Alberta Superintendent of Insurance Issues Bulletin re Motor Vehicle Warranties and Protection Products

On October 18th, 2024, the Alberta Superintendent of Insurance (the “Superintendent“) published Interpretation Bulletin No. 05-2024, titled Motor vehicle warranty contracts, dealership loyalty programs and vehicle protection products (the “Bulletin“).

The Bulletin clarifies the Superintendent’s regulatory view of products commonly marketed by automobile dealerships in conjunction with the sale of motor vehicles. A link to the Bulletin is here – https://www.abcouncil.ab.ca/wp-content/uploads/2024/10/tbf-superintendent-of-insurance-2024-05-bulletin.pdf.

We note that the Superintendent made an announcement on October 21, 2024 regarding a revised bulletin, which has not yet been published on its website.

This follows the issuance by the British Columbia Financial Service Authority of Regulatory Statement No. 24-008 Product Warranty, Vehicle Warranty and Automobile Insurance (the “BC Regulatory Statement“) on April 25, 2024, which advised that the BC regulator considers vehicle warranties to be insurance, and accordingly, they may only be sold by licensed agents (unless an appropriate exemption exists under BC legislation). Unlike Alberta, BC does not have a restricted licensing regime applicable to the sale of these products. A link to the BC Regulatory Statement is here.

The Bulletin applies to three categories of products: (1) motor vehicle warranties, (2) motor vehicle dealership loyalty programs, and (3) motor vehicle protection products.

  1. Motor Vehicle Warranties

The Superintendent distinguishes between manufacturer warranties and third-party warranties. Warranties and extended warranties that are offered by the manufacturer (or a wholly-owned subsidiary) of the vehicle are not insurance and are instead subject to the provisions of the Consumer Protection Act (Alberta). However, the Superintendent states that if the coverage includes any risk, peril, damage or loss beyond those inherent deficiencies in the workmanship or materials arising from the production of the motor vehicle, such products are contracts of insurance.

On the other hand, where a motor vehicle warranty contract is issued by a person (e.g., automotive dealer) other than the motor vehicle manufacturer or its wholly-owned subsidiary, these products are contracts of insurance. There is an exception for warranty contracts issued by a person (e.g., automotive repairer) providing coverage solely for those inherent deficiencies in the workmanship arising from the person’s service or repairs of a motor vehicle, which are not considered insurance.

The Superintendent also confirms in the Bulletin that motor vehicle warranty insurance falls under the class “equipment warranty insurance” as defined in the Classes of Insurance Regulation, and is therefore included in the restricted insurance type “equipment warranty insurance” as defined by the Alberta Insurance Council in this specification from 2020.

  1. Motor Vehicle Dealership Loyalty Programs

The Superintendent describes dealership warranty programs as products where the price is typically described as a membership fee, and a dealership discount is provided to consumers on a future replacement motor vehicle should an event occur that results in damage or total loss of the original motor vehicle. Discount values can vary and are based on several factors including, but not limited to, the type of loss, the sale price of the original motor vehicle, and motor vehicle age at the time of purchase. Such products indemnify consumers for part of the cost of purchasing a replacement motor vehicle only on the happening of a certain risk or peril, such as theft or collision. Accordingly, these loyalty programs are insurance, and must be developed, sold, and underwritten in compliance with the Insurance Act (Alberta) (the Act). Debt waivers (commonly referred to as GAP insurance) remain not insurance. However other types of GAP Insurance are treated as insurance. GAP Insurance is defined by the Alberta Insurance Council in this specification from 2020.

  1. Motor Vehicle Protection Products

The Superintendent provides the following examples of vehicle protection products (which it defines as VPPs) that are considered insurance under the Act.

  • Deductible reimbursement and/or monetary credits given in the event of loss, damage, or theft of a motor vehicle;
  • Non-manufacturer tire and rim warranties providing for tire and rim replacement (warranties provided by the motor vehicle manufacturer for tires and rims included in the motor vehicle’s assembly are excluded and are not considered insurance).
  • Glass protection products promising to pay some or all of the cost of a windshield replacement;
  • Products intended to deter theft that include a promise to make a payment in the event of the theft and/or non-recovery of the motor vehicle (or part thereof), such as theft-deterrent etching or tagging and catalytic converter anti-theft devices, that include a promise to pay if the product fails;
  • Key fob replacement coverage; and
  • Payment for a motor vehicle rental provided in conjunction with a VPP that is insurance.

Roadside service plans, or motor vehicle service plans that provide solely for planned maintenance or routine service of a motor vehicle, or minor repairs that are routine to the ownership of a motor vehicle, are not contracts of insurance.

The Superintendent further clarifies that whether a service plan contract is considered insurance or not will depend on whether the service relates directly to wear and tear due to the use of the item as opposed to damage from an external risk such as collision or theft. If the service/repair provided is for reasonable and expected wear and tear, it is likely not insurance.

The key distinction between whether a product is considered insurance or not is whether the product pays an amount or provides something of value in the event of loss or damage resulting from a fortuitous event, rather than a defect in the quality of the product or reasonable wear and tear.

Penalties

Failure to comply with the requirements of the Act in Alberta may result in an administrative penalty of up to $25,000 for each contravention. A person convicted under section 786 of the Act may also be subject to a fine of up to $200,000 (and if of a continuing nature, each day or part of a day constitutes a separate offence).

If you have questions regarding the Bulletin and its application to your business practices, you can reach out to a member of our team.

 

RIBO Holds Town Hall re Mandatory Disclosures Guidance RIBO-002

The Registered Insurance Brokers of Ontario (“RIBO“) held a virtual town hall on Thursday, October 17 to clarify its expectations for disclosure set out in the new guidance Mandatory Disclosures Guidance RIBO-002 released in April 2024 (the “Guidance“), and to answer questions relating to the Guidance. A link to the Guidance is here.

Some key takeaways from the Guidance and the town hall are:

  • RIBO emphasized that mandatory disclosures must be made no later than at the time of the quote. This is a change from previous guidance which provided that disclosure must be at the point of sale.
  • Although Regulation 991: General requires disclosure in writing, verbal disclosure – if done correctly – can be more meaningful to consumers. If verbal disclosure is provided, the Guidance provides that brokers must follow up in writing to confirm the information that was disclosed.
  • A written follow-up can be made by sending PDF copies of the disclosures, or by including links to the documents in an email.
  • Any material change to compensation arrangements should be brought to consumers’ attention on an ongoing basis and at renewal. This can be done by sending links, provided that the broker highlights the relevant information in the email. A link by itself without any explanation or highlighting will be considered not sufficient by RIBO.
  • There is no requirement to obtain written confirmation from the client that they have received the disclosure. However, obtaining written confirmation may make sense and work within a broker’s internal processes and workflows.
  • The commission disclosure requirements apply to commissions received from MGAs as well as from insurers. Brokers must disclose commissions received from all markets, not only insurers. The presenters invited brokers to contact RIBO if they would like to see MGA specific disclosure guidance.

RIBO began enforcing the disclosure and record-keeping requirements set out in the Guidance as of October 1, 2024. Compliance will be enforced by RIBO through its spot-check program and by investigations. RIBO advised that records of disclosure that are difficult to locate or understand, or disclosure that is unclear or vague, will be treated as “non-compliant”.

A recording of the presentation and a copy of the slide deck will be posted on the RIBO site in the coming weeks.

If you have questions regarding the Guidance and its application to your business practices, you can reach out to a member of our team.

Alberta Reduces Regulatory Charges for Unlicensed Insurance

On May 31, 2022, the Alberta government passed Bill 16: Insurance Amendment Act, 2022.  Among other things, the amendments under this Act:

  • reduce the current regulatory charge for purchasing unlicensed insurance from 50% of the premium payable for unlicensed insurance to 10%;
  • reduce the 50% financial penalty for the late payment of all charges and tax on unlicensed insurance, to 10%; and
  • more closely align the Alberta Insurance Act with other Canadian jurisdictions.

The Superintendent of Insurance in Alberta has also recently issued an Interpretation Bulletin 07-2022 on unlicensed insurance in Alberta, which replaces Interpretation Bulletin 02-2017 and provides updated clarification on the requirements for disclosure of unlicensed insurance in accordance with the new amendments to the Alberta Insurance Act.

FSRA’s New Supervisory Framework for Life and Health Agents Means More Proactive Supervision

New Supervisory Framework

On March 29, 2022, the Financial Services Regulatory Authority of Ontario (“FSRA“) announced the launch of the first Life and Health Agent Supervisory Framework (the “Framework“). The Framework represents FSRA’s new, proactive approach to supervising the sale of life and health insurance and is the first ever supervision framework for life and health agents in Ontario. Click here for the full text of the Framework.

Before the launch of the Framework, FSRA and its predecessor’s approach to the supervision of life agents was reactive. Supervision and enforcement focused mainly on those agents who self-declared non-compliance or were in response to complaints against specific agents[1]. Now, FSRA has established a dedicated Life and Health Insurance Agent Unit (the “LAU“) which helped develop the Framework and, going forward, will be responsible for implementing and scaling the Framework, setting target examination volumes and integrating industry best practices into the Framework.

Has anything changed?

The regulatory requirements applicable to insurers and agents remain the same and the Framework does not change any of the legal or licensing requirements applicable to life and health agents under the Insurance Act (Ontario) (the “Act“), Regulation 347/04 (the “Regulation“), or the CCIR and CISRO’s Conduct of Insurance Business and Fair Treatment of Customers Guidance (the “FTC Guidance“). Nor does the Framework alter the insurer’s ultimate responsibility for oversight of agent conduct. The legislation and FSRA still require insurance companies “to ensure that agents comply with the Insurance Act, the regulations and agent licensing requirements” and that insurers “must complete due diligence when delegating functions to managing general agents, such as agent screening and oversight”[2]. What has changed is that FSRA is now taking a proactive approach to supervising and enforcing compliance with these requirements and has dedicated more resources to the supervision of the sale of life and health insurance.

Four Components of the Framework

The Framework sets out the processes and key supervisory components that FSRA will use and consists of the following four key components:

  1. Life agent risk profiling
  2. Life agent examinations
  3. Communications and enforcement actions
  4. Reporting

 

  1. Life Agent Risk Profiling

The agent profiling process will focus on agents with the highest risks. Higher risk agents will be identified using FSRA’s internal data captured through licensing applications, licensing renewals, consumer complaints, the submission of the Life Agent Reporting Form (“LARF“) by insurers, and life agent enforcement activity reported by other regulatory bodies across Canada[3].

  1. Life Agent Examinations

Once a life agent has been identified with a higher risk profile and is referred to LAU through agent licensing management or consumer complaints management, LAU will then begin an ad hoc examination of the identified agent. During the pilot, FSRA developed a six-step examination process which consisted of (i) notice of examination and questionnaire, (ii) review and assessment of questionnaire including confirmation of compliance processes for FINTRAC and applicable privacy and data security legislation, (iii) requesting client files, (iv) file review, (v) agent interview, and (vi) a report on the findings and escalation for review if appropriate.

Based on the results of the pilot, FSRA determined that these steps were an effective method for determining compliance. Please see Appendix A of the Framework for a detailed description of the ad hoc examination process. This examination process will be used to test and verify the agent’s compliance with the Act, the regulations and FTC Guidance.

  1. Communications and Enforcement

The communications and enforcement component of the Framework means FSRA’s communication with the agent upon completion of the examination. The communication component will be performed by way of a closing letter confirming the outcome of the examination. This closing letter will confirm whether there were any contraventions of the Act, regulations or the FTC Guidance, or any other contraventions of business practices that are beyond FSRA’s jurisdiction. If the LAU concludes there were contraventions of the Act, the regulations or the FTC Guidance, the closing letter will also state whether the contraventions will be escalated to FSRA’s Legal and Enforcement Unit or a Regulatory Discipline Officer for enforcement action.

  1. Reporting

The reporting component includes the publication of reports and industry notices. Such reports and notices are intended to contribute to public confidence in FSRA and the life insurance industry generally by promoting transparency, disclosing information and deterring deceptive or fraudulent conduct by life agents.

During the pilot, FSRA published its Second Annual LARF Report dated May 10, 2021. In the Framework, FSRA discloses the outcomes of the pilot to the industry and the public. FSRA also published two industry notices which provided notice to the industry of the outcomes of examinations where FSRA identified potential consumer harm. In one case, an agent had altered clients’ work and study visas during the application process. These alterations were discovered by the insurer during the underwriting process and the agent was immediately terminated. In the second notice, the agent was found to have terminated insurance policies soon after receiving commission and the examination revealed that the agent had engaged in this same activity with other managing general agencies over several years, using the same pool of clients each time. Both industry notices confirmed insurers’ existing obligations under the Regulation to maintain a compliance system and report agents who are not suitable.

Although FSRA has become more proactive in its supervision of agents’ conduct of business, FSRA still expects insurers to oversee and monitor agent and managing general agency conduct. In both industry notices, FSRA reminded life and health insurance companies of their role in ensuring agents comply with legal obligations and meet high business conduct standards.

Conclusion

Based on the outcomes of its pilot project, FSRA has concluded that life agents in Ontario need to improve their overall business practices and that the insurers who are obligated to monitor the intermediaries authorized to sell their products need to review their life agent compliance programs. As FSRA implements and scales the Framework, FSRA intends to consult with the industry on integrating best practices enforcement into the Framework in support of the fair treatment of customers. FSRA also plans to consult with its stakeholders about what examination volume would be considered reasonable and proportionate within the Ontario marketplace.

[1] See pages 29 and 121 of the International Monetary Fund’s Country Report No. 14/72 – Canada Financial Sector Assessment Program ,dated March 2014.

[2] See FSRA Industry Notice titled FSRA Requires Insurers to Monitor Agent Conduct dated February 17, 2021, for more information.

[3] In 2009, FSRA’s predecessor, the Financial Services Commission of Ontario and Québec’s Autorité des marches financier implemented a common web based system to harmonize complaint data reporting requirements across Canada, except for British Columbia.

OSFI ISSUES FINAL REINSURANCE GUIDELINES

On February 11, 2022, the Office of the Superintendent of Financial Institutions (“OSFI“) issued final versions of its revised Guideline B-3 Sound Reinsurance Practices and Procedures (“New Guideline B-3“) and Guideline B-2 Property and Casualty Large Exposures and Investment Concentration (“New Guideline B-2“) (together, New Guideline B-3 and New Guideline B-2 are the “New Guidelines“), marking the completion of Phase II of OSFI’s review of reinsurance practices which began with the publication of its Reinsurance Framework Discussion Paper in 2018 (the “Discussion Paper”).

The New Guidelines will not be effective until January 2025 and the current in-force guideline B-3 that was published in December 2010 (“In-force Guideline B-3”) will remain effective until that time. OSFI plans to hold information sessions in the coming months to help federally regulated insurers (“FRIs“) better understand OSFI’s expectations under the New Guidelines.

The remaining Phase of OSFI’s review of reinsurance contemplates possible changes to the MCT and LICAT capital guidelines, though no firm dates or timing for such changes have been released to date.

NEW GUIDELINE B-3

The “key principles” established under In-force Guideline B-3 which apply to all FRIs are substantially the same as those set out in New Guideline B-3 and the changes are primarily clarifications and amplifications of OSFI’s existing expectations. Having said that, FRIs will still need to begin adjusting current actuarial and compliance processes to meet OSFI’s expectations for stress testing, due diligence and monitoring of reinsurance counterparties under New Guideline B-3.

A summary of the key clarifications and changes in New Guideline B-3 is set out below.

Managing risks through reinsurance versus risks from the use of reinsurance

  • Although the first key principle in New Guideline B-3 is the same as in the In-force Guideline B-3, New Guideline B-3 distinguishes between OSFI’s expectations for managing risks through reinsurance and managing the risks arising from the use of The scope of an FRI’s reinsurance risk management policy (“RRMP“) should be expanded to include the risks that arise out of the use of reinsurance itself.
  • OSFI expressly acknowledges that reinsurance may be used for purposes not directly linked to mitigation of an FRI’s risks and that OSFI will review reinsurance arrangements based on the risk impact to the FRI.
  • Specifically, OSFI clarifies that, where risks insured in Canada are ceded by a foreign FRI back to the foreign FRI’s home office through affiliated reinsurers, OSFI will generally not recognize or grant credit for that foreign FRI’s reinsurance arrangements.

Stress Testing

  • Under the first key principle, both In-force Guideline B-3 and New Guideline B-3 state that an assessment of the adequacy and effectiveness of an FRI’s reinsurance arrangements may require stress testing of exceptional but plausible scenarios to determine if reinsurance arrangements adequately mitigate losses in accordance with the FRI’s risk appetite.
  • However, New Guideline B-3 provides more clarity and detail concerning OSFI’s expectations for stress testing and assessing reinsurance counterparty risk, as follows:
    • stress testing to assess counterparty risk should be considered at an aggregate level (e.g., group of affiliated counterparties);
    • counterparty risk should be assessed from the perspective of both going-concern and gone-concern scenarios of its reinsurers;
    • the process for assessing counterparty risk should be consistent regardless of whether counterparties are affiliated or non-affiliated;
    • the FRI should consider its total exposure to a counterparty as part of its assessment of counterparty risks;
    • an FRI should establish appropriate counterparty concentration limits applicable to both individual counterparties and to groups of affiliated counterparties; and
    • FRIs must maintain a record of the stress testing performed on its reinsurance program and provide copies to OSFI upon request.

Due Diligence

  • Under the second key principle in New Guideline B-3, OSFI’s expectations of an FRI’s due diligence on its reinsurance counterparties are substantially the same as under In-force Guideline B-3, with the added qualification that the level of due diligence should be “sufficient”.
  • In addition to the level of due diligence being commensurate with the FRI’s aggregate exposure to a reinsurance counterparty, OSFI has clarified that it now expects the level of due diligence with respect to a reinsurance counterparty should not be any less thorough if the counterparty is an affiliate of the FRI

New expectations for clauses in reinsurance contracts

In-force Guideline B-3 modifies the language of the insolvency clauses set out under the fourth key principle that OSFI expects to see in all reinsurance contracts. OSFI still expects that FRIs ensure all reinsurance contracts contain an insolvency clause which requires the reinsurer to continue to make full payments to the FRI without any reduction resulting solely from the FRI’s insolvency. However, New Guideline B-3 adds that, where the reinsurer is within the same corporate group as the ceding FRI, OSFI expects the reinsurance contract to contain a clause stipulating that “all reinsurance receivables are to be paid directly to the FRI-cedant in Canada, or to a person acting for, or on behalf of, the FRI-cedant in Canada”. The effect is that, where the reinsurer is an affiliate of the ceding FRI, this clause would apply whether or not the FRI-cedant is solvent or insolvent.

NEW GUIDELINE B-2

In the Discussion Paper, OSFI indicated that OSFI’s concerns with the current reinsurance framework were more prominent in the property and casualty (“P&C“) sector and that, as a result of its review of the existing reinsurance framework, there may be important changes to prudential limits and restrictions and capital adequacy for P&C FRIs.

New Guideline B-2, which applies to P&C FRIs on an individual and a consolidated basis, sets out OSFI’s expectations for P&C FRIs with respect to: (i) the losses they could withstand from a single large insurance exposure; (ii) the failure of an individual unregistered insurance counterparty; and (iii) investment concentration. Please see below for a high-level summary of OSFI’s expectations set out in New Guideline B-2.

Gross Underwriting Limit Policy

In addition to having an RRMP that meets OSFI’s expectations set out in New Guideline B-3, P&C FRIs are expected to have a Gross Underwriting Limit Policy (“GUWP“) which should:

  • define what constitutes a “Single Insurance Exposure[1]” for each class of insurance;
  • establish limits by class of insurance regarding the level of gross insurance risk that the P&C FRI is willing to accept in respect of a maximum loss related to a Single Insurance Exposure; and
  • be reviewed by senior management at least once a year.

OSFI expects that the determination of the acceptable maximum loss on a Single Insurance Exposure should be made without regard to the probability of the loss event using approaches that are risk-based and forward-looking, and not solely based on past losses.

In New Guideline B-2, OSFI expects P&C FRIs to consider the following in determining its Single Insurance Exposure for each class of insurance:

Property The aggregated insurance exposures on in-force policies at a single location, including any exposures subject to the location.
Credit The aggregated insurance exposures on in-force policies to any one single buyer or group of connected buyers.
Surety The aggregated insurance exposures on in-force bonds to any one single contractor or group of connected contractors.
Title The aggregated insurance exposures on in-force policies related to the legal title for a single location.

 

P&C FRIs will also be expected to provide OSFI, at OSFI’s request, with all information with respect to their large Single Insurance Exposures. OSFI may also, at its discretion, advise a P&C FRI to use specific criteria or an approach to determine and measure its maximum loss on a Single Insurance Exposure.

Insurance Exposure Limit

The New Guideline B-2 also sets insurance exposure limits that apply to the direct business written by P&C FRIs and the assumed business from any affiliated company where that affiliated company is a P&C FRI and is a direct writer of that business. A P&C FRI’s Net Retention[2] plus its Largest Net Counterparty Unregistered Reinsurance Exposure[3] should not, at any time, exceed the following limits for a maximum loss on a Single Insurance Exposure:

Insurance Companies 1)     100 percent of a P&C FRI’s Total Capital Available[4] where any entity in the P&C FRI’s control chain is:

a)     a widely held company; and/or

b)     a regulated financial institution; or

2)     25 percent of Total Capital Available otherwise.

 

Foreign Branches 100% of Net Assets Available[5].

 

OSFI expects that the Largest Net Counterparty Unregistered Reinsurance Exposure to a given counterparty, or group of affiliated counterparties, should be measured on a gross and a net basis (i.e., both before and after the recognition of any eligible counterparty risk mitigation (CRM) technique, including by means of the use of excess collateral or letters of credit[6]).

Investment Concentration

New Guideline B-2 provides that a P&C FRIs investment in any one entity or group of affiliated companies should not exceed the following limit:

Insurance Companies 5% of the company’s assets
Foreign Branches 5% of the company’s assets in Canada

 

For Foreign Branches, “assets in Canada” means the total value of assets under the control of the Minister of Finance (vested in trust in Canada), as reported on the balance sheet of the regulatory return filed with OSFI. These limits should also consider other investments or commitments not shown on the FRI’s balance sheet, such as options, futures, forward contracts and unfunded portions of committed loans.

OSFI’S NEXT STEPS 

OSFI still expects Boards of Directors of all FRIs to apply the New Guidelines within the context of their supervisory and oversight obligations set out in OSFI’s Corporate Governance Guideline and all FRIs will be staying tuned for the feedback that comes from industry information sessions in the coming months. The publication of the New Guidelines brings Phase II of OSFI’s review of reinsurance practices to a conclusion and we will be staying tuned for any changes to the MCT or LICAT guidelines as part of Phase III.

Footnotes

[1] In Annex 1 of New Guideline B-2, OSFI permits FRIs to define “Single Insurance Exposure” for themselves, stating that: “P&C FRIs can define what constitutes a Single Insurance Exposure within their GUWP.

[2] This term is defined in New Guideline B-2 as follows: “The amount of insurance exposure which a P&C FRI retains net for its own account and does not pass on to another insurer (or reinsurer). Any reinstatement premiums should be included in the Net Retention value.”

[3] This term is defined in the New Guideline B-2 as follows: “The largest amount of ceded unregistered reinsurance on an insurance exposure provided by a (re)insurance group (e.g., Affiliated Company counterparties that are part of a (re)insurance group). This amount should be on a net basis; that is, after recognition of any eligible CRM technique.”

[4] This term is defined in New Guideline B-2 as follows: “For a P&C FRI that is a company, the consolidated total available capital of a company as defined for the purpose of calculating the Minimum Capital Test (MCT) / Mortgage Insurer Capital Adequacy Test (MICAT).”

[5] This term is defined in New Guideline B-2 as follows: “For a P&C FRI that is a foreign branch, the net assets available as defined for the purposes of calculating the Branch Adequacy of Assets Test (BAAT).”

[6] New Guideline B-2 states that: “The limit on the use of letters of credit for unregistered reinsurance with a given counterparty, or group of Affiliated Company counterparties, including any letters of credit that are part of excess collateral, is 30% and is measured against the value of the insurance exposure.”

 

OSFI Lifts Restrictions on Canada’s Federally Regulated Financial Institutions related to Increasing Dividends, Share Repurchases and Raising Executive Compensation

On November 4th, 2021, Peter Routledge, the Superintendent of Financial Institutions (Canada) (the “Superintendent“) announced that the Office of the Superintendent of Financial Institutions (“OSFI”) was lifting regulatory restrictions that it had imposed on federally regulated financial institutions (“FRFIs“) relating to dividends, share repurchases and executive compensation, effective immediately.

In response to the potential instability created as a result of the COVID-19 pandemic, in March 2020, OSFI had announced a series of temporary regulatory and supervisory adjustments to protect the resiliency of Canada’s FRFIs which included expectations that FRFIs would not increase regular dividends, undertake common share repurchases or raise executive compensation.

The Superintendent explained there were three key elements of its reasoning for lifting these expectations: (i) the original rationale for its expectations was no longer applicable and most of OSFI’s other regulatory and supervisory accommodations in response to the COVID-19 pandemic have already been removed, (ii) the responsibility for these decisions appropriately rests with the board and management of FRFIs, and (iii) OSFI has confidence in the boards and management of FRFIs to act responsibly when making decisions about capital contribution decisions and expects them to continue to affirm this tendency.

However, the Superintendent noted that OSFI will still expect management and boards of directors of FRFIs to “act responsibly, and employ robust risk management practices and sensitivity analysis that uses conservative and prudent assumptions to guide decisions pertaining to capital distributions”.

The Superintendent also restated OSFI’s intention to transform itself to respond to an ever-changing risk environment and to prepare for more frequent instability, noting that OSFI is changing how it views risk and expect boards of FRFIs to do so as well. Based on the Superintendent’s remarks at the 2021 Global Risk Institute Annual Summit on September 29, 2021, FRFIs and their advisors can expect to hear more from OSFI on disclosures about climate risk, digitalization risk and OSFI’s internal organizational transformation.

For a link to the Superintendent’s announcement related to dividends, share repurchases and executive compensation, click here.

For a link to the Superintendent’s remarks at the 2021 Global Risk Institute Annual Summit, click here.

Updated Requirements for Federally Regulated Financial Institutions’ Technology and Cyber Incident Reporting Obligations

On August 13, 2021, the Office of the Superintendent of Financial Institutions (“OSFI“) released an updated Technology and Cyber Security Incident Reporting Advisory (the “New Advisory“) for federally regulated financial institutions (“FRFIs“) which replaces the Technology and Cyber Security Incident Reporting Advisory previously published in January 2019 (the “2019 Advisory“).

The New Advisory potentially lowers the threshold for reporting and expands the scope of reportable incidents. Under the New Advisory, FRFIs who fail to comply with the new reporting requirements could be subject to increased supervisory oversight by OSFI. In connection with the New Advisory, OSFI also released an updated Cyber Security Self-Assessment Tool to assist FRFIs in reviewing their ability to manage technology and cyber risks and to respond to incidents.

The key updates in the New Advisory are:

  • New Definition of Technology or Cyber Security Incident – The New Advisory defines a technology or cyber security incident as “an incident that has an impact, or the potential to have an impact on the operations of a FRFI”. This appears to be a lower threshold for reporting than the 2019 Advisory, which defined a reportable incident as an incident having the potential to, or having been assessed to, “materially impact the normal operations of a FRFI”.
  • New Characteristics and Criteria for Reporting – Whereas the criteria for reporting set out in the 2019 Advisory included incidents that would have a “significant operational impact”, “material impact”, “extended disruptions” or “material consequences”, the New Advisory has removed these qualifiers. The new criteria no longer require that the impact be significant or material. Under the New Advisory, it appears that any impact to a FRFI’s systems, operations or to the Canadian financial system may trigger the reporting requirement. The New Advisory also expands the list of criteria for reporting. For example, in the 2019 Advisory, one of the criteria was whether an incident had been reported to the Office of the Privacy Commissioner (“OPC“) pursuant to the mandatory reporting of breaches of security safeguards under the Personal Information Protection and Electronic Documents Act (“PIPEDA“). The New Advisory provides that, in addition to reporting to the OPC or law enforcement under PIPEDA, if an incident has invoked internal or external counsel, that the incident may have to be reported.
  • Shorter Initial Notification Requirements – Incidents must now be reported within 24 hours, or sooner if possible. This is shorter than the notification requirement under the 2019 Advisory which was to report an incident “as promptly as possible, but no later than 72 hours.” There are no changes to subsequent reporting requirements and OSFI still expects FRFIs to provide situation updates, including any short-term and long-term remediation actions and plans until the incident is contained or resolved. Reports must be made in writing using the template provided in Appendix II to the New Advisory.
  • New Consequences of Failure to Report – Under the New Advisory, failure to report a technology or cyber security incident may result in increased oversight by OSFI. Notably, such increased oversight could include watch-listing of the FRFI and staging by OSFI. The 2019 Advisory did not provide for the consequences of a failure to report.

The 2019 Advisory provided that incidents “assessed by a FRFI to be of a high or critical severity level should be reported to OSFI”. Under the New Advisory, this provision is now included in the expanded criteria for reporting. OSFI advises that if a FRFI is uncertain whether to report an incident, the FRFI should consult their OSFI Lead Supervisor.

The obligation of FRFIs to report a technology or cyber security incident under the New Advisory is in addition to its obligations under applicable privacy legislation to report a breach of security safeguards.

The updates to the New Advisory may require FRFIs to review and update their policies and procedures related to technology and cyber security as well as outsourcing arrangements given that FRFIs will be expected to report incidents of third-party vendors that may affect the FRFI.

OSFI Publishes Guideline E-4: Foreign Entities Operating in Canada on a Branch Basis

On June 28 2021, the Office of the Superintendent of Financial Institutions Canada (OSFI) issued the final version of Guideline E-4: Foreign Entities Operating in Canada on a Branch Basis (“Guideline E-4”). Guideline E-4 applies to both foreign banks and foreign insurance branches and replaces Guideline E-4A: Role of the Chief Agent and Record Keeping Requirements (which applied only to insurers) and Guideline E4-B: Role of the Principal Officer and Record Keeping Requirements (which applied only to banks) (collectively, the “Existing Guidelines”). OSFI expects all foreign branches operating in Canada to be compliant with Guideline E-4 by January of 2022.

Guideline E-4 compares to the Existing Guidelines as follows:

  • General Direction:
    • Guideline E-4 envisions OSFI’s expectations with respect to foreign entities operating in Canada on a branch basis. It provides for greater emphasis on the expectations of foreign entities operating in Canada by outlining their responsibilities in the management of the Canadian business.
  • Branch Management:
    • Guideline E-4 presents “Branch Management”, which includes a team of individuals who have the authority and responsibility of overseeing the business in Canada. This may include the Chief Agent of a foreign insurance branch or the principal officer of a foreign bank branch and senior officers of the foreign entity located in or outside Canada.
    • The composition of the Branch Management team is expected to be proportionate with the overall size and complexity of the foreign branch’s federally regulated business in Canada.
    • Branch Management will be responsible for the effective adaptation, implementation and oversight of the foreign entity, which includes the expectation that Branch Management have sufficient knowledge of all applicable Canadian legislation, regulations, guidelines and any other supervisory or regulatory matters related to the foreign entity’s federally regulated business in Canada. Accordingly, Guideline E-4 looks to the foreign entity’s Branch Management for accountability and management contrary to the Existing Guidelines which looked only to the Chief Agent or Principal Officer for accountability.
    • If there are any changes to Branch Management, new reporting measures are in place which do not apply to the Chief Agent or Principal Officer under the Existing Guidelines. Particularly, the foreign entity is obligated to notify OSFI of any potential changes to the Brach Management team and any circumstances that may negatively impact the Branch Management team.
  • Arrangements with the Foreign Entity’s Home Office:
    • Branch Management must document any arrangements involving material actions by the foreign entity’s home office on behalf of the branch. Guideline B-10: Outsourcing of Business Activities, Functions and Processes continues to apply to Guideline E-4 when determining the material functions of a branch’s home office when acting on behalf of the foreign entity.
    • If the foreign entity’s home office and its branch engage in the flow of funds then OSFI must be provided with details regarding the arrangement. Moreover, OSFI must be provided advanced notice of 10 business days by Branch Management before any funds are transferred to the foreign entity’s home office if the transfer of funds materially deviates from the documented process. The notice period of 10 business days is shorter than the Draft Guideline initially proposed of 30 days’ notice.
  • Record Keeping:
    • Guideline E-4 aligns with new amendments to the location of records requirements provided in the Insurance Companies Act (“ICA”) and the Bank Act (“BA”), which will be effective in July of 2021. For branches under the BA, copies of records must be stored at the principal office in Canada or at another place in Canada found suitable by the principal officer. For branches under the ICA, copies of records must be stored at the chief agency in Canada.
    • Electronic records must be kept on a computer server physically located at the places stipulated in the BA and the ICA. Although electronic records must be available to be reproduced in written form within a reasonable period of time, certain information, such as reinsurance arrangements, an executed copy may be required to be available at OSFI’s request. However, certain bank branches and insurance branches are exempted from the requirements to keep copies of the records in Canada and must instead provide OSFI with immediate, direct, complete and ongoing access to the records that are stored outside Canada.
    • The Guideline does not include any significant updates to the electronic storage of Records, nor does it clarify data processing and retention of records as it relates to cloud computing.
    • Records must be updated and accurate as at the end of each business day, unless they are records that change less frequently than daily. The records must be sufficiently detailed to allow OSFI to conduct an examination and inquiry into the business of the branch, manage the branch’s assets prior to the appointment of a liquidator (if the Superintendent takes control of the branch’s assets in Canada, and to allow the liquidator to conduct an effective liquidation of the branch’s assets in Canada.
  • Supervision of Branches:
    • Although the designation of branch responsibilities in the Existing Guidelines has not been built-in to Guideline E-4, OSFI expects the foreign entity, through its designated Branch Management, to be accountable to OSFI for its federally regulated business in Canada. As such, Branch Management should be knowledgeable of the results of OSFI’s supervisory role and manage the appropriate response to any supervisory expectations.

OSFI continues to expect that all foreign entities operating in Canada as a branch remain in compliance with the legislative requirements of the BA and ICA, and all applicable supervisory and regulatory expectations set out by OSFI and its guidance. If OSFI is not satisfied that the expectations set out in Guideline E-4 are being met, OSFI may apply additional supervisory and regulatory actions to the foreign entity’s branch in Canada.

Bill C-11: A Step Back Overall for Privacy Protection in Canada says Federal Privacy Commissioner

The Personal Information Protection and Electronic Documents Act (“PIPEDA”) is federal legislation that governs personal information held by private sector organizations in the course of for-profit, commercial activities across Canada. It also applies to personal information of employees of federally-regulated businesses including banks, airlines and telecommunications companies. On November 17, 2020, the federal government introduced Bill C-11, which proposes the enactment of the Consumer Privacy Protection Act (“CPPA”) and the repeal of Part I of PIPEDA. Bill C-11 can only become law after it has been approved by both Houses of Parliament and has received Royal Assent.

On May 11, 2021, the Federal Privacy Commissioner of Canada, Daniel Therrien, released a submission to the House of Commons Standing Committee on Access to Information, Privacy and Ethics, which provides that the Commissioner believes that Bill C-11 “represents a step back overall from our current law and needs significant changes if confidence in the digital economy is to be restored.” The Commissioner emphasizes that Bill C-11, as drafted:

“would be a step back overall because the provisions meant to give individuals more control give them less; because the increased flexibility given to organizations to use personal information without consent do not come with additional accountability one would expect; because administrative penalties will not apply to the most frequent and important violations, those relevant to consent and exceptions to consent; and because [the Office of the Privacy Commissioner of Canada (“OPC”)]  would not have the tools required to manage its workload to prioritize activities that are most effective in protecting Canadians.”

The Commissioner’s submission on Bill C-11 provides over 60 recommendations, which he believes are required to help ensure that organizations can responsibly innovate while recognizing and protecting the privacy rights of Canadians. The Commissioner’s recommended changes are categorized into the following three themes:

Weighting of Privacy Rights and Commercial Interests

  • The Commissioner’s submission provides that Bill C-11 “arguably gives more weight to commercial interests than the current law by adding new commercial factors to be considered in the balance, without adding any reference to the lessons of the past twenty years on technology’s disruption of rights.”
  • The submission further provides that “it would be normal and fair for commercial activities to be permitted within a rights framework, rather than placing rights and commercial interests on the same footing. Generally, it is possible to concurrently achieve both commercial objectives and privacy protection. This is how we conceive responsible innovation. However, when there is a conflict, we believe rights should prevail.”
  • The Commissioner suggests 10 recommendations under this theme, including recommendations with respect to the inclusion of a human rights-based framework in the CPPA and amendments to the definitions of personal information, sensitive information and commercial activity.
  • Of particular interest is the Commissioner’s reference to Dr. Teresa Scassa’s description of a human rights-based approach to privacy protection. Dr. Scassa describes a human rights-based approach to privacy as “one that places the human rights values that underlie privacy protection at the normative centre of any privacy legislation. . . . it acknowledges the nature and value of privacy as a human right so as to give privacy its appropriate weight in any balancing exercise.”

Specific Rights and Obligations

  • The Commissioner suggests 22 recommendations under this theme, focused within three particular areas: consent and the exceptions thereto, organizational obligations, and individual data rights.
  • Consent and the Exceptions Thereto
    • The Commissioner suggests changes to ensure consent is informed and meaningful. The Commissioner also notes that while several new exceptions to consent are reasonable, there are two main concerns:“some exceptions are unreasonably broad; and the Bill fails to associate greater authority to use personal information with greater accountability by organizations for how they will use these permissions.” The Commissioner addresses these concerns by suggesting revisions with respect to the scope of socially beneficial purposes, publicly available personal information, de-identification of personal information and disclosure of personal information to law enforcement.
    • Of particular interest is the Commissioner’s assertion that “[t]he CPPA does not speak to format, content structure, or accessibility. Each of these is a factor that contributes to an individual’s understanding of how their personal information is being used.”
  • Organizational Obligations
    • The Commissioner suggests changes in Bill C-11 with respect to accountability, trans-border data flows and service providers, safeguarding, breach reporting and domestic service providers.
    • Of particular interests is the Commissioner’s suggestion that the accountability principle is not clearly defined in the CPPA, and that the legislation does not “provide protective measures such that the accountability of organizations is real and demonstrable.”
  • Individual Rights
    • The Commissioner suggests changes in Bill C-11 with respect to automated decision-making, the right to reputation and data mobility.

Quick and Effective Remedies and the Role of the Office of the Privacy Commissioner of Canada

  • The Commissioner suggests a strong enforcement and oversight mechanism which should include access to quick and effective remedies for individuals and should provide the regulator with the legal mechanisms required to protect Canadians.
  • The Commissioner suggests 20 recommendations under this theme, including recommendations with respect to remedies, the rules of procedure and evidence in investigations, special cases of breaches, compliance agreements, the Personal Information and Data Protection Tribunal, administrative monetary penalties, private right of action, the role of the regulator, the discretion to investigate, advising organizations on their privacy management programs, codes of practice and certification programs, amendments to rules which mandate the Commissioner to consider the size of the organization and other factors mentioned, demonstrable accountability and proactive inspections, proactive compliance audits, the prohibition on use of information provided by an organization, confidentiality and cooperation with other organizations and offences.
  • Of particular interest is the commissioner’s recommendation with respect to the Personal Information and Data Protection Tribunal. Here, the Commissioner has stated that “[w]hile the OPC welcomes oversight and accountability for our actions, we respectfully suggest that the new Tribunal is both unnecessary to achieve greater accountability and fairness (the Federal Court already plays this role), and counter-productive in achieving quick and effective remedies. In fact, all objective indicators show overwhelmingly that the Tribunal would unnecessarily delay justice for consumers. . . . In summary, there is no need to add an administrative appeal to ensure fairness to business when the Federal Court already plays this role, and as, at any rate, the OPC has an exemplary record in this regard. Moreover, adding a level of appeal can only delay the ultimate resolution of cases.”

In light of the Commissioner’s submission to the Standing Committee, Bill C-11 could undergo changes before it is passed, especially given Commissioner Therrien’s recent reappointment on June 4, 2021 for a one-year term. Organizations should pay particular attention to developments regarding Bill C-11 as changes may be forthcoming.

 

CISRO Seeking Input on the Principles of Conduct for Intermediaries

The Canadian Insurance Services Regulatory Organization (CISRO) recently released for comment draft Principles of Conduct for Intermediaries (“Principles”). The Principles are aimed at safeguarding the fair treatment of customers by intermediaries in the life & health and property & casualty insurance sectors by requiring that they conduct their business in a transparent and honest manner. Insurers are responsible for the fair treatment of customers throughout the life cycle of the insurance product, while intermediaries have oversight responsibilities to ensure that their employees and representatives meet high standards of integrity and ethics. While acknowledging that each jurisdiction has its own regulatory approach for the conduct of business, the Principles envision minimum regulatory conduct standards that are common across Canada regarding the fair treatment of customers. The Principles are intended to tie in with the Guidance on Conduct of Insurance Business and Fair Treatment of Customers (FTC), issued by CISRO and the Canadian Council of Insurance Regulators (CCIR). The Principles also align with Insurance Core Principles (ICP) of the International Association of Insurance Supervisors’ (IAIS).

Who Are Intermediaries? Intermediary encompasses adjusters, individual agents, brokers, representatives and business entities that distribute insurance products and services, including managing general agencies and third party administrators.

Who Are Customers? Customers may include a policyholders (or certificate holders), prospective policyholders with whom an insurer or intermediary interacts, or other beneficiaries and claimants with a legitimate interest in the policy.

The Principles shape professional behaviour and conduct expectations for the fair treatment of customers:

  1. Compliance / Outcomes: Intermediaries must comply with all applicable laws, regulations, rules and regulatory codes to which they are subject to.
  2. Customers’ Interests: Intermediaries must place customers’ interests above their own, including when an intermediary is developing, marketing, distributing and servicing insurance products.
  3. Conflicts of Interest: Intermediaries must identify, disclose and manage any actual or potential conflict of interest pertaining to a transaction or recommendation. Intermediaries must avoid entering into agreements where conflicts of interests may obstruct the fair treatment of customers or cannot be managed.
  4. Advice: In order to comprehend and recognize customers’ unique needs, intermediaries must seek complete information from customers when providing them with advice.
  5. Disclosure: Customers must be provided with objective, complete, relevant and accurate information by intermediaries, so that customers may make informed decisions. Intermediaries must properly disclose relevant information to all necessary parties (including the insurer) and disclose information in a manner that is clear and comprehensible for customers.
  6. Product and Service Promotion: Intermediaries must ensure that products and services are endorsed in a clear and fair manner that is not misleading. Promotions should be easily understandable and disclose all necessary and relevant information.
  7. Claims, Complaints Handling, and Dispute Resolution: Intermediaries must handle claims, complaints and disputes in a timely and fair fashion.
  8. Protection of Personal and Confidential Information: Intermediaries must engage in necessary measures to protect personal and confidential information by: collecting only information that is necessary for the completion of the service or product provided; use and disclose information only for purposes and for the duration for which the customer has consented; and comply with all applicable privacy legislation for information management.
  9. Competence: Intermediaries must preserve an appropriate standard of professional knowledge to ensure the fair treatment of customers. Continuing education obligations must be met and duties must match the level of training and education provided. Intermediaries must not misrepresent their level of competence or conduct business beyond their threshold of professional knowledge and experience.
  10. Oversight: Intermediaries with contractual or regulatory oversight responsibilities are accountable for the conduct of any employee or third party involved in the distribution or servicing of insurance products. Policies and procedures, training and control mechanisms must be utilized by intermediaries in their oversight roles to ensure the fair treatment of customers.

CISRO is seeking feedback on the proposed Principles from a wide range of stakeholders, including the insurance industry and consumer advocates. Respondents should submit comments to cisro-ocra@fsrao.ca by July 9, 2021.

Contact Us