Risk Based Supervisory Framework for Credit Unions

 

Approach 

No. CU0083APP Active

Download a copy in PDF format

 

Purpose

The Risk Based Supervisory Framework for Credit Unions (“RBSF-CU”) sets out FSRA’s approach for supervision and assessment of Ontario Credit Unions and Caisses Populaires (CUs). Its primary focus is to determine the impacts of current and potential future events, both internal and external, on the risk profile of each CU, and drive FSRA’s allocation of supervisory resources.

This Approach Guidance (“Guidance”) articulates FSRA’s supervisory approach for all CUs as well as the practices and processes for determining a CU’s Overall Risk Rating (“ORR”), Intervention Level (“IL”) and level of supervisory activity under the Credit Unions and Caisses Populaires Act, 2020 (the “Act”), supporting Regulations and FSRA Rules and Guidance.

This Guidance does not prescribe compliance obligations for CUs. Rather, it describes the processes and practices that FSRA will follow when establishing supervisory plans and exercising supervisory action or discretion powers under the Act^[1].

The level and extent of supervision under the RBSF-CU will depend on the size, complexity, and risk profile of the CU, and the potential consequences of the CU’s failure including systemic impact.

Scope

This Guidance affects the following entities regulated by FSRA under the Act:

• Credit Unions and Caisses Populaires.

As part of its supervisory assessments FSRA will apply this framework to subsidiaries, joint ventures, and any other entities connected to the CU through financial or management resources, or whose conduct may affect CU members and customers (i.e., consolidated group supervision).

This Guidance complements the information provided in, and should be read in conjunction with, other FSRA guidance and supporting publications available on FSRA’s website, “Guidance – Credit Unions and Caisses Populaires” and “Rules”

Rationale and background

FSRA uses the integrated (prudential and market conduct) RBSF-CU to identify imprudent or unsafe business practices and misconduct that may impact customers and depositors of CUs and intervene on a timely basis. FSRA uses the RBSF-CU to guide its supervisory activities to comprehensively assess the risk profile and determine the ORR of each CU.

The RBSF is designed to assist FSRA in meeting its statutory objects and obligations under the Financial Services Regulatory Authority of Ontario Act, 2016 (the FSRA Act)^[2]. The RBSF will support FSRA’s efforts to:

• contribute to public confidence in the CU sector
• promote high standards of business conduct in the CU sector
• protect the rights and interests of consumers
• foster strong, sustainable, competitive, and innovative financial services sectors
• provide insurance against the loss of part or all of deposits with CUs
• promote and otherwise contribute to the stability of the CU Sector with due regard to the need to allow CUs to compete effectively while taking reasonable risks
• pursue the objects of persons having deposits with CUs and in such manner as will minimize the exposure of the Deposit Insurance Reserve Fund (the “DIRF”) to loss

FSRA will use the RBSF-CU to supervise CUs, including determining the extent and frequency of supervisory assessments pursuant to s. 201 of the Act, supporting regulations, FSRA rules (including but not limited to the Sound Business and Financial Practices Rule, Capital Adequacy Rule and Liquidity Adequacy Rule) and guidance (including with respect to Internal Capital Adequacy Assessment Process (ICAAP) and Internal Liquidity Adequacy Assessment Process (ILAAP) as required).

The ORR of a CU will also help FSRA consider whether a CU should be subject to increased regulatory activity, including supervision^[3] and administration^[4]. It will also determine the supervisory actions that typically occur at each of the intervention levels, which may include recovery and resolution activities.

A significant result of this improved risk-sensitive supervisory process is that FSRA will be able to calculate DIRF assessments with greater accuracy so premiums will be better aligned to the risk profile of each CU and the sector in aggregate.

Approach – Processes and Practices 

FSRA has developed this Guidance to provide clarity in respect of FSRA’s supervisory practices and approach to supervision through the articulation of the key principles and features of the RBSF-CU. This Guidance also articulates how FSRA assesses the most important prudential and conduct risks posed by CUs to supervisory outcomes and the extent to which CUs can manage and mitigate these risks.

The RBSF-CU is principles-based and aligned with national and international supervisory practices. The RBSF-CU increases the effectiveness of supervision by enabling supervisory outcomes to be met while increasing efficiency through improved processes and resource allocation. It involves allocating resources to the areas of greatest risk; for example, not all activities within a CU may need to be assessed for each assessment or at the same intensity.

Guiding principles and supervisory standards

The foundation of FSRA’s RBSF-CU is centered around the Risk definition, Principles, and Supervisory standards described below.

Risk definition

The Risk definition provides clarity for the meaning of “risk” wherever it is used in the RBSF-CU and is applied consistently in the supervisory assessments of all CUs.

Risk in FSRA’s RBSF-CU is assessed from prudential and market conduct perspectives respectively by considering both possibility of financial loss to depositors and possibility that the conduct, acts, or omissions of a CU or deliver poor/unfair outcomes for its members and customers.

Principles

The RBSF-CU Principles focus on achieving outcomes from supervisory work and are aligned with FSRA’s supervisory principles^[5].

Outcomes-focused

Supervisory work is performed to achieve successful supervisory outcomes rather than completing a standard cycle or process.

Risk-based

Supervisory work focuses on material risks of business activities that could pose threats to achieving the key supervisory outcome of depositor protection.

Dynamic, proactive, and adaptable

Supervisory work is continuous, dynamic, and timely to ensure changes in the business, sector, and environment are identified early and reflected in FSRA’s actions and priorities.

Comprehensive

Supervisory work results in a consolidated assessment of the business of the CU. This holistic approach includes assessment of all material interests of the CU entities such as subsidiaries, joint ventures, and other material investments and activities.

Supervisory standards

The Supervisory standards describe key aspects of how FSRA supervisors conduct work using the RBSF-CU. They form the standards of practice of FSRA supervisors.

Forward-looking

To the extent possible assessments are forward-looking and consider the velocity, persistence, and amount of change of the risks. This enables early identification of issues, timely intervention, and higher likelihood of achieving desired outcomes.

Sound judgment

Supervisors exercise sound judgment, supported by rationale, in assessing the CU.

Evidence-based

Supervisors combine sufficient quantitative and qualitative evidence to support observations, recommendations, and requirements.

Efficient and effective

Supervisory work and assessments are planned and completed in an efficient and effective way. This includes use of FSRA’s regulatory actions, data collection, filing requirements, guidance documents, enforcement tools, and service standards.

Use of work of others

FSRA uses, where appropriate, the work of others (e.g., External Audit, Internal Audit and the CU’s other oversight functions and other regulators) to augment its supervisory work and minimize duplication of effort.

Relationship management

FSRA designates a relationship manager (“RM”) as the lead supervisor for each CU. The RM is the main point of contact for the CU and engages in ongoing dialogue with the CU’s management and Board. The RM is responsible for leading the maintenance of an up-to-date risk profile of the CU and is supported by other FSRA staff. The RM is responsible for providing FSRA’s feedback to the CU, leading discussions about the assessment results and monitoring the CU’s remediation or action plans to ensure supervisory concerns, expectations, and requirements are addressed in a timely manner.

Proportionality

The level and extent of supervision will depend on the size, complexity, and risk profile of the CU, and the potential consequences of a CU’s failure. Where there are identified risks or areas of concern the degree of FSRA’s intervention will be commensurate with the CU’s risk profile.

Risk-based supervision for Credit Unions overview

This section of the guidance articulates the essential elements of risk-based supervision, facilitated by FSRA’s RBSF-CU.

FSRA’s assessment process

The following elements of FSRA’s RBSF-CU enable a common approach to assessments across CUs and over time. The ORR is determined through the assessment of inherent risks, quality of controls and oversight, and financial and non-financial resilience with assessment ratings recorded in the Risk Matrix (refer to Appendix A: Risk Matrix). The various elements of the RBSF-CU are described below.

For each of the elements in the Risk Matrix, FSRA will apply a rating based on a five-level scale where the criteria are tailored to each of the elements assessed.

1. Significant activities and importance

A CU’s significant activities (“activities”) are identified at the start of the assessment process. A significant activity can be a line of business, business unit or enterprise-wide process that is fundamental to the CU’s business model and its ability to meet its overall business objectives. The identification and assessment of significant activities and their relative importance or materiality require the use of supervisory judgment which is informed by knowledge of the CU’s external environment, sector, and business profile. To understand the business profile of a CU, supervisors use various sources including organization charts, strategic business plans, capital allocations, internal audit reports, and internal/external reporting.

2. Inherent risk

Inherent risk is assessed for each significant activity of a CU without regard to size of the activity or size of the CU. Inherent risk is intrinsic to a significant activity and arises from exposure to, and uncertainty from, potential future events. Inherent risk is evaluated before any mitigation and by considering the probability of an adverse impact to a CU’s^[6] capital or earnings, and ultimately its depositors. When determining the probability of an adverse impact arising from market conduct risk, supervisors will consider the probability that the conduct, acts, or omissions of a CU harm or result in poor/unfair outcomes for its members and customers.

FSRA uses the following six categories to assess inherent risk:

• financial inherent risks
  • credit
  • market
• non-financial inherent risks
  • operational (including legal)
  • compliance
  • strategic
  • market Conduct

The above inherent risk categories cover other risk sub-categories. For example reputational risk is viewed as a consequence of each of the six inherent risk categories; therefore, it is contemplated in each of the inherent risk categories and legal risk is considered under operational risk.

Based on the inherent risks identified for a significant activity and the level of these inherent risks, supervisors will assess the extent to which commensurate level of controls and oversight is needed to adequately mitigate the inherent risks.

Refer to the information published in FSRA’s guidance on the Credit Union Market Conduct Framework for FSRA’s expectations on how CUs can ensure they are treating their members and customers fairly. Refer to Appendix D for details about market conduct risk assessments.

3. Quality of Controls and Oversight (QCO)

The assessment of QCO for each significant activity considers both the appropriateness of their characteristics and the effectiveness of their performance, in the context of the size, complexity, and risk profile of the CU. Characteristics of a function refers to how it is designed to carry out its role. Performance of a function refers to its effectiveness in carrying out its role and responsibilities. The performance assessment is more important than the characteristics assessment; consequently, the performance assessment will carry more weight when determining the rating of the function.

Controls

Operational management of a CU for any significant activity is responsible for the controls used to manage that activity’s inherent risks on a day-to-day basis. Operational management ensures that the CU’s line staff clearly understand the risks that the activity faces and must manage, and that policies, processes, and staff are sufficient and effective in managing these risks. When assessing operational management FSRA’s primary concern is whether operational management can identify the potential for material loss or misconduct that may arise by taking on that activity and has in place adequate controls to mitigate the inherent risks that may materialize and cause loss or misconduct (see Appendix D). In general, the extent to which FSRA needs to assess the effectiveness of operational management of a significant activity depends on the effectiveness of the CU’s oversight functions. If a CU has sufficient and effective oversight functions, FSRA may not need to also assess the effectiveness of operational management.

Oversight functions

A CU’s oversight functions are responsible for providing independent, enterprise-wide oversight to operational management for each significant activity.

FSRA’s assessment includes the following five oversight functions:

• Compliance;
• Risk Management
• Internal Audit
• Senior Management
• Board of Directors

The presence and nature of these functions vary based on the size, complexity, and risk profile of a CU and the inherent risks in its significant activities. Where a CU lacks a critical oversight function and has engaged external expertise to perform that function FSRA will assess how the CU maintains accountability for that function (i.e., CUs can outsource the function’s responsibility but not the accountability and ownership of risks).

Where a CU lacks some oversight functions, they are not sufficiently independent, or they do not have enterprise-wide responsibility, in applying proportionality, FSRA will assess the effectiveness of other functions (e.g., senior management) in providing the expected, adequate, and independent oversight.

FSRA will assess the extent to which the oversight functions have sufficient stature, authority and independence from operational management, with unfettered access and a functional reporting line to the Board or the appropriate Board committee.

Controls and oversight assessments, including corporate governance assessments, are based on an evaluation of a CU's current practices for each risk management control and oversight function related to the CU’s significant activities. This evaluation is closely related to the assessment of a CU’s adherence with the requirements of FSRA’s Sound Business and Financial Practices Rule.

Enterprise-Wide Oversight Ratings (EWOR)

Enterprise-wide oversight assessments are FSRA’s determination of the oversight functions’ effectiveness across all activities to provide the enterprise-wide view. This considers the function’s characteristics and performance, and FSRA’s expected outcomes, in executing its oversight responsibilities.

The assessment focuses on how well the oversight function oversees the CU operations and considers any weaknesses in the function’s characteristics that may not have affected its performance yet but may do so in the future. Hence, these ratings act as early warning indicators of potential future performance issues with the oversight functions within the activities.

4. Residual risk

Residual risk is defined as inherent risks mitigated by the QCO functions. For each significant activity the level of residual risk is determined by considering all relevant and rated inherent risks and QCO ratings. For each significant activity FSRA will assess the QCO and the degree to which it is commensurate with the level of inherent risks so the residual risk is considered prudent.

5. Prudential Summary Residual Risk (PSRR), Market Conduct Summary Residual Risk (MCSRR), and Summary Residual Risk (SRR)

The PSRR (from the prudential perspective) and MCSRR (from the market conduct perspective) measure the prudential and market conduct risk profiles of the CU based on inherent risks taken on by engaging in significant activities, mitigated by controls and oversight functions, but before the assessment of capital, liquidity, and resilience.

The PSRR is the aggregation of the ratings for the prudential residual risks of all significant activities weighed according to their importance. The MCSRR is determined in a similar way to the PSRR but from a market conduct perspective.

The SRR is determined after considering both the MCSRR and the PSRR.

6. Capital (including Earnings), Liquidity, and Resilience

This section should be read and interpreted in conjunction with the information published in other relevant FSRA guidance, rules and supporting publications related to capital and earnings, liquidity and resilience located on the FSRA website in the “Guidance – Credit Unions and Caisses Populaires” and “Rules” webpages.

Capital (including Earnings)

Capital is a source of financial support to protect against unexpected losses and is a key contributor to the safety and soundness of the CU. Capital management is the ongoing process of raising and maintaining capital at levels sufficient to support planned operations. For more complex CUs capital management also involves allocation of capital to recognize the level of risk in its various activities.

FSRA assesses the capital adequacy of a CU on both a current (at time of assessment) and forward-looking time frame (e.g., how expected earnings may impact capital). This approach enables a longer and broader view of the CU’s capital adequacy and recognizes the key role that retained earnings plays in maintaining and building the capital base of the CU. FSRA uses quantitative and qualitative measures in the assessment of a CU’s capital adequacy and capital management program.

Liquidity

Liquidity is the ability of a CU to obtain sufficient cash or its equivalents in a timely manner at a reasonable price to meet its commitments as they fall due. Managing and maintaining adequate levels of liquidity are critical for the overall safety and soundness of a CU. A CU must ensure that there is enough liquidity for orderly funding, operational expenses, and other obligations and provide a prudent cushion for unforeseen liquidity needs. A CU’s obligations, and the funding sources used to meet them, depend significantly on its business mix, balance sheet structure, and the cash flow profiles of its on and off-balance sheet obligations.

Liquidity risk management is necessary given that a liquidity shortfall at a CU can have potential sector-wide repercussions. FSRA uses quantitative and qualitative measures in the assessment of a CU’s liquidity adequacy and liquidity management programs.

Resilience

Resilience is the ability of a CU to respond to adversity, absorb shocks, and adapt to changes especially during a period of stress or crisis. It is the ability of the CU to continue to:

• deliver on its objectives
• remain sustainable and prosper
• make positive adjustments under challenging conditions
• emerge strengthened and more resourceful

The Board and senior management of a CU have a fiduciary duty which includes the obligation to plan for adverse scenarios and to ensure that the CU is crisis prepared. This aligns with FSRA’s goal of protecting deposits held at CUs and contributing to the stability of the sector in Ontario.

Significant stress or failure of one CU could accelerate stress at others and lead to other failures in the sector. Risk of contagion could further manifest in the broader financial services system in Ontario due to loss of confidence of depositors and customers.

A resilient CU should be able to:

• monitor the current environment
• anticipate future threats and opportunities
• respond effectively to any type of event
• learn from past failures and successes

Overall resilience of a CU is assessed holistically through both financial and non-financial factors and considers both “business as usual” and “stress event” conditions. Financial resilience factors include capital and liquidity; non-financial factors are generally governance and operational-based and focus on crisis preparedness. Some key indicators of resilience are the strength of a CU’s ICAAP Recovery Plan, Contingency Funding Plan, Business Continuity Plan and Disaster Recovery Plan.

FSRA will consider Environmental, Social, and Governance (“ESG”) risks, with an emphasis on climate risk, when assessing the resilience of CUs. Inadequate or mismanagement of these could negatively impact a CU’s franchise strength and risk profile while more serious deficiencies could ultimately threaten the CU’s reputation, capital and earnings, liquidity, and viability.

7. Overall Risk Rating (ORR)

The ORR is an assessment of the CU’s overall risk profile after considering the impact of capital (including earnings), liquidity, and resilience on its SRR. It reflects FSRA’s assessment of the safety and soundness of a CU. The ratings from the capital, liquidity, and resilience assessments are used to determine modification needed to the SRR, if any, to arrive at the ORR.

The five ratings for the ORR are: “Low”, “Low-Moderate”, “Moderate”, “Moderate-High” and “High” (descriptions of each of the five ORR risk ratings are detailed in Appendix B).

B. Risk management process

The Basel Committee on Banking Supervision (BCBS) is the international body responsible for developing the Core Principles for Effective Banking Supervision that regulatory bodies can use to assess their supervisory systems and identify areas for improvement^[7]. Principle 15 - Risk Management Process, states “the supervisor determines that FIs have a comprehensive risk management process (including effective Board and senior management oversight) to identify, measure, evaluate, monitor, report and control or mitigate all material risks on a timely basis …”. FSRA adheres to this principle by using the following supervisory process to assess the risk profiles of CUs.

C. Supervisory process

FSRA uses a defined process to guide its CU-specific supervisory framework that includes the following steps:

1. Developing a supervisory strategy and planning supervisory work

A supervisory strategy (“strategy”) for each CU is prepared annually. The strategy identifies the supervisory work necessary to keep the CU’s risk profile current. The intensity of supervisory work depends on the size, complexity, and risk profile of the CU. The strategy outlines the supervisory work planned for the next three years, with a more detailed description of work for the upcoming year. The strategy is the basis for a more detailed annual plan, which indicates the expected work and resource allocations for the upcoming year.

FSRA’s planning also includes a process to compare the work effort across CUs. This is to ensure that assessments of risk for individual CUs are subject to a broader standard, and to assign supervisory resources effectively to higher-risk CUs and significant activities.

2. Executing supervisory work

Supervisory work includes, but is not limited to, the following:

• monitoring
• targeted assessment
• comprehensive assessment

Monitoring refers to the regular review of information about a CU, its industry, and external environment to keep abreast of changes that are occurring or planned in the CU, and to identify emerging risks and issues. Issues include both CU-specific and sector-wide concerns.

In addition to the core supervisory work of monitoring, and assessments, FSRA undertakes thematic, comparative, and benchmarking reviews to identify standards, best industry practices and sector-wide patterns.

FSRA periodically requires CUs to perform specific stress tests that FSRA uses to assess the potential impact of changes in the operating environment on individual CUs or industries.
Environmental scanning and stress testing have increased in importance as changes in the external environment are a main driver of rapid changes in CU risk profiles. FSRA may also request the CU’s internal auditor, or at the CU’s expense, its external auditor, or other external resource (e.g., consulting firm) to investigate and report on a matter to FSRA.

3. Updating assessments

The assessment and ratings will be revisited and changed to reflect the current state of the CU if new information indicates a material change in a CU’s risk profile.

If there are shifts indicated through monitoring and assessment of the CU, FSRA will respond by adjusting work priorities set out in the supervisory strategy and annual supervisory plan as necessary to ensure that important emerging matters take precedence over items of lesser risk. Such flexibility is vital to FSRA’s successful implementation of risk-based supervision and its ability to meet its legislated mandate.

Assessments for all CUs are subject to FSRA’s rigorous quality assurance process to ensure ratings are proportionate, accurate, and consistent.

4. Reporting and communication to CUs

In addition to ongoing discussions with CU management through the RM, FSRA communicates to CUs through Supervisory Letters. Supervisory Letters summarize FSRA’s recommendations and requirements as necessary based on the supervisory work (both prudential and market conduct) that was completed since issuing the last Supervisory Letter and discloses or affirms the CU’s ORR.

During the year FSRA may also issue an Interim Supervisory Letter to the CU to provide a change in the ORR and/or timely feedback on issues arising from a specific body of supervisory work, especially if a recent assessment was performed or the CU is in a Depositor Protection Program (Watchlist, Supervision, or Administration)^[8].

With both types of letters FSRA will discuss the recommendations and requirements with the CU before issuing the letter. FSRA considers transparency, communication, and the provision of feedback to the CU an important part of its supervisory process.

5. Intervention level

The ORR of a CU is used in determining the level of intervention FSRA will take to address identified prudential or conduct issues. FSRA’s Intervention Guide (The Guide) addresses situations where FSRA has concerns with the CU’s corporate governance, oversight, conduct, viability, or solvency. The Guide (included as Appendix C of this Guidance) aims to communicate at which level an action/intervention would typically occur. The Guide also provides a mapping of the typical combinations of ORR and Intervention Level.

8 The Deposit Protection Program involves placing a CU which meets certain risk-based criteria under Supervision (s 230 of the Act), under Administration (s 233 of the Act) or in Dissolution (237 of the Act). Supervision is where FSRA has the statutory authority to order a credit union's Board of directors to correct its practices or refrain from undertaking activities that may harm the credit union. Administration allows the CU to continue to operate under FSRA’s direct control while providing sufficient time to develop and implement the most appropriate strategy to protect depositors. Dissolution is when a CU goes out of business and FSRA is appointed as liquidator to minimize the impact on the credit union's depositors, pay depositors, wind up affairs in an orderly manner, and maximize the recovery of assets.

6. Level of supervisory engagement

After determining the intervention level proportionality is applied to the ORR of the CU to determine the level of supervisory engagement (i.e., amount of FSRA resources and attention placed on the CU). FSRA will have a higher level of supervisory engagement with larger and/or more complex CUs whose misconduct or failure could materially impact the sector. FSRA will also have a higher level of supervisory engagement with CUs that have elevated or higher risk profiles.

The misconduct or failure of a large or complex CU could give rise to contagion and undermine the general confidence of the CU sector. Therefore, FSRA’s risk tolerance is low for these CUs that display an elevated risk profile. Hence, FSRA will allocate more resources and attention to these CUs to reduce the likelihood of their misconduct and/or failure.

Effective date and future review

This Guidance was effective as of April 1, 2022. It was updated with non-material changes on May 26, 2023 and will be reviewed on or before April 1, 2027.

About this Guidance

This document is consistent with FSRA’s Guidance Framework. As Approach Guidance, it describes FSRA’s internal principles, processes and practices for supervisor, action and application of Chief Executive Officer discretion. Visit FSRA’s Guidance Framework to learn more.

Appendix A: Risk matrix

The Risk Matrix (as shown below) is used to record all the assessment ratings described above. The purpose of the Risk Matrix is to facilitate a holistic assessment of a credit union. The assessment culminates in an Overall Risk Rating (ORR), which represents the overall risk profile of the credit union.