Sometimes being surprised is a good thing. Other times – not so much…

Surprise, Mom!

Hello George, You’ve been selected for a compliance audit!

Surprised maybe – but you don’t want to be unprepared.

• INSURANCE – Regulatory audit, Insurers auditing MGA practices = MGAs auditing individual broker practices
• SECURITIES – Dealer/regulatory audit of advisor files – KYC, risk profiles
• REGULATORY AUDITS – e.g., FINTRAC; Client complaints
• E&O claims – document client meetings

Global partnerships
• Focus of financial regulators to protect the integrity of financial markets and ensure the fair treatment of customers – develop globally accepted requirements for effective supervision of each financial sector to prevent/address gaps in regulation
• Detecting money laundering & combatting financing of terrorism – FINTRAC
• Canada participates with other countries on international securities/insurance associations. International associations audit the practices of member countries and make recommendations to address regulatory gaps.
• FSCO’s legislative mandate – to protect the public interest and enhance public confidence in the sectors it regulates
• OSC - to provide protection to investors from unfair, improper or fraudulent practices and to foster fair and efficient capital markets and confidence in capital markets

“All the money I took in, I put into stocks. The first day of October made me feel like I was rich… …I figured I could pay my debts any time, and I just let them ride… …On that day of October 29, (1929) they told me I needed more cash to cover up. I couldn’t get it. I was wiped out that day.”
Excerpt from George Mehales, South Carolina WPA Life Histories interview, December 1938
American Life Histories, American Memory, Library of Congress

• If it ain’t documented, you can’t prove it!
• You are the professional – courts and regulators will side with your client if you can’t support your position with documented evidence.
• FINTRAC – AML policies & procedures
• Privacy plan
• Do not call/do not email procedures
• Disclosure documentation
• Life insurance replacement & written analysis

Compliance with FINTRAC (Financial Transactions and Reports Analysis Centre of Canada) requirements:
• Compliance Regime
• Knowledge of what a suspicious transaction is, and how to report it

• Legislation in place since July 2000 to deter & detect movement of illegal funds into Canada’s financial system
• Mortgage brokers, Real estate agents/developers/brokers
• Accountants
• Banks, trust companies, loan companies, money service businesses, securities dealers, life insurance companies, independent life insurance brokers
• Casinos
• Precious metal dealers/jewelers
• Exempt – reinsurance, property & casualty insurance

• If you are an independent life insurance broker, you need a compliance regime!
• MGAs and agencies must have and maintain a compliance regime
• Life insurance companies are responsible for the compliance regime for their employees/career agents & that they comply with the reporting, record keeping, client identification requirements
• Mutual fund/securities dealers are responsible for employees/approved persons for these transactions ONLY

• FINTRAC can audit your business (many life insurance brokers across Canada were audited from the fall of 2011 to May 2012)
• If your business is selected, it is mandatory to complete a Compliance Assessment Report
• MGAs and insurers audit whether you have a compliance regime in place and know your obligations

• Financial penalties
• Failure to report a suspicious transaction
• Incomplete compliance policies and procedures, failure to develop a written ongoing compliance training program and failure to take special measures for high risk activities
• Inadequate practices of ascertaining client identity and confirming the existence of an entity other than a corporation, failure to enter into an agreement or arrangement with an agent or mandatary for the purposes of ascertaining identity, and incomplete record keeping
• Failure to take reasonable measures to determine whether a person is a politically exposed foreign person.
• Failure to appoint a person to be responsible for the implementation of a compliance program
• Failure to develop and apply written compliance policies and procedures that are kept up to date and, in the case of an entity, are approved by a senior officer
• Failure to assess and document the risk referred to in subsection 9.6(2) of the Act, taking into consideration prescribed factors
• Failure of a person or entity that has employees, agents or other persons authorized to act on their behalf to develop and maintain a written ongoing compliance training program for those employees, agents or persons

A FINTRAC compliance examination will assess whether a reporting entity is meeting its obligations under the legislation. Areas of review can include:
• Is a compliance regime in place?
• Is there reporting of all required transactions?
• Have proper client identification measures been implemented?
• Are you meeting your record keeping requirements?
• Is proper ID of third party ownership being determined, where required?

• There are 5 components to a FINTRAC Compliance Regime
• All 5 steps must be included, although the level of detail may vary for each step depending on the size of your office
1. Appoint a compliance officer
2. Have a written Policies and Procedures manual
3. Assess the risk of money laundering and terrorist financing to your business
4. Document your training program (unless you are a sole proprietor)
5. Update and re-evaluate at least every 2 years

Appoint a compliance officer, in writing.
• Document who it is in writing.
• CO is responsible for implementing your compliance regime and must know and understand their responsibilities.

Develop written policies and procedures.
Your compliance policies and procedures will be less detailed than those of a larger insurance agency or life insurance company.
*BUT* Your policies and procedures have to be in writing and be kept up to date, regardless of whether you are a small business, an individual or an entity.
• CLHIA developed a guide for life insurance brokers that can meet the requirement for a written P&P manual.
• Links are on IFB’s website (www.ifbc.ca), the CLHIA website (www.clhia.ca), and individual insurance company websites.
• Caution: FINTRAC expects it to be customized to reflect your business, as required, not just the last page signed and dated.

Assess and document the risks of money laundering and terrorist financing in your business, and take measures to mitigate potentially high risk situations.

Document the following factors in your risk assessment:
1. The products and services you offer and how you deliver them.
2. The geographic locations where you conduct your activities and the geographic locations of your clients.
3. Any other relevant factors related to your business.
4. Your clients and the business relationships you have with them.

A helpful resource for your risk assessment: www.fintrac-canafe.gc.ca
Good information and suggestions to help you assess your business risks in Guideline 4, Appendices 1, 2, and 3.

Implement and document an ongoing compliance training program for you and your staff.

Training Program for Sole Proprietors:
• If you are a sole proprietor (not a corporation) with no employees, agents or other individuals authorized to act on your behalf, you are not required to have a training program in place for yourself.
• However, your policies and procedures must be in place, updated and will have to be reviewed every two years to test their effectiveness.

Review and test your program at least every 2 years.
• Review and test the effectiveness of your policies and procedures, your risk assessment and your training program.
• Modify and update your existing policies and procedures – implement new ones if required.
• Sign and date the review as proof.
Read FINTRAC Guidance on Conducting a Review (Guideline 4, Section 8 “Review Every 2 Years”)

• Has a compliance officer been appointed?
• Are policies and procedures in place?
• Are appropriate measures in place to identify, document, and mitigate risks related to money laundering and terrorist financing?
• Is a training program established?
• Is there a periodic review of the compliance regime?
• Are the reporting requirements being met?
• Are client identification requirements being met?
• Are the appropriate records being kept?
FINTRAC Guideline 4 has additional guidance on how to implement a compliance regime. www.fintrac-canafe.gc.ca

• Federal Personal Information Protection and Electronic Documents Act (PIPEDA) is the default unless a province has “substantially similar” legislation
• Substantially similar legislation (PIPA) exists in BC, Alberta, and Quebec

YOU are required to protect your client’s personal information.
1. Written Privacy Policy and client consent
2. Documented privacy breach procedure
3. Training – keep up to date on changes to legislation
4. Commitment to follow the 10 privacy principles

Information that can be used to identify an individual.
• Name, gender, birth date, race, marital status, medical and financial information, contact information (address, email, phone number, etc.)
• Info in paper files, electronically, video or voice recording

• Every organization has to have someone who is responsible for implementing & maintaining the privacy plan.
• In a small organization, that person is probably You. In a larger business, you may want to assign responsibility to one of the management team, or to a management committee.
• Bottom line – “someone has to be accountable to your customers, so they know where to go to ask questions, get access to their customer records, or resolve any complaints they may have about their privacy”.
Source: Privacy Commissioner of Canada’s website: www.priv.gc.ca

• Commitment to protecting your client’s personal information
• You will only use it for the purpose stated
• You will only retain the information for as long as needed
• You have obtained the client’s consent
• You will take steps to safeguard their information including destroying it
• Client can access their information to verify it
• Client is informed about complaint mechanisms
• Notice that consent cannot be withdrawn in certain circumstances – legal, regulatory

• Include permission to share information with 3rd parties – MGAs, other professionals, etc.
• Any 3rd party must also adhere to privacy principles – if you are a MGA, you need a privacy plan
• Tip: Add consent to contact client by telephone and email to cover off CASL/Do Not Call

• Ensure your client’s records are secure whether in files in the office, on your computer or phone – including installing anti-virus/anti-malware software
• Encrypt your electronic files especially if client information is on laptop or other portable device
• Stronger passwords: Take a sentence, mix in a few upper case letters and a number – for example, “There is no place like home,” would become “tiNOplh62.”
• Shred/destroy records in a secure manner when no longer required
• Purchase privacy breach insurance – IFB E&O has cheap add on $50/year

• April: 900 social insurance numbers were stolen from the Canada Revenue Agency’s website by a hacker exploiting the Heartbleed bug
• September: 56 million Home Depot customers in Canada and the U.S. were affected by a data breach from malicious software designed to steal credit card information.

Don’t wait until it happens! Know what to do and train other employees who deal with client files:
1. Contain the breach
2. Assess the extent of the breach and risk to clients
3. Inform the client if there’s potential for harm
4. Document what steps you took and who you notified (if needed)

Office of the Privacy Commissioner of Canada: www.priv.gc.ca
• Securing Personal Information: A Self-Assessment Tool for Organizations
• Build a Privacy Plan for your business
• Key Steps for Organizations in Responding to Privacy Breaches
IFB (for members): updated template Privacy Policy/Client Consent form

• Do Not Call Registry: in place since 2008 – Update: phone numbers are now permanently registered until removed by individual
• Independent life insurance brokers are “telemarketers” – requires registering on CRTC website and paying monthly/yearly subscription to access list of numbers registered on DNC List
• Exemptions: calls to existing clients, business to business calls, service calls, calls made up to 18 months after end of business relationship, 6 months if referral
• Free webinar available for IFB members (1 hour CE)

• Consent required after July 1st, 2014 for new clients – must be implied or express – Express is better
• 3 year transition – allows you to send emails until July 1, 2017 to existing clients – after that you will need express consent
• Anyone can withdraw consent at any time – you have to respect that unless there’s a legal/contractual obligation that prevents them from withdrawing consent

• CASL does not just apply to spam!
• Applies to ANY electronic message with a commercial intent.
• Includes sales or promotional information you email to prospective clients.
• Business to consumers and business to business

• Compliance with CASL is rooted in consent.
• Consent can be implied or express but after July 1st CEMs cannot be sent without the consent of the recipient.

3 year transition period to help businesses adjust:
• Implied consent under the transition rule allows you to send CEMs until July 1, 2017 to existing customers, unless they ask you not to.
• And you were already communicating with them electronically prior to July 1, 2014.
• Existing business relationship - you can send a CEM to the recipient up to 2 years from the date of your last business transaction. Then it expires.
• Referrals - Someone approaches you for information about your services. You have up to 6 months to contact them. Then consent expires.

• Proof of consent lies with you – get consent in writing
• If oral – keep recording or follow up with email to get proof
• Express consent may be valid under CASL if client had signed Privacy Consent form before July 1st – check the wording
• Better – ask clients to sign a revised Privacy Consent or additional consent spelling out they consent to you contacting them by phone, electronic mail

• Express consent is not time-limited. Permission remains in place unless the recipient withdraws it.
• Requires recipient to opt-in, not opt-out, to qualify. Person must provide explicit verbal or written permission to you to contact them.

1. IDENTIFYING INFORMATION – who you are, contact information
2. UNSUBSCRIBE FEATURE – allow opting out at any time
3. CONSENT – express or implied

• Look at who you email and why
• Get express consent – good time to contact clients and prospects to remind them of your value
• Make sure your emails, texts contain the prescribed “identifying information” and an unsubscribe feature
• Update your privacy consents

• Government of Canada Fight Spam website: http://fightspam.gc.ca
• CRTC: www.crtc.gc.ca – Q&A section covering common questions
• IFB website – Member Compliance Tools section
• IFB Broker Tip sheet at IFB booth

“The more you explain it, the more I don’t understand it” - Mark Twain

Point of Sale Disclosure: Fund Facts - an easy-to-read document that highlights key information about the fund, such as a description of the fund, its performance, risks and costs. Currently produced for mutual funds & segregated funds. Will be expanded to ETFs.
• BIG focus of securities and insurance regulators – do clients understand who they are dealing with, for what services and the cost of those services?

• Companies you represent
• Compensation – how compensated, additional compensation – bonuses, travel
• Conflicts of interest - Reasonable person test:
1. Would your advice or product offered have been different if the situation or incentive giving rise to the potential conflict of interest did not exist?
2. Would it appear to a reasonable, informed third party looking at all the facts that you acted in the best interest of your client?
• Consumer’s right to ask for additional information
• Client complaint mechanisms

• Some provinces have specific legal requirements
• Ontario: since 2004, disclosure must be in writing – FSCO study – 90% advisors disclose conflicts of interest but only 50% do so in writing!
• BC, Manitoba, Alberta & Quebec all have legal requirements – check the provincial regulator websites if you’re licensed in other provinces

• CRM1: disclosure of relationship of client and advisor/firm, conflicts of interest and enhanced (more) suitability reviews
• CRM2: enhanced account statements, book cost, market value
• Attempts to address imbalance of information – recognizing that financial products can be complex and hard for the ‘average’ investor to understand

• Conflicts of interest – disclose any conflict or potential conflict of interest that arises between the interests of the Dealer or Approved Person and the interests of the client (e.g. OBAs)
• Relationship disclosure – written disclosure about the nature of the relationship between the Dealer firm and the client on account opening
• Referral arrangements – written disclosure of referral arrangements must be made to the client before the party receiving the referral either opens an account for the client or provides services to the client
• Transaction fees and charges – prior to the acceptance of any order in respect of a transaction in a client account, inform the client of the nature of compensation

• Most common reason for claims being denied by insurers is non-disclosure to client – make sure you have a record proving the disclosure happened
• Cancellation of old policy before purchase of new policy confirmed – could result in client left without insurance and advisor responsible

• Life Insurance Replacement Declaration (LIRD) standardized form – 11 questions
Plus:
• Written explanation of reasons for replacement to be provided to client:
i) how the existing policy doesn’t address client needs
ii) why the replacement policy is better and,
iii) any risks associated with replacing the insurance (e.g. suicide provision restarted)
• Guidance on preparing the written explanation – jointly prepared by CLHIA, CAILBA, IFB and Advocis – covers individual and group
• Quebec introduced a slightly different replacement form “Notice of Replacement of Insurance of Persons Contract” – must be used for any replacement after October 21, 2014

• Ontario/NFLD: LIRD & written explanation to client, new insurer – existing insurer gets LIRD only
• BC, Alberta, Sask, NS, NB, PEI: LIRD & written explanation to client
• Manitoba: LIRD & written explanation to client, new insurer LIRD only
• Note: Insurance companies may require you to provide the LIRD or both documents with the application for replacement

• FSCO new computer system – “the required tools to effectively regulate in an increasingly challenging financial services marketplace”
• FSCO - Focus on product suitability and advice – next phase of survey
• LLQP national harmonized program – roll out January 1st, 2016
• CCIR - segregated funds review & assess potential for regulatory arbitrage
• CRM2 – fee disclosure/performance on statements for mutual funds and securities investors – July 2015/16
• CSA/OSC research on whether embedded fees/commissions influence advice
• CSA/OSC response to “Best Interest” (aka fiduciary duty) for mutual fund advice
• CE for MFDA advisors – consultation expected early 2015
• Ontario Ministry of Finance: review merits of more tailored regulation of financial planners