OSFI Consultation on Draft Guideline B-13 – Technology and Cyber Risk Management

The Office of the Superintendent of Financial Institutions (“OSFI”) launched a three-month public consultation on Draft Guideline B‑13, Technology and Cyber Risk Management (the “Proposed Guideline”) on November 9, 2021, and is inviting comments on the Proposed Guideline until February 9, 2022.

The Proposed Guideline has been released as part of OSFI’s Strategic Plan 2019 – 2022 and puts into action some of the themes set out in OSFI’s discussion paper Developing Financial Sector Resilience in a Digital World, published in September 2020.

The Proposed Guideline sets out OSFI’s expectations for sound technology and cyber risk management across five domains and, once finalized, would apply to all federally regulated financial institutions (“FRFIs”). However, consistent with OSFI’s other guidance on outsourcing, risk management and incident reporting, OSFI recognizes that the application of its expectations should be commensurate with the size, nature, scope and complexity of operations and the risk profile of each FRFI.

The five domains of OSFI’s expectations, and their respective desired outcomes, are as follows:

Domain (Sound Management of Technology and Cyber Risk) and its desired outcome:

  1. Governance and Risk Management: Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks.
  2. Technology Operations: A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable technology operating processes.
  3. Cyber Security: A secure technology posture that maintains the confidentiality, integrity and availability of the FRFI’s technology assets.
  4. Third-Party Provider Technology and Cyber Risk: Reliable and secure technology and cyber operations from third-party providers.
  5. Technology Resilience: Technology services are delivered, as expected, through disruption.

OSFI recommends that the Proposed Guideline be considered in conjunction with other OSFI guidance, as well as guidance issued by other authorities applicable to the FRFI’s operating environment. OSFI references, in particular, OSFI Guideline E-21 (Operational Risk Management), OSFI Guideline B-10 (Outsourcing), the OSFI Cyber Security Self-Assessment Tool, the OSFI Technology and Cyber Security Incident Reporting Advisory, alerts, advisories and other communications issued by the Canadian Centre for Cyber Security, and recognized frameworks and standards for technology operations and information security.

Each of the five domains contains related prescriptive principles, which are reproduced below. The Proposed Guideline contains further discussion of each of these principles that expands on OSFI’s expectations for FRFIs in meeting the requirements of each domain.

Domain 1 – Technology and Cyber Governance and Risk Management

Principle 1 – Accountability and Organizational Structure

Senior Management should assign responsibility for managing technology and cyber risks to senior officers. It should also ensure an appropriate organizational structure and adequate resourcing are in place for managing technology and cyber risks across the FRFI.

Principle 2 – Technology and Cyber Strategy

The FRFI should define, document, approve and implement a strategic technology and cyber plan(s). The plan(s) should align with the FRFI’s business strategy and set goals and objectives that are measurable and evolve with changes in the FRFI’s technology and cyber environment.

Principle 3 – Technology and Cyber Risk Management Framework

The FRFI should establish a technology and cyber risk management framework. The framework should set out a risk appetite for technology and cyber risks and define what processes and requirements the FRFI utilizes to identify, assess, manage, monitor and report on technology and cyber risks.

Domain 2 – Technology Operations

Principle 4 – Technology Architecture

The FRFI should implement a technology architecture framework with supporting processes to ensure solutions are built in line with business, technology and security requirements.

Principle 5 – Technology Asset Management

The FRFI should maintain an updated inventory of all technology assets supporting business processes or functions. The FRFI’s asset management process should address classification of assets to facilitate risk identification and assessment, record configurations to ensure asset integrity, provide for the safe disposal of assets at the end of their life cycle and monitor and manage technology currency.

Principle 6 – Technology Project Management

The FRFI should ensure that effective processes are in place to govern and manage technology projects, from initiation to closure, to ensure that project outcomes are aligned with business objectives and are achieved within the FRFI’s risk appetite.

Principle 7 – System Development Life Cycle

The FRFI should implement a System Development Life Cycle framework for the secure development, acquisition and maintenance of technology systems that perform as expected in support of business objectives.

Principle 8 – Change and Release Management

The FRFI should establish and implement a technology change and release management process and supporting documentation to ensure changes to technology assets are documented, assessed, tested, approved, implemented and verified in a controlled manner that ensures minimal disruption to the production environment.

Principle 9 – Patch Management

The FRFI should implement patch management processes to ensure controlled and timely application of patches across its technology environment to address vulnerabilities and flaws.

Principle 10 – Incident and Problem Management

The FRFI should effectively detect, log, manage, resolve, monitor and report on technology incidents and minimize their impacts.

Principle 11 – Technology Service Measurement and Monitoring

The FRFI should develop service and capacity standards and processes to monitor operational management of technology ensuring business needs are met.

Domain 3 – Cyber Security

Principle 12 – Identify

The FRFI should maintain a range of practices, capabilities, processes and tools to identify and assess cyber security for weaknesses that could be exploited by external and insider threat actors.

Principle 13 – Defend

The FRFI should design, implement and maintain multi-layer, preventive cyber security controls and measures to safeguard its technology assets.

Principle 14 – Detect

The FRFI should design, implement and maintain continuous security detection capabilities to enable monitoring, alerting, and enable forensic cyber security incident investigations.

Principle 15 – Respond, Recover and Learn

The FRFI should triage, respond to, contain, recover and learn from cyber security incidents impacting its technology assets, including incidents originating at third-party providers.

Domain 4 – Third-Party Provider (“TPP”) Technology and Cyber Risk

Principle 16 – General

The FRFI should ensure that effective controls and processes are implemented to identify, assess, manage, monitor, report and mitigate technology and cyber risks throughout the TPP’s life cycle, from due diligence to termination/exit.

Domain 5 – Technology Resilience

Principle 17 – Disaster Recovery

The FRFI should establish and maintain an Enterprise Disaster Recovery Framework to support its ability to deliver technology services through disruption and operate within its risk tolerance.

Principle 18 – Testing of Disaster Recovery

The FRFI should perform scenario testing on disaster recovery capabilities to confirm its technology services operate as expected through disruption.

OSFI is inviting public comments on the Proposed Guideline which must be submitted by February 9, 2022.

OSFI is particularly interested in feedback on:

  • the clarity of OSFI’s expectations as set out in the Proposed Guideline;
  • the application of these expectations in relation to a financial institution’s size, nature, scope, and complexity of operations;
  • the balance between principles and prescriptiveness in OSFI’s expectations; and
  • any other suggestions that may contribute to OSFI’s mandate, while also allowing institutions to compete and take reasonable risks.

OSFI Lifts Restrictions on Canada’s Federally Regulated Financial Institutions related to Increasing Dividends, Share Repurchases and Raising Executive Compensation

On November 4, 2021, Peter Routledge, the Superintendent of Financial Institutions (Canada) (the “Superintendent”) announced that the Office of the Superintendent of Financial Institutions (“OSFI”) was lifting regulatory restrictions that it had imposed on federally regulated financial institutions (“FRFIs”) relating to dividends, share repurchases and executive compensation, effective immediately.

In response to the potential instability created as a result of the COVID-19 pandemic, in March 2020, OSFI had announced a series of temporary regulatory and supervisory adjustments to protect the resiliency of Canada’s FRFIs which included expectations that FRFIs would not increase regular dividends, undertake common share repurchases or raise executive compensation.

The Superintendent explained that there were three key elements to OSFI’s reasoning for lifting these expectations: (i) the original rationale for the expectations no longer applies, and most of OSFI’s other regulatory and supervisory accommodations in response to the COVID-19 pandemic have already been removed; (ii) the responsibility for these decisions appropriately rests with the boards and management of FRFIs; and (iii) OSFI has confidence that the boards and management of FRFIs will act responsibly when making capital distribution decisions and expects them to continue to do so.

However, the Superintendent noted that OSFI will still expect management and boards of directors of FRFIs to “act responsibly, and employ robust risk management practices and sensitivity analysis that uses conservative and prudent assumptions to guide decisions pertaining to capital distributions”.

The Superintendent also restated OSFI’s intention to transform itself to respond to an ever-changing risk environment and to prepare for more frequent instability, noting that OSFI is changing how it views risk and expects boards of FRFIs to do so as well. Based on the Superintendent’s remarks at the 2021 Global Risk Institute Annual Summit on September 29, 2021, FRFIs and their advisors can expect to hear more from OSFI on disclosures about climate risk, digitalization risk and OSFI’s internal organizational transformation.

Updated Requirements for Federally Regulated Financial Institutions’ Technology and Cyber Incident Reporting Obligations

On August 13, 2021, the Office of the Superintendent of Financial Institutions (“OSFI”) released an updated Technology and Cyber Security Incident Reporting Advisory (the “New Advisory”) for federally regulated financial institutions (“FRFIs”), which replaces the Technology and Cyber Security Incident Reporting Advisory previously published in January 2019 (the “2019 Advisory”).

The New Advisory potentially lowers the threshold for reporting and expands the scope of reportable incidents. Under the New Advisory, FRFIs who fail to comply with the new reporting requirements could be subject to increased supervisory oversight by OSFI. In connection with the New Advisory, OSFI also released an updated Cyber Security Self-Assessment Tool to assist FRFIs in reviewing their ability to manage technology and cyber risks and to respond to incidents.

The key updates in the New Advisory are:

  • New Definition of Technology or Cyber Security Incident – The New Advisory defines a technology or cyber security incident as “an incident that has an impact, or the potential to have an impact on the operations of a FRFI”. This appears to be a lower threshold for reporting than the 2019 Advisory, which defined a reportable incident as an incident having the potential to, or having been assessed to, “materially impact the normal operations of a FRFI”.
  • New Characteristics and Criteria for Reporting – Whereas the criteria for reporting set out in the 2019 Advisory included incidents that would have a “significant operational impact”, “material impact”, “extended disruptions” or “material consequences”, the New Advisory has removed these qualifiers. The new criteria no longer require that the impact be significant or material. Under the New Advisory, it appears that any impact to a FRFI’s systems or operations, or to the Canadian financial system, may trigger the reporting requirement. The New Advisory also expands the list of criteria for reporting. For example, in the 2019 Advisory, one of the criteria was whether an incident had been reported to the Office of the Privacy Commissioner (“OPC”) pursuant to the mandatory reporting of breaches of security safeguards under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The New Advisory provides that, in addition to incidents reported to the OPC or law enforcement under PIPEDA, an incident that has involved internal or external counsel may have to be reported.
  • Shorter Initial Notification Requirements – Incidents must now be reported within 24 hours, or sooner if possible. This is shorter than the notification requirement under the 2019 Advisory which was to report an incident “as promptly as possible, but no later than 72 hours.” There are no changes to subsequent reporting requirements and OSFI still expects FRFIs to provide situation updates, including any short-term and long-term remediation actions and plans until the incident is contained or resolved. Reports must be made in writing using the template provided in Appendix II to the New Advisory.
  • New Consequences of Failure to Report – Under the New Advisory, failure to report a technology or cyber security incident may result in increased oversight by OSFI. Notably, such increased oversight could include watch-listing of the FRFI and staging by OSFI. The 2019 Advisory did not provide for the consequences of a failure to report.

The 2019 Advisory provided that incidents “assessed by a FRFI to be of a high or critical severity level should be reported to OSFI”. Under the New Advisory, this provision is now included in the expanded criteria for reporting. OSFI advises that if a FRFI is uncertain whether to report an incident, the FRFI should consult their OSFI Lead Supervisor.

The obligation of FRFIs to report a technology or cyber security incident under the New Advisory is in addition to their obligations under applicable privacy legislation to report a breach of security safeguards.

The updates to the New Advisory may require FRFIs to review and update their policies and procedures related to technology and cyber security as well as outsourcing arrangements given that FRFIs will be expected to report incidents of third-party vendors that may affect the FRFI.

OSFI Publishes Guideline E-4: Foreign Entities Operating in Canada on a Branch Basis

On June 28, 2021, the Office of the Superintendent of Financial Institutions Canada (OSFI) issued the final version of Guideline E-4: Foreign Entities Operating in Canada on a Branch Basis (“Guideline E-4”). Guideline E-4 applies to both foreign bank and foreign insurance branches and replaces Guideline E-4A: Role of the Chief Agent and Record Keeping Requirements (which applied only to insurers) and Guideline E-4B: Role of the Principal Officer and Record Keeping Requirements (which applied only to banks) (collectively, the “Existing Guidelines”). OSFI expects all foreign branches operating in Canada to be compliant with Guideline E-4 by January 2022.

Guideline E-4 compares to the Existing Guidelines as follows:

  • General Direction:
    • Guideline E-4 sets out OSFI’s expectations with respect to foreign entities operating in Canada on a branch basis. It places greater emphasis on the foreign entity itself by outlining its responsibilities in the management of the Canadian business.
  • Branch Management:
    • Guideline E-4 presents “Branch Management”, which includes a team of individuals who have the authority and responsibility of overseeing the business in Canada. This may include the Chief Agent of a foreign insurance branch or the principal officer of a foreign bank branch and senior officers of the foreign entity located in or outside Canada.
    • The composition of the Branch Management team is expected to be proportionate with the overall size and complexity of the foreign branch’s federally regulated business in Canada.
    • Branch Management will be responsible for the effective adaptation, implementation and oversight of the foreign entity’s Canadian business, which includes the expectation that Branch Management have sufficient knowledge of all applicable Canadian legislation, regulations, guidelines and any other supervisory or regulatory matters related to the foreign entity’s federally regulated business in Canada. Accordingly, Guideline E-4 looks to the foreign entity’s Branch Management for accountability and management, in contrast to the Existing Guidelines, which looked only to the Chief Agent or Principal Officer for accountability.
    • If there are any changes to Branch Management, new reporting measures apply which did not apply to the Chief Agent or Principal Officer under the Existing Guidelines. In particular, the foreign entity is obligated to notify OSFI of any potential changes to the Branch Management team and of any circumstances that may negatively impact the Branch Management team.
  • Arrangements with the Foreign Entity’s Home Office:
    • Branch Management must document any arrangements involving material actions by the foreign entity’s home office on behalf of the branch. Guideline B-10: Outsourcing of Business Activities, Functions and Processes continues to apply to Guideline E-4 when determining the material functions of a branch’s home office when acting on behalf of the foreign entity.
    • If the foreign entity’s home office and its branch engage in the flow of funds, OSFI must be provided with details regarding the arrangement. Moreover, Branch Management must give OSFI 10 business days’ advance notice before any funds are transferred to the foreign entity’s home office if the transfer materially deviates from the documented process. The notice period of 10 business days is shorter than the 30 days’ notice initially proposed in the draft guideline.
  • Record Keeping:
    • Guideline E-4 aligns with new amendments to the location of records requirements provided in the Insurance Companies Act (“ICA”) and the Bank Act (“BA”), which will be effective in July of 2021. For branches under the BA, copies of records must be stored at the principal office in Canada or at another place in Canada found suitable by the principal officer. For branches under the ICA, copies of records must be stored at the chief agency in Canada.
    • Electronic records must be kept on a computer server physically located at the places stipulated in the BA and the ICA. Although electronic records must be available to be reproduced in written form within a reasonable period of time, for certain information, such as reinsurance arrangements, an executed copy may be required to be available at OSFI’s request. However, certain bank branches and insurance branches are exempted from the requirement to keep copies of the records in Canada and must instead provide OSFI with immediate, direct, complete and ongoing access to the records stored outside Canada.
    • The Guideline does not include any significant updates to the electronic storage of records, nor does it clarify data processing and retention of records as they relate to cloud computing.
    • Records must be updated and accurate as at the end of each business day, unless they are records that change less frequently than daily. The records must be sufficiently detailed to allow OSFI to conduct an examination and inquiry into the business of the branch, to manage the branch’s assets prior to the appointment of a liquidator (if the Superintendent takes control of the branch’s assets in Canada), and to allow the liquidator to conduct an effective liquidation of the branch’s assets in Canada.
  • Supervision of Branches:
    • Although the designation of branch responsibilities in the Existing Guidelines has not been built into Guideline E-4, OSFI expects the foreign entity, through its designated Branch Management, to be accountable to OSFI for its federally regulated business in Canada. As such, Branch Management should be knowledgeable of the results of OSFI’s supervisory work and manage the appropriate response to any supervisory expectations.

OSFI continues to expect that all foreign entities operating in Canada as a branch remain in compliance with the legislative requirements of the BA and ICA, and all applicable supervisory and regulatory expectations set out by OSFI and its guidance. If OSFI is not satisfied that the expectations set out in Guideline E-4 are being met, OSFI may apply additional supervisory and regulatory actions to the foreign entity’s branch in Canada.

Bill C-11: A Step Back Overall for Privacy Protection in Canada says Federal Privacy Commissioner

The Personal Information Protection and Electronic Documents Act (“PIPEDA”) is federal legislation that governs personal information held by private sector organizations in the course of for-profit, commercial activities across Canada. It also applies to personal information of employees of federally-regulated businesses including banks, airlines and telecommunications companies. On November 17, 2020, the federal government introduced Bill C-11, which proposes the enactment of the Consumer Privacy Protection Act (“CPPA”) and the repeal of Part I of PIPEDA. Bill C-11 can only become law after it has been approved by both Houses of Parliament and has received Royal Assent.

On May 11, 2021, the Federal Privacy Commissioner of Canada, Daniel Therrien, released a submission to the House of Commons Standing Committee on Access to Information, Privacy and Ethics, in which the Commissioner states that Bill C-11 “represents a step back overall from our current law and needs significant changes if confidence in the digital economy is to be restored.” The Commissioner emphasizes that Bill C-11, as drafted:

“would be a step back overall because the provisions meant to give individuals more control give them less; because the increased flexibility given to organizations to use personal information without consent do not come with additional accountability one would expect; because administrative penalties will not apply to the most frequent and important violations, those relevant to consent and exceptions to consent; and because [the Office of the Privacy Commissioner of Canada (“OPC”)] would not have the tools required to manage its workload to prioritize activities that are most effective in protecting Canadians.”

The Commissioner’s submission on Bill C-11 provides over 60 recommendations, which he believes are required to help ensure that organizations can responsibly innovate while recognizing and protecting the privacy rights of Canadians. The Commissioner’s recommended changes are categorized into the following three themes:

Weighting of Privacy Rights and Commercial Interests

  • The Commissioner’s submission provides that Bill C-11 “arguably gives more weight to commercial interests than the current law by adding new commercial factors to be considered in the balance, without adding any reference to the lessons of the past twenty years on technology’s disruption of rights.”
  • The submission further provides that “it would be normal and fair for commercial activities to be permitted within a rights framework, rather than placing rights and commercial interests on the same footing. Generally, it is possible to concurrently achieve both commercial objectives and privacy protection. This is how we conceive responsible innovation. However, when there is a conflict, we believe rights should prevail.”
  • The Commissioner suggests 10 recommendations under this theme, including recommendations with respect to the inclusion of a human rights-based framework in the CPPA and amendments to the definitions of personal information, sensitive information and commercial activity.
  • Of particular interest is the Commissioner’s reference to Dr. Teresa Scassa’s description of a human rights-based approach to privacy protection. Dr. Scassa describes a human rights-based approach to privacy as “one that places the human rights values that underlie privacy protection at the normative centre of any privacy legislation. . . . it acknowledges the nature and value of privacy as a human right so as to give privacy its appropriate weight in any balancing exercise.”

Specific Rights and Obligations

  • The Commissioner suggests 22 recommendations under this theme, focused within three particular areas: consent and the exceptions thereto, organizational obligations, and individual data rights.
  • Consent and the Exceptions Thereto
    • The Commissioner suggests changes to ensure consent is informed and meaningful. The Commissioner also notes that while several new exceptions to consent are reasonable, there are two main concerns:“some exceptions are unreasonably broad; and the Bill fails to associate greater authority to use personal information with greater accountability by organizations for how they will use these permissions.” The Commissioner addresses these concerns by suggesting revisions with respect to the scope of socially beneficial purposes, publicly available personal information, de-identification of personal information and disclosure of personal information to law enforcement.
    • Of particular interest is the Commissioner’s assertion that “[t]he CPPA does not speak to format, content structure, or accessibility. Each of these is a factor that contributes to an individual’s understanding of how their personal information is being used.”
  • Organizational Obligations
    • The Commissioner suggests changes in Bill C-11 with respect to accountability, trans-border data flows and service providers, safeguarding, breach reporting and domestic service providers.
    • Of particular interest is the Commissioner’s suggestion that the accountability principle is not clearly defined in the CPPA, and that the legislation does not “provide protective measures such that the accountability of organizations is real and demonstrable.”
  • Individual Rights
    • The Commissioner suggests changes in Bill C-11 with respect to automated decision-making, the right to reputation and data mobility.

Quick and Effective Remedies and the Role of the Office of the Privacy Commissioner of Canada

  • The Commissioner suggests a strong enforcement and oversight mechanism which should include access to quick and effective remedies for individuals and should provide the regulator with the legal mechanisms required to protect Canadians.
  • The Commissioner suggests 20 recommendations under this theme, including recommendations with respect to remedies, the rules of procedure and evidence in investigations, special cases of breaches, compliance agreements, the Personal Information and Data Protection Tribunal, administrative monetary penalties, private right of action, the role of the regulator, the discretion to investigate, advising organizations on their privacy management programs, codes of practice and certification programs, amendments to rules which mandate the Commissioner to consider the size of the organization and other factors mentioned, demonstrable accountability and proactive inspections, proactive compliance audits, the prohibition on use of information provided by an organization, confidentiality and cooperation with other organizations and offences.
  • Of particular interest is the Commissioner’s recommendation with respect to the Personal Information and Data Protection Tribunal. Here, the Commissioner has stated that “[w]hile the OPC welcomes oversight and accountability for our actions, we respectfully suggest that the new Tribunal is both unnecessary to achieve greater accountability and fairness (the Federal Court already plays this role), and counter-productive in achieving quick and effective remedies. In fact, all objective indicators show overwhelmingly that the Tribunal would unnecessarily delay justice for consumers. . . . In summary, there is no need to add an administrative appeal to ensure fairness to business when the Federal Court already plays this role, and as, at any rate, the OPC has an exemplary record in this regard. Moreover, adding a level of appeal can only delay the ultimate resolution of cases.”

In light of the Commissioner’s submission to the Standing Committee, Bill C-11 could undergo changes before it is passed, especially given Commissioner Therrien’s recent reappointment on June 4, 2021 for a one-year term. Organizations should pay particular attention to developments regarding Bill C-11 as changes may be forthcoming.

CISRO Seeking Input on the Principles of Conduct for Intermediaries

The Canadian Insurance Services Regulatory Organization (CISRO) recently released for comment draft Principles of Conduct for Intermediaries (“Principles”). The Principles are aimed at safeguarding the fair treatment of customers by intermediaries in the life & health and property & casualty insurance sectors by requiring that they conduct their business in a transparent and honest manner. Insurers are responsible for the fair treatment of customers throughout the life cycle of the insurance product, while intermediaries have oversight responsibilities to ensure that their employees and representatives meet high standards of integrity and ethics. While acknowledging that each jurisdiction has its own regulatory approach for the conduct of business, the Principles envision minimum regulatory conduct standards that are common across Canada regarding the fair treatment of customers. The Principles are intended to tie in with the Guidance on Conduct of Insurance Business and Fair Treatment of Customers (FTC), issued by CISRO and the Canadian Council of Insurance Regulators (CCIR). The Principles also align with Insurance Core Principles (ICP) of the International Association of Insurance Supervisors’ (IAIS).

Who Are Intermediaries? Intermediary encompasses adjusters, individual agents, brokers, representatives and business entities that distribute insurance products and services, including managing general agencies and third party administrators.

Who Are Customers? Customers may include policyholders (or certificate holders), prospective policyholders with whom an insurer or intermediary interacts, or other beneficiaries and claimants with a legitimate interest in the policy.

The Principles shape professional behaviour and conduct expectations for the fair treatment of customers:

  1. Compliance / Outcomes: Intermediaries must comply with all applicable laws, regulations, rules and regulatory codes to which they are subject.
  2. Customers’ Interests: Intermediaries must place customers’ interests above their own, including when an intermediary is developing, marketing, distributing and servicing insurance products.
  3. Conflicts of Interest: Intermediaries must identify, disclose and manage any actual or potential conflict of interest pertaining to a transaction or recommendation. Intermediaries must avoid entering into agreements where conflicts of interests may obstruct the fair treatment of customers or cannot be managed.
  4. Advice: In order to comprehend and recognize customers’ unique needs, intermediaries must seek complete information from customers when providing them with advice.
  5. Disclosure: Customers must be provided with objective, complete, relevant and accurate information by intermediaries, so that customers may make informed decisions. Intermediaries must properly disclose relevant information to all necessary parties (including the insurer) and disclose information in a manner that is clear and comprehensible for customers.
  6. Product and Service Promotion: Intermediaries must ensure that products and services are endorsed in a clear and fair manner that is not misleading. Promotions should be easily understandable and disclose all necessary and relevant information.
  7. Claims, Complaints Handling, and Dispute Resolution: Intermediaries must handle claims, complaints and disputes in a timely and fair fashion.
  8. Protection of Personal and Confidential Information: Intermediaries must take the measures necessary to protect personal and confidential information by: collecting only information that is necessary for the completion of the service or product provided; using and disclosing information only for the purposes, and for the duration, to which the customer has consented; and complying with all applicable privacy legislation for information management.
  9. Competence: Intermediaries must preserve an appropriate standard of professional knowledge to ensure the fair treatment of customers. Continuing education obligations must be met and duties must match the level of training and education provided. Intermediaries must not misrepresent their level of competence or conduct business beyond their threshold of professional knowledge and experience.
  10. Oversight: Intermediaries with contractual or regulatory oversight responsibilities are accountable for the conduct of any employee or third party involved in the distribution or servicing of insurance products. Policies and procedures, training and control mechanisms must be utilized by intermediaries in their oversight roles to ensure the fair treatment of customers.

CISRO is seeking feedback on the proposed Principles from a wide range of stakeholders, including the insurance industry and consumer advocates. Respondents should submit comments to cisro-ocra@fsrao.ca by July 9, 2021.

OSFI Publishes List of Near-term Guidance Priorities and Anticipated Timeframes for Release

OSFI’s Strategic Plan focuses on cultivating the readiness and resilience of federally regulated financial institutions (FRFIs) and federally regulated pension plans (FRPPs) to financial risks and non-financial risks that could potentially adversely affect their financial condition. In light of the Strategic Plan, OSFI recently published a list of the guidance that it anticipates releasing in the near term. Below is a summary of all of the guidance that OSFI intends to release which relates to insurance companies.

Risk Management Guidance

Industry Letter on Climate-related Risks
• Summarizes feedback received on OSFI’s Climate-related Risks Discussion Paper issued in Q1 2021 and sets out OSFI’s proposal for future climate-related risk initiatives.
• Timeframe: Q3 2021

Industry Letter on Technology Risk
• Summarizes feedback received on OSFI’s Technology Risk Discussion Paper issued in Q3 2020 and sets out future guidance initiatives
• Timeframe: Q2 2021 (Released on May 10, 2021)

Industry Letter on Operational Resilience
• Seeks views on integrating new Basel Committee on Banking Supervision Principles for Sound Management of Operational Risk and Principles of Operational Resilience into OSFI’s guidance
• Timeframe: Q3 2021

Final Guideline B-2 on Property and Casualty Large Exposure
• Establish OSFI’s expectations with respect to large exposures of property and casualty insurance companies
• Timeframe: Q4 2021

Final Guideline B-2 on Insurance Practices and Procedures
• Establish OSFI’s expectations related to reinsurance practices
• Timeframe: Q4 2021

Develop Guideline on Technology/Cyber Risk
• Develop OSFI’s expectations for technology and cyber risk management
• Timeframe: Q4 2021

Draft Revised Guideline B-10 on Third Party Risk
• Develop OSFI’s expectations for third party risk
• Timeframe: Q1 2022

Industry Letter on Advanced Analytics and Model Risk
• Develop OSFI’s expectations for advanced analytics and model risk
• Timeframe: Q1 2022

Consultative Document on Culture and Reputation Risk
• Develop OSFI’s expectations for culture and reputation risk
• Timeframe: Q1 2022

Capital and Accounting Guidance

Discussion paper on the Assurance of Capital, Leverage and Liquidity Returns
• Develop OSFI’s expectations on assurance of Deposit-Taking Institutions and insurance capital, leverage and liquidity returns
• Timeframe: Q2 2021 (Released on April 13, 2021)

Draft Guidelines on Assurance of Capital, Leverage and Liquidity Returns
• Develop OSFI’s expectations on assurance of Deposit-Taking Institutions and insurance capital, leverage and liquidity returns
• Timeframe: Q4 2021

Final Guideline on Assurance of Capital, Leverage and Liquidity Returns
• Develop OSFI’s expectations on assurance of Deposit-Taking Institutions and insurance capital, leverage and liquidity returns
• Timeframe: Q1 2022

Other

Semi-Annual IFRS 17 Progress Reporting
• Insurers reporting to OSFI on IFRS 17 implementation progress
• Timeframe: Q1 2021

Final IFRS 17 Regulatory Returns
• Regulatory Returns reflecting impact of adopting IFRS 17
• Timeframe: Q2 2021 (Released on April 30, 2021)

Draft LICAT, MCT, MICAT Guidelines for IFRS 17
• Cover updates to the capital frameworks for insurers triggered by IFRS 17
• Timeframe: Q2 2021

Semi-Annual IFRS 17 Progress Reporting
• Insurers reporting to OSFI on IFRS 17 implementation progress
• Timeframe: Q3 2021

Consultation on Draft Methodology for Determining Capital Requirements for Segregated Fund Guarantee (SFG) Risk
• QIS 5 and public consultation of the draft Chapter 7 of LICAT (i.e. the draft standard approach) and SFG-related regulatory returns
• Timeframe: Q3 2021

The timelines listed above reflect OSFI’s current strategic plans as of May 6, 2021. Plans may be subject to change or amendment; updates are posted here.

Respondent Feedback to OSFI Technology Risk Consultation

On September 15, 2020, the Office of the Superintendent of Financial Institutions (“OSFI”) published a discussion paper, Developing financial sector resilience in a digital world. The paper examined the risks arising from increased technological advancement and digitalization, in light of its potential effect on Canada’s financial sector. OSFI invited feedback regarding a variety of technology-related risk areas, with an emphasis on cyber security, advanced analytics, and the technology third party ecosystem. A diverse range of stakeholders including federally regulated financial institutions (“FRFIs”), industry associations, technology companies and consulting firms submitted their feedback. OSFI provided a brief summary of responses by stakeholders and plans to release draft guidance in the future. The full text of OSFI’s results summary publication can be found here.

A brief summary of the responses by the stakeholders includes the following:

Operational Risk & Resilience

Within the larger sphere of non-financial risk and operational risk management, technology risks are effectively managed when included in a firm’s enterprise risk management program. Effective operational risk management (“ORM”) leads to operational resilience, and technology is fundamental for such operations. However, while existing ORM approaches are appropriate, there are still opportunities to bolster practices.

Technology and Cyber Security

Emerging principles-based and technology-neutral perspectives, in which definitions, concepts, and expectations comport with existing guidance and accepted international standards, are most suitable for technology risk management. However, there is room to improve OSFI’s existing guidance. In general, emerging risks can be effectively managed within the larger sphere of technology risk management. This includes quantum readiness, which requires collective action by government, industry, and academia, and OSFI needs to continue engaging in these efforts.

Advanced Analytics

OSFI’s proposed principles of soundness, explainability and accountability are suitable for addressing emerging model risks, including those posed by artificial intelligence (“AI”) and machine learning (“ML”). However, there are areas where OSFI should consider modifications to bolster its principles. Moreover, human review and oversight of AI and ML models is important. In any event, “[a]ny new model of risk guidance should remain risk- and principles-based, technology agnostic, and aligned with other jurisdictions and existing industry standards.”

Third Party Risk

Technology-related Risk
Technology-related third party arrangements should be considered as part of OSFI’s planned review of Guideline B-10 rather than in separate guidance. Likewise, any cloud risk management provisions could be integrated into Guideline B-10 rather than issued as separate guidance. However, certain expectations regarding technology-related third party arrangements should be replaced with more outcome-based principles.

Proposed Principles
Feedback on the proposed principles was split: many respondents suggested changes to the descriptions or proposed additional principles, while other respondents believed that the proposed principles sufficiently depict current and emerging risks.

FinTech Arrangements
OSFI should consider FinTech arrangements like other third party arrangements because of the consistency between the inherent risks posed by these firms and other third party providers. However, OSFI should wait until the regulations pursuant to FRFI statutes on FinTech networking are completed to avoid overlap.

Data

Existing regulations offer adequate coverage on data risk guidance for FRFIs, so OSFI need not create additional data risk guidance. However, OSFI should consider the Basel Risk Data Aggregation and Risk Reporting (“RDARR”) principles as a foundation for any additional expectations that could pertain to all FRFIs, outside of systemically important banks.

Key aspects of data risk include quality, security and privacy, and data risk intersects with other risk areas including cyber security and models. Material data risks can arise from the use of poor quality data, data misuse, outages or breaches – all of which can cause operational disruption, reputational damage and financial loss.

Watch for any further updates on OSFI’s website, which can be accessed here.

Ontario Amends Insurance Regulation to Permit Emergency Auto Premium Rebating

Effective April 15, 2020, section 2 of the Ontario Regulation 7/00 – Unfair or Deceptive Acts or Practices made under the Insurance Act (Ontario) (the “Regulation”) was amended by adding the following subsections:

“(3) Despite paragraphs 1 to 3 of subsection (1), a rebate of all or part of an automobile insurance premium is not prescribed as an unfair or deceptive act or practice if,

(a) an emergency is declared under the Emergency Management and Civil Protection Act;

(b) the rebate is issued in response to the declared emergency; and

(c) the insurer files an undertaking with the Chief Executive Officer, in the form approved by the Chief Executive Officer.

(4) Subsection (3) applies from the day an emergency is declared under the Emergency Management and Civil Protection Act to the day that is one year after the day on which the declared emergency is terminated under that Act.”

The Ontario government’s regulatory action allows insurers in Ontario to respond to the state of emergency declared in the province on March 17, 2020 (the “State of Emergency”) by rebating all or part of an automobile insurance premium to their customers in order to relieve financial hardship due to the COVID-19 outbreak without violating the anti-rebating provisions of the Regulation.

The Financial Services Regulatory Authority of Ontario (“FSRA”) has published an Interpretation, an Approach and Information Guidance, dated April 15, 2020 which includes FSRA’s interpretation of the legal framework for emergency auto insurance premium rebate programs and the process for implementing such programs. There are a number of recommendations and requirements contained in this Guidance, which insurers should review prior to implementing emergency premium rebating programs.

Insurers providing any rebate to their customers during this emergency will only be protected by this amendment from March 17, 2020 to the day that is one year after the day on which the State of Emergency is terminated in Ontario.

Insurers who wish to implement emergency premium rebating programs must submit an undertaking to FSRA agreeing to be bound by such undertaking, the breach of which would be deemed to be an offense under section 447 of the Insurance Act and shall void application of section 2(3) of the Regulation.

Ontario case could allow recovery of Business Interruption Losses due to Covid-19 under Property Insurance Policies

The March 30, 2020 decision in MDS Inc. v. Factory Mutual Insurance Company, 2020 ONSC 1924 (Ontario Superior Court of Justice) (“MDS”) provides an interesting analysis of a number of provisions in an all-risk property insurance policy.

Of particular interest is the analysis by Madame Justice Wilson of the term “resulting physical damage” in the business interruption section of the policy and her conclusion that, as used in this particular all-risk property insurance policy and in the context of the factual matrix of the case, resulting physical damage included the impairment of function or use of tangible property, even in the absence of actual physical damage to property.

A number of commentators have identified the possibility that this conclusion could allow insureds to recover their business interruption losses under property insurance policies due to Covid-19 on the basis that, although the virus has not caused actual physical damage to their property, it has impaired the function or use of their property. We understand that this issue is already being litigated in the United States.

The facts of the MDS case were that heavy water used to cool a nuclear reactor began leaking through a hole caused by corrosion that Wilson J. found, on the evidence, to have been unexpected and unanticipated (i.e. fortuitous). This resulted in a 15-month shutdown of the reactor for safety reasons while the source of the leak was located and repaired. Wilson J. stressed this was a unique and important fact because, unless the reactor had been shut down by the nuclear regulator, there was a risk that the leak could have led to a nuclear meltdown.

The all-risk property insurance policy in question covered, among other things, business interruption losses directly resulting from physical loss or damage and included contingent business interruption coverage that protected the insured for its actual loss sustained and extra expense incurred directly resulting from physical loss or damage of the type insured to property of the type insured at the locations of various suppliers important to the insured, including the supplier that operated the nuclear reactor.

However, all coverage under the policy in question (both direct damage and business interruption coverage) was subject to the following exclusion:

“This Policy excludes the following, but if physical damage not excluded by the Policy results, then only that resulting damage is insured…

3) deterioration, depletion, rust, corrosion or erosion, wear and tear, inherent vice or latent defect.”

Wilson J. concluded that the exclusion with respect to “corrosion” did not exclude fortuitous or unanticipated corrosion. As noted above, she found as a fact that the corrosion in question was fortuitous and, therefore, that the above exclusion did not apply to deny the insured coverage.

However, in case another court disagreed with this conclusion, she considered the alternative that the corrosion exclusion applied and asked whether the coverage add-back in the above exclusion for “resulting property damage” would, nevertheless, afford coverage to the insured.

It was accepted by the parties that the heavy water did not cause actual tangible damage to the reactor. The insurer argued that in the circumstances the presence of the leaking heavy water was not resulting physical damage. The insured argued that it was resulting physical damage because the character of the reactor was changed in an important way by the heavy water, requiring the shutdown and rendering the entire reactor unusable.

Wilson J. agreed with the plaintiff. She concluded that the policy, considered as a whole, and the objective reasonable expectations of the parties as to the meaning of physical damage, viewed from a common-sense perspective, supported the view that the leak of heavy water would constitute resulting physical damage because it rendered the reactor inoperable until the safety concerns and protocol imposed by the nuclear regulator had been met.

She stated that:

“This interpretation is in accordance with the purpose of all-risk property insurance which is to provide broad coverage. To interpret physical damage as suggested by the Insurer would deprive the Insured of a significant aspect of the coverage for which they contracted, leading to an unfair result contrary to the commercial purpose of broad all-risk coverage.”

The phrase “directly resulting from physical loss or damage” is used to describe coverage under the policy in question for both business interruption losses incurred as a result of physical damage to property at the insured’s own locations and contingent business interruption losses incurred as a result of physical loss or damage to property at specified suppliers’ locations. Accordingly, the decision in MDS appears to apply to business interruption coverage generally and not just to contingent business interruption coverage.

The MDS decision may also support the broader proposition that “physical damage”, whether used in the business interruption insuring clause or the direct damage insuring clause of a property insurance policy, includes the impairment of function or use of tangible property, even in the absence of actual physical damage to such property.

In the MDS case, the only exclusions that could have applied were the corrosion, idle period and nuclear exclusions, all of which Wilson J. concluded did not apply. In the case of Covid-19, other exclusions or conditions in property insurance policies might apply. For example, some property insurance policies explicitly exclude coverage for any cost due to contamination resulting from the presence of a virus or impose sub-limits with respect to the length of business interruption coverage in cases where the government has ordered that the insured’s property not be used. Some of these exclusions explicitly provide that they apply to exclude business interruption losses.

The decision of the Ontario Superior Court of Justice in MDS is a decision of first instance. Accordingly, it may be appealed. In addition, its broader applicability may be limited by its special facts.

However, as long as the MDS case remains the law in Ontario, insureds in Ontario (and in other provinces and territories in Canada, as their courts may apply this case) whose businesses have been affected by Covid-19 would be wise to review their policies with their insurance and legal advisors.
