Larry Lowenstein, Shawn Irving
Banking and Financial Services
Canadian financial institutions continue to live in a world shaped by the 2008 financial crisis and by the various regulatory responses to that event, both in their home market and in other jurisdictions.
In 2014, top areas of focus for management should include the risks posed by insufficient internal controls on risky or unlawful behaviour, and the challenge of rigorously addressing customer privacy amid rapid increases in the scope and volume of personal data.
The potential cost of tolerating ineffective internal controls is higher than ever
While the global trend of increased enforcement activity in the financial services sector associated with the failure to maintain adequate internal controls was largely caused by the accounting scandals of the early 2000s and then amplified by the 2008 financial crisis, recent colossal regulatory sanctions in the U.S. and elsewhere have again drawn attention to compliance risks.
In the United States, JPMorgan Chase & Co.’s recent agreement to pay approximately $13 billion in a civil settlement to the U.S. government for the bank’s allegedly lax practices in the vetting and packaging of mortgage-backed securities represents the largest settlement in history between a government and a single corporate entity. It is expected that this settlement may well presage comparable settlements against American and non-American banks involved in similar practices. Similarly, the sub-prime mortgage scandal has continued to make headlines and will likely result in very significant regulatory activity or penalties.
Administrative penalties in Canada have traditionally been small by comparison. However, it is becoming increasingly clear that Canadian regulators seeking to achieve tangible changes in corporate behaviour are also willing to target a company’s bottom line, and to adopt a similarly hard-line approach to penalties. A more immediate reality is that Canadian companies already face potential exposure to large penalties if they are doing business in the U.S.
If large potential administrative penalties are not reason enough to make internal controls and compliance high priorities for management and boards, another is the very real risk of securities-related class proceedings stemming from criminal or unlawful conduct. Class proceedings can be expected to accompany or follow regulatory investigations. To cite one example, subsequent to its scandal involving the alleged bribery of foreign officials, a class proceeding was commenced against SNC-Lavalin alleging that the company misrepresented in its public disclosures the adequacy of its internal controls.
Finally, the US$2 billion in trading losses generated by JPMorgan’s “London Whale” trading fiasco should remind financial institutions of the basic preventative purposes of risk management, compliance procedures and internal controls. In today’s volatile and fast-paced market environment, the cost of such behaviour can add up very rapidly if not detected and rectified early on. Once again, prevention is better than a cure.
Selected Best Practices
Drive from the top
A well-communicated commitment to effective risk management, compliance procedures and internal controls should start at the board and senior executive levels.
Use risk to prioritize controls
Thoughtful risk assessment should focus initial efforts on areas with the greatest potential for harm.
Implement a system of risk management
Typical policies include whistleblower programs and internal audit, investigation and compliance functions.
Focus on prevention
Effective controls should help prevent or detect potential misconduct early on; more lenient administrative penalties may be available if a company “self-reports.”
Privacy and data retention
As the volume and scope of personal data collected and retained by financial institutions increases, so do privacy-related litigation risks.
With the rapid development and now nearly universal customer usage of digital channels for financial transactions and advice, as well as with the digitization and storage of customer documentation in general, financial institutions now find themselves directly exposed to litigation risks arising from the collection and retention of “big data” and client expectations of privacy. Though the precise level of risk introduced by the retention of personal and financial information is difficult to quantify, recent class actions in Canada indicate the risks are indeed real.
Following the Ontario Court of Appeal’s 2012 decision in Jones v. Tsige – a case in which a bank employee repeatedly snooped on the private financial records of her boyfriend’s former spouse – there is now an established common law tort of “intrusion upon seclusion” in Ontario. Although the tort is limited to “moral” damages and is not based on economic loss, the Court has confirmed that a person may be liable for intentional or reckless invasions of another’s privacy where the invasion would be regarded as “highly offensive” to a reasonable person. Intrusions into financial matters are regarded as “highly offensive”, and, therefore, actionable under the common law tort. This new common law right of action, together with statutory rights of action in certain other provinces, has led to the commencement of numerous class actions in the past year across Canada. One lawsuit, for example, was recently commenced in response to the loss of an external hard drive at Ontario’s Ministry of Human Resources and Skills Development containing the personal information of approximately 583,000 Canadians, while another was launched after cybercriminals accessed the personal data of more than 12,000 customers of the Peoples Trust Company.
The spectrum of liability currently varies from province to province, and as privacy and data retention issues increase and new lawsuits are advanced, the way losses are defined and quantified will remain an open issue to be considered by Canadian courts.
Another emerging privacy risk stems from the implementation of the United States’ Foreign Account Tax Compliance Act (FATCA) in July 2014, requiring foreign (e.g. Canadian) financial institutions to identify and report to the IRS all financial accounts belonging to specified U.S. persons – including U.S. citizens resident in Canada – and certain U.S. owners of non-U.S. entities. Financial accounts include bank, brokerage and other custodial accounts. By some estimates, this could impact almost one million Americans living in Canada. Depending in part on the Canadian government’s response to the act, which is yet to be finally determined, FATCA’s requirements make privacy-based litigation against Canadian financial institutions a serious possibility.
Even in the absence of specific litigation, in this digital age Canadian financial institutions face significant reputational risks from unauthorized or reckless use of their customers’ personal information. As the issues become better understood by the public and regulators, financial institutions will come under greater scrutiny for their privacy and data retention practices. This alone should warrant sustained attention from the executive suite.
Selected Best Practices
Get the right tools
Obtain IT security protection, hire a qualified system administrator, and invest substantially in recovery capabilities.
Obtain and retain the necessary customer consents.
Implement effective policies
Implement robust data collection, data destruction, and overall privacy policies. Review and revise periodically to stay current with the times.
Develop a communications strategy
Be prepared to communicate transparently and comprehensively with customers in the event a breach occurs.
Chair, National Litigation Department