On October 27, 2020, the Office of the Superintendent of Financial Institutions Canada (OSFI) issued its draft Guideline E-4: Foreign Entities Operating in Canada on a Branch Basis (Guideline E-4). The release of the draft Guideline E-4 consolidates Guideline E-4A: Role of the Chief Agent & Record Keeping Requirements and Guideline E-4B: Role of the Principal Officer and Record Keeping Requirements into a single principles-based guideline that sets out OSFI’s expectations for foreign insurers and bank branches operating in Canada. The publication of draft Guideline E-4 has been delayed several months due to OSFI’s focus on other initiatives as well as the COVID-19 pandemic.
The draft Guideline E-4 is repositioned to focus on OSFI’s expectations of, among other things, a foreign insurer operating in Canada on a branch basis (Branch) rather than its expectations of the chief agent or principal officer. The draft Guideline E-4 also contains modernized record-keeping requirements to reflect new amendments to the location of record requirements contained in the Insurance Companies Act (ICA) and Bank Act (BA), which will come into force in July 2021. These amendments also follow the ratification of the Canada-United States-Mexico Trade Agreement (CUSMA). While we welcome OSFI’s approach regarding the draft Guideline E-4, we expected more detail regarding OSFI’s expectations on Branch management and governance, outsourcing arrangements, data processing and data security, record retention, cloud computing and the location of servers.
We have summarized below the material guidance set out in the draft Guideline E-4 and described certain areas that we feel could be expanded upon in greater detail in the final version of Guideline E-4:
- Branch Management
The draft Guideline E-4 provides that the oversight obligations of the Branch should be the responsibility of Branch management and not solely the responsibility of the chief agent or the principal officer. We agree with this allocation of responsibility amongst the Branch management team and note that it is in line with the Branch steering committee model that most Branches have adopted. The draft Guideline E-4 contains little guidance, however, as to the structure of Branch management. OSFI expects Branch management to be responsible for the effective implementation and oversight of business objectives, strategies and plans, and risk management policies and procedures. To achieve the foregoing, OSFI expects Branch management to implement controls to manage risks, policies, procedures, assets and liabilities of the Branch, as well as undertake an independent assessment of the adequacy and effectiveness of such controls, policies and procedures through internal and independent audits. We believe it would be helpful for OSFI to provide more detail with respect to the controls, policies and procedures required of a Branch, making it easier for a Branch to understand its obligations under Guideline E-4.
- Arrangements with the Foreign Entity’s Home Office
The draft Guideline E-4 provides that a Branch’s arrangements with its home office must be documented by written service level agreements. In particular, any arrangements involving the flow of funds between the foreign entity’s home office and its Branch should be clearly documented and details of such arrangements should be provided to OSFI. All material outsourcing arrangements are expected to be documented in a written service level agreement that complies with Guideline B-10: Outsourcing of Business Activities, Functions and Processes (Guideline B-10). In addition, OSFI requires Branch management to provide OSFI with 30 days’ advance notice of proposed fund transfer(s) to the foreign entity’s home office that materially deviate from the documented processes provided to OSFI. This requirement for a written service level agreement between the entity’s home office and the Branch can pose some difficulties for foreign regulators, particularly in the US where approvals of such agreements may be required. Foreign regulators often do not recognize an agreement between a Branch and its home office, as they are the same legal entity. Accordingly, in certain foreign jurisdictions such an agreement merely constitutes an agreement of the entity with itself and perhaps would be better positioned as an internal memorandum or undertaking.
- Record Keeping
The draft Guideline E-4 requires Branches to comply with the requirements under the ICA and BA regarding the preparation and maintenance of records. OSFI continues to expect Branches to keep records up to date and accurate at the end of each business day. The draft Guideline E-4 also requires electronic records to be capable of being produced in intelligible written form within a reasonable period of time. OSFI, however, may require certain types of information, such as reinsurance arrangements or files on more complex activities, to be available in original hard copy at the Branch in Canada, as needed. The draft Guideline E-4 provides that if the records are in electronic form, complete copies must be kept on a computer server physically located at the places stipulated in the ICA or BA. Where certain Branches under the ICA and BA are exempt from this requirement, they must provide OSFI with immediate, direct, complete and ongoing access to the records stored outside of Canada pursuant to CUSMA. OSFI did not, however, provide any examples of what types of data processing or retention of records delegation it would accept. Furthermore, OSFI did not provide any expectations with respect to cloud computing or the location of servers.
When the draft Guideline E-4 is viewed in its entirety, OSFI’s initial views regarding the role of chief agent and record keeping requirements have not changed in any material respect. None of OSFI’s proposed revisions to the draft Guideline E-4 are particularly surprising. Branches should, however, begin reviewing their Branch management processes to ensure that there are appropriate controls, policies and procedures in place for the effective identification and monitoring of risk within the Branch by Branch management. Branch management has to be adequately informed of Branch operations and available to address any concerns of OSFI and communicate with OSFI representatives, when required. While further clarity is required, we expect that most Branches already have the appropriate controls, policies and procedures in place to comply with the draft Guideline E-4 when considering each Branch’s nature, scope, complexity and risk profile.
In addition, we expect that Branches will require more detail regarding OSFI’s expectations set out in the draft Guideline E-4, including the following: (i) who is to be considered a member of Branch management and what each member’s roles and responsibilities are; (ii) whether there are specific governance procedures and controls required of Branch management; (iii) what the obligations of the Branch are under Guideline B-10 when outsourcing arrangements to a foreign entity’s home office; (iv) what types of data processing or retention of records delegation will be accepted by OSFI; (v) whether OSFI will permit cloud computing services for the retention of records; and (vi) where servers may be located.
OSFI has invited comments to be submitted on the proposed draft Guideline E-4 by email at firstname.lastname@example.org by December 18, 2020. We would encourage Branches to provide submissions to OSFI about how the revised Guideline E-4 will affect their respective businesses in Canada. We would be pleased to assist with any submissions on your behalf to OSFI. OSFI expects to issue the final guidance in spring 2021, along with a non-attributed summary of comments received and OSFI’s response.