Supervision Framework  

From: Financial Consumer Agency of Canada

Version in effect

The Supervision Framework came into effect on October 1, 2018. It was updated on February 26, 2020. The Compliance Framework is no longer in effect.


A stable financial sector benefits all Canadians. This stability rests in part on public confidence in the financial institutions that provide Canadians with products and services. To maintain this public trust, robust and effective consumer protection is vital.

The mandate of the Financial Consumer Agency of Canada (FCAC) includes supervising federally regulated financial institutions, payment card network operators and external complaint bodies (regulated entities). FCAC has further advanced its regulatory approach to be proactive, transparent, proportionate and accountable by being open-minded, forward-thinking and clear about its expectations for the entities it regulates.

I am pleased to present this Supervision Framework. This document illustrates FCAC’s vision for robust and effective oversight to ensure Canadians continue to benefit from the financial consumer protection framework put in place by the Government of Canada. It summarizes FCAC’s legislative mandate as well as its supervisory roles and responsibilities. It describes the entities that FCAC regulates, their obligations and the roles of various other stakeholders. Finally, this document explains the activities and tools that FCAC leverages to fulfill its supervisory mandate.

The Supervision Framework updates and replaces FCAC’s Compliance Framework. Although the core activities governing its supervisory approach remain consistent, FCAC has incorporated numerous enhancements and this document provides a clearer overview of that approach.

The Supervision Framework is not a stand-alone initiative. For example, internal FCAC processes and functions will need to be redesigned to support the core components of the modernized framework. The framework, and the underlying initiatives that will be undertaken to support it, will be phased in over time. FCAC will commence the rollout of the new Supervision Framework in 2018.  

The Supervision Framework reflects the following key concepts:

  • The prevention of breaches of market conduct obligations is the foundation of the framework. Regulated entities are responsible for understanding and working proactively to meet their obligations to financial consumers.
  • Regulated entities must proactively identify, address and monitor risks and keep FCAC updated on their particular risks and controls.
  • FCAC is increasingly proactive in its efforts to understand emerging risks before they impact consumers, and in communicating guidance and other information.
  • FCAC continuously evaluates and improves its supervisory and enforcement processes in order to remain efficient and effective.

While this Supervision Framework provides a deeper understanding of how FCAC fulfills its mandate to protect financial consumers, it is neither a comprehensive guide nor a binding statement on how FCAC will proceed in specific matters. FCAC will apply discretion appropriate to each case.

Lucie M. A. Tedesco
FCAC Commissioner

1. Introduction

This Supervision Framework describes the principles and processes applied by the Financial Consumer Agency of Canada (“FCAC”) to supervise federally regulated entities and ensure that financial consumers and merchants continue to benefit from the applicable protections.

1.1. Financial Consumer Agency of Canada

FCAC plays a key role in financial consumer protection by supervising federally regulated entities, educating financial consumers about their rights and responsibilities, and strengthening financial literacy among Canadians. It derives its mandate from the Financial Consumer Agency of Canada Act (FCAC Act).

FCAC is led by a Commissioner who reports annually to Parliament through the Minister of Finance. The FCAC Supervision and Promotion Branch pursues its supervisory objectives through the activities of its three divisions: the Supervision Division, Enforcement Division and the Promotion and Policy Division.

The FCAC Act sets out the following objects for supervision:

  • to supervise regulated entities and determine whether they are complying with legislative obligations, voluntary codes of conduct and public commitments that are overseen by FCAC (collectively, “market conduct” or “market conduct obligations”)
  • to promote the adoption by regulated entities of policies and procedures designed to implement their market conduct obligations
  • to monitor and evaluate trends and emerging issues that may have an impact on financial consumers, and to collaborate with other government agencies, regulators and stakeholders to foster an understanding of financial services and related issues

Specifically, FCAC oversees regulated entities’ compliance under the following federal legislation:

While supervision fosters compliance, regulated entities remain fully responsible for fulfilling their market conduct obligations.

1.2. Regulated entities

FCAC supervises the market conduct of the following types of federally regulated entities (collectively, “regulated entities”):

  • federally regulated financial institutions (FRFIs) include banks as well as federally regulated credit unions, insurance companies, trust and loan companies, and retail associations.
  • external complaints bodies (ECBs) are independent organizations approved under the Bank Act to handle escalated consumer complaints related to products and services offered by their member banks. Every bank or federal credit union must be a member of an ECB.
  • payment card network operators (PCNOs) operate or manage payment card networks by establishing standards and procedures for the acceptance, transmission or processing of payment transactions and by facilitating the electronic transfer of information and funds. PCNOs establish rules and controls that govern the participants of the credit and debit card networks.

FCAC expects a regulated entity’s directors and officers to manage, or supervise the management of, the adoption of business practices, governance and independent oversight functions targeted to achieve compliance with the entity’s market conduct obligations.

Regulated entities are also expected to proactively report to FCAC any material developments that could change their market conduct risk.

2. Guiding principles

FCAC’s supervisory activities and decisions are driven by its mandate and guided by the following four principles.

2.1. Transparency

Transparency provides predictability for regulated entities and enables effective collaboration among stakeholders. FCAC achieves transparency by communicating its expectations, concerns and priorities clearly, early and often.

2.2. Proactivity

FCAC strives to identify emerging issues and market trends early. It intervenes swiftly to foster sound market conduct.

2.3. Proportionality

FCAC allocates its resources proportionally to the level of market conduct risk presented by each regulated entity, and takes enforcement action that is proportionate to the circumstances of the breach.

2.4. Accountability

FCAC is accountable for the delivery of its mandate and the actions that ensue. It conducts its supervisory activities in a consistent, timely and professional manner and adheres to established service standards.

3. Supervision process

3.1. Classification of entities

In keeping with FCAC’s risk-based approach, regulated entities are classified as either tier 1 or tier 2, depending on the level of market conduct risk[Footnote 1] that is present or inherent in their business activities. These classifications guide the nature and intensity of the Agency’s supervision of regulated entities.

Tier 1

Tier 1 regulated entities engage in business activities that inherently include market conduct risk. The nature of the products or services offered by tier 1 entities requires compliance with market conduct obligations overseen by FCAC.

Tier 1 includes a wide range of regulated entities with different business models: FRFIs offering retail products and services to consumers; PCNOs whose participants offer payment services to merchants; and ECBs offering dispute resolution services to their member banks.

FCAC supervises tier 1 entities proactively and assigns each entity an FCAC Senior Officer as their liaison with the Agency. The intensity of proactive supervision is influenced by the market conduct obligations applicable to the tier 1 entity, the size of the entity and the complexity of its business model. This information forms part of the entity’s Market Conduct Profile (see subsection 5.1).

FCAC’s proactive supervision of tier 1 entities varies in intensity proportionate to an entity’s inherent risks and their ability to effectively manage those risks.

Tier 2

Tier 2 includes regulated entities such as banks and trust companies that do not offer retail products and services or insurance companies that restrict their business to the sale of insurance.

Tier 2 regulated entities are supervised by FCAC because they are federally regulated entities. However, due to the nature of the products or services offered by tier 2 entities, the market conduct obligations overseen by FCAC do not typically apply to their business model. These entities engage in business activities that result in minimal risk of breaching a federal market conduct obligation.

As a result, FCAC monitors tier 2 regulated entities significantly less intensively than tier 1 regulated entities. FCAC will reclassify a tier 2 regulated entity if its business model expands into products or services that increase its federal market conduct risk.

3.2. Pillars of supervision

FCAC employs a variety of oversight tools that broadly support three pillars of supervision, namely:

These pillars are meant to work together and should not be considered mutually exclusive: action in one pillar may prompt or inform action in another. For example, as FCAC engages in activities to promote or monitor compliance, it may identify a need to investigate a potential breach.

Figure 1 outlines the tools most commonly associated with each pillar. This is displayed for illustration purposes only and is not meant to limit the actions of FCAC. FCAC will select the tool(s) that it deems most appropriate for each individual circumstance. In some situations, the same tool may be used to support more than one pillar of supervision.

Unless otherwise noted, the tools listed below are used to supervise any market conduct obligations, i.e., legislative, voluntary codes of conduct or public commitments. Each tool is described in the following three sections of this document.

FCAC’s guiding principles and pillars of supervision are the core of its Supervision Framework—a comprehensive, flexible approach to achieving FCAC’s objectives.

Figure 1: Tools of supervision


Promoting responsible market conduct

  • FCAC Decisions
  • FCAC Guidelines
  • FCAC Rulings
  • Engagement with regulated entities
  • Engagement with stakeholders

Monitoring market conduct

  • Market Conduct Profiles
  • Examinations
  • Mandatory reporting
  • Third-party intelligence
  • Industry reviews

Enforcing market conduct obligations

  • Investigations
  • Notices of Breach
  • Action Plans
  • Compliance Agreements
  • Notices of Violation[Footnote 2]
  • Notices of Non-Compliance[Footnote 3]

Enforcement action may be taken as a result of information obtained under any pillar.

4. Promoting

Compliance is facilitated when obligations are clearly identified and widely understood by regulated entities and stakeholders. FCAC promotes responsible market conduct by communicating its expectations and interpretations, early and often, using various tools.

4.1. FCAC Decisions

FCAC Decisions provide information about Notices of Violation and Notices of Decision (for breaches of legislation/regulation) or Notices of Non-Compliance (for breaches of voluntary codes or public commitments). Publishing FCAC Decisions promotes awareness about the conduct of regulated entities and allows regulated entities to review their own market conduct and take necessary action to ensure compliance.  

4.2. FCAC Guidelines

FCAC Guidelines set out the manner in which regulated entities are expected to comply with their market conduct obligations. Developed following consultation with stakeholders, Guidelines set broad industry standards and establish prudent practices that FCAC expects regulated entities to incorporate into their business operations.

4.3. FCAC Rulings

FCAC Rulings provide FCAC’s views on the applicability of a market conduct obligation to a conduct or practice.  FCAC Rulings may be issued following a request by a regulated entity or may be proactively issued to assist regulated entities in the interpretation of their market conduct obligations.

When a regulated entity formally requests a Ruling, the Ruling issued by FCAC is binding for that particular situation provided all material facts were presented accurately, remain substantially unchanged and the conduct or practice is carried out as proposed. Although Rulings apply to a particular case and its specific circumstances, publishing information about the Ruling provides direction to entities whose situations are substantially similar.

FCAC may also proactively issue an FCAC Ruling to promote responsible market conduct and provide direction to regulated entities.  Rulings issued proactively do not restrict FCAC in its approach to specific cases.  

4.4. Engagement with regulated entities

FCAC regularly meets with senior officials of regulated entities to share priorities, build trust and promote responsible market conduct. FCAC also engages the entities through annual Industry Sessions, which present opportunities for open discussions and information sharing on topics such as emerging trends and issues, plans and priorities, and supervision and compliance challenges.

Tier 1 entities also benefit from proactive supervision whereby FCAC maintains on-going communication with each entity. (See Market Conduct Profile subsection 5.1).

4.5. Engagement with stakeholders

FCAC builds understanding and trust by engaging stakeholders to assist in the execution of its mandate. Venues for engagement include public consultations, round tables, speaking engagements and stakeholder surveys. FCAC engages with various consumer groups to seek their perspectives on the regulatory environment, market trends and emerging issues that may be impacting Canadians. FCAC may also publish hypothetical case studies, newsletters, press releases and other material to promote responsible market conduct.

5. Monitoring

Monitoring the market conduct of regulated entities involves ongoing assessments of their levels of compliance. FCAC monitoring activities also include gathering and assessing information on current and emerging issues in the financial sector. Monitoring tools employed by FCAC are outlined below.

5.1. Market Conduct Profiles (tier 1 regulated entities only)

FCAC recognizes that business models differ substantially among the various types of tier 1 regulated entities. FCAC uses a defined and continuous process to gather information about each institution’s business model and maintains a risk profile for each tier 1 regulated entity.

FCAC uses this information to differentiate tier 1 entities based on each entity’s inherent market conduct risks and ability to manage those risks. This process results in a Market Conduct Profile for each tier 1 entity. The regulated entity’s Market Conduct Profile determines the intensity of FCAC’s supervision and helps FCAC direct its resources. The intensity of supervision varies among tier 1 entities.

This process has three stages:

Planning: FCAC Senior Officers devise annual supervision plans for each tier 1 regulated entity assigned to them. Supervision plans may also set out activities to be considered in the future.

Execution: In preparing Market Conduct Profiles, FCAC focusses on the following factors:

  • business model and its inherent market conduct risks
  • how the regulated entity manages risk and complies with market conduct obligations (e.g. the effectiveness of oversight functions, including compliance, risk management, internal audit, senior management and board of directors, as applicable)
  • planned growth or changes in business model
  • history of investigations and breaches
  • trends or issues identified through ongoing monitoring
  • compliance culture
  • willingness and ability to comply with market conduct obligations and to proactively mitigate risks

Reporting: FCAC Senior Officers update the Market Conduct Profiles of tier 1 regulated entities based on information gathered during the execution stage. Profiles are shared individually or in aggregate with FCAC senior management and are used to determine priorities for subsequent years.

Figure 2: The Market Conduct Profile cycle

The Market Conduct Profile cycle as described in section 5.1: plan, execute, report

5.2. Examinations

Examinations are conducted to satisfy FCAC that a specific regulated entity complies with its market conduct obligations. More specifically, information obtained as a result of an examination is used to update a regulated entity’s Market Conduct Profile, to determine its level of compliance with market conduct obligations, or to follow up on corrective measures.

FCAC may review documents (e.g., policies and procedures, training or disclosure documents, audit or board reports) and interview employees to assess topics including the effectiveness of controls put in place to mitigate compliance risks (e.g. risk management or compliance management processes).

Examinations may be conducted by way of:

  • on-site examination, which FCAC conducts at the offices of the regulated entity
  • off-site examination, also known as a desk review, where the regulated entity provides the necessary documents for a review conducted at FCAC offices

Following an examination, FCAC prepares an Examination Report detailing its findings. This report may include recommendations on how the regulated entity can mitigate compliance risks, address deficiencies or improve control processes. FCAC may engage with the entity to establish a plan to address identified deficiencies. Regulated entities are expected to address deficiencies promptly and to inform FCAC of their progress. Unsatisfactory corrective measures can lead to enforcement action.

FCAC is required to examine each regulated entity annually to determine whether they are complying with applicable market conduct obligations.[Footnote 4] FCAC conducts annual examinations using a variety of tools described in this Supervision Framework, and reports to the Minister of Finance upon completion.

5.3. Mandatory reporting

Regulated entities must file specific information with FCAC within timeframes and formats prescribed by statute. This information includes complaint handling procedures, public accountability statements and notices of branch closure, all of which are reviewed to ensure compliance. Failure to meet statutory filing requirements may lead to enforcement action.

FCAC requires regulated entities to submit additional information, in accordance with FCAC’s mandate, including aggregated complaints and compliance issues, updated statistics on specific lines of business, and responses to self-assessment questionnaires.

5.4. Third-party intelligence

Third parties such as consumers and merchants contribute to the monitoring process by participating in consultations or by filing complaints directly with the FCAC Consumer Services Centre. FCAC may initiate investigations based on information obtained from any source, including complaints, media coverage or information received from other regulators.

5.5. Industry reviews

Industry reviews are designed to gather information from multiple regulated entities or stakeholders on specific market conduct matters and on matters related to the financial services sector generally. These reviews serve to achieve any of the following objectives:

  • to assess current or emerging issues on a specific topic or theme
  • to identify and examine industry practices or trends
  • to verify levels of compliance with market conduct obligations
  • to collect information for policy discussions

Regulated entities participating in industry reviews are expected to comply with FCAC requests. Information from these reviews may be used to provide guidance, establish best practices or inform policy makers. Industry reviews may also identify compliance breaches that will lead to enforcement action.

6. Enforcing

Enforcement begins with an investigation, which includes the assessment of potential breaches of market conduct obligations that come to FCAC’s attention. Once an investigation is complete, the Agency responds with the appropriate tool(s) to ensure compliance and deter future breaches. Figure 3 sets out the typical flow of enforcement activity.

Figure 3: Typical flow of enforcement activity

Typical flow of enforcement activity as described in sections 6.1 to 6.6.

6.1. Investigations

FCAC conducts an investigation when it requires additional information to substantiate the breach. Entities must provide the information requested by FCAC by the date and in the form requested.[Footnote 5] FCAC may compel the regulated entity to provide the information if the entity fails to do so.[Footnote 6]

Once FCAC completes its investigation, its response to the breach is informed by factors such as:

  • compliance record of the regulated entity (including all breaches, Action Plans or Compliance Agreements)
  • degree of negligence or intent
  • strength of internal controls
  • risk of recurrence
  • length of time taken to identify and correct the breach
  • means through which the breach was identified
  • degree of direct or indirect harm to consumers or merchants
  • remediation plans and associated timeframes
  • level of co-operation with FCAC (including whether the issue was self-reported)
  • FCAC or government priorities

6.2. Notices of Breach

Following an investigation, FCAC may issue a Notice of Breach level 1, 2 or 3. These notices reflect the severity of the breach as assessed over the course of the investigation. They also set out FCAC’s expectations of the regulated entity, resulting from the investigation.

A level 1 Notice of Breach may be issued when the severity of the breach is assessed as low. Enhanced monitoring may be required of the regulated entity, to return to compliance and/or to ensure future compliance.

A level 2 Notice of Breach may be issued when the severity of the breach is assessed as elevated. Specific action may be required of the regulated entity, to return to compliance and/or to ensure future compliance.

A level 3 Notice of Breach may be issued when the severity of the breach is assessed as high. This Notice signals to the regulated entity that more significant enforcement measures may be taken by FCAC, and that there is a need to escalate concerns related to the breach within the regulated entity. Upon completion of the investigation FCAC will likely draft a Compliance Report[Footnote 7] which may lead to the issuance of a Notice of Violation (see subsection 6.5).

In addition to issuing any level of Notice of Breach, FCAC may require the regulated entity to enter into an Action Plan (see subsection 6.3) or a Compliance Agreement specifying corrective measures to be taken (see subsection 6.4).

6.3. Action Plans

An Action Plan details the corrective measures required to address a breach of a market conduct obligation, to prevent recurrence, or to implement any measure designed to further compliance with market conduct obligations.  

FCAC works with the regulated entities to establish the terms and timeframes of an Action Plan. Regulated entities will be required to provide FCAC with regular updates throughout the duration of the Action Plan, followed by a full report once all actions have been completed to FCAC’s satisfaction.

6.4. Compliance Agreements

A Compliance Agreement is a written agreement between the FCAC and the regulated entity, detailing the corrective measures required to address breaches of market conduct obligations, to prevent recurrence of breaches, or to implement any measures designed to further compliance with market conduct obligations. FCAC works with regulated entities to establish terms and timeframes. Regulated entities will be required to provide FCAC with regular updates throughout the duration of the Compliance Agreement, followed by a full report once all actions have been completed to FCAC’s satisfaction. Breaching a Compliance Agreement may result in a Notice of Violation.[Footnote 8]

6.5. Notices of Violation

FCAC may issue a Notice of Violation when there are reasonable grounds to believe that a regulated entity has breached a legislative obligation, also known as a consumer provision,[Footnote 9] or when a regulated entity breached a Compliance Agreement. Violation proceedings may not be commenced later than two years after the date that FCAC has sufficient information on the subject matter upon which a Notice of Violation may be issued.[Footnote 10]

A Notice of Violation specifies the name of the regulated entity, the nature of the violation(s), and any proposed administrative monetary penalty (AMP).[Footnote 11]

Upon being served with a Notice of Violation, a regulated entity has the option of paying the AMP, making representations to the Commissioner with respect to the violation within 30 days, or doing nothing.

A regulated entity that pays the AMP or does nothing is deemed to have committed the violation[Footnote 12] and the Commissioner may make public the nature of the violation, the name of the person who committed it, and the amount of the penalty imposed.[Footnote 13]

The Adjudicative Guidelines set out the Commissioner’s adjudicative process following the issuance of a Notice of Violation.[Footnote 14] These Guidelines also provide information as to how decisions are published.

Administrative monetary penalties (AMP): The maximum AMP per violation is $50,000 for a natural person and $500,000 for all other persons, including regulated entities.[Footnote 15] AMPs are payable to the Receiver General for Canada.[Footnote 16] An unpaid AMP is a debt due to Her Majesty in right of Canada and may be recovered as such in Federal Court.[Footnote 17]

The AMP amount is determined taking into account the following criteria,[Footnote 18] applied with regard to the overall purpose of the FCAC Act:

  • Degree of intent or negligence: FCAC considers factors such as the type and severity of the breach; whether it is isolated or recurring; whether there was a wrongful purpose on the part of the entity; the overall profile of the entity, including its size and the complexity of its business; the quality of its internal controls; and its commitment to ensuring compliance generally.
  • Harm done by the violation: FCAC considers factors such as direct financial loss to consumers; consumers’ inability to make informed decisions due to a lack of information or information that is unclear or misleading; how that harm impacted consumers, the public and the federally regulated financial sector; and the nature and number of consumers affected.
  • Compliance history: FCAC considers the violations or convictions committed by the regulated entity in the previous five years.

Publication: The Commissioner has the discretion to make public the nature of a violation, the name of the regulated entity, and the amount of any AMP.[Footnote 19] FCAC always publishes the nature of the violation and the AMP by issuing an FCAC Decision. In exercising the legislated discretion to also name an entity, the Commissioner considers factors such as:

  • promoting consumer awareness
  • promoting compliance among regulated entities
  • the egregiousness of the entity’s actions or inactions
  • the entity’s willingness to assume responsibility for the violation
  • the degree of collaboration shown throughout the investigative process
  • the impact of the violation on consumers and consumer confidence
  • deterrence

6.6. Notices of Non-Compliance

FCAC may issue a Notice of Non-Compliance when an investigation reveals that a regulated entity is in breach of its obligations under a voluntary code of conduct or public commitment. A Notice of Non-Compliance specifies the nature of the breach. The Adjudicative Guidelines do not apply to Notices of Non-Compliance but a similar process will be applied.

Representations: The regulated entity may make representations to the Commissioner within 30 calendar days of being served with a Notice of Non-Compliance. Representations are written statements setting out the entity’s position on the Notice of Non-Compliance and must be submitted in accordance with instructions given in the Notice. The Commissioner may request additional information as needed. If a regulated entity chooses not to make representations, it is deemed to have breached the provision of the applicable voluntary code of conduct or public commitment. In such cases, the Notice of Non-Compliance stands and is noted in the entity’s compliance record.

Notices of Decision: If representations are made, the Commissioner reviews them along with the Compliance Report and decides, on a balance of probabilities, whether a breach has occurred. The Commissioner’s decision is communicated by way of Notice of Decision, which includes the Reasons for Decision. The Reasons for Decision provide the facts and rationale in support of the Commissioner’s decision.

Publication: When it is determined that a regulated entity is in breach of its obligations under a voluntary code of conduct or public commitment, FCAC will make public the nature of the breach through an FCAC Decision. Redactions of Decisions may be made by the Commissioner by omitting or replacing text to protect identifying information, confidential business information or personal information. Notices of Decision are published in both official languages.

7. How to contact FCAC

FCAC welcomes inquiries and feedback from regulated entities and other stakeholders. Tier 1 regulated entities should contact their assigned FCAC Senior Officers directly. For all other inquiries or feedback, FCAC can be contacted by email, mail, fax or telephone.



For services in English: 1-866-461-FCAC (3222)

For services in French: 1-866-461-ACFC (2232)

For calls from the Ottawa area or from outside Canada: 613-960-4666

*Information officers are available Monday to Friday, 8:30 a.m.–5:00 p.m. (Eastern Time)

Teletypewriter (TTY): 1-866-914-6097 / 613-947-7771

Fax: 1-866-814-2224 / 613-941-1436

Mailing Address:

Financial Consumer Agency of Canada
427 Laurier Avenue West, 6th Floor
Ottawa ON K1R 1B9
