Last April, the Office of the Superintendent of Financial Institutions (OSFI) released for comment an updated version of its guideline on Legislative Compliance Management (to be renamed Regulatory Compliance Management) (the RCM Guideline). The RCM Guideline requires every bank and insurance company to adopt a regulatory compliance management framework, and it sets out OSFI’s expectations regarding regulatory compliance and the key elements of that framework. The comment period on the draft expired in June, and it is widely expected that the final updated guideline will be released sometime this fall.
OSFI has stated that the purpose of issuing the new RCM Guideline was to better align it with certain other guidelines that have recently been updated, including its revised Corporate Governance Guideline. The Corporate Governance Guideline overlaps with the RCM Guideline by setting out certain expectations for “control functions”, including the compliance function. While OSFI does not consider that the revised RCM Guideline creates any new requirements for banks and insurance companies, a careful reading of the draft suggests that, at the very least, OSFI felt there was a need to place greater emphasis on certain of its expectations.
Three Lines of Defence
For example, one area that appears to have been enhanced in the draft RCM Guideline is the discussion of line management’s accountability for compliance. The RCM Guideline, like its predecessor, adopts the three lines of defence approach to compliance, with the compliance function acting as an independent oversight function. What is new is the extra emphasis in the Guideline on the accountability of the first line. This suggests that OSFI is continuing to uncover instances where the compliance department functions more as part of the business, with direct responsibility for developing compliance controls. However, while the draft RCM Guideline contains a more detailed discussion of management’s accountabilities, there is one small area where the Guideline could still create confusion over the respective responsibilities of management and compliance. When referring to the responsibilities of the Chief Compliance Officer (CCO), the Guideline states that the CCO has overall responsibility for compliance. To be consistent with the three lines of defence model, this was probably meant to say that the CCO has overall responsibility for compliance oversight, with responsibility for compliance itself resting with the first line.
Allowing for Flexibility
Another area where the RCM Guideline appears to place greater emphasis is OSFI’s expectation that the compliance framework will be specifically tailored to the particular circumstances of each institution. For example, the RCM Guideline provides that each institution may have different RCM practices depending on a variety of factors, including size; ownership structure; nature, scope and complexity of operations; corporate strategy; risk profile; and geographical locations. In recent years, OSFI has been criticized for applying a “one-size-fits-all” approach, holding the smaller banks and insurance companies to the same standard that it applies to their much larger competitors. The drafting of the Guideline indicates that OSFI is sensitive to that criticism. Of course, whether OSFI will find meaningful ways to differentiate between the larger and the smaller institutions with respect to the expectations of the RCM Guideline remains to be seen.
Reporting and Escalation
One other aspect of the draft RCM Guideline is worth noting. Under the draft, the CCO is responsible for advising the board on the accuracy and effectiveness of the information and analysis provided by management. By including this expectation, OSFI has emphasized that it is management, and not compliance, that should be speaking to the board about compliance issues, with the CCO providing an independent assessment of what management reports. It also emphasizes the importance of compliance monitoring and testing, since it is through these programs that the CCO obtains the information needed to critically analyse what management provides to the board. Again, while this may always have been OSFI’s expectation, the inclusion of the statement suggests that OSFI continues to see instances where all compliance reporting comes from the compliance function.
You may access the draft RCM Guideline on OSFI’s website by clicking here.