Guidance 

☒ Interpretation     ☒ Approach     ☐ Information     ☐ Decision

No. CU0064INT

 

Download a copy in PDF format

Purpose

This guidance[1] provides FSRA's:

  1. Interpretation of the requirements under Section B of By-Law No. 5 - Standards of Sound Business and Financial Practices (By-Law No. 5)[2]  for Ontario Credit Unions' and Caisses Populaires' (CUs') risk management policies to include recovery plans and under subsection 144(2) of the Credit Union and Caisses Populaires Act, 1994 (the Act); and
  2. Approach by FSRA for assessing the adherence to by CUs to the principles identified in this Interpretation in their recovery plans.

The Approach section of this guidance does not prescribe compliance requirements for Ontario CUs. Rather, it is intended to define the processes and practices that FSRA will employ when exercising supervisory action or when exercising FSRA's discretion under the Act[3]. The Interpretation section of this guidance sets out FSRA's view of requirements under the Act so that non-compliance can lead to supervisory action and potentially enforcement sanctions. This may include requiring remediation and reporting, and/or issuing orders and in extreme cases, placing the CU under supervision or administration under the Act.

FSRA considers proportionality in the application of the requirements based on the Interpretation section of this guidance, including the structure, size, complexity and risk profile of the CU, and the potential consequences of the CU's failure, including the systemic impact of that failure.

Scope

This Interpretation and Approach guidance affects the following entities regulated by FSRA:

Credit Unions and Caisses Populaires incorporated under the Act.

This guidance complements the information provided in, and should be read in conjunction with, other FRSA guidance and supporting publications available on FSRA's website (www.fsrao.ca).

Rationale and background

Members of CU Boards and of senior management have a fiduciary duty to the CU which necessitates that they plan for adverse scenarios and to that end, ensure that contingencies are developed to recover from such adversity. A failure to do so could amount to a breach of their fiduciary duty and/or standard of care, resulting in exposure by the CU Board and its management to civil and regulatory liability. Recovery planning is thus a means by which to demonstrate responsible and prudent activity by a CU. A CU that can recover from adversity will be safer for its members, depositors and customers and is less likely to experience disruptions in core services. It will also enhance the crisis preparedness and resiliency overall of the CU sector, which aligns with FSRA's statutory objectives to protect deposits held by members of CUs and to contribute to the stability of the sector in Ontario.

The Interpretation section of this guidance outlines FSRA's principles for recovery planning including underwriting practices, risk controls, and oversight practices at CUs. This guidance supplements other FSRA by-laws, rules, and guidance, and should be read and interpreted in conjunction with other FSRA guidance, rules and applicable provisions of the Act and Ontario Regulation 237/09 (the Regulation).    

The Approach section of this guidance describes how FSRA will assess CUs' adherence to the principles set out in the Interpretation.

This Guidance promotes high standards of business conduct for CUs and the stability of the CU sector in Ontario. These outcomes are consistent with a number of FSRA's statutory objects, as set out in the Financial Services Regulatory Authority of Ontario Act, 2016 (the FSRA Act)[4],:

  1. to promote high standards of business conduct;
  2. to foster strong, sustainable, competitive, and innovative financial services sectors; and
  3. to promote and otherwise contribute to the stability of the credit union sector in Ontario with due regard to the need to allow credit unions to compete effectively while taking reasonable risks.
  4. to pursue the objects of persons having deposits with credit unions and in such manner as will minimize the exposure of the Deposit Insurance Reserve Fund to loss.

Interpretation 

The purpose of recovery planning is to enhance crisis preparedness and resiliency of the CU system. This will further protect deposits held by members of CUs and contribute to the stability of the sector in Ontario.

Adherence to the principles identified in the Interpretation part of this guidance is a course of conduct that is in the best interest of the CU and its members. Effective adherence to these principles also in FSRA's Interpretation, demonstrates the degree of care, diligence and skill that a prudent person would exercise in comparable circumstances. Hence, effective adherence to the principles in this Interpretation guidance would demonstrate how powers and duties should be exercised and discharged by each director, officer or committee members of a CU under s. 144(1) of the Act. Effective adherence to these principles would satisfy the care, skill and diligence that each director, officer or committee member of a CU must exercise pursuant to s. 144(2) of the Act.

Section B of By-Law No. 5 requires that CUs "develop and implement appropriate and prudent risk management policies." With respect to operational risk management, one of the fundamental elements that CUs should address in their policies includes, "disaster recovery and business continuity plans." Effective adherence to the principles identified in the Interpretation portion of this guidance would reflect the types of prudent planning that a CU should engage in to address the continuity of its business during periods of severe stress.

This Interpretation sets out FSRA's view of requirements under the Act and of By-Law No.5as they relate to recovery planning. Non-adherence may lead to supervisory action or enforcement sanction by FSRA, including requiring remediation and reporting, and/or issuing orders and in extreme cases, placing the CU under supervision or administration.

FSRA will monitor adherence to these principles and requirements as part of its supervisory approach, as outlined in the Approach section of this guidance below.

FSRA's supervision, and any required, enforcement activities, will be carried out under the relevant provisions of the Act and its general authority under the FSRA Act.

Principles

FSRA has identified the following principles for effective recovery planning as a function of its Interpretation in the above noted requirements of By-Law No. 5 and under the Act. FSRA will apply these principles to assess the CU's recovery planning in order to determine whether the requirements of By-Law No. 5 and under the Act are satisfied as they relate to recovery planning by a CU.

Principles of recovery planning

1. Effective Recovery Plan Development and Implementation: The CU, through its Board and senior management, has an obligation to create a recovery plan to prepare the CU to manage adversity.

Each officer and director of a CU has an obligation to ensure that the CU is in a constant state of readiness to manage adversity. The development of viable recovery plans that identify credible options to survive a range of severe but plausible stress scenarios help to ensure this state of readiness. The CU's recovery plan should include recovery policies and practices and set out a course of action for senior management to follow. This will include early warning indicators and triggers in place to identify the emergence of stress scenarios. The recovery plan should be based on best available information (which should be regularly updated), address potential uncertainty, and be able to be enacted in a timely manner.

2. Transparent Governance: The CU, through its Board and senior management, should evaluate risks in adverse scenarios and prepare to implement identified actions, if necessary.

Senior management should periodically evaluate risks in adverse scenarios and develop and prepare to implement identified actions through appropriate documentation in response to such risks/scenarios. A CU should be able to identify and act on risks as they develop. A robust recovery plan process ( with effective challenge, documentation, practising and pre-planning) will allow for ease of implementation when those circumstances develop. These activities should be undertaken by different levels of the CU, including the Board and senior management and the CU's records, including the Board minutes, should effectively evidence this process.

3. Periodic Reassessment: The recovery plan should be periodically reassessed to ensure it is up to date with current information.

A regular cadence should be established for re-assessing recovery planning and identifying clear triggers that require an immediate refreshing of the recovery plan. For example, when adding or exiting a business or geography, or responding to an external development.

4. Proportionality: Recovery Plans should be developed based on the structure, size, complexity, and risk profile of a CU.

A credit union recovery plan should be tailored to the structure, size, complexity, and risk profile of the institution.

Approach - Processes and Practices 

FSRA has developed this Approach to define the practices and procedures that it will employ when assessing the CU's adherence with the requirements. These requirements are identified in the Interpretation section of this guidance.

The purpose of the recovery plan is ultimately to serve as a 'playbook' for both the CU (senior management and the Board), and FSRA in times of financial stress. A recovery plan should be tailored to the structure, size, complexity, and risk profile of the CU. FSRA has articulated the following essential elements to outline how FSRA will approach the assessment of a CU's recovery plan processes (e.g. development, challenge, implementation, and monitoring) and outputs (e.g. recovery plan documentation).

A. Institutional analysis

A recovery plan should specify sufficient information about the institution to provide a basis for planning and analysis. A recovery plan should incorporate existing materials by reference that exist for other management purposes. This would include such materials as the Board package prepared for new directors and managers to understand the CU's legal, organizational and business structure, its businesses and support functions, sources of risk and profitability (including liquidity and exposures to credit loss) and external and internal dependencies.

A key component of the recovery plan is the identification of the core businesses that are fundamental to the CU's viability. Doing so ensures all individuals necessary to the successful execution of the recovery plan understand those businesses required to be preserved to ensure the surviving entity is a stable and functioning financial institution. The recovery plan should identify the basis used to determine the CU's core businesses. The key functions and services necessary to maintain those core businesses should also be identified.

The recovery plan should clearly identify any external stakeholder relationships that may be impacted by the divestiture of non-core businesses or other recovery actions. This includes any dependencies the CU has on third-party information technology providers or other vendors that have contractual clauses giving them a unilateral option to terminate their contract with the CU in the event of the CU's deteriorating financial condition or other pertinent circumstances. It should also explain what special arrangements the CU would need to make to these contracts to ensure:

  • that the underlying products and services remain available throughout the event,
  • what the additional costs may be
  • how the payments would be authorized, triggered and funded.

B. Key measures and associated triggers

A recovery plan is one that is CU-specific and identifies material and existential risks, where such risks may include but are not limited to:

  • credit risk
  • concentration risk
  • market risk
  • liquidity risk
  • contagion risk
  • securitization risk
  • operational risk
  • other risks (e.g., strategic, reputation, legal)

The impact of these risks can typically be measured by metrics that describe:

  • required and available regulatory capital;
  • asset and liability composition and valuation;
  • level of impaired assets and write-offs;
  • operational profit and loss; and
  • liquidity and funding gaps.

A recovery plan should specify a series of specific qualitative and quantitative measures that serve as early warning indicators (the metrics). These metrics will allow a CU to monitor its risk exposures along a continuum of severe stress events.

Triggers for recovery planning should be incorporated into the CU's overall risk management frameworks. Recovery triggers should be aligned with (but not be limited to) existing triggers for liquidity or capital contingency plans, early warning indicators and the CU's risk appetite.

Triggers should be measurable, reasonable, well-defined, and calibrated to allow enough time for the CU to respond when triggering event(s) activates its recovery plan. Such triggers will enable CUs to maintain or restore financial strength and viability before regulatory authorities see the need to intervene.

The number and combination of quantitative and qualitative triggers may vary by CU. The triggers should be tailored to a CU's structure, size, complexity, and risk profile. Where possible, triggers should be predominantly quantitative and focused on CU-specific liquidity and capital measures.

Recovery plans describe the process to follow upon any breach of the triggers, causing activation of the recovery plan. This includes escalation to the CU's senior management or the Board and the decision-making process once those individuals have been informed.

C. Recovery options

A CU should be prepared to take increasingly aggressive actions in response to any deterioration of the key measures. FSRA will review the recovery plan to see that it identifies key vulnerabilities, by risk area, the key measures that will reveal such risk as manifesting itself (and appropriate triggers by such measures) and the CU has identified responses that can be taken as such risk arises. An example of how a summary of such information could be portrayed and organized is shown in Appendix A.

The recovery plan should specify a menu of recovery options. Certain risk mitigating responses like those identified in Appendix A might have already been taken by senior management before the activation of the recovery plan.  The recovery plan should therefore identity options under high stress severity that could threaten the viability of the CU.

The recovery plan should identify the priority of the recovery options based on factors including but not limited to: the options' overall impact on the CU's financial condition, time and ease of execution, and potential negative impact on confidence and/or reputation. FSRA will review the recovery plans to see that they clearly identify recovery options, financial impacts/concerns and implementation issues. Appendix B provides a sample table as an illustration of how a summary of the recovery options could be prepared.

The recovery plan should detail how the potential proceeds from the recovery options would be allocated to meet its obligations as they come due throughout the recovery event.  A recovery plan must also consider how these proceeds will impact the CU's balance sheet, capital ratios and liquidity profile.

Recovery options should be reliable, timely, and comply with applicable laws, regulatory and other requirements. There should be a high degree of confidence that the CU would be able to implement the outlined recovery options during extreme stress events. The recovery plan should clearly outline the credit union's operational readiness and outline how the recovery options would be executed. The costs (e.g. discounts on asset sales), and time to execute the recovery options should be considered, as should the extent to which the identified recovery options are mutually exclusive and/or dependent. If there are any regulatory approvals required, the anticipated timeline for such approvals should be described.

The recovery plan should describe the impact of executing these options on both the short-term market confidence in the CU and the long-term viability of its business model. The recovery plan should describe how the CU would look post-recovery, assuming the successful implementation of a recovery option (e.g. potentially fewer business lines, different management or organizational structure).

D. Scenario analysis

The recovery plan should be informed by stress testing and scenario analysis. The recovery plan should test whether recovery actions will be sufficient to recover from the manifested risks arising from a certain stress scenario as the backdrop.

As described in Guidance Note: Stress Testing for Credit Union with Assets Greater than $500 million and the Guidance Note: Internal Capital Adequacy Assessment Process (ICAAP) –  For Credit Unions with Total Assets Greater than $500 Million, FSRA will review whether a CU uses its stress testing to challenge  its recovery plan and incorporate learnings from its stress testing in its recovery plan.   Each CU is required to include certain stress tests in its ICAAP analysis, including a (reverse stress test) scenario that in management's view would likely cause a breach of minimum regulatory capital requirements.

A recovery plan should consider plausible idiosyncratic and systemic stresses that could affect the CU and require it to invoke its recovery plan.  Some examples of the types of stresses that CU leaders could consider to inform and evaluate its recovery plan are:

  • a severe but plausible idiosyncratic stress scenario that captures considerations involving a series of CU-specific credit, market, and operational events (e.g. cyber/operational risk issues, loan losses where the CU's loss has substantially exceeded its peers, reputational risk issues that negatively impact funding and liquidity);
  • a severe but plausible systemic stress scenario that captures systemic conditions (e.g. an interest rate shock, an economic downturn with projected losses, additional funding costs as a result of lack of securitization opportunities under tightening credit conditions, natural disasters and pandemic); and
  • a blended idiosyncratic and systemic scenario (e.g. a combination of events from the idiosyncratic scenario and systemic scenario under different severities).

Recovery planning necessitates a comprehensive analysis of the link between capital and liquidity since recovery actions aimed at improving liquidity may have a negative impact on capital, and vice versa.
Recovery plans for large and complex CUs (for example, those with multiple business lines and/or subsidiaries) should  illustrate through financial projections how the assumed stress events and execution of recovery options will change the capital, liquidity, and other key financial metrics over time.

A recovery plan's capital analysis should include an assessment of current and potential allocations of capital needs and losses associated with each of the scenarios and outline some immediate steps to conserve capital and limit outlays.

Liquidity analysis in a recovery plan should likewise include an assessment of inflows and outflows in different time buckets. The analysis should also identify situations where there are multiple approaches to obtaining liquidity from the same assets and ensure that the recovery options do not rely on conflicting approaches.

E. Framework and governance

A recovery plan should articulate how decisions will be made by key members (CEO, CFO, CRO) of senior management if different risks manifest themselves in a way that engages one or more triggers. A recovery plan should describe the process for Board oversight and senior management accountability and be in accordance with the pre-determined existing reporting and control processes and structures.

A recovery plan should include a communication plan (or plans) to  inform internal and external stakeholders (including regulators such as FSRA and members of the CU), for every risk that triggers an action. The plan should ensure that communication patterns and substantive approaches are known in advance to allow for timely notification of all relevant stakeholders. If a separate communication plan is not required, the recovery plan should at least describe the persons responsible for communications, the actions that need to be taken as well as the timing, process and substance of each communication required.

F. Information management

FSRA will consider whether there are documented and implemented processes for CU management to monitor and report, and for the Board to oversee the key metrics identified in the recovery plan. This reporting could be done through a dashboard shared with the Board or other means that allow it to be integrated with parts of the risk reporting/appetite framework. These reports should be produced with a frequency and timeliness that allows for the data about the key metrics to be known by the CU they trigger an action under the CU's recovery plan. Based on the current data aggregation and reporting procedures a recovery plan  assess the gaps in data that would be available to the CU during a recovery event. The recovery plan should then outline a strategy to overcome such gaps proactively, prior to the invocation of the recovery plan.

Decision makers need to rely on information to make informed decision in stress (e.g. revised valuation of assets, updated amount of loan loss, daily deposit withdrawal pattern). The CU's recovery plan should clearly articulate data capabilities, challenges, and remedial actions.

G. Implementation plan

The recovery plan is an overlay that cuts across key policies, processes, and frameworks and, when triggers are activated, takes precedence.

Potential impediments or obstructions to the successful execution of the recovery options should be outlined. For example, selling some certain assets of the CU may pose unacceptably high reputational risks. FRSA will consider whether risk mitigation, remedial actions, and effective challenge have taken place by reviewing documentation of these processes and actions. Insufficient descriptions may result in the recovery plan deemed not credible.

Submission frequency and assessment considerations

FSRA expects to review a CU's recovery plan in accordance with the following list. For CU with total assets of:

  • greater than $4 billion
  • between $500 million and $4 billion
  • between $100 million and $500 million
  • less than $100 million
  1. once per year
  2. once per year
  3. once every two years
  4. once every two years

FSRA will evaluate recovery plans and related processes and may ask questions and identify potential shortcomings or concerns.

A recovery plan should identify the streams and types of risks that need to be addressed, with a series of actions identified to address those risks. Any recovery plan that fails to identify a material risks and to provide a series of escalating credible responses to those risks will need to be amended.

The development of an effective recovery plan is an iterative process that requires significant interactions between the CU senior management and its Board, with senior management having the responsibility to improve the plan, address self-identified gaps and issues, and address concerns raised by FSRA.  FSRA expects incremental improvements with each iteration of the recovery plan. The plan should be periodically reviewed and refined by the CU to ensure that it remains relevant given changing conditions within the CU and in the broader financial environment.

FSRA's assessment will determine whether the CU is required to immediately address deficiencies in the subsequent draft to be submitted within a specified timeframe or if further enhancements and refinements can be addressed as part of the next scheduled review.

If FSRA requires re-submission before the next scheduled filing, the plan should be amended and include explanations to address FSRA's concerns when resubmitted.

Effective Date and Future Review

The Interpretation portion of this guidance is effective (date TBD). FSRA will expect to see the initial Recovery Plans from all CUs based on total assets as outlined in the following schedule:

  • greater than $4 billion
  • between $500 million and $4 billion
  • between $100 million and $500 million
  • less than $100 million
  1. (Date TBD)
  2. (Date TBD)
  3. (Date TBD)
  4. (Date TBD)

This Guidance will be reviewed at a future date (TBD).

About this Guidance

This document is consistent with FSRA's Guidance Framework. As Interpretation guidance, it sets out FSRA's view of requirements under its legislative mandate (i.e. legislation, regulations and rules) so that non-compliance can lead to enforcement or supervisory action. While as Approach guidance, it describes FSRA's internal principles, processes and practices for supervisory action and application of CEO discretion where applicable.

Appendix A – Risk Mitigating Responses

The following table provides a sample format for documenting the details of potential vulnerabilities and risk mitigating responses to address these vulnerabilities. The table is for illustrative purposes only and each credit union can develop their own format to document the details in their recovery plan.

Vulnerabilities Risk area Key measures Potential responses taken to address vulnerabilities

Over exposure to high risk, high RWA assets

Credit risk
Market Risk

Risk-based capital ratio

Reduce and/or restructure risky loans.

Suboptimal use of balance sheet

Multiple risk areas (Credit risk, Market risk, Interest rate risk, etc.)

Leverage ratio

Optimize asset portfolio by changing and realigning asset mix; de-risk institution

Asset quality deterioration causing capital erosion

Credit risk, Market risk, etc.

Level of impaired assets and write-offs;
Risk-based capital ratio
Leverage ratio

Increase loan loss provision; build reserve allowances; raise capital through investment shares; reduce dividends; curtail expenses

Inadequate availability and access to liquid assets and various sources of funding

Liquidity risk

LCR, NCCF, NSFR

Increase quantity and quality of liquid assets; diversify funding source

Cyber attack

Operational risk

Profit and loss

Enhance IT system security, control and oversight

Below plan new business volume and increased loan provisioning in a business line

Strategic risk

Level of impaired assets and write-offs;
ROAA
Risk-based capital ratio

Exit business line; sell non-core assets

Low interest rate environment

Interest rate risk

Net Interest Income

Study interest rate trends, projections and behaviour; adjust interest cost of deposits as well as lending rates and time horizon.

Appendix B – Recovery Options Upon Activation of Recovery Plan

The following table provides a sample format for documenting the financial impacts/concerns and implementation issues associated with various potential recovery options. The table is for illustrative purposes only and each credit union can develop their own format to document the details in their recovery plan.

Recovery Options to be executed for Scenario Name: ______________

Recovery Option Capital Impact
(in $)
Liquidity Impact
(in $)
Other Impact
(franchise value, reputation issues, etc.)
RWA Impact
(in $)
Timing to realization of benefits
(days/months)
Operational readiness
(H/M/L)
Key Impediments to Implementation Ownership, Execution, and Communication protocol

Option 1

 

 

 

 

 

 

 

 

Option 2

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Effective Date: TBD


[1] This guidance is being published as combined Interpretation and Approach Guidance under FSRA's Guidance Framework. Each component is labelled for clarity.

[2] Pursuant to s. 321.0.4 (4) of the Act, DICO By-Law No. 5 is deemed to be a FSRA by-law made in accordance with the requirements of the Financial Services Regulatory Authority of Ontario Act, 2016.

[3] Both the CEO of FSRA and FSRA may exercise discretion under the Act. However, for the purposes of this Guidance, reference will be made to FSRA, instead of the CEO, as the CEO may delegate his authority to FSRA, as permitted by the Act.

[4] See ss. 3(2) and 3(4) of the FSRA Act.