The Financial Consumer Agency of Canada (FCAC) recently published the final version of its Supervision Framework (2018 Framework), which took effect October 1, 2018.

The 2018 Framework outlines the principles and processes that assist FCAC in fulfilling its mandate to supervise regulated entities. Under the 2018 Framework, FCAC continues to abide by its four guiding principles of:

  1. Transparency: FCAC achieves transparency by communicating its expectations, concerns and priorities clearly, early and often.
  2. Proactivity: FCAC strives to identify emerging issues and market trends early and intervene swiftly to foster sound market conduct.
  3. Proportionality: FCAC allocates its resources proportionally to the level of market conduct risk presented by each regulated entity, and takes enforcement action that is proportionate to the circumstances of the breach.
  4. Accountability: FCAC is accountable for the delivery of its mandate and the actions that ensue. It conducts its supervisory activities in a consistent, timely and professional manner and adheres to established service standards.

FCAC also continues to abide by its three interdependent pillars of supervision, namely:

  1. The promotion of responsible market conduct: FCAC communicates its expectations to regulated entities and stakeholders using tools such as decisions, guidelines and rulings.
  2. The monitoring of market conduct: FCAC is continuously assessing the market conduct of regulated entities through market conduct profiles (for tier 1 regulated entities), examinations, mandatory reporting, third-party intelligence and industry reviews.
  3. The enforcement of market conduct obligations: FCAC investigates breaches of market conduct obligations and, if necessary, responds with the appropriate tools to ensure compliance in the future.

A previous version of the Supervision Framework was published in April 2017 (2017 Framework), following consultation with stakeholders. It was expected to come into effect November 1, 2017, but was delayed. This delay was likely meant to accommodate the development of internal procedures for implementing the new framework, and to allow the FCAC to consider the findings from its domestic bank retail sales practices review, which it concluded in late 2017. While the 2018 Framework remains relatively unchanged from the 2017 Framework; FCAC has made some key changes to its methods of enforcement, which we have summarized below. For more information on the 2017 Framework, see our May 2017 Blakes Bulletin: Financial Consumer Agency of Canada Publishes New Supervision Framework.

PRELIMINARY INVESTIGATION STEP REMOVED

The 2017 Framework provided that FCAC would conduct preliminary investigations to determine basic information about a potential breach such as: its existence, nature, duration and breadth, and whether the breach fell within FCAC’s supervisory authority. If, as a result of the preliminary investigation, FCAC concluded that a breach had occurred, it would then proceed with a full investigation or issue a notice of breach.

Under the 2018 Framework, the preliminary investigation step has been eliminated. FCAC will instead move directly to conducting an investigation when it requires additional information to substantiate a breach. Such an investigation will encompass the assessment of potential breaches of market conduct obligations.

NOTICE OF BREACH

The 2018 Framework continues to provide that once FCAC has completed its investigation, it will determine its course of action based on a number of factors, such as the regulated entity’s:

  • Compliance record degree of negligence or intent
  • Strength of internal controls
  • Risk of recurrence
  • Length of time taken to identify and correct the breach
  • Means through which the breach was identified
  • Degree of direct or indirect harm to consumers or merchants
  • Remediation plans and timeframes
  • Level of co-operation

FCAC and government priorities will also be considered. This list of factors remains substantially unchanged from the 2017 Framework, with one exception: the subject matter of the breach is no longer listed as a key consideration.

Consistent with the 2017 Framework, the 2018 Framework also provides that FCAC may conclude its investigation by issuing a notice of breach (level 1, 2 or 3). However, the 2018 Framework contains certain changes relating to the differences between notice levels:

  1. A level 1 notice of breach may be issued when the severity of the breach is low. Such a notice may require enhanced monitoring to return to compliance and/or to ensure future compliance. This wording is in contrast to the 2017 Framework, which provided that such a notice would be issued if the breach was isolated or minor, if a systemic breach had been promptly identified, corrected and remediated, or if harm or impact was minimal and the regulated entity had shown there was a low risk of recurrence.
  2. A level 2 notice of breach may be issued when the severity of the breach is elevated. This remains unchanged from the 2017 Framework. However, FCAC has added that such a notice may require the regulated entity to take specific action to return to compliance and/or to ensure future compliance.
  3. A level 3 notice of breach may be issued when the severity of the breach is high. Such a notice signals that FCAC may take more significant enforcement measures and requires the regulated entity to escalate concerns related to the breach. Under the 2017 Framework, a level 3 notice of breach would be issued when the severity of the breach was further elevated or when there was a specific need to escalate concerns within the regulated entity. Additionally, the 2017 Framework provided examples of circumstances that would lead to issuance of a level 3 notice of breach, such as where the regulated entity had demonstrated a low level of cooperation with FCAC on voluntary compliance, where corrective actions needed to be completed urgently, or where the breach resulted from a broader compliance deficiency. These examples have been removed in the 2018 Framework.

COMPLIANCE REPORT

The 2018 Framework clarifies that a compliance report will likely be drafted upon completion of an investigation that results in a level 3 notice of breach, and that a compliance report may lead to the issuance of a notice of violation. In this way, the 2018 Framework clarifies that a notice of breach is issued prior to a notice of violation.

ACTION PLAN AND COMPLIANCE AGREEMENT

The 2018 Framework continues to provide that FCAC may require a regulated entity to enter into an action plan or a compliance agreement after receiving any level of notice of breach. Action plans and compliance agreements detail the corrective measures required to address a breach of a market conduct obligation, to prevent recurrence of the breach, or to implement any measure designed to further compliance with market conduct obligations. While it remains unclear when FCAC will require a regulated entity to enter into an action plan rather than a compliance agreement, the 2018 Framework does specify that a compliance agreement is a written agreement between the regulated entity and FCAC, and that breaching the agreement may result in a notice of violation. No such written requirements or consequences of breach are specified for action plans.

A notable change in the 2018 Framework is that regulated entities that are subject to an action plan or a compliance agreement will be required to provide FCAC with: (1) regular updates throughout the duration of the action plan or compliance agreement, and (2) a full report once all actions have been completed. This is in contrast to language used in the 2017 Framework, which provided that regulated entities may be required to provide FCAC with such updates and reports.

Further, as noted above, breaching a compliance agreement may result in a notice of violation; however, the 2018 Framework now specifically states that such a notice of violation may be issued regardless of the type of breach. This is a change from the 2017 Framework, which provided that a breach of a legislative or regulatory provision addressed in a compliance agreement could result in a notice of violation, whereas a breach of non-legislative provisions of a compliance agreement could result in a notice of non-compliance.

PUBLISHING PRINCIPLES FOR FCAC DECISIONS

Despite the 2018 Framework being finalized and published, a final version of the Publishing Principles for FCAC Decisions (Publishing Principles) has yet to be released by FCAC. These Publishing Principles will clarify how FCAC will publish information about notices of violation, notices of decision and notices of non-compliance.