Regulatory Compliance Management (RCM) Guideline (formerly Legislative Compliance Management (LCM))
I. Purpose and Scope of the Guideline

The purpose of the RCM guideline is to communicate OSFI's expectations with respect to the management of regulatory compliance risk by federally regulated financial institutions (FRFIs) [Footnote 1]. This guideline revises and replaces the 2003 LCM Guideline to better align it with guidance provided by more recently updated OSFI Guidelines [Footnote 2] and complements OSFI's Supervisory Framework and Assessment Criteria. The guideline also elaborates on a number of principles regarding key controls as part of RCM.

OSFI recognizes that FRFIs may have different RCM practices depending on a variety of factors, including their: size; ownership structure; nature, scope and complexity of operations; corporate strategy; risk profile; and geographical locations.

II. Definitions

(i) Regulatory Compliance Management (RCM)

The term "Regulatory Compliance Management" (RCM) in this guideline refers to the set of key controls through which a FRFI manages regulatory compliance risk.

(ii) Regulatory Compliance Risk

For the purposes of this guideline, regulatory compliance risk is the risk of a FRFI's potential non-conformance with laws, rules, regulations and prescribed practices ("regulatory requirements") in any jurisdiction in which it operates. It does not include risk arising from non-conformance with ethical standards. Regulatory requirements are those applicable to the FRFI or a subsidiary worldwide that require the FRFI or subsidiary to do (or prohibit it from doing) certain things, or to act or conduct its affairs in a particular manner.

(iii) RCM Framework

A RCM framework refers to the structures, processes and other key control elements through which a FRFI and its subsidiaries manage and mitigate regulatory compliance risk inherent in their activities enterprise-wide [Footnote 3].

III. RCM Framework – Overview

OSFI considers an effective RCM framework to be an essential component of an overall risk management program that provides the means by which a FRFI satisfies itself that it is in compliance with applicable regulatory requirements. Non-compliance with applicable regulatory requirements can have significant negative effects on a FRFI's reputation and/or safety and soundness and may lead to increased regulatory intervention.

The RCM framework should enable a FRFI to apply a risk-based approach for identifying, risk-assessing, communicating, managing and mitigating regulatory compliance risk. The framework should also include a definition of regulatory compliance risk appropriate for the FRFI.

Overall responsibility for assessment and management of regulatory compliance risk within the FRFI should be assigned to an individual who is independent from operational management, has sufficient stature, authority, resources and support within the FRFI to influence the FRFI's activities, and who should be designated, at least functionally, as the FRFI's Chief Compliance Officer (CCO) or equivalent. Although most FRFIs will have a dedicated CCO position, OSFI recognizes that this individual may have other responsibilities as well, especially in the case of small, less complex FRFIs. Staff assigned to compliance responsibilities, including the CCO, should have the appropriate skills and knowledge of the business and regulatory environments that are essential to effective RCM. See further, Role of CCO, below.

OSFI assesses the quality of RCM at the following levels of control:
OSFI expects the RCM framework to be reviewed and updated regularly, at least annually, to address: any need for improvement, new and changing regulatory compliance risk, new business activities and any changes to corporate structure. The review methodology should include a mechanism that holds individuals or areas accountable for their assigned duties or functions.

OSFI will administer its RCM supervisory program in a manner appropriate to the circumstances of each FRFI. Each FRFI, regardless of its size, is expected to have risk management controls that are proportionate to its identified risks.

IV. RCM Framework

Key controls, including oversight functions, are the basic elements of a sound RCM framework. At a minimum, OSFI expects the RCM framework to include the following, administered through a methodology that establishes clear lines of responsibility and a mechanism for holding individuals accountable:

(i) role of the CCO;
(ii) procedures for identifying, risk assessing, communicating, effectively managing and mitigating regulatory compliance risk and maintaining knowledge of applicable regulatory requirements;
(iii) day-to-day compliance procedures;
(iv) independent monitoring and testing procedures;
(v) internal reporting;
(vi) role of Internal Audit or other independent review function;
(vii) adequate documentation; and
(viii) role of Senior Management [Footnote 7].

Each of these items is described in further detail below.

OSFI expects FRFIs to establish and maintain an effective enterprise-wide RCM framework. RCM controls should include oversight by individuals or oversight functions that are independent of the activities they oversee.
(i) Role of the CCO

The CCO should be responsible for assessing the adequacy of, adherence to and effectiveness of the FRFI's day-to-day controls, and for opining on whether, based on the independent monitoring and testing conducted, the RCM controls are sufficiently robust to achieve compliance with the applicable regulatory requirements enterprise-wide. The CCO should have a clearly defined and documented mandate, unfettered access, and, for functional purposes, a direct reporting line to the Board or Branch Management. See further, Compliance Reports to Senior Management, below.

Where an institution lacks a particular oversight function, or such oversight function is not sufficiently independent or does not have enterprise-wide responsibility, OSFI expects other functions, within or external to the FRFI, to provide an appropriate level of independent oversight.

(ii) Procedures for Identifying, Risk Assessing, Communicating, Managing and Mitigating Regulatory Compliance Risk and Maintaining Knowledge of Applicable Regulatory Requirements

Reasonable [Footnote 8] procedures should exist to assure that appropriate individuals are provided with current and accurate information needed to identify, assess, communicate, manage and mitigate regulatory compliance risk, and maintain knowledge of applicable regulatory requirements. The procedures should enable a FRFI to take a risk-based approach to managing regulatory compliance risk so that appropriate resources are allocated to higher risk areas. The information provided should be updated, as necessary, to reflect new and changing regulatory requirements. In addition, such procedures should assure that information is updated when changes with respect to products, services, strategic plans, other activities and corporate structure are made.
(iii) Day-to-Day Compliance Procedures

Appropriate procedures should exist in operational management [Footnote 9] to reasonably assure that a FRFI is complying on a day-to-day basis with the regulatory requirements applicable to the activities of the FRFI. Such procedures should be tailored to the business activities. They should be incorporated into, and maintained in, relevant business operations. The procedures should also include a monitoring and testing component using a risk-based approach to reasonably assure the adequacy of, adherence to, and effectiveness of such procedures in business operations.

(iv) Independent Monitoring and Testing Procedures

The adequacy of, adherence to, and effectiveness of day-to-day compliance procedures should be independently [Footnote 10] overseen by the CCO [Footnote 11], using a risk-based approach. Where appropriate in the circumstances of the FRFI, independent monitoring and testing [Footnote 12], wherever it is conducted within the FRFI, should be sufficiently consistent enterprise-wide to enable the aggregation of information to identify any patterns, themes or trending in compliance controls that may indicate weaknesses. Compliance control processes should include verification of key information (including significant remediation activities) used in compliance reporting.

The adequacy of, adherence to and effectiveness of compliance oversight should be validated by Internal Audit or other independent review function [Footnote 13]. Such validation should be on a rotational or other regular basis, and should be undertaken using a risk-based approach. This includes testing of both operational and independent oversight levels of compliance controls. Such review function should be independent of the activities it reviews, and have appropriate skills and a good knowledge of the business and regulatory environments.

(v) Internal Reporting
(vi) Role of Internal Audit or Other Independent Review Function

The activities carried out by the CCO should be subject to periodic review by Internal Audit or other independent review function. The scope of work should consider the reliability of the RCM framework, which includes management's identification of material regulatory compliance risks and their corresponding controls, the accuracy of reporting on compliance, and an assessment of the effectiveness of the compliance oversight. Internal audit methodologies need to be supplemented by effective challenge and an attitude of "professional skepticism" by internal auditors [Footnote 16].

Review findings that are considered significant should be reported, as appropriate, to operational management, the CCO and Senior Management. Actions taken by operational management in response to significant review findings should be monitored as appropriate by Senior Management.

(vii) Adequate Documentation

OSFI expects the roles and responsibilities of all individuals involved in RCM to be clearly documented. Both the day-to-day and independent oversight review levels of key control elements should produce sufficient documentation that demonstrates how regulatory compliance risk is managed and supports the flow of information reported to the CCO and Senior Management. Such documentation should also support the periodic assessment of the RCM framework.

(viii) Role of Senior Management

OSFI expects Senior Management to oversee the RCM framework. Senior Management should take reasonable measures to assure that:
Senior Management should also proactively consider whether RCM deficiencies identified in one area of the FRFI's operations may also be present in other areas.

Please refer to OSFI's Corporate Governance Guideline for OSFI's expectations of FRFI Boards of Directors in regards to operational, business, risk and crisis management policies.

V. OSFI's Supervisory Assessment

OSFI conducts supervisory work and monitors the performance of FRFIs to assess safety and soundness, the quality of control and governance processes, and regulatory compliance. Supervision is carried out within a framework that is principles-based and focused on material risks. The intensity of supervision will depend on the nature, size, complexity and risk profile of a FRFI, and the potential consequences of the FRFI's failure.

When supervising FRFIs, OSFI assesses their RCM frameworks against the expectations of this guideline. Such assessments may also be made in the case of applicants who seek Ministerial approval to incorporate or register new FRFIs. Regardless of where RCM roles and responsibilities reside in a FRFI or how they are constructed, OSFI's assessment will focus on the FRFI's ability to manage its regulatory compliance risk.