On November 13th, the Office of the Superintendent of Financial Institutions (OSFI) issued the final version of Guideline E-13 – Regulatory Compliance Management (RCM Guideline). The RCM Guideline sets out OSFI’s expectations for compliance risk management at all federally regulated financial institutions (including all Canadian banks and most Canadian insurance companies). The Guideline replaces the former Legislative Compliance Management Guideline issued in 2003 (the 2003 Guideline). Since the 2003 Guideline was issued, OSFI has reissued both its Guideline on Corporate Governance and its description of its Supervisory Framework, both of which make reference to aspects of OSFI’s expectations for compliance risk management. In issuing the new RCM Guideline, OSFI stated that one of the primary purposes for reissuing the Guideline was to ensure that it was aligned with the guidance expressed in these more recent documents.
OSFI also maintains that the RCM Guideline does not create any new regulatory requirements. In the broadest sense, this is true, as OSFI’s expectations for the general framework used to manage regulatory risk have not changed. The 2003 Guideline clearly required that institutions adopt the three lines of defence model, with responsibility shared between operational management, an independent compliance function and internal audit. However, the RCM Guideline elaborates considerably on the various aspects of the RCM framework. Institutions will need to assess their current practices to determine whether any gaps exist between their existing RCM frameworks and the newly elaborated expectations.
One notable change from the draft RCM Guideline that was circulated for comment last spring is the removal of “ethical standards” as one of the sources of regulatory compliance risk. In a complete reversal from the draft Guideline, the RCM Guideline now expressly states that regulatory compliance risk does not include the risk arising from non-conformance with ethical standards. Of course, this exclusion does not mean that institutions do not need to consider the risk of non-compliance with ethical standards. Indeed, the failure to meet ethical standards can lead to significant reputational damage for a firm. For this reason, there is a growing body of literature that recommends that firms consider broadening the mandate of their chief compliance officers to include the role of chief ethics officer. Indeed, some commentators have said that the true first line of defence for a compliance program is the ethical culture of an organization. An organization that has a high ethical standard will tend to do the right thing even if its compliance program is not particularly robust. Meanwhile, the most robust compliance program may not head off problems if the ethical culture is weak. It will be interesting to see whether OSFI chooses other means to raise ethics and ethical standards with institutions.
Definition of Regulatory Requirements
The RCM Guideline’s definition of “regulatory requirements” has been broadened somewhat to include “rules” and “prescribed practices”. In the wake of the 2008 financial crisis, regulators have been seeking out more flexible tools, such as guidelines, advisories, notices, etc., to communicate their expectations to financial institutions. By broadening the list of potential sources of regulatory requirements in the RCM Guideline, OSFI is communicating an expectation that compliance programs deal comprehensively with all potential sources of requirements. While OSFI expects compliance programs to be comprehensive, this can present challenges for compliance teams in areas that require a high degree of expertise such as those respecting capital or corporate tax. Institutions will have to consider whether their compliance programs deal comprehensively with all sources of requirements and, if they do not, consider what additional arrangements can be put in place to address the gaps.
Monitoring and Testing
While the 2003 Guideline referred to monitoring as an element of a compliance program, the RCM Guideline contains considerably more commentary with respect to monitoring, and explicitly refers to testing as a distinct program element. While it may seem obvious today that a compliance function must carry out independent testing of the controls established by operational management, until recently, many compliance functions viewed themselves more as business partners helping operational management to develop their controls. This day-to-day relationship with the business side of an organization allowed for close monitoring of compliance and compliance developments, but did not incorporate a formal testing program. The direct reference to testing in the RCM Guideline appears to confirm that these types of monitoring activities are not sufficient. Institutions will have to look at ways to incorporate a testing element into their compliance program.
At a recent Canadian Institute conference on regulatory compliance at financial institutions, the role of internal audit under the RCM Guideline’s new compliance framework was a focus of some panel discussions. It was apparent from the questions received from the audience that many people were struggling to understand how the compliance testing function and internal audit differ. While compliance and audit testing appear to be similar concepts, the RCM Guideline states that testing in the second line of defence is not intended to duplicate the work of internal audit. While OSFI representatives and several other commentators attempted to draw a distinction between the two roles, it was apparent that much confusion remained. Institutions will have to see how practice in this area develops and adjust their compliance programs accordingly.
While the RCM Guideline is not supposed to create any new regulatory requirements, institutions have been given until May 1, 2015 to implement it. Benchmarking current practices against the RCM Guideline will have to begin immediately.