Authors
Jaidyn McEwen
The Office of the Superintendent of Financial Institutions (OSFI) released its new framework for supervising federally regulated financial institutions (FRFIs) on February 8, 2024. The new framework, which will come into force in April 2024, is the most significant change to OSFI’s supervisory approach in 25 years.
OSFI’s new supervisory framework introduces changes to the current risk rating scale, introducing an eight-point Overall Risk Rating Scale and Tier Rating system. Within this framework, there are new risk assessment categories, with the ultimate goal of ensuring that institutions understand what drives their individual risk ratings and OSFI’s risk appetite.
A summary of the key changes is below.
The existing framework operates under a four-point “Intervention Risk Rating”:
The new framework will expand this to an eight-point “Overall Risk Rating Scale” (ORR), which will map directly to OSFI’s existing intervention stage ratings.
OSFI will assign an ORR 1 when no significant issues are identified; an ORR 2 means that an FRFI has a low risk; an ORR 3 means that an FRFI has a moderate risk; and an ORR 4 is described as a watchlist to make it clear that identified issues need prompt attention or the FRFI is likely to be subject to formal intervention (i.e., a Stage 1 or higher rating).
An FRFI with an ORR between 1 and 4 will be in Stage 0. The rationale for splitting the existing Stage 0 into four distinct rating categories is to give FRFIs a better sense of how OSFI views their risk profile and provide signals for early corrective actions.
For higher ratings, OSFI will consider how quickly threats are developing.
An ORR 5 will be assigned to FRFIs that are in Stage 1 and is an early warning of issues that could impact viability. At this rating level, the impact to viability is not expected to occur within two years based on available information.
An ORR 6 will correspond to Stage 2. At this level, the FRFI poses material safety and soundness concerns. While the threat to viability is not immediate, it could occur within two years.
An ORR 7 will be assigned, and the FRFI will be placed in Stage 3, when future viability is in serious doubt (e.g., the FRFI has severe safety and soundness concerns that could affect viability within one year).
Finally, an ORR 8 will be assigned to FRFIs in Stage 4. At this point, non-viability is assessed as imminent.
OSFI will also implement Tier Rating according to a 1-to-5 scale, which will be based on an FRFI’s size and complexity, as well as OSFI’s view of the impact that its failure could have on the financial system.
The Tier Rating will determine the granularity of OSFI’s risk assessment. For small FRFIs (in Tier 5), OSFI will assign an ORR that considers the four new risk assessment categories (discussed below): business risk, financial resilience, operational resilience and risk governance.
For larger FRFIs (in Tiers 1 to 4), OSFI will also assign ratings for each of the four risk categories on the same 1-to-8 scale as the ORR. Each category will be rated according to the level of risk it poses to the viability of the FRFI. In addition, OSFI’s internal assessment of the largest FRFIs (in Tiers 1 to 3) will also include a more detailed analysis of additional risks.
For FRFIs that receive individual rating categories, any category has the potential to drive the ORR—the category with the weakest rating will become the starting point for the ORR. The ORR can’t be better than any of the rated categories; however, it can be worse (e.g., where different issues lead to multiple categories being rated at the same level).
This category represents a forward-looking assessment of an FRFI’s business model sustainability. Business risk can provide an early indicator of increasing prudential risk. If an FRFI fails to address a damaged business model, a loss of confidence can follow, resulting in financial stress.
OSFI’s assessment of financial resilience reflects the FRFI’s ability to withstand financial stress and considers the FRFI’s financial risk profile, capital and liquidity. OSFI assesses capital adequacy for financial resilience in severe but plausible stress scenarios, and considers capital management and the FRFI’s ability to identify, measure and monitor risk. The analysis is forward-looking and includes the FRFI’s contingency plan and access to capital. Financial resilience also includes consideration of liquidity adequacy, funding risk and the strength of liquidity management. This is a particularly important consideration for deposit-taking institutions.
Under this category, OSFI considers the ability of the FRFI to respond and adapt to potential disruptions. This category includes an assessment of technology, cyber, and operational risks. Operational risks include business continuity, third-party and data management.
OSFI defines effective risk governance as the ability to identify, assess and manage risks appropriately. When assessing effectiveness, OSFI considers culture, accountability structures and the extent to which oversight functions provide independent and objective challenges. OSFI’s assessment of risk governance includes the frameworks used to identify, assess and manage risks.
In addition to the four risk categories above, OSFI also identifies climate change as an example of a new risk type that is rapidly evolving and has the potential to significantly affect the safety of individual FRFIs and the system more broadly. Accordingly, climate risk considerations are relevant to all rating categories.
OSFI considers an FRFI’s level of financial and operational resilience to climate change (including physical and transition risks) and the impact on business strategy, as well as the effectiveness of governance and risk management. The ORR, discussed above, can be driven by climate risks when these risks are significant in OSFI’s assessment of the FRFI’s viability risk.
There are four main elements to OSFI’s supervisory process: the work OSFI does to identify risks at FRFIs, how OSFI assesses risks and assigns ratings, OSFI’s response to risks and the monitoring of remediation activity, and how OSFI reports the results of their supervisory work.
OSFI factors in size, complexity and potential financial system impact in terms of the supervisory work it carries out. This is reflected in an FRFI’s Tier Rating (as discussed above). Risk identification begins with data analytics. OSFI analyzes risk trends in a broader context by scanning the environment for emerging risks and other relevant trends. This work draws on stress testing and advanced analytics. OSFI then leverages the data and analytics to generate insights and timely signals of changes in risk level. Metrics derived from regulatory returns and other sources provide a consistent starting point for supervisory judgment. OSFI expects advanced data analytics will continue to lead to new supervisory capabilities.
The ORR reflects the level of risk to the viability of an FRFI with the 1-to-8 scale described above.
OSFI is “outcomes-focused”. When OSFI has supervisory concerns, it will highlight these to FRFIs and explain the outcomes it wants to see.
OSFI engages in supervisory reporting by providing FRFIs with written reports, by sharing information with Canadian and foreign regulators in certain situations, and by working with their partners in Canada’s federal regulatory system.
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2024 by Torys LLP.
All rights reserved.