electronic document regulations for financial institutions finalized

Earlier this year (May 8 to be precise), the Canadian federal government published some draft regulations relat­ing to the use of elec­tronic doc­u­ments by fed­er­ally reg­u­lated fin­an­cial insti­tu­tions. You can find a rather brief summary in an earlier post, along with some colour commentary comparing the regulations against similar types of provisions in the Ontario Consumer Protection Act and Electronic Commerce Act. You can find the earlier draft regulations in that post or at the Canada Gazette website (scroll down to the bottom).

In any event, about two weeks ago (November 10 to be precise), the federal government released the finalized regulations for banks and bank holding companies, cooperative credit associations, insurance and insurance holding companies and trust and loan companies.

If you haven’t yet reviewed the legislation, you may want to look at my earlier post, which remains, I think, somewhat useful, as the revisions made between the draft and final regulations are not that significant. If you’d like to see for yourself, I’ve taken the liberty of generating redlines (in Word format) for each of them (banks – redline,  coops – redlineinsur – redline and trusts – redline) or you can read the summary below.

There’s basically two items that are common across all the regulations. The first isn’t really much of a change but rather the fixing of the date upon which they come into force, which has now been set for June 1, 2011. The second change is a minor clarification that specific information provided in a consent is only applicable if that consent is provided in writing (whether in paper or electronic form). Here’s the specific change, which looks to be common across all four regulations:

(4) TheIf the addressee’s consent is provided in writing, in paper or electronic form, it must include the name of the information system designated by the addressee for the receipt of the electronic document and a list, in paper or electronic form, of the notices, documents or other information that is covered by the consent.

Seems to make sense, given that such consent can also be provided orally, and that is addressed in the next clause:

(5) If the addressee’s consent is provided orally, the originator or the person acting for the originator must, without delay, provide the addressee in writing, in paper or electronic form, with the information referred to in subsection (2) and confirm the information referred to in subsection (4).

The federal government’s provides the following comments in the related regulatory impact analysis statement (scroll down toward the end) with respect to this change, the in-force date and some changes which had been requested but were not made:

Consultation

After pre-publication of these regulations on May 8, 2010, in the Canada Gazette, Part I, comments related to about 10 different issues were raised from financial industry associations. Only two of the four regulations were commented on, namely the Electronic Documents Regulations and the Policyholders Disclosure Regulations. In addition, the comments did not raise any substantial concerns but rather focused on ensuring that the regulations efficiently achieved the stated policy goals.

As a result, the Government has made minor modifications to the Electronic Documents Regulations to more efficiently handle situations where a customer of a financial institution provides oral consent for the electronic delivery of documents. The previous version of the Regulations appeared to require customers to give financial institutions written documentation when giving consent in call cases — notwithstanding the fact that the Regulations allow for consent to be granted orally. Section 5(4) now sets out the information that must be provided when consent is not provided orally (including the name of the information system designated by the addressee and a list of the notices, documents or other information that is covered by the consent). Section 5(5) goes on to set out the responsibilities of the originator to properly document oral consent and confirm the information received from the customer.

Some comments have not been reflected as stakeholders requested changes that were inconsistent with the policy intent of the regulations. For example, requested changes to the Policyholder Disclosure Regulations would have had the effect of unduly narrowing the scope of information provided to holders of insurance policies with governance rights attached. Other comments to remove from the definition of adjustable policies those where an insurance company can indirectly change the premium or charge for insurance would have had the effect of restricting the Government’s ability to ensure compliance with the regulations.

Implementation, enforcement and service standards

Industry representatives asked that the regulations come into force from six months to one year after final publication, indicating operational challenges (systems, procedures, training). To allow financial institutions sufficient time to prepare documentation in advance of annual general meetings, this package of regulations will come into force on June 1, 2011.

The regulations do not require any new mechanisms to ensure compliance and enforcement. The Office of the Superintendent of Financial Institutions (OSFI) already administers the governance provisions in the federal financial institutions statutes. As such, OSFI would ensure compliance with the new requirements using its existing compliance tools, including compliance agreements and administrative monetary penalties.

draft electronic document regulations for financial institutions published

Last week (May 8 to be exact) the federal government published draft regulations relating to the use of electronic documents by federally regulated financial institutions. These regulations are part of a process that began in 2005 to harmonize and modernize legislation governing banks, insurance companies, trust companies and cooperatives.

The new regulations set out the general requirements that such institutions must meet in order to use electronic documents when dealing with stakeholders. You can find links to the draft regulations and a regulatory impact analysis at the end of this post.

Here’s the Coles Notes summary:

  • electronic documents related to securities transfers are excluded;
  • electronic documents must be in clear and simple language that is not misleading
  • a requirement to provide a document may be satisfied by making the document available through a generally accessible electronic source (such as a website) and giving notice (whether paper or electronic) to the person to whom the document must be provided, unless there’s a requirement under the legislation to deliver to a specific place, in which case the website mechanism won’t work;
  • consent to receive electronic documents can be obtained from addressees in writing (paper or electronic) or orally, but, unless it’s just a one time consent, they must be notified in writing (paper or electronic) regarding:
    • when their consent  is effective,
    • that they can revoke their consent,
    • that they are responsible for updating the address to which electronic documents are delivered, and
    • that the sender will only retain electronic documents for a specified period, following which it becomes the responsibility of the recipient to retain a copy
  • the notification or consent above, if in electronic form, must be provided in a form that can be retained by the recipient for future reference
  • consent must include address designated for receipt and a list of notices covered by the consent and, if consent is provided orally, the sender must confirm such information, as well as that in the original notice, in writing (paper or electronic)
  • consent can be revoked in writing (paper or electronic) or orally
  • revocation must be confirmed in writing and when it takes effect and, if provided in electronic form, must be accessible and capable of being retained for future reference
  • an electronic document is considered provided to someone when it:
    • leaves an information system in the control of the sender, or
    • when it is posted or made available through the secure website of the sender (no reference to a notice needing to be sent to them)
  • an electronic document is considered received by someone when it:
    • enters the information system designated by them
    • it is posted or made available through the secure website of the sender, or
    • the recipient receives the notice mentioned in the third bullet above (i.e. when posting to a website, the notice alerting the recipient that it’s available)
  • electronic signatures must consist of letters, characters, numbers or symbols in digital form incorporated, attached or associated with an electronic document

Not quite clear to me why the provision on sending doesn’t refer to the alert notice being sent. Nor is it clear to me what the reference to “secure” websites means. But apart from those nits, one of the good things about these new regulations is that they expressly provide for a mechanism that permits the delivery of electronic documents by posting to a website, combined with the delivery of a notice (which can of course be much shorter) that the electronic documents are available. In contrast, other acts, such as the Ontario Consumer Protection Act and its associated regulations do not expressly permit such a mechanism when it comes to delivery of “internet agreements” – for example, s. 33(3) of the regulations indicate that an internet agreement is considered delivered by:

1. Transmitting it in a manner that ensures that the consumer is able to retain, print and access it for future reference, such as sending it by e-mail to an e-mail address that the consumer has given the supplier for providing information related to the agreement.

2. Transmitting it by fax to the fax number that the consumer has given the supplier for providing information related to the agreement.

3. Mailing or delivering it to an address that the consumer has given the supplier for providing information related to the agreement.

4. Providing it to the consumer in any other manner that allows the supplier to prove that the consumer has received it.

Similarly, the equivalence rules in the Ontario Electronic Commerce Act specifically exclude the posting of information to a website as satisfying a legal requirement to provide information or a document in writing:

10. (1) For the purposes of sections 6, 7 and 8, electronic information or an electronic document is not provided to a person if it is merely made available for access by the person, for example on a website.

Same

(2) For greater certainty, the following are examples of actions that constitute providing electronic information or an electronic document to a person, if section 6, 7 or 8 is otherwise complied with:

1. Sending the electronic information or electronic document to the person by electronic mail.

2. Displaying it to the person in the course of a transaction that is being conducted electronically.

Though in both cases there is some room either to argue that a web-based posting could satisfy the requirements of either act (e.g. posting to a website plus sending a notice of availability would not be “merely” making the information available on a website), it’s certainly not as expressly permitted as in the new draft regulations.

Of course, the regulations should be read in connection with the corresponding provisions (Bank Act – scroll down to Part XVIII, Insurance Companies Act – scroll down to Part XX, Trust and Loan Companies Act – scroll down to Part XIV.1, Cooperative Credit Associations Act – scroll down to Part XVII.1) in each act relating to the use of electronic documents.

Links to draft regulations: Regulatory Impact Analysis; Bank Regulations; Insurance Company Regulations; Trust and Loan Companies Regulations; Cooperative Credit Associations Regulations