Governance Guideline
- Introduction
- 1. Financial institution governance
- 2. Roles and responsibilities assigned to the board of directors and senior management
- 3. Governance framework
- 4. Internal control
- 5. Risk management function
- 6. Compliance function
- 7. Audit functions
- 8. Integrity and competency
- 9. Remuneration policy
- 10. Disclosure and transparency
April 2021
Introduction
This guideline was first published in April 2009, followed by a first update in September 2016.
Corporate governance involves a set of relationships between a company’s management, its board, its shareholders and its other stakeholders (any individual, group or organization that can affect, be affected by, or perceive itself to be affected by, a result, a decision or an intervention coming from another party). Corporate governance also provides the structure through which the objectives of the company are set and the means of attaining those objectives and monitoring performance are determined. (Source: Organisation for Economic Co-operation and Development, G20/OECD Principles of Corporate Governance, September 2015.)
In the financial products and services industry, as in other regulated industries that depend on the confidence of consumers, sound governance is crucial. It constitutes the cornerstone of sound and prudent management.
With this in mind, the AMF wishes to ensure that financial institutions adopt sound governance practices by instilling and promoting a corporate culture based on ethical organizational behaviour and board and senior management accountability. Senior management is the group of individuals responsible for managing a financial institution on a day-to-day basis in accordance with the strategies and policies set by the board of directors.
By corporate culture, the AMF means the common values and standards that define a business and influence its mindset, conduct and the actions of all personnel. A good corporate culture is therefore essential to the viability of financial institutions, whose business depends on consumer confidence. Conversely, a deficient corporate culture can cause significant damage and harm an institution’s reputation to the point of threatening its viability.
The core principles and guidance published by the Basel Committee on Banking Supervision (Bank for International Settlements, Corporate Governance Principles for Banks (Guidelines), July 2015) and the International Association of Insurance Supervisors (Insurance Core Principles, November 2015) clearly identify the need for financial institutions to implement sound governance practices and for regulatory authorities to provide the frameworks required to do this.
The AMF adheres to the principles and guidance set out by those international bodies that promote sound and prudent management practices (a financial institution’s management practices ensuring good governance and compliance with the laws governing its activities, in particular the assurance that the financial institution will maintain adequate assets to meet its liabilities as and when they become due and adequate capital to ensure its sustainability). Therefore, pursuant to the authority conferred upon it by the various sector-based statutes, the AMF is issuing this guideline (a document that describes the steps that financial institutions can take to satisfy their legal obligation to follow sound and prudent management practices and sound commercial practices) expressly to inform financial institutions of its expectations regarding governance. The sector-based statutes are the Insurers Act, CQLR, c. A-32.1, section 463; the Act respecting financial services cooperatives, CQLR, c. C-67.3, section 565.1; the Deposit Institutions and Deposit Protection Act, CQLR, c. I-13.2.2, section 42.2; and the Trust Companies and Savings Companies Act, CQLR, c. S-29.02, section 254. A financial services cooperative is a legal person in which persons with common economic needs unite to form a deposit and financial services institution to meet those needs.
1. Financial institution governance
The AMF expects financial institutions to implement effective and efficient governance supported by a corporate culture that takes into account their and their clients’ long-term interests.
This section outlines what the AMF views as the key components of effective and efficient financial institution governance. Those components are described in detail in the following sections of this Guideline:
- the roles and responsibilities of the board of directors (a body of elected or appointed individuals ultimately responsible for the governance and oversight of a financial institution; references to the board of directors can also include a board committee established, for example, to examine specific issues) and senior management;
- a formal governance framework (the means through which a financial institution implements its corporate governance);
- internal control (the set of control mechanisms implemented in a financial institution to give its decision-making bodies reasonable assurance that the objectives relating to operational effectiveness and efficiency, safeguarding of assets, reliability of information and compliance will be met);
- the supervisory functions (including risk management, compliance and, where applicable, actuarial practices) and the audit functions;
- integrity (the quality that an individual has of being honest and having strong moral principles that he or she refuses to change, demonstrated through the individual’s actions and through the conduct of his or her personal and professional business) and competency (an appropriate level of expertise, professional qualifications, knowledge or relevant experience in the financial industry) criteria;
- a remuneration policy (a policy being a set of general principles adopted by a financial institution for conducting its activities in a given area);
- the transparent disclosure of information to all stakeholders.
Governance generally describes the administrative organization that a financial institution puts in place to achieve its objectives, direct it and manage its risks. To ensure the financial institution is governed in an effective and efficient manner, the roles and responsibilities of the members of the board and senior management must be clearly defined in relation to fostering a corporate culture reflective of the institution’s fundamental values.
For a financial institution to be governed effectively and efficiently, a formal operating, supervisory and accountability framework must be implemented through policies, procedures (a procedure is a set series of tasks to be performed, generally the result of imperatives that cannot be negotiated by the individual who applies it) and information systems that help to organize and monitor the way the financial institution is managed.
Effective and efficient governance also requires risk management and control processes to be implemented across the organization using a rigorous, coordinated approach. In this regard, the “three lines of defense” model (The Institute of Internal Auditors, Leveraging COSO across the three lines of defense, July 2015) is suitable for all types of financial institutions and can be adapted to take into account an institution’s nature, size, complexity and risk profile (a financial institution’s overall level of risk exposure, based on an evaluation of the risks inherent in its significant activities, its ability to manage risks, its financial condition and its commercial practices). The three lines of defense are the three separate control levels within a financial institution that are necessary for effective risk management and control: the first line of defense manages risk and operational controls; the second line of defense is composed of the risk management, compliance and, for insurers, actuarial control functions; the third line of defense, internal audit, provides independent assurance to the board of directors and senior management about the effectiveness of risk management and internal controls.
The “three lines of defense” model has the merit of being a reliable control structure that allows roles and responsibilities to be allocated in a clear and orderly manner. Using this model, financial institutions are able to coordinate the risk management and control functions using a systematic approach based on three distinct lines:
- The first line of defense: the functions related to controls and corrective actions that are performed by the operational units that own and manage risk on a day-to-day basis;
- The second line of defense: all functions that oversee risk, including finance, risk management, compliance and, where applicable, the actuarial function;
- The third line of defense: internal audit (the function that ensures the systematic and independent assessment of all risk management, control and governance processes), which provides an independent assessment of, and objective assurance on, the overall effectiveness of governance, risk management and internal control.
Sound governance depends on the integrity and competency of the individuals who have decision-making authority within the financial institution. It is therefore critical for financial institutions to establish a policy enabling them to assess these two attributes against, and ensure ongoing compliance with, robust, objective criteria.
Another intrinsic key component of sound financial institution governance is remuneration. Financial institutions are consequently expected to adopt a remuneration policy for members of the board and senior management, key persons in supervisory functions and other major risk-taking staff. The policy should be designed to avoid incentives (used in its broad sense, the term may include bonuses, commissions, salaries, premiums and fees in compensation programs, and other benefits from sales contests, promotions, perks or gifts) for excessive risk-taking and be aligned with the financial institution’s long-term interests.
Lastly, sound governance implies that the financial institution discloses the key aspects of its governance framework and is sufficiently transparent to all stakeholders to enable them to assess the framework’s effectiveness and properly evaluate the institution’s performance.
2. Roles and responsibilities assigned to the board of directors and senior management
The AMF expects the roles and responsibilities of the board and senior management to be clearly defined and segregated to ensure the competent and independent performance of their duties.
The AMF also expects the majority of board members to be independent. The concept of independence is characterized by the ability of the board members to exercise, collectively or individually, objective and impartial judgment regarding the financial institution’s affairs without undue influence from senior management or stakeholders. Independent directors should be able to meet regularly without non-independent directors and members of senior management being present. If the majority of directors are not independent, the institution should document the procedures that are in place to encourage open dialogue and objective judgment.
A financial institution’s stability and effectiveness depend, first and foremost, on the directors and senior management managing the institution responsibly. Particular attention must therefore be paid to the quality of supervision and control exercised at the senior management and board levels, where policies are developed and strategic decisions made. Managing a financial institution requires an in-depth understanding of the entity and its external operating environment, culture, area(s) of activity and risk profile. This knowledge can also cover areas such as the nature of risks, regulations, business lines, products, and accounting and/or actuarial principles. From this perspective, it appears essential that financial institutions set out, through a human resources management policy or otherwise, their intentions regarding senior management succession planning.
2.1 Roles and responsibilities of the board of directors
Under the sector-based statutes, the board of directors must ensure that the authorized financial institution adheres to sound commercial practices and sound and prudent management practices: Insurers Act, CQLR, c. A-32.1, sections 94 and following; Act respecting financial services cooperatives, CQLR, c. C-67.3, sections 243 and following; Deposit Institutions and Deposit Protection Act, CQLR, c. I-13.2.2, section 28 and sections 38 and following; Trust Companies and Savings Companies Act, CQLR, c. S-29.02, sections 75 and following.
The board of directors oversees the managerial performance of senior management. It should therefore ensure that the mechanisms needed to achieve effective governance are put in place by, in particular, reading the relevant senior management reports that result from applying those mechanisms. With this in mind, the board of directors should also ensure that the roles and responsibilities assigned to members of the board and its committees, senior management and key persons in the institution’s supervisory functions are clearly defined in order to allow for an appropriate separation of supervisory and management responsibilities, based on the nature, size and complexity of the institution’s activities.
The board of directors should be composed of members who, together, have the competencies needed to meet the requirements of the mandate entrusted to them. The board mandate must be in writing and include a description of the roles and responsibilities assigned to the board members.
While the board members remain collectively responsible for the decisions made by the financial institution, the chair of the board plays a key role in this regard. To ensure an autonomous board of directors capable of effectively discharging its mandate, best practices argue in favour of separating the role of board chair from that of president and CEO of the financial institution. However, the AMF may consider this expectation to be met, even where one person holds both positions, if the financial institution can demonstrate that mechanisms have been put in place to promote objective decision-making.
Subject to the legislation applicable to the financial institution, the board chair should be appointed by the board members so that he or she enjoys the trust of his or her peers, senior management, middle managers and, where applicable, the members or shareholders of the financial institution. The chair should demonstrate leadership by presiding over meetings that are focused on debating ideas and discussing matters in an open and transparent manner and where everyone has an opportunity to express their viewpoint. With this in mind, the chair should also demonstrate insight by effectively managing potentially conflicting opinions, sometimes within very short timelines, while ensuring timely and informed decision-making.
Sound governance practices also encourage board members to regularly self-assess, individually and collectively, the effectiveness of the work accomplished. This type of exercise helps to maintain and even enhance board effectiveness. Transparency regarding board renewal mechanisms is also advisable.
The board of directors has overall responsibility for establishing a corporate culture, governance framework and strategic objectives that are aligned with the institution’s values and long-term interests. As part of its general responsibility to see that senior management ensures the smooth operation of the organization, in respect of the roles and responsibilities that are customarily delegated to it, the board should, among other things:
- approve the organizational structure, the governance framework and the implementation of internal controls;
- approve policies;
- approve strategies, objectives and business plans;
- approve new initiatives and significant activities (an activity is considered significant when it contributes to the achievement of the institution’s objectives and the successful implementation of its strategies);
- review the financial institution’s performance in relation to its objectives, strategies and business plans and ensure that corrective action is taken, if necessary;
- ensure that the financial institution has a sound understanding and knowledge of its environment and risk management;
- ensure that the financial institution acts in accordance with applicable laws, regulations and standards;
- approve internal audit’s charter, audit plan, budget and resource forecast;
- ensure succession planning for board, senior management and other key positions;
- approve the remuneration policy for board members, senior management and other key positions and ensure it is aligned with the institution’s long-term interests;
- ensure that members of the board and senior management and key persons in supervisory functions have integrity, are competent and act in a manner that is consistent with the financial institution’s values and long-term interests;
- ensure that senior management promotes a corporate culture based on ethical organizational behaviour, sound risk management and compliance practices and the fair treatment of consumers (“FTC”).
Audit Committee
The sector-based statutes (Insurers Act, CQLR, c. A-32.1, section 100; Act respecting financial services cooperatives, CQLR, c. C-67.3, section 253.1; Deposit Institutions and Deposit Protection Act, CQLR, c. I-13.2.2, section 28.44; Trust Companies and Savings Companies Act, CQLR, c. S-29.02, section 81) require financial institutions authorized in Québec to establish an audit committee within their boards. The main functions of this committee are generally to monitor financial reporting and the internal control and risk management mechanisms (these two functions could also be performed by a risk management committee, if such a committee exists) and the governance framework implemented by senior management to ensure that major risks are properly managed and escalated.
Along the same lines and in accordance with best practices, the audit committee should:
- be separate from other committees;
- have a chair who is independent and is not the chair of the board of directors or any other committee;
- be mainly composed of non-executive, independent directors; and
- include members with, for example, experience in audit, financial reporting, accounting or risk management practices or, where applicable, actuarial practices.
The audit committee should ensure the effectiveness of governance, risk management and internal control processes. Accordingly, it should, among other things:
- ensure the independence and objectivity of the internal and external auditors;
- foster an environment conducive to transparent dialogue between senior management and the internal and external auditors;
- understand the internal and external audit strategies and ensure that major risks (the risk that the auditors will produce wrong conclusions and incorrect opinions based on their work) are taken into account;
- monitor the work of the internal and external auditors and assess audit effectiveness.
Generally, the audit committee’s role in its relationship with internal audit is to:
- recommend and review the internal audit charter setting out the internal audit function’s mission, authority and responsibilities;
- recommend the risk-based internal audit plan;
- recommend internal audit’s budget and resource forecast;
- approve the appointment, reappointment, dismissal and, where applicable, remuneration of the head of internal audit (subject to legislation applicable to the financial institution);
- receive any information provided by the head of internal audit regarding the implementation of the audit plan or any other internal audit matter;
- request relevant information from senior management and the head of internal audit to determine whether the scope and resources for the internal audit are adequate.
By maintaining a good relationship with internal audit, the audit committee ensures that its charter, activities and processes are appropriate, understood and always meet its needs and the needs of the board of directors.
Moreover, the audit committee should be able to meet regularly with the head of internal audit and, if necessary, depending on the nature, size, complexity and risk profile of the institution, with the heads of the supervisory functions. It should also schedule a private session with those individuals at least once a year, without senior management present, in order to, among other things, reinforce their independence within the financial institution and discuss specific issues, including viewpoints that do not coincide with those of senior management.
In its relationship with the external auditors, the audit committee should, among other things:
- ascertain the scope of the audit plan;
- ensure the competency and resources of the external auditors;
- make recommendations regarding the appointment, reappointment, dismissal and remuneration of the external auditors;
- periodically review the efficiency and quality of the work of the external auditors;
- review and monitor the external auditors’ independence, practices and internal quality control policy;
- ensure that the auditors comply with accounting and actuarial practices, as applicable, and that those practices are prudent and appropriate;
- ensure that it is sent all material correspondence between the external auditors and senior management regarding the audit findings;
- ensure that the financial statements are prepared in accordance with applicable financial reporting standards.
The audit committee should meet regularly with the external auditors to discuss any matters relating to the audit report or financial statements or any concerns raised by the external auditors. As in the case of the internal auditors, the audit committee should hold private sessions with the external auditors in order to gain a clear and independent understanding of all the issues and any actions that may have been taken.
2.2 Roles and responsibilities of senior management
Generally, senior management carries out all functions involved in the management and effective operation of the organization in a manner consistent with the institution’s strategy, risk appetite (the aggregate level and types of risk a financial institution is willing to assume to achieve its strategic objectives and business plan), risk tolerance (the boundaries on the level of risks a financial institution is prepared to accept based on its risk appetite) and various board-approved policies.
A financial institution’s senior management therefore plays a vital role in the governance structure. It is not only the architect of systems and processes critical to the functioning of the governance framework, but it also ensures that management and accountability mechanisms put in place for this purpose properly fulfill the mandates assigned to them.
The main roles and responsibilities of senior management are generally to:
- develop policies for approval by the board of directors and make sure that they are implemented;
- develop the institution’s strategies, business plans, business objectives, organizational structure and controls;
- plan, direct and monitor the financial institution’s activities;
- ensure and report regularly to the board of directors on the effectiveness of the organizational structure and controls;
- ensure that the business objectives, strategies and plans approved by the board of directors are achieved;
- ensure sound management and governance practices;
- ensure that information for the board of directors is sufficiently complete, understandable and relevant to enable the board to make informed decisions;
- promote a corporate culture based on ethical organizational behaviour and sound risk management, compliance and FTC practices.
In brief, a financial institution’s decision-making bodies, composed of members of the board, members of senior management and key persons in control functions, are the pillars on which a governance framework aligned with the AMF’s expectations must rest. The next section describes the requirements for implementing such a governance framework.
3. Governance framework
The AMF expects the financial institution to develop, implement and ensure the effectiveness of a governance framework tailored to its nature, size, operational complexity and risk profile.
The governance framework sets out and formalizes the strategies, policies and procedures to be implemented in defining the organizational structure and organizing the various elements of effective and efficient governance that are necessary to ensure that the institution is soundly and prudently managed to protect the interests of policyholders or depositors.
Development of the governance framework should take into account the distinctive nature of entities such as cooperative-type entities, mutuals or companies, or reflect membership in a financial group (any group of legal persons composed of a parent company, whether a financial institution or a holding company, and legal persons affiliated therewith) and the activities conducted through subsidiaries across its operational territory.
A financial institution’s governance framework should also reflect changes that take place over time. The quality of governance practices is an important factor in maintaining market confidence. They should consequently evolve to reflect new practices, particularly those pertaining to technology, and industry best practices.
The governance framework is the means by which the board of directors demonstrates its determination to apply the highest principles of governance within the financial institution.
The governance framework should be flexible and transparent enough to ensure appropriate and timely decision-making with a view to achieving the financial institution’s strategic objectives. It should also be developed in line with the nature, size, complexity and risk profile of the financial institution and take into account various other factors, such as the ownership structure, the organizational structure and available resources.
The governance framework should also enable a financial institution to coordinate initiatives to improve management practices within the financial institution in connection with more subjective factors such as the institution’s culture and values. Such a governance framework enables the strategy and objectives to be aligned with the institution’s risk profile and ensures that operations are managed at all times in a sound and prudent manner, with integrity and in compliance with applicable laws, regulations and standards.
Usually, an effective governance framework helps ensure that risk management and control processes are functioning properly. This requires careful coordination among three groups of distinct functions, divided into three lines of defense.
First line of defense
The first line of defense is operational management. It is responsible for managing risks on a day-to-day basis, because controls are designed, pilot-tested and integrated into systems and processes under its guidance. Its responsibilities should include:
- identifying, assessing, managing and controlling risks;
- guiding the development and implementation of internal control procedures;
- overseeing the application of those procedures by their operational employees;
- identifying and reporting unusual risk exposures, taking into account the financial institution’s risk appetite and risk tolerance levels and its policies, limits and controls;
- ensuring that activities are consistent with goals and objectives;
- ensuring that activities are carried out in compliance with applicable laws, regulations and standards.
Operational management/mid-line managers should also take corrective actions to address process and control deficiencies. Furthermore, they should adhere to the risk culture (the set of norms, values, attitudes and behaviours that characterizes the way in which a financial institution conducts its activities related to risk awareness, risk taking and risk management and controls) promoted by senior management in discharging their duties.
Second line of defense
This line of defense consists of supervisory functions that are established by senior management to ensure that the first line of defense is properly designed, effective and operating as intended. They help build and/or monitor operational controls. They vary with a financial institution’s type and characteristics. Typically, the supervisory functions in the second line of defense should include finance, risk management, compliance and, where applicable, the actuarial function. As the components of the second line of defense relating to internal controls and the compliance and risk management functions are especially important to the prudential regulation of financial institutions, they will be addressed in separate sections of this guideline.
Its responsibilities should include:
- assisting senior management in developing internal controls to mitigate risk;
- monitoring the adequacy and effectiveness of internal control;
- providing guidance and training on risk management processes;
- reviewing compliance with laws, regulations and standards;
- reporting to the board of directors; and
- identifying deficiencies and submitting and following up on recommendations for their timely remediation.
The functions in the second line of defense should be independent from operational management. The AMF is aware that financial institutions vary in nature, size and complexity and in terms of their risk profile and this has an impact on the composition, structure and degree of independence of the second line of defense. For example, some financial institutions might ensure independence through a mere segregation of duties or by implementing mechanisms for that purpose.
Third line of defense (see IIA Position Paper, The Three Lines of Defense in Effective Risk Management and Control, January 2013)
The third line of defense is the internal audit function. Independent from the first two lines of defense, the internal audit function should, using a risk-based approach (a prudential methodology that involves graduating the supervision of financial institutions based on their respective risk profiles), provide assurance to the board of directors and senior management on the effectiveness of governance, risk management and internal controls and their alignment with the financial institution’s activities.
Guided by the applicable standards, such assurance should, among other things, cover:
- the efficiency and effectiveness of operations;
- the safeguarding of assets;
- the reliability and integrity of reporting processes;
- compliance with laws, regulations, standards, procedures and contracts;
- the overall financial institution, including divisions, subsidiaries, operating units and functions.
As previously stated, internal control, risk management and compliance are discussed in greater detail in the next three sections.
4. Internal control
The AMF expects financial institutions to implement internal controls that meet and support the achievement of established objectives.
Internal control is usually defined as a set of controls that are implemented within a financial institution to provide the institution’s decision-making bodies with reasonable assurance (all of the audit evidence that the auditor may require to be able to conclude that the financial statements taken as a whole do not contain material misstatements) that the following objectives are being met:
- operational effectiveness and efficiency;
- the safeguarding of assets;
- the reliability and transparency of internal and external financial and non-financial information;
- compliance with applicable laws, regulations and standards.
Internal control is a key component of an effective governance structure because it enables, among other things, the detection of functional deficiencies that could be major sources of risk for a financial institution. As a result, the constituent controls should be designed and operated to ensure that the financial institution’s key policies and processes are effective from an operational, technological and financial perspective, accounting and financial reports are reliable, and adequate measures are in place for the financial institution’s sound and prudent management.
Since staff at all levels of the financial institution are involved in internal control, they should be made aware of the importance of the constituent controls and receive clear communications from senior management for that purpose. It is therefore essential to identify and compile the relevant information and provide it to the individuals concerned in a form and within a timeframe that allows them to properly fulfill their responsibilities.
The exercise of identifying, compiling and communicating information should help to ensure that internal controls adequately meet the objectives set by the institution. Specifically, the assessment of the effectiveness of internal controls should include the following:
- the control strategy adopted;
- the control reference framework;
- completion status of the implementation or update;
- information regarding the resources needed to ensure internal control operating effectiveness;
- progress report by sector and business unit;
- a description of identified issues and deficiencies.
Furthermore, depending on the nature, scale and complexity of the financial institution’s activities, effective controls should, in particular, cover the following:
- the appropriate segregation of duties, where necessary;
- decision approval policies and the accuracy of authorized signatories;
- the presence of controls adapted to each appropriate level of the organization;
- internal control training, particularly for employees with key responsibilities or involved in high-risk activities;
- consistency of internal control overall and for each individual control;
- verifications and tests by independent parties (internal or external auditors) to determine the effectiveness of existing controls.
The board of directors is generally given a specific role: to periodically conduct an overall assessment of, and consequently approve major changes to, internal controls. This assessment helps ensure that internal control operational effectiveness adequately supports the set objectives.
In reviewing internal control, the board of directors should base its assessment on various information sources, including:
- senior management reports addressing, in whole or in part, the operation of the institution’s financial reporting system, risk management system, compliance and any other controls or control overrides;
- reports from the supervisory functions;
- the auditors’ conclusions and recommendations pertaining to the adequacy of the controls implemented by the financial institution;
- the external auditors’ report on the audited financial statements and their communications with senior management;
- the opinions sought by the board of directors from legal counsel;
- for insurers, the actuary’s report on policy liabilities and the Financial Condition Testing (FCT) report;
- recommendations, observations or opinions issued by the financial institution’s regulator.
Where appropriate, the board is responsible for ensuring that senior management takes necessary, timely action to correct any material control issues identified in the course of the assessment and follows up as appropriate.
The next section discusses risk management, an important function of the second line of defense and one of the pillars of the AMF’s prudential framework (a supervisory approach based on principles rather than the enactment of specific rules, favouring financial institutions’ adoption of best practices through guidelines).
5. Risk management function
The AMF expects financial institutions to establish a risk management function that is supported by sound governance involving the board of directors and senior management. The AMF’s Integrated Risk Management Guideline provides more information about this function while clarifying the roles and responsibilities of the board of directors, senior management and the chief risk management officer.
An effective risk management function in the second line of defense is independent from risk-taking business units and closely monitors material and emerging risks. To enable a financial institution to achieve its objectives, risk management should be carried out in an integrated and continuous manner, according to a structured and consistent process enabling the assessment, management and monitoring of potential events that could pose a threat to the institution’s results.
With this in mind, the financial institution, supported by a risk governance framework that involves the board of directors and senior management, should implement effective strategic management, an efficient operations management system and proactive and integrated risk assessment.
In order to be effective and properly fulfill its role in the second line of defense, the risk management function should have sufficient authority, be appropriately positioned in the hierarchy, be independent from operational management, have the necessary resources, and have unrestricted access to the board of directors.
The risk management function should be under the responsibility of the chief risk management officer or, where such a position does not exist, a person with enough authority to ensure his or her independence and the necessary powers and resources, based on the institution’s nature, size and complexity, to properly fulfill his or her mandate.
The implementation of effective governance within the financial institution depends on contributions from various mechanisms. In addition to internal control and risk management, there is also compliance, one of the key pillars of prudential oversight and an important function in the second line of defense.
6. Compliance function
The AMF expects financial institutions to set up a compliance function in charge of establishing compliance management policies and procedures involving legal, regulatory and normative requirements covering all their activities and of ensuring that they are updated periodically. The compliance function is the independent control function whose purpose is to identify, assess and manage compliance risk resulting from non-compliance with laws, regulations, guidelines or the financial institution’s internal rules. The AMF’s Compliance Guideline provides more information about this function and clarifies the roles and responsibilities of the board of directors and senior management.
A compliance function that is independent from the activities it oversees is one of the key components of a financial institution’s second line of defense and an essential underpinning for sound and prudent management practices (a financial institution’s management practices ensuring good governance and compliance with the laws governing its activities, in particular, the assurance that the financial institution will maintain adequate assets to meet its liabilities as and when they become due and adequate capital to ensure its sustainability). A compliance function is not necessarily a specific unit within the financial institution. The staff responsible for compliance may be involved in operational units and report to the management team responsible for the activity involved. However, where appropriate, it is important for those units to be able to report to the chief compliance officer or the individual responsible for that function, who should be independent from operational management.
Senior management should implement a compliance management framework (a set of policies, procedures and controls for managing an organization’s key functions) approved by the board of directors. The framework contains the basic principles for identifying, assessing, quantifying, controlling, mitigating and monitoring non-compliance risk (the risk of non-compliance with the laws, regulations, guidelines and standards to which financial institutions are subject). The framework helps to ensure that knowledge of regulatory requirements is maintained and that the financial institution operates with integrity and in compliance with its legal obligations.
To be effective and properly fulfill its role in the second line of defense, the compliance function should have sufficient authority, be appropriately positioned in the hierarchy, be independent from operational management, have the necessary resources and enjoy direct access to the board of directors.
The compliance function should be under the responsibility of the chief compliance officer or, where such a position does not exist, an individual with enough authority to ensure the function’s independence and the necessary powers and resources, based on the institution’s nature, size and complexity, to properly fulfill its mandate.
For the first and second lines of defense to be effective, a third line of defense is essential. The internal audit function serves as the third line of defense and will be discussed in the next section, which will also cover the role of the external auditors, whose objective and independent opinions and assessments strengthen the third line of defense, particularly in the area of financial reporting.
7. Audit functions
7.1 Internal audit
The AMF expects financial institutions to set up an independent internal audit function capable of providing objective assurance on the effectiveness of governance, risk and compliance management processes and internal controls and the alignment of the aforementioned with their activities.
An effective and efficient independent internal audit function constitutes the third line of defense of the governance framework, providing the financial institution with independent, objective assurance and consulting services designed to add value and improve the organization’s operations. With respect to governance, internal audit must assess the design, adequacy and operational effectiveness of processes and make appropriate recommendations to improve them. The goal is to provide the board of directors and senior management with objective assurance that the processes are properly designed, operate as intended and achieve, in particular, the objectives of:
- promoting appropriate ethical organizational behaviour consistent with the institution’s values and culture;
- ensuring effective organizational performance management and accountability;
- communicating risk and control information to the appropriate areas of the institution; and
- providing adequate information to the board, senior management, the external auditors and internal auditors, and effectively coordinating internal audit activities (The Institute of Internal Auditors, Standard 2110).
Internal audit should also evaluate the effectiveness and relevance of risk management and compliance processes and internal controls and promote their continuous improvement, including the achievement of the organization’s risk management, compliance and internal control objectives by the functions in the first and second lines of defense.
To effectively fulfil its role as the third line of defense, internal audit should have a dual-reporting line to the top level in order to assert its independence and reinforce its objectivity within the financial institution.
According to the International Standards for the Professional Practice of Internal Auditing, internal audit should report functionally to the board of directors and/or audit committee and administratively to senior management (The Institute of Internal Auditors, Standard 1100).
For internal audit to actively contribute to the effectiveness of the institution’s governance framework, certain requirements affecting its organizational independence in its relationship with the board of directors and senior management must be satisfied in accordance with professional standards.
Accordingly, the internal audit function should:
- communicate directly and regularly with, and report directly to, the board of directors and/or the audit committee;
- report to a member of management who is at a sufficiently senior level to promote independence and ensure a broad audit scope;
- have access to the documents, staff and resources needed to perform its engagements;
- coordinate with the external auditors to avoid duplication of efforts and optimize efficiency;
- acquire the requisite resources with the necessary knowledge and skills to carry out its responsibilities;
- perform its work without restriction, objectively and impartially.
While the AMF acknowledges that governance process maturity within a financial institution, internal audit’s organizational role, and auditor qualifications are all factors that influence auditing activity with respect to governance, setting up an internal audit function should be included in the rules of sound governance of any financial institution.
In the case of institutions that are members of a group, an internal audit function may already exist within the group and there may be no need to set up an additional function. However, where all or part of the internal audit function is outsourced or independent supervision is provided by a function other than internal audit, the board of directors must monitor performance to obtain reasonable assurance as to the effectiveness of its processes and activities.
7.2 External auditors
The external auditors play a vital role in maintaining public confidence in financial reporting. The external auditors’ goal is to obtain reasonable assurance that the financial statements as a whole are free from material misstatement, whether due to fraud or error, and, consequently, to express an opinion whether the financial statements are prepared and presented, in all material respects, in accordance with applicable financial reporting standards and legal and regulatory requirements.
Based on best practices, the external auditors should:
- be overseen and evaluated by the audit committee/board of directors in terms of their independence and the quality and effectiveness of their work;
- be reviewed and rotated periodically (partners, not firms) based on criteria that are guided by standards in the matter and determined by the audit committee/board of directors, in order to avoid situations that could impair the auditors’ independence and objectivity;
- subject to the powers granted to shareholders by applicable legislation, be appointed, reappointed, dismissed, supervised, assessed and remunerated further to a decision or recommendation of the audit committee/board of directors or at the annual general meeting, as applicable;
- have the necessary skills and integrity to successfully conduct their audit engagement;
- be able to address the audit committee/board of directors directly, without senior management present;
- have unrestricted access to individuals and information in order to conduct their audit engagements;
- coordinate with internal auditors to avoid duplication of efforts and optimize efficiency.
When there is effective coordination, external auditors can be considered an added line of defense providing senior management, the board and the shareholders with assurance in addition to that provided by internal audit. External auditors and regulators play an important role in a financial institution’s overall governance and control structure and may be considered a fourth line of defense (Bank for International Settlements, Occasional Paper No. 11, The “four lines of defense model” for financial institutions, December 2015).
8. Integrity and competency
The AMF expects members of the board, members of senior management and key persons in control functions to demonstrate integrity and competency at all times.
Due to the nature of financial institutions, the role they play in the economy and the types of risks associated with their operations, board members, senior management and key persons in control functions must possess the necessary skills, demonstrated by an appropriate level of expertise, professional qualifications, knowledge, or relevant experience, to work in the financial sector, as well as good judgment. In addition to the skills required to ensure sound management of a financial institution, it is essential for the members of the board, members of senior management and key persons in control functions to have integrity.
The integrity and competency of individuals with decision-making authority within a financial institution therefore underpin sound governance and should be beyond reasonable doubt.
Integrity is demonstrated by an individual’s behaviour and the way he or she conducts his or her personal and professional affairs, while competency is demonstrated by an appropriate level of expertise, professional qualifications, knowledge, or relevant experience in the financial sector. In the case of the board of directors, the appropriate level of competency may be achieved collectively, through the complementarity of the specific attributes of the individual board members.
8.1 Assessment policy
A financial institution should have an assessment policy in place, along with integrity and competency criteria and procedures for assessing the individuals who are subject to this expectation. The assessment policy should be applied when the individuals in question are appointed and then periodically thereafter to ensure, based on the established criteria, that an appropriate level of integrity and competency is maintained at all times.
The financial institution should also put in place controls to ensure that the criteria chosen and how they are applied are aligned with best practices. It should also take the necessary steps to review the criteria at regular intervals and adjust them if necessary.
In addition to the responsibility expressly delegated to the board of directors to approve the policy for assessing the integrity and competency criteria, specific responsibilities are assigned to the board or one of its committees. Within the scope of this guideline, a board committee created for purposes of assessing integrity and competency could also perform the assessment on the basis of the policy established.
The board of directors should therefore determine whether the individuals subject to the assessment policy have the integrity and competency required to hold the positions concerned within the institution. Although the board members are required to self-assess, the AMF expects them to ensure that measures are in place to enable them to exercise independent judgment in performing this function.
The board of directors should also be aware of any concerns arising from the results of the integrity and competency assessments of the individuals concerned. If it learns that any such individuals are in their positions despite an assessment yielding adverse findings, it should ensure that appropriate actions are taken and controls put in place to mitigate any potential risks arising from the assessment. Actions taken should be proportionate to the seriousness of non-compliance with the established criteria.
Lastly, the financial institution could decide to entrust all or part of the integrity and competency criteria assessment of the candidates concerned to separate entities within the institution or the group to which it belongs. It could also decide to outsource all or part of the assessment to an external firm, in which case it will be important for the outsourcing arrangement established for that purpose to comply with the principles set out in the Outsourcing Risk Management Guideline (Autorité des marchés financiers, Outsourcing Risk Management Guideline).
8.2 Assessment criteria
The assessment criteria or integrity and competency indicators that will be developed could focus on aspects such as the ones described below.
In addition, based on these or any other criteria that will be developed, the institution will have to adjust its judgment to take into account, for example, the time elapsed since, and the seriousness of, the identified irregularity. Consideration should also be given to the person’s conduct and behaviour subsequent to the identified irregularity.
- Criminality criteria or indicators
With respect to members of decision-making bodies, there should be no cases or evidence of such individuals having been found to have engaged in misconduct prior to being hired that could have an impact on their responsibilities (e.g., cases in which they were found guilty of a criminal offence, dishonesty, misappropriation of assets, embezzlement, fraud or other penal offences, including money laundering and terrorism financing).
- Financial criteria or indicators
Members of decision-making bodies are expected not to have engaged in any improper or wrongful conduct affecting their own financial condition or the financial condition of an entity they previously worked for or were appointed by. Indicators such as financial difficulties leading to legal proceedings, bankruptcy or financial hardship and insolvency proceedings in or in respect of an entity in which a member of a decision-making body took actions or performed functions that may have led to such events are significant indicators for purposes of the assessment policy.
- Prudential criteria or indicators
Members of decision-making bodies are expected not to have been found to be incompetent or to lack integrity by another regulatory authority in performing duties similar to the ones for which they are being assessed. Concerns raised by other regulators could involve, for example, the withholding of information, the submission of incorrect or falsified financial information or statements, or previous instances of corrective action or a public authority intervening in respect of a person while he or she was in an equivalent position.
- Competency assessment criteria or indicators
Members of decision-making bodies are expected to have an appropriate level of expertise, professional qualifications, knowledge, or relevant experience to work in the financial sector. The institution should know which of these attributes is possessed by the current members of its decision-making bodies and identify any gaps that will need to be filled by future directors, members of senior management and key persons in supervisory functions.
An aptitude and knowledge grid could be created to support the planning of training activities for current members. Such a grid could, for example, contain criteria such as operational experience, functional competency, knowledge of the institution’s activities, interpersonal skills, aptitude for teamwork, availability, motivation and diversity. Lastly, the various attributes identified by the institution should be ranked in order of importance based on the institution’s needs and any deficiencies identified among the current members of its decision-making bodies.
- Other criteria or indicators
The institution could also consider other criteria, such as an unfavourable final judgment against a person in a dispute with a previous employer involving a failure by the person to properly discharge his or her responsibilities or comply with internal policies, including codes of ethics and professional conduct, where the failure to comply leads to the person’s dismissal or to penalties or disciplinary measures being imposed by professional associations, for example.
8.3 Decision-making process
The financial institution should implement a decision-making process that can be relied upon when an assessment yields adverse findings. It should therefore determine, when such a case arises, what types of information need to be obtained to further analyze the file.
An adverse finding would not necessarily render a person unsuitable to hold another position within the financial institution. The institution will have to consider each case individually on the basis of the institution’s needs and risk tolerance levels (risk tolerance sets boundaries on the level of risks a financial institution is prepared to accept based on its risk appetite). Note that adverse findings could be tolerable provided mitigating measures are implemented. However, if a person is found to lack integrity—where there is fraud or money laundering, for example—it should result in the person being deemed unfit, regardless of the position involved.
The AMF therefore expects that people who do not demonstrate integrity and do not have the competency required for the functions for which they were being considered will not be permitted to perform those functions.
8.4 Notifying the AMF
The AMF expects financial institutions to notify it of any changes within their decision-making bodies and the functions held by each member. Similarly, financial institutions should notify the AMF of any non-compliance with integrity criteria by members of their decision-making bodies.
Should, owing to events or circumstances, a person who meets the integrity and competency criteria become temporarily or permanently unable to perform his or her function, the AMF expects the person concerned to be replaced within a reasonable time period by another person who satisfies the integrity and competency criteria set out in the assessment policy.
It is likely, in some situations, that the newly selected person will not have all the skills needed to satisfy the criteria in the assessment policy. If this is the case, the institution will have to ensure that the new person is able, within a reasonable time period, to meet the criteria.
The institution could provide such individuals with mentoring, additional training or access to external resources, for example, so they achieve the criteria set out in its assessment policy as soon as possible. Similarly, control or follow-up measures could be increased or additional resources could be hired on a temporary basis, to enable newly selected people to acquire the skills needed to meet the competency criteria determined by the institution.
9. Remuneration policy
The AMF expects financial institutions to implement remuneration practices that do not encourage excessive or inappropriate risk-taking and that take into account the long-term interests of the institution and its stakeholders.
Sound remuneration practices are an integral part of the good governance of any financial institution. The adoption and implementation of a remuneration policy is not intended to unduly restrict or reduce an institution’s ability to attract and retain qualified people by prescribing a particular form or level of remuneration. By viewing remuneration as a component of effective risk management, the AMF is instead seeking to promote the adoption by financial institutions of a remuneration policy that considers their risk appetite (the aggregate level and types of risk a financial institution is willing to assume to achieve its strategic objectives and business plan) and long-term interests so as to avoid excessive risk-taking.
The board of directors is responsible for ensuring that the remuneration policy is broad enough to cover members of the board and senior management, key persons in supervisory functions and other major risk-taking staff.
The board of directors should have the requisite skills to make informed decisions regarding the relevance of the remuneration policy. Those skills require, whether through a remuneration committee or not, a sufficient understanding of the link between risk-taking and remuneration and the participation of individuals who are not members of senior management to improve the objectivity of the decision-making process.
Accordingly, the board of directors should be satisfied with the remuneration policy’s overall consistency with the institution’s risk appetite, risk tolerance levels and long-term interests. To this end, particular attention should be given to certain aspects of remuneration, such as:
- the proportion of fixed and variable components;
- the use of performance criteria;
- the structure of the remuneration of major risk-taking staff;
- the individual remuneration of members of the board of directors and senior management.
The board of directors should also ensure that the persons involved in establishing the remuneration policy interact closely with those responsible for risk management in order to promote the alignment of risks and variable remuneration in any organization.
However, to maintain the integrity and objectivity of staff in supervisory functions and reduce the potential risk of conflicts of interest, the remuneration of these individuals should:
- be primarily based on the effective achievement of objectives appropriate to their supervisory function;
- where applicable, not be tied to the performance of the business units under their supervision but, rather, to the institution’s overall performance;
- be generally adequate and sufficiently generous to attract and retain individuals with the skills, knowledge and expertise required to perform their respective functions;
- where this function is outsourced (Autorité des marchés financiers, Outsourcing Risk Management Guideline), be consistent with the objectives and parameters of the existing remuneration policy.
Finally, variable remuneration components, when present, should be established using performance measures that take into account the creation of long-term value and the time horizon of the risks to which the institution may be exposed, while avoiding the creation of incentives (used in its broad sense, the term may include bonuses, commissions, salaries, premiums and fees in compensation programs, and other benefits from sales contests, promotions, perks or gifts) that could lead to inappropriate risk-taking. The performance criteria applicable to variable remuneration components should therefore:
be clearly defined and objectively measurable;
be based on financial and non-financial criteria, as appropriate;
take into account not only the individual’s performance but also the performance of the business unit, where relevant, and the overall results of the financial institution;
use growth and volume as criteria only if they are paired with other performance criteria.
Ultimately, for a remuneration policy to be effective and prevent conflicts of interest, it should be based on objective criteria that may differ depending on the individuals directly affected by the policy and should be reinforced through objective supervision of its application.
10. Disclosure and transparency
The AMF expects a financial institution to disclose the main aspects of its governance framework and be sufficiently transparent to all stakeholders, taking into account the nature of its activities.
Such disclosure should enable stakeholders to assess the financial institution’s governance structure. No particular vehicle needs to be used: what matters is for the disclosure to be satisfactory. The institution could use its annual report, website or any other medium, provided such information is communicated in an effective and timely manner, thereby enabling stakeholders to make an informed judgment about the ability of the board of directors and senior management to govern the financial institution.
In order to ensure transparency, unless information is commercially sensitive or its disclosure would breach the institution’s confidentiality obligations, the financial institution’s communications strategy should include information that is relevant and useful for understanding the key components of the institution’s governance. Consideration should therefore be given to disclosing official information such as the organization’s financial condition, performance and structure. In addition, any event or other material information that could affect one or more stakeholders should also be promptly disclosed, within the time limits prescribed by regulatory requirements, if any.
As a general rule, disclosure should be sufficiently complete and detailed to enable stakeholders to form a clear opinion on the institution’s performance as regards its ability to exercise sound governance. Disclosure should therefore include, as good practices, items such as information on the strategic objectives, the organizational structure, the qualifications and diversity of the members of the board of directors, the remuneration policy, share ownership and voting rights, principal affiliations and alliances, and material related-party transactions.
In addition, to respond to the desire for transparency, disclosure could also cover the following: the independence criteria used and applied to key positions of responsibility, conflict-of-interest rules, risk management systems, internal control, and events that occurred during the reference period.
Finally, in performing its supervisory role, the AMF may seek to obtain additional information that could include sensitive items such as the board’s assessment of the governance framework, the internal audit reports and details about the remuneration structure, particularly in relation to risk-taking.