Version in effect
The Supervision Framework came into effect on October 1, 2018. It was updated on August 7, 2020.
The Financial Consumer Agency of Canada’s (FCAC or Agency) Supervision Framework (the Framework) articulates the Agency’s approach for effectively administering its risk-based and outcome-driven supervision program, which seeks to promote and enable compliance on the part of regulated entities. The Framework establishes important principles that underpin FCAC’s three pillars of supervision: Promotion, Monitoring, and Enforcement.
The prevention of breaches of market conduct obligations is a foundational aspect of the FCAC’s supervision program, and the Framework therefore outlines how FCAC seeks to foster compliance on the part of regulated entities subject to market conduct obligations established by legislation, codes of conduct and public commitments.
1.1. Financial Consumer Agency of Canada
FCAC plays a key role in financial consumer protection by supervising the market conduct of federally regulated entities, educating financial consumers about their rights and responsibilities, and strengthening financial literacy among Canadians. It derives its mandate from the Financial Consumer Agency of Canada Act (FCAC Act).
FCAC is led by a commissioner who reports annually to Parliament through the Minister of Finance and oversees the Agency’s supervisory mandate. The FCAC Act sets out the following supervisory objects:
- to supervise regulated entities and determine whether they are complying with legislative and regulatory obligations, codes of conduct and public commitments that are overseen by FCAC (collectively, “market conduct” or “market conduct obligations”);
- to promote the adoption by regulated entities of policies and procedures designed to implement their market conduct obligations;
- to monitor and evaluate trends and emerging issues that may have an impact on financial consumers, and
- to collaborate with other government agencies, regulators and stakeholders to foster an understanding of financial services and related issues.
Specifically, FCAC oversees regulated entities’ compliance under the following federal legislation:
1.2. Regulated entities
FCAC supervises the market conduct of federally regulated entities (collectively, “regulated entities”), which consist of:
- federally regulated financial institutions (FRFIs), which include banks as well as federal credit unions, insurance companies, trust and loan companies, and retail associations;
- external complaints bodies (ECBs), which are independent organizations approved under the Bank Act to handle escalated consumer complaints related to products and services offered by their member banks;
- payment card network operators (PCNOs), whom operate or manage payment card networks by establishing standards and procedures for the acceptance, transmission or processing of payment transactions and by facilitating the electronic transfer of information and funds.
Expectations of regulated entities
- Regulated entities are responsible for understanding their obligations to financial consumers and working proactively to ensure these obligations are met.
- Regulated entities must manage, or ensure the management of, the adoption of business practices, governance and independent oversight functions necessary to achieve compliance with the regulated entity’s market conduct obligations.
- Regulated entities must proactively identify, address and monitor risks, keep FCAC updated on their risks and controls, and report compliance issues as FCAC requires.
- Regulated entities are to proactively report to FCAC any material developments that could change their market conduct risk.
While supervision is intended to foster compliance among regulated entities, the responsibility for fulfilling their market conduct obligations remains fully with the regulated entities.
2. Principles of supervision
In delivering on its mandate, FCAC’s supervision program is guided by the following four principles:
FCAC strives to be transparent by communicating its expectations, concerns and priorities to regulated entities and stakeholders. Transparency provides predictability for regulated entities and enables effective communication and understanding among other relevant stakeholders.
FCAC strives to identify emerging issues and market trends early as well as to proactively assess the market conduct risk of regulated entities to help foster sound market conduct.
FCAC allocates its resources in response to the level of market conduct risk presented by each regulated entity and takes enforcement action that is proportionate to the circumstances of the breach of market conduct obligations.
FCAC is accountable for the delivery of its mandate and the actions it undertakes.
3. Supervision process
3.1. Classification of regulated entities
In keeping with FCAC’s risk-based, outcome-driven approach, regulated entities are classified as either tier 1 or tier 2, depending on the level of market conduct risk that is present or inherent in their business activities. These classifications guide the nature and intensity of the Agency’s supervision of regulated entities.
Tier 1 regulated entities engage in business activities that inherently include market conduct risk. The nature of the products or services offered by tier 1 regulated entities requires compliance with market conduct obligations overseen by FCAC.
Tier 1 includes a wide range of regulated entities with different business models: FRFIs offering retail products and services to consumers; PCNOs whose participants offer payment services to merchants; and ECBs offering dispute resolution services to their member banks.
FCAC supervises tier 1 regulated entities proactively. The intensity of this supervision is based on the market conduct obligations applicable to the tier 1 regulated entity, the size of the regulated entity and the complexity of its business model. This information forms part of the regulated entity’s Market Conduct Profile (see subsection 5.1).
FCAC’s proactive supervision of tier 1 regulated entities varies in intensity proportionate to an entity’s inherent risks and their ability to effectively manage those risks.
Tier 2 includes regulated entities such as banks and trust companies that do not offer retail products and services or insurance companies that restrict their business to the sale of insurance.
Tier 2 regulated entities are supervised by FCAC because they are federally regulated entities. However, due to the nature of the products or services offered by tier 2 regulated entities, the market conduct obligations overseen by FCAC do not typically apply to their business model. These regulated entities engage in business activities that result in minimal risk of non-compliance with a federal market conduct obligation.
As a result, FCAC monitors tier 2 regulated entities less intensively than tier 1 regulated entities. FCAC will reclassify a tier 2 regulated entity if its business model expands into products or services that increase its market conduct risk with relevant market conduct obligations.
3.2. Pillars of supervision
FCAC employs a variety of oversight tools situated within three pillars of supervision, namely:
- promoting responsible market conduct;
- monitoring market conduct;
- enforcing market conduct obligations.
These pillars are meant to work together and should not be considered mutually exclusive. Often, supervisory activity in one pillar may prompt or inform activity in another. For example, as FCAC engages in activities to promote or monitor compliance, it may identify a need to investigate a potential breach.
Figure 1 outlines the supervisory tools most commonly associated with each pillar. This is displayed for illustrative purposes only. FCAC will select the tool(s) that it deems most appropriate for each individual circumstance, and in some cases, the same supervisory tool is applicable to activities in more than one pillar.
Unless otherwise noted, the tools listed below are used to supervise any and all market conduct obligations established by legislation, codes of conduct and public commitments. Each tool is described in the following three sections of this document.
FCAC’s principles and pillars of supervision are the core of its Supervision Framework – a comprehensive, flexible approach to achieving FCAC’s objectives.
Figure 1: Supervisory tools
Text version of Figure 1: Supervisory tools
- Engagement with Stakeholders
- Engagement with regulated entities
- Publication of Commissioner’s Decisions and Proceeding Summaries
- Market Conduct Profiles
- Mandatory Reporting
- Third-party intelligence
- Industry Reviews
- Special Audit
- Notices of Breach
- Action Plans
- Compliance Agreements
- Notices of ViolationFootnote 1
- Notices of Non-ComplianceFootnote 2
- Commissioner’s Decisions and Proceeding Summaries
- Commissioner’s Direction
- Court Enforcement
Enforcement action may be taken as a result of information obtained under any pillar.
Compliance is facilitated when obligations are clearly identified and widely understood by regulated entities and stakeholders. FCAC promotes responsible market conduct by communicating its expectations and interpretations, as needed, using various tools.
4.1. Engagement with stakeholders
FCAC builds understanding by engaging stakeholders. Venues for engagement include public consultations, round tables, speaking engagements and stakeholder surveys. FCAC engages with various consumer groups, other regulators, and international organizations to seek their perspectives on the regulatory environment, market trends and emerging issues that may be impacting financial consumers and supervisory priorities. FCAC may also publish case studies, newsletters, press releases and other material to promote responsible market conduct.
4.2. Engagement with regulated entities
FCAC regularly meets with senior officials of regulated entities to share priorities, build understanding and promote responsible market conduct. FCAC also engages regulated entities through formal and informal discussions and information-sharing on topics such as emerging trends and issues, plans and priorities, and supervision and compliance challenges. When topics require formal substantive discussion with industry, FCAC may put in place ad-hoc working groups.
Tier 1 regulated entities also benefit from proactive supervision whereby FCAC maintains on-going communication with each regulated entity (see subsection 5.1, Market Conduct Profiles).
To communicate its expectations and interpretations to the industry, FCAC issues three types of formal guidance, in addition to informal guidance that is provided through documents like this Supervision Framework, and presentations from FCAC employees. The three types of formal guidance are outlined below:
Guidelines establish practices that FCAC expects regulated entities to incorporate within their business operations. They are intended to assist regulated entities in complying with market conduct obligations stemming from legislation, regulations, codes of conduct and public commitments. The guideline development process includes public consultations.
Bulletins clarify FCAC’s position on different issues relating to compliance, including on the proper application or interpretation of the legislation, regulations, codes of conduct or guidelines. Bulletins are not generally issued to address entity specific circumstances and facts. Regulated entities are expected to consider the relevance of bulletins to their own particular circumstances and to take action as appropriate.
Rulings describe how FCAC applies or interprets provisions of legislation, regulations, codes of conduct, guidelines or bulletins under a particular fact situation presented by a regulated entity. Provided all the material facts have been submitted, are accurate, and remain substantially unchanged, a ruling is binding for that specific fact situation.
4.4. Publication of Commissioner’s Decisions and Proceeding Summaries
Commissioner’s Decisions and Proceeding SummariesFootnote 3 , which are published, inform FCAC’s supervisory program activities. The information also contributes to the protection of consumers and the public by promoting awareness pertaining to the conduct of regulated entities and the expected standards of conduct. At the same time, the information allows regulated entities to assess whether their own respective market conduct meets expectations and to take necessary steps to ensure compliance.
Monitoring the market conduct of regulated entities involves ongoing assessments of their levels of compliance. FCAC monitoring activities also include gathering and assessing information on current and emerging issues in the financial sector. Monitoring tools employed by FCAC are outlined below.
5.1. Market Conduct Profiles (tier 1 regulated entities only)
FCAC recognizes that business models differ substantially among the various types of tier 1 regulated entities. FCAC uses a defined and continuous process to gather information about each tier 1 regulated entity’s business model.
FCAC uses this information to differentiate tier 1 regulated entities based on each regulated entity’s inherent market conduct risks and ability to manage those risks. This process results in a risk profile for tier 1 regulated entities. A regulated entity’s Market Conduct Profile, which includes its risk rating, determines the intensity of FCAC’s supervision and helps FCAC allocate its resources accordingly.
FCAC examines regulated entities to determine compliance with applicable market conduct obligations. FCAC conducts examinations using a variety of tools described in this Supervision Framework, which determine the level of compliance as well as corrective measures.
FCAC may review documents (e.g. policies and procedures, training or disclosure documents, audit or board reports) and interview employees to assess compliance, including the effectiveness of controls put in place to mitigate compliance risks (e.g. risk management or compliance management processes).
Examinations may be conducted by way of:
- on-site examination, which FCAC conducts at the offices of the regulated entity;
- off-site examination, also known as a desk review, where the regulated entity provides the necessary documents for a review conducted at FCAC offices.
Following an examination, FCAC prepares an Examination Report detailing its findings. This report may include recommendations on how the regulated entity can mitigate compliance risks, address deficiencies and/or improve control processes. FCAC may engage with the regulated entity to establish a plan to address identified deficiencies. Regulated entities are expected to address deficiencies promptly and to inform FCAC of progress. Unsatisfactory corrective actions or measures can lead to enforcement action.
5.3. Mandatory reporting
Regulated entities must file specific information with FCAC within timeframes and formats prescribed by statute. This information includes complaint handling procedures, public accountability statements and notices of branch closure, all of which are reviewed to assess compliance. Failure to meet statutory filing requirements may lead to enforcement action.
Regulated entities are also required to submit additional information to FCAC, including aggregated complaints and compliance issues, updated statistics on specific lines of business, and responses to self-assessment questionnaires.
5.4. Third-party intelligence
Third parties such as consumers and merchants contribute to the monitoring process by, for example, participating in consultations or by filing complaints directly with the FCAC Consumer Services Centre. FCAC may initiate investigations based on information obtained from any source, including complaints, media coverage or information received from other regulators.
5.5. Industry reviews
Industry reviews are designed to gather information from multiple regulated entities or stakeholders on specific market conduct matters or on matters related to the financial services sector generally. These reviews serve to achieve one or more of the following objectives:
- to assess current or emerging issues on a specific topic or theme;
- to identify and examine industry practices or trends;
- to verify levels of compliance with market conduct obligations;
- to collect information for policy discussions.
Regulated entities participating in industry reviews are expected to comply with FCAC requests. Industry reviews may also identify compliance breaches that may lead to enforcement action. Following the conclusion of a review, FCAC may publish a summary and/or detailed findings of the industry review.
5.6. Special Audit
FCAC has the authority to direct that a special audit be conducted on a bank or authorized foreign bank if, in the opinion of the Commissioner, it is required for the purposes of administering the FCAC Act and the consumer provisions. A special audit is to be undertaken by a third party.Footnote 4
FCAC can require a bank or authorized foreign bank (collectively “bank”) to conduct a special audit in circumstances where, for example, specialized skills or expertise are needed to appropriately review an issue of compliance with the FCAC Act and the consumer provisions.
The bank will be notified in writing that a special audit is required. This notice will also outline the terms and conditions for the audit, including the firm to be appointed, if required. The audit report must be provided to FCAC, and the regulated entity will incur all expenses for the special audit.
Enforcement involves an investigation, which includes the assessment of possible breaches of market conduct obligations. Once an investigation is complete, the Agency will take appropriate action based on the findings of the investigation. Enforcement actions may take the form of Notices of Breach, Notices of Violation, Notices of Non-Compliance (for breaches of a code of conduct or public commitment), Action Plans, and Compliance Agreements. Figure 2 sets out the typical flow of enforcement activity.
Figure 2: Typical flow of enforcement activity
FCAC conducts an investigation to determine whether there are reasonable grounds to believe that a breach has occurred. Regulated entities must provide the information requested by FCAC by the date specified and in the form requested.Footnote 5 FCAC may compel the regulated entity to provide the information if the regulated entity fails to adequately respond to the request.Footnote 6
Once FCAC completes its investigation, in which the findings establish that there are reasonable grounds to believe a breach has occurred, FCAC’s enforcement response will be informed by relevant factors, that may include the following:
- the compliance record of the regulated entity;
- the degree of negligence or intent;
- the strength of internal controls;
- the risk of recurrence;
- the length of time taken to identify and correct the breach;
- the means through which the breach was identified;
- the degree of direct or indirect harm to consumers or merchants;
- the remediation plans and associated timeframes;
- the level of co-operation with FCAC (including whether the issue was self-reported).
6.2. Notices of Breach
Following an investigation that determines there are reasonable grounds to believe that a breach has occurred, FCAC may issue a Notice of Breach level 1, 2 or 3. These notices levels correspond to the severity of the breach as assessed over the course of the investigation, and may set out FCAC’s expectations, based on the findings of the investigation.
A level 1 Notice of Breach will be issued when the severity of the breach is assessed as low. Enhanced monitoring may be required of the regulated entity to return to compliance and/or meet its compliance obligations.
A level 2 Notice of Breach will be issued when the severity of the breach is assessed as elevated. Specific action may be required of the regulated entity to return to compliance and/or meet its compliance obligations.
A level 3 Notice of Breach will be issued when the severity of the breach is assessed as high. Upon receiving this Notice, FCAC’s expectation is that the concerns related to the breach are escalated within the regulated entity. This Notice signals that more significant enforcement measures may be taken and that in the normal course of action, FCAC will draft a Compliance Report.Footnote 7 A Compliance Report may lead to the issuance of a Notice of Violation (see subsection 6.5).
Instead of, or in addition to issuing any level of Notice of Breach, FCAC may require the regulated entity to enter into an Action Plan (see subsection 6.3) or a Compliance Agreement specifying compliance measures to be taken (see subsection 6.4).
6.3. Action Plans
An Action Plan details the corrective measures required to address a breach of a market conduct obligation, to prevent recurrence, and/or to implement any measure designed to ensure compliance with market conduct obligations.
FCAC works with the regulated entities to establish the terms and timeframes of an Action Plan. Regulated entities will be required to provide FCAC with regular updates throughout the duration of the Action Plan. Once all actions have been completed to FCAC’s satisfaction, the regulated entity will provide a full report.
6.4. Compliance Agreements
A Compliance Agreement is a written agreement between FCAC and the regulated entity, detailing, for example, the corrective measures required to address breaches of market conduct obligations, to prevent recurrence of breaches, and/or to implement any measures designed to further compliance with market conduct obligations. FCAC works with regulated entities to establish terms and timeframes of a Compliance Agreement. Regulated entities will be required to provide FCAC with regular updates throughout the duration of the Compliance Agreement, followed by a full report once all actions have been completed to FCAC’s satisfaction.
Breaching a Compliance Agreement may result in a Notice of Violation.Footnote 8
6.5. Notices of Violation
FCAC may issue a Notice of Violation when there are reasonable grounds to believe that a regulated entity, be it a natural person or body corporate, has breached a legal obligation, also known as a consumer provision,Footnote 9 or when a regulated entity has breached a Compliance Agreement. Violation proceedings may not be commenced later than two years after the date that FCAC has sufficient information on the subject matter upon which a Notice of Violation may be issued.Footnote 10
A Notice of Violation specifies the nature of the violation(s), the name of the person or the regulated entity, be it a natural person or body corporate, who committed the violation, and any proposed administrative monetary penalty (AMP). It also describes the person’s right to make representations in respect of this matter by indicating whether the violation is subject to the FCAC Act either as it read immediately before April 30, 2020 or thereafter. A Notice of Violation also outlines the options the regulated entity has in relation to paying the AMP or making representations to the Commissioner within 30 days.
The Guidelines for Adjudicative Process set out the process that applies following the issuance of a Notice of Violation and provide information on the process for publishing Commissioner’s Decisions and proceedings summaries.Footnote 11
Administrative monetary penalties (AMP): The maximum AMP per violation is $1,000,000 for a natural person and $10,000,000 for entities.Footnote 12 AMPs are payable to the Receiver General for Canada and not to FCAC.Footnote 13 An unpaid AMP is a debt due to Her Majesty in right of Canada and may be recovered as such in Federal Court.Footnote 14
The AMP amount is determined by taking into consideration the following factors:
- the harm done by the violation;
- the degree of intention or negligence on the part of the person who committed the violation;
- the duration of the violation;
- the regulated entity’s history of violations within the five years preceding the violation;
- the ability of the person who committed the violation to pay the penalty.Footnote 15
Administrative monetary penalties (AMPs) are imposed to:
- promote industry compliance with legislative obligations and compliance agreements, not to punish;
- promote the protection of financial consumers and merchants;
- to deter non-compliance with market conduct obligations.
6.6. Notices of Non-Compliance
FCAC may issue a Notice of Non-Compliance when an investigation determines there are reasonable grounds to believe that a regulated entity is in breach of its obligations under a code of conduct or public commitment. A Notice of Non-Compliance specifies the nature of the breach, but no AMP applies to it, nor does the Commissioner have authority to make public the name of the regulated entity. A Notice of Non-Compliance is subject to the process set out in the Guidelines for Adjudicative Process, with necessary adjustments.
6.7 Commissioner’s Decisions and Proceeding Summaries
Commissioner’s Decisions and Proceeding Summaries complete the action that begins with the issuance of a Notice of Violation or a Notice of Non-Compliance. As outlined in the Guidelines for Adjudicative Process, Commissioner’s Decisions and Proceeding Summaries are publishedFootnote 16 to provide transparency to the public of the violation(s) or breach(es) committed by the regulated entity.
6.8 Commissioner’s Direction
FCAC may use a Commissioner’s Direction or temporary Direction to prompt action from a regulated entity to, for example, prevent harm to consumers. The Bank ActFootnote 17 provides the FCAC Commissioner with the authority to direct a bank or, authorized foreign bank to comply with a compliance agreement or a consumer provision and to perform any act that in the opinion of the Commissioner is necessary to do so.
The regulated entity receiving a Commissioner’s Direction will be given the opportunity to provide representations as to why it may not be required or appropriate in respect of the matter.
6.9. Court Enforcement
The Commissioner can apply to a court for an order requiring a bank or an authorized foreign bank to comply with their obligations. This is in addition to and separate from any other enforcement tools or actions referenced above.
7. How to contact FCAC
FCAC welcomes inquiries and feedback from regulated entities and other stakeholders. Tier 1 regulated entities should contact their assigned FCAC Senior Officers directly. For all other inquiries or feedback, FCAC can be contacted by email, mail, fax or telephone.
For services in English: 1-866-461-FCAC (3222)
For services in French: 1-866-461-ACFC (2232)
For calls from the Ottawa area or from outside Canada: 613-960-4666
*Information officers are available Monday to Friday, from 8:30 a.m. to 5:00 p.m. (Eastern Time).
Teletypewriter (TTY): 1-866-914-6097 / 613-947-7771
Fax: 1-866-814-2224 / 613-941-1436
Financial Consumer Agency of Canada
427 Laurier Avenue West, 6th Floor
Ottawa ON, K1R 1B9
Report a problem or mistake on this page
- Date modified: