Unpacking new OSFI guidelines for assurance on capital, leverage, and liquidity returns

In November 2022, the Office of the Superintendent of Financial Institutions (OSFI) issued a new set of guidelines and expected practices which apply to all federally regulated insurers and deposit-taking institutions. The guidelines are focused on capital, leverage, and liquidity returns — adding enhanced levels of assurance that the inputs which create key regulatory ratios accurately reflect a financial institution’s performance.

The OSFI guidelines will roll out, in a phased approach, starting in fiscal 2023 for internal audit, followed by guidelines for senior management in 2024 and for external auditors in 2025. If you’re in a senior management position at a federally regulated insurer or deposit-taking institution in Canada, or if you audit financial institutions (whether in an internal or external audit role), you need to be aware of what the new guidelines contain, how they may impact you, and what you can do to prepare for a new regime of oversight.

In this whitepaper, we will answer your key questions and share insights on how to ensure you’re compliant.

What mandates and changes do the new OSFI guidelines contain?

First and foremost, it’s worth noting that the document containing the full set of guidelines is brief, so the best first step to understanding its impact to your organization and what you may need to do in order to comply, is to read it in full. The purpose of this article is to provide summary and commentary.

Generally, what OSFI expects of internal auditors, external auditors, senior managers, and CFOs at financial institutions is centered around creating more robust governance practices, improved communication, and more formal opinions and attestations. It’s about performing a more thorough analysis to verify the inputs that created the numerators and denominators on key regulatory ratios.

See below for a summary of OSFI’s key expectations.

Senior managers and CFOs

• Ensure senior managers who provide internal attestations on regulatory reports have the appropriate level of seniority (preferably CFO level).
• Accompany submissions with a summary of unadjusted errors that impact the calculation of regulatory ratios.
• Ascertain all internal processes and controls are being adhered to, and are free of bias, to the highest degree possible.
• Increase collaboration between risk and compliance teams and management, to ensure controls are in place over the development, preparation, review, and approval of these ratios. You may already have this in place through your regular capital management process, and if so the expectation is to make it more formalized.

Internal audit

• Always remain up to date on what the regulatory requirements are for your industry.
• Ensure all new guidelines are formally worked into your audit plan, and executed once every three years, at a minimum.
• Review the attestations of senior management, and issue a formal opinion that the returns in scope, filing requirements, and frequency of these filings are accurate and complete.

External audit

• Provide a formal audit opinion that these ratios, and the inputs that went into calculating the numerator and denominator, are correct and tied back to the appropriate supporting schedules.
  • External auditors have not explicitly been asked to provide a standalone opinion outside of the general financial statement opinion until now. This new expectation will likely require you to fill out an additional form, document everything at a higher level, and be subject to internal QA. Keep an eye out for additional guidance in the External Audit Handbook.

It’s also important to note that expectations for auditors and senior management attestations can vary between the large domestic systemically important banks (D-SIBs) and small to medium-sized deposit-taking institutions (SMSBs). A full list of these differences is found in OSFI’s guidance. On a high level, the expectations for all D-SIBs and the larger Category I SMSBs are virtually identical, but as you move down into the smaller Category II and III SMSBs, you see fewer ratios that need to be scrutinized and opined on, as well as less strenuous reporting timelines, in some cases.

Most, if not all, of the above points are already being executed by prudent financial institutions and auditors. In a sense, these OSFI guidelines are not as much about adding new practices and processes so much as they are about strengthening existing ones — adding more layers of verification and comparability in financial reporting.

This leads to the next important question: why is OSFI releasing these new guidelines at all?

What is the purpose behind the guidelines for assurance on capital, leverage, and liquidity returns?

Alignment across nations and across institutions

The new OSFI guidelines are part of Canada’s broader effort to abide by the standards of the Basel Committee on Banking Supervision. Canada and its central bank are moving towards having a more consistent set of banking standards that aligns more closely with the international community.

Within Canada, these guidelines also serve a purpose of providing more assurance to investors that financial statements are correct. OSFI’s key regulatory ratios — for example BCAR and NSFR — are designed to be calculated the same way for all banks. Their purpose is to serve as a benchmark, or to be absolutely comparable, between financial institutions in the same category.

Managing risk, preserving trust

Normally, when a new set of regulatory guidelines is released for any industry (not just in banking), you can safely assume the regulator saw or anticipated some level of risk and wanted to get ahead of it. That’s not to say that these new OSFI guidelines indicate risks in Canadian banking are abnormal or concerning; they simply serve as one tool that can potentially decrease risk and increase transparency.

It’s important to note that even if you have strong internal and external audit practices, your key regulatory ratios are still self-reported. Mistakes, internal bias, or overly optimistic interpretations of the numbers could taint the integrity of financial statements, leading bondholders, shareholders, and other stakeholders to think an institution is performing better than it actually is. And OSFI would not necessarily be privy to that unless they did their own investigation.

What are the consequences of deviating from these guidelines?

The question of how these guidelines will be enforced is interesting. OSFI is laying out a set of expectations for both executives and auditors. And yet OSFI does not govern external auditors or have the authority to censure them, its oversight powers lie solely with the financial institutions. If you hold an internal role at a federally regulated bank or insurer, obviously you can fire external auditors if they violate these guidelines — but what happens to your own organization?

The reaction from OSFI will depend on the type and severity of the violation. It could include:

• Increased supervisory action and oversight, which can add to your bureaucracy and costs (including the fees you pay to OSFI)
• Discipline of internal auditors, executives, or other decision-makers involved
• An increase to your financial institution’s composite risk rating and intervention level (i.e. staging)

The consequences are not strongly focused on fines and penalties — OSFI is more likely to use whatever levers it has to require banks and insurers to slow down their operations until the controls are in place and sustained.

What does the future hold?

At the moment, OSFI’s guidelines for assurance on capital, leverage, and liquidity returns only apply to federally regulated banks and deposit-taking institutions. One should not, however, rule out the possibility that their scope will expand in future years to reach the provincial level, and the governance of credit unions and mutual insurance companies.

Generally speaking, this is the direction Canada appears to be heading: away from simply trusting the self-reported numbers and ratios that appear in financial statements, and towards more verifications and assurances provided through robust audit practices.

Staying vigilant

As you adjust your internal practices and controls to meet OSFI’s new guidelines, and as you retain external auditors, you need to ensure you have the right third-party advisors at your side. The team at MNP is here to support you in all capacities, to make sure you stay compliant. Our firm performs external audits of federally regulated banks in Canada, and can also conduct internal reviews of your processes and controls to support your internal auditors, executives, risk management teams, and more.