Deposit Insurance Corporation of Ontario

By-law no. 5

Standards of sound business and financial practices

A By-law made under paragraph (g) of subsection 264(1) of the Credit Unions and Caisses Populaires Act, 1994 to prescribe standards of sound business and financial practices for credit unions.

Throughout this By-law, the term “credit union” also refers to “caisse populaire” and “league”.

Be it enacted as By-law No. 5 of the Deposit Insurance Corporation of Ontario (hereinafter called the "DICO"), subject to the approval of the Lieutenant Governor in Council, as follows:

The standards set out DICO’s minimum requirements regarding sound business and financial practices for credit unions. The standards are designed in such a way to make them adaptable to every credit union regardless of size or complexity, recognizing that approaches will differ among credit unions. 

DICO will consider material non-compliance with this By-law as evidence that a credit union is:

  • in breach of the standards of sound business and financial practices for the purposes of cancellation of deposit insurance under subsection 274(1) of the Credit Unions and Caisses Populaires Act, 1994 (the “Act”); or
  • conducting its affairs in a way that might be expected to harm the interests of members or depositors or that tends to increase the risk of claims by depositors against DICO for the purposes of ordering a credit union under Supervision under subsection 279(1) of the Act.

All credit unions are required to comply with the standards of sound business and financial practices outlined in this by-law.

Guidance for meeting the standards is provided for credit unions in DICO’s Guidance Notes, Reference Manual on Sound Business and Financial Practices, Director’s Handbook, Audit Committee Handbook, Self-Assessment Workbooks, Examination Manual, Enterprise Risk Management (ERM) Framework and other related publications, as may be amended from time to time. A credit union should ensure that adequate planning is in place and processes developed to address the increase in risk and additional requirements and expectations as the credit union becomes larger and more complex.

Reporting Requirements

At least annually, the board of directors of a credit union shall review and assess the operations of the credit union and submit to DICO within 75 days of the end of the financial year, a board resolution, using the template outlined in Appendix A confirming that:

  • management has provided a representation letter to the board of directors regarding its assessment of adherence to management’s responsibilities under the standards of sound business and financial practices; and
  • the board of directors is familiar with, and is acting in compliance with, the standards of sound business and financial practices.

Standards

Section A: Corporate Governance

All credit unions are expected to address the minimum requirements as set out below.

  1. Corporate Governance:  Board of Directors

    The board of directors is ultimately responsible for ensuring that the credit union is operated in a safe and prudent manner and for ensuring adherence to these standards of sound business and financial practices. In fulfilling its responsibilities, the board of directors should ensure that the credit union is consistently operating in accordance with co-operative principles.

    At a minimum, the board of directors shall:

    • understand and fulfill its responsibilities;
    • exercise independent judgement;
    • establish the training requirements and qualifications for directors and members of the audit committee;
    • establish appropriate and prudent risk management policies (refer to Section B);
    • oversee risk management policies and obtain reasonable assurance that the credit union is adhering to its risk management policies for significant risks;
    • establish the responsibilities, accountability and authority of the CEO, the audit committee and other board committees as applicable;
    • establish standards of business conduct and ethical behaviour;
    • select and evaluate the effectiveness of the CEO;
    • ensure that management is appropriately skilled and experienced to implement the board’s objectives;
    • establish the business objectives of the credit union consistent with co-operative principles and approve the credit union’s business strategy and business plans;
    • evaluate the credit union’s actual operating and financial results against business plans and address any material variances;
    • evaluate the effectiveness of the board and oversee the responsibilities of the audit committee;
    • ensure that employee compensation plans are consistent with prudential incentives; and
    • affirm a control environment and ensure that the credit union is in control.
  2. Corporate Governance: Audit Committee

    The audit committee supports the board of directors through oversight responsibilities relating to financial reporting and disclosure, internal audit, external audit, risk management, controls and compliance. The committee’s understanding and oversight are critical for safeguarding assets of all stakeholders of the credit union.

    At a minimum, the audit committee shall:

    • develop a work plan for all meetings for the year that addresses all the duties and responsibilities set out in the Act and Regulations made under the Act;
    • oversee an independent internal audit function to evaluate internal controls and ensure that management has mitigated any material weaknesses;  
    • take all reasonable steps to ensure that the credit union is in compliance with the Act, its Regulations and other legislative requirements; and
    • ensure appropriate follow-up on all outstanding issues, weaknesses and deficiencies including findings and recommendations of examinations and internal and external auditors.
  3. Corporate Governance: Management

    Management is responsible to ensure that the management and staff of the credit union apply the processes, procedures and controls necessary to prudently manage the risk and to provide the board of directors with timely, relevant, accurate and complete information to enable it to assess that delegated responsibilities are being discharged effectively.

    At a minimum, management shall:

    • implement appropriate and prudent risk management policies, procedures and controls (refer to Section B);
    • monitor the effectiveness of risk management practices and controls for the credit union’s significant risks;
    • develop and implement an appropriate and prudent business strategy and business plans; and
    • provide the board of directors with timely, relevant, accurate reports on the implementation of the credit union’s business strategy, business and financial plans and any material risk that may affect the business objectives and financial stability of the credit union.

Section B: Risk Management Policies

All credit unions are expected to develop and implement appropriate and prudent risk management policies, including the following:

Capital Management

The fundamental elements of capital management include implementing a policy that, at a minimum, addresses:

  • the quantity, quality and composition of capital needed that reflect the inherent risks of the credit union and to support the current and planned operations;
  • distribution of dividends and redemptions of capital instruments to members; and
  • monitoring and board reporting requirements.

Credit Risk Management

The fundamental elements of credit risk management include implementing a policy that, at a minimum, addresses:

  • authorized types and classes of credit instruments;
  • limits or prohibitions on credit exposures including concentration;
  • assessment criteria and security requirements for each authorized credit instrument;
  • an effective credit assessment system;
  • defined and prudent levels of decision making authority for approving credit exposures;
  • management of delinquent and impaired loans; and
  • monitoring and board reporting requirements.

Operational Risk Management

The fundamental elements of operational risk management include implementing a policy that addresses:

  • defined and prudent levels of decision-making authority;
  • the security and operation of a management information system;
  • technology development and maintenance;
  • safeguarding of the institution’s premises, assets and records of financial and other key information;
  • disaster recovery and business continuity plans;
  • outsourcing of services;
  • internal controls;
  • internal audit; and
  • monitoring and board reporting requirements.

Market Risk Management

The fundamental elements of market risk management include implementing a policy that, at a minimum, addresses:

  • authorized types, limits and concentration of investments, other financial instruments, and assets;
  • defined and prudent levels of decision-making authority;
  • identifying, measuring, providing for and recording market impairments; and
  • monitoring and board reporting requirements.

Structural Risk Management

The fundamental elements of structural risk management include implementing a policy that, at a minimum, addresses:

  • limits on the balance sheet mix and maturities of capital, deposits, loans and investments;
  • criteria for pricing of deposits and loans;
  • limits on the exposure to foreign currency risk;
  • limits on the exposure to changes in interest rates;
  • use of appropriate techniques for measuring the institution’s structural risk and evaluating the potential impact under current and reasonably foreseeable scenarios;
  • the use of analysis and appropriate consultation for the purchase of derivatives; and
  • monitoring and board reporting requirements.

Liquidity Risk Management

The fundamental elements of liquidity risk management include implementing a policy that, at a minimum, addresses:

  • limits on the sources, quality and amount of liquid assets to meet normal operational, contingency funding for significant deposit withdrawals and regulatory requirements; and
  • monitoring and board reporting requirements.

Section C: Enterprise Risk Management

Each credit union is expected to implement a comprehensive enterprise wide risk management (ERM) framework that is appropriately scaled to recognize its size, complexity and risk profile. Under ERM, the board of directors is responsible for confirming risk appetite and risk tolerances, and monitoring compliance to risk management processes. Management is responsible for identifying, evaluating, mitigating and reporting on risk exposures.

An ERM framework includes the processes that the credit union uses to identify and manage significant risks and to realize opportunities related to the achievement of their objectives. It involves an objective, pro-active enterprise wide view of all risks and their associated risk tolerances to ensure that they are fully aligned with corporate objectives and strategies, and reflect the quality, competencies and capacity of a credit union’s people, technology and capital.

ERM is a part of the decision-making processes that the credit union uses to measure variation from its goals. In a robust model, the process would aggregate risk across the entire organization to assess the enterprise risk profile in relation to the credit union’s capacity to absorb the risk.

  1. Corporate Governance: Board of Directors
    In addition to the requirements set out in Section A and B, the board of directors of a credit union shall:
    • establish an appropriate and prudent enterprise risk management policy(ies) that set out the risk appetite and risk tolerances for all significant risk areas; and
    • review and confirm the credit union’s risk exposure is aligned with its risk appetite and risk tolerances.
  2. Corporate Governance: Audit Committee (or other designated Board Committee)
    In addition to the requirements set out in Section A, the audit committee or other board designated committee shall:
    • review management’s identification of the significant risks of the credit union in accordance with the ERM policy;
    • ensure there are enterprise risk management processes in place to measure, monitor, manage and mitigate significant risk exposures including appropriate policies, procedures and controls;
    • oversee the application of ERM practices and the on-going identification of emerging risks; and
    • report to the board on risk exposure levels.
  3. Corporate Governance: Management
    In addition to the requirements set out in Section A and B, management shall implement the ERM policy, processes and controls which address:
    • identification, measurement and evaluation of significant strategic, business and process risk exposures;
    • mitigation of risk exposures through appropriate risk responses;
    • monitoring the application of risk responses and mitigation strategies;
    • reporting on ERM processes and findings, including the level and direction of risk exposures and extent of risk management activities.

 


Appendix A

Sample Board Resolution

Resolution of the Board of Directors

It is resolved that:

This resolution is made in respect of <name of credit union> (the “credit union”) and concerns its adherence to the Deposit Insurance Corporation of Ontario ("DICO") Standards of Sound Business and Financial Practices (the "Standards") as set out in DICO By-law No. 5.

The board of directors (the “board”) of the credit union is familiar with the contents of the Standards By-law and acknowledges its responsibilities under the Standards.

The board of directors of the credit union is, to the best of its knowledge and abilities, fulfilling its responsibilities under the Standards [if applicable, add: "except as indicated below"].

The board has carefully considered the management representation letter dated <month> <day>, <year> addressed to the board concerning adherence to the Standards. The board has also carefully considered other information, and made such inquiries as it deems appropriate and relevant to the forming of its opinion on whether the credit union is following the Standards. It is the opinion of the board that to the best of its knowledge, it has obtained reasonable assurance that the credit union is following the Standards [add, if applicable: "except as indicated in the representation letter and/or below"].

[If applicable, add: "With respect to the deficiency(ies) or exception(s) not indicated in the representation letter, the board of directors confirms that an action plan (plans) addressing their correction has(have) been prepared and is (are) being implemented. A copy of the action plan(s) is being (has been) submitted to DICO and/or the Financial Services Commission of Ontario."]

*************************

The foregoing is certified as a true copy of a resolution of the board of directors of <name of credit union> passed at a meeting of the board held on the <day> of <month>, <year>.

Dated at <insert place> this <day> of <month>, <year>.

________________________________

Corporate Secretary

Copy to: Deposit Insurance Corporation of Ontario


Definitions

The following definitions apply with respect to this By-law:

"Appropriate" means that it is suitable for its intended purpose, having regard to the nature, magnitude, complexity and implications of the matter in question.

“Co-operative Principles” are outlined in the “Statement on the Co-operative Identity” (8th January 1996) from the International Co-operative Alliance. These principles include: voluntary and open membership; democratic member control; member economic participation; autonomy and independence; education, training and information; co-operation among co-operatives; concern for community.

"Effective" means that it is achieving, or can reasonably be expected to achieve, its intended purpose.

"Material or Significant Risk" means a risk or a combination of risks that is important because of the probability of occurrence, the severity of impact or both, that could have an adverse effect on the credit union’s earnings, liquidity, capital or reputation, or on the ability of the credit union to achieve its business objectives or implement its business strategy and business plans.

"Prudent" means that it is the result of careful and practical judgment, having regard to business objectives, risks, the business and economic environment, and the quantity, quality and sustainability of earnings, liquidity, capital and other resources.

“Representation letter” means any report, document or letter in the format as specified by the board of directors.

Application of by-law to a credit union

This By-law comes into force on January 1, 2018 and the previous By-law No. 5 enacted on the 21st day of January 2011 is repealed effective December 31, 2017.

Enacted by the DICO Board of Directors on the 30th day of October 2017, subject to the approval of the Lieutenant Governor in Council by Order.

[Signed by]

Chair

[Signed by]

Corporate Secretary

Order in Council 2255/2017