Alberta Reduces Regulatory Charges for Unlicensed Insurance

On May 31, 2022, the Alberta government passed Bill 16: Insurance Amendment Act, 2022.  Among other things, the amendments under this Act:

  • reduce the current regulatory charge for purchasing unlicensed insurance from 50% of the premium payable for unlicensed insurance to 10%;
  • reduce the 50% financial penalty for the late payment of all charges and tax on unlicensed insurance, to 10%; and
  • more closely align the Alberta Insurance Act with other Canadian jurisdictions.

The Superintendent of Insurance in Alberta has also recently issued an Interpretation Bulletin 07-2022 on unlicensed insurance in Alberta, which replaces Interpretation Bulletin 02-2017 and provides updated clarification on the requirements for disclosure of unlicensed insurance in accordance with the new amendments to the Alberta Insurance Act.

FSRA’s New Supervisory Framework for Life and Health Agents Means More Proactive Supervision

New Supervisory Framework

On March 29, 2022, the Financial Services Regulatory Authority of Ontario (“FSRA”) announced the launch of the first Life and Health Agent Supervisory Framework (the “Framework”). The Framework represents FSRA’s new, proactive approach to supervising the sale of life and health insurance and is the first ever supervision framework for life and health agents in Ontario.

Before the launch of the Framework, the approach of FSRA and its predecessor to the supervision of life agents was reactive. Supervision and enforcement focused mainly on those agents who self-declared non-compliance, or took place in response to complaints against specific agents[1]. Now, FSRA has established a dedicated Life and Health Insurance Agent Unit (the “LAU”) which helped develop the Framework and, going forward, will be responsible for implementing and scaling the Framework, setting target examination volumes and integrating industry best practices into the Framework.

Has anything changed?

The regulatory requirements applicable to insurers and agents remain the same and the Framework does not change any of the legal or licensing requirements applicable to life and health agents under the Insurance Act (Ontario) (the “Act”), Regulation 347/04 (the “Regulation”), or the CCIR and CISRO’s Conduct of Insurance Business and Fair Treatment of Customers Guidance (the “FTC Guidance”). Nor does the Framework alter the insurer’s ultimate responsibility for oversight of agent conduct. The legislation and FSRA still require insurance companies “to ensure that agents comply with the Insurance Act, the regulations and agent licensing requirements” and that insurers “must complete due diligence when delegating functions to managing general agents, such as agent screening and oversight”[2]. What has changed is that FSRA is now taking a proactive approach to supervising and enforcing compliance with these requirements and has dedicated more resources to the supervision of the sale of life and health insurance.

Four Components of the Framework

The Framework sets out the processes and key supervisory components that FSRA will use and consists of the following four key components:

  1. Life agent risk profiling
  2. Life agent examinations
  3. Communications and enforcement actions
  4. Reporting

  1. Life Agent Risk Profiling

The agent profiling process will focus on agents with the highest risks. Higher risk agents will be identified using FSRA’s internal data captured through licensing applications, licensing renewals, consumer complaints, the submission of the Life Agent Reporting Form (“LARF”) by insurers, and life agent enforcement activity reported by other regulatory bodies across Canada[3].

  2. Life Agent Examinations

Once a life agent has been identified with a higher risk profile and is referred to LAU through agent licensing management or consumer complaints management, LAU will then begin an ad hoc examination of the identified agent. During the pilot, FSRA developed a six-step examination process which consisted of (i) notice of examination and questionnaire, (ii) review and assessment of questionnaire including confirmation of compliance processes for FINTRAC and applicable privacy and data security legislation, (iii) requesting client files, (iv) file review, (v) agent interview, and (vi) a report on the findings and escalation for review if appropriate.

Based on the results of the pilot, FSRA determined that these steps were an effective method for determining compliance. Please see Appendix A of the Framework for a detailed description of the ad hoc examination process. This examination process will be used to test and verify the agent’s compliance with the Act, the regulations and FTC Guidance.

  3. Communications and Enforcement

The communications and enforcement component of the Framework means FSRA’s communication with the agent upon completion of the examination. The communication component will be performed by way of a closing letter confirming the outcome of the examination. This closing letter will confirm whether there were any contraventions of the Act, regulations or the FTC Guidance, or any other contraventions of business practices that are beyond FSRA’s jurisdiction. If the LAU concludes there were contraventions of the Act, the regulations or the FTC Guidance, the closing letter will also state whether the contraventions will be escalated to FSRA’s Legal and Enforcement Unit or a Regulatory Discipline Officer for enforcement action.

  4. Reporting

The reporting component includes the publication of reports and industry notices. Such reports and notices are intended to contribute to public confidence in FSRA and the life insurance industry generally by promoting transparency, disclosing information and deterring deceptive or fraudulent conduct by life agents.

During the pilot, FSRA published its Second Annual LARF Report dated May 10, 2021. In the Framework, FSRA discloses the outcomes of the pilot to the industry and the public. FSRA also published two industry notices which provided notice to the industry of the outcomes of examinations where FSRA identified potential consumer harm. In one case, an agent had altered clients’ work and study visas during the application process. These alterations were discovered by the insurer during the underwriting process and the agent was immediately terminated. In the second notice, the agent was found to have terminated insurance policies soon after receiving commission and the examination revealed that the agent had engaged in this same activity with other managing general agencies over several years, using the same pool of clients each time. Both industry notices confirmed insurers’ existing obligations under the Regulation to maintain a compliance system and report agents who are not suitable.

Although FSRA has become more proactive in its supervision of agents’ conduct of business, FSRA still expects insurers to oversee and monitor agent and managing general agency conduct. In both industry notices, FSRA reminded life and health insurance companies of their role in ensuring agents comply with legal obligations and meet high business conduct standards.

Conclusion

Based on the outcomes of its pilot project, FSRA has concluded that life agents in Ontario need to improve their overall business practices and that the insurers who are obligated to monitor the intermediaries authorized to sell their products need to review their life agent compliance programs. As FSRA implements and scales the Framework, FSRA intends to consult with the industry on integrating best practices enforcement into the Framework in support of the fair treatment of customers. FSRA also plans to consult with its stakeholders about what examination volume would be considered reasonable and proportionate within the Ontario marketplace.

[1] See pages 29 and 121 of the International Monetary Fund’s Country Report No. 14/72 – Canada Financial Sector Assessment Program, dated March 2014.

[2] See FSRA Industry Notice titled FSRA Requires Insurers to Monitor Agent Conduct dated February 17, 2021, for more information.

[3] In 2009, FSRA’s predecessor, the Financial Services Commission of Ontario, and Québec’s Autorité des marchés financiers implemented a common web-based system to harmonize complaint data reporting requirements across Canada, except for British Columbia.

OSFI ISSUES FINAL REINSURANCE GUIDELINES

On February 11, 2022, the Office of the Superintendent of Financial Institutions (“OSFI”) issued final versions of its revised Guideline B-3 Sound Reinsurance Practices and Procedures (“New Guideline B-3”) and Guideline B-2 Property and Casualty Large Exposures and Investment Concentration (“New Guideline B-2”) (together, New Guideline B-3 and New Guideline B-2 are the “New Guidelines”), marking the completion of Phase II of OSFI’s review of reinsurance practices which began with the publication of its Reinsurance Framework Discussion Paper in 2018 (the “Discussion Paper”).

The New Guidelines will not be effective until January 2025 and the current in-force guideline B-3 that was published in December 2010 (“In-force Guideline B-3”) will remain effective until that time. OSFI plans to hold information sessions in the coming months to help federally regulated insurers (“FRIs”) better understand OSFI’s expectations under the New Guidelines.

The remaining Phase of OSFI’s review of reinsurance contemplates possible changes to the MCT and LICAT capital guidelines, though no firm dates or timing for such changes have been released to date.

NEW GUIDELINE B-3

The “key principles” established under In-force Guideline B-3 which apply to all FRIs are substantially the same as those set out in New Guideline B-3 and the changes are primarily clarifications and amplifications of OSFI’s existing expectations. Having said that, FRIs will still need to begin adjusting current actuarial and compliance processes to meet OSFI’s expectations for stress testing, due diligence and monitoring of reinsurance counterparties under New Guideline B-3.

A summary of the key clarifications and changes in New Guideline B-3 is set out below.

Managing risks through reinsurance versus risks from the use of reinsurance

  • Although the first key principle in New Guideline B-3 is the same as in the In-force Guideline B-3, New Guideline B-3 distinguishes between OSFI’s expectations for managing risks through reinsurance and managing the risks arising from the use of reinsurance. The scope of an FRI’s reinsurance risk management policy (“RRMP”) should be expanded to include the risks that arise out of the use of reinsurance itself.
  • OSFI expressly acknowledges that reinsurance may be used for purposes not directly linked to mitigation of an FRI’s risks and that OSFI will review reinsurance arrangements based on the risk impact to the FRI.
  • Specifically, OSFI clarifies that, where risks insured in Canada are ceded by a foreign FRI back to the foreign FRI’s home office through affiliated reinsurers, OSFI will generally not recognize or grant credit for that foreign FRI’s reinsurance arrangements.

Stress Testing

  • Under the first key principle, both In-force Guideline B-3 and New Guideline B-3 state that an assessment of the adequacy and effectiveness of an FRI’s reinsurance arrangements may require stress testing of exceptional but plausible scenarios to determine if reinsurance arrangements adequately mitigate losses in accordance with the FRI’s risk appetite.
  • However, New Guideline B-3 provides more clarity and detail concerning OSFI’s expectations for stress testing and assessing reinsurance counterparty risk, as follows:
    • stress testing to assess counterparty risk should be considered at an aggregate level (e.g., group of affiliated counterparties);
    • counterparty risk should be assessed from the perspective of both going-concern and gone-concern scenarios of its reinsurers;
    • the process for assessing counterparty risk should be consistent regardless of whether counterparties are affiliated or non-affiliated;
    • the FRI should consider its total exposure to a counterparty as part of its assessment of counterparty risks;
    • an FRI should establish appropriate counterparty concentration limits applicable to both individual counterparties and to groups of affiliated counterparties; and
    • FRIs must maintain a record of the stress testing performed on their reinsurance programs and provide copies to OSFI upon request.

Due Diligence

  • Under the second key principle in New Guideline B-3, OSFI’s expectations of an FRI’s due diligence on its reinsurance counterparties are substantially the same as under In-force Guideline B-3, with the added qualification that the level of due diligence should be “sufficient”.
  • In addition to the level of due diligence being commensurate with the FRI’s aggregate exposure to a reinsurance counterparty, OSFI has clarified that it now expects that the level of due diligence with respect to a reinsurance counterparty should not be any less thorough if the counterparty is an affiliate of the FRI.

New expectations for clauses in reinsurance contracts

In-force Guideline B-3 modifies the language of the insolvency clauses set out under the fourth key principle that OSFI expects to see in all reinsurance contracts. OSFI still expects that FRIs ensure all reinsurance contracts contain an insolvency clause which requires the reinsurer to continue to make full payments to the FRI without any reduction resulting solely from the FRI’s insolvency. However, New Guideline B-3 adds that, where the reinsurer is within the same corporate group as the ceding FRI, OSFI expects the reinsurance contract to contain a clause stipulating that “all reinsurance receivables are to be paid directly to the FRI-cedant in Canada, or to a person acting for, or on behalf of, the FRI-cedant in Canada”. The effect is that, where the reinsurer is an affiliate of the ceding FRI, this clause would apply whether or not the FRI-cedant is solvent or insolvent.

NEW GUIDELINE B-2

In the Discussion Paper, OSFI indicated that OSFI’s concerns with the current reinsurance framework were more prominent in the property and casualty (“P&C”) sector and that, as a result of its review of the existing reinsurance framework, there may be important changes to prudential limits and restrictions and capital adequacy for P&C FRIs.

New Guideline B-2, which applies to P&C FRIs on an individual and a consolidated basis, sets out OSFI’s expectations for P&C FRIs with respect to: (i) the losses they could withstand from a single large insurance exposure; (ii) the failure of an individual unregistered insurance counterparty; and (iii) investment concentration. Please see below for a high-level summary of OSFI’s expectations set out in New Guideline B-2.

Gross Underwriting Limit Policy

In addition to having an RRMP that meets OSFI’s expectations set out in New Guideline B-3, P&C FRIs are expected to have a Gross Underwriting Limit Policy (“GUWP”) which should:

  • define what constitutes a “Single Insurance Exposure[1]” for each class of insurance;
  • establish limits by class of insurance regarding the level of gross insurance risk that the P&C FRI is willing to accept in respect of a maximum loss related to a Single Insurance Exposure; and
  • be reviewed by senior management at least once a year.

OSFI expects that the determination of the acceptable maximum loss on a Single Insurance Exposure should be made without regard to the probability of the loss event using approaches that are risk-based and forward-looking, and not solely based on past losses.

In New Guideline B-2, OSFI expects P&C FRIs to consider the following in determining their Single Insurance Exposure for each class of insurance:

  • Property – The aggregated insurance exposures on in-force policies at a single location, including any exposures subject to the location.
  • Credit – The aggregated insurance exposures on in-force policies to any one single buyer or group of connected buyers.
  • Surety – The aggregated insurance exposures on in-force bonds to any one single contractor or group of connected contractors.
  • Title – The aggregated insurance exposures on in-force policies related to the legal title for a single location.

P&C FRIs will also be expected to provide OSFI, at OSFI’s request, with all information with respect to their large Single Insurance Exposures. OSFI may also, at its discretion, advise a P&C FRI to use specific criteria or an approach to determine and measure its maximum loss on a Single Insurance Exposure.

Insurance Exposure Limit

The New Guideline B-2 also sets insurance exposure limits that apply to the direct business written by P&C FRIs and the assumed business from any affiliated company where that affiliated company is a P&C FRI and is a direct writer of that business. A P&C FRI’s Net Retention[2] plus its Largest Net Counterparty Unregistered Reinsurance Exposure[3] should not, at any time, exceed the following limits for a maximum loss on a Single Insurance Exposure:

  • Insurance Companies –
    1) 100 percent of a P&C FRI’s Total Capital Available[4] where any entity in the P&C FRI’s control chain is:
       a) a widely held company; and/or
       b) a regulated financial institution; or
    2) 25 percent of Total Capital Available otherwise.
  • Foreign Branches – 100% of Net Assets Available[5].

OSFI expects that the Largest Net Counterparty Unregistered Reinsurance Exposure to a given counterparty, or group of affiliated counterparties, should be measured on a gross and a net basis (i.e., both before and after the recognition of any eligible counterparty risk mitigation (CRM) technique, including by means of the use of excess collateral or letters of credit[6]).

Investment Concentration

New Guideline B-2 provides that a P&C FRI’s investment in any one entity or group of affiliated companies should not exceed the following limit:

  • Insurance Companies – 5% of the company’s assets
  • Foreign Branches – 5% of the company’s assets in Canada

For Foreign Branches, “assets in Canada” means the total value of assets under the control of the Minister of Finance (vested in trust in Canada), as reported on the balance sheet of the regulatory return filed with OSFI. These limits should also consider other investments or commitments not shown on the FRI’s balance sheet, such as options, futures, forward contracts and unfunded portions of committed loans.

OSFI’S NEXT STEPS 

OSFI still expects Boards of Directors of all FRIs to apply the New Guidelines within the context of their supervisory and oversight obligations set out in OSFI’s Corporate Governance Guideline and all FRIs will be staying tuned for the feedback that comes from industry information sessions in the coming months. The publication of the New Guidelines brings Phase II of OSFI’s review of reinsurance practices to a conclusion and we will be staying tuned for any changes to the MCT or LICAT guidelines as part of Phase III.

Footnotes

[1] In Annex 1 of New Guideline B-2, OSFI permits FRIs to define “Single Insurance Exposure” for themselves, stating that: “P&C FRIs can define what constitutes a Single Insurance Exposure within their GUWP.”

[2] This term is defined in New Guideline B-2 as follows: “The amount of insurance exposure which a P&C FRI retains net for its own account and does not pass on to another insurer (or reinsurer). Any reinstatement premiums should be included in the Net Retention value.”

[3] This term is defined in the New Guideline B-2 as follows: “The largest amount of ceded unregistered reinsurance on an insurance exposure provided by a (re)insurance group (e.g., Affiliated Company counterparties that are part of a (re)insurance group). This amount should be on a net basis; that is, after recognition of any eligible CRM technique.”

[4] This term is defined in New Guideline B-2 as follows: “For a P&C FRI that is a company, the consolidated total available capital of a company as defined for the purpose of calculating the Minimum Capital Test (MCT) / Mortgage Insurer Capital Adequacy Test (MICAT).”

[5] This term is defined in New Guideline B-2 as follows: “For a P&C FRI that is a foreign branch, the net assets available as defined for the purposes of calculating the Branch Adequacy of Assets Test (BAAT).”

[6] New Guideline B-2 states that: “The limit on the use of letters of credit for unregistered reinsurance with a given counterparty, or group of Affiliated Company counterparties, including any letters of credit that are part of excess collateral, is 30% and is measured against the value of the insurance exposure.”

OSFI Lifts Restrictions on Canada’s Federally Regulated Financial Institutions related to Increasing Dividends, Share Repurchases and Raising Executive Compensation

On November 4th, 2021, Peter Routledge, the Superintendent of Financial Institutions (Canada) (the “Superintendent”) announced that the Office of the Superintendent of Financial Institutions (“OSFI”) was lifting regulatory restrictions that it had imposed on federally regulated financial institutions (“FRFIs”) relating to dividends, share repurchases and executive compensation, effective immediately.

In response to the potential instability created as a result of the COVID-19 pandemic, in March 2020, OSFI had announced a series of temporary regulatory and supervisory adjustments to protect the resiliency of Canada’s FRFIs which included expectations that FRFIs would not increase regular dividends, undertake common share repurchases or raise executive compensation.

The Superintendent explained there were three key elements of its reasoning for lifting these expectations: (i) the original rationale for its expectations was no longer applicable and most of OSFI’s other regulatory and supervisory accommodations in response to the COVID-19 pandemic have already been removed, (ii) the responsibility for these decisions appropriately rests with the board and management of FRFIs, and (iii) OSFI has confidence in the boards and management of FRFIs to act responsibly when making capital contribution decisions and expects them to continue to affirm this tendency.

However, the Superintendent noted that OSFI will still expect management and boards of directors of FRFIs to “act responsibly, and employ robust risk management practices and sensitivity analysis that uses conservative and prudent assumptions to guide decisions pertaining to capital distributions”.

The Superintendent also restated OSFI’s intention to transform itself to respond to an ever-changing risk environment and to prepare for more frequent instability, noting that OSFI is changing how it views risk and expects boards of FRFIs to do so as well. Based on the Superintendent’s remarks at the 2021 Global Risk Institute Annual Summit on September 29, 2021, FRFIs and their advisors can expect to hear more from OSFI on disclosures about climate risk, digitalization risk and OSFI’s internal organizational transformation.


Updated Requirements for Federally Regulated Financial Institutions’ Technology and Cyber Incident Reporting Obligations

On August 13, 2021, the Office of the Superintendent of Financial Institutions (“OSFI”) released an updated Technology and Cyber Security Incident Reporting Advisory (the “New Advisory”) for federally regulated financial institutions (“FRFIs”) which replaces the Technology and Cyber Security Incident Reporting Advisory previously published in January 2019 (the “2019 Advisory”).

The New Advisory potentially lowers the threshold for reporting and expands the scope of reportable incidents. Under the New Advisory, FRFIs who fail to comply with the new reporting requirements could be subject to increased supervisory oversight by OSFI. In connection with the New Advisory, OSFI also released an updated Cyber Security Self-Assessment Tool to assist FRFIs in reviewing their ability to manage technology and cyber risks and to respond to incidents.

The key updates in the New Advisory are:

  • New Definition of Technology or Cyber Security Incident – The New Advisory defines a technology or cyber security incident as “an incident that has an impact, or the potential to have an impact on the operations of a FRFI”. This appears to be a lower threshold for reporting than the 2019 Advisory, which defined a reportable incident as an incident having the potential to, or having been assessed to, “materially impact the normal operations of a FRFI”.
  • New Characteristics and Criteria for Reporting – Whereas the criteria for reporting set out in the 2019 Advisory included incidents that would have a “significant operational impact”, “material impact”, “extended disruptions” or “material consequences”, the New Advisory has removed these qualifiers. The new criteria no longer require that the impact be significant or material. Under the New Advisory, it appears that any impact to a FRFI’s systems, operations or to the Canadian financial system may trigger the reporting requirement. The New Advisory also expands the list of criteria for reporting. For example, in the 2019 Advisory, one of the criteria was whether an incident had been reported to the Office of the Privacy Commissioner (“OPC”) pursuant to the mandatory reporting of breaches of security safeguards under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The New Advisory provides that, in addition to reporting to the OPC or law enforcement under PIPEDA, an incident may have to be reported if it has invoked internal or external counsel.
  • Shorter Initial Notification Requirements – Incidents must now be reported within 24 hours, or sooner if possible. This is shorter than the notification requirement under the 2019 Advisory which was to report an incident “as promptly as possible, but no later than 72 hours.” There are no changes to subsequent reporting requirements and OSFI still expects FRFIs to provide situation updates, including any short-term and long-term remediation actions and plans until the incident is contained or resolved. Reports must be made in writing using the template provided in Appendix II to the New Advisory.
  • New Consequences of Failure to Report – Under the New Advisory, failure to report a technology or cyber security incident may result in increased oversight by OSFI. Notably, such increased oversight could include watch-listing of the FRFI and staging by OSFI. The 2019 Advisory did not provide for the consequences of a failure to report.

The 2019 Advisory provided that incidents “assessed by a FRFI to be of a high or critical severity level should be reported to OSFI”. Under the New Advisory, this provision is now included in the expanded criteria for reporting. OSFI advises that if a FRFI is uncertain whether to report an incident, the FRFI should consult their OSFI Lead Supervisor.

The obligation of FRFIs to report a technology or cyber security incident under the New Advisory is in addition to their obligations under applicable privacy legislation to report a breach of security safeguards.

The updates to the New Advisory may require FRFIs to review and update their policies and procedures related to technology and cyber security as well as outsourcing arrangements given that FRFIs will be expected to report incidents of third-party vendors that may affect the FRFI.

OSFI Publishes Guideline E-4: Foreign Entities Operating in Canada on a Branch Basis

On June 28, 2021, the Office of the Superintendent of Financial Institutions Canada (OSFI) issued the final version of Guideline E-4: Foreign Entities Operating in Canada on a Branch Basis (“Guideline E-4”). Guideline E-4 applies to both foreign banks and foreign insurance branches and replaces Guideline E-4A: Role of the Chief Agent and Record Keeping Requirements (which applied only to insurers) and Guideline E-4B: Role of the Principal Officer and Record Keeping Requirements (which applied only to banks) (collectively, the “Existing Guidelines”). OSFI expects all foreign branches operating in Canada to be compliant with Guideline E-4 by January of 2022.

Guideline E-4 compares to the Existing Guidelines as follows:

  • General Direction:
    • Guideline E-4 envisions OSFI’s expectations with respect to foreign entities operating in Canada on a branch basis. It provides for greater emphasis on the expectations of foreign entities operating in Canada by outlining their responsibilities in the management of the Canadian business.
  • Branch Management:
    • Guideline E-4 presents “Branch Management”, which includes a team of individuals who have the authority and responsibility of overseeing the business in Canada. This may include the Chief Agent of a foreign insurance branch or the principal officer of a foreign bank branch and senior officers of the foreign entity located in or outside Canada.
    • The composition of the Branch Management team is expected to be proportionate with the overall size and complexity of the foreign branch’s federally regulated business in Canada.
    • Branch Management will be responsible for the effective adaptation, implementation and oversight of the foreign entity, which includes the expectation that Branch Management have sufficient knowledge of all applicable Canadian legislation, regulations, guidelines and any other supervisory or regulatory matters related to the foreign entity’s federally regulated business in Canada. Accordingly, Guideline E-4 looks to the foreign entity’s Branch Management for accountability and management contrary to the Existing Guidelines which looked only to the Chief Agent or Principal Officer for accountability.
    • If there are any changes to Branch Management, new reporting measures are in place which do not apply to the Chief Agent or Principal Officer under the Existing Guidelines. Particularly, the foreign entity is obligated to notify OSFI of any potential changes to the Branch Management team and any circumstances that may negatively impact the Branch Management team.
  • Arrangements with the Foreign Entity’s Home Office:
    • Branch Management must document any arrangements involving material actions by the foreign entity’s home office on behalf of the branch. Guideline B-10: Outsourcing of Business Activities, Functions and Processes continues to apply to Guideline E-4 when determining the material functions of a branch’s home office when acting on behalf of the foreign entity.
    • If the foreign entity’s home office and its branch engage in the flow of funds, then OSFI must be provided with details regarding the arrangement. Moreover, OSFI must be provided advance notice of 10 business days by Branch Management before any funds are transferred to the foreign entity’s home office if the transfer of funds materially deviates from the documented process. The notice period of 10 business days is shorter than the 30 days’ notice initially proposed in the Draft Guideline.
  • Record Keeping:
    • Guideline E-4 aligns with new amendments to the location of records requirements provided in the Insurance Companies Act (“ICA”) and the Bank Act (“BA”), which will be effective in July of 2021. For branches under the BA, copies of records must be stored at the principal office in Canada or at another place in Canada found suitable by the principal officer. For branches under the ICA, copies of records must be stored at the chief agency in Canada.
    • Electronic records must be kept on a computer server physically located at the places stipulated in the BA and the ICA. Although electronic records must be available to be reproduced in written form within a reasonable period of time, for certain information, such as reinsurance arrangements, an executed copy may be required to be available at OSFI’s request. However, certain bank branches and insurance branches are exempted from the requirements to keep copies of the records in Canada and must instead provide OSFI with immediate, direct, complete and ongoing access to the records that are stored outside Canada.
    • The Guideline does not include any significant updates to the electronic storage of Records, nor does it clarify data processing and retention of records as it relates to cloud computing.
    • Records must be updated and accurate as at the end of each business day, unless they are records that change less frequently than daily. The records must be sufficiently detailed to allow OSFI to conduct an examination and inquiry into the business of the branch, to manage the branch’s assets prior to the appointment of a liquidator (if the Superintendent takes control of the branch’s assets in Canada), and to allow the liquidator to conduct an effective liquidation of the branch’s assets in Canada.
  • Supervision of Branches:
    • Although the designation of branch responsibilities in the Existing Guidelines has not been built into Guideline E-4, OSFI expects the foreign entity, through its designated Branch Management, to be accountable to OSFI for its federally regulated business in Canada. As such, Branch Management should be knowledgeable about the results of OSFI’s supervisory role and manage the appropriate response to any supervisory expectations.

OSFI continues to expect that all foreign entities operating in Canada as a branch remain in compliance with the legislative requirements of the BA and ICA, and all applicable supervisory and regulatory expectations set out by OSFI and its guidance. If OSFI is not satisfied that the expectations set out in Guideline E-4 are being met, OSFI may apply additional supervisory and regulatory actions to the foreign entity’s branch in Canada.

Bill C-11: A Step Back Overall for Privacy Protection in Canada says Federal Privacy Commissioner

The Personal Information Protection and Electronic Documents Act (“PIPEDA”) is federal legislation that governs personal information held by private sector organizations in the course of for-profit, commercial activities across Canada. It also applies to personal information of employees of federally-regulated businesses including banks, airlines and telecommunications companies. On November 17, 2020, the federal government introduced Bill C-11, which proposes the enactment of the Consumer Privacy Protection Act (“CPPA”) and the repeal of Part I of PIPEDA. Bill C-11 can only become law after it has been approved by both Houses of Parliament and has received Royal Assent.

On May 11, 2021, the Federal Privacy Commissioner of Canada, Daniel Therrien, released a submission to the House of Commons Standing Committee on Access to Information, Privacy and Ethics, which provides that the Commissioner believes that Bill C-11 “represents a step back overall from our current law and needs significant changes if confidence in the digital economy is to be restored.” The Commissioner emphasizes that Bill C-11, as drafted:

“would be a step back overall because the provisions meant to give individuals more control give them less; because the increased flexibility given to organizations to use personal information without consent do not come with additional accountability one would expect; because administrative penalties will not apply to the most frequent and important violations, those relevant to consent and exceptions to consent; and because [the Office of the Privacy Commissioner of Canada (“OPC”)]  would not have the tools required to manage its workload to prioritize activities that are most effective in protecting Canadians.”

The Commissioner’s submission on Bill C-11 provides over 60 recommendations, which he believes are required to help ensure that organizations can responsibly innovate while recognizing and protecting the privacy rights of Canadians. The Commissioner’s recommended changes are categorized into the following three themes:

Weighting of Privacy Rights and Commercial Interests

  • The Commissioner’s submission provides that Bill C-11 “arguably gives more weight to commercial interests than the current law by adding new commercial factors to be considered in the balance, without adding any reference to the lessons of the past twenty years on technology’s disruption of rights.”
  • The submission further provides that “it would be normal and fair for commercial activities to be permitted within a rights framework, rather than placing rights and commercial interests on the same footing. Generally, it is possible to concurrently achieve both commercial objectives and privacy protection. This is how we conceive responsible innovation. However, when there is a conflict, we believe rights should prevail.”
  • The Commissioner suggests 10 recommendations under this theme, including recommendations with respect to the inclusion of a human rights-based framework in the CPPA and amendments to the definitions of personal information, sensitive information and commercial activity.
  • Of particular interest is the Commissioner’s reference to Dr. Teresa Scassa’s description of a human rights-based approach to privacy protection. Dr. Scassa describes a human rights-based approach to privacy as “one that places the human rights values that underlie privacy protection at the normative centre of any privacy legislation. . . . it acknowledges the nature and value of privacy as a human right so as to give privacy its appropriate weight in any balancing exercise.”

Specific Rights and Obligations

  • The Commissioner suggests 22 recommendations under this theme, focused within three particular areas: consent and the exceptions thereto, organizational obligations, and individual data rights.
  • Consent and the Exceptions Thereto
    • The Commissioner suggests changes to ensure consent is informed and meaningful. The Commissioner also notes that while several new exceptions to consent are reasonable, there are two main concerns: “some exceptions are unreasonably broad; and the Bill fails to associate greater authority to use personal information with greater accountability by organizations for how they will use these permissions.” The Commissioner addresses these concerns by suggesting revisions with respect to the scope of socially beneficial purposes, publicly available personal information, de-identification of personal information and disclosure of personal information to law enforcement.
    • Of particular interest is the Commissioner’s assertion that “[t]he CPPA does not speak to format, content structure, or accessibility. Each of these is a factor that contributes to an individual’s understanding of how their personal information is being used.”
  • Organizational Obligations
    • The Commissioner suggests changes in Bill C-11 with respect to accountability, trans-border data flows and service providers, safeguarding, breach reporting and domestic service providers.
    • Of particular interest is the Commissioner’s suggestion that the accountability principle is not clearly defined in the CPPA, and that the legislation does not “provide protective measures such that the accountability of organizations is real and demonstrable.”
  • Individual Rights
    • The Commissioner suggests changes in Bill C-11 with respect to automated decision-making, the right to reputation and data mobility.

Quick and Effective Remedies and the Role of the Office of the Privacy Commissioner of Canada

  • The Commissioner suggests a strong enforcement and oversight mechanism which should include access to quick and effective remedies for individuals and should provide the regulator with the legal mechanisms required to protect Canadians.
  • The Commissioner suggests 20 recommendations under this theme, including recommendations with respect to remedies, the rules of procedure and evidence in investigations, special cases of breaches, compliance agreements, the Personal Information and Data Protection Tribunal, administrative monetary penalties, private right of action, the role of the regulator, the discretion to investigate, advising organizations on their privacy management programs, codes of practice and certification programs, amendments to rules which mandate the Commissioner to consider the size of the organization and other factors mentioned, demonstrable accountability and proactive inspections, proactive compliance audits, the prohibition on use of information provided by an organization, confidentiality and cooperation with other organizations and offences.
  • Of particular interest is the Commissioner’s recommendation with respect to the Personal Information and Data Protection Tribunal. Here, the Commissioner has stated that “[w]hile the OPC welcomes oversight and accountability for our actions, we respectfully suggest that the new Tribunal is both unnecessary to achieve greater accountability and fairness (the Federal Court already plays this role), and counter-productive in achieving quick and effective remedies. In fact, all objective indicators show overwhelmingly that the Tribunal would unnecessarily delay justice for consumers. . . . In summary, there is no need to add an administrative appeal to ensure fairness to business when the Federal Court already plays this role, and as, at any rate, the OPC has an exemplary record in this regard. Moreover, adding a level of appeal can only delay the ultimate resolution of cases.”

In light of the Commissioner’s submission to the Standing Committee, Bill C-11 could undergo changes before it is passed, especially given Commissioner Therrien’s recent reappointment on June 4, 2021 for a one-year term. Organizations should pay particular attention to developments regarding Bill C-11 as changes may be forthcoming.

 

CISRO Seeking Input on the Principles of Conduct for Intermediaries

The Canadian Insurance Services Regulatory Organization (CISRO) recently released for comment draft Principles of Conduct for Intermediaries (“Principles”). The Principles are aimed at safeguarding the fair treatment of customers by intermediaries in the life & health and property & casualty insurance sectors by requiring that they conduct their business in a transparent and honest manner. Insurers are responsible for the fair treatment of customers throughout the life cycle of the insurance product, while intermediaries have oversight responsibilities to ensure that their employees and representatives meet high standards of integrity and ethics. While acknowledging that each jurisdiction has its own regulatory approach for the conduct of business, the Principles envision minimum regulatory conduct standards that are common across Canada regarding the fair treatment of customers. The Principles are intended to tie in with the Guidance on Conduct of Insurance Business and Fair Treatment of Customers (FTC), issued by CISRO and the Canadian Council of Insurance Regulators (CCIR). The Principles also align with the Insurance Core Principles (ICP) of the International Association of Insurance Supervisors (IAIS).

Who Are Intermediaries? Intermediary encompasses adjusters, individual agents, brokers, representatives and business entities that distribute insurance products and services, including managing general agencies and third party administrators.

Who Are Customers? Customers may include policyholders (or certificate holders), prospective policyholders with whom an insurer or intermediary interacts, or other beneficiaries and claimants with a legitimate interest in the policy.

The Principles shape professional behaviour and conduct expectations for the fair treatment of customers:

  1. Compliance / Outcomes: Intermediaries must comply with all applicable laws, regulations, rules and regulatory codes to which they are subject.
  2. Customers’ Interests: Intermediaries must place customers’ interests above their own, including when an intermediary is developing, marketing, distributing and servicing insurance products.
  3. Conflicts of Interest: Intermediaries must identify, disclose and manage any actual or potential conflict of interest pertaining to a transaction or recommendation. Intermediaries must avoid entering into agreements where conflicts of interests may obstruct the fair treatment of customers or cannot be managed.
  4. Advice: In order to comprehend and recognize customers’ unique needs, intermediaries must seek complete information from customers when providing them with advice.
  5. Disclosure: Customers must be provided with objective, complete, relevant and accurate information by intermediaries, so that customers may make informed decisions. Intermediaries must properly disclose relevant information to all necessary parties (including the insurer) and disclose information in a manner that is clear and comprehensible for customers.
  6. Product and Service Promotion: Intermediaries must ensure that products and services are endorsed in a clear and fair manner that is not misleading. Promotions should be easily understandable and disclose all necessary and relevant information.
  7. Claims, Complaints Handling, and Dispute Resolution: Intermediaries must handle claims, complaints and disputes in a timely and fair fashion.
  8. Protection of Personal and Confidential Information: Intermediaries must engage in necessary measures to protect personal and confidential information by: collecting only information that is necessary for the completion of the service or product provided; using and disclosing information only for purposes and for the duration for which the customer has consented; and complying with all applicable privacy legislation for information management.
  9. Competence: Intermediaries must preserve an appropriate standard of professional knowledge to ensure the fair treatment of customers. Continuing education obligations must be met and duties must match the level of training and education provided. Intermediaries must not misrepresent their level of competence or conduct business beyond their threshold of professional knowledge and experience.
  10. Oversight: Intermediaries with contractual or regulatory oversight responsibilities are accountable for the conduct of any employee or third party involved in the distribution or servicing of insurance products. Policies and procedures, training and control mechanisms must be utilized by intermediaries in their oversight roles to ensure the fair treatment of customers.

CISRO is seeking feedback on the proposed Principles from a wide range of stakeholders, including the insurance industry and consumer advocates. Respondents should submit comments to cisro-ocra@fsrao.ca by July 9, 2021.

OSFI Publishes List of Near-term Guidance Priorities and Anticipated Timeframes for Release

OSFI’s Strategic Plan focuses on cultivating the readiness and resilience of federally regulated financial institutions (FRFIs) and federally regulated pension plans (FRPPs) to financial risks and non-financial risks that could potentially adversely affect their financial condition. In light of the Strategic Plan, OSFI recently published a list of the guidance that it anticipates releasing in the near term. Below is a summary of all of the guidance that OSFI intends to release which relates to insurance companies.

Risk Management Guidance

Industry Letter on Climate-related Risks
• Summarizes feedback received on OSFI’s Climate-related Risks Discussion Paper issued in Q1 2021 and sets out OSFI’s proposal for future climate related risk initiatives.
• Timeframe: Q3 2021

Industry Letter on Technology Risk
• Summarizes feedback received on OSFI’s Technology Risk Discussion Paper issued in Q3 2020 and sets out future guidance initiatives
• Timeframe: Q2 2021 (Released on May 10, 2021)

Industry Letter on Operational Resilience
• Seeks views on integrating new Basel Committee on Banking Supervision Principles for Sound Management of Operational Risk and Principles of Operational Resilience into OSFI’s guidance
• Timeframe: Q3 2021

Final Guideline B-2 on Property and Casualty Large Exposure
• Establish OSFI’s expectations with respect to large exposures of property and casualty insurance companies
• Timeframe: Q4 2021

Final Guideline B-2 on Insurance Practices and Procedures
• Establish OSFI’s expectations related to reinsurance practices
• Timeframe: Q4 2021

Develop Guideline on Technology/Cyber Risk
• Develop OSFI’s expectations for technology and cyber risk management
• Timeframe: Q4 2021

Draft Revised Guideline B-10 on Third Party Risk
• Develop OSFI’s expectations for third party risk
• Timeframe: Q1 2022

Industry Letter on Advanced Analytics and Model Risk
• Develop OSFI’s expectations for advanced analytics and model risk
• Timeframe: Q1 2022

Consultative Document on Culture and Reputation Risk
• Develop OSFI’s expectations for culture and reputation risk
• Timeframe: Q1 2022

Capital and Accounting Guidance

Discussion paper on the Assurance of Capital, Leverage and Liquidity Returns
• Develop OSFI’s expectations on assurance of Deposit-Taking Institutions and insurance capital, leverage and liquidity returns
• Timeframe: Q2 2021 (Released on April 13, 2021)

Draft Guidelines on Assurance of Capital, Leverage and Liquidity Returns
• Develop OSFI’s expectations on assurance of Deposit-Taking Institutions and insurance capital, leverage and liquidity returns
• Timeframe: Q4 2021

Final Guideline on Assurance of Capital, Leverage and Liquidity Returns
• Develop OSFI’s expectations on assurance of Deposit-Taking Institutions and insurance capital, leverage and liquidity returns
• Timeframe: Q1 2022

Other

Semi-Annual IFRS 17 Progress Reporting
• Insurers reporting to OSFI on IFRS 17 implementation progress
• Timeframe: Q1 2021

Final IFRS 17 Regulatory Returns
• Regulatory Returns reflecting impact of adopting IFRS 17
• Timeframe: Q2 2021 (Released on April 30, 2021)

Draft LICAT, MCT, MICAT Guidelines for IFRS 17
• Cover updates to the capital frameworks for insurers triggered by IFRS 17
• Timeframe: Q2 2021

Semi-Annual IFRS 17 Progress Reporting
• Insurers reporting to OSFI on IFRS 17 implementation progress
• Timeframe: Q3 2021

Consultation on Draft Methodology for Determining Capital Requirements for Segregated Fund Guarantee (SFG) Risk
• QIS 5 and public consultation of the draft Chapter 7 of LICAT (i.e. the draft standard approach) and SFG-related regulatory returns
• Timeframe: Q3 2021

The timelines listed above are reflective of the current OSFI strategic plans as of May 6, 2021. Plans may be subject to change or amended here.

Respondent Feedback to OSFI Technology Risk Consultation

On September 15, 2020, the Office of the Superintendent of Financial Institutions (“OSFI”) published a discussion paper, Developing financial sector resilience in a digital world. The paper examined the risks arising from increased technological advancement and digitalization, in light of its potential effect on Canada’s financial sector. OSFI invited feedback regarding a variety of technology-related risk areas, with an emphasis on cyber security, advanced analytics, and the technology third party ecosystem. A diverse range of stakeholders including federally regulated financial institutions (“FRFIs”), industry associations, technology companies and consulting firms submitted their feedback. OSFI provided a brief summary of responses by stakeholders and plans to release draft guidance in the future. The full text of OSFI’s results summary publication can be found here.

A brief summary of the responses by the stakeholders includes the following:

Operational Risk & Resilience

Within the larger sphere of non-financial risk and operational risk management, technology risks are effectively managed when included in a firm’s enterprise risk management program. Effective operational risk management (“ORM”) leads to operational resilience, and technology is fundamental for such operations. However, while existing ORM approaches are appropriate, there are still opportunities to bolster practices.

Technology and Cyber Security

Emerging principles-based and technology-neutral perspectives, in which definitions, concepts, and expectations comport with existing guidance and accepted international standards, are most suitable for technology risk management. However, there is room to improve OSFI’s existing guidance. In general, emerging risks can be effectively managed within the larger sphere of technology risk and management. This requires quantum readiness through collective action by government, industry, and academia, and OSFI needs to continue engaging in these efforts.

Advanced Analytics

OSFI’s proposed principles of soundness, explainability and accountability are suitable for addressing emerging model risks, including those posed by artificial intelligence (“AI”) and machine learning (“ML”). However, there are areas where OSFI should consider modifications to bolster its principles. Moreover, human review and oversight of AI and ML models is important. In any event, “[a]ny new model of risk guidance should remain risk- and principles-based, technology agnostic, and aligned with other jurisdictions and existing industry standards.”

Third Party Risk

Technology-related Risk
Technology-related third party arrangements should be considered as part of OSFI’s planned review of Guideline B-10 rather than as separate guidance. Likewise, any cloud risk management provisions could be integrated into Guideline B-10 rather than issued as separate guidance. However, certain expectations regarding technology-related third party arrangements should be replaced with more outcome-based principles.

Proposed Principles
There was a split in the feedback regarding the additional principles as many respondents suggested changes to the descriptions or proposed additional principles, while other respondents believed that the proposed principles sufficiently depict current and emerging risks.

FinTech Arrangements
OSFI should consider FinTech arrangements like other third party arrangements because of the consistency between the inherent risks posed by these firms and other third party providers. However, OSFI should wait until the regulations pursuant to FRFI statutes on FinTech networking are completed to avoid overlap.

Data

Existing regulations offer adequate coverage on data risk guidance for FRFIs, so OSFI need not create additional data risk guidance. However, OSFI should consider the Basel Risk Data Aggregation and Risk Reporting (“RDARR”) principles as a foundation for any additional expectations that could pertain to all FRFIs, outside of systemically important banks.

Key aspects of data risk include quality, security and privacy, and data risk intersects with other risk areas including cyber security and models. Material data risks can occur from utilizing poor quality data, data misuse, outages or breaches – all of which cause operational disruption or reputational damage and financial loss.

Watch for any further updates on OSFI’s website, which can be accessed here.
