LETTERS TO THE EDITOR
IF IT AIN'T BROKE
In March, the B.C. Ministry of Finance issued a set of proposals which could have far-reaching implications for mortgage broker licensing and regulation in B.C. The proposals appear to adopt the concept behind Ontario’s new Financial Services Regulatory Authority, commonly known as FSRA. Specifically, the proposals include recommendations to:
- turn the Financial Institutions Commission into a Crown agency, which would have greater authority and autonomy than it currently possesses;
- expand the role of the Commission to oversee mortgage broker regulation and appoint the Registrar; and
- issue legally enforceable guidelines and rules.
One member wrote to us to express the following concerns with these proposals:
Thank you for an opportunity to provide my comments with respect to the Review of the FIA and how the recommendations may impact mortgage brokers. My long-standing position is that the government that governs least governs best; on all fronts, it is clear that the review is headed towards a regulatory nightmare.
The purpose of the review is to determine “whether changes to the legislative and regulatory framework are needed.” The review document does not list one single problem that might require such changes, and therefore it is difficult to conclude what, if any, changes are required and it can be easily concluded that no such changes are required since no problems are referenced. In another paragraph, the government claims that the current regulations have proven effective. Then why does it need to be changed at all?
The very concept of an “enforceable regulation” is ill-formed. We already have enforceable regulations – laws. And we already have a public body that drafts these – the legislature. Essentially, a body that makes enforceable regulations is nothing other than an unelected legislature. This both undermines the basic structure of our parliamentary democracy and creates a confusing, complex and non-transparent pseudo-legal structure which can only result in decreased efficiency and increased political influences and possibly corruption. To best protect the general public, they should be able to know what is legal and what is not, simply by reading the applicable law. If there is a parallel framework in place, this ceases to be the case and creates a regulatory environment where only a lawyer or other specialist can determine what is allowed and what is not. More regulation and more laws are not the answer; simpler regulations are the solution.
The recommendations hold out “public consultation and ministerial approval” as a replacement for due deliberation by a legislative body. But this is disingenuous. Public consultation and ministerial approval can only be seen as a way of circumventing proper and public legislative debate and replacing it with a patently un-transparent process – particularly in view of the intent to replace qualified executives with political appointees.
Am I correct when I say that currently, the positions of CEO of FICOM, Superintendent of Financial Institutions, Superintendent of Pensions, Registrar of Mortgage Brokers and CUDIC are all positions that are filled by a standard talent search and hiring process, ensuring that the most qualified individuals are hired?
If so, it would be a terrible mistake to transform these into political appointees. This would result in a politically motivated bureaucracy and would therefore make FICOM less effective and more expensive. This is the exact opposite of the stated goal, which is to create a “Commission structure that reflects best practices and includes expertise from the regulated sectors.”
In several places, the review paper holds out the proliferation of increasingly intrusive regulations and reporting requirements as a trend to be embraced. On the contrary, we have already gone much too far in this direction. This dangerous trend towards invasive and oppressive over-regulation is to be resisted in the strongest possible terms.
Recommendation 8, although not directly aimed at mortgage brokers, amounts to an open-ended proposal to give FICOM the power to demand information which is rightfully private and proprietary. Once this power is granted, there is no safeguard to prevent FICOM’s demands from becoming arbitrarily invasive. The information should be set out in detail at the outset. Neither FICOM nor any other government agency should ever be given carte blanche to demand information or make regulations beyond what is specifically provided for in the applicable statutes.
Again, without having one single problem or internal challenge listed in the review paper or in the initial paper, how can one direct resources or even make recommendations that would actually be considered an improvement in the “system”?
If it ain’t broke, don’t fix it!
Thank you for the opportunity to comment.
Crystal M. Foti, AMP, MBI
“The Mortgage Chick”
CROSS-BORDER PRIVACY QUESTIONED
Not sure if you have any industry insight on this but we have a question regarding technology. We are thinking of using an email service provided by Microsoft that uses cloud technology.
The servers are American (and it is an American company). How would that affect our compliance with FICOM given that our information will be outside of Canada? Microsoft has yet to explain or document how it ensures compliance with Canadian privacy laws while it is a U.S. company – its own documentation says the users themselves are ultimately responsible for that.
Can you shed any further light on this issue? Appreciate your input with thanks.
Anonymous executive assistant to CEO of a brokerage
Editor’s Note: While this question originates from a B.C. broker, the protection of privacy principles stated in the answer apply across Canada.
The brokerage investigated further and found out through Microsoft Canada that the cloud technology servers are also domiciled in Canada: one stationed outside of Montreal and one in Ontario, which the brokerage believes would follow the jurisdictional laws of those provinces. The brokerage is in the process of gathering further information to be sure.
Answer: The following is not meant to be legal advice; it represents our understanding of the industry. Should you wish legal advice, you will need to consult a lawyer with your specific and detailed circumstances.
We are not able to provide you with a definitive answer applicable to your specific circumstances, particularly in the absence of having reviewed the agreement with the cloud services provider and the laws of the jurisdiction(s) where the data will be stored. In any event, that type of review is more appropriately done by your lawyer. As you will see below, your obligations are expressed in terms of protecting, using reasonable steps, and the sensitivity of the information. This wording means whether a mortgage broker has met the obligations very much depends on the specific circumstances. That aside, we do provide the following to assist you in your considerations.
General Protection of Personal Information Requirements for Mortgage Brokers
The B.C. Registrar of Mortgage Brokers has issued Information Bulletin MB 10-001, “Use and Protection of Client Information.” The Bulletin clarifies the obligations of brokers in dealing with client information as being to:
- comply with the relevant legislation on the protection and privacy of personal information;
- not disclose information regarding a client or a transaction to another person unless the disclosure has been authorized by the client or the disclosure is required by law; and
- take reasonable steps to ensure that client information is kept safe from access by persons who are not authorized by the client to have the information unless such access is required by law.
Note that the Registrar refers to “personal information” in a way that makes it a subset of “client information.” Privacy legislation tends to protect “personal information.” In effect, this means that a broker is obligated to protect more than just “personal information.” It would seem that a mortgage broker would have to protect client information at least to the degree indicated below regarding personal information.
Cloud Computing – General
The relevant legislation referred to above is B.C.’s Personal Information Protection Act.
Privacy legislation holds an organization that collects personal information accountable for the collection, use and disclosure of the information, even when the information is outsourced for processing to third-party providers. Cloud computing is a type of outsourcing. This means that the organization putting the information into the cloud would remain accountable for personal information outsourced to a service provider that operates in the cloud.
The privacy commissioners of Canada, Alberta and B.C. have together provided guidance on compliance requirements concerning cloud computing, including in the following publications; the checklist at the end of the first item listed below is particularly helpful:
- “Cloud Computing for Small- and Medium- Sized Enterprises” at www.priv.gc.ca/en/privacy-topics/technology-and-privacy/online-privacy/cloud-computing/gd_cc_201206/
- “Getting Accountability Right with a Privacy Management Program” at www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-compliance-and-training-tools/gl_acc_201204/.
Cloud Computing – Transborder
Canadian organizations in the private sector are permitted to transfer personal information to an organization in another jurisdiction for processing. However, doing so can pose several issues including:
- the cloud provider’s backup servers could be in a different physical location than the primary servers;
- the data that is outsourced may be physically located in several jurisdictions;
- the data in another jurisdiction is subject to the laws of that jurisdiction;
- the laws of the jurisdiction where the data is located may allow access in broader circumstances than would be allowed in Canada; and
- it may be difficult to obtain and enforce judgments in other jurisdictions.
The sensitivity of the information is a major factor in determining whether it is appropriate to send it to cloud computing. A person’s financial information is considered one of the more sensitive types of information and so is subject to greater protection. A foreign jurisdiction storing and allowing access to a client’s information may very well contravene the Registrar’s bulletin, as the disclosure would be neither authorized by the client nor required by law (we are concluding that access or disclosure required by foreign law is not to be considered as required by law for our purposes). It could also be concluded that the broker did not take reasonable steps to ensure the safety of the client information from access by persons who are not authorized by the client to have the information.
For additional guidance on transborder data flows, see Guidelines for Processing Personal Data Across Borders at www.priv.gc.ca/media/1992/gl_dab_090127_e.pdf. Although these Guidelines relate to the federal legislation, the principles would also be valuable in determining compliance with the provincial legislation.
More complete information is available on the B.C. Information and Privacy Commissioner’s site at www.oipc.bc.ca/ and at the sites of the Canadian and other provincial privacy commissioners.
We hope you find this of assistance and thank you for your question.
Please send letters to the editor to