COPOLOFF ADVISOR COMPLIANCE GUIDANCE MANUAL


Introduction
The MGA's Role
Copoloff Advisor Code of Conduct
Anti-Money Laundering and Anti-Terrorist Financing Guidance
Privacy Program Guidance
Market Conduct Compliance Guidance
Needs-Based Selling
Required Disclosures
Do Not Call List
Summary of Anti-Spam Regulations
Records and File Management
Complaints Management
Responding to Insurance Company Requests
Regulatory Audits and Inquiries and Legal Proceedings

Copoloff 2017

Introduction

This compliance guidance manual was originally created by CAILBA, the MGA association, and modified by Copoloff for use by Advisors associated with us. We hope that you will find the material helpful in developing your own compliance program and filling in any gaps.

Before you attempt to develop a compliance program or to fill in the gaps in your existing program, review this material carefully. Do a risk assessment. Ask yourself the following questions:

1. What are the things which, if left undone, could have a really negative effect on my business?
2. What are the regulatory requirements that carry really bad consequences?
3. What are the things that pose reputation risk to me and my business?

1. Having the required anti-money laundering program is vitally important because:
- The Government of Canada has made the fight against money laundering and terrorist financing a national priority.
- Money laundering is prevalent in the insurance business and is not being detected as systematically as it needs to be, according to regulators.
- Failure to maintain an AML compliance regime carries stiff administrative penalties.
- FINTRAC is an activist regulator that is performing audits on Advisors.
- Being caught up, even inadvertently, in money laundering and terrorist financing can lead to criminal penalties, severe reputational damage and loss of licence.

2. Having the required privacy program is extremely important because:
- The life insurance business is one of the most information-dense businesses, with extraordinary amounts of personal information being exchanged daily.
- Canada is a world leader in privacy legislation and the Office of the Privacy Commissioner is active and empowered to name names.
- Insurers require appropriate handling of personal information as a contract condition.
- Having a privacy program in place is a requirement under the Copoloff Code of Conduct.
- The reputation risk and financial risk associated with a breach is extreme. Such a breach could have a devastating impact on an Advisor's ability to maintain contracts and earn a living.

3. Understanding and adhering to numerous market conduct laws, regulations, best practices, codes of conduct, traditions and expectations is essential because:
- Advisors are regulated provincially and their licences depend on adherence to a number of very specific obligations and prohibitions.
- Provincial regulators are charged with protecting the consumer and they take this role seriously.
- Insurers have obligations under provincial laws and regulations pertaining to the activities of their Advisors. They are obliged to screen, monitor and report Advisors.
- MGAs perform some of these tasks on behalf of insurers. Their own reputations and livelihoods rely on identifying regulatory risks and imposing controls that will mitigate those risks.
- The public and press are very alert and are quick to identify questionable practices.

See the Copoloff Advisor Code of Conduct, which contains a listing of numerous market conduct obligations and prohibitions for Advisors.

The MGA's Role

MGAs act as intermediaries between life insurers and Advisors, providing services to both under contracts. In most provinces, MGAs are regulated as insurance agents. In Quebec and Saskatchewan, they have some additional obligations. The following are some of the obligations that MGAs face.

1. License and E&O checks

2. Screening Advisors for suitability to act as Advisors

The CLHIA Guideline G8, Screening Agents for Suitability and Reporting Unsuitable Agents, requires an insurer's board of directors to ensure that their organization screens Advisors for suitability, monitors their activities to ensure compliance and reports those Advisors who appear to be unsuitable. The Guideline applies to all member companies in all provinces. The information gathered on the CLHIA Advisor Screening Questionnaire (ASQ), implemented in January 2015, represents the minimum amount of information that insurers believe is necessary to make an informed decision as to whether to accept or reject a candidate or seek more information.

Screening procedures are expected to include, among other things:
- Senior management interview to determine suitability and fit within the MGA
- Filling out of CLHIA ASQ
- Credit check
- Criminal background check
- Full retail background report
- A check of CAILBA, IIROC, MFDA and provincial insurance regulators' websites
- Verification of license and errors and omissions insurance
- Reference checks
- Sign off by senior management on contract
- Review of Advisor's
  o methods of holding out
  o marketing and advertising standards, including websites and the professional use of all social media
  o standard disclosure documents
- Verification that the Advisor has
  o Anti-money laundering program
  o Privacy program and privacy breach procedure
  o Needs-based sales practices
  o Awareness of and adherence to the CRTC Unsolicited Telecommunication Rules, including the National Do Not Call List ("N-DNCL") and anti-spam rules
  o Records management and file maintenance practices
- And providing a deadline (no more than 3 months) for the Advisor to repair any compliance gaps. If the Advisor does not do this, contract termination likely will result.

3. Monitoring and auditing Advisors' activity for compliance with laws and regulations, including:

A. Licensing and errors and omissions insurance checks, including spot checks.

B. Monitoring for Inappropriate Sales Practices including
- Fraud;
- Misappropriation of client funds;
- Forgery;

- Money laundering;
- Selling without a licence or otherwise violating the terms and conditions of a licence;
- Improper use of sales associates and assistants;
- Problems with non-face-to-face selling;
- Fronting;
- Breach of privacy or confidentiality laws or rules;
- Violation of holding out laws or rules;
- Failure to disclose a material conflict of interest;
- Tied selling;
- Premium rebating, except to the extent permitted by law;
- Undisclosed replacements;
- Indiscriminate systematic replacements;
- Twisting;
- Churning;
- Poor disclosure, material non-disclosure, including failure to provide the required written disclosures;
- Language barriers and use of unqualified translators;
- Misuse of, or material changes to, company-provided illustrations;
- Incomplete comparisons;
- Poor needs analysis, failure to assess product-client suitability and evidence of KYC problems;
- Inappropriate sales to seniors;
- Inappropriate leveraging;
- Material misrepresentation or omissions;
- Coercion or undue influence;
- Inducements to insure, where prohibited by law;
- Misleading statements to an insurer;
- Incompetence;
- Lack of trustworthiness, where an Advisor contract has been terminated for cause;
- Commission-sharing with an unlicensed individual;
- Unnecessary delay in delivering policies or failure to deliver policies;
- Trafficking in insurance policies, where prohibited by law;
- Poor file management and record-keeping.

C. Monitoring Segregated Fund and Other Investment Product Sales, including money parked too long in money market funds and market timing.

4. Training Advisors, providing and tracking continuing education
5. Providing compliance support to Advisors, including assistance with needs-based selling tools and disclosures.
6. Complaints management
7. Investigating and reporting unsuitable Advisors to insurers
8. Responding to insurance company requests for information
9. Responding to regulatory audits and inquiries and legal proceedings.

COPOLOFF ADVISOR CODE OF CONDUCT

This Code of Conduct sets out the standards to which we expect our Associate General Agents and brokers (collectively "Advisors") to adhere in their dealings with customers and in representing insurers. The Code supplements and reinforces but does not replace industry association, provincial regulatory and insurer codes of conduct to which the Advisor may already be subject and forms part of the contract between the Advisor and the CAILBA member. It is posted to the Copoloff website. You are required to read the Code, comply with its contents and inform us of material changes to your circumstances.

ANTI-MONEY LAUNDERING AND ANTI-TERRORISM FINANCING

Unless you are an attached agent, FINTRAC requires you to create your own compliance regime. Attached agents can rely on the Copoloff program. Independent Advisors should use the Canada Life AML-ATF guidance and template for Advisor anti-money laundering and anti-terrorist financing program on our website to create their own compliance program.

What the Act Requires Advisors to Do

The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the "Act") applies to life insurance brokers and agents. FINTRAC says that your compliance regime will have to be tailored to fit your own individual needs. It should reflect the nature, size and complexity of your operations. The Act's 5 requirements include:

1. Appointing a Compliance Officer.
2. Assessing and documenting money laundering and terrorist financing risks unique to our business.
3. Developing detailed compliance policies and procedures for reporting and record-keeping.
4. Ongoing review of the effectiveness of the compliance program through self-assessments.
5. Compliance training for employees, agents or others acting on our behalf as well as a forward-looking training plan.

Note that new regulations and guidance were introduced effective June If you have not updated your AML-ATF regime to reflect these changes, you should do so immediately. See the Canada Life templates.

Failure to identify clients, keep records, monitor financial transactions and take mitigating measures in situations where risk of money laundering or terrorist financing is high could lead to an Administrative Monetary Penalty of up to $100,000.

Penalties for Non-Compliance

Failure to comply with the compliance regime, reporting, record keeping or client identification requirements can lead to criminal charges against a reporting entity. Conviction of failure to retain records could lead to up to five years imprisonment, to a fine of $500,000, or both. Alternatively, failure to keep records or identify clients can lead to an administrative monetary penalty. For more information on penalties, consult the Penalties for non-compliance section of FINTRAC's Web site ( (FINTRAC)

PRIVACY PROGRAM

Introduction

The Personal Information Protection and Electronic Documents Act ("PIPEDA") is a federal law that applies to all organizations, including Insurance Advisors, engaged in commercial activities across Canada, except in those provinces that have substantially similar laws. Quebec's Privacy Act is An Act Respecting the Protection of Personal Information in the Private Sector, which has been deemed to be substantially similar to PIPEDA. In fact, amendments have been proposed to the Quebec Act recently, largely aimed at bringing the Act more into line with PIPEDA. Among the changes proposed is doing away with the requirement to create a file holding personal information. In this manual, we will mention only key differences between the Quebec and federal Acts.

You are required to create your own privacy compliance program. The guidance that follows is solely for your information. Copoloff makes the Canada Life guidance and templates for Advisors available so that you can create your own program. Please see our website.

A Summary of PIPEDA

You must obtain an individual's consent when you collect, use or disclose the individual's personal information ("PI"). An individual has a right to access PI you hold on them and to challenge its accuracy. PI can only be used for the purposes for which it was collected. If you wish to use it for another purpose, you must obtain consent again. You also need to assure individuals that their information will be protected by specific safeguards, including measures such as locked cabinets, computer passwords or encryption.

Definition of PI: PI includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, DNA or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

Summary of the Changes Made by the DPA to PIPEDA in 2015

This act was proclaimed in June 2015 and is in effect except for regulations around notifying parties of privacy breaches, which have not been published yet. The act and regulations apply to insurers, MGAs and brokers alike. Most of the changes relate to removing perceived weaknesses in PIPEDA. However, there are some new, more onerous requirements that are directly relevant to MGAs and brokers, including:

1. Privacy Breaches

A. Enhanced Definition of Breach

A breach occurs when there is an unauthorized access to, or collection, use or disclosure of personal information including information that is lost, stolen, disclosed in error or as a result of an operational breakdown that results from a breach of security safeguards or failure to establish those safeguards. A breach includes employee snooping or an employee leaving a fax machine unattended while personal information is being transmitted or received, thereby allowing non-authorized access to personal information.

The factors that help determine significant harm are the sensitivity of the information and the probability that the personal information has been, is being or will be misused. Probability is increased where safeguards are weak or non-existent. Regulations are to follow.

B. New Requirements for Reporting Breaches to Regulator and Notifying Affected Parties and Third Parties

Where it is reasonable to believe that the breach creates a real risk of significant harm* to an individual, we are required to:

1. Report the breach to the regulator (OPCC) and estimate the number of individuals who face a real risk of significant harm* from the breach (including such things as bodily harm, damage to reputation or relationships, financial loss and identity theft). The DPA was modelled after the Alberta privacy legislation, which also requires the regulated party to assess the risk of harm to individuals as a result of the breach. The OPCC's current breach notification form does not require this. It is unclear whether new regulations will require an assessment.
2. Notify affected individuals directly, providing sufficient information to allow them to understand the significance of the breach and the steps they should take to reduce the risk or mitigate the harm; and any information prescribed by regulation (TBD).
3. Third party notification - If the regulated party believes that another organization or government institution may be able to reduce the risk that could result from the breach or if any regulatory conditions (TBD) are satisfied, it must notify those organizations.

Threshold Test for Reporting Breaches and Notifying Affected Parties

* Significant harm triggers reporting and notification. It includes:

Copoloff 2014

- Bodily harm
- Humiliation
- Damage to reputation or relationships
- Loss of employment or business or professional opportunities
- Financial loss
- Identity theft
- Negative effects on credit record and
- Damage to or loss of property

Note that an organization can now face fines up to $100,000 per violation of the notification requirements, although details of how these fines would be determined have not been provided. At this writing, Quebec is entertaining changes to its act which would impose similar requirements.

C. Maintaining Records (Logs) of all Breaches, Large and Small

The DPA requires us and any third party to which we transfer personal information to create a record of every breach of security safeguards involving personal information under their control and to provide access to the OPCC upon request regardless of whether the Threshold Test is met. Failure to keep this record is a statutory offence.

2. Compliance Agreements

The OPCC can now enter into compliance agreements with organizations in order to ensure compliance with PIPEDA, if it believes the organization has committed, is about to commit or is likely to commit breaches of PIPEDA. Failure to comply with such an agreement may lead to a mandatory order from a federal court.

3. Disclosures of personal information without consent

Under certain circumstances, disclosures can be made to detect, suppress or prevent fraud and/or to protect victims of financial abuse, where it is reasonable to believe that getting consent would compromise the effort. In these circumstances, getting it right is critical. Involving legal counsel prior to making such disclosures is highly recommended.

4. Valid Consent - new concept

The DPA indicates that valid consent is required from individuals, which means that it is reasonable to expect that an individual providing consent understands the nature, purpose and consequences of consenting to the collection, use or disclosure of personal information.

The DPA introduced new exemptions from consent requirements, subject to conditions, including but not limited to:
1. Uses of employee information;
2. Reporting to government institutions if the MGA has reasonable grounds to believe that laws are being broken;
3. For purposes of investigating a breach of an agreement, law-breaking or preventing fraud;
4. In prospective business transactions; and
5. For due diligence purposes in a deal.

The DPA exempts any contact information used for communicating or facilitating communication with an individual in relation to their employment, business or profession. Using a business address is appropriate for contacting an individual in a work context.

The changes imposed by the DPA bring PIPEDA into line with Quebec's long-standing definition of consent. In Quebec, consent to the collection, communication or use of personal information must be manifest, free, and enlightened, and must be given for specific purposes. Such consent is valid only for the length of time needed to achieve the purposes for which it was requested.

Provincial Privacy Laws Variations:

Currently Alberta, Quebec and British Columbia have substantially similar privacy laws. Ontario, New Brunswick, Newfoundland and Labrador have enacted laws that are substantially similar in their treatment of personal health information and have breach notification requirements for health-related information. Alberta requires notification of the privacy commissioner if personal information is lost, accessed or disclosed without authorization, where real risk of significant harm to an individual exists as a result of the breach. Also note that some provinces have rules relating to personal information that is sent outside of province. You should become familiar with the privacy laws in the provinces in which you operate.

Insurers' and MGAs' Contractual Requirements

You gather, use and retain information about your customers for submission to insurers in order to determine their needs and identify suitable products and recommendations. You do this on your own behalf. When you pass some or all of this information through to the insurer on an insurance application, you generally do this on behalf of the insurer pursuant to a written contract. However, not all insurers include MGAs in their consents in their applications and forms. Because you likely collect more information than you submit on an application, you must ensure that you have the customer's explicit written consent to collect, use and retain the information. Furthermore, because you may use MGA services that are not explicitly covered by the consents insurers attach to their applications (e.g. general marketing support), you must ensure that the written consent you receive from the customer includes consent to share PI with us.

PIPEDA's 10 Principles and what you must do

Principle 1 - Accountability: Appoint an individual to be responsible for your compliance. Protect all PI you hold or transfer to any 3rd party for processing. Develop and implement PI policies and practices.

Principle 2 - Identify Purposes for Collection: Before or when you collect any PI from an individual, identify why it is needed and inform the individual from whom it is collected why and how it will be used. Document why the PI is collected. Identify any new purpose for the PI and obtain the individual's consent before using it.

Principle 3 - Consent: Provide clear explanation of the purposes for the collection, use or disclosure of PI. Obtain the individual's consent before or at the time of collection, and when a new use is identified.

Principle 4 - Limit Collection of Information: Do not collect PI indiscriminately. Do not mislead people about the reasons for collecting PI.

Principle 5 - Limit Use, Disclosure, Retention: Use or disclose PI only for the purpose for which it was collected, unless the individual consents, or the Act authorizes use or disclosure. Hold onto PI only as long as it is needed to satisfy the stated purposes. Implement procedures for retaining and destroying PI. Keep PI used to make a decision about an individual for a reasonable time period so that the person can get information after the decision and seek redress. Destroy information that is no longer required for a stated purpose or legally required.

Principle 6 - Accuracy: Minimize the possibility of using incorrect information when making a decision about the individual or when disclosing information to 3rd parties.

Principle 7 - Safeguards: Protect PI against loss or theft. Safeguard PI from unauthorized access, disclosure, copying, use or modification. Protect PI regardless of the format in which it is held.

Principle 8 - Openness: Inform individuals that you have policies and practices for managing PI. Make these policies and practices understandable and easily available.

Principle 9 - Individual Access: When requested, inform individuals if you have any PI about them. Explain how it is/has been used and provide a list of any organizations to which it has been disclosed. Give them access to their PI. Correct or amend any PI if its accuracy and completeness is challenged and found to be deficient. Provide a copy of the PI requested, or reasons for not providing access, subject to exceptions set out in Section 9 of the Act. Note any disagreement on the file and advise 3rd parties where appropriate.

Principle 10 - Provide Recourse: Develop simple and easily accessible complaint procedures. Inform complainants of their avenues of recourse. These include our MGA's own complaint procedures, those of industry associations, regulatory bodies and the Office of the Privacy Commissioner of Canada. Investigate all complaints received. Take appropriate measures to correct information handling practices and policies.

Institute a Compliance Program - the 4 elements

1. Appoint a Compliance Officer

2. Privacy Policies and Procedures for
- Receiving and processing access requests - the Rules

- Receiving and Responding to Inquiries and Customer Complaints

Suggested procedures:
- Safeguarding information, including

Physical Safeguards - ensure that your premises are secure through use of
o Locks
o Alarms
o Fire suppression
o Access cards
o Paper files holding PI are kept in locked file cabinets
o Reception areas
o Other

Operational Safeguards
o a clean desk policy.
o policies and procedures regarding information security.
o policies and procedures regarding access to PI in work-at-home arrangements. Record retention and destruction schedules.
o Prohibit the removal of PI from your offices.
o Train staff on information security and the need to safeguard PI.
o Allow access to PI on a need-to-know basis, generally based on the roles that staff performs.
o Regularly backup electronic records and provide for their secure storage.

Technological Safeguards
o Program your computers to scan for viruses.
o Use encryption for transmission of all sensitive information by electronic means.
o Establish rules for the use of faxes.
o House fax equipment in a protected location away from public view.
o Ensure the use of passwords on your computers.

3. Assess the Program

You must assess your controls as often as necessary but in no event less often than every two years, which allows you to develop a gap analysis. This in turn identifies where you have found weaknesses and allows you to create an action plan and timetable for resolution.

4. Training

The OPCC urges organizations to train their front-line and management staff and keep them informed, so they can answer the following questions:
- How do I respond to public inquiries regarding our privacy policies?
- What is consent? When and how is it to be obtained?
- How do I recognize and handle requests for access to PI?
- To whom should I refer complaints about privacy matters?
- What are the ongoing activities and new initiatives relating to our protection of PI?

You should receive annual training on privacy issues. See Appendix H, CAILBA's PowerPoint training for Advisors. You should supplement this training with other material.

Privacy Breaches

Some provinces with substantially similar legislation have notification requirements. You must be aware of the specific provincial requirements where you do business.

A privacy breach occurs when there is an unauthorized access to, or collection, use or disclosure of PI that contravenes privacy legislation. Typically breaches occur because PI is lost, stolen, disclosed in error or as a consequence of an operational breakdown.

A. Privacy Breach Procedures

A breach occurs when there is an unauthorized access to, or collection, use or disclosure of personal information including information that is lost, stolen, disclosed in error or as a result of an operational breakdown.

If you discover a breach, no matter how small:

- Notify our Compliance Officer immediately. The Compliance Officer in turn may notify outside Privacy Counsel and seek advice.
- Gather information about the incident:
  o Date of occurrence
  o Date discovered
  o How discovered
  o Location of the incident
  o Cause of the incident
  o Any other information you can quickly assemble
- Contain the breach immediately - don't let any more information escape.
  o Stop the unauthorized practice
  o Recover the records
  o Shut down the system that was breached
  o Revoke or change computer access codes or
  o Correct weaknesses in physical or electronic security.
- Assess the breach - very likely the Compliance Officer will take this on, as the person who conducts the investigation must have authority in the MGA and be able to make recommendations.
- The OPCC states that if the breach appears to involve theft or other criminal activity, notify the police.
- Do not compromise the ability to investigate the breach. Be careful not to destroy evidence that may be valuable in determining the cause or allow you to take appropriate corrective action.
- If customer information was involved, notify the Advisor and Insurers involved and work with them to determine who needs to be apprised of the incident internally and externally. Seek instructions on how the insurer would like to proceed. The insurer should determine whether affected individuals should be notified, how they will be notified and by whom. The OPCC states: Typically, the organization that has a direct relationship with the customer, client or employee should notify the affected individuals, including when the breach occurs at a third-party service provider that has been contracted to maintain or process the personal information. The decision as to whether to notify the affected individuals may have to be delayed in order for a full risk assessment to be conducted.
- Evaluate the risks associated with the breach. Find out:
  a. What PI was involved
  b. How sensitive the information is. Generally, the more sensitive the information, the higher risk of harm. Consider these high-risk forms of PI:
     - Health information
     - Government-issued ID such as SINs, driver's license and health care numbers
     - Bank account and credit card numbers
     - If a combination of PI was involved, as this is typically more sensitive. The combination of certain types of sensitive PI along with name, address and DOB suggest a higher risk.
  c. How this PI can be used. Can it be used for fraud or other harmful purposes (i.e. identity theft, financial loss, loss of business or employment opportunities, humiliation, damage to reputation or relationships)?
  d. Is there a reasonable risk of identity theft or fraud (usually because of the type of information lost, such as an individual's name and address together with government-issued identification numbers or date of birth)?
  e. Is there a risk of physical harm (if the loss puts an individual at risk of physical harm, stalking or harassment)?
  f. Is there a risk of humiliation or damage to the individual's reputation (e.g., the PI includes mental health, medical or disciplinary records)?
  g. Whether the PI was adequately encrypted, made anonymous or otherwise not easily accessible.
  h. What is the ability of the individual to avoid or mitigate possible harm?
  i. The cause of the breach.
  j. The extent of the breach - how many individuals have been affected?
  k. Who are they?
  l. What harm can result to the MGA? (Loss of trust, assets, financial exposure, legal proceedings).
  m. Do I have to report the breach to a regulator?*
- Do a thorough post mortem in order to prevent future breaches. What steps are needed to correct the problem? Is this a one-off issue or is it systemic?
- If Advisor or employee information was involved, notify the Compliance Officer immediately. There will likely be no need to notify the insurers, but the Compliance Officer will generally follow the same steps as above with appropriate consideration given to the special sensitivities around employee and Advisor PI.

Market Conduct Compliance

Needs-Based Selling

Numerous provincial rules and insurers' codes of conduct require Advisors to identify the needs of their customers before making any life insurance product or concept recommendations, including for segregated funds, which are life insurance products. In 2006, CCIR (the Canadian Council of Insurance Regulators) and CISRO (the Canadian Insurance Regulators Organization) stated that any recommended product must be suitable to the needs of the customer. Quebec has a long-standing requirement that Advisors use needs analyses with each customer, provide a copy to the customer and retain a copy in the file. Failure to do so is a violation that can lead to severe penalties. Copoloff provides insurance company templates, which cover a wide range of customers.

It is now expected that you will use needs analysis tools and document the factual basis for any recommendation you make. In the absence of documented proof of having met the obligation to engage in needs-based selling practices, there will be a predisposition to place more weight on the customer's recollections.

In 2007, the CLHIA, CAILBA, Advocis and the IFB collaborated on a document titled "The Approach: Serving the Client Through Needs-Based Sales Practices", which is found on our website. It offers guidance on the types of information that you might need to collect or provide. The Approach is an important document that represents the consensus of industry stakeholders about what is required. It is principles-based and flexible and allows the Advisor to make decisions about how best to approach the requirements.

Important Note: While the Approach suggests that a needs assessment might not be necessary if the customer identifies his or her needs and approaches the Advisor, this apparent carve-out is likely intended for agents selling simple products in non-face-to-face channels such as inbound call centres specializing in term insurance sales. Advisors who place business through CAILBA members are considered to be in the face-to-face channel. Customers cannot waive Advisor obligations. In fact, the presence of such a letter acts as a red flag for compliance officers and others and will often lead to an investigation of the underlying sale. Remember: in Quebec a written needs analysis is required by regulation.

Note that in 2016 CLHIA published "IVIC Suitability: Needs-Based Sales Practices", which can be found on our website. As stated before, a documented needs analysis is required when selling segregated funds.

Form of Needs Assessment

We do not dictate the form of needs analysis you must use, but make a variety of tools available on our website. Additionally, if you do financial planning and use planning software, it is highly likely that you will be able to easily produce an appropriate documented needs analysis.

Suitability and Appropriateness of Recommendations

With the exception of Quebec and Saskatchewan, which place some responsibility on MGAs for attached Advisors, the suitability of product and advice belongs to the Advisor. Under their contracts and under the CLHIA reference document on MGAs, Copoloff may be required to audit or spot check files to ensure you are using needs analyses. Further, we may ask you to provide samples of the material you use for our records.

Finally, in 2016 CLHIA instituted rules that now require Advisors to include a Reason Why letter as part of the sales process, which documents why the recommendation was made. This may also be called a Summary of Sale letter. It need not be in letter form per se, and could consist of an email. However, the information must be in writing with a copy to the client and one retained in the file. See the Reason Why template that we include with this manual.

Required Disclosures

In 2005, in response to high-profile legal and regulatory events in the United States and Canada, the CLHIA, CAILBA, Advocis and IFB collaborated on reference documents for advisor disclosures in individual and group sales. In 2016, CLHIA added additional requirements for disclosure. These documents are found on our website. They provide helpful information on the things that you should consider, along with sample disclosure letters.

The required written disclosures include:
1. Listing all of the insurers and other businesses that the Advisor represents;
2. The types of licenses held and the jurisdictions in which they are held;
3. The nature of the relationship with the companies represented, including any ownership interests or other potential conflicts;
4. How the Advisor is compensated;
5. Eligibility for additional compensation such as travel for such things as volume of sales or contests;
6. Any potential or real conflicts of interest;
7. The fact that the customer or plan sponsor has the right to ask for more information.

As with needs analyses, you should provide the customer with one copy and keep signed copies of these disclosures. If you certify to insurers that you provided disclosures that you did not in fact provide, this could be grounds for contract termination. See Disclosure Template on our Website.

Segregated Fund Disclosures

An Advisor who sells a segregated fund is required to:
o Deliver the Information Folder and Fund Facts documents for each segregated fund available under the contract before the customer signs the application. The customer may choose to receive these disclosure documents either physically (in person, mail, or fax) or electronically (email or viewed by the client on-line).
o Require the customer to sign acknowledging receipt of these documents. (Keep a copy of this receipt for your files.)
o Ensure that the customer is aware of the rescission right provided by the insurer.

See CLHIA Guideline G2, Individual Variable Insurance Contracts (IVICs) Relating to Segregated Funds.

Do Not Call List

Advisors who engage in telemarketing either directly or through others are subject to the CRTC's Unsolicited Telecommunications Rules, including the National Do Not Call List (N-DNCL). They may not attempt to telemarket to numbers that are on the N-DNCL without express prior consent. The Advisor must understand the extensive rules and understand that he or she is required to register with the N-DNCL Operator, who registers consumers' numbers for the list, provides telemarketers with updated versions of the list and receives consumer complaints about calls. Referrals are not exempted because the required consent has not been received. Currently, there are no fees for registering but there is provision for fees at a future date.

Exclusions and Exemptions from the N-DNCL:

Service Calls
The N-DNCL rules do not apply to service calls from an Advisor, which consist of calls that relate to advice, products or services the client or prospect has purchased, applied for or inquired about, along with any calls that are required by regulation or standards of professional conduct.

Existing Business Relationship
An Advisor has an existing business relationship with a person if that person has:
- Purchased goods or services from the Advisor within the last 18 months;
- Inquired about insurance or applied for a product or service within 6 months of the call; or
- If the customer has a written contract in effect or expired within 18 months of the call.

There appears to be quite a lot of latitude for an Advisor to maintain contact with his or her existing customers and prospects. How he or she acquires those prospects in the first place is what is at issue. Given the advent of social networking media and other means of communication, restrictions on prospecting for clients or acting on referrals by telephone appear to be manageable. See CLHIA Guidance on CRTC Do Not Call List.

Summary of 2014 Anti-Spam Regulation

Our summary below is not all-inclusive. Given how new and untested this regulation is, expect to see guidance and industry compliance responses develop over time.

Effective July 1, 2014, all commercial electronic messages (CEMs) that you send out (by email, text, some voice messages, for example) that are not exempt must include:
- the name of the sender,
- the complete business mailing address,
- either your phone number, email address or web address,
- a mechanism to unsubscribe, which must be actioned within 10 days. The mechanism itself must survive for 60 days.

Definition of a CEM: any electronic message sent to an electronic address where the purpose is to encourage participation in a commercial activity (e.g. a transaction or commercial act) regardless of whether there is any expectation of profit. According to CRTC, as of July 1, any electronic request for consent to receive CEMs is itself a CEM.

Non-CEM communications: Certain types of communications do not constitute CEMs, including such things as emails between administrative staff and Advisors or their customers, regarding pending or existing business.

Some exclusions/exemptions apply. The following list is not exhaustive. (See link for full list.)

Business to Business (B2B) Dealings: CEMs by an employee, representative, consultant or franchisee of an organization to another employee, representative, consultant or franchisee of the organization, or of another organization that has a business relationship with the sender, are exempt and do not require consent, unsubscribe or contact information. The message must concern the activities of the organization to which it is sent. Copoloff's primary role under our contracts with insurers is to communicate information to Advisors on their behalf. Insurers also rely on the B2B exemption. Communications among Advisors, insurers and MGAs (generally covered by contracts) are covered by this exemption. MGAs do not generally ask for Advisor consent to communicate electronically, nor do Advisors have the ability to unsubscribe from electronic communications while they hold a contract or have a business relationship with the MGA.

Family and Personal Relationships are exempt, subject to certain rules. See link.

Responses to complaints and inquiries are exempt (also known as the "reply exemption"). See link.

Third-party referrals are exempt, subject to conditions:
- The sender must disclose in the message the full name of the person who made the referral; and
- The person who made the referral must have an existing personal or family or business relationship with both the sender and the recipient; and
- Only one email can be sent to a recipient based on the referral. Any additional emails must be based on consent.

Three-Year Transition Period - For any communications/relationships that are not excluded/exempt. Once again, this is not an exhaustive discussion. Over the next 3 years, starting July 1, 2014, Advisors and MGAs who have identified non-exempt relationships must move from implied consent to express consent from all non-exempt contacts.

Implied Consent
You can rely on this if you have an existing business relationship*, the recipient has supplied the electronic address or published it widely without the caveat that unsolicited CEMs are not welcome, and the message is relevant to the business relationship. However, implied consent ends:
- 2 years after any contract establishing the business relationship ends*; or

- 6 months after an inquiry or application was made, assuming there has been no other activity.

*An existing business relationship survives the sale of a business.

Express Consent
After the 3-year transition period, you will be required to have express consent from all of your customers. Under the law, express consent requires an action by the customer, hence the need to have the customer respond to you rather than using a negative response mechanism that requires only the un-subscribers to respond to you.

Record-keeping
You must keep copies of all consents, because if you are challenged, you will have to identify how you got consent and when. Even if you are operating under implied consent, you must document and retain records on when and by what means you got consent.

Records and File Management

We may perform spot checks or audits of your practices and may be able to help you to identify and repair poor record-keeping practices. Well-maintained files are an Advisor's best protection. Customer files should contain enough information to demonstrate that a needs-based sale took place. A well-maintained file should contain copies of the material that (or detailed notes on what) was provided to the customer.

While Advisors are required to verify client ID in keeping with federal AML laws, unlike the rules around the sale of mutual funds, there is no requirement to retain actual copies of the customer's personal ID in insurance files. Much of the information contained on that personal ID must be retained, however. Review your files regularly to identify records that are due for destruction.

A customer file should contain the following and should be retained:
1. Needs analysis, any financial plan and investor profile and Reason Why letter
2. Copy of disclosures
3. Copy of privacy statement and consent
4. Copies of dated illustrations shown to customer
5. Any email or letter communications with customer
6. Dated notes on any discussions in person or via telephone
7. Copies of any completed forms
8. Policy delivery receipt, where required
9. Any customer complaint documentation. (In Quebec, this must be maintained as a separate file.)

The following items should not be found in customer files:
1. Original undelivered policy.
2. Any pre-signed blank forms.
3. Client copy of confirms or correspondence.

4. Any medical information, including medical portion of application, lab tests or physician notes (all such documentation should be shredded immediately upon policy issuance. Should you retain this information, you must ensure that you have your customer's written consent for doing so).
5. Documents pertaining to other insurance policies or mutual funds (each should be held in separate files. They should not be subject to review by mutual fund regulators or insurers unrelated to the policy in question).

Complaints Management

If you are an Advisor in Quebec or hold a licence in Quebec, there are certain requirements to which you must adhere, including the establishment of a complaints protocol. You must be aware of these requirements.

You are required by the Copoloff Advisor Code of Conduct to report all material complaints from customers to us and the insurer. You must also maintain a Complaint log that includes:
- Customer name
- Policy or document number
- Advisor name
- Date of complaint (written or verbal)
- Recipient of complaint
- Individual handling the complaint
- Summary of complaint (details should include whether a regulatory body is involved)
- Whether the complaint was reported to the insurer and/or MGA and the contact information
- Steps towards resolution
- Statement of resolution and date of resolution

It is vitally important that you keep this log in good order. It is a protection for your business. You may be called upon to produce the complaint log in regulatory and insurer audits.

Responding to Insurance Company Requests

Many insurers' contracts require you to cooperate and be responsive to requests for information. Contracts also generally call for cooperation and assistance in responding to complaints or investigations into business practices or conduct. Insurers typically expect to be provided access to your records related to all matters governed by the contract. Failure to cooperate can be grounds for contract termination and, in some cases, reports to regulators.

Regulatory Audits and Inquiries and Legal Proceedings

You are required to notify Copoloff and insurers of any interactions you have with regulators, in particular any enforcement actions or legal proceedings. It is critically important that you notify your errors and omissions insurance carrier as well. Depending on the nature of the audit, inquiry or proceeding, you should consider contacting your outside legal counsel for direction and assistance.


More information

ING Privacy Policy. Issued June 2017

ING Privacy Policy. Issued June 2017 ING Privacy Policy Issued June 2017 1. Privacy Policy This Privacy Policy applies to ING Bank (Australia) Limited (ABN 24 000 893 292) and ING Bank N.V. Sydney Branch. The terms "we", "us" or "our" used

More information

ABCsolutions Inc. CREA Module Three: Reporting Requirements

ABCsolutions Inc. CREA Module Three: Reporting Requirements CREA Module Three: Reporting Requirements State the importance of know your client rules as they relate to anti-money laundering and terrorist financing initiatives. Identify the reports the real estate

More information

H 7789 S T A T E O F R H O D E I S L A N D

H 7789 S T A T E O F R H O D E I S L A N D ======== LC001 ======== 01 -- H S T A T E O F R H O D E I S L A N D IN GENERAL ASSEMBLY JANUARY SESSION, A.D. 01 A N A C T RELATING TO INSURANCE - INSURANCE DATA SECURITY ACT Introduced By: Representatives

More information

ASTRAZENECA GLOBAL POLICY DATA PRIVACY

ASTRAZENECA GLOBAL POLICY DATA PRIVACY ASTRAZENECA GLOBAL POLICY DATA PRIVACY This Global Policy sets out the requirements for ensuring that we collect, use, retain and disclose personal data in a fair, transparent and secure way. Personal

More information

LICENSE AGREEMENT. Security Software Solutions

LICENSE AGREEMENT. Security Software Solutions LICENSE AGREEMENT Security Software Solutions VERIS ACTIVE ID SERVICES AGREEMENT between Timothy J. Rollins DBA Security Software Solutions, having an office at 5215 Sabino Canyon Road and 4340 N Camino

More information

PRIVACY AND CREDIT REPORTING POLICY

PRIVACY AND CREDIT REPORTING POLICY PRIVACY AND CREDIT REPORTING POLICY October 2018 CONTENTS What is personal information?... 3 Information we may collect, use and disclose about you... 4 Collection of sensitive information... 6 How personal

More information

Attachment to Identity Theft Prevention Service Provider Attestation

Attachment to Identity Theft Prevention Service Provider Attestation Attachment to Identity Theft Prevention Service Provider Attestation Identify Theft Prevention Policy Effective January 1, 2011 Identity Theft is a crime in which an individual wrongfully obtains and uses

More information

LIFE INSURANCE PRODUCT SUITABILITY REVIEW FINANCIAL SERVICES COMMISSION OF ONtARIO MARKEt REGULAtION BRANCH. SEptEMBER 2014

LIFE INSURANCE PRODUCT SUITABILITY REVIEW FINANCIAL SERVICES COMMISSION OF ONtARIO MARKEt REGULAtION BRANCH. SEptEMBER 2014 LIFE INSURANCE PRODUCT SUITABILITY REVIEW FINANCIAL SERVICES COMMISSION OF ONtARIO MARKEt REGULAtION BRANCH SEptEMBER 2014 Contents Executive Summary... 1 Purpose... 2 FSCO S Methodology... 3 Observations...

More information

Schedule A MGA Broker Commission In effect for all Foresters Financial TM business written on or after December 18, 2017

Schedule A MGA Broker Commission In effect for all Foresters Financial TM business written on or after December 18, 2017 Schedule A MGA Broker Commission In effect for all Foresters Financial TM business written on or after December 18, 2017 Life and health insurance commission rates as a percentage of annual premium First

More information

Privacy Policy. Effective Date 1 December 2017

Privacy Policy. Effective Date 1 December 2017 Privacy Policy Effective Date 1 December 2017 Contents Intro 3 1. What is personal information? 3 2. How do we collect information? 4 3. Use of information 6 4. Who we disclose your information to 7 5.

More information

Welcome To Your Data Protection Journey. Paula Tighe Information Governance Executive

Welcome To Your Data Protection Journey. Paula Tighe Information Governance Executive Welcome To Your Data Protection Journey Paula Tighe Information Governance Executive Legal Statement All information in this presentation is protected under copy right and where indicated protected under

More information

EQUAL ACCESS FUNDING PTY LTD PRIVACY POLICY

EQUAL ACCESS FUNDING PTY LTD PRIVACY POLICY 1. INTRODUCTION EQUAL ACCESS FUNDING PTY LTD PRIVACY POLICY This Policy applies to Equal Access Funding Pty Ltd ABN 23 156 554 255 (referred to as EAF, we, our, us ) and covers all of its operations and

More information

NATIONAL RECOVERY AGENCY COMPLIANCE INFORMATION GRAMM-LEACH-BLILEY SAFEGUARD RULE

NATIONAL RECOVERY AGENCY COMPLIANCE INFORMATION GRAMM-LEACH-BLILEY SAFEGUARD RULE NATIONAL RECOVERY AGENCY COMPLIANCE INFORMATION GRAMM-LEACH-BLILEY SAFEGUARD RULE As many of you know, Gramm-Leach-Bliley requires "financial institutions" to establish and implement a Safeguard Rule Compliance

More information

PRIVACY NOTICE LAST UPDATED: SEPT. 2018

PRIVACY NOTICE LAST UPDATED: SEPT. 2018 PRIVACY NOTICE LAST UPDATED: SEPT. 2018 HOW THE BANK USES YOUR PERSONAL DATA This privacy notice provides an overview of how Hellenic Bank Public Company Ltd (the Bank ) processes your personal data. Personal

More information

Model Code for the Protection of Personal Information, CAN/CSA-Q830-96

Model Code for the Protection of Personal Information, CAN/CSA-Q830-96 Model Code for the Protection of Personal Information, CAN/CSA-Q830-96 4.1 Principle 1 Accountability An organization is responsible for personal information under its control and shall designate an individual

More information

PRIVACY BREACH GUIDELINES

PRIVACY BREACH GUIDELINES PRIVACY BREACH GUIDELINES for Trustees This document has two purposes. The first is to assist health trustees to understand what a privacy breach is and how to deal with one. The second is to outline what

More information

INFORMATION AND CYBER SECURITY POLICY V1.1

INFORMATION AND CYBER SECURITY POLICY V1.1 Future Generali 1 INFORMATION AND CYBER SECURITY V1.1 Future Generali 2 Revision History Revision / Version No. 1.0 1.1 Rollout Date Location of change 14-07- 2017 Mumbai 25.04.20 18 Thane Changed by Original

More information

H E A L T H C A R E L A W U P D A T E

H E A L T H C A R E L A W U P D A T E L O U I S V I L L E. K Y S E P T E M B E R 2 0 0 9 H E A L T H C A R E L A W U P D A T E L E X I N G T O N. K Y B O W L I N G G R E E N. K Y N E W A L B A N Y. I N N A S H V I L L E. T N M E M P H I S.

More information

Our privacy commitment to you. What types of personal information is collected and why? About us. Personal information. What is personal information?

Our privacy commitment to you. What types of personal information is collected and why? About us. Personal information. What is personal information? Our privacy commitment to you CSF Pty Limited (ABN 30 006 169 286, AFSL 246664) (the Trustee), the trustee of the MyLifeMyMoney Superannuation Fund (ABN 50 237 896 957) (the Fund) is committed to respecting

More information

ADMIRAL MARKETS AS PRIVACY POLICY

ADMIRAL MARKETS AS PRIVACY POLICY ADMIRAL MARKETS AS PRIVACY POLICY Effective from 21.10.2016 1. GENERAL PROVISIONS 1.1 Definitions used in the procedure: Client means any natural or legal person who has entered into client agreement with

More information

Loaded Everyday card terms and conditions

Loaded Everyday card terms and conditions Loaded Everyday card terms and conditions Posted Online: 1 October 2013 Effective: 15 October 2013 The Loaded TM range of cards is issued by Kiwibank Limited and distributed by various organisations, including

More information

May 2, 2018 Page 1 of 8

May 2, 2018 Page 1 of 8 ALBERTA BLUE CROSS ONLINE SERVICES BILLING AGREEMENT Terms of Use ABC Benefits Corporation ( Alberta Blue Cross ) makes the Alberta Blue Cross Provider Online Services Web Site available solely for the

More information

CF CANADA FINANCIAL GROUP

CF CANADA FINANCIAL GROUP CF CANADA FINANCIAL GROUP Monthly Compliance Training Section 5 Reporting Requirements - reporting procedure - client record keeping & client identification - implementation of compliance regime - written

More information

NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM ACCREDITATION STANDARD AND AUDIT CRITERIA Version 2.0. Potential Verification for Onsite Audit

NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM ACCREDITATION STANDARD AND AUDIT CRITERIA Version 2.0. Potential Verification for Onsite Audit Page 1 of 24 NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM ACCREDITATION STANDARD AND AUDIT CRITERIA Version 2.0 (Glossary provided at end of document.) Information Security 1.1 Information Security

More information

Effective Date: 4/3/17

Effective Date: 4/3/17 HIPAA AND HITECH ADM 067.4 Attachment D Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule Health Information Technology for Economic and Clinical Health (HITECH)

More information

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment

More information

COMPLIANCE TRAINING 2015 C O M P L I A N C E P R O G R A M - F W A - H I P A A - C O D E O F C O N D U C T

COMPLIANCE TRAINING 2015 C O M P L I A N C E P R O G R A M - F W A - H I P A A - C O D E O F C O N D U C T COMPLIANCE TRAINING 2015 QUALITY MANAGEMENT COMPLIANCE DEPARTMENT 2015 C O M P L I A N C E P R O G R A M - F W A - H I P A A - C O D E O F C O N D U C T Compliance Program why? Ensure ongoing education

More information

FOR COMMENT PERIOD NOT YET APPROVED AS NEW STANDARD

FOR COMMENT PERIOD NOT YET APPROVED AS NEW STANDARD UPDATED STANDARD FOR COMMENT OCT 2017 Page 1 of 23 NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM ACCREDITATION STANDARD AND AUDIT CRITERIA (Glossary provided at end of document.) Information

More information

Proposed Amendments to MFDA Rule 2.2 (Client Accounts) and MFDA Policy No. 2 Minimum Standards for Account Supervision

Proposed Amendments to MFDA Rule 2.2 (Client Accounts) and MFDA Policy No. 2 Minimum Standards for Account Supervision 13.1.4 Proposed Amendments to MFDA Rule 2.2 (Client Accounts) and MFDA Policy No. 2 Minimum Standards for Account Supervision I. OVERVIEW A. Current Rules MUTUAL FUND DEALERS ASSOCIATION OF CANADA PROPOSED

More information

PROCEEDS OF CRIME (MONEY LAUNDERING) & ANTI-TERRORIST FINANCING (AML/ATF)

PROCEEDS OF CRIME (MONEY LAUNDERING) & ANTI-TERRORIST FINANCING (AML/ATF) PROCEEDS OF CRIME (MONEY LAUNDERING) & ANTI-TERRORIST FINANCING (AML/ATF) Overview For Advisor Use Only Revised April 2014 Registered trademark of The Empire Life Insurance Company. Policies are issued

More information

Code of Ethics for Directors

Code of Ethics for Directors Code of Ethics for Directors 2 Table of Contents 1. Introduction... 3 1.1. Application... 3 1.2. Following these principles... 3 1.3. Other requirements... 3 1.4. Waivers... 3 1.5. Revisions... 3 1.6.

More information

Banks Sheridan Limited Data Protection Privacy Policy 19 May 2018

Banks Sheridan Limited Data Protection Privacy Policy 19 May 2018 Banks Sheridan Limited Data Protection Privacy Policy 19 May 2018 1. Introduction This Policy sets out the obligations of Banks Sheridan Limited ( the Company ) regarding data protection and the rights

More information

2. FROM WHICH SOURCES THE BANK COLLECTS YOUR PERSONAL DATA?

2. FROM WHICH SOURCES THE BANK COLLECTS YOUR PERSONAL DATA? P R I V A C Y N O T I C E Last updated May 2018 Eurobank Cyprus Ltd ( the Bank ) wishes to inform you why and how the Bank collects and processes your personal data as well as of your rights under local

More information

intermediary terms of business

intermediary terms of business intermediary terms of business Old Mutual International Ireland This document was last reviewed in December 2012. Please confirm with your sales consultant that this is the most up-to-date document for

More information

North Simcoe Community Futures Development Corporation (NSCFDC) PRIVACY POLICY 1.0 PURPOSE OF PRIVACY POLICY 3

North Simcoe Community Futures Development Corporation (NSCFDC) PRIVACY POLICY 1.0 PURPOSE OF PRIVACY POLICY 3 PRIVACY POLICY North Simcoe Community Futures Development Corporation (NSCFDC) TABLE OF CONTENTS PRIVACY POLICY 1.0 PURPOSE OF PRIVACY POLICY 3 1.1 The Ten Principles of PIPEDA Summarized 3 1.2 Personal

More information

Man and Machine - Data Protection Policy

Man and Machine - Data Protection Policy Man and Machine - Data Protection Policy 1. Introduction This Policy sets out the obligations of Man and Machine Ltd, whose registered office is at Unit 8 Thame 40, Jane Morbey Road, Thame, Oxfordshire,

More information

PROCEEDS OF CRIME AND ANTI-MONEY LAUNDERING ACT

PROCEEDS OF CRIME AND ANTI-MONEY LAUNDERING ACT NO. 9 OF 2009 PROCEEDS OF CRIME AND ANTI-MONEY LAUNDERING ACT SUBSIDIARY LEGISLATION List of Subsidiary Legislation Page 1. Regulations, 2013...P34 75 PROCEEDS OF CRIME AND ANTI-MONEY LAUNDERING REGULATIONS,

More information

Ball State University

Ball State University PCI Data Security Awareness Training Agenda What is PCI-DSS PCI-DDS Standards Training Definitions Compliance 6 Goals 12 Security Requirements Card Identification Basic Rules to Follow Myths 1 What is

More information

Investigation Report F2016-IR-02 Investigation into the unauthorized disclosure of public officials cellphone records

Investigation Report F2016-IR-02 Investigation into the unauthorized disclosure of public officials cellphone records Investigation Report F2016-IR-02 Investigation into the unauthorized disclosure of public officials cellphone records August 10, 2016 Service Alberta and Executive Council Investigations F8688 and 000712

More information

Statutory Review of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act

Statutory Review of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act i Submission of the Federation of Law Societies of Canada to the House of Commons Standing Committee on Finance Statutory Review of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act

More information

Kenya Gazette Supplement No th March, (Legislative Supplement No. 21)

Kenya Gazette Supplement No th March, (Legislative Supplement No. 21) SPECIAL ISSUE 219 Kenya Gazette Supplement No. 52 28th March, 2013 (Legislative Supplement No. 21) LEGAL NOTICE NO. 59 THE PROCEEDS OF CRIME AND ANTI-MONEY LAUNDERING ACT (No. 9 of 2010) THE PROCEEDS OF

More information

TokenLot, LLC BSA Officer TokenLot, LLC Board of Directors

TokenLot, LLC BSA Officer TokenLot, LLC Board of Directors Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Program APPROVED BY TokenLot, LLC BSA Officer TokenLot, LLC Board of Directors TokenLot, LLC BSA/AML Program 2017 1 TABLE OF CONTENTS 1. Bank Secrecy

More information

OLD DOMINION UNIVERSITY PCI SECURITY AWARENESS TRAINING OFFICE OF FINANCE

OLD DOMINION UNIVERSITY PCI SECURITY AWARENESS TRAINING OFFICE OF FINANCE OLD DOMINION UNIVERSITY PCI SECURITY AWARENESS TRAINING OFFICE OF FINANCE August 2017 WHO NEEDS PCI TRAINING? THE FOLLOWING TRAINING MODULE SHOULD BE COMPLETED BY ALL UNIVERSITY STAFF THAT: - PROCESS PAYMENTS

More information

March 1. HIPAA Privacy Policy

March 1. HIPAA Privacy Policy March 1 HIPAA Privacy Policy 2016 1 PRIVACY POLICY STATEMENT Purpose: The following privacy policy is adopted by the Florida College System Risk Management Consortium (FCSRMC) Health Program and its member

More information

DATA COMPROMISE COVERAGE RESPONSE EXPENSES AND DEFENSE AND LIABILITY

DATA COMPROMISE COVERAGE RESPONSE EXPENSES AND DEFENSE AND LIABILITY THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. DATA COMPROMISE COVERAGE RESPONSE EXPENSES AND DEFENSE AND LIABILITY Coverage under this endorsement is subject to the following: PART 1 RESPONSE

More information