The Risk Based Supervisory Framework (“RBSF”) sets out FSRA’s approach for supervision and risk assessment of Ontario Credit Unions and Caisses Populaires (CUs). Its primary focus is to determine the impacts of current and potential future events, both internal and external, on the risk profile of each CU, and drive FSRA’s allocation of supervision resources.
This guidance articulates FSRA’s supervisory approach for all CUs, as well as the practices and processes for determining a CU’s Overall Risk Rating (ORR) and level of FSRA’s supervisory activity under the Credit Unions and Caisses Populaires Act, 2020 (the Act), supporting Regulations and FSRA Rules and Guidance.
This Approach Guidance does not prescribe compliance obligations for CUs. Rather, it is intended to define the processes and practices that FSRA will follow when establishing supervision plans and exercising supervisory action or discretion powers under the Act.[1]
The level and extent of supervision under the RBSF will depend on the nature, size, complexity, and risk profile of the CU, and the potential consequences of the CU’s failure including systemic impact and non-compliance.
This Approach Guidance affects the following entities regulated by FSRA:
- Credit Unions and Caisses Populaires incorporated under the Act.
As part of its supervisory reviews, FSRA will apply this framework to subsidiaries or other entities connected to the CU through financial or management resources, or whose conduct may affect CU members and customers (i.e., consolidated group supervision).
This guidance complements the information provided in, and should be read in conjunction with, other FSRA guidance and supporting publications available on FSRA’s website, “Guidance – Credit Unions and Caisses Populaires” and “Rules.”
Rationale and background
FSRA uses an integrated RBSF to identify imprudent or unsafe business practices and misconduct impacting customers, including depositors, at CUs and intervenes on a timely basis. FSRA’s RBSF integrates prudential and market conduct supervisory activities to comprehensively assess the risk profile and determine the overall risk rating of each CU.
The RBSF is designed to assist FSRA in meeting its statutory objects and obligations under the Financial Services Regulatory Authority of Ontario Act, 2016 (the FSRA Act)[2]. The RBSF will support FSRA’s efforts to:
- contribute to public confidence in the CU sector
- promote high standards of business conduct in the CU sector
- protect the rights and interests of consumers
- foster strong, sustainable, competitive, and innovative financial services sectors
- provide insurance against the loss of part or all of deposits with CUs
- promote and otherwise contribute to the stability of the CU Sector with due regard to the need to allow CUs to compete effectively while taking reasonable risks
- pursue the objects of persons having deposits with CUs and in such manner as will minimize the exposure of the Deposit Insurance Reserve Fund (the DIRF) to loss
FSRA will use the RBSF to supervise CUs, including to determine the extent and frequency to which individual CUs should be subject to examinations pursuant to s. 201 of the Act, supporting regulations, FSRA rules (including but not limited to the Sound Business and Financial Practices Rule, Capital Adequacy Rule and Liquidity Adequacy Rule) and guidance (including with respect to Internal Capital Adequacy Assessment Process (ICAAP) and Internal Liquidity Adequacy Assessment Process (ILAAP) as required).
The ORR of a CU will also help FSRA consider whether a CU should be subject to increased regulatory activity, including supervision[3] and administration.[4] It will also determine the supervisory actions that typically occur at each of the intervention levels, which may include recovery and resolution activities.
A significant result of this improved risk-sensitive supervisory process is that FSRA will be able to calculate DIRF assessments with greater accuracy so premiums will be better aligned to the risk profile of each CU and the sector in aggregate.
Approach – processes and practices
FSRA has developed this Approach Guidance to provide clarity in respect of FSRA’s supervisory practices and approach to supervision through the articulation of the key principles and features of the RBSF. This guidance also articulates how FSRA assesses the most important prudential and conduct risks posed by CUs to supervisory objectives and the extent to which CUs can manage, mitigate, and contain these risks.
The new RBSF is dynamic and principles based as it adopts the most up-to-date national and international supervisory practices. The RBSF increases the effectiveness of supervision by enabling supervisory outcomes to be met while increasing efficiency through improved processes and resource allocation. It involves allocating resources to the areas of greatest risk; for example, not all activities within a CU may need to be assessed at every review.
Guiding principles and supervisory standards
The foundation of FSRA’s RBSF is centered around the Risk Definition, Principles, and Supervisory Standards described below.
The Risk Definition provides clarity for the meaning of “risk” wherever it is used in the RBSF and is applied consistently in the risk assessments of all CUs.
Risk in FSRA’s RBSF is assessed with respect to both possibility of financial loss to depositors and possibility that the conduct, acts, or omissions of a CU or its staff harm or deliver poor/unfair outcomes for its members and customers.
The RBSF Principles focus on achieving outcomes from supervisory work and are aligned with FSRA’s principles[5].
Supervisory work is performed to achieve successful supervisory outcomes rather than completing a standard cycle or process.
Supervisory work focuses on material risks of business activities that could pose threats to achieving the key supervisory outcome of minimizing possible losses to depositors and harm to consumers.
Dynamic, proactive, and adaptable
Supervisory work is continuous, dynamic, and timely to ensure changes in the business, sector, and environment are identified early and reflected in FSRA’s actions and priorities.
Supervisory work results in a consolidated assessment of risks in the business of the CU. This holistic approach includes assessment of all material CU entities such as subsidiaries, joint ventures, and other material investments and activities.
The Supervisory Standards describe key aspects of how FSRA supervisors conduct supervisory work using the RBSF. They form the standards of practice and roles of FSRA supervisors.
To the extent possible, assessments are forward-looking and consider the velocity, persistence, and amount of change of the risks. This enables early identification of issues, timely intervention, and higher likelihood of achieving desired outcomes.
Supervisors exercise sound judgment, supported by rationale, in identifying and evaluating risks in a CU.
Supervisors combine sufficient quantitative and qualitative evidence to support judgments, findings, recommendations, and requirements.
Efficient and effective
Supervisory work and assessments are planned and completed in an efficient and effective way and with due regard to the risk profile of each CU. This includes use of FSRA’s regulatory actions, data collection, filing requirements, guidance documents, enforcement tools, and service standards.
Use of work of others
FSRA uses, where appropriate, the work of others (External Audit, Internal Audit and other oversight functions and regulators) to augment its supervisory work and minimize regulatory burden and duplication of effort.
FSRA designates a relationship manager (RM) for each CU. The RM is the main point of contact for the CU and engages in ongoing dialogue with CU management. The RM is responsible for maintaining an up-to-date risk profile of the CU and is supported by specialists and other staff within FSRA in performing this function. The RM is responsible for providing FSRA’s feedback to the CU, leading discussions about the assessment and examination results, and the development, implementation, and monitoring of timely remediation plans by the CU.
The level and extent of supervision will depend on the size, complexity, and risk profile of the CU, and the potential consequences of a CU’s failure. Where there are identified risks or areas of concern, the degree of intervention will be commensurate with the risk profile. CUs that are well managed relative to their risks will require less oversight.
Risk-Based Supervisory Framework overview
This section of the guidance articulates the three essential elements of FSRA’s RBSF: the Risk Assessment Process, the Risk Management Process, and the Supervisory Process.
A. Risk assessment process
The following elements of FSRA’s RBSF enable a common approach to risk assessment across CUs and over time. The Risk Matrix (as shown in Appendix A: Risk Matrix) is used to record all the assessment ratings for the various elements of the RBSF that are described below.
For each of the elements in the matrix, supervisors will apply a rating based on a five-level scale (refer to Appendix B) where the criteria are tailored to each of the elements assessed.
1. Significant activities and importance
The CU’s significant activities are identified at the start of the risk assessment process. A significant activity can be a line of business, business unit or enterprise-wide process that is fundamental to the CU’s business model and its ability to meet its overall business objectives. The identification and assessment of significant activities and their relative importance (i.e., materiality) require the use of supervisory judgment which is informed by knowledge of the CU’s external environment, sector, and business profile. To understand the business profile of a CU, supervisors use various sources including the CU’s organization charts, strategic business plan, capital allocations, internal audit reports, and internal/external reporting.
2. Inherent Risk
Inherent risks are assessed for each significant activity of a CU. Inherent risk is intrinsic to a business (significant) activity and arises from exposure to, and uncertainty from, potential future events. Inherent risk is evaluated before any mitigation and by considering the probability of an adverse impact to an institution’s[6] capital or earnings, and ultimately its depositors. When determining the probability of an adverse impact arising from Market Conduct Risk, supervisors will consider the probability that the conduct, acts, or omissions of a CU or its staff harm or result in poor/unfair outcomes for its members and customers.
Inherent risk is assessed without regard to the size of the activity relative to the size of the CU, and before considering the CU’s Quality of Controls and Oversight. FSRA uses the following six categories to assess inherent risk:
- Financial inherent risks
- Non-financial inherent risks
- Market Conduct
The above umbrella inherent risk categories cover other risk sub-categories including, for example, legal risk and reputational risk.
Based on the inherent risks identified for a significant activity and the level of these inherent risks, supervisors will assess the extent to which a commensurate level of controls and oversight is needed to adequately mitigate the inherent risks.
Refer to the information published in FSRA’s guidance on the Credit Union Market Conduct Framework for FSRA’s expectations on how CUs can ensure they are treating their members and customers fairly. Appendix D to this guidance also contains details about market conduct risk and assessments.
3. Quality of Controls and Oversight (QCO)
The assessment of QCO for each significant activity (activity) considers both the appropriateness of their characteristics and the effectiveness of their performance, in the context of the size, complexity, and risk profile of the CU. Characteristics of a function refers to how it is designed in order to carry out its role. Performance of a function refers to its effectiveness in carrying out its role and responsibilities. The performance assessment is more important than the characteristics assessment. Consequently, the performance assessment will carry more weight when determining the rating of an activity.
Operational management for any significant activity (activity) is responsible for the controls used to manage that activity’s inherent risks on a day-to-day basis. Operational management ensures that the CU’s line staff clearly understand the risks that the activity faces and must manage, and that policies, processes, and staff are sufficient and effective in managing these risks. When assessing operational management, FSRA’s primary concern is whether operational management can identify the potential for material loss or misconduct that may arise by taking on that activity and has in place adequate controls to mitigate the inherent risks that may materialize and cause loss or misconduct (see Appendix D). In general, the extent to which FSRA needs to review the effectiveness of operational management of a significant activity depends on the effectiveness of the CU’s oversight functions. If a CU has sufficient and effective (e.g., adequate) oversight functions, FSRA may not need to also assess the effectiveness of operational management independently of the oversight functions.
Oversight functions are responsible for providing independent, enterprise-wide oversight to operational management for each significant activity. There are six oversight functions: Financial; Compliance; Risk Management; Internal Audit; Senior Management; and Board of Directors. The financial oversight function is relevant to overseeing the identification and mitigation of financial and related risks and is not involved in overseeing market conduct risk management.
The Oversight Functions provide objective assessments to the directors of the Board and Senior Management to allow them to fulfill their responsibilities. The Oversight Functions identify, measure, and report on the CU’s risks, assess the effectiveness of the CU’s risk management and internal controls, and determine whether the CU’s operations and risk exposures are consistent with the CU’s risk appetite.
The presence and nature of these functions vary based on the size, complexity, and risk profile of a CU and the inherent risks in its significant activities. Where a CU lacks a critical oversight function (e.g., internal audit, risk management, etc.) and has engaged external expertise to perform that function, FSRA expects the CU to maintain accountability for that function (i.e., CUs can outsource the function’s responsibility but not the accountability and not ownership of risks).
Where a CU lacks some of the other Oversight Functions, or where they are not sufficiently independent or do not have enterprise-wide responsibility, FSRA will, in applying proportionality, assess the effectiveness of other functions (e.g., senior management) in providing the expected, adequate, and independent oversight.
FSRA will assess the stature and authority of the executive leadership (heads) of the Oversight Functions within the organization and the extent to which they are independent from operational management. FSRA will look to ensure that the heads have unfettered access and a functional reporting line to the Board or the appropriate Board committee.
Controls and Oversight, including corporate governance assessments, are based on an evaluation of a CU's current practices for each risk management control and oversight function related to the CU’s significant activities. This evaluation is closely related to the assessment of a CU’s adherence with the requirements of FSRA’s Sound Business and Financial Practices Rule.
Enterprise-wide oversight ratings
The enterprise-wide oversight assessment is the supervisor’s determination of the oversight function’s effectiveness across all activities to provide an enterprise-wide view. It considers the function’s characteristics and performance (and FSRA’s expected outcomes) in executing its oversight responsibilities.
The assessment focuses on how well the oversight function oversees the institution and considers any weaknesses in the function’s characteristics that may not have affected its performance yet but may do so in the future. Hence, these ratings act as early warning indicators of potential future performance issues with the oversight functions within the activities.
4. Residual risk
Residual Risk is defined as Inherent Risks mitigated by the Quality of Controls and Oversight. For each significant activity the level of residual risk is determined by considering all relevant and rated inherent risks and QCO ratings. For each significant activity FSRA will assess the degree to which a CU maintains a level and quality of controls and oversight that is commensurate with the level of inherent risks, so the level of residual risk is considered prudent.
5. Prudential Summary Residual Risk (PSRR), Market Conduct Summary Residual Risk (MCSRR), and Summary Residual Risk (SRR)
The PSRR and MCSRR measure the prudential and market conduct risk profiles of the CU based on inherent risks taken on by engaging in significant activities, mitigated by controls and oversight functions, but before the assessment of capital, liquidity, and resilience.
The PSRR is the aggregation of the ratings for the residual risks of all significant activities weighed according to their importance. The MCSRR is determined in a similar way to the PSRR but from a market conduct perspective.
The SRR is determined after considering both the MCSRR and the PSRR.
6. Capital and Earnings, Liquidity, and Resilience
This section should be read and interpreted in conjunction with the information published in other FSRA guidance, rules and supporting publications related to capital and earnings, liquidity and resilience located on the FSRA website in the “Guidance – Credit Unions and Caisses Populaires” and “Rules” webpages.
Capital and earnings
Capital is a source of financial support to protect against unexpected losses and is a key contributor to the safety and soundness of the CU. Capital management is the on-going process of raising and maintaining capital at levels sufficient to support planned operations. For more complex CUs, capital management also involves allocation of capital to recognize the level of risk in its various activities. Credit unions must consider their exposure to Environmental, Social and Governance (ESG) risks and assess their effects on capital.
FSRA assesses the capital adequacy of a CU on both a current (at time of assessment) and forward-looking time frame (e.g., how expected earnings would affect the capital position). This approach enables a longer and wider view of the CU’s capital adequacy and recognizes the key role that retained earnings plays in maintaining and building the capital base of CUs.
Liquidity is the ability of a CU to obtain sufficient cash or its equivalents in a timely manner at a reasonable price to meet its commitments as they fall due. Managing and maintaining adequate levels of liquidity are critical for the overall safety and soundness of a CU. The CU must ensure that there is enough liquidity to ensure orderly funding, operational expenses and other obligations and provide a prudent cushion for unforeseen liquidity needs. A CU’s obligations, and the funding sources used to meet them, depend significantly on its business mix, balance sheet structure, and the cash flow profiles of its on and off-balance sheet obligations.
Liquidity risk management is of paramount importance because a liquidity shortfall at a CU can have potential sector-wide repercussions. Credit unions must consider their exposure to Environmental, Social and Governance (ESG) risks and assess their effects on liquidity. FSRA uses quantitative and qualitative measures in the assessment of a CU’s liquidity adequacy and liquidity management programs.
Resilience is the ability of a CU to respond to adversity, absorb shocks, and adapt to changes especially during a period of stress or crisis. It is the ability of the CU to continue to:
- deliver on its objectives
- remain sustainable and prosper
- make positive adjustments under challenging conditions
- emerge strengthened and more resourceful
The Board and senior management of a CU have a fiduciary duty to plan for adverse scenarios and to ensure that the CU is crisis ready. This aligns with FSRA’s goal of protecting deposits held at CUs and contributing to the stability of the sector.
Significant stress or failure of one CU could accelerate stress at others and lead to other failures in the sector. Risk of contagion could further manifest in the broader financial services system due to loss of confidence of depositors and customers.
A resilient CU should be able to:
- respond effectively to any type of event
- monitor current environment
- anticipate future threats and opportunities
- learn from past failures and successes
Overall resilience of a CU is assessed holistically through both financial and non-financial factors and considers both “business as usual” and “post-stress event” conditions. Financial resilience factors include capital and liquidity; non-financial factors are generally governance and operational-based and focus on crisis preparedness. Some key indicators of resilience performance and characteristics are the strength of a CU’s Internal Capital Adequacy Assessment Process; adequacy and implementation of Recovery Plan, Contingency Funding Plan, Business Continuity Plan and Disaster Recovery Plan during stress.
A resilient CU is expected to anticipate future threats and opportunities including being able to identify and manage ESG risks. Inadequate management or mismanagement of these risks could negatively impact a CU’s franchise strength and risk profile, while more serious deficiencies could ultimately threaten a CU’s reputation, capital and earnings, liquidity, and viability.
7. Overall Risk Rating (ORR)
The ORR is an assessment of the CU’s overall risk profile, after considering the impact of Capital (including earnings), Liquidity, and Resilience on its SRR. It reflects FSRA’s assessment of the safety and soundness and conduct of the CU. The ratings from the Capital, Liquidity, and Resilience assessments are used to determine modification needed to the SRR, if any, to arrive at ORR.
The five risk ratings for the ORR are: “Low”, “Low-Moderate”, “Moderate”, “Moderate-High” and “High” (Descriptions of each of the five ORR risk ratings are detailed in Appendix B).
FSRA is considering the use of the ORR as an input to the calculation of the deposit insurance premiums as part of the Differential Premium Score Determination model.
B. Risk management process
The Basel Committee on Banking Supervision (BCBS) is the international body responsible for developing the Core Principles for Banking Supervision that regulatory bodies can use to assess their supervisory systems and identify areas for improvement[7]. Principle 15 - Risk Management Process, states “the supervisor determines that FIs have a comprehensive risk management process to identify, measure, evaluate, monitor, report and control or mitigate all material risks on a timely basis …”. FSRA adheres to this principle by using the following supervisory process to assess the risk profiles of CUs.
C. Supervisory process
FSRA uses a defined process to guide its CU-specific supervisory framework that includes the following steps:
1. Developing a supervisory strategy and planning supervisory work
A supervisory strategy (Strategy) for each CU is prepared annually. The Strategy identifies the supervisory work necessary to keep the CU’s risk profile current. The intensity of supervisory work depends on the size, complexity, and risk profile of the CU. The Strategy outlines the supervisory work planned for the next three years, with more detailed description of work for the upcoming year. The Strategy is the basis for a more detailed annual plan, which indicates the expected work and resource allocations for the upcoming year.
In addition to being CU-specific, FSRA’s planning also includes a process to compare the work effort across CUs. This is to ensure that assessments of risk for individual CUs are subject to a broader standard, and to assign supervisory resources effectively to higher-risk CUs and significant activities.
2. Executing supervisory work
There is a continuum of supervisory work that ranges from lesser to greater supervisory intensity:
- Document review
- Meeting with senior management and board
- Off-site desk review
- Limited scope off-site or on-site review/examination
- Expanded scope off-site or on-site review/examination
- Comprehensive on-site review/examination
Monitoring refers to the regular review of information about the CU, its industry, and external environment to keep abreast of changes that are occurring or planned in the CU, and to identify emerging risks and issues.
CU-specific monitoring includes the analysis of the CU’s financial and operating results, typically considering its performance by business line and vis-à-vis its peers and any significant internal developments. Reviews and examinations refer to more extensive supervisory work than monitoring and may involve on-site examinations depending on the specific requirements identified in the planning process.
In addition to the core supervisory work of monitoring and reviews, FSRA frequently undertakes comparative or benchmarking reviews to identify standards and best industry practices.
Given the dynamic environment in which CUs operate, FSRA also scans the external environment and industry, gathering information as broadly as possible, to identify emerging issues. Issues include both CU-specific and sector-wide concerns.
FSRA periodically requires CUs to perform specific stress tests that FSRA uses to assess the potential impact of changes in the operating environment on individual CUs or industries. Environmental scanning and stress testing have increased in importance as changes in the external environment are a main driver of rapid changes in CU risk profiles. FSRA may also request the CU’s internal auditor, or at the CU’s expense, its external auditor, or other external resource (e.g., consulting firm) to investigate and report on a matter to FSRA.
3. Updating risk assessments
In between full examinations, supervisors monitor the CU and, if new information indicates a material change in the CU’s risk profile, supervisors will update the CU’s risk assessment ratings as needed. When there are shifts in the risk assessment of the CU, FSRA responds by adjusting work priorities set out in the supervisory strategy and annual supervisory plan as necessary to ensure that important emerging matters take precedence over items of lesser risk. Such flexibility is vital to FSRA’s successful implementation of risk-based supervision and its ability to ensure the safety and soundness and appropriate business conduct of the CU.
Risk assessments for all CUs are subject to internal quality assurance and reviews to ensure ratings are consistent and accurately represent the risk profile of the CU.
4. Reporting and communication to CUs
In addition to ongoing discussions with CU management through the RM, FSRA communicates to CUs through Supervisory Letters, when warranted. Supervisory Letters summarize FSRA’s key findings (including those resulting from examinations), recommendations, and requirements, as necessary based on the supervisory work (both prudential and market conduct) that was completed since issuing the last Supervisory Letter. The Supervisory Letter may require the CU to develop, implement and report on a remediation plan to address the issues arising from this review. FSRA may also choose to meet with the CU senior management and/or directors to discuss its supervisory findings and any issues of concern. The Supervisory Letter also reports the CU’s ORR.
During the year, FSRA may also issue an Interim Letter to the CU to provide the CU with timely feedback on issues arising from a specific body of supervisory work, especially if the CU is on the Watchlist or in a Depositor Protection Program[8].
With both types of letters, FSRA will discuss the findings, recommendations, and requirements with the CU before issuing the letter. FSRA considers communication and the provision of feedback to the CU an important part of its supervisory process.
5. Intervention level
The ORR of a CU is used in determining the level of intervention FSRA will take to address identified prudential or conduct issues. FSRA’s Intervention Guide (The Guide) addresses situations where FSRA has concerns with the CU’s vulnerabilities or when viability or solvency are of concern. The Guide (included as Appendix C of this Guidance) aims to communicate at which stage an action/intervention would typically occur. The Guide also provides a mapping of the typical combinations of ORRs and Intervention Levels.
6. Level of supervisory engagement
After determining the intervention level, proportionality (size and complexity) is applied to the ORR of the CU to determine the level of supervisory engagement (i.e., FSRA resources and attention placed on the CU). FSRA will have a higher level of supervisory engagement with larger and/or more complex CUs whose failure could materially impact the Ontario CU sector. As well, FSRA will have a higher level of supervisory engagement with CUs that are riskier.
The failure of a large, complex CU would likely give rise to contagion and undermine the general confidence of the greater CU sector. For this reason, FSRA’s risk tolerance is low for CUs that are large and/or complex and display an elevated risk profile (e.g., High ORR). Hence, FSRA will allocate more resources and attention to such CUs to reduce the likelihood of their failure.
Effective date and future review
This guidance will be effective as of (date TBD – upon issuance) and will be reviewed on or before (date TBD).
About this Guidance
This document is consistent with FSRA’s Guidance Framework. As Approach Guidance, it describes FSRA’s internal principles, processes and practices for supervisory work, action and application of CEO discretion where applicable.
Appendix A: Risk matrix
The Risk Matrix (as shown below) is used to record all the assessment ratings described above. The purpose of the Risk Matrix is to facilitate a holistic risk assessment of a credit union. This assessment culminates in an Overall Risk Rating (ORR), which represents the overall risk profile of the credit union.
Appendix B: ORR level descriptions
Low
This rating indicates a highly safe, sound, well-managed, and well-governed CU. The combination of its summary residual risk and its capital, liquidity and resilience makes the CU resilient to most adverse business and economic conditions, which will not materially affect its risk profile. The CU has consistently performed well and most key indicators are better than sector averages.
Low-Moderate
This rating indicates a safe, sound, well-managed, and well-governed CU. The combination of its summary residual risk and its capital, liquidity and resilience makes the CU resilient to many adverse business and economic conditions, which will not materially affect its risk profile. The CU has for the most part performed well, and many key indicators are better than sector averages.
Moderate
This rating indicates a generally safe, sound, well-managed, and well-governed CU. The combination of its summary residual risk and its capital, liquidity and resilience makes the CU resilient to some adverse business and economic conditions which will not materially affect its risk profile. The CU’s performance is satisfactory and key indicators are generally comparable to sector averages.
Moderate-High
The CU has safety and soundness concerns. It has issues that trigger early warning indicators of potential financial non-viability if not addressed. One or more of the following conditions are present. The combination of its summary residual risk and its capital, liquidity and resilience makes the CU vulnerable to some adverse business and economic conditions. Its performance is unsatisfactory or deteriorating, with some key indicators at or marginally below sector averages. The CU has issues or weaknesses with its controls and oversight that although not serious enough to present an immediate threat to financial viability or solvency could deteriorate into serious problems if not addressed promptly.
High
The CU has serious safety and soundness concerns. One or more of the following conditions are present. The combination of its summary residual risk and its capital, liquidity and resilience makes the CU vulnerable to most adverse business and economic conditions, posing a serious threat to its viability or solvency unless effective corrective action is implemented promptly. Its performance is poor and most key indicators are worse than sector averages.
Appendix C: Intervention guide
The ORR of a CU is used to determine the level of intervention or remediation FSRA will take to address prudential or conduct issues identified. FSRA has also developed this Intervention Guide (the Guide) to address situations where FSRA has concerns with the CU’s vulnerabilities or when viability or solvency are of concern. The Guide gives summary descriptions of CU risk profiles for each intervention level and indicates supervisory actions that typically occur at each level. The intervention process is not fixed as circumstances may vary from case to case. It is not a rigid regime under which every situation is necessarily addressed with a predetermined set of actions. The Guide aims to communicate at which level an action would typically occur, and the actions described at one level may also be used in subsequent levels; in some situations, certain actions may also take place at earlier levels than set out in the Guide. If warranted, a CU’s intervention level can be escalated or de-escalated by more than one level at one time. Risk profiles, as summarized by the Overall Risk Rating (ORR), and typical supervisory actions for each corresponding intervention level are described below.
Level 1 – Normal
The CU has a sound financial position and sufficient governance and risk control frameworks for its size, complexity and risk profile. Its practices do not indicate any significant problems or control deficiencies. Early Warning System (EWS) financial ratios are not indicating material issues or flags. The CU is not likely to fail or pose any undue loss to depositors in foreseeable circumstances.
Level 1 supervisory actions include but are not limited to:
- periodic examinations and on-site reviews
- monitoring of select information on a monthly, quarterly and/or annual basis
- providing the CU with a supervisory letter annually
- other supervisory activities as required or at the discretion of the supervisory teams
Level 2 – Early warning
A CU categorized at this level is not expected to fail or pose any immediate loss to depositors; however, there are aspects of its risk profile that may create vulnerabilities under adverse circumstances, or its future trend may create vulnerabilities in the mid-term, and as such requires more extensive oversight by FSRA. Some EWS ratios have moved outside of normal range. At level 2, the CU is expected to implement an improvement plan to rectify or address identified concerns and commit to reducing its level rating. FSRA expects a CU to return to level 1 (normal) within the timeframes established by its improvement plan.
In addition to activities in the preceding level, Level 2 supervisory actions may include but are not limited to:
- placing the CU on the watchlist
- more frequent and/or more targeted on-site examinations and reviews
- special examinations by external experts
- more frequent and detailed collection and analysis of data
- follow up and tracking of improvement plan
- communicating concerns to directors, senior management and internal and external auditors
- requiring the CU to increase liquidity and/or capital levels
- requests for additional stress testing, revised business plans and risk appetite
- establishing or issuing expectations under a voluntary compliance agreement
- increased deposit insurance premium assessment
Level 3 – Risk to financial viability or solvency
Improvements are needed as the CU’s business operations or circumstances potentially put depositors at risk. Many EWS ratios and indicators are outside normal range. In this level, these improvements will be mandated by FSRA. The CU is unlikely to fail in the short-term but this expectation relies on FSRA’s view that supervisory intervention is necessary to help avert any failure. At level 3, the CU must address identified problems or implement improvements to quickly reduce its level rating. The board and senior management must demonstrate a commitment to improvement by establishing urgent timelines. FSRA expects a CU to reduce its level rating within this timeframe.
In addition to activities in preceding levels, Level 3 supervisory actions may include but are not limited to:
- placing the CU under statutory supervision or administration
- updating recovery or restructuring plans
- implementing the recovery plan
- requiring the CU to revise its capital recovery or business plans
- requiring the internal auditor (or other control function) to expand the scope of review or to perform other procedures and prepare reports for FSRA/Administrator
- engaging the external auditor to expand scope of review or to perform other procedures and prepare reports for FSRA/Administrator
- issuing orders
- updating the resolution plan (if already a FSRA requirement) or preparing a contingency plan
- requiring the CU to consider amalgamation/merger opportunities under FSRA’s oversight
- entering into a voluntary compliance agreement
- placing conditions or prohibitions on business authorization
Level 4 – Future financial viability or solvency in serious doubt
The CU has severe safety and stability concerns and is experiencing problems that are expected to pose loss to depositors unless corrective measures are promptly undertaken. Most EWS ratios and indicators are outside normal range. The CU failed to remedy the issues identified in level 3 and its situation is worsening. At level 4, the CU will be directed to immediately resolve issues or implement mandated improvements. Immediate actions will be taken to reduce the CU’s overall risk and intervention level.
In addition to activities in preceding levels, Level 4 supervisory actions may include but are not limited to:
- placing the CU under statutory administration
- directing external specialists/consultants to assess specific areas (e.g., quality of loan security, asset values, sufficiency, or reserves)
- increased frequency (e.g., daily) and engagement with CU to monitor the situation on a continuous and ongoing basis
- implementing recovery plan
- implementing the resolution plan (e.g., open CU resolution, Purchase & Assumption transaction)
- winding down or amalgamating/merging the CU
- divesting of non-core businesses
- selling certain assets
- closing branches
- considering providing financial assistance to the CU
Level 5 – Nonviability or insolvency imminent or has occurred
The CU is experiencing severe financial difficulties and has deteriorated to such an extent that there is insufficient capital to adequately protect depositors from undue losses with a high level of certainty.
In addition to activities in preceding levels, Level 5 supervisory actions may include but are not limited to:
- withdrawing business authorization
- implementing the resolution plan (e.g., open CU resolution, Purchase & Assumption transaction)
- placing the CU into liquidation or dissolution
- paying out insured deposits
Appendix D: Market conduct
1. Inherent risk assessment
Market conduct inherent risk is an essential component of FSRA’s supervisory framework. It refers to the probability that the conduct, acts, or omissions of a CU or its staff harm or deliver poor/unfair outcomes for members or customers. It will be assessed by considering multiple sub-risks. These may increase or decrease the overall level of inherent market conduct risk and include risks of mis-selling; tied selling; misrepresentation; conflict of interest; improper use, disclosure or loss of private or confidential information; and unreasonable or unnecessary holding of funds.
Mis-selling of Products and Services
Mis-selling refers to the risk of selling members or customers unsuitable or unnecessary products or services.
Tied Selling of Products and Services
Tied selling refers to the risk of requiring members or customers to acquire one or more additional products or services as a condition of another product or service.
Misrepresentation refers to the risk of presenting members or customers with incomplete, inaccurate or misleading information to influence their decisions (e.g., purchase of a specific product or service).
Conflict of Interest
Conflict of interest risk refers to the risk of a CU putting the interest of the organization, the interest of a staff member, or the interest of another party ahead of their members’ or customer’s interests.
Improper Use, Disclosure or Loss of Confidential or Private Member or Customer Information
Improper disclosure refers to the risk of a breach of security for members’ or customers’ confidential information.
Unreasonable or Unnecessary Holding of Funds
Unreasonable or unnecessary holding of funds refers to the risk that a CU unreasonably holds funds, prevents or unreasonably restricts or imposes barriers to members’ or customers’ funds.
Quantitative or qualitative information may be used by a Supervisor as an indicator of market conduct inherent risk. Some examples of material information would include an organization’s regulatory compliance history; complaints activity including handling procedures; appropriate staff resources and training for product and customer suitability; compensation structures; business arrangements with product or service suppliers and intermediaries.
2. Controls and oversight assessment
Consistent with FSRA’s expectations on a CU’s internal governance framework, FSRA will consider the key functions listed below when assessing the quality of controls and oversight functions for a CU. A function’s assessment considers both the appropriateness of its characteristics and the effectiveness of its performance, in the context of the size, complexity and risk profile of the CU. Characteristics of a function refer to how it is designed to carry out its role. Performance of a function refers to its success in carrying out its role and responsibilities.
When assessing the characteristics and performance of each function, FSRA considers, at a minimum, the following essential elements:
Board of Directors
Mandate Roles and Responsibility
Size and Composition
Practices and Expertise
Assessment of Performance
Human Resources Policies and Practices
Audit Methodology and Reporting
Relationship with Other Oversight Functions
Methodology and Practices
Relationship with Other Oversight Functions
Mandate / Terms of Reference
Policies, Practices and Methodology
Relationship with Other Oversight Functions
Policies and Procedures on Sales of Products or Services Suitable for Members and Customers
Know Your Client and Suitability Assessment
Know Your Product
Consent Regarding Changes
Pricing of Products and Services
Options for Depositors
Policies and Procedures
Policies and Procedures
Process for Developing Advertising or Promotional Materials for Members and Customers
Content of Advertising or Promotional
Reporting to Members and Customers After the Point of Sale
Conflicts of Interest
Policies and Procedures
Reporting of Conflicts
Management of Conflicts
Disclosure of Private or Confidential Member Information
Policies and Procedures
Consent for Disclosure
Access to Funds
Policies and Procedures
Application of “Hold Fund” Policy
Disclosure of “Hold Fund” Policy
Approval of Exceptions
Policies and Procedures
- Establishment and maintenance of Policies and Procedures
Designated Complaints Officer
Handling of Complaints
- Escalation Process
- Resolution Satisfaction
- Maintenance of records
- Nature of reporting
- Frequency of reporting
- Use of reports
1 Both the CEO of FSRA and FSRA may exercise discretion under the Act. However, for the purposes of this Guidance, reference will be made to FSRA, instead of the CEO, as the CEO may delegate his authority to FSRA, as permitted by the Act.
2 See ss. 3(1), 3(2) and 3(4) of the FSRA Act.
3 See s. 230 of the Act
4 See s. 233 of the Act
5 FSRA uses the following principles as the foundation for its approach to using guidance: Accountable (Internal and External), Effective, Efficient, Adaptable, Collaborative and Transparent. The definitions of these principles can be found on the FSRA Guidance Framework webpage.
6 Note that supervisors assess the credit union’s inherent risk in the context of the industry experience and the “impact” is to the generic institution (“an institution”) and not the specific credit union that is being assessed. In contrast, later when arriving at the Summary Residual Risk we refer to impact to the specific Credit Union being assessed.
8 The Deposit Protection Program involves placing a CU which meets certain risk-based criteria under Supervision (s 230 of the Act), under Administration (s 233 of the Act) or in Dissolution (s 237 of the Act). Supervision is where FSRA has the statutory authority to order a credit union's board of directors to correct its practices or refrain from undertaking activities that may harm the credit union. Administration allows the CU to continue to operate under FSRA’s direct control while providing sufficient time to develop and implement the most appropriate strategy to protect depositors. Dissolution is when a CU goes out of business and FSRA is appointed as liquidator to minimize the impact on the credit union's depositors, pay depositors, wind up affairs in an orderly manner, and maximize the recovery of assets.