OSFI’s next chapter for accountability and credit risk

OSFI’s emerging expectations around senior leadership accountability signal a strengthening of Canada’s governance architecture, expanding on expectations currently set out in the Corporate Governance Guideline and Guideline E-17 Background Checks on Directors and Senior Management. OSFI’s proposals represent a more explicit articulation of accountability for senior leadership, bringing Canada closer to accountability regimes in the United Kingdom, Australia, Singapore, and Ireland, while maintaining a principles-based approach and giving institutions flexibility to implement frameworks that suit their businesses.

Canadian institutions anchor on a three line of defence model, with senior management providing direction and appropriate oversight from an independent board. However, growing complexity in risk and operations has led to the creation of “1a and 1b” and “2a and 2b” functions, which can muddy accountability for decisions and risk outcomes. In addition, supervisors have concerns related to first line accountability for risk identification, assessment, and escalation, in risk culture contexts where the second line is driving the risk management agenda. OSFI’s proposals will bring needed clarity by formalizing responsibilities mapping at the senior leadership level, including how decision-making authority, incentives, and risk ownership are assigned across executives and business lines.

OSFI’s proposals also introduce more explicit expectations for how institutions assess the suitability of senior leadership appointees across both fitness and propriety. This means evaluating criteria such as educational background, professional track record, relevant experience, character, judgement, and integrity. To meet these heightened standards, Human Resources teams will play a critical role in establishing robust assessment processes that evaluate competency and experience for new appointments and internal promotions. Institutions will also need to invest in ongoing capability-building to ensure senior leaders continue to develop the expertise required to navigate evolving regulatory and risk environments.

Ultimately, OSFI’s proposals are intended to reinforce a culture where accountability for risk sits firmly with senior leaders in the first line, supported, but not substituted, by second line challenge and third line assurance. The guidance also provides an opportunity for risk and business leaders to take a step back and reflect on where decision-making should be happening across their enterprises. 

OSFI’s proposed Credit Risk Management Guideline will represent a significant evolution toward a holistic architecture for credit risk governance. Credit risk is the top risk of most deposit-taking institutions, however, OSFI historically supervised this risk by referring to a wide range of guidance, including specific expectations for residential mortgage underwriting and commercial real estate. While Guideline B-20 will still drive underwriting expectations for residential lending books, OSFI is signalling a focus on overall credit risk management practices throughout the lifecycle of a loan.

To set clear expectations for chief credit officers across Canada, OSFI is broadening its approach by articulating fundamental principles for credit risk management in the first chapter of its planned guideline, based on international standards. In later chapters, to be issued for consultation in phases, OSFI will publish more detailed guidance covering specific business lines: wholesale credit, non-bank financial intermediation, and real estate secured lending. Some of these chapters will likely incorporate existing OSFI guidance, while others will create new regulatory expectations.

OSFI’s release of broader credit risk management guidance will combine a principles-based approach with more comprehensive expectations for particular business lines, including emerging segments such as lending to non-bank financial intermediaries. The approach aims to uplift credit risk management practices across the industry while ensuring appropriate risk management and a level playing field in key market segments.

Banks, particularly small and midsized deposit-taking institutions (SMSB), should view these developments as a catalyst to enhance the sophistication and granularity of their risk rating systems beginning with origination and extending to ongoing monitoring. While many SMSBs currently operate with relatively narrow credit profiles (e.g., Btier or alternative lending segments), OSFI’s direction may push for more granularity within these portfolios to establish more precise thresholds and risk limits. Achieving this uplift begins with strengthening underlying risk rating criteria and ensuring they are robust, forward-looking, and appropriately calibrated to the institution’s risk appetite.

What is particularly striking is the clear focus on the potential credit exposure posed to banks and the broader nonbank financial intermediary sector. The pressure to closely monitor these intermediaries stems from heightened expectations and scrutiny around third-party risk, with a growing emphasis on credit exposure. In this environment, banks should review third-party risk management practices and related risk assessments for this group, as well as increase their understanding and oversight from a credit risk standpoint. To align with regulatory expectations, banks of all sizes should have plans in place to conduct thorough reviews of these portfolios, ensuring these third parties comply with regulatory guidelines, underwriting policies, and documentation requirements.

OSFI is emphasizing that accountability for risks must be firmly rooted in day-to-day business activities, reinforcing clear accountability on where risks originate within the core business. Institutions will need to re-examine who is responsible for risk decisions, incentives for decision makers, and where accountability resides. This may require redistributing responsibilities between business, risk, and compliance teams, ensuring first-line ownership is explicit and consistently applied.

The compliance exercise that may result from the proposed senior leadership accountability regime is an opportunity for institutions to:

• Revisit organizational mandates, job descriptions, and escalation processes to clarify decision making authority and risk ownership.
• Closely examine where risk decisions and outcomes between the first line and second line differ, and in particular, revisit second line approvals and final decisions on risk taking.
• Optimize roles, responsibilities and escalation protocols between first and second line to reflect risk ownership and decision-making authority.
• More clearly reflect accountability for decision making and risk taking in incentive and compensation programs and scorecards.
• Consider enhancing existing accountability frameworks like the Code of Conduct to strengthen consequence management.

OSFI’s move to a comprehensive credit risk management guideline means that institutions should assess current credit risk management frameworks against baseline expectations in international guidance. Institutions should evaluate whether current governance structures, policies, roles and responsibilities, and controls are fit for purpose under a consolidated set of principles that will span underwriting, valuation, account management, and portfolio‑level monitoring.

Both first line and second line will need to benchmark existing practices against the new expectations. Institutions should identify gaps at the portfolio, process, and risk control levels. Key activities include mapping guideline expectations to business‑line practices, assessing policy and procedure alignment, and documenting areas requiring remediation. Institutions should expect to repeat and refine this diagnostic as OSFI releases more detailed, segment‑specific guidance over time.

Compliance teams will need to reassess inherent risks by considering regulatory scrutiny, enforcement intensity, and the complexity of new expectations. Controls will need to be identified, redesigned or enhanced. Institutions should connect guideline requirements to their risk taxonomies, control libraries, and monitoring programs.