The Office of the Superintendent of Financial Institutions (OSFI) has released its Guide to Administrative Monetary Penalties (the Guide) which, for the first time, formalizes OSFI’s administrative monetary penalties (AMP) enforcement approach and provides more clarity on how OSFI assesses and imposes AMPs for breaches by federally regulated financial institutions (FRFIs) of the Bank Act, the Trust and Loan Companies Act, and the Insurance Companies Act (the FRFI Acts). Key elements of the Guide include setting out the factors OSFI will consider under each statutory criterion when imposing an AMP, and the procedural steps required for FRFIs to challenge an AMP. The Guide follows OSFI’s September 2025 letter to the industry (the September Letter) indicating a revised approach to AMP enforcement.
The Superintendent of Financial Institutions (the Superintendent) has the statutory authority to impose AMPs for violations of certain provisions set out in the FRFI Acts[1]. Violations are categorized as minor, serious or very serious, and penalties can be imposed both on organizations (FRFIs or foreign banks with a representative office) and individuals (directors or officers). The Guide[2] sets out the framework for the imposition of AMPs where the maximum penalty for violations is $100,000 for an individual and $500,000 for an entity, in each case for a very serious violation[3].
OSFI’s AMP regime has historically existed primarily through legislation and regulations, with limited public guidance on how it exercises its discretion in practice. The Guide provides a transparent framework for how OSFI will approach enforcement going forward for violations that occurred after September 11, 2025[4].
OSFI has indicated that the Guide aligns with its risk appetite and proactive approach to supervision. Unlike the Financial Consumer Agency of Canada (FCAC) and the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), OSFI will not publish any information about FRFIs or individuals that receive AMPs[5].
While the statutory basis for AMPs remains unchanged, OSFI has indicated changes to its enforcement approach. Specifically, it will apply AMPs more frequently, including at lower levels of contravention (AMPs may be issued for lesser degrees of negligence or harm than previously), and at higher penalty amounts within the legislative maximums.
The September Letter had indicated that key changes to OSFI’s approach would include a revised scaling factor to ensure that AMP amounts are appropriately calibrated for small and mid-sized financial institutions. However, the Guide does not explicitly address proportionality based on the FRFI’s size and/or complexity. Such an approach would align with other federal regulatory frameworks, which are required to take into account an institution’s size and ability to pay in determining the quantum of an AMP[6].
The AMP process is as follows. First, the Superintendent may issue a Notice of Violation where there are reasonable grounds to believe an FRFI or director/officer (the Recipient) has breached the applicable FRFI Act, setting out the alleged violation, the name of the individual or entity alleged to have committed the violation, the proposed penalty, and the Recipient’s right to make representations to the Superintendent within 30 days.
Upon receiving a Notice of Violation, a Recipient can (i) pay the proposed AMP, which constitutes a deemed admission of the violation and concludes the matter; (ii) make representations to the Superintendent, in which case the Superintendent assesses whether a violation occurred and may impose the proposed penalty, or a lesser or no penalty; or (iii) take no action, which results in a deemed violation and allows the Superintendent to impose the proposed penalty, or a lesser or no penalty. Where a violation is confirmed, the Superintendent will issue a final Notice of Decision.
For serious or very serious violations, the Recipient has the right to appeal to the Federal Court within 30 days. This process is generally aligned with the legislative framework for the imposition of AMPs by the FCAC under the Bank Act’s consumer protection framework, the Bank of Canada under the Retail Payments Activities Act, and FINTRAC under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).
The Guide sets forth the statutory factors OSFI must consider when determining an AMP amount as set out in the Office of the Superintendent of Financial Institutions Act, and provides specific examples of the considerations that OSFI will evaluate with respect to those factors:
The Guide asks FRFIs to promptly disclose potential compliance issues to the FRFI’s Lead Supervisor. A failure to promptly notify OSFI of the breach will be considered as a factor when assessing the FRFI’s intention or negligence.
It remains unclear what would constitute a “potential” compliance issue. This requirement seems more onerous than that imposed by the FCAC, which requires FRFIs to report actual breaches of a market conduct obligation, and FINTRAC’s expectation that reporting entities file a Voluntary Self-Declaration of Non-Compliance (VSDONC) for actual breaches of the PCMLTFA.
FRFIs may also submit preliminary representations to OSFI before the Superintendent determines whether to issue a Notice of Violation (NOV). These preliminary representations may address whether a breach occurred, the applicable penalty criteria, due diligence efforts, contributing factors, relevant timelines, impacts on the institution or its stakeholders, and any corrective measures planned or already implemented. Preliminary representations may help clarify the issues at an early stage and allow any subsequent NOV to be more focused and reflective of agreed or acknowledged facts. This opportunity is in addition to the right to make formal representations after a NOV has been issued.
OSFI’s Guide indicates to FRFIs that early identification of issues, prompt engagement with OSFI, and well-documented remediation efforts will be essential to managing enforcement risk. FRFIs should expect OSFI to scrutinize not only whether a breach occurred, but how it was identified, escalated, addressed and reported.