Audit of regulatory approvals
1. Background
1.1 Overview
The Bank Act, Trust and Loan Companies Act, Insurance Companies Act, and Cooperative Credit Associations Act all require federally regulated financial institutions (FRFIs) to seek regulatory approval from the Superintendent or the Minister of Finance before engaging in certain transactions or business undertakings, such as acquisitions of other entities and amalgamations. The statutes also provide for the establishment of new FRFIs (e.g., incorporation, continuance, and Canadian branches).
Some approval services also require the payment of various administration fees, which are subject to service standards according to the Service Fees Act. OSFI reports annually on the details of each fee and its performance related to these service standards.
The Approvals Division manages all regulatory approval processes at OSFI, which include analyzing requests, providing guidance to applicants, and making recommendations to the Superintendent and the Minister of Finance. The team is also responsible for liaising with OSFI stakeholders and, on Ministerial approvals, the Department of Finance. The Approvals Division also administers the application of OSFI’s legislative intervention tools and provides advice on the use of these tools. Supervision is a key internal party to the approvals process as they are required to be consulted on many applications and provide recommendations.
Internal approval processes and workflows are supported by the Case Management System (CMS), a custom-built software implemented in 2002. Due to its age, CMS is currently classified as being at an ‘end-of-life’ stage, making it ineligible for upgrades. As a result, the system does not have the functionality to support data extraction and reporting needs, which limits its usability by the Approvals Division, as well as its alignment with OSFI’s data modernization objectives. At the time of the audit, a system renewal project to implement a new software solution was underway, with an estimated completion date of April 2025.
1.2 Why We Did This Audit
The Approvals Division plays a key role as OSFI’s first point of contact for matters involving legislative approvals, including interaction with new and emerging areas of the financial services industry. Recent examples include navigating non-traditional new entrants (e.g. digital currency portfolios), and integrating OSFI’s expanded mandate to establish requirements for FRFIs to have policies and procedures to protect themselves against threats to their integrity and security. Consequently, the Approvals Division must have processes that are modern and adaptable to the changing environment, while still delivering traditional regulatory approvals.
With the degree of change and limited audit coverage over the past five years, this audit aims to provide assurance on the effectiveness of current processes and systems and provide valuable feedback on control design and operating effectiveness, service standard reporting and file documentation.
Additionally, with the new system renewal underway at the time of the audit, Internal Audit (IA) leveraged the assurance work to provide insights into the new system development to ensure system controls are designed effectively.
1.3 Previous Audit Engagements
The Internal Audit group has previously conducted audits of the Approvals and Precedents Group (2017) and the Legislative and Regulatory Approvals Process (2008). Recommendations issued as part of those audits focused on enhancing controls around information security, performing a periodic review of service standards, conducting a review of the Approvals framework of external guidance and further improvements in quality assurance. All recommendations have since been closed.
2. Summary of audit results and findings
2.1 Overview of Results
The Internal Audit team recognizes that the Approvals Division is in the early stages of developing a new CMS and that it acknowledges the shortcomings and impacts of the current system on the effectiveness of the application process.
As the new system is being developed but not anticipated to be implemented until 2025, IA’s findings are focused on elements to improve controls and processes for the new system. Key findings include improvements to:
- The tracking of application processing times;
- Enhancing guidance around key milestones for service standards; and
- Updating policies, procedures, and guidelines.
2.2 Management Response
The Approvals Division would like to thank the audit team for its work, collaboration, and the professionalism it displayed in conducting its audit.
The division is committed to continually improving its processes, procedures and standards, and the audit team’s work will be leveraged in support of these ongoing efforts.
Management agrees with the findings and two recommendations contained within this report, and has identified Management Action Plans with associated timelines for each recommendation as outlined in the relevant sections.
3. Key findings
3.1 Tracking Processing Times and Monitoring Service Standards
As per the OSFI Act, OSFI currently provides both fees-based approvals services as well as approvals services with no cost to the applicant. Fees-based approval services include processing certain non-FRFI applications, such as establishing a new FRFI, and other activities such as providing copies of corporate documents or written interpretations, with fees ranging from under $200 to $38,000. While these fees represent less than 1% of OSFI’s total revenues, the OSFI Act and the Service Fees Act outline a number of obligations related to these services, including establishing service standards and a refund policy if those standards aren’t met.
OSFI also has service standards for services not subject to fees, which are published on its website for applicant reference. These include most approvals such as share issuances, acquisitions of other entities, and approvals of amendments to incorporating instruments.
Timely regulatory approvals for federally regulated financial institutions are also a program result indicator for the Government of Canada Departmental Results Framework (DRF). OSFI publicly reports annually on the percentage of completed applications that are processed within established standards as part of the DRF.
As per the established process, applications are received through email and applicants receive an Acknowledgement of Filing signaling that their application has been received by the Approvals Division. If the application is incomplete, a deficiency letter is issued outlining the information outstanding. The service standard clock is deemed to begin when all required information to support an application has been received. An Application Receipt effective this date is then issued. The last day of the process is deemed to be, as applicable:
- When the recommendation is sent to the Minister to approve or deny an application (for ministerial approvals only);
- When the Superintendent approves or denies the request; or
- When the requester withdraws or places the request on hold.
OSFI provides over 50 types of application services which vary greatly in nature, as well as in the level of effort needed to complete each service. A case officer and an approvals manager are assigned for each application received. To process the applications, the assigned case officer will conduct a comprehensive review of the case, consulting with Supervision when their review is required, or with other specialist groups within OSFI, as needed. The review process is often iterative in nature, with OSFI making requests for additional or missing application information to support its review, and the applicant responding. The number of such iterations is generally correlated with the complexity of the application. Case officers update applicants throughout the process on its status and once the assessment is completed, the applicant is notified of the decision.
Accurate and consistent issuances of application receipts are necessary to promote transparency, adhere to service standards, and to be able to monitor whether the service standards are appropriate. Accurate tracking of application processing times beginning from submission of the applications is necessary to promote transparency and to inform process efficiency and enable effective resource utilization. Without accurate processing time estimates for applications, it is not possible to assess whether resource allocations are appropriate.
Audit’s Gold Stars
- Applicants consistently received an acknowledgement of filing letter, which is sent within one to two business days after submission to notify them that the application was submitted successfully.
- Case officers had ongoing communication with the applicants during the time between the Acknowledgement of Filing and the Application Receipt letter, keeping them apprised of file status.
What We Found
We found that some of the key milestones associated with the application process (listed above) are not consistently implemented and that there are gaps in how supporting documents and records are managed. As a result, the Approvals Division’s ability to monitor service standards is hindered.
The audit also found that processing times were not reliably being tracked. Specifically, we found that the processes relating to both service standards and processing times had gaps, including:
Service Standards
- The standards have not been reviewed and updated since 2005 and may not be appropriate.
- Application Receipts are not consistently retained in eSpace as per the established process, therefore it is difficult to confirm the accuracy of reported processing times against service standards for those applications.
- Application Receipts are not issued in a consistent manner. Interviews with case officers and Approval managers indicated that there is not a clear understanding of when the Application Receipt should be issued and that in some cases, the issuance of the Application Receipt could be unnecessarily delayed.
OSFI reported that service standards subject to a fee were met 99% of the time during the scope period of the audit but given the inconsistent tracking of Application Receipts, it is unclear if the service standards reporting is accurate. Given the weaknesses listed previously, assessing whether current standards are reasonable and achievable is challenging.
Processing Times
- Processing times do not establish expectations for all parties involved in the process, such as Supervision. As a result, it is not always possible to track the source of processing delays or hold other parties accountable for their processing time.
- There are no mechanisms to accurately track overall application processing times from submission to end, nor are there established internal benchmarks for monitoring performance.
- CMS does not accurately track application milestones and case officers can enter any date as the start of processing time in the system.
Furthermore, IA testing demonstrated a high level of variability in days required to complete an application, ranging from 8 days to 911 days (from the date of filing of an application to date of approval). Given the diversity in the types of approvals and associated levels of effort, and the number of iterations associated with their review, not having internal benchmarks to monitor performance, or an ability to account for when OSFI is awaiting additional information from applicants, makes it difficult to assess whether the range of processing times is reasonable and reflective of the complexity of the application.
The Approvals Division acknowledges the limited tracking related to processing times and lack of consistency in when application receipts are issued, which impacts the reliable tracking of service standards, and intends to address this through additional controls in the new system.
Why It Matters
- Inconsistent issuance of Application Receipts makes it difficult to demonstrate that applications are processed in accordance with service standards;
- Unreliable processing times make it difficult to identify and remediate sources of delays in application approvals; and
- Timely processing of applications is essential as approvals facilitate key transactions as well as new products, services and capital into the financial sector.
Recommendation #1 (High Risk)
The Approvals Division should develop a methodology to track and monitor processing times, with a clear definition of the complete lifecycle, including milestones, applicant notifications, key fields, and associated controls. This should include enhancing guidance around the issuance of Application Receipts to ensure consistency of tracking against service standards.
3.2 Updating existing policies, procedures and guidelines
Approval policies, procedures, and guidance should be available and current to support regulatory approval activities. Regularly reviewing these tools ensures their relevance and alignment with the needs of stakeholders in the approval process.
Audit’s Gold Stars
- Approval managers have developed and leveraged their own area-specific process maps, outlining what should be documented where to support their work where there is a gap.
What We Found
While the Approvals Division has policies and guidance, both internal and externally facing (e.g., transaction instructions), the majority have not been updated in several years, with some dating back to before 2014. Some internal process documents, such as updated process maps outlining where documents should be retained, remained in draft or were leveraged as informal guidelines rather than established standards to follow. Interviews indicated that in some cases this was due to resourcing challenges, and in others, process documents were waiting for the implementation of a new CMS before being finalized.
Established procedures and standards also lack coverage of certain scenarios, for example:
- There is no standard process to close cases that remain inactive for multiple years due to a lack of application response (‘stale cases’). This causes these files to be monitored by case officers throughout this period, such as having to follow up with non-responsive applicants during this time. In the event new information is received from an applicant after a lengthy period of inactivity, a new case file is often created regardless.
- There is no defined process for identifying and flagging new or emerging application types or considerations.
- CMS does not enable searching for precedents or trends across cases.
Established internal policies and procedures were designed for the Approvals Division 10-15 years ago, and may not align with current processes or OSFI risk appetite. Outdated instruments do not effectively support case officers in handling applications including non-traditional applications or ones involving innovations, such as open banking and artificial intelligence. Additionally, without regular review, processes may not be reflective of OSFI's current risk appetite and may hinder its ability to streamline policies and procedures to focus resources on high-risk applications.
The Approvals Division acknowledges that the current process documents are out of date and is developing new process and procedure documents in tandem with developing the new CMS.
Why It Matters
- The lack of regular reviews and updates of procedure documents may result in ineffective or outdated approval activities which are not aligned with OSFI’s risk appetite.
- In a fast-paced changing risk environment, it is critical that policies, procedures, and guidelines be adaptable to the needs of the current risk environment. Without regular review of these instruments there may be inconsistent treatment of applicants or approval delays.
Recommendation #2 (Medium Risk)
The Approvals Division should implement a defined review cycle to ensure policies, procedures and guidance remain current and aligned with the current environment and OSFI’s risk appetite.
Appendix A – Recommendation ratings
Recommendations are ranked in order to assist management in allocating resources to address identified weaknesses and/or improve internal controls and/or operating efficiencies. These ratings are for guidance purposes only. Management must evaluate ratings in light of their own experience and risk appetite.
Recommendations are ranked according to the following definitions:
- High Risk: should be given immediate attention due to the existence of either a significant control weakness (i.e. control does not exist or is not adequately designed or not operating effectively) or a significant operational improvement opportunity.
- Medium Risk: a control weakness or operational improvement that should be addressed in the near term.
- Low Risk: non-critical recommendation that could be addressed to either strengthen internal control or enhance efficiency, normally with minimal cost and effort.
Individual ratings should not be considered in isolation, and their effect on other objectives should be considered.
Appendix B - About the Audit
Objective
To assess whether current policies, processes, tools, and guidance support effective, timely and adaptable regulatory approvals activities and are being applied consistently.
Scope
This phase will cover Insurance and Deposit-Taking Institutions (DTI) regulatory approval activities between April 1, 2021 and July 31, 2023 and will focus on the following:
- Design and operating effectiveness of key regulatory approvals processes including those related to intake, assessment and closure, and outcomes of approvals work;
- Design and compliance with applicable frameworks, standards, policies, service and performance standards, and alignment with OSFI risk appetite;
- Adaptability of assessment processes (including external and internal guidance) to consider changing environment for new applicants; and
- Interaction model between the Approvals Division and key internal partners, including supervision, specialist groups and the legislation team.
As Pension Approvals were only recently included in the Approvals Division portfolio, their processes are not aligned with those of Insurance and DTI and they were not included in the scope of this phase.
Approach and methodology
The audit leveraged agile methodologies and used a phased approach to cover both frameworks, policies and guidelines as well as CMS.
This phase was conducted through document reviews, interviews, and sample testing of files. Internal Audit selected a sample of files related to approval activities during the audit period and assessed how applicable policies and directives were adhered to, how processes were adapted to assess non-traditional applicants and how timelines were managed.
There has been limited audit coverage in this area in the past five years and the risk environment has evolved over time. Given the changes and the lack of coverage, the results of this phase were designed to provide valuable insights to management on the effectiveness of approval activities and OSFI’s ability to adapt to a changing environment.
Audit criteria
The following criteria have been established for this audit:
- Approval activities are effective to support timely application assessments and recommendations
  - 1.1. Approval policies, standards, templates and guidance are formalized, accessible and regularly updated.
  - 1.2. Approval operations comply with applicable policies and standards and integrate dynamic adjustments to approval activities for timely escalations and assessment of risks.
  - 1.3. Mechanisms in place to monitor performance, including KPIs and service standards, are appropriate and reported on a timely basis.
  - 1.4. Processes are in place for continuous improvement, including lessons learned and peer regulatory collaborative/benchmarking sessions.
- Stakeholder engagement is integrated into processes and is effective, timely and relevant to stakeholders
  - 2.1. Processes for review, consultation and communication of external guidance are in place.
  - 2.2. Interaction model for internal stakeholder engagement throughout approval applications is clearly defined, communicated and understood.
Statement of conformance
This review was conducted in conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board’s Policy on Internal Audit, and as supported by the results of the Quality Assurance and Improvement Program.