• OSFI Issues RCM Guideline E-13 - Regulatory Compliance Management
  • January 10, 2015 | Authors: Miho Felicio; Gordon Goodman; Laurie LaPalme; Jared Puterman; Brian Reeve
  • Law Firm: Cassels Brock & Blackwell LLP - Toronto Office
  • On November 13, 2014, the Office of the Superintendent of Financial Institutions (“OSFI”) released the final version of Guideline E-13 - Regulatory Compliance Management (the “RCM Guideline”), which replaces the 2003 Guideline E-13 then referred to as the Legislative Compliance Management (the “Old Guideline”).

    The RCM Guideline sets out OSFI’s expectations for federally regulated financial institutions (“FRFI”) with respect to the management of regulatory compliance risk inherent in FRFIs’ business activities enterprise-wide. The RCM Guideline is intended to do all of the following:

    • Outline OSFI’s supervisory expectations with respect to FRFIs’ control frameworks for mitigating regulatory risk.

    • Promote industry best practices in regulatory compliance risk management.

    • Align with OSFI’s more recently revised Supervisory Framework (2010) and Corporate Governance Guideline (2013).

    • Be more consistent with international risk management standards (set out by the Basel Committee on Banking Supervision’s updated 2011 version of its Principles for the Sound Management of Operational Risk, and the International Association of Insurance Supervisors’ relevant Insurance Core Principles).

    The RCM Guideline defines “RCM Framework” as the structures, processes and other key control elements through which a FRFI and its subsidiaries manage and mitigate regulatory compliance risk inherent in their activities enterprise-wide.
    At a minimum, OSFI expects the RCM Framework to include all of the following:

    • The role of the Chief Compliance Officer (the “CCO”). This individual is responsible for assessing the adequacy of, adherence to and effectiveness of the FRFI’s day-to-day controls. OSFI recognizes that this individual may have other responsibilities, especially in the case of small, less complex FRFIs.

    • Reasonable procedures for identifying, risk assessing, communicating, effectively managing and mitigating regulatory compliance risk and maintaining knowledge of applicable regulatory requirements.

    • Day-to-day compliance procedures in operational management.

    • Independent monitoring and testing procedures by the CCO and validation by Internal Audit or other independent review function.

    • Internal reporting to Senior Management and the Board (or Chief Agent in the case of a Canadian branch). OSFI expects the Board (or Chief Agent) to determine the type, content and frequency of reports, although they must occur at least annually. The RCM Guideline sets out examples of the content expected in a regulatory compliance management (“RCM”) report.

    • Adequate documentation setting out the roles and responsibilities of all individuals involved in RCM.

    • The role of Senior Management and the Board of Directors (or Chief Agent). These are persons who are ultimately responsible for effective enterprise-wide RCM.


    In recent years, OSFI has become increasingly focused on ensuring that FRFIs identify, assess, measure, manage and mitigate various types of risks. The RCM Guideline continues in this approach with respect to regulatory compliance risks. OSFI has taken a risk-based approach giving FRFIs flexibility in their RCM framework, which are expected to vary depending on the FRFI’s nature, size, complexity and inherent risks (e.g., a variety of ways to determine when and how often to assess RCM controls, where and what method of testing or monitoring, or both, is done, etc.). However, all FRFIs, regardless of size, are expected to have risk management controls that are proportionate to their identified risks.

    OSFI expects FRFIs to implement the RCM Guideline by May 1, 2015. In addition, the RCM Guideline requires FRFIs to review and update their RCM Framework at least annually. In practice, we do not expect FRFIs who have been in compliance with the Old Guideline and more recent Corporate Governance Guideline (2013) to require significant changes to their regulatory risk management practices as OSFI has made it clear that the RCM Guideline does not create new regulatory requirements; rather, the RCM Guideline is intended to communicate OSFI’s key expectations in respect of the need for FRFIs to establish and maintain an enterprise-wide framework of regulatory risk management controls.

    OSFI’s supervisory assessment of FRFIs may include an evaluation of their RCM Framework against the expectations of the Revised Guideline. FRFIs should revisit their RCM Framework in light of the Revised Guideline and make improvements where required.