AMF Regulatory Reminders for Québec-Authorized Financial Institutions

1 Reminders from the Autorité des marchés financiers (AMF) for financial institutions authorized to operate under the laws of Québec The AMF reminds financial institutions that it is important that they continue to provide their clients with those services designated as essential by the government, while complying with the recommendations of the public health authorities. The AMF has noted in the course of its work that financial institutions reacted promptly and effectively to the various requests made by the AMF early in the crisis and introduced many relief measures for their clients. The AMF asks financial institutions to continue their efforts to implement crisis management strategies and ensure that their clientele is treated fairly. The COVID-19 pandemic poses unique challenges because of the magnitude of its impact, its potential duration and the possibility that it will occur in several waves. The current framework, derived from Québec laws and regulations and the set of guidelines issued by the AMF, has promoted the development of a robust and resilient financial sector. This framework imposes many requirements on financial institutions and sets out a number for expectations. With this communication, the AMF wishes to reiterate the importance of some of those requirements and expectations, which have taken on increased relevance amid the pandemic. In this regard, the AMF expects the boards of directors of financial institutions to fully carry out their roles and responsibilities in directing activities and overseeing senior management performance, in order to ensure that institutions continue to comply with its obligation to adhere to sound commercial practices and follow sound and prudent management practices. It is also the AMF’s view that the establishment by financial institutions of a transparent and effective channel of communication with the various stakeholders is essential to safeguard their reputation and maintain trust in their organization. Again, to ensure sound and prudent management, financial institutions that quickly instituted new procedures to manage their operations in response to the COVID-19 pandemic, such as the large-scale adoption of remote work, are reminded that such procedures need to be documented. Those financial institutions must also ensure that existing controls are still appropriate and within the metrics of the risk appetite and risk tolerance framework approved by their boards of directors. The AMF will be paying attention to these items when carrying out its supervisory work. The following table summarizes by theme the AMF’s main prudential expectations relating to the COVID-19 pandemic for financial institutions authorized to operate under Québec law.

2 Sound and prudent management practices Theme Description of measures Operational resilience In a large-scale remote work situation, it is essential that statutes such as the Act respecting the protection of personal information in the private sector and the Act to establish a legal framework for information technology continue to be complied with and that senior management and the board of directors give them special attention. Financial institutions are asked to take all necessary steps to fulfill the obligations that are in place to protect their clientele, while ensuring the continuity of their operations. In addition, they must inform the AMF of any situation that could compromise their reputation and, ultimately, their solvency. Financial institutions must, in particular: • Monitor the effectiveness of measures taken and make any adjustments • Ensure employee safety and allow employees to resume their duties in a safe environment (remotely, if necessary) • Ensure the technology infrastructure can support significantly higher loads over a long period and take the necessary steps to protect information security • Ensure that providers of third-party and/or critical services are sufficiently prepared and any outsourced activities meet the expectations set out in the Outsourcing Risk Management Guideline • Increase their vigilance against such risks as cybersecurity threats, fraudulent transactions, money laundering and terrorist financing Segregation of duties and potential conflicts of interest The AMF expects financial institutions to act with integrity and in clients’ best interests, appropriately manage potential conflicts of interest, and develop measures to mitigate the possibility of conflicts. Because of the pandemic, institutions have had to rapidly redeploy certain tasks or services. For instance, some staff may have found themselves working temporarily in a different department or area. The AMF wishes to reiterate the importance of adhering to the principle of segregation of duties, a critical control in preventing errors, conflicts of interest and fraud. In addition, the functions of all employees should be clearly defined before any change is made to how duties are allocated. Information security At this time when cyber threats are on the rise and businesses are undergoing accelerated change, including in the shift to remote work, the AMF expects financial institutions to review the risks associated with the technologies used and implement appropriate controls based on the recognized best practices reiterated in the Guideline on information and communications technology risk management The AMF also reminds financial institutions that they must notify it when there is an operational incident, as indicated in the Business continuity guideline. and in the Operational risk management guideline. Money laundering and terrorist financing risks The pandemic is resulting in a rise in on-line transactions and could lead to a massive influx of new clients. This new situation could create fertile ground for financial crime. In view of emerging money laundering, terrorist financing and fraud risks, the AMF expects financial institutions to be very vigilant, perform the appropriate due diligence and continue to effectively mitigate such risks. More precise expectations are set out in the Financial crime risk management guideline. Natural disasters and climate change The AMF asks financial institutions to leverage the takeaways from the current health crisis in order to enhance their capacity to respond to other types of major disruptive events. Since it has been shown that the frequency, intensity and unpredictability of natural disasters due to climate change are likely to increase in the coming years, the AMF

3 expects the strengthening of business continuity plans and the management of investment portfolio volatility to be, among other things, topics of discussion at both the board and senior management levels. Commercial practices Theme Description of measures Fair treatment of consumers The AMF reminds financial institutions that they must continue to properly assess borrowers’ credit quality and follow sound credit risk management practices. The AMF also expects financial institutions to continue to assess, depending on the circumstances, a borrowers’ ability to repay loans before reclassifying the loans or determining the probability of default. Furthermore, the AMF reminds financial institutions that they must treat their clientele fairly. For example, they will have to adapt their claims processes to the current situation and take into account circumstances beyond the insured’s control (e.g., difficulty obtaining a statement from a physician). It is important that claims be assessed and settled quickly, in order to relieve financial pressure on policyholders. Lastly, the AMF wishes to stress to the industry that the temporary relief and deferral measures taken must not have a detrimental impact on the consumer’s credit score. Consumer communications Financial institutions must, in particular: • Provide, using all relevant communication channels, appropriate assistance and a means of communication enabling them to maintain contact with their clientele. • Inform their clients of the flexibilities available to them and what they have to do to benefit from those flexibilities (e.g. measure applied automatically, or action required from the client). These measures must be up-to-date, available on a timely basis and accessible in written format on paper or another durable medium. Observed examples of good practices include adding an electronic banner devoted to such measures that is visible immediately upon accessing the financial institution’s website and providing a toll￾free telephone number to call or dedicated web page to refer to for detailed instructions and to promote access to such flexibilities and the procedures for implementing them. • Communicate in clear and plain language the implications or consequences of the relief measures proposed to clients (e.g., since measures involving a payment deferral increase future obligations, borrowers and policyholders should weigh their options carefully). Accordingly, clients must be able to make informed decisions and determine whether such temporary measures are their best option. The AMF also encourages financial institutions to make their clientele aware of the increased risk of phishing attempts and the importance of reviewing their safeguards to ensure that their information is safe. Electronic transmission of documents (insurance policies) The AMF wishes to remind insurers that under the Act to establish a legal framework for information technology, the insured’s express consent is needed in order to transmit an insurance policy using a method that relies on information technology. For example, insureds must have expressly consented to receive their insurance policy via the insurer’s portal. Furthermore, the AMF expects financial institutions to take the security measures necessary to ensure the protection of the personal information collected, used, communicated, kept or destroyed, given the sensitivity of such information, the purposes for which it is used, the

4 quantity and distribution of the information and the medium on which it is stored, in accordance with the Act respecting the protection of personal information in the private sector. Special attention should also be paid to the use of electronic signatures. Operating digital transaction services Given the measures implemented in the wake of the pandemic, financial institutions should provide clients with information, in clear and plain language, about the multiple functionalities available across existing digital channels and products (e.g. informational and transactional websites and telephone services). For example, financial institutions could encourage their clients to learn about such services and could increase their remote assistance options. Insurance premiums and coverage Given the financial hardship clients may be facing due to the pandemic, insurers are asked to be flexible. The AMF encourages insurers to continue to offer flexibilities tailored to the evolving economic and public health situation. Observed good practices include offering payment deferrals or temporary insurance premium discounts during the pandemic. In addition, the AMF encourages insurers to continue to reassess the cost of certain types of insurance coverage in light of new lockdown and temporary-layoff conditions. Good practices observed among some insurers include reducing or crediting the cost of elements of group insurance coverage that no longer apply owing to limited access to health or professional services.