New Financial Services Regulatory Authority of Ontario (FSRA) guidance on operational risk and resilience outlines how Ontario credit unions and caisses populaires (CUs) can be better prepared for a variety of threats, such as third-party risks, cybersecurity, and data risks.

The guidance will also equip CUs to better monitor their current environment, anticipate future threats and opportunities, respond effectively to stress events and learn from past failures and successes.

The guidance sets out FSRA’s interpretation of the requirements that apply to CUs under relevant legislation and rules and the regulator’s approach to assessing how CUs adhere to these requirements. The rulebook also includes information on environmental, social and governance risk management guidance or standards that have been developed by other jurisdictions. 

The first guidance principle is governance, which the report says falls under the purview of both senior management and CU boards.

“CUs must establish an organizational structure where operational risk management activities are conducted by operational management (first line of defence), are reviewed and challenged by risk management (second line of defence), and independent assurance is then provided by internal audit (third line of defence), facilitating effective governance, oversight and risk management,” writes the regulator. 

For better operational risk identification and assessment, the CUs should perform regular environmental scans of their operations, the guidance says. 

The regulator's guidance also says that, depending on their size, CUs should put in place policies and frameworks that identify, assess, mitigate, monitor and report operational risk exposures.

The FSRA guidance also requires that CUs build operational resilience so they can deliver critical operations through disruptions and are less prone to experiencing operational risk events.

“In the event that operational risk materializes, resilient CUs are more likely to incur shorter lapses in their operations and experience smaller losses from disruptions, thus lessening incident impact on critical operations and related services, functions, and systems,” writes the FSRA.