
IFB comments on FSRA proposed IT guidance

Written by IFB Staff | Mar 31, 2023 4:50:00 PM

IFB comments on FSRA's IT Risk Management Guidance, seeking clarity on its impact on life insurance licensees and credentialing bodies for financial planners

March 31, 2023 

Financial Services Regulatory Authority of Ontario (FSRA) 
25 Sheppard Ave. W., Suite 100 
Toronto ON M2N 6S6 

Submitted on the FSRA website 

Subject: Proposed Information Technology (IT) Risk Management Guidance 

Independent Financial Brokers of Canada (IFB) appreciates the opportunity to comment on FSRA’s proposed IT Risk Management Guidance. 

IFB is a national, not-for-profit association representing 3,000+ licensed financial professionals. The majority of IFB members are licensed by FSRA, most commonly as life insurance agents.

Most IFB members are self-employed owners/operators of a financial practice in their local community. IFB supports its members, and the financial community more broadly, by offering accredited CE opportunities, a comprehensive professional liability insurance program, compliance resources and regulatory updates. IFB’s advocacy and stakeholder relations provide a collective voice for those who operate as independent financial advisors and planners.

Our interest in the draft IT guidance is directed to its potential impact on life insurance licensees, and the credentialing bodies for financial planners and advisors.   

Individual life insurance licensees 

We would like clarification of the statement (page 7) that regulated entities and individuals must comply with existing requirements related to IT risk and the protection of personal information, including, but not limited to, the requirements of PIPEDA. Life insurance agents/brokers are obligated to comply with PIPEDA, except in Alberta, B.C., and Quebec, which have their own Privacy Protection legislation. We are not sure what FSRA’s intent is in suggesting life agents may have responsibilities in addition to PIPEDA.  

Under PIPEDA, life insurance agents must comply with the 10 fair information privacy principles and have a documented privacy program in place. The program must include taking steps to safeguard personal information collected from clients, or prospective clients, and notifying the Office of the Privacy Commissioner and any other organization that could reduce the risk of harm or help mitigate the harm.  We note that FSRA will accept risk incident reporting forms issued by another financial services regulator.  We agree that this will help reduce the burden of reporting.   

FSRA has indicated it may include a review of an agent’s or regulated entity’s IT risk management processes when assessing their suitability to be licensed. We note that insurers and MGAs conduct periodic audits of the compliance practices of the agents under contract and suggest FSRA seek to co-ordinate such audits to reduce the regulatory burden on these individuals and small agencies. As part of this process, FSRA should review the training provided by insurers and MGAs to their contracted agents on the required steps these agents should take to manage their IT risks when transmitting sensitive health and personal information of consumers. Examples might include multi-factor authentication (MFA), using secure email addresses, encrypting files, securing a Wi-Fi network or a virtual private network (VPN), and securely deleting files. 

Credentialing bodies for financial planners and advisors 

The IT guidance only applies to credentialing bodies, not to individuals accredited as Financial Planners and Financial Advisors.  We understand that FSRA’s oversight is restricted to CBs.  However, this raises some concerns.  First, individual FPs and FAs who are not otherwise licensed will have no privacy requirements, regardless of their need to collect personal information in the provision of their services.  In our view, this is a gap for consumers who use unlicensed FPs and FAs, and not one most consumers would be aware of.   

As a second point, under the Financial Professionals Title Protection Act, FSRA can revoke a CB’s approval for lack of compliance with the proposed Guidance.  It will be important to establish processes in the event a CB’s approval is revoked, so that individual FPs and FAs who have earned the credential in good faith are not disadvantaged. 

Please contact the undersigned should you have questions on our comments, or Susan Allemang (sallemang@ifbc.ca), Director of Policy & Regulatory Affairs. 

Yours truly,

Nancy Allan
Executive Director
T: 905.279.2727 Ext. 102
E: allan@ifbc.ca