Trust Business Assessment Criteria

Description of Line of Business

Trust business encompasses several activities. Not all companies provide all trust activities. Depending on materiality, activities may be assessed individually or as a group, so long as the risk attributes are alike and these risks are managed in the same manner. Trust activities include, but are not limited to:

  • Agent (assistance)
  • Escrow
  • Executor
  • Family office
  • Fiduciary
  • Self-administered plans
  • Shareholder records
  • Substitute decision maker
  • Transfer agent
  • Trustee

A trust company may conduct activities permitted by the Financial Institutions Act’s Prescribed Types of Businesses Regulation. The risk assessment of these activities can be grouped with the trust activities, if their significance, risk attributes, and management are similar to the trust activities. Otherwise, these permitted activities, if significant, are assessed separately.

The impact of this activity on the trust company is through the profits or losses generated by the trustee activities. Trust assets are held off balance sheet, so any credit and market risk are owned by the beneficiary, not the trust company. Any conduct risk is reflected in the company’s operational, regulatory compliance and strategic risks only to the extent that a potential financial loss to the trust company may occur. The prudential supervisory framework does not directly assess the conduct risk to the consumer.

Definition of Net Risk

The net risk of trust activities is determined by assessing the risks inherent in the activity and the effectiveness with which those risks are being managed.

Operational risk is the primary inherent risk in trust activity. Secondary risks include regulatory compliance and strategic risks. These inherent risks are mitigated by operational management, oversight functions, senior management, and the board of directors.

A trust company’s net risk for trust activity is assessed as low, moderate, above average, or high.

Low Net Risk

The trust company has risk management that substantially mitigates risk inherent in its trust activities down to levels that have lower than average probability of an adverse impact on the earnings, capital, and liquidity in the foreseeable future.

Normally, trust companies in this category will have a predominance of trust activities with low inherent risks and acceptable quality of risk management. Other combinations are possible; for example, moderate inherent risk with strong quality of risk management.

Moderate Net Risk

The trust company has risk management that sufficiently mitigates risks inherent in its trust activities, down to levels that collectively have an average probability of an adverse impact on the earnings, capital, and liquidity in the foreseeable future.

Normally, trust companies in this category will have a predominance of trust activities rated as low or moderate inherent risks with acceptable quality of risk management. Other combinations are possible; for example, low inherent risk with a quality of risk management that needs improvement.

Above Average Net Risk

The trust company has weakness in its risk management that gives rise to above average net risk in its trust activities. As a result, net risks in its trust activities collectively have an above average probability of an adverse impact on the earnings, capital, and liquidity in the foreseeable future.

Normally, trust companies in this category will have several trust activities rated as moderate inherent risk with a needs improvement quality of risk management. Other combinations are possible; for example, a combination of low inherent risk with weak quality of risk management.

High Net Risk

The trust company has weakness in its risk management that may pose a threat to its financial viability or solvency and gives rise to high net risk in its trust activities. As a result, net risks in its trust activities collectively have a high probability of adverse impact on the earnings, capital, and liquidity in the foreseeable future.

Normally, trust companies in this category will have most trust activities rated as above average inherent risk with a needs improvement quality of risk management. Other combinations are possible; for example, a combination of moderate inherent risk with weak quality of risk management.

Quality of Risk Management Criteria

The following statements describe the criteria for assessing the adequacy of risk management policies and practices of a trust company. The application and weighting of the individual criteria will depend on the nature, scope, complexity, and risk profile of a trust company.

Essential Element / Criteria

1. Operational Management (First Line of Defence)

Organization and Structure

1.1 Appropriateness of the organization and structure, given the nature and scope of the trust activities.
1.2 Appropriateness of segregation of duties and operational management’s span of control.
1.3 Extent to which frontline risk decisions are independent from oversight functions and senior management.
1.4 Extent to which legal advice is available to support trust agreements or arrangements.
1.5 Adequacy of the company’s risk culture.

Resources, Staffing, and Training

1.6 Adequacy of the trust company resources, staffing, and training, given the nature and scope of the trust activities.
1.7 Extent to which staff understand the trust activities and keep current with developments in their area of responsibility, including associated risks, legal and legislative changes, emerging issues, new risk management techniques, and changes in the operating environment impacting the nature and level of risk.
1.8 Extent to which staff understand their fiduciary obligations to clients and beneficiaries.
1.9 Appropriateness of staffing for assigned responsibilities and decision-making authorities, in terms of numbers, skill sets, and experience.
1.10 Extent to which new hires are experienced and have strong analytical skills, knowledge, and expertise in the types of trust and other activities offered, and familiarity with target customer base.
1.11 Extent to which operational management have sufficient knowledge and experience on evaluation of trust activity risks, measurement metrics (both qualitative and non-qualitative), mitigation techniques, and identifying signs of fraudulent activity.
1.12 Extent to which staff are knowledgeable, experienced, and skilled in managing complex or problematic trusts.
1.13 Appropriateness of the trust company staff turnover.

Policies, Procedures, and Limits

1.14 Extent to which policies, procedures, and limits are clearly defined, documented, and disseminated.
1.15 Extent to which policies clearly define product lines that the trust company is willing and not willing to enter into.
1.16 Extent to which policies are consistent with the trust company plans and business objectives.
1.17 Extent to which policies set criteria for new products, services, and clients.
1.18 Appropriateness of the “Know Your Client,” risk evaluation methodologies and the client’s risk appetite decision criteria.
1.19 Extent to which prudential exposures and concentration limits for each activity and the aggregation of them are managed across all trust business.
1.20 Adequacy of the risk mitigation techniques for each activity.
1.21 Extent to which the day-to-day controls are commensurate with the level of risk in each activity.
1.22 Appropriateness of exceptions to the policies and criteria for granting them.
1.23 Appropriateness of the authority levels and any delegation of authority.
1.24 Appropriateness of client conflict resolution trust practices.

Monitoring and Control

1.25 Extent to which adherence to policies, procedures, and limits is monitored and reported.
1.26 Appropriateness of how the nature, characteristics, and quality of products is monitored and reported.
1.27 Extent to which the reporting is sufficiently granular, complete, and accurate.
1.28 Appropriateness of how the performance of the activity is monitored and assessed against plan.
1.29 Extent to which any issues are resolved.

Outsourcing

1.30 Extent to which trust company processes are outsourced to service providers.
1.31 Extent to which the due diligence procedures and practices are completed prior to entering the outsourcing arrangements.
1.32 Extent to which roles and responsibilities in policies, procedures, and outsourcing agreements are clearly defined, documented, and disseminated.
1.33 Extent to which staff are knowledgeable, experienced, and skilled in managing outsourced activities.
1.34 Adequacy of the outsourcing agreement, including performance measures, reporting requirements, resolution of differences, notifications, complaint handling, contingency planning, inspection rights, confidentiality and security, compensation, insurance, regulatory requirements, and advertising and promotion material.
1.35 Adequacy of the contingency measures for ensuring the continuation of the outsourced activities in the event of problems or events that affect the delivery of those activities.
1.36 Extent to which the outsourcing arrangements are aligned with the trust business strategies, plans, objectives, and risk parameters.
1.37 Adequacy of policies and practices in monitoring the performance of the outsourced activities.
1.38 Appropriateness of the reporting, meetings, and periodic reviews to ensure adherence to company practices and procedures.

2. Compliance Management (Second Line of Defence)

2.1 Extent to which compliance management is independent of day-to-day management of risks.
2.2 Adequacy of compliance policies and practices to ensure that the trust company’s approach and practices align with industry and regulatory requirements and are appropriate for executing its mandate.
2.3 Extent to which compliance policies and practices cover the following: new products, characteristics of products, existing trust agreement provisions, IT capability and systems security, outsourcing, on-going staff training, and customer data privacy and protection.
2.4 Extent to which compliance policies and practices keep abreast of new and changing client behaviors; new and changing patterns in specific industries’ ethos; and changes in the trust company’s risk profile.
2.5 Extent to which compliance management promptly develop or amend the trust company’s compliance policies, as legislation is introduced or amended, or as new or changing trust activities impose different legislative requirements on the trust company.
2.6 Extent to which compliance management documents new or amended company compliance policies and communicates them to the staff in a timely manner.
2.7 Extent to which compliance management monitors adherence to applicable laws, regulations, and guidelines by staff.
2.8 Adequacy of the compliance reporting to senior management and the board, and the practices for resolving significant issues in a timely manner.
2.9 Extent to which trust business compliance practices are regularly reviewed for continued effectiveness.

3. Risk Management (Second Line of Defence)

3.1 Extent to which risk management is independent of day-to-day management of trust activity risks.
3.2 Adequacy of the process to regularly review and update risk management policies, processes, and limits, to consider changes in the trust activity environment, and in the risk appetite of the trust company.
3.3 Appropriateness of risk management policies, practices, and limits given the trust company’s activities and related risks.
3.4 Appropriateness of the prudential exposures and concentration limits for each activity and the aggregation of them across all trust activities.
3.5 Appropriateness of the measurement and monitoring of risk culture across the company.
3.6 Extent to which risk management policies and practices for trust activities are coordinated with the strategic, capital, and liquidity management policies and practices.
3.7 Extent to which risk management policies, practices, and limits for trust business are documented, communicated, and integrated with the trust company’s day-to-day operations.
3.8 Adequacy of policies and practices to monitor trust business positions against approved limits and for timely follow-up on material variances.
3.9 Adequacy of policies and practices to monitor trust business trends, identify emerging risks, and respond effectively to unexpected significant events.
3.10 Adequacy of policies and practices to model and measure the trust company’s trust business risks including stress testing.
3.11 Adequacy of the risk management reporting to senior management and the board, and the practices for resolving significant issues in a timely manner.
3.12 Extent to which risk management policies and practices are regularly reviewed for continued effectiveness.

4. Internal Audit (Third Line of Defence)

4.1 Extent to which internal audit staff understand trust activities and keep current with developments in internal audit practices.
4.2 Extent to which internal audit’s management is experienced in trust activities and reviews and oversees the trust activities internal audit work.
4.3 Adequacy of the internal audit program to verify that company policies and procedures have been implemented effectively across all activities.
4.4 Appropriateness of the scope and frequency of the audit program based on the level of trust company risk exposures.
4.5 Extent to which findings identified and reported in the audit process have been addressed by senior management in a timely and effective manner.
4.6 Extent to which high risk issues are raised to the attention of the board with timely follow up.

5. Senior Management and Board Oversight (Corporate Governance)

Senior Management

5.1 Extent to which the board has delegated to the CEO the responsibility for developing and implementing trust business policies and practices.
5.2 Adequacy of policies and practices delegating responsibilities for developing trust business policies and practices from the CEO to other senior managers.
5.3 Appropriateness of the trust business mandates for senior management positions and the extent to which they clearly define lines of authority, responsibility, and accountability. Extent to which these mandates are communicated across the trust company.
5.4 Extent to which senior management committees are used to oversee the trust activities.
5.5 Appropriateness of senior management’s trust business qualifications, knowledge, skills, and experience.
5.6 Extent to which senior management has a good understanding of the nature, level, and trend of the key risks in the trust activities, its key controls and how risks relate to allocated capital levels.
5.7 Extent to which senior management has a good understanding of the trust activities’ legal and operational requirements and approves all material processes related to these.
5.8 Adequacy of the trust activity reporting to the board and the practices for resolving significant issues in a timely manner.
5.9 Extent to which compensation programs promote prudent risk-taking in the trust activity and are aligned with long-term strategic objectives.
5.10 Extent to which the management reporting senior management receives is sufficient to fulfill their responsibilities.
5.11 Extent to which the senior management has demonstrated effectiveness in carrying out their duties and managing the trust activities.

Board of Directors

5.12 Extent to which the board understands, reviews, and approves the trust activity aspects, if any, of the trust company’s trust related policies, and ensures these policies are responsive to changes in the operating environment and supports the trust company’s risk appetite.
5.13 Appropriateness of the board’s and its committees’ knowledge and experience in the trust activity.
5.14 Extent to which the board understands, reviews, and approves trust activity objectives, strategies, and plans.
5.15 Adequacy of the board’s trust activity reports including relevant metrics, measures and benchmarks, and the extent to which they are provided in a timely manner with clear, accurate, and complete information.
5.16 Extent to which the board understands trust activity operational risk and the controls to manage this risk as well as other significant risks arising from the trust and ancillary businesses.
5.17 Extent to which the board keeps up to date regarding beneficiaries’ needs, market trends, emerging risks, competitor activities, and new trust practices.
5.18 Adequacy of the board’s practices to establish and monitor the senior management involved in the company, including performance, hiring, and fixed and variable compensation.
5.19 Extent to which the board acts independently and has demonstrated effectiveness in carrying out its direction and oversight of the trust activities.