Key Information

Please note this is a previous version. View latest version.



No. CU0083APP

Download a copy in PDF format



The Risk Based Supervisory Framework for Credit Unions (“RBSF-CU”) sets out FSRA’s approach for supervision and assessment of Ontario Credit Unions and Caisses Populaires (“CUs”). Its primary focus is to determine the impacts of current and potential future events, both internal and external, on the risk profile of each CU, and drive FSRA’s allocation of supervisory resources.

This Approach Guidance (“Guidance”) articulates FSRA’s supervisory approach for all CUs, as well as the practices and processes for determining a CU’s Overall Risk Rating (“ORR”), Intervention Level (“IL”) and level of supervisory activity under the Credit Unions and Caisses Populaires Act, 2020 (“the Act”), supporting Regulations, and FSRA Rules and Guidance.

This Guidance does not prescribe compliance obligations for CUs. Rather, it describes the processes and practices that FSRA will follow when establishing supervisory plans and exercising supervisory action or discretion powers under the Act[1].

The level and extent of supervision under the RBSF-CU will depend on the size, complexity, and risk profile of the CU, and the potential consequences of the CU’s failure including systemic impact.


This Guidance affects the following entities regulated by FSRA under the Act:

  • Credit Unions and Caisses Populaires.

As part of its supervisory reviews and assessments FSRA will apply this framework to subsidiaries, joint ventures, and any other entities connected to the CU through financial or management resources, or whose conduct may affect CU members and customers (i.e., consolidated group supervision).

This Guidance complements the information provided in, and should be read in conjunction with, other FSRA guidance and supporting publications available on FSRA’s website, “Guidance – Credit Unions and Caisses Populaires” and “Rules

Rationale and background

FSRA uses the integrated (prudential and market conduct) RBSF-CU to identify imprudent or unsafe business practices and misconduct impacting customers and depositors of CUs and intervene on a timely basis. FSRA uses the RBSF-CU to guide its supervisory activities to comprehensively assess the risk profile and determine the ORR of each CU.

The RBSF is designed to assist FSRA in meeting its statutory objects and obligations under the Financial Services Regulatory Authority of Ontario Act, 2016 (“the FSRA Act”)[2]. The RBSF will support FSRA’s efforts to:

  • contribute to public confidence in the CU sector
  • promote high standards of business conduct in the CU sector
  • protect the rights and interests of consumers
  • foster strong, sustainable, competitive, and innovative financial services sectors
  • provide insurance against the loss of part or all of deposits with CUs
  • promote and otherwise contribute to the stability of the CU Sector with due regard to the need to allow CUs to compete effectively while taking reasonable risks
  • pursue the objects of persons having deposits with CUs and in such manner as will minimize the exposure of the Deposit Insurance Reserve Fund (the “DIRF”) to loss

FSRA will use the RBSF-CU to supervise CUs, including determining the extent and frequency of supervisory assessments pursuant to s. 201 of the Act, supporting regulations, and FSRA rules (e.g., Sound Business and Financial Practices Rule, Capital Adequacy Requirements for Credit Unions and Caisses Populaires Rule, Liquidity Adequacy Requirements for Credit Unions and Caisses Populaires Rule) and guidance (e.g., Internal Capital Adequacy Assessment Process (“ICAAP”), Internal Liquidity Adequacy Assessment Process (“ILAAP”)).

The ORR of a CU will also help FSRA consider whether a CU should be subject to increased regulatory activity, including supervision[3] and administration[4]. It will also determine the supervisory actions that typically occur at each of the intervention levels, which may include recovery and resolution activities.

A significant result of this improved risk-sensitive supervisory process is that FSRA will be able to calculate DIRF assessments with greater accuracy so premiums will be better aligned to the risk profile of each CU and the sector in aggregate.

Approach – Processes and practices 

FSRA has developed this Guidance to provide clarity in respect of FSRA’s supervisory practices and approach to supervision through the articulation of the key principles and features of the RBSF-CU. This Guidance also articulates how FSRA assesses the most important prudential and conduct risks posed by CUs to supervisory outcomes and the extent to which CUs can manage and mitigate these risks.

The RBSF-CU is principles-based and aligned with national and international supervisory practices. The RBSF-CU increases the effectiveness of supervision by enabling supervisory outcomes to be met while increasing efficiency through improved processes and resource allocation. It involves allocating resources to the areas of greatest risk; for example, not all activities within a CU may need to be assessed for each review or at the same intensity.

Guiding principles and supervisory standards

The foundation of FSRA’s RBSF-CU is centered around the risk definition, principles, and supervisory standards described below.

Risk definition

The Risk definition provides clarity for the meaning of “risk” wherever it is used in the RBSF-CU and is applied consistently in the supervisory assessments of all CUs.

Risk in FSRA’s RBSF-CU is assessed from prudential and market conduct perspectives respectively by considering both possibility of financial loss to depositors and possibility that the conduct, acts, or omissions of a CU harm or deliver poor/unfair outcomes for its members and customers.


The RBSF-CU Principles focus on achieving outcomes from supervisory work and are aligned with FSRA’s supervisory principles[5].


Supervisory work is performed to achieve successful supervisory outcomes rather than completing a standard cycle or process.


Supervisory work focuses on material risks of business activities that could pose threats to achieving the key supervisory outcome of depositor protection.

Dynamic, proactive, and adaptable

Supervisory work is continuous, dynamic, and timely to ensure changes in the business, sector, and environment are identified early and reflected in FSRA’s actions and priorities.


Supervisory work results in a consolidated assessment of the business of the CU. This holistic approach includes assessment of all material interests of the CU entities such as subsidiaries, joint ventures, and other material investments and activities.

Supervisory standards

The Supervisory standards describe key aspects of how FSRA supervisors conduct work using the RBSF-CU. They form the standards of practice of FSRA supervisors.


To the extent possible assessments are forward-looking and consider the velocity, persistence, and amount of change of the risks. This enables early identification of issues, timely intervention, and higher likelihood of achieving desired outcomes.

Sound judgment

Supervisors exercise sound judgment, supported by rationale, in assessing the CU.


Supervisors combine sufficient quantitative and qualitative evidence to support observations, recommendations, and requirements.

Efficient and effective

Supervisory work and assessments are planned and completed in an efficient and effective way. This includes use of FSRA’s regulatory actions, data collection, filing requirements, guidance documents, enforcement tools, and service standards.

Use of work of others

FSRA uses, where appropriate, the work of others (e.g., External Audit, Internal Audit and the CU’s other Oversight Functions, and other regulators) to augment its supervisory work and minimize duplication of effort.

Relationship management

FSRA designates a relationship manager (“RM”) as the lead supervisor for each CU. The RM is the main point of contact for the CU and engages in ongoing dialogue with the CU’s management and Board. The RM is responsible for leading the maintenance of an up-to-date risk profile of the CU and is supported by other FSRA staff. The RM is responsible for providing FSRA’s feedback to the CU, leading discussions about the assessment results, and monitoring the CU’s remediation or action plans to ensure supervisory concerns, expectations, and requirements are addressed in a timely manner.


The RBSF-CU will be applied proportionately based on the size and complexity of the CU. FSRA’s level of intervention will be commensurate with the CU’s risk profile. CUs that are well managed will generally require less supervisory engagement.

Risk-based supervision overview

This section of the Guidance articulates the essential elements of risk-based supervision, facilitated by FSRA’s RBSF-CU.

FSRA’s assessment process

The following elements of FSRA’s RBSF-CU enable a common approach to assessments across CUs and over time. The ORR is determined through the assessment of inherent risks, quality of controls and oversight, and financial and non-financial resilience with assessment ratings recorded in the Risk Matrix (refer to Appendix A: Risk Matrix). The various elements of the RBSF-CU are described below.

For each of the elements in the Risk Matrix, FSRA applies a rating based on a five-level scale where the criteria are tailored to each of the elements assessed.

1. Significant activities and importance

A CU’s significant activities (“activities”) are identified at the start of the assessment process. A significant activity can be a line of business, business unit or enterprise-wide process that is fundamental to the CU’s business model and its ability to meet its overall business objectives. The identification and assessment of significant activities and their relative importance or materiality require the use of supervisory judgment which is informed by knowledge of the CU’s external environment, sector, and business profile. To understand the business profile of a CU, supervisors use various sources including organization charts, strategic business plans, capital allocations, internal audit reports, and internal/external reporting.

2. Inherent risk

Inherent risk is assessed for each significant activity of a CU without regard to size of the activity or size of the CU. Inherent risk is intrinsic to a significant activity and arises from exposure to, and uncertainty from, potential future events. Inherent risk is evaluated before any mitigation and by considering the probability of an adverse impact to a CU’s[6] capital or earnings, and ultimately its depositors. When determining the probability of an adverse impact arising from market conduct risk, supervisors will consider the probability that the conduct, acts, or omissions of a CU harm or deliver poor/unfair outcomes for its members and customers.

FSRA uses the following six categories to assess inherent risk:

  • financial inherent risks
    • credit
    • market
  • non-financial inherent risks
    • operational (including legal)
    • compliance
    • strategic
    • market Conduct

The above inherent risk categories cover other risk sub-categories. For example, legal risk is considered under operational risk and reputational risk is viewed as a consequence of each of the six inherent risk categories and is therefore contemplated in each of the inherent risk categories.

Based on the inherent risks identified for a significant activity and the level of these inherent risks, supervisors will assess the extent to which commensurate level of controls and oversight is needed to adequately mitigate the inherent risks.

Refer to the information published in FSRA’s guidance on the Credit Union Market Conduct Framework for FSRA’s expectations on how CUs can ensure they are treating their members and customers fairly. Refer to Appendix D for details about market conduct risk assessments.

3. Quality of Controls and Oversight (“QCO”)

The assessment of QCO for each significant activity considers both the appropriateness of their characteristics and the effectiveness of their performance, in the context of the size, complexity, and risk profile of the CU. Characteristics of a function refers to how it is designed to carry out its role. Performance of a function refers to its effectiveness in carrying out its role and responsibilities. The performance assessment is more important than the characteristics assessment; consequently, the performance assessment will carry more weight when determining the rating of the function.


Operational management of a CU for any significant activity is responsible for the controls used to manage that activity’s inherent risks on a day-to-day basis. Operational management ensures that the CU’s line staff clearly understand the risks that the activity faces and must manage, and that policies, processes, and staff are sufficient and effective in managing these risks. When assessing operational management, FSRA’s primary concern is whether operational management can identify the potential for material loss or misconduct that may arise by taking on that activity and has in place adequate controls to mitigate the inherent risks that may materialize and cause loss or misconduct (see Appendix D). In general, the extent to which FSRA needs to assess the effectiveness of operational management of a significant activity depends on the effectiveness of the CU’s Oversight Functions. If a CU has sufficient and effective Oversight Functions, FSRA may not need to also assess the effectiveness of operational management.

Oversight Functions

A CU’s Oversight Functions are responsible for providing independent, enterprise-wide oversight to operational management for each significant activity.

FSRA’s assessment includes the following five Oversight Functions:

  • Compliance
  • Risk Management
  • Internal Audit
  • Senior Management
  • Board of Directors

The presence and nature of these functions vary based on the size, complexity, and risk profile of a CU and the inherent risks in its significant activities. Where a CU lacks a critical Oversight Function and has engaged external expertise to perform that function, FSRA will assess how the CU maintains accountability for that function (i.e., CUs can outsource the function’s responsibility but not the accountability and ownership of risks).

Where a CU lacks some Oversight Functions, they are not sufficiently independent, or they do not have enterprise-wide responsibility, in applying proportionality, FSRA will assess the effectiveness of other functions (e.g., senior management) in providing the expected, adequate, and independent oversight.

FSRA will assess the extent to which the Oversight Functions have sufficient stature, authority, and independence from operational management, with unfettered access and a functional reporting line to the Board or the appropriate Board committee.

Controls and oversight assessments, including corporate governance assessments, are based on an evaluation of a CU's current practices for each risk management control and Oversight Function related to the CU’s significant activities. This evaluation is closely related to the assessment of a CU’s adherence with the requirements of FSRA’s Sound Business and Financial Practices Rule.

Enterprise-Wide Oversight Ratings (EWOR”)

Enterprise-wide oversight assessments are FSRA’s determination of the Oversight Functions’ effectiveness across all activities. This assessment considers the Oversight Function's characteristics and performance in executing its oversight responsibilities.

The assessment focuses on how well the Oversight Function oversees the CU operations and considers any weaknesses in the function’s characteristics that may not have affected its performance yet but may do so in the future. Hence, these ratings act as early warning indicators of potential future performance issues with the Oversight Functions of the activities.

4. Residual risk

Residual risk is defined as inherent risks mitigated by the QCO functions. For each significant activity the level of residual risk is determined by considering all relevant and rated inherent risks and QCO ratings. For each significant activity FSRA will assess the QCO and the degree to which it is commensurate with the level of inherent risks, so the residual risk is considered prudent.

5. Prudential Summary Residual Risk (“PSRR), Market Conduct Summary Residual Risk (“MCSRR), and Summary Residual Risk (“SRR)

The PSRR (from the prudential perspective) and MCSRR (from the market conduct perspective) measure the prudential and market conduct risk profiles of the CU based on inherent risks taken on by engaging in significant activities, mitigated by Controls and Oversight Functions, but before the assessment of Capital, Liquidity, and Resilience.

The PSRR is the aggregation of the ratings for the prudential residual risks of all significant activities weighed according to their importance. The MCSRR is determined in a similar way to the PSRR but from a market conduct perspective.

The SRR is determined after considering both the MCSRR and the PSRR.

6. Capital (including Earnings), Liquidity, and Resilience

This section should be read and interpreted in conjunction with the information published in other relevant FSRA guidance, rules and supporting publications related to capital and earnings, liquidity, and resilience located on the FSRA website in the “Guidance – Credit Unions and Caisses Populaires” and “Rules” webpages.

Capital (including Earnings)

Capital is a source of financial support to protect against unexpected losses and is a key contributor to the safety and soundness of the CU. Capital management is the ongoing process of raising and maintaining capital at levels sufficient to support planned operations. For more complex CUs, capital management also involves allocation of capital to recognize the level of risk in its various activities.

FSRA assesses the capital adequacy of a CU on both a current (at time of assessment) and forward-looking time frame (e.g., how expected earnings may impact capital).

This approach enables a longer and broader view of the CU’s capital adequacy and recognizes the key role that retained earnings plays in maintaining and building the capital base of the CU. FSRA uses quantitative and qualitative measures in the assessment of a CU’s capital adequacy and capital management program.


Liquidity is the ability of a CU to obtain sufficient cash or its equivalents in a timely manner at a reasonable price to meet its commitments as they fall due. Managing and maintaining adequate levels of liquidity are critical for the overall safety and soundness of a CU. A CU must ensure that there is enough liquidity for orderly funding, operational expenses, and other obligations and provide a prudent cushion for unforeseen liquidity needs. A CU’s obligations and the funding sources used to meet them depend significantly on its business mix, balance sheet structure, and the cash flow profiles of its on and off-balance sheet obligations.

Liquidity risk management is necessary given that a liquidity shortfall at a CU can have potential sector-wide repercussions. FSRA uses quantitative and qualitative measures in the assessment of a CU’s liquidity adequacy and liquidity management program.


Resilience is the ability of a CU to respond to adversity, absorb shocks, and adapt to changes especially during a period of stress or crisis. It is the ability of the CU to continue to:

  • deliver on its objectives
  • remain sustainable and prosper
  • make positive adjustments under challenging conditions
  • emerge strengthened and more resourceful

The Board and senior management of a CU have a fiduciary duty which includes the obligation to plan for adverse scenarios and to ensure that the CU is crisis prepared. This aligns with FSRA’s goal of protecting deposits held at CUs and contributing to the stability of the sector in Ontario.

Significant stress or failure of one CU could accelerate stress at others and lead to other failures in the sector. Risk of contagion could further manifest in the broader financial services system in Ontario due to loss of confidence of depositors and customers.

A resilient CU should be able to:

  • monitor the current environment
  • anticipate future threats and opportunities
  • respond effectively to any type of event
  • learn from past failures and successes

Overall resilience of a CU is assessed holistically through both financial and non-financial factors and considers both “business as usual” and “stress event” conditions. Financial resilience factors include capital and liquidity; non-financial factors are generally governance and operational-based and focus on crisis preparedness. Some key indicators of resilience are the strength of a CU’s ICAAP Recovery Plan, Contingency Funding Plan, Business Continuity Plan and Disaster Recovery Plan.

FSRA will consider Environmental, Social, and Governance (“ESG”) risks, with an emphasis on climate risk, when assessing the resilience of CUs. Inadequate or mismanagement of these risks could negatively impact a CU’s franchise strength and risk profile while more serious deficiencies could ultimately threaten the CU’s reputation, capital and earnings, liquidity, and viability.

7. Overall Risk Rating (“ORR”)

The ORR is an assessment of the CU’s overall risk profile after considering the impact of Capital (including earnings), Liquidity, and Resilience on its SRR. It reflects FSRA’s assessment of the safety and soundness of a CU. The ratings from the capital, liquidity, and resilience assessments are used to determine modification needed to the SRR, if any, to arrive at the ORR.

The five ratings for the ORR are: “Low”, “Low-Moderate”, “Moderate”, “Moderate-High” and “High” (descriptions of each of the five ORR risk ratings are detailed in Appendix B).

B. Risk management process

The Basel Committee on Banking Supervision (“BCBS”) is the international body responsible for developing the Core Principles for Effective Banking Supervision that regulatory bodies can use to assess their supervisory systems and identify areas for improvement[7]. Principle 15 - Risk Management Process, states “the supervisor determines that FIs have a comprehensive risk management process (including effective Board and senior management oversight) to identify, measure, evaluate, monitor, report and control or mitigate all material risks on a timely basis …”. FSRA adheres to this principle by using the following supervisory process to assess the risk profiles of CUs.

C. Supervisory process

FSRA uses a defined process to guide its CU-specific supervisory framework that includes the following steps:

1. Developing a supervisory strategy and planning supervisory work

A supervisory strategy (“strategy”) for each CU is prepared annually. The strategy identifies the supervisory work necessary to keep the CU’s risk profile current. The intensity of supervisory work depends on the size, complexity, and risk profile of the CU. The strategy outlines the supervisory work planned for the next three years, with a more detailed description of work for the upcoming year. The strategy is the basis for a more detailed annual plan, which indicates the expected work and resource allocations for the upcoming year.

FSRA’s planning also includes a process to compare the work effort across CUs. This is to ensure that assessments of risk for individual CUs are subject to a broader standard, and to assign supervisory resources effectively to higher-risk CUs and significant activities.

2. Executing supervisory work

Supervisory work includes, but is not limited to, the following:

  • monitoring
  • targeted assessment
  • comprehensive assessment
  • thematic review

Monitoring refers to the regular review of information about a CU, its industry, and external environment to keep abreast of changes that are occurring or planned in the CU, and to identify emerging risks and issues. Issues include both CU-specific and sector-wide concerns.

CU-specific monitoring includes the analysis of the CU’s financial and operating results, typically considering its performance by business line and vis-à-vis its peers and any significant internal developments. Assessments refer to more extensive supervisory work than monitoring and may involve various activities depending on the specific requirements identified in the planning process.

In addition to the core supervisory work of monitoring and assessments, FSRA undertakes thematic (also called horizontal, comparative or benchmarking) reviews to identify standards, best industry practices, and sector-wide patterns.

FSRA periodically requires CUs to perform specific stress tests that FSRA uses to assess the potential impact of changes in the operating environment on individual CUs or industries. Environmental scanning and stress testing have increased in importance as changes in the external environment are a main driver of rapid changes in CU risk profiles. FSRA may also request the CU’s internal auditor, or at the CU’s expense, its external auditor, or other external resource (e.g., consulting firm) to investigate and report on a matter to FSRA.

3. Updating assessments

The assessment and ratings will be revisited and changed to reflect the current state of the CU if new information indicates a material change in a CU’s risk profile.

If there are shifts indicated through monitoring and assessment of the CU, FSRA will respond by adjusting work priorities set out in the supervisory strategy and annual supervisory plan as necessary to ensure that important emerging matters take precedence over items of lesser risk. Such flexibility is vital to FSRA’s successful implementation of risk-based supervision and its ability to meet its legislated mandate.

Assessments for all CUs are subject to FSRA’s rigorous quality assurance process to ensure ratings are proportionate, accurate, and consistent.

4. Reporting to and communicating with CUs

In addition to ongoing discussions with CU management through the RM, FSRA communicates to CUs through Supervisory Letters. Supervisory Letters summarize FSRA’s recommendations and requirements as necessary based on the supervisory work (both prudential and market conduct) that was completed since issuing the last Supervisory Letter and discloses or affirms the CU’s ORR.

During the year FSRA may also issue an Interim Supervisory Letter to the CU to provide a change in the ORR and/or timely feedback on issues arising from a specific body of supervisory work, especially if a recent assessment was performed or the CU is in a Depositor Protection Program (Watchlist, Supervision, or Administration)[8].

With both types of letters FSRA will discuss the recommendations and requirements with the CU before issuing the letter. FSRA considers transparency, communication, and the provision of feedback to the CU an important part of its supervisory process.

5. Intervention level

The ORR of a CU is used in determining the level of intervention FSRA will take to address identified prudential or market conduct issues. FSRA’s Intervention Guide (“The Guide”) addresses situations where FSRA has concerns with the CU’s corporate governance, oversight, conduct, viability, or solvency. The Guide (included as Appendix C of this Guidance) aims to communicate at which level an action/intervention would typically occur. The Guide also provides a mapping of the typical combinations of ORR and Intervention Level.

6. Level of supervisory engagement

After determining the Intervention Level, proportionality is applied to the ORR of the CU to determine the level of supervisory engagement (i.e., amount of FSRA resources and attention placed on the CU). FSRA will have a higher level of supervisory engagement with larger and/or more complex CUs whose misconduct or failure could materially impact the sector. 

FSRA will also have a higher level of supervisory engagement with CUs that have elevated or higher risk profiles.

The misconduct or failure of a large or complex CU could give rise to contagion and undermine the general confidence of the CU sector. Therefore, FSRA’s risk tolerance is low for these CUs that display an elevated risk profile. Hence, FSRA will allocate more resources and attention to these CUs to reduce the likelihood of their misconduct and/or failure.

Effective date and future review

This Guidance was effective as of April 1, 2022. It was updated with non-material changes on December 6, 2023 and will be reviewed on or before April 1, 2027.

About this Guidance

This document is consistent with FSRA’s Guidance Framework. As Approach Guidance, it describes FSRA’s internal principles, processes and practices for supervisor, action and application of Chief Executive Officer discretion. Visit FSRA’s Guidance Framework to learn more.

Appendix A: Risk Matrix

The Risk Matrix (as shown below) is used to record all the assessment ratings described above. The purpose of the Risk Matrix is to facilitate a holistic assessment of a credit union. The assessment culminates in an Overall Risk Rating (“ORR”), which represents the overall risk profile of the credit union.

Risk Matrix_EN

Appendix B: ORR descriptions

The following table provides descriptions for each of the five ORR ratings.

Overall Risk Rating Description


This rating indicates a highly safe, sound, well-managed, and well- governed CU. The combination of its summary residual risk and its capital, liquidity and resilience makes the CU resilient to most adverse business and economic conditions, which will not materially affect its risk profile. The CU has consistently performed well and most key indicators are better than sector averages.


This rating indicates a safe, sound, well-managed, and well- governed CU. The combination of its summary residual risk and its capital, liquidity and resilience makes the CU resilient to many adverse business and economic conditions, which will not materially affect its risk profile. The CU has generally performed well, and many key indicators are better than sector averages.


This rating indicates a generally safe, sound, well-managed, and well-governed CU. The combination of its summary residual risk and its capital, liquidity and resilience makes the CU resilient to some adverse business and economic conditions which will not materially affect its risk profile. The CU’s performance is satisfactory and key indicators are generally comparable to sector averages.


The CU has safety and soundness concerns. It has issues that trigger early warning indicators of potential financial non-viability if not addressed. One or more of the following conditions are present. The combination of its Summary Residual Risk and its capital, liquidity and resilience makes the CU vulnerable to some adverse business and economic conditions.

  • Its performance is unsatisfactory or deteriorating, with some key indicators at or marginally below sector averages.
  • The CU has issues or weaknesses with its controls and oversight that although not serious enough to present an immediate threat to financial viability or solvency could deteriorate into serious problems if not addressed promptly.

The CU has serious safety and soundness concerns. One or more of the following conditions are present:

  • The combination of its Summary Residual Risk and its capital, liquidity and resilience makes the CU vulnerable to most adverse business and economic conditions, posing a serious threat to its viability or solvency unless effective corrective action is implemented promptly.
  • Its performance is poor and most key indicators are worse than sector averages.

Appendix C: Intervention guide

Intervention level

The ORR of a CU is used to determine the level of intervention or remediation FSRA will take to address prudential or conduct issues identified. FSRA has also developed this Guide to address situations where FSRA has concerns with the CU’s vulnerabilities, practices that could lead to misconduct, or when viability or solvency are of concern. The Guide gives summary descriptions of CU risk profiles for each intervention level and indicates supervisory actions that typically occur at each level. The intervention process is not fixed as circumstances may vary from case to case. It is not a rigid regime under which every situation is necessarily addressed with a predetermined set of actions. The Guide aims to communicate at which level an action would typically occur and the actions described at one level may also be used in subsequent levels; in some situations, certain actions may also take place at earlier levels than set out in the guide. If warranted, a CU’s intervention level can be increased or decreased by more than one level at one time. Risk profiles, as summarized by the ORR and typical supervisory actions for each corresponding intervention level are described below.

overall risk rating to intervention level

Level 1 – Normal

The CU has a sound financial position, adequate market conduct practices and sufficient controls, oversight, and governance for its size, complexity and risk profile. Its practices do not indicate any significant problems or material deficiencies. Early Warning System (“EWS”) ratios do not indicate material issues or flags. The CU is not likely to fail or pose any undue loss or harm to depositors in foreseeable circumstances.

Level 1 supervisory actions include but are not limited to:

  • monitoring of select information on a monthly, quarterly and/or annual basis
  • performing other supervisory activities including assessments
  • providing the CU with a supervisory letter annually and an interim supervisory letter as warranted

Level 2 – Early warning

The CU categorized at this level is not expected to fail or engage in practices that pose any immediate loss or harm to depositors; however, there are aspects of its risk profile that may create vulnerabilities under adverse circumstances, or its future trend may create vulnerabilities in the mid-term, and as such requires more extensive oversight by FSRA. Some EWS ratios have moved outside of the normal range. At Level 2 the CU is expected to implement an improvement plan to rectify or address identified concerns and commit to reducing its level rating. FSRA expects the CU to return to Level 1 (normal) within the timeframes established by an appropriate improvement plan.

In addition to activities in the preceding level, Level 2 supervisory actions may include but are not limited to:

  • placing the CU on the watchlist
  • conducting a higher frequency of supervisory assessments
  • receiving a detailed action plan with timelines to address identified items
  • requiring special assessments to be performed by external experts
  • requesting more frequent and detailed collection and analysis of data
  • performing follow up and assessments of remediation/action plan
  • communicating concerns to the CU’s Board, senior management, and internal and external auditors
  • requiring the CU to increase liquidity and/or capital levels
  • requesting additional stress testing and/or revised business plan and/or risk appetite statement
  • establishing or issuing expectations under a voluntary compliance agreement
  • increased deposit insurance premiums

Level 3 – Risk to financial viability or solvency

Improvements are needed as the CU’s business operations or circumstances potentially put depositors at risk. Many EWS ratios and indicators are outside normal range. At this Level, these improvements will be mandated by FSRA. The CU is unlikely to fail in the short-term but this expectation relies on FSRA’s view that supervisory intervention is necessary to help avert any failure. At Level 3 the CU must address identified problems or implement improvements to quickly reduce its level rating. The Board and senior management must demonstrate a commitment to improvement by establishing urgent timelines. FSRA expects a CU to reduce its level rating within the determined timeframe.

In addition to activities in preceding levels, Level 3 supervisory actions may include but are not limited to:

  • placing the CU under statutory supervision or administration
  • updating/revising recovery or restructuring plans
  • implementing the recovery or restructuring plans
  • requiring the CU to revise its capital recovery or business plans
  • requiring the internal auditor (or other control function) to expand the scope of review or to perform other procedures and prepare reports for FSRA/Administrator
  • engaging the external auditor to expand scope of review or to perform other procedures and prepare reports for FSRA/Administrator
  • issuing orders
  • updating the resolution plan (if already a FSRA requirement) or prepare contingency plan
  • requiring the CU to consider amalgamation/merger opportunities under FSRA’s oversight
  • entering into a voluntary compliance agreement
  • placing conditions or prohibitions on business authorization

Level 4 – Future financial viability or solvency in serious doubt

The CU has severe safety and stability concerns and is experiencing problems that are expected to pose loss to depositors unless corrective measures are promptly undertaken. Most EWS ratios and indicators are outside normal range. The CU has failed to remedy the issues identified in previous intervention levels and its situation is worsening. At Level 4 the CU will be directed to immediately resolve issues or implement mandated improvements. Immediate actions will be taken to reduce the CU’s overall risk and intervention level.

In addition to activities in preceding levels, Level 4 supervisory actions may include but are not limited to:

  • placing the CU under statutory administration
  • directing external specialists/consultants to assess specific areas (e.g., quality of loan security, assets values, provisioning, capital)
  • increased frequency (e.g., daily) and engagement with CU to monitor the situation on a continuous and ongoing basis
  • implementing the recovery plan
  • implementing the resolution plan (e.g., open CU resolution, Purchase & Assumption transaction)
  • winding down or amalgamating/merging the CU
  • divesting of non-core businesses
  • selling certain assets
  • closing branches
  • providing financial assistance to the CU

Level 5 – Nonviability or insolvency imminent or has occurred

The CU is experiencing severe financial difficulties and has deteriorated to such an extent that there is insufficient capital to adequately protect depositors from undue losses with a high level of certainty.

In addition to activities in preceding levels, Level 5 supervisory actions may include but are not limited to:

  • withdrawing business authorization
  • implementing the resolution plan (e.g., open CU resolution, Purchase & Assumption transaction)
  • placing the CU into liquidation or dissolution
  • paying out insured deposits

Appendix D: Market conduct

1. Inherent risk assessment

Market conduct inherent risk is an essential component of FSRA’s supervisory framework. It refers to the probability that the conduct, acts, or omissions of a CU or its staff harm or deliver poor/unfair outcomes for members or customers. It will be assessed by considering multiple sub- risks. These may increase or decrease the overall level of inherent market conduct risk and include risks of mis-selling, tied selling; misrepresentation; conflict of interest; improper use, disclosure or loss of private or confidential information; and unreasonable or unnecessary holding of funds.

Mis-selling of products and services

Mis-selling refers to the risk of selling members or customers unsuitable or unnecessary products or services.

Tied selling of products and services

Tied selling refers to the risk of requiring members or customers to acquire one or more additional products or services as a condition of another product or service.


Misrepresentation refers to the risk of presenting members or customers with incomplete, inaccurate or misleading information to influence their decisions (e.g., purchase of a specific product or service).

Conflict of interest

Conflict of interest risk refers to the risk of a CU putting the interest of the organization, the interest of a staff member, or the interest of another party ahead of their members’ or customer’s interests.

Improper use, disclosure, or loss of confidential or private member or customer information

Improper disclosure refers to the risk of a breach of security for members’ or customers’ confidential information.

Unreasonable or unnecessary holding of funds

Unreasonable or unnecessary holding of funds refers to the risk that a CU unreasonably hold funds, prevents or unreasonably restricts or imposes barriers to members’ or customers’ funds.

Quantitative or qualitative information may be used by a Supervisor as an indicator of market conduct inherent risk. Some examples of material information would include an organization’s regulatory compliance history; complaints activity including handling procedures; appropriate staff resources and training for product and customer suitability; compensation structures; business arrangements with product or service suppliers and intermediaries.

2. Controls and oversight assessment

Consistent with FSRA’s expectations on a CU’s internal governance framework, FSRA will consider the key functions listed below when assessing the Quality of Controls and Oversight Functions for a CU. A function’s assessment considers both the appropriateness of their characteristics and the effectiveness of their performance, in the context of the size, complexity and risk profile of the CU. Characteristics of a function refers to how it is designed to carry out its role. Performance of a function refers to its success in carrying out its role and responsibilities.

When assessing the characteristics and performance of each function, FSRA considers, at a minimum, the following essential elements:

Board of directors

Mandate roles and responsibility
Size and composition
Practices and expertise
Assessment of performance

Senior management

Organization structure
Committees Human resources policies and practices
Assessment of performance

Internal audit

Organization structure
Audit methodology and reporting
Relationship with other Oversight Functions
Assessment of performance

Risk management

Organization structure
Methodology and practices
Relationship with other Oversight Functions
Assessment of performance


Organization structure
Policies, practices, and methodology
Relationship with other oversight functions
Assessment of performance

Operational management

Policies and procedures on sales of products or services suitable for members and customers
Know your client and suitability assessment
Know your product
Compensation structure
Consent regarding changes

Tied selling
Pricing of products and services
Options for depositors
Suitability assessment
Policies and procedures

Policies and procedures
Process for developing advertising or promotional materials for members and customers
Content of advertising or promotional
Reporting to members and customers after the point of sale

Conflicts of interest
Policies and procedures
Reporting of conflicts
Management of conflicts

Disclosure of private or confidential member information
Policies and procedures
Consent for disclosure

Access to funds
Policies and procedures
Application of “Hold Fund” policy
Disclosure of “Hold Fund” policy
Approval of exceptions

Complaints handling
Policies and procedures

  • establishment and maintenance of Policies and Procedures
  • training

Designated complaints officer
Handling of complaints

  • transparency
  • consistency
  • timeliness
  • escalation process
  • resolution satisfaction

Record keeping

  • maintenance of records


  • nature of reporting
  • frequency of reporting
  • use of reports

Effective date: December 6, 2022

[1] Both the CEO of FSRA and FSRA may exercise discretion under the Act. However, for the purposes of this Guidance, reference will be made to FSRA, instead of the CEO, as the CEO may delegate his authority to FSRA, as permitted by the Act.
[2] See ss. 3(1), 3(2) and 3(4) of the FSRA Act.
[3] See s. 230 of the Act
[4] See s. 233 of the Act
[5] FSRA uses the following principles as the foundation for developing guidance: Accountable (Internal and External), Effective, Efficient, Adaptable, Collaborative and Transparent. The definitions of these principles can be found on the FSRA Guidance Framework webpage.
[6] Note that supervisors assess the credit union’s inherent risk in the context of the industry experience and the “impact” is to the generic institution (“an institution”) and not the specific CU that is being assessed. In contrast, later when arriving at the Summary Residual Risk FSRA refers to the impact to the specific CU being assessed.
[7] Core Principles for Effective Banking Supervision, BCBS, 2019.
[8] The Deposit Protection Program involves placing a CU which meets certain risk-based criteria under Supervision (s 230 of the Act), under Administration (s 233 of the Act) or in Dissolution (237 of the Act). Supervision is where FSRA has the statutory authority to order a credit union's Board of directors to correct its practices or refrain from undertaking activities that may harm the credit union. Administration allows the CU to continue to operate under FSRA’s direct control while providing sufficient time to develop and implement the most appropriate strategy to protect depositors. Dissolution is when a CU goes out of business and FSRA is appointed as liquidator to minimize the impact on the credit union's depositors, pay depositors, wind up affairs in an orderly manner, and maximize the recovery of assets.