OSFI Introduces New Supervisory Framework for Federally Regulated Financial Institutions
On February 8, the Office of the Superintendent of Financial Institutions (“OSFI”) announced a new supervisory framework (the “Supervisory Framework”) for federally regulated financial institutions (“FRFIs”). The Framework represents a significant overhaul to OSFI’s supervisory approach. It includes an expansion of the existing 4-point risk rating scale to an 8-point scale, enhanced risk rating information for FRFIs and the introduction of new risk assessment categories, as well as a consideration of climate risk.
The new Supervisory Framework is designed to offer more immediate indication of changes to OSFI’s risk assessment, and more tailored supervision based on the regulated entity’s size and complexity. This allows for more timely intervention and for FRFIs to better understand OSFI’s supervisory expectations. The new Supervisory Framework will come into force in April 2024.
1. Overall Risk Rating Scale and Intervention
Under OSFI’s new Supervisory Framework, the Overall Risk Rating (“ORR”) will correspond to OSFI’s existing Intervention Stage ratings as illustrated in the table below:
ORR | Description | Intervention Stage |
1 | Minimal | 0 |
2 | Low | 0 |
3 | Moderate | 0 |
4 | Watchlist | 0 |
5 | Early warning | 1 |
6 | Material | 2 |
7 | Serious | 3 |
8 | Non-viability imminent | 4 |
Institutions are deemed Stage 0 or “unstaged” by OSFI when they exhibit no significant issues. OSFI’s new Supervisory Framework further distinguishes stage 0 into four subcategories based on the rationale that this will provide greater clarity on an institution’s risk profile and prompt early corrective action.
The staged categories are further defined below by OSFI:
- ORR 1: Indicates no significant problems; minor issues may arise but are deemed manageable with a minimal level of risk to viability.
- ORR 2: signifies low risk, with certain issues requiring action but unlikely to have a significant impact on financial performance or critical operations.
- ORR 3: signifies moderate risk, with issues identified that could significantly impact financial performance or critical operations unless addressed, but no anticipated risk to viability.
- ORR 4: watchlist status, signals immediate attention is required for identified issues to prevent likely formal intervention (Stage 1 or higher)
- ORR 5: early warning signs of issues impacting the viability of the institution, but no expected threat to viability within two years.
- ORR 6: highlights material safety and soundness concerns, but no expected threat to viability within two years.
- ORR 7: signals severe safety and soundness issues putting the institution’s future viability in serious doubt, potentially within one year.
- ORR 8: institutions assigned to Stage 4 are assessed to be non-viable imminently.
2. Tier Rating
OSFI will assign an institution’s tier rating based on its size, complexity and OSFI’s views on the impact of its failure on the financial system. The table below illustrates the OSFI’s 5-tier scale and the classification of each tier:
Tier | Definition |
1 High | Large and/or complex institutions or pension plans with highest system impact |
2 Medium-High | Large and/or complex institutions or pension plans with significant system impact |
3 Medium | Mid-size institutions with moderate system impact | Large and/or complex pension plans |
4 Medium-Law | Smaller and/or less complex institutions with low system impact | Mid-size and/or moderately complex pension plans |
5 Low | Smallest, least complex institution with very low system impact | Small, least complex pension plans |
Subsidiaries or affiliates of larger institutions may also be assigned a separate tier rating called “Related Federally Regulated Financial Institution” linking its risk profile to the parent or affiliated company.
3. Tier Rating and ORR
Depending on the Tier Rating of the institution being assessed, OSFI will take the following approach during a risk assessment:
- For small institutions (in Tier 5), OSFI will assign an ORR that considers the risk categories.
- For larger institutions (in Tiers 1 to 4), OSFI will assign ratings for each risk category on a scale of 1 to 8.
- For the largest institutions (in Tiers 1 to 3), OSFI will include a more detailed analysis of additional risks.
Under OSFI’s new Supervisory Framework, each risk category is weighted equally although each risk category may influence the ORR for institutions in Tiers 1 to 4. OSFI rates each category according to the level of risk it poses to the viability of the institution.
It is important to note, for institutions that receive individual ratings for each category (Tiers 1 to 4), an institution’s ORR cannot exceed any of the rated categories but can be lower if there are multiple categories with less favourable ratings. OSFI notes that the category ratings are intended to highlight where improvements are required.
4. Risk Categories for ORR
OSFI will consider the following four new risk categories when determining an institution’s ORR:
(a) Business risk
The business risk category “represent[s] a forward-looking assessment of an institution’s business model sustainability,” including “the level of vulnerability to external factors” and will form the context for the following financial resilience risk category. OSFI will assess the institution’s capability to generate capital in line with its risk appetite, the competitive pressures faced by the institution, its execution of strategic plans, and potential reputational risks.
(b) Financial resilience
OSFI’s assessment of financial resilience measures an institution’s ability to withstand financial stress by scrutinizing the institution’s capital, liquidity and risk profile including its risk controls. For instance, for insurance companies, OSFI emphasized that the focus lies on insurance risk, including liability valuation, provisions, practices in underwriting, reinsurance, and broader risk management. OSFI is also interested in an insurer’s handling of investment risk and asset-liability management. For banks and similar deposit-taking institutions, OSFI would evaluate credit and market risks.
Additionally, OSFI will examine an institution’s capital adequacy by looking at capital management strategies, including evaluating contingency strategies and the ability to secure capital. Liquidity adequacy analysis will also be conducted which encompasses the assessment of funding risk and liquidity management practices notably for deposit-taking entities.
(c) Operational resilience
OSFI’s assessment of operational resilience considers “the ability of the institution to respond and adapt to potential disruptions.” This includes scrutinizing technology, cyber, and broad operational risks such as data management, relationships with third parties, and business continuity. OSFI will also consider the risk levels and effectiveness of risk oversight and control measures.
(d) Risk governance
OSFI’s assessment of risk governance will examine an institution’s “capacity for appropriate risk identification, evaluation and management” by considering the culture, accountability structures and independence of oversight function within the organization. The following is a list of functions that OSFI could evaluate:
- Business and central functions:
- maintaining effective control environment
- managing risks derived from daily operations
- oversee the implementation of business strategy.
- Enterprise-wide risk and compliance:
- independent frameworks and procedures for identifying, measuring, monitoring, and reporting risks for independent oversight and objective assessment of business management’s risk-taking activities and compliance matters.
- internal audit function:
- effectiveness of internal controls, risk management, and governance processes.
5. Climate Risk Considerations
Climate risk will be an overarching consideration that OSFI considers to be relevant to all rating categories. OSFI will consider the following aspects of climate risk:
- Level of financial and operational resilience to climate change, including physical and transition risk;
- Impact on business strategy; and
- Effectiveness of governance and risk management.
When climate risk is identified by OSFI, it will be reflected in the relevant category and could influence the ORR when OSFI deems the climate risk to be significant to the institution’s viability risk.