Kingdom of the Netherlands-Curaҫao and Sint Maarten: Technical Assistance Report—Implementation of Risk-Based Supervision

The CBvCSM is the sole supervisory authority for all regulated financial institutions operating locally and in the offshore (or international) sector, as well as the stock exchange in Curacao and St Maarten. The financial sector comprises different types of institutions, which include banks and non-bank institutions, insurance companies (both Life, and Non-life), securities intermediaries, asset management firms, investments institutions, fund administrators, management of pension funds, reinsurers, and trust companies.

Abstract

The CBvCSM is the sole supervisory authority for all regulated financial institutions operating locally and in the offshore (or international) sector, as well as the stock exchange in Curacao and St Maarten. The financial sector comprises different types of institutions, which include banks and non-bank institutions, insurance companies (both Life, and Non-life), securities intermediaries, asset management firms, investments institutions, fund administrators, management of pension funds, reinsurers, and trust companies.

Executive Summary

The CBvCSM is the sole supervisory authority for all regulated financial institutions operating locally and in the offshore (or international) sector, as well as the stock exchange in Curacao and St Maarten. The financial sector comprises different types of institutions, which include banks and non-bank institutions, insurance companies (both Life, and Non-life), securities intermediaries, asset management firms, investments institutions, fund administrators, management of pension funds, reinsurers, and trust companies.

In January 2021, the CBvCSM implemented a revised organizational structure for financial sector supervision. The new structure comprises 4 functional units (Supervision Policy; Account Supervision; Expert Supervision; and Cross Sectoral Supervision). The revised structure is designed to support the introduction of a Risk-Focused Surveillance Framework (RFSF) across all financial institutions or sectors supervised by the CBvCSM.

Currently, there appears to be some element of overlap between the responsibilities of the Expert and Account Supervision units. It is important to designate which of the two units will assume the lead role in determining the risk profile of each institution and engaging with supervised institutions in executing supervisory work on an ongoing basis. The mission recommends that experienced staff from Account Supervision be assigned as the Relationship Manager (RM) or Lead Supervisor for each institution or portfolio of institutions within the same sector. The RM’s principal responsibilities should include all aspects of supervisory work relating to planning and executing the annual supervisory plan and multi-year supervisory strategy for each assigned institution and/or financial group, including review and updating their respective risk profile; liaising and collaborating with staff within Expert Supervision to undertake and share the results of risk reviews (e.g. credit, market, operational) and assessments conducted. The results from these reviews should be utilized by the RM and staff in Account supervision as inputs in assessing and/or updating the risk profile of supervised institutions.

The supervision department of the CBvCSM uses different methodologies or approaches for conducting risk assessment and assessing the risk profile of institutions within the different sectors covered by its mandate. Based on the findings from the review conducted by the mission team, including discussions held with the different groups of sectoral supervisors, the mission concluded that it is practical and feasible to develop and implement a harmonized risk rating or assessment methodology. A harmonized assessment methodology would serve to minimize duplication in the supervisory process, particularly for banking and insurance supervision, and allow for a standardized process to assess the risk profile of supervised institutions.

The mission recommends that CBvCSM review the approach adopted by several CARTAC member countries for consideration as part of the process of deciding on an appropriate harmonized risk assessment system across the different sectors1. The risk assessment approach currently utilized by the banking supervisors at the CBvCSM reflect some features of the risk-based supervisory framework and risk assessment system adopted and being implemented by several member countries of CARTAC (such as Jamaica, Barbados, Belize, Grenada, St Vincent and the Grenadines, Turks and Caicos Islands) and the Eastern Caribbean Central Bank and would therefore require fewer changes or modifications. The assessment methodology embedded in the risk-based supervisory framework utilized by CARTAC member countries can also be applied to other sectors such as insurance, asset management, trust and pensions with few modifications to reflect differences in underlying business models, an d whether the supervisory objective is prudential or market conduct.

The framework proposed for consideration is activity-based and reflects how institutions manage their business activities and risk exposures irrespective of the sector. The approach would result in standardization and consistency across the sectors in terms of the methodologies and related rating systems, which is a key objective of the supervision department. Any differences resulting from customization of the framework adopted in terms of risk coverage, governance requirements and supervisory expectations should be based on the underlying businesses and supervisory objectives (prudential and/or market conduct) of the institution rather than the supervisory methodology. The methodology should allow for flexibility in application across institutions from different sectors of varied size and complexity. It should also reflect a uniform rating scale and incorporates standardized definition and assessment criteria for risks and control functions.

The key recommendations are shown in Table 1. Additional details on each recommendation are provided in the referenced paragraphs.

Table 1.

Key Recommendations

article image

I. Introduction

1. The CBvCSM is the sole regulatory and supervisory authority in Curaçao and St. Maarten. The main office of the CBvCSM is located in Curaçao. The CBvCSM supervises all regulated financial institutions in both countries that conduct business locally as well as financial institutions licensed and registered with the CBvCSM but limited to doing offshore business only. It also supervises the stock exchange. Of the 44 banks operating locally and offshore, 8 are considered significant. 8 of the 31 insurance companies, and 5 trust and pension funds management firms are also deemed significant by the CBvCSM. The CBvCSM defines an institution as “significant” based on the following criteria: the size of the institution, the market share, the number of customers, the products they offer and their relevance to the local financial system. For example, the 8 significant banks account for 76 percent of the combined assets of all banks operating in the domestic and offshore sectors.

2. The economies of Curaçao and St. Maarten are heavily dependent on tourism (both stopover and cruise arrivals) and revenue from offshore financial businesses. The COVID-19 pandemic inflicted a major shock on the Curaçao economy that had already been struggling with a protracted recession3. Stopover tourism arrivals in 2020 were 68 percent lower than in 2019, and a spike of COVID-19 cases in December 2020 resulted in the reintroduction of social distancing measures. Subsequent spikes in COVID-19 cases in March/April 2021 resulted in a near-lo ckd own o f th e e con om y . Formal private employment in December 2020 was 12 percent lower than in December 2019 and total 2020 tax revenue fell by 14 percent. The economic response measures supported by substantial financing from the Netherlands helped to cushion the shock.

3. In November 2020, Curaçao signed an agreement with the government of the Netherlands that included the implementation of measures across several sectors, including the financial sector to improve Curaçao’s resilience to shocks and raise potential growth. The agreement requires an overall review of the financial markets supervisory system (legislation and regulations, supervisory policy). As part of the process to strengthen its supervisory function, the CBv CSM has restructured its supervision department. Assessing the practicality and appropriateness of developing and implementing harmonized risk assessment methodology across all financial sectors is intended to complement other initiatives being undertaken to strengthen supervisory oversight4.

4. Currently, the supervision department of the CBvCSM uses different methodologies or approaches for conducting risk assessment and assessing the risk profile of institutio ns within the different sectors covered by its mandate. Once the CBvCSM decides on an appropriate methodology for harmonized risk assessment across all sectors, consideration should be given to reassessing current and target staffing levels in the supervision department and the skills required for the effective implementation of the methodology. The mission team presented and discussed key behavioral and technical competencies for successful implementation and incorporation of a harmonized framework for risk assessment as part of its risk-based supervision (RBS) framework (or the CBvCSM equivalent, i.e. RFSF). The RBS entails conducting different types of activities across the supervisory cycle, including risk assessments, assessing the effectiveness of controls and governance to manage risk exposures, and assessing the risk profile of regulated institutions both currently and prospectively.

5. The CBvCSM indicated to the mission team that it recently completed a Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis of the supervision sector5. The SWOT analysis covered several areas (i.e. laws and regulations; workflow processes; perception of external stakeholders; organization, people, and resources; and internal and external developments) and strategies for addressing weaknesses during the period 2020 to 2024.

II. Organizational Structure and Staffing of the Supervision Department

6. Effective January 2021, the CBvCSM implemented a new organization structure for supervision. Under the revised structure, the supervision department is organized into 4 units. The revised organizational structure, responsibilities, and key deliverables of each unit are depicted in Appendix 1. The responsibilities of each unit are summarized below:

  • Account Supervision: responsible f or maintaining and updating the overall risk profile of institutions. It is organized in three main groups: (1) Banks and Non-banks, (2) Insurance and Pension Funds, and (3) Investments Institutions, Fund administrators, Securities, Exchange Company, and Trusts. Each of these groups is organized by types of institutions.

  • Expert Supervision: responsible for assessing and assigning ratings to the different risk exposures of each regulated entity. It is organized in three groups: (i) financial Risks (credit, market, insurance, etc.); (ii) cyber and operational risks, an d (iii) Anti-Money Laundering/Combatting the Financing of Terrorism (AML/CFT); governance, culture, behavior; compliance; and market conduct issues.

  • Cross Sector Supervision: responsible for licensing, reassessments, and interventions and enforcements.

  • Supervision Policy: comprised three sub-groups responsible for international cooperation, laws and regulations, and projects. Supervision Policy leads all initiatives relating to legislative amendments, introduction of new or amendments to existing regulations.

7. The new organizational structure introduced in the supervision department with discrete functional units, including the establishment of a dedicated team for risk (Expert Supervision) assessment is not typically found in supervision departments at most Central Banks and other supervisory agencies in the region. The new organizational structure could potentially enhance efficiency in the supervisory process and allow for the development of specialized teams to conduct focused risk assessments, and governance reviews. The new structure is similar to that in place at other supervisory agencies outside the region, such as Canada, United Kingdom, Australia, Malaysia in varying degrees. The allocation of supervisory responsibilities within the Account Supervision unit appears to reflect both sectoral and functional approaches to supervision6. Except for risk assessments, which will be conducted by staff within the Expert Supervision, all elements of the supervisory process for each regulated institution will be conducted by staff from the Accounts Supervision and the Cross- sectoral Department. The Supervision Regulation Department will be responsible for the drafting of supervisory policy guidelines and regulations.

8. The mission team stressed the importance of coordination between the Account and Expert Supervision teams in planning and executing supervisory activities especially with respect to ongoing assessments of material risk exposures of each regulated institution. All supervised institutions will require a minimum level of supervisory oversight, including onsite reviews, to identify weaknesses which cannot be easily detected via prudential reporting and offsite monitoring. Experience in other jurisdictions have shown that the bulk of supervisory time and resources, including focused risk assessments will be allocated to financial groups7, high risk institutions irrespective of size and importance, and systemically important institutions 8 during both normal and stressed situations. The mission recommends that a designated team of supervisors be assigned to each financial group comprising different types of regulated entities.

9. Annex 1 shows the current staffing level in each of the 4 units within the supervision department. Current staffing levels appears inadequate across all units given the number of regulated institutions, including entities deemed significant by the CBvCSM. The mission team was advised that the current staff levels in some units are below the optimal or approved level. The CBvCSM will need to urgently address inadequate staffing across the different units within the supervision department. If staffing levels across the different units are inadequate, the likelihood of supervisors devoting disproportionate level of resources to the largest institutions and groups will be high. All institutions require a minimum level of supervisory oversight, and if not done, may result in risks in some institutions remaining undetected or detected too late. Once the CBvCSM decides on a harmonized framework for risk assessment, it will need to reassess optimal staff levels that were earlier established for each unit, and skills required, both behavioral and technical for the effective implementation of the methodology, including assessment of financial and non-financial risks.

III. Supervisory Framework and Assessment Methodologies

A. Risk-Focused Surveillance Framework

10. The Risk-Focused Surveillance Framework (RFSF) adopted by the supervision department at the CBvCSM is designed to provide continuous regulatory and supervisory oversight. The RFSF as articulated requires coordinated efforts and continuous exchange of information between the field examination function (on-site examination) and the financial analysis function (desk supervision) in Account Supervision to ensure that all members of the supervision department are kept informed about the risk profile of all regulated institutions and pension plans.

11. The RFSF and workflow processes will be applied to each financial institution across all regulated sectors. Appendix 2 summarizes the supervisory workflow processes for insurance firms, which appear very comprehensive for each of the six elements of the Risk-Focused Surveillance Cycle. The workflow processes are similar across each regulated sector, except for minor variations to account for differences in business model or activities. The process includes the following activities, which are intended to be integrated: (i) risk-focused examination; (ii) financial analysis; (iii) review of internal/external changes/developments; (iv) priority system; (v) conduct supervision, and (vi) supervisory plan. The expectation is for supervisors to apply these processes consistently in developing the risk profile of each institution.

B. Assessment Methodologies

12. Currently, each group of sectoral (Banks and non-bank institutions, Insurers and pension funds, and Securities and Trusts) supervisors utilize different methodologies to assess the risk profile of institutions within their respective sector. The rating systems or methodologies used are also different:

  • Banks and non-bank institutions (credit unions and specialized credit institutions): These institutions are assessed using CAMELS9 and two risk-based methodologies. Assessments under the two risk-based methodologies are based on: (i) the functional and business activities of an institution, and (ii) on categories of risk (e.g., credit, market, etc.) across all activities of an institution. An overall composite risk rating of either low, moderate, or high is assigned to institutions based on the functional approach. Assessment based on categories of risk assign similar qualitative ratings to each category of risk across an institution’s activities and an assessment of the effectiveness of risk management for each the category of risk to arrive at the residual risk and its direction. However, neither of the above approaches consider an institution’s resources (earnings, capital, and liquidity) in assessing the overall risk profile of these institutions – these are assessed under the CAMELS methodology.

  • Insurance and Pension funds: Two different methodologies are utilized to assess the risk profile of institutions within these sectors. One approach considers various factors [Financial (including assets, solvency, liquidity, and earnings), Corporate Governance, Compliance and Other] to arrive at an overall assessment of the supervised entity. The assessments of these factors are subjectively aggregated to arrive at an overall assessment of the entity, which is rated as low, medium, or high. Similar to banks and non-bank institutions, the second approach focuses on risk categories. Assessment of capital is not considered in determining the overall risk profile of an insurer under the latter approach.

  • Securities and Trust: supervisors utilize a risk matrix that requires an assessment of several factors, including type and size of an institution, lines of businesses, country of origin, reporting, financial position, level of complaints, and findings from a questionnaire survey. Numerical ratings are assigned to the applicable factors, which are aggregated to arrive at a composite score for the entity.

13. The use of more than one methodology, as is the case with two of the three sectors, to assess institutions results in significant duplication of effort and ineffective utilization of supervisory resources. Since the underlying basis of assessments under the methodologies are different, they result in inconsistent assessments, which makes it difficult to reconcile and explain.

14. As is evident from the above observations, there is an opportunity for the CBvCSM to harmonize supervisory methodologies and rating systems across the different sectors. The CBvCSM needs to identify a methodology that could be used across all sectors, while recognizing that any methodology selected will require some modification for application in the different sectors due to differences in the underlying businesses, and objectives of supervision (prudential or market conduct).

15. There appears to be some element of overlap between the responsibilities of the Expert and Account Supervision units. It is unclear how the risk assessment conducted by the Expert Supervision team will be integrated with the analytical work performed by Account Supervision. The staff within Expert Supervision will be responsible for conducting, inter alia, supervisory work relating to risk identification and assessment, including the assignment of ratings, and advising on risk mitigation strategies. The responsibilities of the supervision team within Account Supervision include ongoing monitoring and updating the risk profile of supervised institutions, which will necessitate utilizing the results of assessments undertaken by Expert Supervision. It is also unclear which of the two units will assume the lead role in determining the risk profile of each institution and engaging with supervised institutions in executing supervisory work on an ongoing basis.

16. The mission recommends that experienced staff from Account Supervision be assigned a s the Relationship Manager (RM) or Lead Supervisor for each institution or portfolio of institutions within the same sector. The RM or Lead Supervisor should be supported by a team of supervisors if assigned to a financial group. The RM’s principal responsibilities should include all aspects of supervisory work relating to planning and executing the annual supervisory plan and multi-year supervisory strategy for each assigned institution and/or financial group, including review and updating their respective risk profile; liaising and collaborating with staff within Expert Supervision to undertake and share the results of review and assessment of control functions and risk (e.g. credit, market, operational) conducted. The results of these reviews should be utilized by the RM and staff in Account supervision as inputs in assessing and updating the risk profile of supervised institutions.

IV. Proposed Harmonized Framework for Supervisory Assessments

A. Essential Features

17. Based on the findings from the review, including discussions held with the different groups of sectoral supervisors, the mission team concluded that it is practical and feasible to develop and implement a harmonized risk rating or assessment methodology. The mission discussed different risk-based supervisory approaches and risk assessment methodology adopted by various jurisdictions, including the approach adopted by several member countries of CARTAC. Irrespective of the harmonized rating system ultimately adopted by the CBvCSM, the methodology should reflect the following features which have been incorporated in the RBS approach adopted and being implemented by several member countries of CARTAC:

  • Flexibility: should allow for application across deposit-taking institutions, insurers, trust, pensions, and asset management companies. Any differences in the methodology and its application should be based on the underlying business model of the regulated entity and supervisory objectives (prudential vs. market conduct as in the case of trusts, and asset management companies).

  • Uniform rating scale or assessment system: ideally the rating scale adopted should be limited to 4-level system rather than 3 or 5 levels to prevent supervisors opting for the midpoint of the rating scale in their assessments even when not warranted. The use of numerical rating sometimes results in averaging of risk ratings to determine overall assessment rating without considering the materiality or significance of each rating. To allow for differentiation between ratings assigned to risk, control functions, and other areas of institution’s operation such as capital, and liquidity, the use of numerical rating scale should be avoided.

  • Uniform definition and assessment criteria for risk categories and control functions: The supervision department has identified several risk categories, and control functions (such as compliance, governance, internal audit), which will be assessed by staff within the Expert Supervision unit.

B. Recommendations

18. The key elements of the RBS framework adopted by several member countries of CARTAC was discussed during one of the two presentations delivered by the mission team10. The methodology was briefly discussed with the President of the CBvCSM at the end of the mission. The mission recommends that the CBvCSM consider as an option for implementation, the framework adopted by several member countries of CARTAC. The framework reflects all the above features and includes a harmonized approach for conducting supervisory assessment and assigning ratings across banks, insurers, and trust companies11. It incorporates all elements of the CAMELS and CARAMELS framework utilized by some jurisdictions for supervisory review and assessment of banks, and insurance firms, respectively12. The proposed methodology is similar to the methodology currently used to assess banks and non-bank institutions at the CBv CSM based on functional activities described above. However, there are some material differences in how activities are identified for assessment purposes and how risk mitigation is assessed. This methodology also considers the adequacy of an institution’s capital, earnings, and liquidity to assess its overall risk profile.

19. The framework proposed for consideration is activity-based and reflects how institutions manage their business activities and risk exposures irrespective of the sector. The approach would result in high level of consistency across the sectors in terms of the methodologies and related rating systems, which is a key objective of the supervision department. The approach can also be applied to the pension sector with appropriate modifications as is the case for the supervision of private pension plans in Canada13. Th e supervisory rating classifications are qualitative, and rating terminologies assigned to risk assessments are different from those assigned to control functions, capital, earnings, liquidity, and solvency and funding (in the case of pension plans). The approach a nd training of staff would entail: (i) identification of the activities of an institution (ii) an assessment of the risks inherent in those activities, (iii) an assessment of mitigation by the institution in the context of the risks inherent in its activities, and (iv) an assessment of the adequacy of an institution’s capital, earnings, and liquidity in relation to the residual risk across all activities taken together.

20. Additional considerations to support the transition to harmonized rating/assessment framework should include resourcing and staffing strategies, and the importance of an effective oversight process to ensure consistent application of the methodology across the Account and Expert Supervision units. The mission discussed key elements, including behavioral and technical competencies, adequate staffing, training and strategies to build supervisory competencies, change management and leadership, that are essential for the successful implementation of risk-based supervision. Senior management’s oversight and leadership along with an effective quality assurance process will be necessary to prevent the development of silos and inconsistent application of the methodology. Strategies to prevent silo-driven operations across supervisory teams should be considered as part of the reassessment of the current supervisory practices and processes during the implementation of the harmonized risk rating methodology.

V. Conclusion

21. The framework being proposed as an option for consideration is a generic methodology that will need to be adapted to the circumstances and requirements of the CBvCSM. Transition from the current system of multiple rating/assessment methodologies to assess institutions within different sectors to a harmonized rating system will be a multi-year process that will require appropriate planning, commitment, a nd technical assistance. The process will require some modification in current supervisory practices and processes to facilitate effective implementation of the methodology. The CBvCSM has established timeframes for addressing staffing related issues. The implementation of the harmonized rating/assessment methodology as part of the overall process of strengthening the institutional structure and operational procedures for RBS is scheduled for 2021to 2024.

Appendix 1 Supervision Department: Organizational Structure, Key Responsibilities, and Deliverables

Blueprint for new tz organization

focus areas

detail processes

draft deliverables

uA001fig03
Source: Central Bank of Curacao and St Maarten

Appendix 2 Workflow Processes – Insurance

Appendix 3 Risk-Based Supervisory Framework

DRAFT for DISCUSSION

Risk-Based Supervisory Framework

September, 2013

Note: This draft Supervisory Framework is developed as a generic framework. It will need to be adjusted for use by a given supervisory agency in a country.

Prepared for the Caribbean Regional Technical Assistance Center by Naren Sheth, NAS Consulting Inc.

1

The RBS Framework is similar to the methodology developed and utilized by the Office of the Superintendent of Financial Institutions, Canada (OSFI, Canada).

2

Near term: < 12 months.

3

Curaçao and Sint Maarten––Back-to-Office Report on Staff Visit to Curaçao, January 11–22, 2021.

4

The CBvCSM did not request technical assistance (TA) from CARTAC on the development of its Risk-Focused Surveillance Framework and the new organizational structure of the supervision department. With respect to the current request for TA on the feasibility of introducing a harmonized risk assessment/rating sytem, the CBvCSM advised that they have not submitted a similar request for assistance from De Nederlandsche Bank (DNB) and will make appropriate use of or leverage from relevant TA provided by CARTAC and/or the IMF-HQ to strengthen regulatory and supervisory oversight of the financial sector. The CBvCSM has requested follow-up TA to review and provide feedback on several risk management guidelines to support Basel II/III-Pillar 2 implementation and other supervisory processes in mid-2021. During the mission team’s wrap-up meeting with the Deputy Director of Supervision on May 5, 2021, he advised that the CBvCSM will be requesting follow-up TA from CARTAC to implement the RBS framework proposed for consideration.

5

A PDF power point version (in Dutch) of the SWOT analysis report was provided to the mission team with the requirement that the content of the report should not be distributed or circulated. The version provided was machine translated by the mission team.

6

The sectoral approach provides for institutions to be supervised based on industry – e.g. banking, insurance; while the functional approach focuses on the essential elements of supervision – off-site monitoring, on-site inspections and other specialized functions. The portfolio approach incorporates elements of the sectoral and functional approaches by assigning each institution to one supervisor or examiner who is responsible for all elements of the supervisory process. This approach is evident at some supervisory agencies in the region including those transitioning to risk-based supervision. For a discussion on supervisory architecture, see “Financial Supervisory Architecture: what has changed after the crisis”; Daniel Calvo, Juan Carlos Crisanto, Stefan Hohl and Oscar Pascual Gutiérrez; Bank for International Settlements, FSI Insights on policy implementation, No 8; April 2018.

7

The CBvCSM advised that there are 8 financial groups operating in the jurisdiction. The groups are predominantly mixed-activity groups.

8

The CBvCSM reported a total of 22 “significant institutions” spanning the banking, insurance, pensions , and trust sectors. The CBvCSM defines an institution as “significant” based on the following criteria: the size of the institution, the market share, the number of customers , the products they offer and their relevance to the local financial system.

9

CAMELS : a traditional methodology used for assessing banks and non-bank institutions. It requires an assessment of capital, assets, management, earnings, liquidity, and sensitivity to market risk as well as a composite rating for the institution. Numerical rating of one to five are used for these assessments. The lower the numerical rating assigned the stronger the area being assessed

10

Copies of both presentations delivered by the mission team are attached at Appendix 4

11

A copy of the RBS Framework is attached at Appendix 3. Appendix 3 also includes copy of a TA Report prepared by CARTAC, which reviewed and assessed implementation of the RBS methodology across several member countries of CARTAC.

12

CAMELS: Capital, As sets , Management, Earnings, Liquidity, and Sensitivity to Market Risks; CARAMELS: Capital, Asset, Reinsurance, Actuarial, Management, Earnings, Liquidity, Subsidiaries. CARAMELS is currently utilized by the CBvCSM for the supervision of insurance companies. Neither CAMELS nor CARAMELS are inherently risk-based. The insurance supervisors at the CBvCSM currently utilize the STAMECERRR framework (Solvency, Technical Provisions, Assets, Management, Earnings, Compliance, Earnings, Reinsurance, Ratios, and Risks) to assess various areas of an insurance company’s operations. The framework reflects some elements of CARAMELS but is not risk-based.

13

Risk Assessment Framework for Federally Regulated Private Pension Plans; Office of the Superintendent of Financial Institutions Canada (https://www.osfi-bsif.gc.ca/Eng/pp-rr/rai-eri/Pages/default.aspx)

Appendix A Risk Matrix

Risk Assessment

article image

Appendix B Categories of Inherent Risks and Rating Definations

Inherent Risk Categories.

Following are descriptions of the six inherent risk categories for assessment purposes. These descriptions should be read within the context of the definition of inherent risk contained in the Supervisory Framework.

Credit Risk

Credit risk arises from a counterparty’s inability or unwillingness to fully meet its on- and/or off-balance sheet contractual obligations. Exposure to this risk results from financial transactions with a counterparty including issuer, debtor, borrower, broker, or guarantor.

Market Risk

Market risk arises from changes in market rates or prices. Exposure to this risk can result from market-making, dealing, and position-taking activities in markets such as interest rate, foreign exchange, equity, commodity and real estate.

Interest rate risk and foreign exchange risk are described further below:

a. Interest Rate Risk

Interest rate risk arises from movements in interest rates. Exposure to this risk primarily results f rom timing dif f erences in the repricing of assets and liabilities, both on- and off-balance sheet, as they either mature (fixed rate instruments) or are contractually repriced (floating rate instruments).

b. Foreign Exchange Risk

Foreign exchange risk arises from movements in foreign exchange rates. Exposure to this risk mainly occurs during a period in which the institution has an open position, both on-and off balance sheet, and/or in spot and forward markets.

Insurance Risk

Insurance risk arises from claims and/or policy benefits exceeding the pure premiums charged for the products.

Product Design and Pricing Risk

Product design and pricing risk arises from the exposure to financial loss from transacting insurance and/or annuity business where costs and liabilities assumed in respect of a product line exceed the expectation in pricing the product line.

Underwriting and Liability Risk

Underwriting and liability risk is the exposure to financial loss resulting from the selection and approval of risks to be insured, the reduction, retention and transfer of risk, the reserving and adjudication of claims, and the management of contractual and noncontractual product options.

Operational Risk

Operational risk arises from problems in the performance of business functions or processes. Exposure to this risk can result from deficiencies or breakdowns in internal controls or processes, technology failures, human errors or dishonesty and natural catastrophes.

Legal and Regulatory Risk

Legal and regulatory risk arises from an institution’s non-conformance with laws, rules, regulations, prescribed practices, or ethical standards in any jurisdiction in which the institution operates.

Strategic Risk

Strategic risk arises from an institution’s inability to implement appropriate business plans, strategies, decision-making, resource allocation and its inability to adapt to changes in its business environment.

Definitions of Inherent Risk Ratings

Low Inherent Risk:

Low inherent risk exists when there is a lower than average probability of a material adverse impact on an institution’s capital or earnings due to exposure and uncertainty from potential future events.

Moderate Inherent Risk:

Moderate inherent risk exists when there is an average probability of a material adverse impact on an institution’s capital or earnings due to exposure and uncertainty from potential future events.

Above Average Inherent Risk

Above Average inherent risk exists when there is a higher than average probability of a material adverse impact on an institution’s capital or earnings due to exposure and uncertainty from potential future events.

High Inherent Risk:

High inherent risk exists when there is a higher than above average probability of a material adverse impact on an institution’s capital or earnings due to exposure and uncertainty from potential future events.

Appendix C Operational Management, Corporate Oversight and Governance Functions Rating Categories

The following ratings categories are used for assessing the effectiveness of Operational Management, Corporate Oversight and Governance functions at the Significant Activity level:

Strong

Strong means the function consistently demonstrates highly effective performance in the context of the key risks inherent in the Significant Activity.

Acceptable

Acceptable means the function demonstrates effective performance in the context of the key risks inherent in the Significant Activity.

Needs Improvement

Needs improvement means the function may generally demonstrate effective performance, but there are some areas where effectiveness needs to be improved in the context of the key risks inherent in the Significant Activity.

Weak

Weak means the function has demonstrated serious instances where effectiveness needs to be improved in the context of the key risks inherent in the Significant Activity.

Appendix D Overall Residual Risk in Significant Activities

The following rating categories are used to assess the Overall Residual Risk in an institution’s Significant Activities taken together.

Low

The institution has risk management that substantially mitigates risks inherent in its Significant Activities down to levels that collectively have lower-than-average probability of a material adverse impact on its capital and earnings in the foreseeable future.

Institutions in this category will have a predominance of Significant Activities rated as low residual risk. Other combinations may be possible depending on the circumstances of the institution.

Moderate

The institution has risk management that sufficiently mitigates risks inherent in its Significant Activities down to levels that collectively have an average probability of a material adverse impact on its capital and earnings in the foreseeable future. Institutions in this category will have a significant number of their Significant Activities rated as moderate residual risk, or a few of their Significant Activities rated as high residual risk with others rated as low residual risk. Other combinations may be possible depending on the circumstances of the institution.

Above Average

The institution has weaknesses in its risk management that, although not serious enough to present an immediate threat to solvency, give rise to high residual risk in a number of its Significant Activities. As a result, residual risks in its Significant Activities collectively have an above average probability of a material adverse impact on its capital and earnings in the foreseeable future.

Institutions in this category will have a number of their Significant Activities rated as high residual risk with others mainly rated as moderate residual risk. Other combinations may be possible depending on the circumstances of the institution.

High

The institution has weaknesses in its risk management that may pose a serious threat to its financial viability or solvency and give rise to high residual risk in a number of its Significant Activities. As a result, residual risks in its Significant Activities collectively have a high probability of a material adverse impact on its capital and earnings in the foreseeable future.

Institutions in this category will have the majority of their Significant Activities rated as high residual risk, or will have rated as high residual risk one or more Significant Activities that have a pervasive impact on its operations. The weaknesses in risk management lead to considerable doubt about the institution’s capability and/or willingness to apply prompt and effective corrective measures to sufficiently mitigate high residual risks in its Significant Activities. Other combinations may be possible depending on the circumstances of the institution.

Appendix E Earnings, Capital and Liquidity Definitions

The following rating definitions are used for assessing Earnings, Capital and Liquidity.

Earnings.

Strong

The institution has consistent earnings performance, producing returns that signif icantly contribute to its long-term viability, and there is no undue reliance on non-recurring sources of income to enhance earnings. The earnings outlook for the next 12 months continues to be positive.

Acceptable

The institution has satisfactory earnings performance, producing returns needed to ensure its long-term viability, and there is no undue reliance on non-recurring sources of income to enhance earnings. Although there is some exposure to earnings volatility, the outlook for the next 12 months remains positive.

Needs Improvement

The institution has inconsistent earnings performance, with returns that may, at times, be inadequate to ensure its long-term viability. It may occasionally depend on nonrecurring sources of income to show a profit. The earnings outlook for the next 12 months is uncertain.

Weak

The institution has consistently recorded operating losses or earnings that are insufficient to ensure its long term viability. It may be heavily dependent on nonrecurring sources of income to show a profit. The earnings outlook for the next 12 months is expected to remain negative.

Capital

Strong

Capital adequacy is strong for the nature, scope, complexity, and risk profile of the institution, and meets regulatory and internal target levels. The trend in capital adequacy over the next 12 months is expected to remain positive. Capital management policies and practices are superior to generally accepted industry practices.

Acceptable

Capital adequacy is appropriate for the nature, scope, complexity, and risk profile of the institution and meets regulatory and internal target levels. The trend in capital adequacy over the next 12 months is expected to remain positive. Capital management policies and practices meet generally accepted industry practices.

Needs Improvement

Capital adequacy is not always appropriate for the nature, scope, complexity, and risk profile of the institution and, although meeting minimum regulatory requirements, may not meet, or is trending below, regulatory and internal target levels. The trend in capital adequacy over the next 12 months is expected to remain uncertain. Capital management policies and practices may not meet generally accepted industry practices.

Weak

Capital adequacy is inappropriate for the nature, scope, complexity, and risk profile of the institution and does not meet, or marginally meets, regulatory requirements. The trend in capital adequacy over the next 12 months is expected to remain negative. Capital management policies and practices do not meet generally accepted industry practices.

Liquidity.

Strong

The institution has strong liquidity levels and well developed liquidity management practices. The institution has reliable access to sufficient sources of funds on favorable terms to meet present and anticipated liquidity needs.

Acceptable

The institution has satisfactory liquidity levels and liquidity management practices. The institution has access to sufficient sources of funds on acceptable terms to meet present and anticipated liquidity needs. Modest weaknesses may be evident in liquidity management practices.

Needs Improvement

The institution has liquidity levels or liquidity management practices that need improvement. It lacks ready access to funds on reasonable terms or has significant weaknesses in liquidity management practices.

Weak

The institution has liquidity levels or liquidity management practices that are inadequate. It does not have or is able to obtain sufficient funds at reasonable terms to meet its near-term liquidity needs and may require external financial assistance.

Appendix F Risk Profile Rating Definitions

The following rating categories are used to assess the risk profile of an institution.

Low Risk

A strong, well-managed institution. The combination of its Overall Residual Risk and its capital supported by earnings, and its liquidity makes the institution resilient to most adverse business and economic conditions without materially affecting its risk profile. Its performance has been consistently good, with most key indicators in excess of industry norms, allowing it ready access to additional capital. Any supervisory concerns have a minor effect on its risk profile and can be addressed in a routine manner.

An institution in this category would have a low Overall Residual Risk coupled with acceptable capital, earning, and liquidity, or a moderate Overall Residual Risk coupled with strong capital, earnings, and liquidity. Other combinations may be possible depending on the circumstances of the institution.

Moderate Risk

A sound, generally well-managed institution. The combination of its Overall Residual Risk and its capital supported by earnings, and its liquidity makes the institution resilient to normal adverse business and economic conditions without materially affecting its risk profile. The institution’s performance is satisfactory, with key indicators generally comparable to industry norms, allowing it reasonable access to additional capital. Supervisory concerns are within the institution’s ability to address.

An institution in this category would have moderate Overall Residual Risk coupled with acceptable capital, earnings, and liquidity. Other combinations may be possible depending on the circumstances of the institution.

Above Average Risk

The institution has issues that indicate an early warning or that could lead to a risk to its financial viability. One or more of the following conditions are present. The combination of its Overall Residual Risk and its capital supported by earnings, and its liquidity makes the institution vulnerable to adverse business and economic conditions. Its performance is unsatisfactory or deteriorating, with some key indicators at or marginally below industry norms, impairing its ability to raise additional capital. The institution has issues in its risk management that, although not serious enough to present an immediate threat to financial viability or solvency, could deteriorate into serious problems if not addressed promptly.

An institution in this category would have moderate Overall Residual Risk coupled with capital, earnings, and liquidity that need improvement. Other combinations may be possible depending on the circumstances of the institution.

High Risk

The institution has serious safety and soundness concerns. One or more of the following conditions are present. The combination of its Overall Residual Risk and its capital supported by earnings, and its liquidity is such that the institution is vulnerable to most adverse business and economic conditions, posing a serious threat to its financial viability or solvency unless effective corrective action is implemented promptly. Its performance is poor, with most key indicators below industry norms, seriously impairing its ability to access additional capital.

An institution in this category would have above average Overall Residual Risk with capital, earnings, and liquidity that need improvement. Other combinations may be possible depending on the circumstances of the institution.

Appendix G Guide to Intervention

The intervention guide outlines the types of actions that supervisors consider depending on the risk profile of the institution and the nature and significance of prudential concerns. It is important that interventions are proportionate to the desired outcomes. The actions indicated below are for a range of ratings as the intervention process needs to be flexible to enable supervisors to use interventions that are likely to be most effective in individual cases.

The actions indicated below are cumulative; i.e. actions indicated at lower levels of risk are implicitly included in actions that could be considered for institutions with a higher risk profile. Also, if circumstances warrant, actions can be taken at risk levels lower than that indicated in the guide.

Low to Moderate Risk Profile

  • Continue dynamic up-dating of the institution’s risk profile (financial condition and operating performance) through review of information obtained from regulatory filings and other sources, including discussions with the institution, and through periodic on-site reviews.

  • Meet annually with the institution to discuss its risk profile and related findings and recommendations and communicate these in writing.

  • Monitor timely implementation of the material recommendations by the institution.

Moderate to Above Average Risk Pro File

  • Meet with management and Board of Directors (or a Board committee) to discuss prudential concerns and remedial actions required. These meetings may include external auditors and/or actuaries as appropriate.

  • Notify in writing management and Board of Directors of the prudential concerns and remedial actions required.

  • Require submission of Board approved action plans by the institution indicating the time frame in which the deficiencies will be addressed.

  • Escalate monitoring of the institution as warranted, including expanding the scope, level and frequency of information to be reported to ensure concerns are being addressed on a timely basis.

  • Increase the frequency, depth and scope of on-site supervisory reviews as warranted.

  • Impose operating conditions on the institution and/or issue directive of compliance if warranted.

  • Require the institution to increase capital.

Above Average to High Risk Profile

  • Require the institution to submit a Board approved business plan which incorporates appropriate remedial measures to address identified prudential concerns within specified time-frames.

  • Require the external auditor and/or actuary of the institution to carry out examination of specific areas and report there on.

  • Require the institution to arrange for a special audit by an auditor, other than the institution’s regular auditor.

  • Consider further operating conditions on the institution.

  • Inform the institution’s home/host regulators of the circumstances and the status of the supervisory actions taken, and Commence contingency planning.

High Risk Profile

  • Require the institution to retain external specialist to assess specific areas such as quality and valuation of assets, liquidity, etc.

  • Further enhance the conditions already imposed on the institution, including for example restricting lending, investments, level of deposits, expansion of operations, payment of interest on subordinated debt, payment of dividends, and other such restrictions warranted by the circumstances.

  • Locate supervisory staff at the institution to interact with management and monitor developments on an ongoing basis.

  • Put pressure on management and Board of Directors to restructure or sell part or whole of the company’s operations.

  • Ensure home regulators are kept abreast of the circumstances and the intervention measures taken.

  • Develop plans to take control of assets of the company or the company if the circumstances warrant.

High Risk Profile with an Increasing Trend

  • Meet with management and the Board of Directors to communicate the likely regulatory actions if prudential concerns are not addressed quickly.

  • Advise home/host regulators (national and foreign) of the impending regulatory action.

  • Take control of assets of the company or the company, if the situation warrants such action.

  • In conjunction with the Attorney General, commence action to obtain the necessary Court order to liquidate the institution.

Appendix H Overall Assessment of Corporate Oversight and Governance Functions

The following rating categories are used to assess the Corporate Oversight and Governance functions:

Strong.

Characteristics of the function meet or exceed what is considered necessary for the nature, scope, complexity and risk profile of the institution, and the function has demonstrated highly effective performance on a consistent basis.

Acceptable

Characteristics of the function meet what is considered necessary for the nature, scope, complexity and risk profile of the institution, and the function has demonstrated effective performance.

Needs Improvement

Characteristics of the function generally meet what is considered necessary for the nature, scope, complexity and risk profile of the institution; but, there are some significant areas that require improvement. Performance has generally been effective; but, there are some significant areas where effectiveness needs to be improved. These areas are not likely to cause serious prudential concerns if addressed on a timely basis.

Weak

Characteristics are not, in a material way, what is considered necessary given the nature, scope, complexity and risk profile of the institution. Performance has demonstrated serious instances where effectiveness needs to be improved through immediate action.

Role, Characteristics and Examples of Performance Indicators

The following criteria for characteristics (how a function is set-up to oversee) and examples of performance indicators (how well the function carries out its responsibilities) are used to assess the overall performance of the functions. The assessments are made in the context of the nature, scope and complexity of the institution. The assessment of performance is derived from the assessments of Significant Activities. In developing an overall assessment of a function, it is important to bear in mind that while characteristics are generally predictive of performance, they in themselves do not ensure effective performance. Accordingly, the function’s performance across the institution’s Significant Activities (taking their materiality into account) is the key driver of the overall assessment of the function.

Compliance

Role:

Compliance is an independent function within an institution that ensures that the institution meets the legal and regulatory obligations by 1) ensuring the institution has adequate policies and practices for adhering to the requirements; 2) monitoring adherence to those policies and practices and 3) reporting on compliance matters to Senior Management and the Board of Directors.

Characteristics:

  • An enterprise-wide authority to independently oversee compliance, including periodic reporting to Senior Management and the Board, and follow-up of identified issues for satisfactory resolution.

  • Appropriateness of the organization structure and reporting relationships, including an appropriate level of seniority of the head of the function.

  • Adequacy of resources to carry out its mandate, including staffing levels and required skills.

  • Adequacy of its methodologies and practices for effective execution of its enterprise-wide mandate.

  • Extent of Senior Management and Board oversight of the function.

Examples of Performance Indicators.

  • Develops and communicates new and revised compliance policies and legal and regulatory requirements to all impacted areas of the institution on a timely basis, including assisting management in integrating the requirements into business activities.

  • Actively monitors adherence to compliance requirements across the institution’s operations, and follows-up on significant breaches for timely resolution.

  • Escalates significant breaches of compliance requirements to Senior Management and the Board.

  • Periodically monitors compliance practices for continued effectiveness.

Internal Audit

Role:

Internal audit is an independent function within an institution that assesses adherence to and effectiveness of operational and organizational controls and governance practices. In addition, internal audit may also assess adherence to and effectiveness of compliance and risk management policies and practices.

Characteristics:

  • Independent enterprise-wide mandate to oversee the institution’s operations.

  • Appropriateness of the organization structure and reporting, including seniority of the head of the function and direct reporting to the Board.

  • Adequacy of resources to carry out its mandate, including the level of staffing and availability of required skills.

  • Adequacy of its risk-based audit methodologies and practices.

  • Adequacy of its planning, coverage cycle and reporting and follow-up practices.

  • Extent of Senior Management and Board oversight.

Examples of Performance Indicators.

  • a. Actively seeks relevant information from others (e.g. Compliance, Risk Management, Senior Management, external auditors, etc) in developing risk based supervisory strategies and plans.

  • b. Reviews business plans and strategies to identify activities that could materially impact the institution and ensures that they will be effectively managed and overseen.

  • c. Effective and timely execution of its risk-based audit plans, including timely reporting and follow-up of identified issues for satisfactory resolution.

  • d. Considers pervasiveness and significance of its findings both at the Significant Activity level and in aggregate across the institution’s activities.

  • e. Proactively communicates significant findings to the Board (Audit Committee) and regularly engages the Board (Audit Committee) in discussions on the appropriateness of its audit strategies and adequacy of its resources.

Risk Management

Risk management is an independent function responsible for planning, directing and controlling the impact on the institution of the risks arising from its operations. The function may address the following:

  • 1. Identify current and emerging risks in the institution’s operations,

  • 2. Develop measurement systems for risks,

  • 3. Establish policies and practices for managing risks,

  • 4. Develop risk tolerance limits and periodically stress test limits,

  • 5. Monitor positions against approved limits, and

  • 6. Report on risk monitoring to senior management and the Board.

Characteristics:

  • 1. Independent enterprise-wide mandate to oversee risks in the institution’s operations.

  • 2. Appropriateness of the organization structure and reporting, including seniority of the head of the function and direct reporting to the Board.

  • 3. Adequacy of resources to carry out its mandate, including the level of staffing and availability of required skills.

  • 4. Adequacy of practices to periodically review and update risk management policies and practices, including periodically assessing their appropriateness.

  • 5. Extent to which risk management policies and practices are coordinated with strategic, capital and liquidity planning.

  • 6. Adequacy of policies and practices to monitor positions against approved limits and for timely follow up of material variances.

  • 7. Adequacy of policies and practices to monitor trends and identify emerging risks, and to effectively respond to unexpected significant events.

  • 8. Adequacy of policies and practices to report and follow-up on identified issues for timely resolution.

  • 9. Extent of Senior Management and Board oversight.

Examples of Performance Indicators.

  • Proactively updates policies, practices and limits in response to changes in the institution or externally.

  • Integrates policies, practices and limits in to day to day business activities, and with the institution’s strategic, capital and liquidity planning.

  • Regularly monitors risk positions against approved limits and ensures that material breaches are addressed on a timely basis.

  • Actively participates in the development of new initiatives to ensure processes are in place to identify and mitigate risks prior to implementation.

  • Provides regular, comprehensive reports to the Board and Senior Management on the effectiveness of the institution’s risk management policies and practices and recommends changes for approval, as appropriate.

Senior Management.

Role:

Senior Management is responsible for directing and overseeing the effective management of the institution’s operations. Its key responsibilities include:

  • 1. Developing business objectives, strategies, policies (including policies for risk management and risk appetite), organizational structure and controls for Board approval;

  • 2. Effectively overseeing the operations of the institution to ensure day to day operations are carried out in accordance with Board approved business objectives, strategies and policies.

  • 3. Developing and promoting sound corporate governance practices; and

  • 4. Providing the Board with sufficient and timely information to enable it to carry out its responsibilities, including monitoring and reviewing performance and risk exposures of the institution.

Characteristics:

  • 1. Extent to which the Board has delegated responsibilities for developing and implementing policies and practices for the effective management of the institution’s operations, including business objectives, strategies and plans and a risk management framework.

  • 2. Adequacy of Senior Management organization structure and reporting lines and appropriate delegation of responsibilities from the CEO to other senior management positions and Corporate Oversight functions.

  • 3. Appropriateness of the committee structure used by Senior Management.

  • 4. Adequacy of Senior Management resources and expertise.

  • 5. Adequacy of Senior Management policies and practices for effective execution of its mandate.

  • 6. Extent of Board oversight of Senior Management.

Examples of Performance Indicators.

  • Develops appropriate strategies and plans to attain business objectives for approval by the Board of Directors, including risk policies, limits, practices and reporting systems.

  • Actively monitors execution of Board approved strategies, plans, policies, etc for effective implementation.

  • Proactively reviews business objectives, strategies, plans, policies and limits in response to significant changes and adverse trends in the external environment.

  • Sets appropriate tone from the top through the manner in which it carries out its duties.

  • Is successful in building an effective organization by attracting, developing and retaining high caliber staff.

  • Keeps the Board of Directors and its Committees fully appraised on a timely basis.

Board of Directors

Role:

The Board of Directors is responsible for establishing and implementing a corporate governance framework for a sound and prudent management of the institution. Its key responsibilities include:

  • 1. Reviewing and approving organizational structure, including clearly defining roles and responsibilities of its committees, management and heads of oversight functions.

  • 2. Regularly reviewing, approving and overseeing the implementation of the institution’s

  • 3. business objectives, strategies to achieve the objectives and policies for major activities, including risk strategies and appetites.

  • 4. Ensuring that management and heads of oversight functions are qualified and competent.

  • 5. Providing oversight over the design and effective implementation of sound risk management and internal control systems.

  • 6. Providing for an independent assessment of, and reporting on, effectiveness of the institutions operations.

  • 7. Approving remuneration policies and practices.

  • 8. Monitoring performance against business objectives, strategies and plans and requiring timely corrective actions were warranted; and

  • 9. Providing effective oversight over management and oversight functions.

Characteristics:

  • 1. Adequacy of Board size, range of Director qualifications, knowledge, skills and experience.

  • 2. Adequacy of roles and responsibilities of the Board, including the composition, role and responsibilities of Board committees and committee reporting requirements to the Board.

  • 3. Adequacy of Board policies and practices for:

    • a. Nomination, selection and removal of Directors.

    • b. Orienting new Directors and periodically up-dating other Directors on the institution’s business and related risks.

    • c. The role of independent directors.

    • d. Ensuring the Board is provided with timely, relevant, accurate and complete information. and, where required, the Board requests additional information.

    • e. Establishing and monitoring work plans for Board goals and responsibilities.

    • f. Promoting independent, effective and timely decision making, including practices for setting Board agenda and priorities.

    • g. Ensuring Directors’ compensation promotes prudent decision making and self assessment of Board performance on an annual basis.

Examples of Performance Indicators.

  • a. Active involvement in the selection and performance evaluation of the CEO and other members of Senior Management as appropriate

  • b. Performs a regular independent in-depth review and evaluation of the institution’s business objectives and strategies and risk tolerance limits.

  • c. Regularly reviews the institution’s corporate governance and risk management structures, policies and practices

  • d. Clearly sets out the type and quality of information it requires and related frequency.

  • e. Actively engages in the review of information provided by Senior Management for Board approval, including challenging management’s assumption.

  • f. Requires effective and timely resolution of issues identified by others, including Compliance, Internal Audit, Risk Management, actuary, external auditors, etc.

Kingdom of the Netherlands-Curaçao and Sint Maarten: Technical Assistance Report-Implementation of Risk-Based Supervision
Author: International Monetary Fund. Monetary and Capital Markets Department