Consultation on FCAC’s proposed Supervision Framework

Notice:

The FCAC Supervision Framework contains general information and is provided for the guidance and convenience of FCAC stakeholders. It describes a general approach to typical supervision matters. FCAC reserves the right to adjust its approach, as necessary.

1. Intro​d​uction

This Supervision Framework describes the principles and processes applied by the Financial Consumer Agency of Canada (“FCAC”) to supervise the market conduct of federally regulated financial entities and ensure that financial consumers and merchants continue to benefit from the applicable protections.

1.1. Financial Co​nsumer Agency of Canada

FCAC plays a key role in financial consumer protection by supervising the market conduct of federally regulated financial entities, educating financial consumers about their rights and responsibilities, and strengthening financial literacy. It derives its mandate from the Financial Consumer Agency of Canada Act (FCAC Act).

FCAC is led by a Commissioner who reports annually to Parliament through the Minister of Finance. The FCAC Supervision and Promotion Branch pursues its supervisory objectives through the activities of its two divisions: the Supervision and Enforcement Division and the Promotion and Policy Division.

The FCAC Act sets out the following objects for supervision:

• to supervise regulated entities and determine whether they are complying with applicable laws, voluntary codes of conduct and public commitments that they have adopted (collectively, their “market conduct obligations”)
• to promote the adoption by regulated entities of policies and procedures designed to implement their obligations
• to monitor and evaluate trends and emerging issues that may have an impact on financial consumers, and to collaborate with other government agencies, regulators and stakeholders to foster an understanding of financial services and related issues

Specifically, FCAC oversees regulated entities’ compliance under the following federal legislation:

• Bank Act
• Insurance Companies Act
• Trust and Loan Companies Act
• Cooperative Credit Associations Act
• Payment Card Networks Act​
• Green Shield Canada Act

1.2. Reg​ul​ated entities

FCAC supervises the market conduct of the following federally regulated financial entities (collectively, “regulated entities”):

• ​​Federally regulated financial institutions (FRFIs)
  FRFIs include banks as well as federally regulated credit unions, insurance companies, trust and loan companies, and retail associations.
• External complaints bodies (ECBs)
  ECBs are independent organizations approved under the Bank Act to handle escalated consumer complaints related to products and services offered by their members. Every bank or federal credit union must be a member of an ECB.
• Payment card network operators (PCNOs)
  PCNOs operate or manage payment card networks by establishing standards and procedures for the acceptance, transmission or processing of payment transactions and by facilitating the electronic transfer of information and funds.

FCAC expects a regulated entity’s directors and officers to manage or supervise the management of the adoption of business practices, governance and independent oversight functions targeted to achieve compliance with its market conduct obligations.​  

2. Guiding ​principles

FCAC’s supervisory activities and decisions are driven by its mandate and guided by the following four principles.

2.1. Trans​parency

Transparency provides predictability for regulated entities and enables effective collaboration among stakeholders. FCAC achieves transparency by communicating its expectations, concerns and priorities—clearly, early and often.

2.2. Pro​activity

FCAC strives to identify emerging issues and market trends early. It intervenes swiftly to foster sound market conduct.

2.3. Propo​rtionality

FCAC allocates its resources proportionally to the level of risk presented by the regulated entities, and takes enforcement action that is proportionate to the severity of the breach.

2.4. Acc​ountability

FCAC is accountable for the delivery of its mandate and the actions that ensue. It conducts its supervisory activities in a consistent, timely and professional manner and adheres to established service standards.

3. Superv​ision process

3.1. Classif​ication of entities

In keeping with FCAC’s risk-based approach, FCAC has developed a tiered classification that guides the nature and intensity of its supervisory interactions. Every regulated entity is classified as either tier 1 or tier 2.

T​ier 1

These regulated entities present a higher inherent risk of breaching their market conduct obligations, due principally to their business models and/or their product and service offerings. These entities include those offering retail products and services to consumers, those whose participants offer payment services to merchants, and those offering dispute resolution services to their member banks.

Tier 1 entities are assigned a senior officer and undergo a cycle of proactive supervision that includes an assessment of their capacity to manage market conduct risk. Within tier 1 entities, the intensity of supervision varies according to an entity’s inherent risks and its ability to mitigate them. Intensity can also vary based on the size of the entity and the complexity of its business model, the analysis of which forms part of its Market Conduct Profile (see subsection 5.1). 

Tie​r 2 

These regulated entities present a lower inherent risk of breaching their market conduct obligations, due principally to their business models and/or their product and service offerings. These entities include those not offering retail products and services, and those whose business is restricted to the sale of insurance products and services.

Tier 2 entities are monitored less intensively through activities such as annual examinations. They are not typically assigned a senior officer but do have access to liaison officers to address questions that may arise from time to time.

3.2. Pil​lars of supervision

FCAC employs a variety of oversight tools that broadly support three pillars of supervision, namely:

• promoting responsible market conduct
• monitoring market conduct
• enforcing market conduct obligations​

These pillars are meant to work together and should not be considered mutually exclusive: action in one pillar may prompt or inform action in another. For example, as FCAC engages in activities to promote or monitor compliance, it may identify a need to investigate a potential breach.

Figure 1 outlines the tools most commonly associated with each pillar. This is displayed for illustration purposes only and is not meant to limit the actions of FCAC. FCAC will select the tool(s) that it deems most appropriate for each individual circumstance. In some situations, the same tool may be used to support more than one pillar of supervision. Each of these tools is described in the following three sections of this document.

Figure 1: Tools of supervision

4. Tool​s for promotion

Compliance is facilitated when obligations are clearly identified and widely understood by regulated entities and stakeholders. FCAC promotes responsible market conduct by communicating its expectations and interpretations, early and often, using various tools.

4.1. FC​AC Decisions

FCAC Decisions provide information about Notices of Violation and Notices of Decision (for breaches of legislation/regulation) or Notices of Non-Compliance (for breaches of voluntary codes or public commitments). Publishing Decisions allows regulated entities to assess their own market conduct, and to take necessary action to ensure compliance with their obligations.

4.2. FCAC Gu​idelines

FCAC Guidelines set out the manner in which regulated entities are expected to comply with their market conduct obligations. Developed following consultation with stakeholders, Guidelines set broad industry standards and establish prudent practices, which FCAC expects regulated entities to incorporate into their business operations.

4.3. FCAC​ Rulings

FCAC Rulings assist regulated entities in the interpretation of their market conduct obligations. While they are case-specific, Rulings can nonetheless provide direction to entities whose situations are substantially similar. Rulings do not restrict FCAC in its approach to similar situations.

4.4. Eng​agement with regulated entities

FCAC regularly meets with senior officials of regulated entities to communicate compliance concerns, share priorities, build trust and promote responsible market conduct. FCAC also engages the entities through annual Industry Sessions, which present opportunities for open discussions and information-sharing on topics such as emerging trends and issues; plans and priorities; and supervision and compliance challenges.

Tier 1 entities also benefit from a cyclical process of proactive supervision where compliance opportunities and challenges are discussed (see subsection 5.1).

4.5. Engagem​ent with stakeholders

FCAC builds understanding and trust by engaging stakeholders to assist in the execution of its mandate. Venues for engagement include public consultations, round tables, speaking engagements and stakeholder surveys. FCAC engages with various consumer groups to seek their perspectives on the regulatory environment, market trends and emerging issues that may be impacting Canadians. FCAC may also publish hypothetical case studies, newsletters, press releases and other material to promote responsible market conduct.

5. Too​ls for monitoring

Monitoring the market conduct of regulated entities involves ongoing assessments of their levels of compliance. FCAC also engages in other monitoring activities such as gathering information on current and emerging issues in the financial sector. Monitoring tools employed by FCAC are outlined below.

5.1. Market Co​nduct Profiles (tier 1 only)

FCAC uses a defined and continuous process to assess the overall market conduct risk of each tier 1 regulated entity. This process guides the development of individual Market Conduct Profiles, which FCAC uses to determine the intensity of supervision activity and to allocate resources accordingly. This process has three stages:

Figure 2: The Market Conduct Profiling cycle

Planning: FCAC senior officers devise annual supervision plans for each tier 1 regulated entity in their respective portfolios. These plans also set out activities to be undertaken in the following three years. The nature and intensity of the supervision activities are determined by an entity’s most recent Market Conduct Profile.

Execution: FCAC compiles and assesses information on each regulated entity, focussing on the following factors:

• effectiveness of five oversight functions: compliance, risk management, internal audit, senior management and board of directors (as applicable)
• inherent risks based on products and services offered
• planned growth
• history of investigations and breaches
• trends or issues identified through ongoing monitoring
• compliance culture
• willingness and ability to comply with market conduct obligations and to proactively mitigate risks

Reporting: FCAC senior officers update the Market Conduct Profiles of tier 1 regulated entities based on information gathered during the execution stage. Profiles are shared individually or in aggregate with FCAC senior management and are used to determine priorities for subsequent years.

5.2. Exam​inations

Examinations are conducted to gather information about a regulated entity’s business, to determine levels of compliance with market conduct obligations, or to follow up on corrective measures. FCAC may review documents (e.g., policies and procedures, training or disclosure documents) and interview employees to assess the effectiveness of controls put in place to mitigate compliance risks (e.g., complaint-handling procedures, risk management processes or other oversight functions).

Examinations may be conducted by way of:

• on-site examination, which FCAC conducts at the offices of the regulated entity
• off-site examination, also known as a desk review, where the regulated entity provides the necessary documents for a review conducted at FCAC offices

Following an examination, FCAC prepares an Examination Report detailing its findings. This report may include recommendations on how the regulated entity can mitigate compliance risks, address deficiencies or improve control processes. FCAC may also engage with the entity to establish a plan to address identified deficiencies. Regulated entities are expected to address deficiencies promptly and to inform FCAC of their progress. Unsatisfactory corrective measures can lead to enforcement action.

FCAC is required to examine each regulated entity annually to determine whether they are complying with applicable market conduct obligations.^{Footnote 1}  FCAC conducts its annual examinations using a variety of tools described in this Supervision Framework, and reports to the Minister upon completion.

5.3. Mand​atory reporting

Regulated entities must file certain information with FCAC within timeframes and formats prescribed by statute. This information includes complaint-handling procedures, public accountability statements and notices of branch closure, all of which are reviewed to ensure compliance. Failure to meet statutory filing requirements may lead to enforcement action.

FCAC requires regulated entities to submit additional information, in accordance with its mandate, including aggregated complaints and compliance issues, updated statistics on specific lines of business, and responses to self-assessment questionnaires. Regulated entities are also expected to proactively report any issues or developments that could change their market conduct risk.

5.4. Third-pa​rty intelligence

Third parties such as consumers and merchants contribute to the monitoring process by participating in consultations or by filing complaints directly with the FCAC Consumer Services Centre. FCAC may initiate investigations based on information obtained from any source, including media coverage or information received from other regulators.

5.5. Indust​ry reviews

Industry reviews are designed to gather information from regulated entities on specific market conduct matters and on matters related to the financial services sector generally. These reviews serve to achieve any of the following objectives:

• to assess current or emerging issues on a specific topic or theme
• to identify and examine industry practices or trends
• to verify levels of compliance with market conduct obligations
• to collect information for policy discussions

Regulated entities participating in industry reviews are expected to comply with FCAC requests. Information from these reviews may be used to provide guidance, establish best practices or inform policy makers. Reviews may also identify compliance breaches that will lead to enforcement action.

6. To​ols for enforcement

Enforcement begins with investigating any potential breach of a market conduct obligation that comes to FCAC’s attention. If FCAC determines that a breach has occurred, it responds with the appropriate enforcement tool(s) to ensure compliance and deter future breaches.

Figure 3: Typical flow of enforcement activity

6.1. Inv​estigations

Preliminary investigations: FCAC conducts preliminary investigations to determine basic information such as:

• whether a potential breach falls within its supervisory authority
• the existence, nature and duration of a potential breach
• whether the potential breach is isolated or systemic

If a preliminary investigation leads FCAC to believe that a breach has occurred, it will either proceed with a full investigation or issue a level 1 Notice of Breach (see subsection 6.2).

FCAC notifies the regulated entity of the date when FCAC had acquired sufficient information on the subject matter of the potential breach. Violation proceedings may not be commenced on the matter more than two years after that date.^{Footnote 2}

Investigations: FCAC conducts an investigation when it requires additional information about a breach identified in a preliminary investigation. Entities must provide the information by the date and in the form requested.^{Footnote 3}  Failure to do so may result in their being compelled to provide the information.^{Footnote 4}

Once an investigation is completed, FCAC’s Supervision and Enforcement Division issues one of the following:

a) Notice of Breach (see subsection 6.2), which may require the regulated entity to enter into a Compliance Agreement or Action Plan

b) Compliance Report, which may lead to a Notice of Violation (see subsection 6.5) or Notice of Non-Compliance (see subsection 6.6)

A Compliance Report captures the facts of the breach, an assessment of its severity, and recommendations for enforcement. The regulated entity is provided 30 calendar days to review the report to validate its facts. FCAC will expect the regulated entity to exercise due diligence in this regard. Once comments, if any, are received from the entity, the report is finalized and forms part of the record for review by the Deputy Commissioner who will decide whether there are reasonable grounds to believe a violation has been committed. Following the Deputy Commissioner’s consideration, FCAC may issue a Notice of Violation (for a breach of legislative obligations) or a Notice of Non-Compliance (for breaches of voluntary codes of conduct and public commitments).

The selection of enforcement tool(s) is based on factors such as:

• degree of negligence or intent
• degree of direct or indirect harm
• compliance record (including past breaches, Action Plans or Compliance Agreements)
• strength of controls or actions taken to prevent the breach from occurring
• length of time taken to identify and correct the breach
• remediation plans and associated timeframes
• risk of recurrence
• level co-operation with FCAC (including whether the issue was self-reported to FCAC)

6.2. Noti​ces of Breach

If FCAC has determined that the severity of a breach falls within one of the levels below, it may proceed by issuing a Notice of Breach.

A level 1 notice may be issued if the breach is isolated or minor. A level 1 notice may also be issued when a systemic breach has been promptly identified and rectified, the regulated entity has shown that sufficient controls are in place to prevent recurrence and impact was minimal.

Regulated entities are expected to assess their policies and processes to ensure that risks are identified and mitigated. A recurrence may lead to stronger enforcement action.​

A level 2 notice may be issued if the regulated entity is required to take specific action to address a breach. FCAC notifies the entity that failure to correct the breach could lead to stronger enforcement action. The entity is expected to promptly correct the breach and assess and change its internal practices, if necessary, to avoid any recurrence. The entity is also required to enter into an Action Plan specifying these corrective measures (see subsection 6.3). A recurrence may lead to stronger enforcement action.

A level 3 notice may be issued in any of the following circumstances:

• there is a heightened sense of urgency to complete corrective actions
• the breach is a symptom of a broader compliance deficiency or concern
• the entity has demonstrated a low level of cooperation towards voluntary compliance
• there is a specific need to escalate related concerns within the regulated entity

A level 3 notice typically requires the regulated entity to enter into an Action Plan (subsection 6.3) or Compliance Agreement (subsection 6.4).

6.3. Acti​on Plans

An Action Plan details the corrective measures required to prevent recurrence of a breach, and the timeframes for action. FCAC works with regulated entities to establish parameters and timeframes. Regulated entities must provide FCAC with regular updates throughout the duration of the Action Plan, followed by a full report once all actions have been completed.

6.4. Compl​iance Agreements

A Compliance Agreement specifies the corrective measures required to address a breach and the timeframes for action. Regulated entities can be required to provide regular updates throughout the duration of the Compliance Agreement and a full report once all actions have been completed to FCAC’s satisfaction. For legislative/regulatory obligations, breaching a Compliance Agreement may result in a Notice of Violation.^{Footnote 5}  For non-legislative obligations, breaching a Compliance Agreement may result in a Notice of Non-Compliance.

6.5. Notic​es of Violation

A Notice of Violation is issued when there are reasonable grounds to believe that a regulated entity has breached a consumer provision or failed to comply with a Compliance Agreement requirement.

A Notice of Violation specifies the name of the regulated entity, the nature of the violation(s), and any proposed administrative monetary penalty (AMP).^{Footnote 6 Footnote}

Upon being served with a Notice, a regulated entity can pay the AMP, make representations to the Commissioner within 30 days, or do nothing.  This is the sole opportunity for a regulated entity to make representations to the Commissioner on the Notice of Violation, on any proposed AMP(s), and on the publication of the name of the person/entity that committed the violation.​

A regulated entity that pays the AMP or does nothing is deemed to have committed the violation.^{Footnote 7}  In such cases, the Notice of Violation stands and is subject to FCAC’s Publishing Principles.

Administrative monetary penalties (AMP): The maximum AMP per violation is $50,000 for a natural person and $500,000 for all other persons, including regulated entities.^{Footnote 8}  AMPs are payable to the Receiver General for Canada.^{Footnote 9}  An unpaid AMP is a debt due to Her Majesty in right of Canada and may be recovered as such in Federal Court.^{Footnote 10}

The AMP amount is determined taking into account the following criteria,^{Footnote 11}  applied with regard to the overall purpose of the FCAC Act:

• Degree of intent or negligence: FCAC considers factors such as the type and severity of the breach; whether it is isolated or recurring; whether there was a wrongful purpose on the part of the entity; the overall profile of the entity, including its size and the complexity of its business; the quality of its internal controls; and its commitment to ensuring compliance generally.
• Harm done by the violation: FCAC considers factors such as direct financial loss to consumers; consumers’ inability to make informed decisions due to a lack of information or information that is unclear or misleading; how that harm impacted consumers, the public and the federally regulated financial sector; and the nature and number of consumers or merchants affected.
• Compliance history: FCAC considers the overall compliance history of a regulated entity with respect to any previous violations or convictions during the previous five years, such as the severity, number and circumstances of previous violations or convictions. Generally, larger AMPs ensue for successive violations.

Representations: A regulated entity may make representations to the Commissioner within 30 calendar days of being served with a Notice of Violation. Representations are written statements that set out the entity’s position with respect to the Notice of Violation, any proposed AMP(s), publication of the name of the person/entity that committed the violation, and any other matter the entity wishes the Commissioner to consider in rendering a decision.^{Footnote 12}  The Commissioner may request additional information as needed.

Notices of Decision: If representations are made, the Commissioner reviews them along with the Compliance Report and decides, on a balance of probabilities, whether a violation has occurred. The Commissioner’s decision is communicated by way of Notice of Decision, which includes the Reasons for Decision.^{Footnote 13}  The Reasons for Decision provide the facts and rationale in support of the Commissioner’s decision. Upon deciding that a violation has occurred, the Commissioner may impose the proposed AMP, a lesser AMP or no AMP.^{Footnote 14}  A regulated entity may appeal the Commissioner’s decision to the Federal Court.^{Footnote 15}

Publication: The Commissioner has the discretion to make public the nature of a violation, the name of the regulated entity, and the amount of any AMP.^{Footnote 16}  FCAC always publishes the nature of the violation and the AMP. In exercising the legislated discretion to also name an entity, the Commissioner considers factors such as:

• FCAC’s consumer protection mandate, which includes promoting consumer and merchant awareness about obligations of regulated entities and promoting compliance among regulated entities
• the egregiousness of the entity’s actions or inactions
• the entity’s willingness to assume responsibility for the violation
• the degree of collaboration shown throughout the investigative process
• the impact of the violation on consumers and consumer confidence
• whether systemic issues are likely to cause further problems
• deterrence

FCAC publishes information about violations according to its Publishing Principles.

6.6. Not​ices of Non-Compliance

FCAC may issue a Notice of Non-Compliance when an investigation reveals that a regulated entity is in breach of its obligations under a voluntary code of conduct or public commitment.

A Notice of Non-Compliance specifies the nature of the breach.

Representations: The regulated entity may make representations to the Commissioner within 30 calendar days of being served with a Notice of Non-Compliance. Representations are written statements setting out the entity’s position on the Notice of Non-Compliance and must be submitted in accordance with instructions given in the Notice. The Commissioner may request additional information as needed. If a regulated entity chooses not to make representations, it is deemed to have breached the provision of the applicable voluntary code of conduct or public commitment. In such cases, the Notice of Non-Compliance stands and is noted in the entity’s compliance record.

Notices of Decision: If representations are made, the Commissioner reviews them along with the Compliance Report and decides, on a balance of probabilities, whether a breach has occurred. The Commissioner’s decision is communicated by way of Notice of Decision, which includes the Reasons for Decision. The Reasons for Decision provide the facts and rationale in support of the Commissioner’s decision.

Publication: When it is determined that a regulated entity is in breach of its obligations under a voluntary code of conduct or public commitment, FCAC will make public the nature of the breach. Publication will proceed according to FCAC’s Publishing Principles.

7. Ho​w to contact FCAC

FCAC welcomes inquiries and feedback from regulated entities and other stakeholders. Tier 1 regulated entities should contact their assigned FCAC senior officers directly. For all other inquiries or feedback, FCAC can be contacted by email, mail, fax or telephone.

Email: info@fcac-acfc.gc.ca

Phone:

For services in English: 1-866-461-FCAC (3222) 
For services in French: 1-866-461-ACFC (2232) 
For calls from the Ottawa area or from outside Canada: 613-960-4666 
*Information officers are available Monday to Friday, 8:30 a.m.–5:00 p.m. (Eastern Time) 

Teletypewriter (TTY): 1-866-914-6097 / 613-947-7771 

Fax: 1-866-814-2224 / 613-941-1436 

Mailing Address:

Financial Consumer Agency of Canada
427 Laurier Avenue West, 6th Floor
Ottawa ON K1R 1B9