practices and set out a clear course of action for Senior Management to follow in the face of an adverse situation. This will include early warning indicators and triggers in place to identify the emergence of stress scenarios. The recovery plan should be based on best available information,should be regularly updated, address potential uncertainty, and be capable of implementation in a timely manner.
2. Transparent Governance: The CU, through its Board and Senior Management, should evaluate risks in adverse scenarios and prepare to implement identified actions, if necessary.
Senior Management should periodically evaluate risks in adverse scenarios and develop and prepare to implement identified actions through appropriate documentation in response to such risks/scenarios. A CU should be able to identify and act on risks as they develop. A robust recovery plan process ( with effective challenge, documentation, practising and pre-planning) will allow for ease of implementation when those circumstances develop. These activities should be undertaken by different levels of the CU, including the Board and Senior Management and the CU’s records, including the Board meeting minutes, should properly evidence this process.
3. Periodic Reassessment: The recovery plan should be periodically reassessed to ensure it is up to date with current information.
A regular cadence should be established for re-assessing recovery planning and identifying clear triggers that require an immediate refreshing with current information. For example, when adding or exiting a business, or responding to an external development.
4. Proportionality: Recovery Plans should be developed based on the structure, size, complexity, and risk profile of a CU.
A CU recovery plan should be tailored to the structure, size, complexity, and risk profile of the institution.
Approach - Processes and Practices
FSRA has developed this Approach to define the practices and procedures that it will employ when assessing the CU’s adherence with the Interpretation of By-Law No. 5 and the Act identified in the Interpretation section of this guidance.
The purpose of the recovery plan is ultimately to serve as a ‘playbook’ for both the CU (Senior Management and the Board) and FSRA in times of financial stress. A recovery plan should be tailored to the structure, size, complexity, and risk profile of the CU. FSRA has identified articulated the following essential elements to outline how FSRA will approach the assessment of a CU’s recovery plan processes (e.g. development, challenge, implementation, and monitoring) and outputs (e.g. recovery plan documentation).
A. Institutional analysis
A recovery plan should specify sufficient information about the institution to provide a basis for planning and analysis. A recovery plan should incorporate existing materials which exist for other management purposes by reference . This includes materials such as the Board package prepared for new directors and managers to understand the CU’s legal, organizational and business structure, its businesses and support functions, sources of risk and profitability (including liquidity and exposures to credit loss) and external and internal dependencies.
A key component of the recovery plan is the identification of the core businesses that are fundamental to the CU’s viability. Doing so ensures all individuals necessary to the successful execution of the recovery plan understand those businesses required to be preserved to ensure the surviving entity is a stable and functioning financial institution. The recovery plan should identify the basis used to determine the CU’s core businesses. The key functions and services necessary to maintain those core businesses should also be identified.
The recovery plan should clearly identify any external stakeholder relationships that may be impacted by the divestiture of non-core businesses or other recovery actions. This includes any dependencies the CU has on third-party information technology providers or other vendors that have contractual clauses which may grant a unilateral option to terminate their contract with the CU in the event of the CU’s deteriorating financial condition or other similar circumstances. It should also explain what special arrangements the CU would need to make to these contracts to ensure:
- that the underlying products and services remain available throughout the event,
- what the additional costs may be
- how the payments would be authorized, triggered and funded.
B. Key measures and associated triggers
A recovery plan is one that is CU-specific and identifies material and existential risks, where such risks may include but are not limited to:
- credit risk
- concentration risk
- market risk
- liquidity risk
- contagion risk
- securitization risk
- operational risk
- other risks (e.g., strategic, reputation, legal)
The impact of these risks can typically be measured by metrics that describe:
- required and available regulatory capital;
- asset and liability composition and valuation;
- level of impaired assets and write-offs;
- operational profit and loss; and
- liquidity and funding gaps.
A recovery plan should specify a series of specific qualitative and quantitative measures that serve as early warning indicators (the metrics). These metrics will allow a CU to monitor its risk exposures along a continuum of severe stress events.
Triggers for recovery planning should be incorporated into the CU’s overall risk management frameworks. Recovery triggers should be aligned with (but not be limited to) existing triggers for liquidity or capital contingency plans, early warning indicators and the CU’s risk appetite.
Triggers should be measurable, reasonable, well-defined, and calibrated to allow enough time for the CU to respond when triggering event(s) activates its recovery plan. Such triggers will enable CUs to maintain or restore financial strength and viability before regulatory authorities see the need to intervene.
The number and combination of quantitative and qualitative triggers may vary by CU. The triggers should be tailored to a CU’s structure, size, complexity, and risk profile. Where possible, triggers should be predominantly quantitative and focused on CU-specific liquidity and capital measures.
Recovery plans describe the process to follow upon any breach of the triggers, causing activation of the recovery plan. This includes escalation to the CU’s Senior Management or its Board and the decision-making process once those individuals have been informed.
C. Recovery options
A CU should be prepared to take increasingly aggressive actions in response to any deterioration of the key measures. FSRA will review the recovery plan to see that it identifies key vulnerabilities, by risk area, the key measures that will reveal such risk as manifesting itself (and appropriate triggers by such measures) and the CU has identified responses that can be taken as such risk arises. An example of how a summary of such information could be portrayed and organized is shown in Appendix A.
The recovery plan should specify a menu of recovery options. Certain risk mitigating responses like those identified in Appendix A might have already been taken by senior management before the activation of the recovery plan. The recovery plan should therefore identity options under high stress severity that could threaten the viability of the CU.
The recovery plan should identify the priority of the recovery options based on factors including but not limited to: the options' overall impact on the CU’s financial condition, time and ease of execution, and potential negative impact on confidence and/or reputation. FSRA will review the recovery plans to see that they clearly identify recovery options, financial impacts/concerns and implementation issues. Appendix B provides a sample table as an illustration of how a summary of the recovery options could be prepared.
The recovery plan should detail how the potential proceeds from the recovery options would be allocated to meet its obligations as they come due throughout the recovery event. A recovery plan must also consider how these proceeds will impact the CU’s balance sheet, capital ratios and liquidity profile.
Recovery options should be reliable, timely, and comply with applicable laws, regulatory and other operational requirements. There should be a high degree of confidence that the CU would be able to implement the outlined recovery options during extreme stress events. The recovery plan should clearly outline the credit union’s operational readiness and outline how the recovery options would be executed. The costs (e.g. discounts on asset sales), and time to execute the recovery options should be considered, as should the extent to which the identified recovery options are mutually exclusive and/or dependent. If there are any regulatory approvals required, they should be identified and the anticipated timeline for such approvals should be described.
The recovery plan should describe the impact of executing these options on both the short-term market confidence in the CU and the long-term viability of its business model. The recovery plan should describe how the CU would look post-recovery, assuming the successful implementation of a recovery option (e.g. potentially fewer business lines, different management or organizational structure).
D. Scenario analysis
The recovery plan should be informed by stress testing and scenario analysis. The recovery plan should test whether recovery actions will be sufficient to recover from the manifested risks arising from a certain stress scenario as the backdrop.
As described in the Stress Testing Guidance and the Guidance Note: Internal Capital Adequacy Assessment Process (ICAAP) – For Credit Unions with Total Assets Greater than $500 Million, FSRA will review whether the CU uses its stress testing to challenge its recovery plan and incorporate learnings from its stress testing in its recovery plan. Each CU is required to include certain stress tests in its ICAAP analysis, including a (reverse stress test) scenario that in management’s view would likely cause a breach of minimum regulatory capital requirements.
A recovery plan should consider plausible idiosyncratic and systemic stresses that could affect the CU and require it to invoke its recovery plan. Some examples of the types of stresses that CU leaders could consider to inform and evaluate its recovery plan are:
- a severe but plausible idiosyncratic stress scenario that captures considerations involving a series of CU-specific credit, market, and operational events (e.g. cyber/operational risk issues, loan losses where the CU’s loss has substantially exceeded its peers, reputational risk issues that negatively impact funding and liquidity);
- a severe but plausible systemic stress scenario that captures systemic conditions (e.g. an interest rate shock, an economic downturn with projected losses, additional funding costs as a result of lack of securitization opportunities under tightening credit conditions, natural disasters and pandemic); and
- a blended idiosyncratic and systemic scenario (e.g. a combination of events from the idiosyncratic scenario and systemic scenario under different severities).
Recovery planning necessitates a comprehensive analysis of the link between capital and liquidity since recovery actions aimed at improving liquidity may have a negative impact on capital, and vice versa.
Recovery plans for large and complex CUs (for example, those with multiple business lines and/or subsidiaries) should illustrate through financial projections how the assumed stress events and execution of recovery options will change the capital, liquidity, and other key financial metrics over time.
A recovery plan’s capital analysis should include an assessment of current and potential allocations of capital needs and losses associated with each of the scenarios and outline some immediate steps to conserve capital and limit outlays.
Liquidity analysis in a recovery plan should likewise include an assessment of inflows and outflows in different time buckets. The analysis should also identify situations where there are multiple approaches to obtaining liquidity from the same assets and ensure that the recovery options do not rely on conflicting approaches.
E. Framework and governance
A recovery plan should articulate how decisions will be made by key members (CEO, CFO, CRO) of Senior Management if different risks manifest themselves in a way that engages one or more triggers. A recovery plan should describe the process for Board oversight and Senior Management accountability and be in accordance with the pre-determined existing reporting and control processes and structures.
A recovery plan should include a communication plan (or plans) to inform internal and external stakeholders (including regulators such as FSRA and members of the CU), for every risk that triggers an action. The plan should ensure that communication patterns and substantive approaches are known in advance to allow for timely notification to all relevant stakeholders. If a separate communication plan is not required, the recovery plan should at least describe the persons responsible for communications, the actions that need to be taken as well as the timing, process and substance of each communication required.
F. Information management
FSRA will consider whether there are documented and implemented processes for CU management to monitor and report, and for the Board to oversee the key metrics identified in the recovery plan. This reporting could be done through a dashboard shared with the Board or other means that allow it to be integrated with parts of the risk reporting/appetite framework. These reports should be produced with a frequency and timeliness that allows for the data about the key metrics to be known by the CU they trigger an action under the CU’s recovery plan. Based on the current data aggregation and reporting procedures, a recovery plan assesses the gaps in data that would be available to the CU during recovery. The recovery plan should then outline a strategy to overcome such gaps proactively, prior to the invocation of the recovery plan.
Decision makers need to rely on information to make informed decision in stress (e.g. revised valuation of assets, updated amount of loan loss, daily deposit withdrawal pattern). The CU’s recovery plan should clearly articulate data capabilities, challenges, and remedial actions.
G. Implementation plan
The recovery plan is an overlay that cuts across key policies, processes, and frameworks and, when triggers are activated, takes precedence. Potential impediments or obstructions to the successful execution of the recovery options should be outlined. For example, selling some certain assets of the CU may pose unacceptably high reputational risks. FRSA will consider whether risk mitigation, remedial actions, and effective challenge have taken place by reviewing documentation of these processes and actions. Insufficient descriptions may result in the recovery plan deemed not credible.
Submission Frequency and Assessment Considerations
FSRA expects to review a CU’s recovery plan in accordance with the following list. For CU with total assets of:
- greater than $4 billion - once per year
- between $500 million and $4 billion - once per year
- between $100 million and $500 million - once every two years
- less than $100 million - once every two years
FSRA will evaluate recovery plans and related processes and may ask questions and identify potential shortcomings or concerns.
A recovery plan should identify the streams and types of risks that need to be addressed, with a series of actions identified to address those risks. Any recovery plan that fails to identify a material risks, or to provide a series of escalating credible responses to those risks will need to be amended.
The development of an effective recovery plan is an iterative process that requires significant interactions between the CU senior management and its Board, with Senior Management having the responsibility to improve the plan, address self-identified gaps and issues, and address concerns raised by FSRA. FSRA expects incremental improvements with each iteration of the recovery plan. The plan should be periodically reviewed and refined by the CU to ensure that it remains relevant given changing conditions within the CU and in the broader financial environment.
FSRA’s assessment will determine whether the CU is required to immediately address deficiencies in the subsequent draft to be submitted within a specified timeframe or if further enhancements and refinements can be addressed as part of the next scheduled review.
If FSRA requires re-submission before the next scheduled filing, the plan should be amended and include explanations to address FSRA’s concerns when resubmitted.
Effective date and future review
This guidance will be effective as of July 5, 2021. However, credit unions will have a transition period during which they will be required to develop credible recovery plans to be submitted to FSRA by January 13, 2023. In order to provide credit unions with an opportunity to receive feedback as they develop their recovery plans during the transition period, FSRA will require that credit unions provide an interim submission detailing the key components of their recovery plans by January 14, 2022. FSRA will also consider proportionality in the application of the requirements.
This Guidance will be reviewed on or before July 5, 2026.
About this guidance
This document is consistent with FSRA’s Guidance Framework. As Interpretation guidance, it sets out FSRA’s view of requirements under its legislative mandate (i.e. legislation, regulations and rules) so that non-compliance can lead to enforcement or supervisory action. While as Approach guidance, it describes FSRA’s internal principles, processes and practices for supervisory action and application of CEO discretion where applicable.
Appendix A – Risk mitigating responses
The following table provides a sample format for documenting the details of potential vulnerabilities and risk mitigating responses to address these vulnerabilities. The table is for illustrative purposes only and each credit union can develop their own format to document the details in their recovery plan.
|Vulnerabilities||Risk area||Key measures||Potential responses taken to address vulnerabilities|
|Over exposure to high risk, high RWA assets||Credit risk
|Risk-based capital ratio||Reduce and/or restructure risky loans.|
|Suboptimal use of balance sheet||Multiple risk areas (Credit risk, Market risk, Interest rate risk, etc.)||Leverage ratio||Optimize asset portfolio by changing and realigning asset mix; de-risk institution|
|Asset quality deterioration causing capital erosion||Credit risk, Market risk, etc.||Level of impaired assets and write-offs; Risk-based capital ratio Leverage ratio||Increase loan loss provision; build reserve allowances; raise capital through investment shares; reduce dividends; curtail expenses|
|Inadequate availability and access to liquid assets and various sources of funding||Liquidity risk||LCR, NCCF, NSFR||Increase quantity and quality of liquid assets; diversify funding source|
|Cyber attack||Operational risk||Profit and loss||Enhance IT system security, control and oversight|
|Below plan new business volume and increased loan provisioning in a business line||Strategic risk||Level of impaired assets and write-offs; ROAA Risk-based capital ratio||Exit business line; sell non-core assets|
|Low interest rate environment||Interest rate risk||Net Interest Income||Study interest rate trends, projections and behaviour; adjust interest cost of deposits as well as lending rates and time horizon.|
Appendix B – Recovery options upon activation of recovery plan
The following table provides a sample format for documenting the financial impacts/concerns and implementation issues associated with various potential recovery options. The table is for illustrative purposes only and each credit union can develop their own format to document the details in their recovery plan.
Recovery Options to be executed for Scenario Name:
|Recovery Option||Capital Impact (in $)||Liquidity Impact (in $)||Other Impact (franchise value, reputation issues, etc.)||RWA Impact (in $)||Timing to realization of benefits (days/months)||Operational readiness (H/M/L)||Key Impediments to Implementation||Ownership, Execution, and Communication protocol|
Effective Date: July 5, 2021
1 This guidance is being published as combined Interpretation and Approach Guidance under FSRA’s Guidance Framework. Each component is labelled for clarity.
2 Pursuant to s. 321.0.4 (4) of the Act, DICO By-Law No. 5 is deemed to be a FSRA by-law made in accordance with the requirements of the Financial Services Regulatory Authority of Ontario Act, 2016.
3 Both the CEO of FSRA and FSRA may exercise discretion under the Act. However, for the purposes of this Guidance, reference will be made to FSRA, instead of the CEO, as the CEO may delegate his authority to FSRA, as permitted by the Act.
4 See ss. 3(2) and 3(4) of the FSRA Act.