Internal Audit Report on Insurance Supervision Sector – Securities Administration Unit

Publication type: Audit

    Glossary and Abbreviations

    TBS: Treasury Board Secretariat
    SAU: Securities Administration Unit
    DTB Administration: Custom-designed software system used to support SAU activities
    PCG: Property and Casualty Group
    ISS: Insurance Supervision Sector
    FRFI: Federally regulated financial institutions which include deposit taking and insurance institutions operating in Canada under a branch structure
    Financial Institution (FI) branch regime: OSFI’s guidelines and responsibilities with respect to the adequacy of control over assets held in Canada of foreign insurance and bank branches, as required by the Bank Act and the Insurance Companies Act
    STA: Standard trust agreements, which outline requirements to hold and maintain assets in-trust
    FBB: Foreign bank branches
    OSFI Guideline A-10: OSFI’s Guideline A-10 Capital Equivalency Deposit, dated January 2002 (Appendices dated April 2002)
    CED: Capital equivalency deposit
    LOC: Standby Letters of Credit
    Trustee: Canadian financial institutions holding accounts vested in-trust

    1. About The Engagement

    Context

    An audit of the Securities Administration Unit (SAU) was recommended by OSFI’s Audit Committee and approved by the Superintendent for inclusion in the OSFI 2017-2018 Internal Audit Plan.

    SAU acts as OSFI’s administrator for the vested asset/capital equivalency deposit accounts of federally regulated foreign bank and insurance branches. SAU also oversees reinsurance collateral placed in Reinsurance Security Agreements (RSA) with trustees in respect of insurance companies.

    SAU’s primary role is supporting Lead Supervisors in ensuring there is adequate monitoring of assets held in Canada, as required by the Bank Act and the Insurance Companies Act. SAU’s primary internal stakeholders include:

    • Lead Supervisors;
    • Legal Services Division; and
    • Legislation and Approvals Division.

    SAU externally liaises with Federally Regulated Financial Institutions (FRFIs), FRFI trustees (custodians/depositories) as well as FRFI legal counsel.

    SAU is a unit within the Property and Casualty Insurance Group (PCG) that reports to the Assistant Superintendent of the Insurance Supervision Sector (ISS).

    SAU’s Role and Responsibility

    For operational efficiency, SAU acts as the central coordinator/liaison between the Lead Supervisor, FRFIs and trustee/custodian. SAU’s primary responsibilities include:

    Foreign Insurance Branches

    Pursuant to the Insurance Companies Act, branches of foreign life and property and casualty insurance companies are required to hold and maintain assets in accounts vested in-trust with a Canadian financial institution (the ‘Trustee’). The foreign insurer must establish a Standard Trust Agreement as set out in OSFI’s Instruction Guide: Establishment or Termination of a Trust for Vesting Assets in Canada by a Foreign Company. Schedule “A”, which is part of the Standard Trust Agreement, outlines the types of investments that can be vested without OSFI’s approval.

    SAU’s key role and responsibility in respect of foreign insurance branches:

    • As part of the approval process for the establishment of a new foreign branch (performed by Legislation and Approvals with Supervision’s recommendation), SAU performs a review of the Trust Agreement to ensure it is consistent with the Standard Trust Agreements (STA) as published on OSFI’s website; and
    • SAU obtains the requisite approval from the responsible Lead Supervisors for requests (Form 298) for either the purchase of “non-Schedule A” investments or the release of vested assets.

    Foreign Bank Branches

    Pursuant to Section 582 of the Bank Act, foreign bank branches (FBB) are required to deposit unencumbered assets with an approved financial institution in Canada (the ‘Depository’). This deposit is referred to as the Capital Equivalency Deposit (CED). FBBs must establish a Standard Deposit Agreement as set out in OSFI’s Capital Equivalency Deposit Guideline for standard deposit agreements.

    SAU’s key role and responsibility in respect of FBBs:

    • As part of the approval process for the establishment of a new foreign bank branch (performed by Legislation and Approvals with Supervision’s recommendation), SAU performs a review of the Standard Deposit Agreement (SDA) to ensure it is consistent with the template published on OSFI’s website; and
    • SAU obtains the requisite approval from the responsible Lead Supervisors (Form 298s) for non-Schedule A deposits and Asset Withdrawal Forms.

    Reinsurance Collateral

    Under the applicable capital rules, all insurance companies may seek to receive capital credit for liabilities ceded to unregistered reinsurance companies with applicable reinsurance collateral, either through Standby Letters of Credit (LOCs) and/or assets held in Reinsurance Security Agreement(s) (RSAs). SAU is responsible for the:

    • Review of new and/or revised LOCs and RSAs to ensure that the wordings on the LOCs/RSAs are consistent with the standard template wording reviewed by OSFI Legal and posted on OSFI’s website. No deviations from the wordings are permitted unless reviewed by OSFI Legal.

    Other

    DTB Administration is a custom in-house designed software system used to support SAU’s activities including the collection of monthly reports from trustees/custodians listing the assets vested/deposited under STA, SDA and RSA.

    There are currently 136 foreign banking and insurance institution branches. As at December 31, 2016, assets held under the vested asset/capital equivalency deposit agreements with 16 trustees amounted to approximately $48.8 billion for all foreign institutions’ branches. In addition, there was approximately $20.0 billion in assets held under the terms of reinsurance collateral agreements.

    SAU is considered a critical service within OSFI’s business continuity plans given the three-day settlement period for OSFI to approve branch requests (Form 298s) to reinvest/release non-Schedule A assets or withdraw vested assets.

    Objective

    The objective of the engagement was to assess the effectiveness of SAU’s management control framework in place to administer, monitor, and ensure OSFI has adequate control over all assets vested-in-trust and reinsurance collateral, held in Canada, by the branches of foreign banks, life and property and casualty insurance institutions and reinsurers, as required by OSFI’s rules and legislation.

    Scope

    The scope of this engagement focused on the following:

    • SAU’s management control framework in place, including a review of the mandate, core processes, operational procedures, guidance, standard templates and practices;
    • the DTB Administration system;
    • SAU management oversight controls built around core processes; and
    • selected documentation related to SAU’s activities.

    Statement of Conformance

    The audit was conducted in conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board Secretariat (TBS) Policy on Internal Audit and the Internal Auditing Standards of the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.

    2. Results of the Engagement

    Executive Summary

    The observations contained in this report fall outside of the responsibilities and general operating activities performed by SAU in acting as the administrator for OSFI’s financial institutions branch regime.

    OSFI has not performed a recent assessment of its Financial Institutions’ (FI) branch regime to ensure legislative requirements are adequately addressed, security interests are properly safeguarded and operational efficiencies are maximized.

    Enhancing OSFI’s ability to effectively and efficiently execute its mandate may best be initiated by senior management from all internal stakeholders revisiting the origins of FI branch regime obligations and critically examining the impact, relevance and interdependencies of these responsibilities in their current format and in conjunction with OSFI’s present risk tolerance for FI branches.

    3. Management Response

    Management appreciates the observations set out in this report and agrees that a strategic review of the SAU is both timely and appropriate to ensure that OSFI continues to meet its obligations in supervising financial institution branches in Canada.

    Management notes that core elements of the financial institution branch regime in Canada are set out in legislation and regulation and therefore not within OSFI’s purview to change. The current legislation and regulations pertaining to bank and insurance branches are different. Deposit taking institution branches, for example, are precluded in legislation from dealing with retail depositors, whereas insurance branches can deal in the Canadian retail insurance market. These differences in legislated business powers lead to differences in OSFI’s risk tolerances and hence its approach to regulation and supervision. OSFI’s responsibility is to ensure that the legislated standards and requirements are met efficiently and effectively and management will approach this review with those objectives in mind.

    The Legislation and Approvals Division (LAD) within OSFI’s Regulation Sector has expertise in interpreting the relevant legislation in respect of FI branches, including OSFI’s obligations under the legislation. Management has asked LAD to lead a comprehensive review in keeping with the scope recommended in this audit. LAD will report to the Executive Committee no later than June 30, 2018, with recommendations that will address the observations contained in this report. Included in the scope of this review, management intends to consider whether the full range of functions currently performed by the SAU continue to be necessary and/or whether some or all of them could be outsourced.

    4. Observations and Recommendations

    1. Financial Institutions Branch Regime

    Medium Priority Observation

    A number of financial institutions branch regime initiatives could benefit from being updated to ensure alignment with OSFI’s current operating environment and to ensure security interests are properly safeguarded.

    SAU provides administrative support to Lead Supervisors in carrying out their supervisory responsibilities for Federally Regulated Financial Institutions (FRFIs), in particular foreign insurance and bank branches, as well as insurance companies in respect of the oversight of reinsurance collateral. SAU acts as the central coordinator/liaison between the Lead Supervisor, FRFIs and trustee/custodian/depository.

    OSFI has not performed a recent assessment of its Financial Institutions’ (FI) branch regime to ensure legislative requirements are adequately addressed, security interests are properly safeguarded and operational efficiencies are maximized.

    SAU requires assistance to more effectively contribute to OSFI’s mandate with respect to foreign institutions’ branches. The audit revealed several interrelated challenges that, if diagnostically reviewed and addressed, would provide a much more supportive intersection between Supervision (assets/capital adequacy of equivalency deposits) and SAU (process and administration). Observations relating to the challenges include:

    • Technology & reporting limitations – DTB Administration, the legacy system used to support SAU’s activities, is outdated with significant data limitations (see Observation #2);
    • Level of scrutiny – foreign bank branches of deposit taking institutions are required to deposit the equivalent of 5% of Canadian liabilities with a Canadian financial institution approved by OSFI. Foreign branches of insurance institutions are required to deposit 100% of their required assets in vested asset accounts. OSFI requires approval via a Form 298 filing when adding new assets to a vested account or when withdrawing/reinvesting non-Schedule A assets. SAU currently resides within the Property & Casualty Group as insurance branches generate a disproportionately high number of Form 298 requests compared to banking branches. By the nature of their business, property and casualty branches maintain shorter duration investment portfolios resulting in increased investment activity. Current approval thresholds could be reviewed to ensure OSFI is employing an appropriate amount of oversight within this transaction level control;
    • Dated guideline/agreements – guidelines with respect to SAU procedures are dated and may not properly reflect the current financial/legal environment in which OSFI and financial institutions operate and may not ensure that branch assets are properly secured.
      • Guideline A-10 Capital Equivalency Deposit, last revised in 2000, has resulted in supervision implementing compensating controls.
      • Standard Trust Agreements, dated 2002, are not reviewed regularly to ensure adequate alignment with OSFI’s needs for information with respect to the holdings contained in vested accounts.
      • The standard working template for Standby Letters of Credit guidance relating to various forms of security and approval processes utilized by SAU has not been reviewed recently and therefore potentially represents reputational risks to OSFI should these agreements not withstand legal challenge in drawing funds when needed. The security interest of the LOC is a key component of the branch regime.
    • Consistent Approach – variations in the understanding of SAU responsibilities across FI branch regime stakeholders suggest a reactive approach to ensuring that clearly defined roles, responsibilities and accountabilities exist for each internal stakeholder. Control gaps and duplication of efforts can occur if roles and responsibilities are not maintained, accessible and periodically updated as necessary.

    Recommendation

    Enhancing SAU’s ability to effectively and efficiently contribute to OSFI’s mandate may best be initiated by performing a current assessment of OSFI’s responsibilities with respect to the FI branch regime.

    Beginning with the origins of OSFI’s initial FI branch asset obligations and critically examining the impact, relevance and interdependencies of these responsibilities in their current format and in conjunction with OSFI’s present risk tolerance for foreign branches will best position senior management from all internal stakeholders to address the above initiatives in an informed and risk-based priority sequence. Simply addressing isolated initiatives may result in outcomes lacking insight and long-term impact.

    Management Action Plan

    As noted, management will conduct a strategic review of OSFI’s oversight of FI branches in accordance with the current legislative requirements. Management accepts that some of the Guidelines, agreements and templates cited above have not been updated recently, and the review will recommend a plan to update, as necessary, these documents. Management also notes some existing measures to mitigate the risks identified with respect to pledged security arrangements (LOCs). OSFI’s guidance specifies that these arrangements must adhere to international guidance (ISP98). In addition, OSFI’s Legal Services unit provides advice on both standard trust agreements and any modifications to LOCs.

    Management believes the current level of scrutiny and controls in place is commensurate with the risks involved in the FI branch regime but agrees with the audit findings that there is room for improvement in consistency and efficiency, particularly given the predominantly manual processes and outdated technology being used in SAU. Management is of the view that an equivalent level of oversight can be achieved in a significantly more efficient fashion and will be looking for ways to achieve this outcome as part of our review.

    2. Technology Limitations

    Medium Priority Observation

    DTB Administration, the legacy system used to support SAU’s activities, is outdated with significant limitations, which constrains OSFI’s ability to risk assess vested/deposit account activity.

    OSFI requires all trustees/depositories to submit to SAU a monthly statement of all assets held in the form of Schedule ‘B’ under the terms of the trust/custodial agreements they have with financial institutions. SAU assists in monitoring the quality and type of the assets held in these accounts as well as assessing whether the trustees comply with the terms of these agreements. SAU requires adequate technology to gather the trustees’ information with appropriate controls in place to validate the accuracy, completeness, and existence of the information collected and disseminated within OSFI.

    SAU compiles trustee reporting of vested assets on a monthly basis. Variance reports are generated with differences above prescribed thresholds reported to Supervision as an early warning mechanism for potential negative capital trends.

    Trustees and depositories currently submit their information using different methods (only two submit data files while the remainder email/mail reports) which involve significant manual intervention and work-around procedures by SAU, and may compromise the integrity and quality of the information collected and reported. DTB Administration is outdated with significant limitations in data entry. DTB Administration does not allow detailed vested asset holdings to be entered (only summarized holdings are entered) which limits OSFI’s ability to analyze assets held in these accounts. This data is not available in OSFI’s Business Intelligence system and the data is not submitted through the Regulatory Reporting System (RRS). To accommodate supervision inquiries, SAU must locate and extract physical documents and forward a scanned copy.

    In December 2016, SAU performed a one-time manual reconciliation of its records, against trustees’ reported holdings and FRFIs’ reporting, to assess accuracy and to bring awareness to Lead Supervisors with respect to reporting gaps. This exercise was challenging due to technology limitations and only focused on the insurance branches.

    Recommendation

    Enhancing SAU’s ability to collect, manage and analyze information collected from external stakeholders will better position SAU to discharge its responsibilities and support supervision in ensuring institutions comply with OSFI’s FI branch regime’s rules and regulations.

    Depending on the outcome of the initiatives undertaken in observation #1, an updated technology solution should be explored to address SAU’s information needs with integration potential into Vu.

    Management Action Plan

    Technology solutions will be explored, as necessary, as part of the strategic review that management intends to undertake.

    Another avenue that management intends to explore with Common Supervisory Services is to have the SAU technology solution integrated with the Vu application. This would further enhance both operational efficiencies and broader risk identification capabilities.

    Appendix 1

    Observation Ratings

    Observations are ranked in order to assist management in allocating resources to address identified weaknesses and/or improve internal controls and/or operating efficiencies. These ratings are for guidance purposes only. Management must evaluate ratings in light of their own experience and risk appetite.

    Observations are ranked according to the following:

    High priority - should be given immediate attention due to the existence of either a significant control weakness (i.e. control does not exist or is not adequately designed or not operating effectively) or a significant operational improvement opportunity.

    Medium priority – a control weakness or operational improvement that should be addressed in the near term.

    Low priority - non-critical observation that could be addressed to either strengthen internal control or enhance efficiency, normally with minimal cost and effort.

    Individual ratings should not be considered in isolation and their effect on other objectives and areas should also be considered.