All posts by Roisin Hutchinson

OSFI’s Strategic Plan focuses on cultivating the readiness and resilience of federally regulated financial institutions (FRFIs) and federally regulated pension plans (FRPPs) to financial risks and non-financial risks that could potentially adversely affect their financial condition. In light of the Strategic Plan, OSFI recently published a list of the guidance that it anticipates releasing in the near term. Below is a summary of all of the guidance that OSFI intends to release which relates to insurance companies.

Risk Management Guidance

Industry Letter on Climate-related Risks
• Summarizes feedback received on OSFI’s Climate-related Risks Discussion Paper issued in Q1 2021 and setting out OSFI’s proposal for future climate related risk initiatives.
• Timeframe: Q3 2021

Industry Letter on Technology Risk
• Summarize feedback received on OFSI’s Technology Risk Discussion Paper issued in Q3 2020 and sets out future guidance initiatives
• Timeframe: Q2 2021 (Released on May 10, 2021)

Industry Letter on Operational Resilience
• Seeks views on integrating new Basel Committee on Banking Supervision Principles for Sound Management of Operational Risk and Principles of Operational Resilience into OSFI’s guidance
• Timeframe: Q3 2021

Final Guideline B-2 on Property and Casualty Large Exposure
• Establish OSFI’s expectations with respect to large exposures of property and casualty insurance companies
• Timeframe: Q4 2021

Final Guideline B-2 on Insurance Practices and Procedures
• Establish OSFI’s expectations related to reinsurance practices
• Timeframe: Q4 2021

Develop Guideline on Technology/Cyber Risk
• Develop OSFI’s expectations for technology and cyber risk management
• Timeframe: Q4 2021

Draft Revised Guideline B-10 on Third Party Risk
• Develop OSFI’s expectations for third party risk
• Timeframe: Q1 2022

Industry Letter on Advanced Analytics and Model Risk
• Develop OSFI’s expectations for advanced analytics and model risk
• Timeframe: Q1 2022

Consultative Document on Culture and Reputation Risk
• Develop OSFI’s expectations for culture and reputation risk
• Timeframe: Q1 2022

Capital and Accounting Guidance

Discussion paper on the Assurance of Capital, Leverage and Liquidity Returns
• Develop OSFI’s expectations on assurance of Deposit-Taking Institutions and insurance capital, leverage and liquidity returns
• Timeframe: Q2 2021 (Released on April 13, 2021)

Draft Guidelines on Assurance of Capital, Leverage and Liquidity Returns
• Develop OSFI’s expectations on assurance of Deposit-Taking Institutions and insurance capital, leverage and liquidity returns
• Timeframe: Q4 2021

Final Guideline on Assurance of Capital, Leverage and Liquidity Returns
• Develop OSFI’s expectations on assurance of Deposit-Taking Institutions and insurance capital, leverage and liquidity returns
• Timeframe: Q1 2022

Other

Semi-Annual IFRS 17 Progress Reporting
• Insurers reporting to OSFI on IFRS 17 implementation progress
• Timeframe: Q1 2021

Final IFRS 17 Regulatory Returns
• Regulatory Returns reflecting impact of adopting IFRS 17
• Timeframe: Q2 2021 (Released on April 30, 2021)

Draft LICAT, MCT, MICAT Guidelines for IFRS 17
• Cover updates to the capital frameworks for insurers triggered by IFRS 17
• Timeframe: Q2 2021

Semi-Annual IFRS 17 Progress Reporting
• Insurers reporting to OSFI on IFRS 17 implementation progress
• Timeframe: Q3 2021

Consultation on Draft Methodology for Determining Capital Requirements for Segregated Fund Guarantee (SFG) Risk
• QIS 5 and public consultation of the draft Chapter 7 of LICAT (i.e. the draft standard approach) and SFG-related regulatory returns
• Timeframe: Q3 2021

The timelines listed above are reflective of the current OSFI strategic plans as of May 6, 2021. Plans may be subject to change or amended here.

On September 15, 2020, the Office of the Superintendent of Financial Institutions (“OSFI”) published a discussion paper, Developing financial sector resilience in a digital world. The paper examined the risks arising from increased technological advancement and digitalization, in light of its potential effect on Canada’s financial sector. OSFI invited feedback regarding a variety of technology-related risk areas, with an emphasis on cyber security, advanced analytics, and the technology third party ecosystem. A diverse range of stakeholders including federally regulated financial institutions (“FRFIs”), industry associations, technology companies and consulting firms submitted their feedback. OSFI provided a brief summary of responses by stakeholders and plans to release draft guidance in the future. The full text of OSFI’s results summary publication can be found here.

A brief summary of the responses by the stakeholders includes the following:

Operational Risk & Resilience

Within the larger sphere of non-financial risk and operational risk management, technology risks are effectively managed when included in a firm’s enterprise risk management program. Effective operational risk management (“ORM”) leads to operational resilience, and technology is fundamental for such operations. However, while existing ORM approaches are appropriate, there are still opportunities to bolster practices.

Technology and Cyber Security

Emerging principles-based and technology-neutral perspectives in which definitions, concepts, and expectations comport with existing guidance and accepted international standards is most suitable for technology risk management. However, there is room to improve OSFI’s existing guidance. In general, emerging risks can be effectively managed within the larger sphere of technology risk and management. This requires quantum readiness through collective action by government, industry, and academia, and OSFI needs to continue engaging in these efforts.

Advanced Analytics

OSFI’s proposed principles of soundness, explainability and accountability are suitable for addressing emerging model risks, including those posed by artificial intelligence (“AI”) and machine learning (“ML”). However, there are areas where OSFI should deliberate modification to bolster its principles. Moreover, human review and oversight of AI and ML models is important. In any event, “[a]ny new model of risk guidance should remain risk- and principles-based, technology agnostic, and aligned with other jurisdictions and existing industry standards.”

Third Party Risk

Technology-related Risk
Technology-related third party arrangements should be deliberated as part of OSFI’s planned review of Guideline B-10 rather than as separate guidance. Likewise, any cloud risk management provisions could be integrated into Guideline B-10 rather than as a separate guidance. However, certain expectations regarding technology-related third party arrangements should be replaced with more outcome-based principles.

Proposed Principles
There was a split in the feedback regarding the additional principles as many respondents suggested changes to the descriptions or proposed additional principles, while other respondents believed that the proposed principles sufficiently depict current and emerging risks.

FinTech Arrangements
OSFI should consider FinTech arrangements like other third party arrangements because of the consistency between the inherent risks posed by these firms and other third party providers. However, OSFI should wait until the regulations pursuant to FRFI statutes on FinTech networking are completed to avoid overlap.

Data

Existing regulations offer adequate coverage on data risk guidance for FRFIs, so OSFI need not create additional data risk guidance. However, OSFI should consider the Basel Risk Data Aggregation and Risk Reporting (“RDARR”) principles as a foundation for any additional expectations that could pertain to all FRFIs, outside of systemically important banks.

Key aspects of data risk include quality, security and privacy, and data risk intersects with other risk areas including cyber security and models. Material data risks can occur from utilizing poor quality data, data misuse, outages or breaches – all of which cause operational disruption or reputational damage and financial loss.

Watch for any further updates on OSFI’s website, which can be accessed here.

The Financial and Consumer Services Commission of New Brunswick recently published a Consultation Paper titled Incidental Selling of Insurance Restricted Insurance Licensing Regime. A complete copy of the Consultation Paper is available here.
In the Consultation Paper the Commission has indicated that it proposes to regulate the incidental selling of insurance through a restricted insurance licensing regime similar to regimes previously adopted in Alberta, Saskatchewan and Manitoba.
The Commission has proposed to define an “incidental seller of insurance” to mean:
“a person that, in the course of selling or providing goods or services to the person’s customers or clients, solicits, negotiates, sells or arranges insurance, or offers to sell, negotiate or arrange insurance, that relates to those goods or services.”
The types of businesses that would be eligible to obtain a restricted agent licence would be:
• A deposit-taking institution – a bank, credit union, caisse populaire, or loan or trust company;
• A sales finance company – a corporation, other than a financial institution, that provides consumer loans, or provides or arranges for credit;
• A transportation company that provides transportation service for goods;
• An automobile dealership, a watercraft dealership, a recreational vehicle dealership, a farm implement dealership or a construction equipment dealership;
• A mortgage brokerage licensed under the Mortgage Brokers Act;
• A customs brokerage;
• A freight forwarding business;
• A vehicle rental business (incl. construction equipment rentals);
• A portable electronics vendor – a business that sells or leases portable electronic devices or provides the devices in connection with a transaction between the business and a consumer;
• A business engaged by one of these businesses to solicit, negotiate, sell or arrange insurance on its behalf.
The Commission is proposing to allow restricted insurance licence holders and their employees to solicit, negotiate, sell or arrange the following classes or types of insurance:
• Cargo insurance;
• Creditor’s critical illness insurance
• Creditor’s disability insurance
• Creditor’s life insurance
• Creditor’s loss of employment insurance
• Creditor’s vehicle inventory insurance
• Export credit insurance
• Guaranteed asset protection insurance
• Mortgage insurance
• Portable electronics insurance
• Rented-vehicle accidental injury or death insurance
• Rented-vehicle contents insurance
• Rented-vehicle liability insurance
The Commission has indicted that it does not intend to include travel insurance, funeral insurance and equipment warranty insurance within the restricted insurance licensing regimes as some other provinces have done.
With respect to equipment warranty insurance, the Commission confirmed that it does not consider warranties or extended warranties to be insurance where the warranty is sold incidentally to the product and is sold by the “distributor” of the product or an affiliate of the distributor with a non-arm’s length relationship.
Among other requirements, each business that wishes to apply for a restricted insurance licence would be required to be sponsored by an insurer licensed in New Brunswick and to maintain errors and omissions insurance in minimum specified amounts.
The Commission has invited feedback on a number of questions posed in the Consultation Paper. The comment period for providing written submissions ends on January 31, 2020.

The Ontario government has announced that effective as of June 8, 2019, the new Financial Services Regulatory Authority of Ontario has assumed jurisdiction over those sectors previously regulated by the Financial Services Commission of Ontario (FSCO) and the Deposit Insurance Corporation of Ontario (DICO).

In making this announcement, Finance Minister Vic Fedeli said “The Financial Services Regulatory Authority (FSRA) of Ontario is a modern and innovative regulator with rule-making authority that promotes strong financial services and pensions sectors while protecting the public interest. Its mandate is to be open —open to new ideas, open to business, and open to consumer needs. FSRA has the flexibility to cut red tape, bring products to market quicker and be more responsive to the needs of businesses.” A full copy of the announcement is available here.

FSRA is in the process of reviewing existing regulatory publications which currently reside on the FSCO and DICO websites. A statement has been added to the FSCO webpage which says that “FSRA is actively reviewing all FSCO regulatory direction, including but not limited to forms, guidelines and FAQ. Until FSRA issues new regulatory direction, all existing regulatory direction remains in force.”

Watch for further updates coming on FSRA’s website, which can be accessed here.

May 15, 2019

The Quebec government today published a new regulation under an Act respecting the distribution of financial products and services (the “Distribution Act”), titled Regulation respecting Alternative Distribution Methods (the “Distribution Reg”). The Distribution Reg addresses issues related to (i) the sale of insurance over the internet without the intermediary of a natural person, and (ii) the offering of insurance products through distributors. With certain exceptions, the provisions of the Distribution Reg will come into effect on June 13, 2019.

With the publication of this new regulation, Quebec has taken the lead in setting clear expectations and standards for insurance intermediaries wanting to offer insurance products over the internet without the necessary involvement of a natural person. A copy of the Distribution Reg is available here.

With respect to internet insurance offerings, the Distribution Reg sets out a number of requirements that must be satisfied by firms wishing to sell insurance through a digital space, including disclosure and record keeping requirements. It also requires firms to ensure that the website clearly makes visible to applicants at all times during the process, the means by which the applicant can interact with a representative. When an applicant wishes to speak with a representative and one is not immediately available, the firm must suspend the transaction.

Firms that intend to offer products and services over the internet without the intermediary of a natural person are required to disclose without delay upon such offering, to the Autorite des marches financiers (the “AMF”):
(1) the name given to the digital space, where this name differs from the name of the firm;
(2) the names of the products and the classes to which they are related or the nature of the financial services offered on the digital space;
(3) the hyperlink or any other means to access the digital space; and
(4) the insurers whose products are offered on the firm’s digital space, if applicable.

Firms must notify the AMF of any change to such information within 30 days of such change.

The firm must also disclose annually to the AMF, the number of financial plans prepared, claims settled and insurance policies issued, the amount of premiums written through the digital space and the number of cases where clients have cancelled their insurance contracts in accordance with section 64 of the Insurers Act (Quebec).

Bill C-86, entitled “A second Act to implement certain provisions of the budget tabled in Parliament on February 27, 2018 and other measures” (“Bill C-86”), was introduced in the House of Commons on October 29, 2018, and passed second reading with referral to committee on November 6, 2018. Bill C-86 was referred to the Standing Committee on Finance which proposed certain amendments, and the Standing Senate Committees will submit their final reports by December 4, 2018.

Once Bill C-86 comes into force, it will amend certain sections of the Insurance Companies Act (the “ICA”), as well as amend other financial institutions legislation such as the Bank Act and the Trust and Loan Companies Act. Read the text of the latest publication of Bill C-86 here.

If passed, the proposed amendments will, among other things: (i) create new thresholds below which the acquisition of control of, or the acquisition or increase of a substantial investment in, certain entities, including provincially incorporated trust, loan or insurance corporations, provincially incorporated cooperative credit societies, securities dealers, financial intermediaries, and specialized financing entities, will not require the approval of the superintendent of financial institutions (the “Superintendent”), (ii) permit minority investments in the new business growth fund, (iii) permit customers to consent electronically to the receipt of electronic documents, and (iv) clarify that disclosure of privileged information to the Superintendent will not constitute a waiver of privilege.

Control thresholds

Under the current version of the ICA, subject to certain exceptions, companies (as such term is defined in the ICA) must obtain the approval of the Superintendent in order to acquire control of, or acquire or increase a substantial investment in, the permitted entities described above.

Bill C-86 proposes to add to the existing exceptions by creating new thresholds for determining control, and the acquisition or increase of a substantial investment without taking control, of the entities described above, under which the Superintendent’s approval would no longer be required. The new thresholds for control would provide an exception for acquisitions where the target entity’s consolidated assets would constitute less than one percent of the acquiring company’s total consolidated assets in the case of an acquiring company with equity of 12 billion dollars or more, and two percent of the acquiring company’s total consolidated assets in the case of any other acquiring company.

The new thresholds for acquisition or increase of a substantial investment would provide an exception for acquisitions where the value of the shares, or ownership interests in, the target entity to be acquired, directly or indirectly, or acquired within the prior 12 months, by the acquiring company or a subsidiary of the company would constitute less than half a percent of the acquiring company’s total consolidated assets in the case of a company with equity of 12 billion dollars or more, and one percent of the acquiring company’s total consolidated assets in the case of any other company.

Business growth fund

Bill C-86 would permit a company, or a fraternal benefit society, and its subsidiaries to invest a maximum of 200 million dollars in the new Canadian Business Growth Fund (GP) Inc., a CBCA company (defined as the “business growth fund” in Bill C-86). The Advisory Council on Economic Growth recommended the creation of a private sector led growth fund in its report titled “Unlocking Innovation to Drive Scale and Growth”. Read the report here. According to the report, the business growth fund will be led and financed by financial institutions and is expected to address the gap in growth financing for small to medium-sized firms through the purchase of minority stakes or unsecured debt for approved growth and expansion projects. The proposed amendments set limits on the amount of ownership companies can acquire in the business growth fund.

Consent may be given electronically

Under the existing language of section 1037 of the ICA, receipt of an electronic notice or document is not valid unless the addressee has consented to receive documents and notices in electronic format. Bill C-86 proposes to add to section 1037 by providing that a customer may give consent electronically to the receipt of documents or notices in electronic form. If passed, we expect that this amendment would make it easier for insurance companies to comply with the consent requirements relating to the transmission of electronic documents.

No waiver of privilege

Although the ICA currently prohibits supervisory information from being used as evidence in any civil proceedings, Bill C-86 would provide greater certainty that disclosure by a company of any information that is subject to privilege would not constitute a waiver of privilege. The proposed amendment would also prohibit the Superintendent from disclosing any privileged information to any person whose functions include the investigation or prosecution of offences under any act of Parliament or of the legislature of a province. Corresponding changes have been made to section 37 of the Office of the Superintendent of Financial Institutions Act.

We will keep you informed on the progress of Bill C-86 and its effect on the ICA.

On November 1^st, the new Breach of Security Safeguards Regulations  (the “Breach Regulations“) under the Personal Information and Protection and Electronic Documents Act (“PIPEDA“) came into force. See the link to the Breach Regulations here.

Under the Breach Regulations, both small and large organizations now have an obligation to:

1. Report breaches of security safeguards involving personal information to the Office of the Privacy Commissioner (the “OPC“) where there is a real risk of significant harm.
2. Notify affected individuals and notify appropriate government organizations.
3. Keep a record of every breach of security safeguards.

The OPC has published guidance related to the Breach Regulations, titled “What you need to know about mandatory reporting of breaches of security safeguards”. See the link here.

Reporting A Breach of Security Safeguards

PIPEDA defines a “breach of security safeguards” as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 [of PIPEDA] or from a failure to establish those safeguards”. The definition contemplates that even the loss of a USB key or a laptop would constitute a “breach of security safeguards”.

The reporting obligations do not require that an organization report all breaches to the OPC. The reporting obligations apply where the breach involves personal information that is under organization’s control, and when it is reasonable to believe that the breach creates a “real risk of significant harm”.

Determining whether there is a “real risk of significant harm” requires, among other things, an analysis of the sensitivity of the personal information involved and the probability that the personal information will be misused. According to the OPC, “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. Neither PIPEDA nor the new Breach Regulations define “sensitivity”. However, Principal 4.3.4 of PIPEDA provides the names and addresses of subscribers to some special-interest magazines as an example of personal information that would likely be considered sensitive.

Under the Breach Regulations, an organization is also responsible for reporting a breach of security safeguards where there is a real risk of significant harm by a third-party service provider. The OPC expects that, in such an event, both the service provider and the organization will submit reports to the OPC.

Organizations may report certain information to the extent that it is available at the time of reporting and an organization may update the report at a later date.

Notifying Affected Individuals and Organizations

The Breach Regulations require that organizations notify affected individuals as soon as feasible in the event of a breach where there is a real risk of significant harm, and that organizations notify affected individuals directly. Depending on the sensitivity of the personal information and the real risk of significant harm, the organization may need to, in some cases, notify affected individuals prior to submitting its report to the OPC.

The Breach Regulations provide that the notification to affected individuals must include information sufficient to allow the affected individuals to understand the significance of the breach and to take any available steps to reduce the risk of harm that may result from the breach.

The Breach Regulations further provide that there are limited circumstances where direct notification may not be required, and an organization may provide indirect notification. Indirect notification may be given in circumstances where direct notification may cause further harm to the individuals, direct notification would cause undue hardship for the organization, or the organization does not have contact information for the affected individual.

In addition to the requirement to notify affected individuals, organizations are required to notify any other government organizations or institutions that the organization believes may be able to reduce the risk of harm to individuals.

Record Keeping

Although the reporting requirements under the Breach Regulations apply to breaches where there is a real risk of significant harm, the record keeping requirements apply to every breach, regardless of the risk of harm. Records of breaches must contain enough information to allow the OPC to confirm compliance with the Breach Regulations and PIPEDA, including an explanation of why, in cases where a breach was not reported, the breach was determined not to pose a real risk of significant harm. Breach records must be kept for two years, or longer as may be required in accordance with applicable law or related internal record-keeping requirements.

On September 28, 2018, the Financial Services Commission of Ontario (FSCO) released its Treating Financial Services Consumers Fairly Guideline.

The Guideline applies to those licensed or registered by FSCO in the insurance, credit union/caisse populaire, loan and trust and mortgage brokering sectors. The purpose of the Guideline is “to ensure there is common understanding between FSCO and its Licensees as to what it means to treat consumers fairly.”

The Guideline contains a list of eight principal expectations, which FSCO says are intended not to be a prescriptive or exhaustive list, but rather to be used as guidance as part of a principles-based approach. The expectations listed by FSCO are:

1. FSCO expects that a core component of a Licensee’s business governance and culture is fair treatment of consumers.

2. FSCO expects Licensees to act with due skill, care and diligence at all times, but especially when dealing with consumers or designing financial services or products for consumers.

3. FSCO expects Licensees to promote financial services and products in a manner that is clear, fair and not misleading or false.

4. FSCO expects Licensees to recommend products that are suitable, taking into account the consumer’s disclosed personal circumstances and financial condition.

5. FSCO expects Licensees to disclose and manage any potential or actual conflicts of interest.

6. FSCO expects Licensees to provide continuing service and keep consumers appropriately informed, through to the point at which all obligations to the financial services consumer have been satisfied, including claims handling or the diligent provision of benefits.

7. FSCO expects Licensees to have policies and procedures in place to handle complaints in a timely and fair manner.

8. FSCO expects Licensees to protect the private information of financial services consumer and inform them of any privacy breach.

The full text of the Guideline can be viewed here.

FSCO has also published a related document to address anticipated questions, which is available here.

Insurance Brokers who own their own book of business and are contemplating moving to a new agency should be aware of a recent order dated April 27, 2018 from the Insurance Council of B.C. (“Council”) in which Council ordered the broker to pay a $2,500 fine as a result of transferring a client list without the express consent of both old and new agencies and of the clients. The client list contained personal information and included client names, policy numbers, and policy effective dates. See the Council’s order here.

In B.C., Council Rule 7(1) provides that licensees “must hold in strict confidence all information acquired in the course of the professional relationship concerning the personal and business affairs of a client” and prohibits licensees from using or disclosing such information without express authorization by the client. In this case, prior to becoming a representative of the agency, the broker had made a verbal agreement with the agency’s nominee that the clients would remain his. After joining the new agency, the broker had also called each client when their policies were up for renewal to advise them of his move to the new agency. However, the broker had not obtained the express consent of his clients to transfer their personal information to the new agency, nor did he obtain the consent of the old and new brokerages to the transfer of the clients’ information, and therefore the broker was in contravention of Council Rule 7(1).

Under Council Notice ICN 17-004 Reminder of Licensee Responsibilities Related to Disclosure or Transfer of Client Information (“Notice 17-004“), if a general insurance agent leaves one agency to represent another, such agent must not have any client information in their possession, and may not transfer client information from the former agency to the new agency without the consent of both agencies and express authority from the client to transfer their personal information.

Although Council Rule 7(1) and Notice 17-004 are only applicable in B.C., brokers in all provinces and territories must comply with the federal Personal Information Protection and Electronic Documents Act (or their province’s substantially similar legislation) which requires individuals to have knowledge of, and consent to, the use and disclosure of their personal information, with certain exceptions for business transactions.

Brokers who work within a corporate agency who intend to own their own books of business are therefore advised to obtain an express consent from each client which permits not only the corporate agency, but also the broker personally, to collect, use and disclose the client’s personal information and permits such information to be transferred to another corporate agency in the event that the broker decides to switch agencies.