Risk-based Supervision Framework

The Central Bank of Trinidad and Tobago (Central Bank) has updated its Risk-Based Supervision Framework (RBSF) which will now apply to the Banking and Insurance sectors and becomes effective on October 1, 2025. This RBSF introduces a harmonized supervisory framework to guide the Financial Institutions Supervision Department’s (FISD) supervision of the banking and insurance sectors only.

Introduction

The Central Bank is the regulator for the banking, insurance, pensions, bureaux de change and payments sectors in Trinidad and Tobago and derives its supervisory authority and function from the Financial Institutions Act, Chap. 79:09, Insurance Act Chap. 84:01, Exchange Control Act and Central Bank Act.  The Central Bank is also the AML/CFT supervisory authority for the entities that it regulates.  Accordingly, the Central Bank fulfils its supervisory mandate through the application of an RBSF which is designed to scale supervisory attention to institutions and activities in line with the risks they pose to the integrity and stability of the financial system.

This RBSF outlines the principles, approach, concepts, and core processes that guide the Central Bank’s approach to supervision of its regulated entities.  This Framework, which embodies the principle of proportionality, will apply to all licensees, insurers, and financial holding companies.

This Risk Based Supervision Framework entails:

  • A holistic understanding of the institution;
  • A dynamic and forward-looking process;
  • Assessment of the adequacy of the financial institution’s corporate governance and risk management frameworks;
  • Placing of reliance on Internal and External Auditors, and Appointed Actuaries, to support supervisory reviews; and
  • Ensuring alignment of the Central Bank’s supervisory framework with international standards and best practices.

It should be noted that this RBSF does not apply to pension plans, intermediaries, bureaux de change and payments systems which are governed by their own frameworks.

Statutory Obligations

This RBSF is designed to assist the Central Bank in meeting its statutory obligations set out in the FIA, IA, and other governing legislation and guidelines regarding the supervision of financial institutions in Trinidad and Tobago.

International Standards

The Central Bank’s legislative and supervisory framework is aligned to the international standards and best practices in the regulation and supervision of its regulated financial institutions.  The relevant international standards for this RBSF are the BCBS’ “Core Principles for Effective Banking Supervision” for banks and financial groups, and the IAIS’ “Insurance Core Principles and Methodology” for insurers and insurance-led groups.  It should be noted that the Central Bank has a separate risk-based supervisory framework for AML/CFT supervision.

Supervisory Approach

The Central Bank has adopted a risk-based supervision approach which prioritises supervisory intensity based on the level of risk posed by the financial institution, rather than applying the same level of scrutiny to all entities.

Risk Based Supervision (RBS) requires the examiner to acquire detailed knowledge of the financial institution, inclusive of its:

  • Group and organisational structures;
  • Size, business model and business strategy;
  • Significant products, activities and material risks;
  • Governance and risk management structure and functions; and
  • Internal controls.

RBS requires application of sound supervisory judgement to analysis of key institutional performance metrics (e.g. capital adequacy, asset quality, earnings, liquidity, and concentrations, stress tests, systemic importance) to determine the risk posed by the institution to the financial system and the commensurate level of supervisory intensity that should be applied.

This RBS approach is based on the following concepts and principles:

Relationship management is a key aspect for effective supervision. Each institution is assigned one or more Relationship Officers (RO) based on its size, complexity and risks, to serve as the main point(s) of contact between the institution and Central Bank for supervisory matters.

The RO(s) is/are responsible for “Knowing the institution” which is the basic starting point for effective supervision (see section 4.1).  This involves, inter alia, developing and maintaining a detailed institutional profile; conducting and maintaining up-to-date risk assessments of the institution, and escalating potential risks to the FISD management in a timely manner; and ensuring that the level and intensity of supervision and intervention is aligned with the risk assessment of the institution.  The level and intensity of supervision and intervention should be based on the institution’s size, complexity and risk profile.

The Corporate Governance Guideline sets out the Central Bank’s expectation of the governance structure, systems and procedures of regulated entities. An institution’s Board of Directors and Senior Management are primarily responsible for the management of the institution and ultimately, accountable for its safety and soundness and compliance with governing legislation and guidelines.

Central Bank’s supervisory approach includes alerting the Board and Senior Management of the financial institution where, through on-site or off-site supervision, it has identified weaknesses in the institution’s governance, risk management, internal controls and/or material emerging or existing risks that are not being adequately mitigated.  In these circumstances, the Central Bank will issue either recommendations or directives to address the identified deficiencies; require the financial institutions to submit a corrective action plan; or both.

Notwithstanding the Central Bank’s ongoing supervisory activities, it also expects the Board and Senior Management to be proactive in providing timely notification of important issues affecting the institution.

Similar to other supervisory authorities, the Central Bank will place reliance on independent assessments such as those conducted by the institutions’ internal and external auditors and appointed actuaries when conducting the institution’s risk assessment.  For example, the Central Bank places reliance on the external auditors to ensure that the financial statements are prepared in accordance with prevailing accounting standards.  In addition, the Central Bank utilises information provided in routine regulatory returns and other reports (e.g. stress testing reports, internal audit reports, AML/CFT reports) and open source information, to obtain a more current or forward-looking assessment of an institution’s risks and potential financial outlook.

For institutions regulated under the IA, the Central Bank relies on the Appointed Actuary to ensure that provisions of the IA and Regulations as they relate to the responsibilities of the Appointed Actuary comply with the standards of accepted actuarial practice specified by the IOFI.

The Central Bank may also use, where appropriate, the work of others, such as financial modelling experts and actuarial experts, in carrying out its supervisory work, e.g., in the review of specialised models such as Expected Credit Loss (ECL) models, where these models have been reviewed internally or externally by specialists engaged by the institution.

The RBS approach requires the supervision of a financial group or financial holding company to be conducted on a consolidated basis.  Consolidated supervision evaluates the strength of the entire group, taking into account all the risks that might affect the regulated entity in the group. This group-wide approach to supervision, where all the risks of a banking group are considered, goes beyond accounting consolidation.  Accordingly, the Central Bank will cooperate and share information with other domestic and foreign supervisors as applicable and will use information available from other supervisors as appropriate. Consolidated supervision minimises group risks by reducing the opportunity for regulatory arbitrage and contagion risks.  Consolidated supervision may also involve the conduct of joint on-site examinations by home and host regulators, and communication and information sharing via participation in periodic supervisory meetings, teleconferences and colleges.

Key Principles of RBS

Knowing the Institution

The starting point in RBS lies with developing a detailed institutional profile of the regulated financial institution or financial group.  Building or developing an institutional profile involves the following steps:

Institutional Overview

  • Legal name, address and structure
  • Licensing / registration status and regulatory framework (under the IA, FIA, etc.)
  • Ownership and group structure, including listing of direct and indirect beneficial owners, significant and controlling shareholders; number and composition of the board of directors, board committees, and senior management committees; and other key approved personnel.
  • Number of staff, number and location of branches, representative offices and ATMs, etc.
  • Systemic impact as evidenced by market share – i.e. percentage contribution to industry sector/ financial system / GDP, etc.
  • Where the institution is covered by deposit insurance or other similar protection scheme, the percentage of insured deposits

Governance and Management

  • Board and board committees’ composition and effectiveness
  • Senior Management personnel, qualifications and experience
  • Risk management, internal audit and compliance functions, including a listing of key governance and risk management policies, systems (e.g. Corporate Governance, Conflicts of Interest, Risk management, Business Continuity, Capital Adequacy, Liquidity, Recovery).
  • Main IT infrastructure and Management Information System

Risk Profile

  • Business models, key products, services, activities, outsourced services and arrangements
  • Assessment of inherent risks (credit, market, operational, concentration, liquidity, strategic, outsourcing/ third party, etc).
  • Assessment of risk management and controls
  • Exposure to AML/CFT risks
  • Strategic and business plans
  • Stress tests

Financial Condition

  • Assessment of financial soundness indicators of capital adequacy, asset quality, earnings and profitability, liquidity, reinsurance arrangement, actuarial reserves as applicable
  • Knowledge of past and prospective financial performance based on audited financial statements and regulatory returns

Compliance and Conduct

  • Adherence to regulatory requirements
  • Consumer protection practices, such as the number of complaints
  • Market conduct and transparency

AML/CFT Supervision

  • Policies and procedures for AML/CFT
  • KYC/ CDD practices
  • Reporting and monitoring systems

Supervision History

  • Nature and type of past examinations and findings
  • Enforcement action or penalties
  • Remediation efforts and follow up

The institutional profile is meant to be dynamic and should be updated regularly based on on-site examinations, off-site monitoring and reporting from the institutions.

Understanding the Drivers of Risk

The drivers of risks are the factors or variables that influence the likelihood, impact, or timing of risks. Drivers are the root causes or sources of risks, such as market conditions, stakeholder expectations, or technical issues. Understanding the drivers of risks based on knowledge of the institution will help the examiner in the early identification of emerging issues.

Proportionality and Consistency

The intensity of supervision and frequency of supervisory reviews will depend on the business model, size, complexity, financial condition and risk profile of the institution or activity, and the potential risk to the health of the institution or system. Where there are identified risks or areas of concern, the degree of intervention will be commensurate with the risk assessment, and in accordance with the Central Bank’s Supervisory Ladder of Intervention, which can be accessed via the link.

Focus on Material Risks

Risk assessment will focus on identifying material risks to an institution which may pose a threat to Central Bank’s supervisory objectives of safety and soundness of the financial system and which may also pose a risk of potential loss to depositors or policyholders. It is recognized that ‘materiality’ may vary from institution to institution depending on the institution’s size and complexity.

Intelligence Based

Supervision will take account of relevant information available internally and externally. This will include, but is not limited to, regulatory reports and other information submitted by the institution, data and research reports produced by the Central Bank and other regulators and supervisory bodies, and information and intelligence regarding the institution, wider industry, economy, and global events, which may be gleaned from environmental scanning.

Forward Looking and Dynamic Risk Assessments

The Central Bank will employ a forward-looking approach to its supervisory risk assessment. This approach aims to address questions such as:

  • How are the risks to the institution and/or the wider system likely to develop, taking into account such factors as the wider economy, trends in the wider sector or industry and the strategy and business model of the institution?
  • Are the controls, management and governance of the institution sufficiently robust to ensure that these risks are properly managed?
  • Does the institution have sufficient skills, expertise and resources to deal with potential risks?
  • What remedial action (if any) is the institution required to take to ensure that risks remain at an acceptable level now and in the future?
  • What are the institution’s recovery options to restore its financial viability in the event of a stress event?

RBS Methodology

The RBS methodology commences with a determination of the significant activities and their inherent risks.  This is followed by an assessment of the quality of risk management over each significant activity which includes an assessment of the Three Lines of Defence, as well as board and senior management governance of the activity, in order to determine the overall net risk.   Finally, capital adequacy, earnings and liquidity are considered to determine the overall composite risk rating and commensurate intervention rating.

A significant activity is a line of business, unit or process that is fundamental to the institution’s business model and its ability to meet its overall business objectives (i.e., if the activity is not well managed there is a significant risk to the organization as a whole in terms of meeting its goals).

Significant activities may be identified by quantitative or qualitative criteria as follows:

  • quantitative criteria include metrics such as the activity’s percentage of total assets, revenue, premiums written, net income, allocated capital, or its potential for material losses; and
  • qualitative criteria include criteria such as the activity’s strategic importance, planned growth, risk, effect on brand value or reputation, or the criticality of an enterprise-wide process.

It is important to note that significant activities are specific to the financial institution and what is considered significant in one institution, may be insignificant in another and vice versa. In general, activities identified as significant by a supervisor would be in line with those considered significant by the financial institution’s management.

Once the significant activities are determined, supervision must determine the inherent risk in each of the significant activities.  “Inherent risk” is risk that is intrinsic to an institution or activity and occurs naturally due to a factor other than a failure of internal controls.  Inherent risk typically reflects the nature, complexity, or volatility of the activity or process and can vary by industry, institution, size and operational scope.  Inherent risk arises from exposure to, and uncertainty from, possible future events, or changes in business or economic conditions. Inherent risk is identified and assessed before considering the quality of the institution’s governance, internal controls and risk management.

Examples of key inherent risks in banking and insurance institutions include credit, market, liquidity, operational, legal, compliance and strategic risks. Insurance and reinsurance risks are also key inherent risks for insurance companies.  With the emergence of financial technology and rapid digitalisation of financial services, technology and cyber risks have come to the fore as key risks.  Other key risks that may arise are concentration, strategic, and reputational. Where a financial institution is part of a financial group, subsidiary risk may also be important.  This is not an exhaustive list and risks may ascend or descend in priority based on prevailing circumstances. The categories and levels of inherent risk are described in more detail in Appendix A.

From time to time new risks may emerge which can have implications for one or more of the inherent risks mentioned above, e.g., artificial intelligence. These new risks should be considered in the assessment of the inherent risks.

Based on the key inherent risks identified for an institution or significant activity and their levels, supervisors develop expectations for the quality of risk management. The higher the level of inherent risk, the more rigorous the day-to-day controls and oversight expected.

Inherent risks should be assessed and rated as:

  • Low (L) – where there is a lower than average probability of a material loss due to exposure and uncertainty arising from current and potential future events.
  • Moderate (M) – where there is an average/ moderate probability of a material loss due to exposure and uncertainty arising from current and potential future events. Although the activity potentially could result in a loss, the entity could absorb the loss without significant impact to its soundness.
  • Above Average (AA) – where there is greater than average probability of a material loss due to exposure and uncertainty arising from current and potential future events. The activity potentially could result in a loss to the entity, which may influence its soundness.
  • High (H) – where there is a high probability of a material loss due to exposure and uncertainty arising from current and potential future events. The activity potentially could result in a significant and damaging loss to the entity.

The Four Lines of Defence model is a framework for managing and controlling risks in financial institutions and the Central Bank’s supervisory approach is aligned to this framework.  The Four Lines of Defence model is an enhancement of the traditional Three Lines of Defence model.  See here for details.

The Four Lines of Defence are:

1. First Line of Defence: Functions that own and manage risk: Operational Management

  • This includes day-to-day risk management and control activities conducted by the business units.  They are responsible for identifying and managing risks directly within their areas of responsibility.  When assessing operational management, Central Bank’s primary concern is whether operational management is capable of identifying the potential for material loss and has adequate controls in place.

2. Second Line of Defence: Functions that oversee risk: Risk Management and Compliance

  • These functions provide oversight and support to the first line and comprise various risk management and compliance functions (i.e. support functions) such as financial, compliance, risk control, model validation and back office, whose key duties are to monitor and report risk-related practices and information, and to oversee all types of compliance and financial controlling issues.
  • The second line of defence defines preventive and detective control requirements, and ensures that such requirements are embedded in the policies and procedures of the first line. The second line must be independent of the first line and apply controls either on an ongoing (e.g., daily) or periodical basis. There are three key oversight functions, which may exist in an institution: Financial, Compliance, and Risk Management (see Appendix B).

The structure and nature of these functions are expected to vary based on the business, size, complexity and risks of an institution. Where an institution lacks some of the oversight functions, or they are not sufficiently independent, the Central Bank expects other functions, within or external to the institution, to provide the independent oversight needed.

3. Third Line of Defence: Internal Audit

  • Internal audit provides independent assurance to senior management and the board on a broad range of objectives, including efficiency and effectiveness of operations, safeguarding of assets, reliability and integrity of reporting processes and compliance with laws and regulations.
  • For the function to be effective, it needs to have the highest level of independence and objectivity.  Consequently, the Chief Internal Auditor should have unfettered access to senior management and the board of the financial institution. Measures taken to ensure this high level of independence include the ability of the internal audit function to meet with the board in the absence of senior management. The board is primarily responsible for an independent audit function and has to be cognisant of potential impairments to objectivity.

4. Fourth Line of Defence: External Audit and Supervisory Oversight

  • The fourth line of defence includes independent bodies, such as, external auditors and regulatory bodies[1]. They provide an additional layer of assurance by independently verifying the effectiveness of the first three lines of defence and ensuring compliance with external regulations.

The Central Bank will focus on the three (3) Lines of Defence shown above as well as the adequacy of Board and Senior Management oversight to determine the quality of risk management for each significant activity. For each significant activity, the following risk areas – namely, Operational Management, Finance, Risk Management, Compliance, Internal Audit, Senior Management and Board – will be assessed and assigned a rating of either Strong, Acceptable, Needs Improvement, or Weak.  (see Appendix B for explanations of the ratings for the Quality of Risk Management).

The Central Bank has Assessment Criteria that guide the determination of the rating for each oversight function. The assessment includes a determination of the direction of the quality of oversight (improving, stable, or deteriorating).

Chart 1: Illustration of a Four Lines of Defence Model
Source: FSI Occasional Paper No. 11 – The “four lines of defence” model for financial institutions, Dec 2015.

The Board and Senior Management sit above the Three Lines of Defence.  Collectively, they have responsibility for setting organisational objectives, defining strategies to achieve them and establishing the necessary governance, risk management and control frameworks to manage the risks to the achievement of their objectives.

In particular, the Board has ultimate accountability for the institution’s risk management and control framework and must approve risk management policies and strategies proposed by Senior Management.  The Board relies on internal audit (Third Line of Defence) to provide independent assurance on the effectiveness of risk management and controls.  The Board must also ensure compliance with regulations and standards and depends on the Second Line of Defence in this regard.

Senior management is responsible for defining the institution’s objectives and strategies to achieve same; establishing governance frameworks and processes to manage risks effectively; overseeing the first and second lines of defence and ensuring that operational management and risk management frameworks are performing effectively; and allocating resources to ensure that risk management and control functions are adequately supported.

Together, the board and senior management ensure that the institution has a robust risk management framework, aligning with its strategic goals and regulatory requirements.

Net risk or residual risk is the risk that remains after application of the controls. For each significant activity, the level of net risk is determined based on judgment that considers all of the key inherent risk ratings and relevant risk management and control ratings for the activity. Net risk may be rated as Low, Moderate, Above Average, or High.

The chart below shows typical net risk (or residual risk) ratings for combinations of inherent risk and quality of governance and risk management (QGRM) ratings. The net risk assessment includes a determination of the direction of net risk (decreasing, stable, or increasing).  Determination of the direction of risk should take into account macro-economic information, the institution’s business strategy, results of stress tests and any other reliable open source information.

The Central Bank expects an institution to maintain controls and oversight that are commensurate with the key inherent risks, so that levels of net risk are considered prudent by the Central Bank.

Chart 2 below shows typical net risk ratings for combinations of inherent risk and Quality of Governance and Risk Management ratings.

The importance of the net risk of each significant activity is a judgment of its contribution to the overall risk profile of the institution. Importance is rated as low, medium, or high. The significant activities assigned higher importance ratings are the key drivers of the overall net risk rating.

After determination of the net risk of each significant activity, it is important to derive the overall net risk on an institutional basis. To do this, each significant activity is rated by importance.

The net risks of the significant activities are combined by considering their relative importance, to arrive at the Overall Net Risk of the institution. The Overall Net Risk is a combined risk assessment determined by taking into consideration the importance and net risk assessment of each significant activity to arrive at a risk assessment for the institution as a whole.  Overall Net Risk is rated as Low, Moderate, Above Average, or High, and the direction is assessed as decreasing, stable, or increasing.

Capital

Adequate capital is critical for the overall safety and soundness of institutions. Capital is assessed based on the appropriateness of its level and quality, both at present and prospectively, and under both normal and stressed conditions, given the institution’s Overall Net Risk.

The effectiveness of the institution’s capital management processes for maintaining adequate capital relative to the risks across all of its significant activities is also considered in the assessment. Institutions with higher Overall Net Risk are expected to maintain a higher level and quality of capital and stronger capital management processes.

Earnings

Earnings are an important contributor to an institution’s long-term viability. Earnings are assessed based on their quality, quantity and consistency as a source of internally generated capital. The assessment takes into consideration both historical trends and outlook, under both normal and stressed conditions. Earnings are assessed in relation to the institution’s Overall Net Risk.

Liquidity

Ensuring adequate liquidity is another critical contributor to the overall safety and soundness of institutions. Liquidity risk is the risk that a financial institution will not be able to meet its obligations as they fall due because of an insufficiency of cash and an inability to convert assets into cash without incurring significant losses.

The level of liquidity risk depends on the institution’s balance sheet composition, its funding sources, its liquidity strategy, and market conditions and events. Institutions are required to maintain, both at present and prospectively, an adequate level of liquidity under both normal and stressed conditions.

Capital, Earnings, and Liquidity may be rated as Strong, Acceptable, Needs Improvement, or Weak and the direction assessed as Improving, Stable, or Deteriorating.

The Risk Matrix:

The Central Bank’s supervisory Risk Matrix is the key tool which ROs must use to record the risk assessment of the institution and illustrate the overall Composite Risk Rating (CRR) and the commensurate Intervention Rating (IR). While the Risk Matrix is a convenient way to summarize Central Bank’s conclusions of risk assessment, it must be supported by detailed documentation of the analysis and rationale for the conclusions. The Risk Matrix Template can be viewed by clicking on this link.

Note: The ratings shown in the Risk Matrix table are for illustration purposes only and are intended as a guide for completion of the risk matrix.

The Composite Risk Rating (CRR):

The CRR is an assessment of the institution’s risk profile, after considering the assessments of its earnings and capital in relation to the derived Overall Net Risk from its significant activities, and the assessment of its liquidity. The CRR gives an indication of the regulator’s assessment of the safety and soundness of the institution with respect to its depositors and policyholders.

The CRR is rated as Low, Moderate, Above Average or High. The assessment is supplemented by the Direction of Composite Risk, which is the Central Bank’s assessment of the most likely direction in which the CRR may move.  The Direction of Composite Risk is rated as decreasing, stable, or increasing and takes into consideration the direction in which capital, earnings and liquidity are expected to move.

Intervention Rating (IR):

The IR is used to determine the level of supervisory intervention required for a financial institution.  It is based on the CRR and other factors such as the institution’s size, complexity, and systemic importance.  The IR helps the Central Bank decide on the appropriate regulatory action, which can range from increased monitoring to more severe measures, from requiring the financial institution to take supervisory action to resolving the institution.  Table 1 shows the relationship between the CRR and IR.

Chart 3 below illustrates a process flow diagram for the RBSF from identification of significant activities to determining the intervention rating.

Source: FISD, Central Bank

TABLE 1: RELATIONSHIP BETWEEN THE CRR AND IR:

The Intervention Rating (reference Central Bank’s Supervisory Ladder of Intervention) will also take into consideration the size, complexity and systemic importance of the institution.