Each year, the Office of the Superintendent of Financial Institutions (OSFI) holds a seminar in Toronto to update both in house lawyers and outside counsel on recent activities undertaken by the Legislation and Approvals Division. In addition to administering applications for approvals under the Bank Act, Trust and Loan Companies Act and Insurance Companies Act, the Division is responsible for developing much of the guidance that is published by OSFI including guidelines, advisories and rulings. The most recent seminar was held on November 25th. Some of the highlights of this year’s seminar are discussed below.
New deposit-taking institutions
OSFI noted that it currently has under review applications for 19 new deposit-taking institutions. This seems like a very big number when you consider that currently there are less than 100 active federally regulated deposit-taking institutions. However, a review of the notices of intention to apply published over the last three years indicates that many of these applications have been filed by foreign banks that have a Schedule II subsidiary in Canada and are now looking to either add a Schedule III branch or convert their subsidiary to a branch. The actual number of net new applicants is actually much lower.
Although not in the written materials circulated by OSFI for the meeting, OSFI indicated that in 2014-2015 two applications for deposit-taking institutions were approved. One for a new domestically owned institution and one for an institution associated with a foreign bank. Given the large number of applications that OSFI stated were under review, this suggests that applications are continuing to take a long time to process. Earlier this year, OSFI released an update of its Guide for Incorporation of a Deposit-taking Institution. One of the stated purposes for the update was to streamline the application process. We will have to wait for next year’s statistics to see if the new process is resulting in more applications being successfully completed. Of course, OSFI’s review process is not the only factor that impacts the time that it takes to successfully complete the application process.
Recently, there have been some important transactions involving the transfer of portfolios of leases and OSFI took the opportunity to review the peculiar rules applicable to federally regulated institutions with respect to leasing. OSFI reminded everyone that, in addition to being restricted to “financial leasing”, leasing of motor vehicles is restricted to large vehicles (over 21 tonnes) and leasing of personal household property is prohibited. However, OSFI noted that institutions are prohibited from “entering into” such leases. This means that the prohibition does not apply if an institution is acquiring an existing lease, such as case when it is acquiring a portfolio of leases. OSFI did caution that when an institution acquires leases that would not otherwise be permitted, issues can arise down the road if the lease is renewed. Depending on the changes that are made to the terms of the lease on renewal, the institution could be considered to be entering into a new lease, which may not be permitted.
OSFI also noted that all leases, even those that it acquires through a portfolio transfer must be financial leases. In OSFI’s view a financial lease is one that is a loan substitute. To determine if a lease is a loan substitute OSFI stated that they consider the residual value of the leased property under the lease. A lease that has an unguaranteed residual of 25% or more would generally not be considered to be a financial lease. Further, OSFI indicated that if the aggregate unguaranteed residuals for a portfolio of leases exceeds 10% the portfolio would generally not be considered to be a portfolio of financial leases.
Finally, OSFI also provided some guidance on its interpretation of the exception from the 21 tonne rule made for motor vehicles that are “utility trucks”. In this regard, OSFI stated that a utility truck is a vehicle with special equipment that cannot be easily removed and that are used at a particular destination to perform particular tasks. One of the example OSFI provide was the all too familiar “chip wagon”.
Disclosure of supervisory information
OSFI took the audience through the recent amendments made to the legislation to provide greater protection from disclosure for “prescribed supervisory information”. The information, such as OSFI examination results, is now protected by evidentiary privilege. When asked whether there was any thought being given to extending protection for institutions that self-report regulatory issues, OSFI responded that it did not feel that it could do anything further in this regard without the support of the provinces.
Final operational risk guidance
Last August, OSFI issued draft Guideline E-21 under which it set out its expectations for operational risk management. At the seminar, OSFI confirmed that it intends to issue a final guideline either in December or January. As with most OSFI Guidelines, the draft guideline essentially set out OSFI view of best practices in operational risk management. Therefore, institutions that have robust operational risk management frameworks in place may not have to make major changes to conform those practices to the Guideline. Others that may not have formalized their frameworks will face a bigger burden. OSFI did not indicate if their will be transitional relief to allow institutions to bring their practices into conformity over time.
International capital reform
OSFI reviewed for the audience the areas currently under review at the Basel Committee for Bank Supervision. According to OSFI, the areas under review include the risk-weighted assets framework, the calibration of capital floors, the standardized and internal ratings based approaches for credit risk, the trading book rules for market risk, operational risk, interest rate risk in the banking book, the calibration of the leverage ratio and sovereign risk. Essentially, it would appear that just about every aspect of the Basel capital rules are still open for further review.
OSFI devoted an entire portion of the seminar to cyber security risk. OSFI reminded everyone that in 2013 OSFI issued a self assessment template that it expected institutions to use to assess their current practices in this area. OSFI indicated that it will be focusing on cyber risk management as part of its examinations and encouraged any institutions that may not have completed an assessment based on the template to do so. Four areas that OSFI mentioned as needing improvement based on its reviews to date were:
- Implementing of data loss prevention measures
- Implementing advanced analytic tools enterprise wide to mitigate against new malware and cyber threats
- Centrally managing the deployment of security patches, including all types of mobile devices in use
- Implementing tighter controls over the use of elevated system privileges
- Conducting enhanced security checks on IT specialists with elevated privileges
- Enhancing the due diligence and monitoring of 3rd party arrangements, including parent organizations and sub-contracting arrangements
- Developing test programs for all external cyber security mitigating services