When and Where Certain Records May be Kept Outside Canada Pursuant to Guideline E-4 and the Record Keeping Requirements of Branches
Since our last article discussing the Office of the Superintendent of Financial Institutions Canada’s (OSFI) newly-released E-4: Foreign Entities Operating in Canada on a Branch Basis (Guideline E-4), there have been some legislative developments to help clarify OSFI’s expectations regarding when and where branches of foreign insurance companies operating in Canada (Branches) may store records (Records) outside of Canada that they would otherwise be required to maintain within Canada pursuant to the Insurance Companies Act (Canada) (ICA).
Recall the new Guideline E-4 provides that, pursuant to Canada’s obligations under certain international trade agreements, some Branches are permitted to maintain the Records outside Canada, where OSFI is provided immediate, direct, complete, and ongoing access to them. This is welcome news to many Branches, as it will provide them an opportunity to leverage their respective international group IT platforms to achieve cost savings by, say, storing Records on servers located outside of Canada already maintained by the Branch’s home office and affiliates, which may be cheaper than having to purchase or pay for space on stand-alone servers located in Canada to store the Records.
When Guideline E-4 was released on June 28, 2021, the ICA was not updated to clarify exactly which of Canada’s international trade agreements would trigger the exemption to the requirement to store in Canada the Records. In welcome news, the ICA has been updated to include the new section 647(4), which now provides clarity on this.
The ICA’s new section 647(4) provides that, subject to the Superintendent’s discretionary power provided by the ICA’s section 268(1.1), the requirement for Branches to maintain in Canada the Records does not apply to Branches of foreign companies incorporated or formed otherwise in a country that is a party to a trade agreement listed in Schedule IV of the Bank Act (Canada), or to the Branches of a foreign company that is a subsidiary of a regulated foreign entity (a “regulated foreign entity” being an entity that is both formed in a country or territory subject to a trade agreement listed under Schedule IV of the Bank Act (Canada) and subject to regulation in that country or territory).
The following are the trade agreements listed in Schedule IV of the Bank Act (Canada) currently:
- Canada-Chile Free Trade Agreement Implementation Act
- Canada–Peru Free Trade Agreement Implementation Act
- Canada–Colombia Free Trade Agreement Implementation Act
- Canada–Panama Economic Growth and Prosperity Act
- Canada–Honduras Economic Growth and Prosperity Act
- Canada–Korea Economic Growth and Prosperity Act
- Canada–European Union Comprehensive Economic and Trade Agreement Implementation Act
- Comprehensive and Progressive Agreement for Trans-Pacific Partnership Implementation Act
- Canada–United States–Mexico Agreement Implementation Act
- Canada–United Kingdom Trade Continuity Agreement Implementation Act
Although Guideline E-4 offers renewed insight into OSFI’s expectations of Branches, several issues were not addressed directly, particularly as it pertains to the mobility of data. For example, how would Records that span across multiple servers hosted in multiple jurisdictions be treated? And, is there an assumption that the Records permitted to be stored outside Canada will be kept within the geographical areas of one or more countries that are parties to the trade agreements listed in Schedule IV of the Bank Act (Canada)? On this last question, OSFI clarified during the information session on Guideline E-4 it hosted on November 2, 2021 that the Records are not required to be maintained within any of the countries that are parties to the trade agreements, when such an exemption applies.
In the letter announcing the release of Guideline E-4, OSFI responds to a selection of the comments that were received during Guideline E-4’s drafting stages. Respondents requested that the new guideline contain additional clarity on data processing and the retention of records, particularly as it pertains to cloud computing. OSFI did not to provide any further direction on this topic, citing its desire to respect its principles-based approach to the supervision of federally regulated financial institutions and the flexibility that goes along with such an approach. Assumingly, this is meant to revert the question of how to engage cloud computing and cloud storage networks back to Branches, as OSFI entrusts these entities with the ability to use their own judgement to guide their continued compliance with the relevant legislation and guidance.
OSFI expects all Branches to comply with Guideline E-4 by January 1, 2022.