In April, we wrote that the Financial Stability Board (FSB) was seeking comment on 46 recommended cyber incident response and recovery (CIRR) practices for financial institutions. On October 19, the FSB published its final “toolkit” consisting of 49 recommendations (Report). Although the FSB tends to focus more on systemically important financial institutions, we think that all capital markets participants will find it worthwhile to read the final Report. The FSB expects that firms of various sizes and with different business models will choose to adopt, and adapt, some or all of the recommendations as appropriate, taking into account their size, complexity and risks to the financial system.
AUM Law can help you assess and enhance your cyber security policies and procedures and conduct training in this area for your employees. Please contact us to find out more about our services in this area.
October 30, 2020
On September 15, the Office of the Superintendent of Financial Institutions (OSFI) published Developing Financial Sector Resilience in a Digital World: Selected Themes in Technology and Related Risks (Discussion Paper) for comment. Although OSFI’s mandate concerns federally regulated financial institutions, we believe that the Discussion Paper’s themes are relevant to the wider financial services sector including securities dealers, advisers and investment fund managers. Among other things, the Discussion Paper discusses the evaluation of technology risks in light of supervisory trends that are shifting from process-based, operational risk management (ORM) to more holistic and outcome-oriented operational resilience. OSFI then proposes three sets of core principles focusing on:
- Cyber-security (principles relating to confidentiality, availability, and integrity);
- Advanced analytics (principles relating to soundness, explainability and, and accountability); and
- The third-party ecosystem (principles relating to transparency, reliability, and substitutability).
The Discussion Paper includes references to OSFI standards as well as research, standards and proposals published by international organizations such as the Financial Stability Board and therefore represents a useful compilation of research and standards in this field.
September 30, 2020
On August 13, the Ontario Ministry of Government and Consumer Services (Ministry) launched a consultation (Consultation) regarding potential reforms to Ontario’s privacy laws. Currently, the principal legislation governing privacy matters in Ontario’s asset management sector is the federal Personal Information Protection and Electronic Documents Act (PIPEDA). The Ontario government is considering whether there is a need for Ontario legislation or other measures to address potential legislative gaps or provide enhanced protections for individuals in Ontario.
This initiative is at an early stage of development, with the Ministry is seeking feedback on general concepts, including the following:
- Increase transparency: Provide individuals with more detail about how their information is being used by businesses and organizations;
- Enhance consent provisions allowing individuals to revoke consent at any time and establishing an opt-in model for secondary uses of their information;
- Introduce a right to be forgotten so that individuals can request that information relating to them be deleted;
- Introduce standards for de-identified data (i.e. anonymized data derived from personal information) to clarify how privacy protections apply;
- Introduce data portability standards, giving individuals greater freedom to change service providers without losing their data;
- Create a legislative framework for data trusts so that, for example, an organization’s data could be governed by a third party to ensure the data is used in a transparent and accountable way; and
- Increase the Information and Privacy Commissioner’s enforcement powers including the introduction of penalty powers.
Many of these themes overlap with issues being considered by the Government of Canada as part of its initiative to modernize PIPEDA, which we discussed in our May 2019 bulletin.
In Ontario, the Ministry has launched a survey to collect individuals’ views on privacy issues. Organizations are invited to make written submissions on the Consultation by October 1, 2020. If you want to make a submission or learn more about how existing privacy legislation and potential reforms may affect your business, please do not hesitate to contact us.
August 31, 2020
On June 25, the International Organization of Securities Commissions (IOSCO) published a draft report and proposed guidance (Report) regarding asset managers and market intermediaries’ use of artificial intelligence (AI), including machine learning (ML). It’s a useful reference document to help you stay informed on evolving firm practices, as well as regulatory concerns and approaches, in this area.
The Report is based on IOSCO’s survey of and discussions about AI and ML with asset managers and market intermediaries. It analyzes how firms are using the relevant technologies, outlines the potential benefits and risks, and describes how firms are addressing those risks. The report also includes appendices describing how various regulators (including Canadian securities regulators) are addressing AI and ML risks and summarizes guidance in this area published by international organizations such as the Financial Stability Board.
IOSCO is seeking feedback on six proposed regulatory measures (Measures). Three of the measures are framed as proposed requirements that IOSCO believe regulators should adopt:
- Test and monitor algorithms: Regulators should require firms to test and monitor the algorithms to validate the results of any AI and ML technique on a continuous basis. Testing should be conducted in an environment that is segregated from the live environment before deployment to ensure that AI and ML behave as expected in stressed and unstressed market conditions and operate in a way that complies with regulatory obligations.
- Competence: Regulators should require firms to have adequate skills, expertise and experience to develop, test, deploy, monitor and oversee the controls over the AI and ML that the firm uses. Compliance and risk management functions should be able to understand and challenge the algorithms that are produced and conduct due diligence on any third-party provider, including on the level of knowledge, expertise, and experience present.
- Oversight of third parties: Regulators should require firms to understand their reliance upon, and manage their relationship with, third party providers, including monitoring their performance and conducting oversight. This includes having clear service-level agreements and contracts that clarify the scope of any outsourced functions and the third party’s responsibilities and that specify clear performance indicators and “sanctions” for poor performance.
The other proposed Measures are framed in softer language, which may indicate a lack of consensus among IOSCO members regarding the universal necessity for such requirements:
- Senior management responsible for AI/ML and its controls: Regulators should consider requiring firms to have designated senior management responsible for overseeing the development, testing, deployment and monitoring of, and controls for, AI and ML. This includes having a documented internal governance framework and having appropriately senior individuals with relevant skills and knowledge sign off on the technology’s initial deployment and any substantial updates.
- Disclosure and regulatory reporting: Regulators should consider what level of disclosure they should require firms to provide about their use of AI and ML. Among other things, regulators should consider:
- Requiring firms to disclose meaningful information to customers and clients around their use of AI and ML that impact client outcomes; and
- What information the regulators may require from firms using AI and ML to ensure they can have appropriate oversight of those firms.
- Data quality controls: Regulators should consider requiring firms to have appropriate data quality controls so that data on whose performance the AI and ML depends is of sufficient quality to prevent bias and sufficiently broad to ensure a well-founded application of AI and ML.
Although the Measures won’t be binding on IOSCO member regulators, we expect that the Ontario Securities Commission (OSC) and other Canadian securities regulators likely will take the final version of the Measures into account when they interpret existing rules and consider regulatory reforms.
The comment deadline is October 26, 2020. If you have questions about the Report or are interested in discussing how evolving regulatory expectations in this area might affect your business, please contact us.
June 30, 2020
As we mentioned in last month’s article on business continuity plans (BCPs), the COVID-19 pandemic has brought with it heightened cyber-security risks. Now more than ever, registered firms need to maintain robust cyber-security policies and procedures, monitor employees’ compliance with them, and adapt their policies and procedures to address emerging or changing risks. Recently, financial sector regulators have published warnings and guidance for firms about how to address cyber-security risks. This article highlights several publications that we think our readers will find useful.
- IIROC Offers Practical Tips: On April 21, the Investment Industry Regulatory Organization of Canada (IIROC) published a notice with practical tips for advisory firms and their employees regarding the kinds of cyber-security risks they face while operating remotely during the COVID-19 pandemic. Among other things, it describes common, COVID-19 relate phishing and social engineering attacks that some firms are observing.
- FSB Consults on Cyber Incident Response and Recovery (CIRR): On April 20, the Financial Stability Board (FSB) published a consultation paper outlining 46 effective CIRR practices for financial institutions to consider. Although the FSB tends to focus more on systemically important financial institutions, we think that all capital markets participants will find it worthwhile to skim the consultation paper. The recommended CIRR practices relate to such topics as how firms organize and manage CIRR, how they ensure effective response, mitigation and recovery activities, how to coordinate and communicate with stakeholders, and how to establish processes to learn from past cyber incidents. In addition to requesting feedback on the specific practices described in its consultation paper, the FSB wants to know what firms are learning from their response to the COVID-19 pandemic. Comments are requested by July 20.
- Updated Baseline Controls for Small and Medium-sized Enterprises (SMEs): The Canadian Centre for Cyber Security (Centre), established by the federal government, updated its Baseline Controls for Small and Medium Organizations (Baseline Controls) earlier this year. Noting that some of national and global cyber-security standards likely are beyond the financial and human resource means of most SMEs, the Centre developed the Baseline Controls with the 80/20 rule (i.e. that 80% of the benefit can be achieved through 20% of the effort) in mind. We recommend that firms read Annex A, which summarizes the Baseline Controls.
Given the regulators’ growing concerns about pandemic-related cyber-threats, we believe that cyber-security is likely to become a focus area for securities regulators in compliance reviews. AUM Law can help you assess and enhance your cybersecurity policies and procedures and conduct training in this area for your employees. Please contact us to find out more about our services in this area.
April 30, 2020
In light of the COVID-19 outbreak, many registered firms are implementing their business continuity plans (BCPs) and having their employees work from home, except where certain individuals need to access office facilities to ensure continued service to clients. In this article, we’ll address some issues for registered firms to consider in the short and medium term while operating in such conditions. We emphasize that firms and regulators are facing an unprecedented and constantly changing situation, and so our initial views on the issues below may change as circumstances evolve and regulators issue new or updated guidance or rules.
If my firm is covered by an “essential service” exemption from a government order to close businesses, why not carry on as usual from our office? Workplaces can contribute to the spread of the virus that causes COVID-19, and so a firm needs to evaluate the occupational health and safety, public health and litigation risks of having employees work from its offices or meet physically with clients, etc. The Government of Canada has published Risk-Informed Decision-Making Guidelines for workplaces and businesses during the pandemic. If you need legal advice on employment or occupational health and safety matters, AUM Law can source, evaluate and help you retain appropriate counsel and then manage the provision of that advice so that you can focus on running your business. From a securities regulatory compliance perspective, we think that a registered firm that requires all or most of its employees to work onsite instead of working from home could attract scrutiny from securities regulators due to concerns that the firm’s BCP is not functioning effectively.
Should my firm contact the securities regulator because we have activated our BCP? Activating your BCP does not, in itself, trigger an obligation to notify the Ontario Securities Commission (OSC). If, however, your firm finds that it might not be able to meet one or more of its regulatory obligations on a timely basis because of the pandemic, then that might trigger a filing obligation and we encourage you to speak to your usual lawyer at AUM Law as soon as possible. (See also our article in this bulletin on the blanket orders issued by members of the Canadian Securities Administrators (CSA) extending certain filing deadlines for registrants, investment funds and others.) We can advise you on your options and liaise with regulators on your behalf.
Do the home offices of registered individuals need to be approved as branch offices? Technically, having registered employees work from a location other than the address indicated on their Form 33-109F4 (Form F4), could be viewed as requiring an updated filing and/or approval of new “branch offices”. However, in light of the recent government orders and recommendations requiring or asking people to stay at home as much as practicable, we believe that at least in the short term, it is unlikely that OSC staff will expect registered firms to update Form F4s or seek approval for branch offices, provided that registered individuals are not meeting with clients in their homes or bringing home physical files that contain sensitive client information.
Cross-training: Are there functions at your firm that only one or two employees know how to perform? If you haven’t done so lately, we encourage you to review and update your list of key tasks and deadlines and the individuals responsible for performing those tasks. Identify a back-up person for each task and deadline (or group of related tasks and deadlines) and, if necessary, train that back-up person.
BCP considerations for “one-registrant” firms: If a registered firm has only one registered individual (One-Registrant Firm) to serve clients, we encourage the firm to have a plan to address a scenario where that individual is absent or incapacitated for weeks or months. We recommend that One-Registrant Firms, at a minimum, prepare standing instructions for the firm’s administrative staff and legal representatives to follow if the registered individual is absent or incapacitated for more than a brief period. Such firms also might wish to explore the feasibility of negotiating, in advance, a formal agreement with another registered firm (Temporary Successor). Such an arrangement could be a reciprocal one between two One-Registrant Firms seeking to address the same business continuity issue. Under such an agreement, the Temporary Successor would step into the shoes of the registered individual, for certain purposes, if that individual was unable to perform their duties for more than a brief period. The purpose of the agreement would only be to communicate with service providers and clients as the clients decide how best to address their account assets.
Technology risks including cyber-security and privacy risks: The rapid shift to remote work arrangements has resulted in some issues arising with respect to technology slowdowns, disruptions and hacking. Some firms are deploying new software or devices (including virtual meeting systems) that employees are having to become familiar with quickly, and many employees are dealing with the challenge of handling matters discreetly with family members or roommates present. There also are reports of some public, virtual meetings and conferences conducted over Zoom and similar systems being hacked. Finally, some employees are experiencing anxiety and confusion because of the pandemic. All these circumstances increase the risks of inadvertent cyber-security failures and opportunities for hacking. Maintaining robust cyber-security policies and procedures, adapting them as needed to address emerging or changing risks, reminding employees of the need to take precautions, and monitoring employees’ compliance with such policies and procedures are essential actions at this time both from a regulatory compliance and litigation risk perspective.
Communications with clients: Pandemic conditions and their knock-on effects in financial markets may result in a significant increase in customer call volumes or online account usage. Registered firms should review their BCPs and assess the effectiveness of their systems and processes to handle this level of increased activity. If your firm is experiencing difficulty serving customers in a timely way, please contact us to discuss measures you should undertake (including communication strategies) to address the situation. (On a related subject, please see our FAQ in this bulletin focused on ensuring that you’ve got current know-your-client (KYC) information for clients whose life situations may be changing dramatically.)
Supervision, compliance and internal controls during the new “work from home” normal: As we all adjust over the next month or so to the “new normal” of working remotely as much as practicable for an unknown period of time, we think that regulators will begin expecting to see registered firms consider whether they need to adapt their policies, procedures and controls to address any new or magnified regulatory compliance risks. AUM Law can help you assess whether your existing supervisory system, compliance manual, procedures and internal controls should be revised to ensure compliance while many employees are operating from remote locations.
We can help: At AUM Law, we are experienced in reviewing BCPs from a regulatory compliance perspective. We can draft or update your BCP to ensure that it addresses a scenario like this one. Please don’t hesitate to contact us.
March 31, 2020
On January 28, the Office of the Privacy Commission (OPC) published its Proposals for Ensuring Appropriate Regulation of Artificial Intelligence (Consultation Paper). This work is a subset of a larger reform project focused on federal privacy laws. According to the Consultation Paper, the OPC believes that artificial intelligence (AI) presents fundamental challenges to all of the “foundational privacy principles” formulated in the Personal Information Protection and Electronic Documents Act (PIPEDA). The Consultation Paper outlines eleven proposals and related discussion questions for consideration, and requests feedback by March 13, 2020.
These AI-related potential reforms to privacy laws are at an early stage of development, but if adopted they likely will have a significant impact on how registered firms use AI in their development and delivery of products and services as well as their compliance systems and other internal controls. For example, reforms to PIPEDA might introduce provisions similar to those in the European Union’s General Data Protection Regulation (GDPR) that grant individuals the rights:
- Not to be subject to automated decision-making, including profiling, except when an automated decision is necessary for a contract, authorized by law, or explicit consent is obtained; and
- To object to having their personal information processed for direct marketing purposes.
Another proposal, if implemented, might require entities to inform individuals about the use of automated decision-making, the factors involved in the decision and, where the decision is “impactful”, information about the logic upon which the decision is based.
AUM Law will continue monitoring developments in this area and update you on the status of significant proposals. In the meantime, if you have any questions about the Consultation Paper and its potential impact on your operations, please contact us.
February 28, 2020