Tolga Yalkin participates in CI’s 30th Anniversary Flagship Conference on Regulatory Compliance for Financial Institutions
Speech - Toronto
Introduction
Good morning, everyone.
It’s an honour to join you today for the 30th anniversary of this flagship conference on regulatory compliance. This milestone gives us a chance to celebrate the professionals who dedicate themselves to ensuring that our financial institutions operate safely, soundly, and with integrity.
Before I begin, let me acknowledge that we gather today on the traditional land of the Mississaugas of the Credit, the Anishinaabeg, the Chippewa, the Haudenosaunee, and the Wendat peoples. This land is also home to many diverse First Nations, Inuit, and Métis peoples.
Now, let’s turn to the topic of my remarks—regulatory compliance management (RCM) and its growing importance in today’s increasingly complex risk environment.
Regulatory compliance risk—that is, non-conformance with laws, rules, and requirements—has always been critical to maintaining the safety and soundness of financial institutions. Today, however, the stakes are higher than ever as the financial industry faces a rapidly evolving and increasingly complex risk environment.
The Evolving Risk Landscape
These shifts have made it significantly more challenging for institutions to meet regulatory requirements, as they contend with mounting complexity and uncertainty.
At the same time, the consequences of failing to comply with regulatory requirements are growing more severe.
Canadian banks, both domestically and internationally, have faced multi-million and sometimes billion-dollar fines for deficiencies in anti-money laundering and anti-terrorist financing compliance programs. These failures have resulted in severe financial penalties, reputational damage, and heightened regulatory scrutiny.
Internationally, several major global banks have been fined billions for failing to prevent financial crimes, including money laundering and sanctions violations. These cases highlight the widespread consequences of regulatory compliance failures, threatening institutions’ stability, eroding public trust, and prompting stricter oversight across jurisdictions.
These examples are not isolated incidents. They reflect a growing trend of heightened regulatory scrutiny and increasing penalties for non-compliance.
What’s clear is this: strong regulatory compliance management is not just a regulatory expectation—it is a business imperative. Financial institutions that fail to meet these expectations put their safety and soundness at risk.
Regulatory Compliance: A Foundation for Safety and Soundness
At OSFI, we recognize that a financial institution’s conformity with regulatory requirements is foundational to its safety and soundness. This goes beyond financial metrics like capital, liquidity, and leverage. It speaks to the broader need for institutions to comply with prudential and other regulatory requirements in Canada and globally.
Our expanded mandate for integrity and security also highlights the importance of regulatory requirements. When we look at risks like regulatory compliance management, we’re no longer limited to viewing them only through the lens of safety and soundness. Now, we can also consider them as integrity issues in their own right.
Failing to follow regulatory rules can shake a financial institution’s stability in many ways:
- Financial penalties: Significant fines can erode capital and profitability.
- Operational disruptions: Enforcement actions often require costly and time-consuming remediation efforts.
- Reputational damage: Publicized failures undermine trust with customers, investors, and counterparties.
- Heightened regulatory scrutiny: Institutions with compliance deficiencies may face restrictions or increased oversight, limiting their ability to compete and grow.
In short, non-compliance doesn’t just lead to regulatory consequences—it undermines the very stability of the institution.
The Growing Complexity of Compliance
Add to this the fact that the complexity of regulatory compliance has grown significantly in recent years, driven by several factors:
- Globalization: Financial institutions operate across multiple jurisdictions, each with its own regulatory frameworks and expectations.
- Expanding regulatory requirements: As risks evolve, so too do the rules governing financial institutions.
- Interconnectedness: Institutions must navigate increasingly complex relationships with third parties, customers, and counterparties, all of which carry compliance implications.
- Velocity of risk: The speed at which risks materialize has increased, requiring institutions to respond quickly and effectively.
These factors have made compliance risk management more challenging—and more critical—than ever. After decades of relative economic and financial stability, institutions now face a more turbulent environment marked by geopolitical shifts, rapid technological changes, and increased market volatility. This has heightened the stakes for compliance, as the predictability of past frameworks gives way to a need for agility in managing risks. Institutions must be proactive in identifying and addressing compliance risks to avoid being caught off guard.
Ship Analogy
The challenges of doing this well are obvious and clear, but an added challenge is the fact that to many, regulatory compliance management can often feel abstract given its focus on establishing systems and processes to prevent violations of rules and regulations, rather than addressing visible or immediate issues.
Moreover, its success often goes unnoticed because, when done effectively, nothing goes wrong. This preventive and behind-the-scenes nature of regulatory compliance management makes it harder to visualize and rally around compared to tangible actions or crises.
Additionally, its emphasis on adhering to detailed, often complex regulatory frameworks can feel technical and removed from the day-to-day operations or outcomes that people easily understand.
To make this concept more relatable and easier to grasp, I like to use the analogy of a ship navigating the open seas.
RCM is like a ship’s guidance system, keeping it on course, avoiding hazards, and ensuring it reaches its destination safely. Regulatory frameworks and requirements, meanwhile, are like the rules of various ports—each with specific guidelines for docking, customs, and cargo handling. A ship must comply with these rules to operate smoothly at every stop.
When the guidance system is poorly maintained, even small faults—like a slight miscalibration—can cause the ship to drift off course. This drift might lead to missed deadlines, violations of port rules, or even denial of entry. Over time, such gaps in navigation erode trust with the ports and compromise the ship’s ability to complete its journeys.
Encountering a new port with unfamiliar rules adds another layer of complexity. Without a robust guidance system, the ship’s crew struggles to adapt, increasing the risk of errors and regulatory breaches. In contrast, a strong RCM framework equips the ship to interpret new requirements and adjust operations seamlessly, ensuring it stays on course.
The flag and homeport of a ship also serve as critical signals. Ships registered in countries with strong regulatory systems benefit from enhanced credibility, safer operations, and better interactions with ports, regulatory authorities, and other vessels. These high standards foster trust and reduce risks, creating advantages for the ship.
This is why we, as a regulator, place such importance on regulatory compliance management—not just for individual institutions, but for the reputation of Canada as a whole. Every financial institution shares this interest, because the strength of "Brand Canada" underpins trust in our financial system and supports its success on the global stage.
The lesson is clear: gaps in compliance management strike at the core of an institution’s ability to function safely and soundly. Left unaddressed, these gaps can lead to regulatory violations, reputational damage, and operational disruptions, threatening not only an institution’s long-term stability but also the broader trust and credibility that underpin our financial system.
Just as a ship’s failures can affect the safety and operations of the entire fleet, weak compliance at one institution can ripple outward, impacting our national reputation and the resilience of the financial ecosystem as a whole.
What Effective Compliance Management Looks Like
For a ship to operate safely, its captain, crew, and guidance system must work together to navigate hazards and adapt to changing conditions. Similarly, effective compliance management requires:
- Clear governance: Boards and senior management must act like the ship’s captain, setting a clear course and ensuring compliance risks are properly managed.
- Robust frameworks: Just as accurate charts guide navigation, compliance frameworks must be regularly updated to address emerging risks.
- Proactive monitoring: A ship’s instruments are routinely tested to keep it on course; likewise, compliance frameworks should be continuously strengthened to maintain institutional stability.
Chief Compliance Officers (CCOs) play the role of the ship’s navigator, guiding institutions safely through today’s complex regulatory environment. They:
- Identify and address non-compliance early, much like identifying hazards before they become crises.
- Foster a culture of vigilance, ensuring the institution doesn’t drift into complacency—akin to a well-prepared crew anticipating challenges.
However, no navigator can steer a ship alone. Compliance requires collaboration across senior management, the board, and the entire organization, working as a cohesive crew.
The Way Forward: Set, Spot, Stop
This work is no small feat, something we think about often as a regulator. While this complexity requires a significant and comprehensive response, we have developed a useful reference point to help remind financial institutions of the bases they need to cover.
We say it is important to remember to “set, spot, stop.” What do we mean by this?
- Set: Develop and implement clear, robust controls and policies to ensure adherence to all relevant regulatory requirements.
- Spot: Proactively identify risks and compliance gaps early through continuous monitoring, audits, and risk assessments.
- Stop: Prevent issues from escalating by addressing identified weaknesses promptly and reinforcing controls to mitigate future risks.
Closing
In closing, I’d like to briefly refer back to the analogy of the ship. We all want to sail on vessels that are seaworthy, well-guided, and prepared for the journey ahead. The same principle applies to financial institutions. Strong compliance management not only keeps the institution on course but also helps chart a path to stability and resilience.
As the saying goes, a ship in harbour is safe, but that’s not what ships are built for. With robust compliance systems in place, financial institutions can navigate even the most challenging waters, fulfilling their purpose while safeguarding trust and stability for all.
Thank you, and I look forward to your questions.