In November 2008, Alberta became the first Canadian jurisdiction to provide privilege for the self-assessment programs of insurance companies.
Risk based regulation involving self-assessments overseen by a company's governing structure are an effective and ever growing mode of regulation. In Canada, the federal insurance regulator which oversees the prudential (solvency) of the majority of Canadian insurers and all foreign insurers operating in Canada has adopted it. The provincial regulators are looking at it for market conduct regulation and, where they have responsibility, prudential (solvency) regulation. It is a regulatory model that can be applied to other areas of regulation and in the broader area of risk management.
Risk based regulation requires companies to implement a system which identifies risks (for example, regulatory compliance), and requires periodic reports on compliance to be provided to a compliance officer who is charged with overseeing the system and who reports to the appropriate corporate governance body, usually the board of directors or a committee of the board.
Risk based regulation is felt to be effective and desirable for a number of reasons, including:
- Systematic and proactive approach to identifying problems early and thereby enhancing the company's ability to rectify.
- Alignment with the company's corporate governance. Risk management is one of the important oversight functions of the board of directors. A robust and effective risk management system can also provide directors statutory due diligence protection.
- Increased regulatory efficiency. Regulators can focus on risk or problem areas rather than devoting limited human and financial resources examining areas of operations that pose little or no risk.
In addition to insurance company regulation, the risk based approach also applies to privacy and money laundering and anti-terrorism regulation. It will be interesting to see if this approach becomes part of the much expected revamping of the financial regulatory system.
Sophisticated web-based self-assessment systems are available in Canada. A properly operating self-assessment system provides a central and readily accessible location for problems identified and how they are dealt with by the company.
Insurers, understandably, are concerned that a robust and effective self assessment system, which is designed to identify and document problems and instances of non-compliance, does not provide a roadmap for plaintiffs and others wishing to attack the company. A number of U.S. states have introduced privilege provisions to address this concern.
Starting in 2005, a working group of the Canadian Council of Insurance Regulators (CCIR) looked at this issue. After consulting with a number of groups, the working group issued its final report in the summer of 2008, recommending that privilege be extended to self-assessments and proposed a form of wording that can be included in legislation to achieve this.
Alberta is the first Canadian jurisdiction to act on the CCIR recommendation. The privilege provisions are found in section 816.2 of the Insurance Act (Alberta). It defines what constitutes an "insurance compliance self-evaluation audit" and the resulting "document". With some very express and limited exceptions, it makes those documents privileged and non-discoverable or admissible in civil and administrative proceedings and prohibits being able to discover or require their production in such proceedings. The exceptions to privilege are: (i) proceedings commenced by the regulator; (ii) privilege asserted for fraudulent purposes; (iii) proceedings involving disputes with a person involved in the audit; and (iv) non-audit information referred to in the document. The section also addresses the issue of waiver. While the company may waive the privilege, disclosures to persons with "a need to know" including auditors, directors and regulators does not constitute waiver.
Alberta's approach is a reasonable balance of the equities and its lead will hopefully be followed by the other jurisdictions.