2024 Ontario Continuing Education Course for Mortgage Brokers and Mortgage Agents 9781988049168



English Pages [106] Year 2023


Course Manual for the REMIC 2024 Ontario Continuing Education Course for Mortgage Brokers and 2024 Ontario Continuing Education Course for Mortgage Agents


Copyright © 2023 by Joseph J. White. All rights reserved. Printed in Canada. No part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the author.

ISBN 978-1-988049-16-8

This publication is intended to provide accurate information at the time of publication regarding the mortgage industry in Ontario. Legal and other decisions related to financial transactions should be completed only after seeking advice from a competent professional person and should not be based on information contained herein. Neither the publisher nor the author is engaged in rendering legal or other professional advice.

The events and characters in this book are fictitious. Any resemblance to persons, living or dead is purely coincidental.


Acknowledgements

My thanks to all of the students of the Real Estate and Mortgage Institute of Canada Inc., Seneca College, and the consortium of Ontario Colleges through Ontario Learn who have so richly enhanced my career and who constantly challenge my knowledge and assumptions. Sincere thanks to all of my colleagues for their constant support, input, and dedication to our industry.

About the Author

Joseph J. White is the founder and President of the Real Estate and Mortgage Institute of Canada (REMIC), and founder and President of the Fraud Prevention Centre of Canada, a national charity, as well as the Association of Mortgage Investment Professionals (AMIPROS). Mr. White has been a staunch supporter of the mortgage industry since 1988. He began his career as a mortgage agent, and in the mortgage lending sector of the industry he has held positions as National Sales Manager and VP of Sales with two national mortgage lenders. In the industry’s mortgage brokering sector he is a licensed mortgage broker and has been a partner at a successful mortgage brokerage, manager at two national brokerages, principal broker at a commercial brokerage, founder of a mortgage investment corporation, and is owner and principal broker of his own boutique brokerage.

As an educator, Mr. White has personally instructed over fifteen thousand students since 1996, many of whom are now leaders in the industry. During his 14 years at Seneca College, he was a professor, program coordinator, subject matter expert and winner of the Excellence Award for exceptional leadership. In addition to having developed several courses for Seneca College, including the first mortgage broker education program in Ontario’s history, he designed the mortgage agent course currently used by REMIC and Ontario’s colleges. Mr. White has written two textbooks used in the mortgage industry and by over 20 Ontario colleges, with over thirty thousand copies in print, as well as several business focused books and e-books.

Mr. White has made significant contributions to the growth of the mortgage industry. When he began his career in teaching, 120 students per year were taking the mortgage agent course. Because of his passion and dedication to helping those who want to make mortgage brokering their career, REMIC has become the largest mortgage educator in Canada, teaching over 10,000 students per year.


Table of Contents

ACKNOWLEDGEMENTS
ABOUT THE AUTHOR
INTRODUCTION

CHAPTER 1: CONFLICTS OF INTEREST
1.1 LEARNING OUTCOME
1.2 LEARNING OBJECTIVES
1.3 INTRODUCTION
1.4 CONFLICTS OF INTEREST
  1.4.1 What is a conflict of interest?
  1.4.2 Conflicts due to compensation
  1.4.3 Conflicts due to relationships
  1.4.4 Conflicts due to multiple roles in a transaction
1.5 IDENTIFYING ACTUAL AND/OR POTENTIAL CONFLICTS OF INTEREST
  1.5.1 Personal conflicts of interest
  1.5.2 Business conflicts of interest
1.6 DISCLOSURE THAT PROMOTES INFORMED DECISION MAKING
  1.6.1 Disclosure of conflicts of interest or potential conflicts of interest
1.7 THE IMPACT OF INAPPROPRIATE CONFLICT OF INTEREST DISCLOSURES
  1.7.1 Administrative Penalties
  1.7.2 Administrative Penalties: Amounts
  1.7.3 Offences
1.8 PRACTICES TO HELP MANAGE CONFLICTS OF INTEREST
  1.8.1 Conflict of Interest Policies
  1.8.2 How to Disclose a Conflict of Interest – 3 Simple Steps

CHAPTER 2: ETHICAL PRACTICES IN BROKERED MORTGAGE TRANSACTIONS
2.1 LEARNING OUTCOME
2.2 LEARNING OBJECTIVES
2.3 INDUSTRY VALUES AND THE MORTGAGE BROKER CODE OF CONDUCT
  2.3.1 Mortgage Broker Regulators’ Council of Canada (MBRCC) Code of Conduct for the Mortgage Brokering Sector
  2.3.2 Rationale and Background
2.4 MBRCC – DRAFT PRINCIPLES FOR MORTGAGE PRODUCT SUITABILITY ASSESSMENTS – JUNE 21, 2023
2.5 MORTGAGE CHARACTERISTICS AFFECTING SUITABILITY
2.6 MORTGAGE SUITABILITY: BORROWER
  2.6.1 Knowing Your Client - Borrower
  2.6.2 Product Knowledge
  Policy Advisory – Product Knowledge
2.7 MORTGAGE SUITABILITY: INVESTOR/LENDER
  2.7.1 Knowing Your Client - Investor/Lender
2.8 STRATEGIES
2.9 APPENDIX 1: DECLARATION OF COMPLIANCE

CHAPTER 3: RELATIONSHIP BETWEEN THE MBLAA, FSRA AND LICENSEES
3.1 LEARNING OUTCOME
3.2 LEARNING OBJECTIVES
3.3 ANALYZING THE PRINCIPLES-BASED ASPECT OF THE MBLAA
3.4 HOW FSRA ADMINISTERS THE MBLAA
  3.4.1 About FSRA
  3.4.2 FSRA mandate
  3.4.3 Approach for Promoting High Standards of Business Conduct in the Mortgage Brokering Sector
  3.4.4 Enforcement and Monitoring
3.5 INNOVATION OFFICE
3.6 AREAS OF SUPERVISION FOCUS 2022-2023
3.7 STAYING UP TO DATE ON REGULATORY REQUIREMENTS

CHAPTER 4: REPORTING AND RECORD-KEEPING REQUIREMENTS
4.1 LEARNING OUTCOME
4.2 LEARNING OBJECTIVES
4.3 CHECKLIST FOR REPORTING REQUIREMENTS
  4.3.1 Reporting Requirements for Licensees
4.4 RATIONALE OF EACH REPORTING REQUIREMENT
4.5 RECORD-KEEPING REQUIREMENTS

CHAPTER 5: ROLE OF THE PRINCIPAL BROKER
5.1 LEARNING OUTCOME
5.2 LEARNING OBJECTIVES
5.3 DUTIES AND RESPONSIBILITIES OF THE PRINCIPAL BROKER
5.4 POLICIES AND PROCEDURES: REQUIRED ELEMENTS & PURPOSE
5.5 POLICIES AND PROCEDURES: STAYING UP TO DATE

CHAPTER 6: CYBERSECURITY
6.1 LEARNING OUTCOME
6.2 LEARNING OBJECTIVES
6.3 CYBERSECURITY – AN OVERVIEW
  6.3.1 What is Cybersecurity?
  6.3.2 Why is Cybersecurity Necessary?
  6.3.3 Cybersecurity responses – 2021 Annual information return
6.4 TYPES OF THREATS
  6.4.1 Malware
  6.4.2 Phishing
  6.4.3 Man-in-the-Middle (MitM) Attacks
  6.4.4 Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) Attacks
  6.4.5 SQL Injection
  6.4.6 Zero-day Exploits
  6.4.7 DNS Tunneling
  6.4.8 Cross-Site Scripting (XSS)
  6.4.9 Cryptojacking
  6.4.10 Advanced Persistent Threats (APTs)
6.5 STEPS IN CYBERSECURITY
  6.5.1 Steps in Preventing a Cybersecurity Breach
6.6 MBRCC PRINCIPLES FOR CYBERSECURITY PREPAREDNESS FOR THE MORTGAGE BROKERING SECTOR
  6.6.1 Purpose
  6.6.2 Scope
  6.6.3 Rationale and background
  6.6.4 FSRA mandate
  6.6.5 Information
  6.6.6 FSRA’s Market Conduct Protocol for Cybersecurity
6.7 MBRCC PRINCIPLES FOR CYBERSECURITY PREPAREDNESS
  6.7.1 Purpose
  6.7.2 Approach
  6.7.3 Principles for Cybersecurity Preparedness
  6.7.4 Appendix A – Cybersecurity Preparedness Checklist
  6.7.5 Appendix B – Other Cybersecurity Standards Examples

CHAPTER 7: FOSTERING A CULTURE OF COMPLIANCE AND CONSUMER PROTECTION
7.1 LEARNING OUTCOME
7.2 LEARNING OBJECTIVES
7.3 INTRODUCTION
7.4 SUPERVISION OF BROKERS AND AGENTS
7.5 BROKERAGE SPECIFIC POLICIES AND PROCEDURES
7.6 COMMUNICATING POLICIES AND PROCEDURES
  7.6.1 Self-reporting
  7.6.2 Attendance records
  7.6.3 Attendees’ signatures confirming understanding
  7.6.4 Testing to confirm understanding
  7.6.5 Periodic Communication of Policies and Procedures
7.7 MONITORING AGENTS AND BROKERS FOR COMPLIANCE
7.8 SUPERVISION OF AGENTS AND BROKERS UNDER SUPERVISION BY FSRA
7.9 SUPPORTING AGENTS AND BROKERS
  7.9.1 Benefits of Effective Appraisal Programs
  7.9.2 Reasons for ineffective performance appraisal programs
  7.9.3 Guidelines for an effective performance appraisal process
  7.9.4 Deciding who should perform the appraisal
7.10 PERFORMANCE APPRAISAL METHODS
  7.10.1 Management by Objectives (MBO)
  7.10.2 Graphic Rating Scale (GRS)
  7.10.3 Behavioural Observation Scale (BOS)
7.11 ASSESSING AGENTS AND BROKERS FOR COMPLIANCE
  7.11.1 Customer Relations
  7.11.2 Disclosure
  7.11.3 Business Practices
  7.11.4 Prohibited Activities
7.12 SELF-ASSESSMENT TO ENSURE PRINCIPAL BROKER OBLIGATIONS ARE MET
7.13 COMPLIANCE CHECKLIST FOR MANAGING THE MORTGAGE BROKERAGE AS OF JANUARY 1, 2009
  7.13.1 Managing the Mortgage Brokerage
  7.13.2 Keeping Records
  7.13.3 Trust Funds

INDEX
TABLE OF FIGURES

Introduction

This manual is to be used in conjunction with the REMIC 2024 Ontario Continuing Education Course for Mortgage Agents as well as the 2024 Ontario Continuing Education Course for Mortgage Brokers for the 2024 re-licensing cycle. It is my hope that you will not only complete this course for the purposes of relicensing, but that you will gain the knowledge necessary to ensure continued compliance with the Mortgage Brokerages, Lenders and Administrators Act, 2006 (MBLAA), and its Regulations.

To achieve this goal, I’ve written this text in what I hope you will find to be a user-friendly format, arranging chapters in a fashion that previous students and readers of my other texts, Mortgage Brokering in Ontario – Agent Edition and Mortgage Brokering in Ontario – Broker Edition, and the re-licensing courses in 2012, 2014, 2016, 2018, 2020 and 2022 have found beneficial. Each chapter begins with a “Learning Outcome” and “Learning Objectives” mandated by the Financial Services Regulatory Authority of Ontario (FSRA).

It is my hope that this book will not only provide you valuable insights into the mortgage brokerage industry but also continue to serve as a practical reference guide which will support you as you advance in your professional career. I firmly believe that every consumer, not just those who have been declined by their financial institution, should use a qualified mortgage broker or agent. I have had the honour and pleasure of working with and managing some of the most professional and ethical agents in our industry. They have acted and continue to act as ambassadors on our behalf, increasing the public’s awareness and respect of our industry.

While the legislation discussed throughout this text will help raise the standards of professionalism for our industry as a whole, legislation is not the sole answer. In my opinion, to increase market penetration from the current level of approximately 30% requires a change in the public’s attitude about our industry. Every broker and agent who acts with the highest levels of integrity, ethics and professionalism is an ambassador for our industry, increasing consumer confidence in our abilities and reinforcing the belief that we are here to serve them, not ourselves. Unfortunately, every broker and agent who acts unethically or unprofessionally tarnishes the reputation of the industry as a whole. Simply stated, there is no place in our industry for those who would tarnish our reputation by taking advantage of the public.

Brokerages and lenders must continue to have and expand upon top-down philosophies that reward ethical and professional behaviour and raise the standard of professionalism above what the MBLAA, its Regulations and the regulator require. In so doing our industry will shatter that 30% ceiling, an event that is long overdue.

Joseph J. White
Toronto
September 2023


PART 1 AGENTS AND BROKERS

Chapter 1: Conflicts of Interest

1.1 Learning Outcome

Brokers and agents comply with regulatory requirements and apply best practices in their daily operations to ensure actual and/or potential conflicts do not harm client interests.

1.2 Learning Objectives

Successful understanding of the concepts presented in this chapter will enable the learner to:

1. Analyze relationships in a transaction to identify actual and/or potential conflicts of interest.
2. Prepare/plan clear and complete disclosures that promote informed decision-making by clients.
3. Evaluate the impact of inappropriate conflict of interest disclosures on the suitability of a mortgage for clients (borrowers and/or lenders).
4. Recommend practices to help manage conflicts of interest (e.g., between brokers/agents and their brokerages and clients, when conducting concurrent businesses).

1.3 Introduction

Conflicts of interest are an important factor to consider when recommending a mortgage to a borrower or an investment to an investor or lender. Why? Simply put, every borrower, investor or lender has the right to make an informed decision and to understand if there are other real or perceived motivations behind the recommendation that is being made, aside from earning a commission or fee. And, just as importantly, every brokerage has the legal obligation to ensure that this information is properly disclosed to a borrower, lender, or investor, as the case may be. This chapter discusses how to ensure that potential conflicts of interest are identified and properly disclosed.

1.4 Conflicts of Interest¹

1.4.1 What is a conflict of interest?

FSRA states that “conflicts of interest arise when the brokerage, broker or agent in a transaction has (or appears to have) an incentive to place their own interests ahead of the interests of the borrower, lender or investor.” In mortgage transactions, real or perceived conflicts of interest often arise due to how brokerages, brokers and agents are compensated for their work, relationships between parties to the transaction, and brokerages, brokers or agents serving multiple roles in the same transaction.

¹ FSRA, https://www.fsrao.ca/industry/mortgage-brokering/compliance-and-other-resources/mortgagebrokerage-disclosure-requirements


Unsure if your compensation structure, relationships, or multiple roles in a transaction result in disclosable conflicts of interest? These scenarios, their identification and their disclosure should be discussed with the Principal Broker. When in doubt, disclose!

1.4.2 Conflicts due to compensation

It is up to a mortgage brokerage to determine who its client is and disclose its role, regardless of which party it receives compensation from. This applies whether it is acting as a representative of the lender but not the borrower, the borrower but not the lender or both the borrower and the lender. Mortgage brokers and agents must recommend suitable products based on their clients’ needs and circumstances, not which lender pays the highest commission. If you recommend a product that earns you a higher commission (or other monetary or non-monetary benefit) while still meeting the borrower’s needs and circumstances, you should disclose it to the client.

1.4.3 Conflicts due to relationships

Relationships between parties in a transaction can sometimes lead to actual or perceived conflicts of interest. In addition to disclosing a relationship’s existence, as required by section 26 of O. Reg. 188/08, the brokerage must disclose if the relationship poses an actual or perceived conflict of interest.

Examples of relationships which may result in disclosable conflicts of interest:

• The mortgage broker/agent has a family member that works for a lender. If that lender is recommended for the transaction, the relationship and conflict of interest should be disclosed to the borrower.
• The mortgage brokerage shares ownership (e.g., officers/directors, management) with that of the lender recommended for the borrower. This relationship and potential conflict of interest should be disclosed to the borrower.
• The mortgage broker/agent is related to the borrower. This relationship and potential conflict of interest should be disclosed to the lender/investor.

1.4.4 Conflicts due to multiple roles in a transaction

When the brokerage, broker or agent serves multiple roles in a transaction, there is a higher potential for actual or perceived conflicts of interest. Examples include:

• Brokerage is also the lender in the same transaction: If a brokerage is acting as both the brokerage and the lender in a transaction, this potential conflict of interest should be clearly disclosed to the borrower. Clear disclosure of who the brokerage is representing is still required.
• Individual broker/agent is also the lender in the same transaction: If the broker/agent is also personally serving as the lender in the transaction, this potential conflict of interest should be clearly disclosed to the borrower. Clear disclosure of whom the brokerage is representing is still required.
  o An example of a co-brokering scenario would be when a broker/agent is licensed under brokerage A and is serving personally as the lender in a transaction. Brokerage A is representing the broker/agent as the lender. The transaction is being co-brokered with brokerage B that is representing the borrower. Since the broker/agent (from brokerage A) is only acting as a lender in the transaction, and not representing the borrower, there is no obligation to disclose that the lender is also the mortgage broker/agent. Nonetheless, it is recommended as a best business practice to disclose this information to the borrower.
• Real estate agent is also the mortgage broker/agent in the same transaction: If you are acting as both the mortgage broker/agent and the real estate agent for a subject property, you must ensure that this does not jeopardize your integrity, independence, or competence. Your mortgage brokerage is required to disclose in writing to a borrower whether a mortgage broker/agent will receive payment of an incentive from another person, the nature of the incentive (such as mortgage finder’s fee and real estate commission), and the identity of the person.
  o You cannot use any information that is obtained while working as a mortgage agent for any other purpose without the person or entity subject to the information’s written consent. Note that additional disclosure obligations also apply to real estate agents and borrowers under the Trust in Real Estate Services Act, 2002.

50 per cent disclosure rule

In all transactions, the brokerage must disclose to the borrower the number of lenders on whose behalf the brokerage has acted during the previous fiscal year. It must also disclose if the brokerage itself was a lender.

The “50 per cent disclosure rule” is an additional requirement, if requested by the borrower. It highlights for borrowers if more than 50 per cent of new mortgages and renewals arranged by the brokerage in the last fiscal year were directed to the same lender.

What exactly must be disclosed?

If a borrower requests the information, the brokerage must disclose:

• Whether the brokerage itself was the lender for more than 50 per cent of the total number of new mortgages and renewals completed during the previous fiscal year
• The name of the lender, if any, with whom the brokerage arranged more than 50 per cent of the total number of new mortgages and renewals during the previous fiscal year

The percentage is based on the total number of new mortgages and renewals (number of deals), not the total dollar amount of those mortgages. The disclosure is required only upon request by the borrower. It is considered a best business practice, however, to disclose the information even without a request.

1.5 Identifying actual and/or potential conflicts of interest

The following are examples of potential mortgage brokerage conflicts of interest provided by industry members. Note, some of these examples are governed by specific regulations, e.g., disclosing a brokerage’s roles, relationships with lenders and fees payable by others. See sections 18, 19 and 21 of O. Reg. 188/08.

1.5.1 Personal conflicts of interest

• The lender is a family member of the borrower.
• A mortgage broker/agent is related to the developer on the project (where the developer is different from the borrower).
• A mortgage broker/agent is related to the appraiser.
• A mortgage broker/agent is acting for both the borrower and lender.
• A mortgage brokerage or any of its related parties have, or expect to have, a direct or indirect interest in the subject property.
• A mortgage brokerage or any of its related parties is related to the developer (where the developer is different from the borrower).
• A mortgage brokerage is related to the mortgage administrator.
• The mortgage broker/agent is acting as both the intermediary and the lender.
• The mortgage broker/agent or his/her spouse funds the mortgage for the borrower.
• A client is being sent to a lender because they are offering the mortgage broker/agent an incentive, such as travel points or a free trip.
• The mortgage broker/agent is receiving a higher bonus/commission for working with a specific lender during a specific timeframe.
• The principal broker is also a real estate broker who is involved with listing and selling the subject property.

1.5.2 Business conflicts of interest

• The mortgage brokerage/broker/agent is also the lender.
• The mortgage brokerage is receiving a fee from a party involved in the transaction (e.g., commission or gift from the lender/investor).
• A lender is being favoured due to monetary reasons.
• A large portion of the business (over 50 per cent) is being done exclusively with one party.

1.6 Disclosure that promotes informed decision making

1.6.1 Disclosure of conflicts of interest or potential conflicts of interest [2]

The following is taken from Ontario Regulation 188/08: MORTGAGE BROKERAGES: STANDARDS OF PRACTICE.

27. (1) A brokerage shall disclose in writing to a borrower, lender or investor, as the case may be, any conflict of interest or potential conflict of interest that the brokerage or any broker or agent authorized to deal or trade in mortgages on its behalf may have in connection with a mortgage or a trade in a mortgage that the brokerage presents for the consideration of the borrower, lender or investor. O. Reg. 188/08, s. 27 (1); O. Reg. 153/15, s. 3.

(2) The brokerage shall obtain the written acknowledgement of the borrower, lender or investor, as the case may be, that the brokerage made the disclosure required by this section. O. Reg. 188/08, s. 27 (2).

(3) Subsection (1) does not apply in the following circumstances:
1. The lender is another brokerage.
2. The investor is another brokerage or a financial institution.
3. The borrower, lender, or investor, as the case may be, is a permitted client that is not an individual and the mortgage in question is a syndicated mortgage that is not a qualified syndicated mortgage. O. Reg. 695/20, s. 9 (1).

(4) Revoked: O. Reg. 695/20, s. 9 (2).

[2] O. Reg. 188/08: MORTGAGE BROKERAGES: STANDARDS OF PRACTICE, https://www.ontario.ca/laws/regulation/080188#BK36


The following is taken from the Compliance Checklist for Mortgage Brokerages, Brokers & Agents [3]:

Disclose potential conflicts of interest. Disclose in writing to a borrower, lender or investor, any conflict of interest that the Mortgage Brokerage, Broker or Agent may have in connection with the mortgage or trade in a mortgage. This does not apply if the lender is another Mortgage Brokerage, or if the investor is another Brokerage or financial institution. Obtain written acknowledgement of the disclosure.

The following list, while not exhaustive, describes some of the conflicts that arise and must be disclosed to a potential borrower to promote informed decision making. [4]

Points programs

While points programs in and of themselves are simply another form of commission, points programs that allow a broker/agent to charge a higher interest rate to accumulate points for use in future transactions or that are redeemable for cash or merchandise must be disclosed to a potential borrower.

For example, a broker is given a choice of offering a borrower an interest rate from 4% up to a maximum of 4.5%. If the broker charges above 4% they will obtain additional points that will not be used for the current borrower but may be used in the future. The broker knows that these points may be used to buy down a rate for a future borrower below market rates and therefore will give him or her a competitive advantage in that future transaction. While these points may be beneficial to a future borrower, they come at the expense of a higher rate to the current borrower. This is a conflict of interest that must be disclosed, by way of informing the current borrower that they are being charged a rate higher than the lender’s lowest rate, so that the current borrower can then make an informed decision.

In British Columbia, the Financial Institutions Commission (FICOM) issued a bulletin in April 2004 which addressed this conflict. It stated that, “The Registrar considers the banking of points or bonuses to be a conflict of interest that must be disclosed to any borrower to whom the lowest interest rate offered by the lender is not given.” If the broker is not charging the current borrower a higher rate, they must only disclose that they will receive remuneration in the form of points.

Broker/agent related to the lender

If a broker/agent is related to the lender this is a potential conflict of interest that must be disclosed. For example, a broker is arranging a second mortgage for a borrower that will be funded by his wife’s self-directed RRSP. In this case the broker/agent could have an incentive to charge the borrower a higher rate to maximize the return for his wife. Although this may not be the case, the broker/agent has a duty to disclose this potential conflict so that the borrower may make an informed decision.

Broker/agent is the lender or a member of a syndicate lender

Similar to being related to the lender, in some cases the broker/agent is using their money to fund the mortgage and is the lender. While the broker/agent may be charging the borrower market rates based on their circumstances, the borrower must be informed that the broker/agent is the lender so that they can make an informed decision. In the case of a syndicate lender (where several lenders come together to pool their money into one mortgage), the same logic applies, and disclosure must be made.

[3] FSRA, Compliance Checklist for Mortgage Brokerages, Brokers & Agents, https://www.fsrao.ca/media/4571/download

[4] Joseph White, Mortgage Brokering in Ontario, Broker Edition, First Edition (REMIC, 2009), pg. 312


Broker/agent will acquire the mortgage after funding

In some cases, the broker/agent is also an investor. If they arrange a mortgage that is funded by another investor that they intend to purchase at a future date, this information must be disclosed for the same reasons that disclosure must be made if the broker/agent is the lender.

Broker/agent obtaining a benefit from the borrower

In a scenario where the broker/agent is arranging a mortgage in which they will obtain some benefit, such as part of the mortgage proceeds, the broker/agent must inform the lender/investor so that they can make an informed decision.

Broker/agent related to the borrower

In a scenario where the broker/agent is arranging a mortgage and is related to the borrower, whether by business or family, the broker/agent has a duty to disclose this information to the lender since the broker/agent may be biased in favour of the borrower.

1.7 The impact of inappropriate conflict of interest disclosures

Improper disclosure of conflicts of interest can result in a borrower, investor, or lender, as the case may be, making a decision to enter into a mortgage without the proper information to make an informed decision. This has resulted in investors losing money and borrowers obtaining mortgages that were not in their best interests. When this occurs, the brokerage puts itself at risk of being sued by the injured party. In addition, there are regulatory penalties that can and will be levied by FSRA. Contraventions of the legislation can result in administrative penalties or constitute offences under the Act, both of which can have serious consequences for those involved.

1.7.1 Administrative Penalties

Regulation 192/08 spells out rules and procedures related to administrative penalties. This Regulation (sections 1 – 4) prohibits FSRA from imposing penalties on those covered in section 46 of the MBLAA (which prohibits reprisals against those who provide information to FSRA). Administrative penalties are either “general” or “summary” and are covered in detail in Regulation 192/08 sections 1 – 6. The same timeframes apply to both.

FSRA may impose administrative penalties for contraventions of or failures to comply with the MBLAA in amounts determined in accordance with the Regulations. If FSRA proposes to impose an administrative penalty, the affected party may request a hearing before the Financial Services Tribunal.


Pause for clarification – Financial Services Tribunal

The Financial Services Tribunal is an independent, adjudicative body composed of at least nine members, including the Chair and two Vice-Chairs. The Tribunal has exclusive jurisdiction to exercise the powers conferred under the Financial Services Tribunal Act, 2017 and other Acts that confer powers on or assign duties to the Tribunal. It also has exclusive jurisdiction to determine all questions of fact or law that arise in any proceeding before it. As well, the Tribunal has authority to make rules for the practice and procedure to be observed in a proceeding before it and to order a party to a proceeding before it to pay the costs of another party or the Tribunal's costs of the proceeding.

1.7.2 Administrative Penalties: Amounts

Section 41 of the MBLAA empowers FSRA to impose administrative penalties to promote compliance with the MBLAA. As of February 1, 2022, there are three separate penalties that may be imposed.

1. Mortgage Brokerage or Administrator, up to a maximum of $500,000
2. Broker or agent, up to a maximum of $100,000, and
3. Anyone else not licensed, up to a maximum of $500,000

If FSRA proposes to impose an administrative penalty the licensee has the right to appeal this proposal to the Tribunal within 15 days of receiving it. If the penalty is not paid, it is considered a debt to the Crown and can be enforced as such. Those assessed a penalty must pay the penalty within thirty days of being assessed the penalty or once a hearing has been conducted, or longer if provided for in the penalty or order made from the hearing.

Example

Judy obtained a mortgage agent license on June 14, 2015, and has been brokering mortgages for ABC Mortgages Inc., a licensed brokerage in Ontario, since that time. In March of 2022 Judy was approached by GiGi Mortgages Inc., another licensed mortgage brokerage, to broker mortgages on their behalf. Since Judy liked working for ABC Mortgages Inc., she kept her license there while also brokering mortgages for GiGi Mortgages Inc., thereby working for two mortgage brokerages at the same time.

Because an agent can only be authorized to deal in mortgages for one mortgage brokerage, GiGi Mortgages Inc. was in contravention of section 43(2) of Regulation 188/08 for authorizing Judy to broker mortgages on behalf of that brokerage, knowing that Judy was already authorized to deal in mortgages for ABC Mortgages Inc. In this case FSRA could impose an administrative penalty in an amount that it feels is appropriate up to $100,000.

1.7.3 Offences

While the preceding penalties refer to the establishment of policies and procedures to deal with conflicts of interest, section 27 of O. Reg. 188/08: MORTGAGE BROKERAGES: STANDARDS OF PRACTICE, requires a brokerage to disclose these conflicts.

27. (1) A brokerage shall disclose in writing to a borrower, lender or investor, as the case may be, any conflict of interest or potential conflict of interest that the brokerage or any broker or agent authorized to deal or trade in mortgages on its behalf may have in connection with a mortgage or a trade in a mortgage that the brokerage presents for the consideration of the borrower, lender or investor.

(2) The brokerage shall obtain the written acknowledgement of the borrower, lender or investor, as the case may be, that the brokerage made the disclosure required by this section. O. Reg. 188/08, s. 27 (2).

Failure to meet these requirements may result in FSRA making a determination that an offence has been committed, with the following penalties.

Offence re standards of practice

(2) Every person who contravenes or fails to comply with a standard of practice that is applicable to his, her or its licence is guilty of an offence. 2006, c. 29, s. 48 (2).

Penalties for offences

The MBLAA lists the specific penalties for offences. As of February 1, 2022, there are two separate penalties that may be imposed.

1. Individuals charged with an offence, a fine up to $500,000 and imprisonment for up to one year, or both
2. Corporations charged with an offence, a fine of up to $1,000,000

Additional order for compensation or restitution

50 (1) If a person is convicted of an offence under this Act, the court may order the person convicted to pay compensation or make restitution in such amount and on such conditions as the court considers just, in addition to any other penalty imposed by the court. 2006, c. 29, s. 50 (1).

Payment to insurer

(2) If an order for compensation or restitution is made in favour of a person or entity who has received an amount from an insurer who is licensed under the Insurance Act in respect of the matter, the person required by the order to pay the compensation or make the restitution shall deliver the amount payable under the order to the insurer. 2006, c. 29, s. 50 (2).

Civil remedy

(3) No civil remedy for an act or omission is affected by reason only that an order for compensation or restitution under this section has been made in respect of that act or omission. 2006, c. 29, s. 50 (3).

1.8 Practices to Help Manage Conflicts of interest

1.8.1 Conflict of Interest Policies

The following list of conflicts of interest policies is taken from Mortgage Brokering in Ontario, Broker Edition [5]:

• All employees, brokers and agents must avoid undisclosed conflicts of interest. A conflict of interest may occur if an employee’s, broker’s or agent’s outside activities or personal interests influence or appear to influence their ability to make objective decisions in the course of their job responsibilities.
• Avoid the appearance of a conflict of interest and disclose potential conflicts. Take appropriate steps to avoid both conflicts of interest and situations that may appear to others to present a conflict of interest. Anytime an employee, broker or agent faces a situation that might give rise to questions, the employee, broker, or agent should disclose the potential conflict to their manager or the principal broker. All employees, brokers and agents who are not sure whether a situation presents a conflict should ask first.
• Avoid conflicts of interest with family members. Avoid situations in which the interests of an immediate family member or close relative may be at odds with those of the brokerage.
• Disclose all potential conflicts of interest to all parties of a mortgage transaction.

[5] Joseph White, Mortgage Brokering in Ontario, Broker Edition, First Edition (REMIC, 2009), pg. 382

1.8.2 How to Disclose a Conflict of Interest – 3 Simple Steps

Step 1: Identify if there is a conflict

In considering whether a situation poses a conflict of interest, it may be helpful to ask yourself: “Would I be concerned if other people found out about it?” “How would it look if it was in the newspaper?” and/or “How would I feel if it involved someone else?”

Step 2: Disclosure in writing

Explain the conflict of interest, either real or perceived, in writing. This is what you’ll present to your client, so be sure to be clear and concise. Accuracy and full disclosure are crucial.

Step 3: Present to your client

Present your written disclosure to your client, making sure to explain it and to have receipt acknowledged in writing. FSRA has stated that it “will not consider a client's signature on a disclosure document, on its own, as sufficient proof the client was adequately informed about the mortgage and its risks”. [6] This disclosure may be part of your larger disclosure document, such as the Borrower Disclosure, or Investor/Lender Disclosure, as the case may be, or be a separate document. Be sure to provide the client with a signed copy and keep one for your records.

[6] FSRA, FAQs on FSCO's Checklist on Detecting and Preventing Mortgage Fraud, https://www.fsrao.ca/media/4586/download


Chapter 2: Ethical Practices in Brokered Mortgage Transactions

2.1 Learning Outcome

Brokers and agents carry out their obligations under the MBLAA and its Regulations and FSRA Rules and Guidance in an ethical manner.

2.2 Learning Objectives

Successful understanding of the concepts presented in this chapter will enable the learner to:

1. Describe values promoted by the MBLAA and its Regulations and the MBRCC Mortgage Broker Code of Conduct.
2. Describe key characteristics of a mortgage that impact the suitability assessment (e.g., cost, conditions for early repayment, foreclosure, conflicts of interest).
3. Analyze the factors (including disclosures) that impact a broker’s/agent’s assessment of the suitability of a mortgage for a borrower (e.g., in a private lending transaction).
4. Analyze the factors (including disclosures) that impact a broker’s/agent’s assessment of the suitability of a mortgage investment for a lender/investor (e.g., in a private lending transaction).
5. Recommend strategies to achieve common understanding of mortgage/mortgage investment options with clients, including situations in which a client wishes to proceed with a transaction that contradicts the broker’s/agent’s recommendation.

2.3 Industry Values and the Mortgage Broker Code of Conduct

2.3.1 Mortgage Broker Regulators’ Council of Canada (MBRCC) Code of Conduct for the Mortgage Brokering Sector [7]

The MBRCC is a forum for Canadian mortgage broker regulators to collaborate and promote regulatory consistency to serve the public interest. The MBRCC developed this plain-language Code of Conduct (Code) to promote high standards of conduct to protect consumers of mortgage brokering services.

The ten principles in the Code outline professional behaviour and conduct expectations that Canadians should expect when working with mortgage brokers. Mortgage brokers should conduct their business following these common principles, while ensuring compliance with all applicable laws, regulations, rules, or regulatory codes within their respective jurisdiction. Any stricter or more specific requirements, rules or standards of conduct take priority over the Code.

Beyond professional conduct expectations, the MBRCC supports a vibrant and inclusive working environment, where industry representatives do not discriminate or participate in discrimination against any person or entity and where they are not subject to discrimination.

The common principles for conduct in the Canadian mortgage brokering sector are:

[7] FSRA, https://www.fsrao.ca/media/4871/download


1. Compliance / Outcomes: Regulated persons and entities must comply with legislative and regulatory requirements. They should take reasonable steps to ensure their staff and third-party partners also comply. Their conduct should embody the principles included in this Code.
2. Accountability: Regulated persons and entities must act in a responsible / accountable manner. They must exercise care, due diligence, and sound judgement in providing products and services.
3. Honesty: Regulated persons and entities must conduct their activities in a truthful, clear, and transparent manner. They must not mislead, hide, or obscure material information.
4. Competence: Regulated persons must have and maintain the skills, knowledge, and aptitudes necessary for their business activities. They should decline to act when they are unable to provide products / services in accordance with this Code.
5. Suitability: Regulated persons and entities must take reasonable steps to present products / services that are suitable for their client(s). They must have a sound understanding of how the products / services match the disclosed circumstances of their client(s).
6. Disclosure: Regulated persons and entities must fully disclose material information to applicable parties in a transaction. Disclosures must be meaningful and made in an honest and timely manner.
7. Management of Conflicts of Interest: Regulated persons and entities must identify and disclose actual, potential and / or perceived conflicts of interest to applicable parties in a transaction. They should have documented policies for managing such conflicts.
8. Security and Confidentiality: Regulated persons and entities must protect their clients’ information. They must use and disclose it only for purposes for which the client has given consent or as compelled by law.
9. Stewardship: Regulated persons and entities should act ethically, with integrity and respect. They should foster a culture of compliance. Their conduct should not undermine the public’s confidence in the mortgage brokering sector.
10. Co-operation with Regulators: Regulated persons and entities must co-operate with mortgage brokering regulators. They should report possible violations of laws, regulations, or this Code to the appropriate authority.

2.3.2 Rationale and Background [8]

The MBRCC developed the Code in response to industry feedback from the Canadian Mortgage Brokers Association–Ontario (CMBA-ON) and Mortgage Professionals Canada (MPC). MBRCC and the industry believe consumers benefit from consistent minimum conduct standards for mortgage professionals across Canada.

The MBLAA and its regulations govern mortgage brokering activities in Ontario. The Code is a plain-language guide to help licensees comply with the MBLAA and its regulations. It also helps consumers understand licensees’ obligations. It promotes regulatory compliance, confidence in the sector, and the interests of consumers who deal with licensees.

[8] FSRA, https://www.fsrao.ca/industry/mortgage-brokering/regulatory-framework/guidance-mortgagebrokering/mortgage-broker-regulators-council-canada-code-conduct-mortgage-brokering-sector

For the industry

The Code provides simple, clear guidance on how to conduct mortgage brokering activities that protect consumers’ interests. It does this by reminding licensees to:

• Provide products and services that are suitable for each client;
• Provide services in a transparent and effective manner; and
• Comply with all applicable legal and regulatory requirements.

For the consumer

The Code outlines behaviour that consumers should expect from mortgage brokering licensees. By doing so, the Code:

• Raises awareness of consumers’ rights when dealing with a licensee; and
• Provides consumers with a reference / education tool for appropriate conduct.

Consumers of mortgage brokering services can use the Code to learn more about their rights and what appropriate service looks like.

Processes and practices

The following processes and practices help raise licensees’ awareness of, and compliance with, the Code.

1. All applicants for licensing and renewal are required to acknowledge that they are aware of and understand the Code.
2. Principal Brokers are required to declare, as part of the ‘Mortgage Brokerage Declaration of Compliance’ (see Appendix 1), that the brokerage has implemented policies and procedures to ensure that the brokerage and its agents and brokers adhere to the MBLAA requirements reflected in the Code.
3. Brokerages and administrators should incorporate the principles of the Code into their policies and procedures.
4. Brokerages and administrators should record non-adherence to the Code and identify and implement actions to rectify non-adherence. This information should be made available to FSRA upon request.

As the Code is principles-based, licensees can implement processes, practices and controls in a way that is most effective and efficient for their business. They can assess themselves against the Code when setting or revising policies and procedures and operating their businesses. Licensees should be able to demonstrate application of the principles in ways appropriate to the nature, size and complexity of their business operations and activities.

Supervision

This section presents FSRA’s supervision approach for the Code. Significant differences between conduct promoted by the Code and a licensee’s practices may be an indicator of a breach of the MBLAA. In its supervisory reviews, FSRA will highlight non-compliance with all aspects of the Code and may enforce against those that align with requirements in the MBLAA.

The following are approaches that FSRA may take to assess adherence:

• Comprehensive desk reviews / onsite examinations – When reviewing transactions completed by mortgage brokers, agents, and staff of mortgage administrators, FSRA assesses the documents and practices used to complete the transactions against the principles of the Code.
• Targeted reviews – FSRA may focus on specific principles of the Code, for example, complaint-handling activities.
• Thematic reviews – FSRA may also conduct reviews of a large number of licensees to assess overall trends in industry implementation of or adherence to the Code.

FSRA’s reviews may include an examination of the brokerages’ or administrators’ record of non-adherence to the Code and corrective actions taken.

Complaints handling

FSRA expects that licensees and their principal broker should be the first points of contact, as appropriate, for consumer concerns. Brokerages and administrators must have a process for tracking all complaints from the public and how they resolve them. Processes for filing and resolving complaints should be easy to access and use by the public. Complaints should be responded to in a timely, transparent, effective, and fair manner.

FSRA may request to review the brokerage’s or administrator’s complaint handling policies and procedures, complaint resolution outcomes and statistics.

FSRA reviews unresolved complaints submitted about a licensee’s conduct against the Code. Where non-compliance with the Code reflects non-compliance with the MBLAA, FSRA acts to address the issue (see Enforcement section below).

Complaints should be submitted to FSRA:

• According to the directions on the FSRA website; and
• Using the Complaint Form.

The Code is posted on the “For Industry” (https://www.fsrao.ca/industry/mortgage-brokering/codeconduct-mortgage-brokering-sector) and “For Consumer” sections (https://www.fsrao.ca/consumers/mortgage-brokering/code-conduct-mortgage-brokering-sector) of FSRA’s website.

Supervisory and complaints findings

FSRA relies on data and analysis of Code complaints, inquiries, examinations, and filings to:

• inform licensee risk assessments;
• identify risks (e.g., failures in processes that result in consumer harm, repeat patterns of misconduct);
• validate environmental trends; and
• drive evidence-based decision-making for next steps in the supervisory process.

Feedback to licensees from supervisory findings will refer to the Code, relevant requirements of MBLAA, FSRA guidance or related best practices.


Enforcement and suitability

FSRA considers adherence to the Code, where it aligns with the MBLAA, as a factor in its assessment of whether an individual or entity is suitable for licensing. FSRA has authority to refuse, impose conditions, revoke, or suspend a licence based on suitability.

FSRA may take enforcement action to address breaches of licensee obligations under MBLAA and its regulations, most of which are reflected in the Code. FSRA takes into consideration the nature and extent of risks to consumers, mitigating actions taken by licensees, and past supervisory findings.

Enforcement actions include:

• warning or cautionary letters;
• imposition of licence conditions;
• licence suspension;
• licence revocation;
• imposition of administrative penalties; and
• prosecution in the courts.

Effective date and future review

This Guidance is effective August 5, 2021, and will be reviewed no later than August 2024. Effective March 31, 2021, Guideline No. 03/18: Treating Financial Services Consumers Fairly Guideline no longer applies to licensees in the mortgage brokering sector. It is replaced by this Approach Guidance.

About this guidance

This Guidance is an Approach. Approach Guidance describes FSRA’s internal principles, processes and practices for supervisory action and application of Chief Executive Officer discretion. Approach Guidance may refer to compliance obligations but does not in and of itself create a compliance obligation. Visit FSRA’s Guidance Framework to learn more.

2.4 MBRCC – Draft Principles for Mortgage Product Suitability Assessments – June 21, 2023 [9]

Regulated persons and entities must ensure any mortgage product option(s) (including renewals) they present to their clients are suitable for the client based on the client’s unique circumstances. However, regulators noticed, through supervision, that regulated persons and entities are often unable to demonstrate if and how they meet this obligation. To aid regulated persons and entities to meet this obligation, and assist regulators with supervision, the MBRCC has developed a set of six principles for conducting suitability assessments of the products they present to their clients (“suitability assessment principles”). Regulated persons and entities should conduct their business following these common principles, while ensuring compliance with all applicable laws, regulations and rules within their respective jurisdiction. Any stricter or more specific requirements, rules or standards of conduct take priority over these principles.

[9] MBRCC, https://www.mbrcc.ca/Documents/View/8366

Chapter 2: Ethical Practices in Brokered Mortgage Transactions


The suitability assessment principles further help regulated persons and entities achieve the principles set out in the MBRCC Code of Conduct for the Mortgage Brokering Sector (“Code of Conduct”), including Principle 2 on Accountability, Principle 4 on Competence, Principle 5 on Suitability and Principle 6 on Disclosure. The MBRCC published the Code of Conduct in 2021. The Code of Conduct outlines 10 principles to promote high standards of conduct for regulated persons and entities in order to protect consumers of mortgage brokering services.

Mortgage Product Suitability Assessment Principles

1. Know Your Client (KYC). Regulated persons and entities must understand the unique needs and circumstances of their client.
2. Know Your Product (KYP). Regulated persons and entities must understand and be able to explain the mortgage products that are available (e.g., the features and risks of a product).
3. Assess Options and Make Suitable Recommendations. Regulated persons and entities must ensure any mortgage product option(s) they present to the client matches their client’s unique needs and circumstances.
4. Clearly Communicate and Explain Rationale of the Recommended Option. Regulated persons and entities must clearly explain to their client any mortgage product option(s) they present for the client’s consideration. The explanations must include documented rationale for the option(s) they select to present to the client. Regulated persons and entities should obtain written acknowledgement from their client that the client understands the option(s).
5. Ensure Adequate Oversight and Accountability. Regulated entities should have reasonable processes in place to ensure regulated persons authorized by the brokerage conduct adequate suitability assessments of mortgage product options and present the option(s) that are suitable for the client.
6. Document Suitability Assessment and Oversight. Regulated persons and entities, as applicable, must adequately document their suitability assessments. Documentation should, at a minimum, include the mortgage product recommendation provided to the client and the rationale for how the recommendation matches the client’s unique needs and circumstances. Further, regulated entities should document their (a) approach to reviewing the suitability assessments conducted by their authorized regulated persons, and (b) implementation of such approach.

2.5 Mortgage Characteristics Affecting Suitability

Taking a mortgage application and finding the right lender and product for the borrower is not possible unless the mortgage agent has detailed knowledge of a borrower’s needs. That is an important distinction from simply having the borrower express what they believe their needs to be to the mortgage agent. Successfully analyzing a borrower’s needs requires that the mortgage agent assist the borrower in determining what those needs are.

Characteristics that must be taken into consideration when determining suitability include, but are not necessarily limited to:

1. Conflicts of interest
2. Material risks, including risk of default (power of sale/foreclosure)
3. Standard Charge Terms (specific clauses, including a prohibition on renting or leasing, and if a variable rate mortgage, how a payment increase is triggered, for example)
4. Term
5. Repayment options (open, closed, etc.)
6. Prepayment options (payment increase, lump sum payments, etc.)
7. Penalties
8. Interest rate (amount, variable, fixed)
9. Payment type (interest only, blended)
10. Payment frequency (monthly, weekly, bi-weekly, etc.)
11. Mortgage type (collateral mortgage, HELOC, etc.)
12. Amortization (length)
13. Portable
14. Assumable
15. Cash back
16. Any other factor that may impact the suitability of a mortgage or investment.

2.6 Mortgage Suitability: Borrower

2.6.1 Knowing Your Client - Borrower

When determining suitability, it is necessary to have a full understanding of the client’s current circumstances as well as their future goals. In a webinar, the regulator clearly stated that suitability includes knowing the client’s needs, risk tolerance and financial circumstances, and referred to the “Know Your Client” (KYC) requirements found in securities regulations.

Achieving this goal requires the brokerage to have policies and procedures in place to obtain this information from every potential borrower, regardless of whether or not the mortgage is funded. It is advisable to create a separate form for this information in addition to the client’s mortgage application form. The form that is created by a brokerage is a requirement of the Principal Broker, who must satisfy himself or herself that it meets the requirements under the MBLAA and its Regulations. This form should be kept in the client’s mortgage file at all times to meet the requirements of the MBLAA and its Regulations. Once this information has been obtained, the agent/broker can analyze the available products and their characteristics to determine if a specific product is suitable.

The following is a list of information that should be obtained from a client in addition to their mortgage application.

1. What are your goals with regards to this mortgage?
   Purchase: What is your price range? $___________ to $___________
   Purchase: Available down payment: $___________
   Refinance: Obtain a lower rate: Current Rate: _________% Desired Rate: _________%
   Refinance: Obtain a lower payment: Current Payment: $_________ Desired Payment: $_________
   Refinance/ETO: Consolidate Debt: Amount: $___________
   Refinance/ETO: Renovations: Amount: $__________
   Refinance: Other Explain:_______________________________________________________________
2. What is the amount of the mortgage payment that you believe would fit your current lifestyle? From $__________ to $__________
3. What interest rate range do you expect to obtain? From __________% to __________%
4. Do you plan on moving in the next 5 years? If yes, when?
5. Do you plan on changing employers in the next 5 years? If yes, when?
6. Do you believe your current home will meet your family’s needs over the next five years?
   __Yes __No
7. Do you typically receive bonus or commission income in addition to your regular income? If yes, how often?
   __Annually __Monthly
8. Do you intend to make a lump sum payment or payments on your mortgage to pay it off faster?
   __Yes __No
9. Which is most important to you?
   __Debt Repayment: Paying your mortgage off as soon as possible?
   __Cash Flow: Having a low or the lowest payment possible?
10. Which is most important to you:
   __Mortgage Payment: Having a mortgage payment that fits your cash flow?
   __Interest Rate: Having a low or the lowest interest rate possible?
11. When it comes to your mortgage payment, would you say that you:
   __Would like a mortgage payment that stays the same month to month?
   __Would like a mortgage payment that might increase or decrease if there is the potential to save money?
12. If given the option to have a variable interest rate that is lower than a fixed interest rate, would you:
   __Be willing to watch interest rates on a monthly basis to ensure that your mortgage has the best rate possible?
   OR
   __Prefer to have a fixed interest rate that did not fluctuate and did not require regular attention?
13. Would you prefer a payment frequency that is:
   __Monthly __Bi-Weekly __Weekly

2.6.2 Product Knowledge

While products change from time to time and require brokers and agents to be knowledgeable on which lenders offer which products, the types of mortgages remain constant. For instance, a partially amortized, constant payment mortgage with a fixed rate is a type of mortgage and will not change; the features that are offered by each lender, however, such as the maximum loan to value and repayment options, and the requirements for approval, such as the GDS, TDS and credit score requirements will change. It is therefore necessary for the brokerage to have policies and procedures in place to ensure that its brokers/agents are always updated on those features and requirements for approval.

Before a broker/agent can determine which features are suitable for the borrower and if they can meet the lender’s approval requirements, the broker/agent must determine which type of mortgage is suitable for the borrower. To achieve that goal requires an understanding of the characteristics of each type of mortgage as well as an understanding of its associated benefits and risks. Once the type of mortgage has been chosen, the broker/agent can then determine which mortgage option(s) is/are best for their borrower which implies, of course, that the broker/agent has an understanding of the standard mortgage options available from lenders.


Policy Advisory – Product Knowledge

To comply with suitability requirements of the MBLAA and its Regulations, a brokerage should have policies and procedures in place to ensure that its brokers and agents receive product updates in a timely fashion, thereby ensuring that its brokers and agents can consistently recommend suitable products to their borrowers.

Capacity/Affordability

In all cases affordability is one of the tests for suitability of a mortgage for a borrower. While institutional lenders typically rely on GDS and TDS standards to determine affordability, most private mortgage lenders do not use them. Again, the main focus is on the collateral. However, it is of great importance to review affordability because this is necessary to determine the level of risk this proposed mortgage presents to the private mortgage lender.

In a past webinar, the regulator clearly stated that a major concern when determining suitability revolves around the borrower’s ability to make the mortgage payments based on their financial circumstances, not just the financial components used for approving a mortgage. It should be noted that neither FSRA, in this webinar, nor the MBLAA or its Regulations state or imply that brokers/agents must be financial planners or offer the advice that a financial planner would. However, they must take all financial components of the borrowers’ circumstances into account when making a recommendation.

For example, a family with five children will be judged using the same GDS and TDS guidelines as a family with one child. While both families might have identical incomes, their expenses will be vastly different, affecting the affordability of the mortgage. As long as a lender approved the application, the borrower has typically decided whether they could afford the mortgage payment. The brokerage now has the responsibility to take this fact into consideration when determining suitability.

While there is nothing to prevent the borrower from accepting a mortgage that the broker/agent considers unaffordable, the brokerage has a responsibility to ensure that the borrower knows that the mortgage may be unaffordable. Simply put, the brokerage has a responsibility to provide the borrower with the information necessary for the borrower to make an informed decision and, based on information provided by FSRA, this includes having the borrowers complete a budget.

Consider that example. If a brokerage arranges a mortgage for the family with five children and six months later the borrowers find that they cannot afford the mortgage and file a complaint with FSRA, FSRA will investigate the complaint and the brokerage must prove that the mortgage was suitable given the needs and circumstances of the borrowers. If the broker/agent did not take into account the borrowers’ expenses related to their five children as a factor to be included in determining affordability, FSRA’s auditor (again the “reasonable person” at this stage) may find that the mortgage was unsuitable for the borrowers.

One way for the brokerage to prove that it did take this information into account is to have the borrowers complete a budget, and if the mortgage appears to be unaffordable have the borrowers acknowledge this fact and sign a waiver indemnifying the brokerage for any potential future default. While this may seem extreme it would certainly protect the brokerage from possible allegations that it did not properly advise the borrowers.


Because a private mortgage investor has the ability to be much more flexible than an institutional lender, they may be able to mitigate the affordability risk by prepaying the mortgage payments. This is but one option available to the private mortgage lender to mitigate the borrower’s risk of default.

The following case study illustrates the effects of a budget regarding the suitability of a potential mortgage.

Case Study - Budget

Bob, a Mortgage Broker, has completed taking an application on Jose and Maria, a married couple with two children, aged 3 and 5. They have recently signed a conditional Agreement of Purchase and Sale for $320,000 to buy their first home and have $32,000 to use as a down payment.

In taking their application Bob has learned that they have a combined family income of $95,923 (this amount is based on the average before tax income of a two earner family for Ontario of $80,900 as provided by Statistics Canada [10]) and have the following obligations: $320 per month for his car loan and $300 per month for her car loan, a Visa card with a $4,000 balance and monthly payments of $120, a MasterCard with a balance of $2,500 and monthly payments of $75, a LOC with a balance of $8,000 and monthly payments of $240; property taxes on this new home of $2,729 per year (based on the 2007 City of Toronto property tax rate of 0.8528434%); heating costs for approval are standardized at $75 per month.

Since Jose and Maria have a 10% down payment, they require default insurance. Bob has calculated the premium to be 2%, or $5,760. Based on an interest rate of 4.5%, compounded semi-annually with a 25-year amortization, Bob has calculated that the monthly mortgage payment will be $1,625.89. Given this information Bob has determined that his clients’ GDS is 24.12% while their TDS is 37.32% and coupled with the additional information that Bob has gathered, he has submitted and obtained a commitment from a lender for these clients.

The question that must now be asked is, “Is this mortgage affordable for his clients?” To answer this question Bob has asked Jose and Maria to complete a budget, illustrated in the following figure – Sample Budget. This budget uses information obtained from Statistics Canada on average household spending in Ontario [11], as well as assumptions made based on anecdotal evidence for the purposes of illustration.

Figure 1 – Sample Borrower Budget

Summary:

| | Monthly | Yearly |
|---|---|---|
| Total Income | $7,993.58 | $95,923.00 |
| Necessary Expenses | $6,893.89 | $82,726.72 |
| Discretionary Spending | $2,231.67 | $26,780.00 |
| Amount remaining to save or invest | ($1,131.98) | ($13,583.72) |

Income:

| | Monthly Budget | Annual Amount |
|---|---|---|
| Your Primary Income | $3,996.79 | $47,961.50 |
| Your Spouse's Income | $3,996.79 | $47,961.50 |
| Total Income | $7,993.58 | $95,923.00 |

Necessary Expenses:

| | Monthly Budget | Annual Amount |
|---|---|---|
| Payroll Taxes | $1,251.92 | $15,023.04 |
| Other income deductions | $250.00 | $3,000.00 |
| Rent or Mortgage | $1,625.89 | $19,510.68 |
| Property Taxes | $227.42 | $2,729.00 |
| Gas & Electric | $120.00 | $1,440.00 |
| Auto Insurance | $180.00 | $2,160.00 |
| Auto repairs | $150.00 | $1,800.00 |
| Food & Groceries (not dining out) | $610.00 | $7,320.00 |
| Clothing (necessary) | $265.00 | $3,180.00 |
| Telephone (not mobile phone) | $50.00 | $600.00 |
| Home or Renters Insurance | $41.67 | $500.00 |
| Life Insurance Costs | $60.00 | $720.00 |
| Laundry | $20.00 | $240.00 |
| Childcare (daycare & babysitters) | $400.00 | $4,800.00 |
| Child & Baby Expenses | $1,642.00 | $19,704.00 |
| Total Necessary Expenses | $6,893.89 | $82,726.72 |

Discretionary Expenses:

| | Monthly Budget | Annual Amount |
|---|---|---|
| Credit Card Bills | $195.00 | $2,340.00 |
| Auto Loan (s) | $620.00 | $7,440.00 |
| Gasoline | $200.00 | $2,400.00 |
| Cable or Satellite TV | $50.00 | $600.00 |
| Mobile Phone (s) | $100.00 | $1,200.00 |
| Home Improvement | $0.00 | $0.00 |
| Home Security | $0.00 | $0.00 |
| Garden Supplies | $0.00 | $0.00 |
| Entertainment (not dining out) | $200.00 | $2,400.00 |
| Dining Out | $300.00 | $3,600.00 |
| Travel & Vacation | $166.67 | $2,000.00 |
| Pets, Pet Care and Pet Food | $25.00 | $300.00 |
| Clothing (above what's needed) | $0.00 | $0.00 |
| Internet Access | $50.00 | $600.00 |
| Computer Costs | $0.00 | $0.00 |
| Gym membership | $35.00 | $420.00 |
| Beer & Alcohol | $40.00 | $480.00 |
| Cigarettes & Tobacco | $250.00 | $3,000.00 |
| Total Discretionary Expenses | $2,231.67 | $26,780.00 |

[10] Statistics Canada, CANSIM Table 202-0603
[11] Statistics Canada, CANSIM Table 203-0001

Based on this budget, Jose and Maria have a net deficit of $1,131.98 per month. Of course, spending patterns and expenses differ with each client; however, in this example two potential futures emerge. If the clients continue with their spending habits as illustrated, they may go further into debt. In an economy where housing prices increase, they may be able to refinance their home in the future and reduce their expenses. However, in an economy where housing prices remain flat or decrease, this is no longer an option and these clients may continue to run up their debt to unmanageable levels, resulting in some or all of the accompanying problems faced by families in financial difficulty.

By completing a budget, they have the knowledge to make an informed decision on this mortgage, and if they decide to purchase this home they may decide to curb some of their spending habits and prevent either of those potential futures.

Show your work: documenting that a mortgage is suitable for your client [12]

As a mortgage agent or broker, are you confident that your clients are getting the right mortgage and you have the documentation to prove it?

Recently, FSRA reviewed the borrower side of 63 private mortgage transactions and found that agents and brokers are not always appropriately documenting suitability assessments. These practices are inconsistent with the spirit of consumer protection expressed in regulatory requirements.

FSRA observed processes at brokerages which helped agents and brokers collect information which informed suitability assessments. However, these processes did not necessarily help document the rationale for product recommendations. If a process is not documented, licensees cannot demonstrate compliance. We believe agents and brokers can and must do better.

Observations

• Our examinations showed that most brokerages have processes in place to assist their brokers/agents in collecting information relevant to a suitability assessment, including:
  • mandatory mortgage application completion/record
  • completing know your client forms
  • discussing consumers’ financial plans
  • matching consumers’ data with available products using industry software
  • added disclosures and/or initials required next to specific disclosure items

In speaking with agents and brokers, seeing the rationale for recommended products was relatively clearer for borrowers who qualified for mortgages from financial institutions (e.g., banks, credit unions). However, it becomes more difficult to piece together the rationale for transactions involving private mortgages.

Context

FSRA continues to supervise private mortgages. In 2022, we examined specific brokerages and reviewed a sample of 63 mortgage transactions. O. Reg. 188/08 s. 24 requires brokerages to take reasonable steps to ensure mortgages or mortgage investments presented to clients are suitable.

Records are crucial

Record keeping is required under the Mortgage Brokerages, Lenders and Administrators Act, 2006 (MBLAA); records also help agents and brokers evaluate a transaction’s compliance. Records include emails, discussion notes, completed forms, documents and so on.

[12] FSRA, https://www.fsrao.ca/industry/mortgage-brokering/regulatory-framework/supervision/show-your-workdocumenting-mortgage-suitable-your-client


Without records, it is difficult, if not impossible, to re-create suitability assessments and subsequent product recommendations. Moreover, inadequate documentation may lead borrowers to question whether their recommended product meets their needs. Service quality might also come into question once the “pressure to close” is gone. Worse still, borrowers may file complaints or start legal action against their agent or broker for perceived or real inadequacies.

On the other hand, accurate and complete records help improve borrowers’ relationships with their mortgage professionals. Documentation helps agents and brokers demonstrate in a transparent manner why a given product was recommended to a client. Moreover, documentation helps with any insurance and legal proceedings.

For principal brokers (and compliance departments where applicable) the suitability assessment process and rationale documentation provide a base from which to assess a broker/agent’s actions. These documents offer an objective measure for principal brokers to review when taking steps to ensure the compliance of the brokerage’s authorized staff with MBLAA and the brokerage’s policies and procedures. Reviewing the suitability assessment process and rationale provides principal brokers valuable insights into the competence of their brokers and agents and highlights areas that may need further training.

FSRA encourages agents and brokers to effectively document their rationale for recommending products. Apart from collecting relevant information from consumers, licensees must show how that information was used to inform recommendations. Think of it this way: if your principal broker was to review your file, would they be satisfied with your documentation?

2.7 Mortgage Suitability: Investor/Lender

Consumer protection is the underlying theme of the MBLAA and its Regulations. Suitability deals with the appropriateness of a transaction in regard to the investor/lender’s needs and circumstances. The underlying belief that a client knows what is in their best interests and what they can afford is no longer an acceptable assumption.

Section 24.1 of Regulation 188/08, Mortgage Brokerages: Standards of Practice, states that, “A brokerage shall take reasonable steps to ensure that any mortgage or investment in a mortgage that it presents for the consideration of a borrower, lender or investor, as the case may be, is suitable for the borrower, lender or investor having regard to the needs and circumstances of the borrower, lender or investor.”

Furthermore, in its October 24, 2008, webinar, the regulator clearly stated that it will respond to all complaints by borrowers, lenders, and investors regarding the suitability of a transaction, and that it will be the brokerage’s responsibility to prove that the mortgage or investment was suitable, putting the burden of proof for disclosure and suitability on the brokerage and its principal broker. This requirement clearly necessitates the need for the brokerage and its principal broker to have the proper policies and procedures in place for its brokers and agents to determine if those suitability requirements are met in every transaction.

In addition to ensuring that the transaction is suitable, the question that a brokerage must be able to answer for every transaction is, “Does the completed mortgage file contain the requisite proof to convince a reasonable person that this transaction was suitable for the parties involved?” The rationale behind this question is that if FSRA were to view the mortgage file six months or a year after its completion, without having the broker or agent to interview, would FSRA’s auditor (the “reasonable person” at this stage) be able to determine, based on the documented evidence contained within the file, that it was suitable for the borrower, lender and/or investor? Even if FSRA’s auditor had access to the broker or agent who brokered the transaction, would they be able to remember the circumstances of that particular file with enough certainty to be able to prove that the transaction was suitable? The answer to the latter question is most likely no, and should be irrelevant if the brokerage has the proper policies and procedures in place that ensure documentary evidence of suitability is in every completed mortgage file.

Before being able to determine if a product is, for example, suitable for an investor/lender, the broker/agent must be able to knowledgeably assess the transaction in its entirety. This means that the broker/agent must have a complete understanding of the risks associated with each proposed investment, understand the investor/lender’s risk tolerance, and understand the potential conflicts of interest and how to disclose them.

A mortgage brokerage has a responsibility to ensure that the mortgage it is recommending to an investor/lender is suitable with regard to their needs and circumstances unless, as stated in section 24.2, Regulation 188/08, Mortgage Brokerages: Standards of Practice, the investor/lender is another brokerage or financial institution. In addition, the material risks must be disclosed in writing to the investor/lender unless the investor/lender is a member of a designated class of lenders and investors as listed in section 2 of Regulation 188/08, Mortgage Brokerages: Standards of Practice. To ensure that this responsibility is met, the brokerage should have policies and procedures in place that require all investors to complete a Know Your Client (KYC) form and ensure that this form is kept in an investor file that can be reviewed, if requested, by FSRA.

2.7.1 Knowing Your Client - Investor/Lender

The following form is an investor/lender template; however, this form is for illustrative purposes only and is not warranted to meet the requirements of the MBLAA and its Regulations.

While many brokers/agents like to keep their private investor’s information confidential to prevent others from accessing these sources of funds, the protection of the brokerage makes this policy unacceptable. If an investor files a complaint with FSRA regarding the suitability of a mortgage that they have funded, the brokerage is required to prove that the transaction was suitable for that investor. Failure to take into account the investor’s risk tolerance, needs, and circumstances will indicate that, at the very least, the brokerage did not know if the investment was suitable, and at worst, that the investment was in fact unsuitable for the investor.

Identification

To meet the KYC requirements, the brokerage must verify the identity of the investor. This should be accomplished by requiring the investor to provide photo identification in the form of a driver’s license or another document deemed acceptable by the regulator and industry. In Ontario, as in Manitoba and PEI, provincial health cards cannot be used for identification purposes.

Social insurance number cards have specific restrictions on how they may be used [13], and although an investor may be asked to provide their social insurance number card as proof of identity, this cannot be mandatory unless the brokerage is administering a mortgage on behalf of the investor and providing a T5. In this scenario, it must obtain the investor/lender’s social insurance number for income reporting purposes [14].

The original of the identification provided should be viewed by the broker/agent and a photocopy obtained and kept in the investor/lender’s file. The document number, such as the driver’s license number, should be recorded on the KYC form. If the investor/lender’s identity cannot be verified, the brokerage should have a policy in place that prohibits the broker/agent from doing business with that investor.

If the investor/lender is a corporation, the brokerage should have policies and procedures in place that require the broker/agent to obtain the corporation's certificate of corporate status; a record that has to be filed annually under provincial securities legislation; or any other record that confirms the corporation's existence. Examples of these include such other records as the corporation's published annual report signed by an independent audit firm, or a letter or a notice of assessment for the corporation from a municipal, provincial, territorial, or federal government.

If the investor/lender is not physically present and their identity cannot be verified by the broker/agent, the brokerage should have policies and procedures in place to deal with this, such as the guidelines as set out by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) for Real Estate Brokers [15].

Risk Tolerance

Risk tolerance for an investor/lender is viewed differently than that of a borrower and takes different factors into account. The securities industry has several risk assessment tools, including online quizzes and paper-based forms; however, determining an investor’s risk for mortgage investments should include understanding the investor’s income, net worth, and knowledge of mortgage investments, investment liquidity requirements, and investment objectives.

Needs and Circumstances

The brokerage must have policies and procedures in place that adequately assess the needs and circumstances of an investor/lender. Information of particular importance is anything that might impact the investor/lender’s short and long-term needs, such as the need to liquidate the investment on short notice, which is often problematic in mortgage investments. By completing a KYC form on the investor/lender and determining their needs, the brokerage can protect itself from allegations that it did not provide an investment that was suitable for the investor/lender.

[13] Office of the Privacy Commissioner of Canada, Best Practices for the use of Social Insurance Numbers in the private sector, https://www.priv.gc.ca/en/privacy-topics/sins-and-drivers-licences/social-insurancenumbers/02_05_d_21/
[14] Ibid
[15] FINTRAC, Methods to verify the identity of persons and entities, https://www.fintrac-canafe.gc.ca/guidancedirectives/client-clientele/Guide11/11-eng


Exit Strategy

Common exit strategies include being paid out at the end of the term, selling the mortgage to another investor, or, if the borrower has been making regular payments and principal repayment isn’t required, renewing. Those are the exit strategies that everyone expects to occur. However, if the borrower goes into default and these exit strategies are no longer options, does the investor/lender have the requisite knowledge to collect? If not, that is a risk that can be mitigated by having the mortgage administered.

Sample Know Your Client Form (KYC)

Figure 2 – Sample Know Your Client Form for Investors

CLIENT INFORMATION FORM – INVESTOR/LENDER

Our brokerage is dedicated to ensuring that we provide you with suitable investments based on your needs and circumstances. To meet this objective and fulfill the suitability requirements as dictated by law, we require the following information. We are dedicated to the protection of our investors and this information is considered personal and confidential and will only be used to meet the objectives as provided and as required by law.

INVESTOR INFORMATION

Name (First, Middle Initial, Last):
DOB (MM/DD/YYYY):
SIN:
ID TYPE AND # (Attach all corporate documentation when necessary):
  I have viewed the original
  I have attached a clear and legible photocopy
  I have not physically met the investor/lender and cannot confirm identity

Contact Information
Tel:
Cell:
Email:
Present Address:                No. of Years:
Previous Address:               No. of Years:

KNOW YOUR CLIENT INFORMATION

Approximate Income: Under $25,000 / $25,000 - $49,999 / $50,000 - $74,999 / $75,000 - $99,999 / $100,000 - $124,999 / $125,000 - $200,000 / Over $200,000

Approximate Net Worth: Under $25,000 / $25,000 - $49,999 / $50,000 - $74,999 / $75,000 - $99,000 / $100,000 - $124,900 / $125,000 - $200,000 / Over $200,000

Mortgage Knowledge: Sophisticated / Good / Fair / Novice

Objectives: Safety / Income / Balance / Growth / Aggressive

Liquidity Requirement: 1 – 3 years / 3 – 5 years / 5 – 10 years / 11 – 20 years / 20+ years

Risk Tolerance Scale
Choose the number that best reflects your level of risk tolerance.
1 LOW   2   3   4 MEDIUM   5   6 MEDIUM HIGH   7   8   9 HIGH

1. Do you need all of your invested money back in the next year or two?
   Yes / No

2. Your financial stability is important when determining how much risk you can tolerate in your investments. Do you feel that your current financial situation is:
   1. Very secure
   2. Relatively secure
   3. Secure
   4. Somewhat secure
   5. Not secure

3. Your age is:
   Under 30 / 30 to 42 / 43 to 54 / 55 to 64 / Over 64

4. Which statement best describes your preferred approach to investing?
   I would rather accept a lower rate of return to reduce my risk.
   I would like to achieve a high rate of return and am willing to accept a greater degree of risk

Certification

By signing below you certify that the information in this form is accurate and will be considered current unless we are notified otherwise. We are compliant with current PIPEDA legislation and our “Privacy Policy” can be viewed on our website at www.Samplemortgagesinc.ca/PrivayPolicy.html. Personal information will be held in the strictest of confidence and only released to third parties to fulfill our obligations to you or to comply with regulatory requirements or when required to do so by law.

_____________________________________          ____________________________
Client Signature:                              Date:

_____________________________________          ____________________________
Mortgage Agent/Broker                          Date

2.8 Strategies

Ensuring that your client makes an informed decision means more than providing one recommendation; it means:
1. Having documented justification for your recommendation
2. Completing a needs assessment and KYC form, where appropriate
3. Providing proper disclosure so your client can make an informed decision
4. Providing a written rationale behind your recommendation(s)
5. Obtaining written confirmation of potential consequences (i.e., risks) from your client if your recommendation is not taken
6. Taking whatever additional steps are necessary in a specific circumstance to ensure the client makes an informed decision
7. Taking whatever additional steps are necessary in a specific situation to ensure that all decisions are understood and documented
8. Ensuring that your client fully understands the information provided; FSRA has stated that it “will not consider a client's signature on a disclosure document, on its own, as sufficient proof the client was adequately informed about the mortgage and its risks”. ¹⁶

16 FSRA, Checklist for Detecting and Preventing Mortgage Fraud, https://www.fsrao.ca/media/5021/download

2.9 Appendix 1: Declaration of Compliance

Chapter 3: Relationship between the MBLAA, FSRA and Licensees

3.1 Learning Outcome

Brokers and agents comprehend their relationship with the MBLAA and FSRA.

3.2 Learning Objectives

Successful understanding of the concepts presented in this chapter will enable the learner to:
1. Analyze the principles-based aspect of the MBLAA.
2. Describe the functions that FSRA performs to administer the MBLAA.
3. Recommend actions licensees can take to stay up to date on regulatory requirements (e.g., regulation updates, FSRA guidance and/or forms).

3.3 Analyzing the principles-based aspect of the MBLAA

The MBLAA is both rules and principles-based. A principles-based approach to regulation is designed to legislate for a set of outcomes. The measures, policies, and procedures to achieve these outcomes are left to the licensed entities to determine. In this manner the legislation can be “future-proofed”: it won’t have to be amended when, for instance, industry practices change or new technology is introduced, as long as they produce the required outcomes.

For example, section 9 (5) of the MBLAA states that, “A person who has a mortgage agent’s licence shall not deal in mortgages in Ontario or trade in mortgages in Ontario except under the supervision of a mortgage broker.” This is not a detailed, prescriptive rule; rather, it is a more high-level, broadly stated principle, since the MBLAA does not prescribe how direct supervision must be performed. It is up to the brokerage to determine how best to comply with this requirement.

Continuing with agent supervision, section 40 (2) of Regulation 188/08 states, “A brokerage shall establish and implement policies and procedures providing for the adequate supervision of every broker and agent who is authorized to deal or trade in mortgages on its behalf.”

Therefore, the MBLAA states that every agent must be supervised by a broker, and Regulation 188/08 states that the brokerage must have policies and procedures in place to achieve this outcome, but how this is achieved is left up to the brokerage. This allows a brokerage to manage its business based on its own business model, as long as the outcome is compliant with the legislation’s principles. Examples of principles-based legislation can be found throughout the MBLAA and its Regulations.

3.4 How FSRA administers the MBLAA

3.4.1 About FSRA ¹⁷

The Financial Services Regulatory Authority of Ontario (FSRA) is an independent regulatory agency created to improve consumer and pension plan beneficiary protections in Ontario. FSRA was established to replace the Financial Services Commission of Ontario (FSCO) and the Deposit Insurance Corporation of Ontario (DICO). The agency is flexible, self-funded and designed to respond rapidly to an evolving commercial and consumer environment. In this capacity, FSRA will:
• Promote high standards of business conduct
• Foster a sustainable, competitive financial services sector
• Respond to market changes quickly
• Promote good administration of insurance and pension plans
• Encourage innovation

Sectors we regulate

The newly created agency protects Ontarians by regulating:
• Property and casualty insurance
• Life and health insurance
• Credit unions and caisses populaires
• Loan and trust companies
• Mortgage brokers
• Health services providers (related to auto insurance)
• Pension plan administrators
• Financial planners and advisors

As of March 31, 2023, FSRA regulated or registered:
• 290 insurance companies (296 in 2021)
• 4,516 regulated pension plans (4,991 in 2021)
• 60 credit unions and caisses populaires (61 in 2021)
• 51 loan and trust corporations (49 in 2021)
• 1,231 mortgage brokerages (1,236 in 2021)
• 2,881 mortgage brokers (2,962 in 2021)
• 14,005 mortgage agents (15,182 in 2021)
• 242 mortgage administrators (233 in 2021)
• 4,965 accident benefit service providers (5,114 in 2021)
• 68,956 insurance agents (64,126 in 2021)
• 6,838 corporate insurance agencies (6,582 in 2021)
• 1,852 insurance adjusters (1,368 in 2021)

Legislative mandate
• Regulate and generally supervise the regulated sectors
• Contribute to public confidence
• Monitor and evaluate developments and trends
• Promote public education and knowledge
• Promote transparency and disclosure of information
• Deter deceptive or fraudulent conduct, practices, and activities

17 FSRA, https://www.fsrao.ca/about-fsra

FSRA administers the MBLAA through supervision, monitoring and enforcement. The following sections are provided by FSRA.

3.4.2 FSRA mandate ¹⁸

In supervising and regulating the mortgage brokering sector, FSRA administers and enforces the MBLAA and its Regulations. FSRA aims to achieve the following statutory objects:
• Contribute to public confidence in the mortgage brokering sector;
• Monitor and evaluate trends in the mortgage brokering sector;
• Cooperate and collaborate with other regulators where appropriate;
• Promote high standards of business conduct;
• Deter deceptive or fraudulent conduct, practices, and activities in the mortgage brokering sector;
• Protect the rights and interests of consumers; and
• Foster a strong, sustainable, and innovative sector.

Principles

FSRA uses a general supervision approach to achieve its statutory objects:
• Proactive, Risk-based Approach – FSRA focuses its supervision on high-risk licensees and their activities.
• Focus on Governance – FSRA expects brokerages and administrators to have effective internal controls and supervision to promote a strong compliance culture and mindset among licensees to identify and manage risks arising from their dealings with consumers.
• Proportionate Approach to Discipline – FSRA uses a range of compliance and enforcement tools to influence marketplace behaviour. The tools used depend on, for example, the nature and extent of risks to consumers, mitigating actions taken by licensees, and past supervisory findings.

3.4.3 Approach for Promoting High Standards of Business Conduct in the Mortgage Brokering Sector ¹⁹

The Financial Services Regulatory Authority of Ontario (FSRA) protects consumers in the mortgage brokering sector by overseeing the conduct of over 15,000 licensed agents, brokers, brokerages, and administrators in Ontario. FSRA promotes high standards of business conduct in the mortgage brokering sector by:
• communicating FSRA’s expectations with licensees through meaningful, two-way conversation;
• ensuring licensees are appropriately protecting consumers and investors; and
• reviewing licensees’ level of compliance with the Mortgage Brokerages, Lenders and Administrators Act, 2006 (MBLAA) and associated regulations.

18 FSRA, https://www.fsrao.ca/industry/mortgage-brokering/regulatory-framework/guidance-mortgagebrokering/mortgage-broker-regulators-council-canada-code-conduct-mortgage-brokering-sector
19 FSRA, https://www.fsrao.ca/approach-promoting-high-standards-business-conduct-mortgage-brokering-sector


How does FSRA supervise licensed mortgage agents, brokers, brokerages, and administrators?

FSRA’s supervision activities of licensees consist of:
• Targeted reviews – limited in scope, focused on specific issue(s), may be the result of complaint-handling activities
• Comprehensive reviews – assessment of all applicable requirements under MBLAA
• Thematic reviews – reviews to assess a specific focus to understand current and/or emerging risks or trends

These reviews may be conducted at licensees’ offices or remotely.

Who can be selected for a review?

All mortgage agents, brokers, brokerages, and administrators licensed by FSRA can be selected for a review. FSRA may also conduct reviews on licensees who:
• are considered high-risk based on information collected in the Annual Information Return or through survey responses. High-risk factors include:
  o nature of their business
  o size of their business (e.g., value and number of mortgages arranged, number of brokers and agents)
  o geographical spread of their operations
• are the subject of a disproportionately high number of complaints
• are the subject of media reports

What can I expect if I’m selected for a review?

During a review, FSRA’s goal is to better understand or validate information that we have collected, in order to assess compliance and evaluate risk to consumers. If you are selected, FSRA will:
• contact and inform you that you will be subject to a review;
• provide a document request list outlining the documents and business records that should be provided to FSRA or made available for review, and the due date;
• meet with you to discuss your business practices and any issues noted; and
• at times, visit you at your office(s)

What happens after a review?

At the end of a review, FSRA will discuss our findings and you will have an opportunity to respond (e.g., provide further information confirming compliance with regulatory requirements). FSRA will formally report to you any findings that could cause consumer harm, and you will be asked to explain how you intend to address the concerns raised. While enforcement action following a review is possible, it is dependent on whether a regulatory breach is noted, as well as the seriousness of the issue.


3.4.4 Enforcement and Monitoring ²⁰

As part of our core regulatory activities to protect the public interest, FSRA undertakes a number of monitoring and enforcement activities including desk reviews, and on-site examinations, and reviews complaints in the sectors it regulates. These actions represent a first step in the enforcement process. Many matters are resolved at this stage, although some need to be investigated further and some ultimately require enforcement actions – a last step.

FSRA’s enforcement tools range from education and remediation action to regulatory intervention, which includes licence revocation, licence suspension and administrative monetary penalties. The type of enforcement applied is based on the unique circumstances of a contravention. Through our monitoring and enforcement activities, we are working to improve consumer protections in Ontario to ensure the public gets fair treatment in the sectors we regulate.

FSRA’s Enforcement Actions can be viewed at https://www.fsrao.ca/enforcement-and-monitoring/enforcement-actions

3.5 Innovation Office ²¹

In 2020, FSRA launched the Innovation Office to support you in creating strong, sustainable, and competitive innovations in the financial services sector. Since launch, FSRA has gathered information, established working relationships, and developed an Innovation Framework to guide the creation of responsible and impactful innovations in Ontario.

20 FSRA, https://www.fsrao.ca/enforcement-and-monitoring
21 FSRA, https://www.fsrao.ca/about-fsra/innovation-office

3.6 Areas of supervision focus 2022-2023 ²²

FSRA is concerned by its findings that brokers and agents were not following requirements and best practices in private mortgage brokering. In a market where the potential for consumers to turn to private lending remains high because of interest rate hikes and inflation, FSRA determined that private mortgage brokering must remain a supervision focus for 2022-2023.

FSRA also observed two more recent trends and developments that could increase consumer protection risks in this sector this year, such as:
• an increase in the number of new licensed brokers and agents in this sector who may have less experience, especially providing advice and guidance to clients in a rising rates and inflationary environment.
• higher-than-average financial vulnerability of consumers in the mortgage brokering sector.

To address these consumer risk areas, FSRA identified the following supervision areas of focus for 2022-23:
1. continued focus on ensuring private mortgages are suitable for and are understood by borrowers.
2. review conduct culture, compliance structure and principal broker’s supervision in large brokerages.
3. conduct supervisory research and compliance reviews in scenarios where financially vulnerable consumers may be more prone to misconduct or abuse.

As per the new NQSMI regime implemented in July 2021, FSRA will also examine how mortgage brokerages who broker NQSMI transactions are ensuring that they only deal with permitted clients unless they have the appropriate securities registration.

3.7 Staying up to date on Regulatory Requirements

The most effective way to stay up to date on regulatory requirements is to get the information directly from FSRA as it is updated. This can be done by:
• Subscribing to FSRA’s mailing list: http://fsrao.ca/subscribe-our-mailing-list
• Viewing FSRA publications: http://fsrao.ca/industry/mortgage-brokering/publications
• Viewing Eblasts: http://fsrao.ca/industry/mortgage-brokering/eblasts-mortgage-brokeringsector
• Viewing FSRA’s newsroom: http://fsrao.ca/newsroom
• Following FSRA on Facebook at https://www.facebook.com/FSRAOnt and Twitter at https://twitter.com/FSRA_News or LinkedIn at https://www.linkedin.com/company/financialservices-regulatory-authority-of-ontario/life/

22 FSRA, https://www.fsrao.ca/industry/mortgage-brokering/regulatory-framework/supervision/mortgagebrokering-sector-supervision-plan-2022-23

Chapter 4: Reporting and Record-keeping Requirements

4.1 Learning Outcome

Licensees maintain appropriate records and report required items to FSRA on a timely basis.

4.2 Learning Objectives

Successful understanding of the concepts presented in this chapter will enable the learner to:
1. Create a checklist of the items (including timeframe) that must be reported by mortgage agents, brokers, brokerages, and administrators to FSRA.
2. Explain the rationale for each of the reporting requirements.
3. Describe the record-keeping requirements.

4.3 Checklist for Reporting Requirements

Regulation 193/08: Reporting Requirements for Licensees mandates specific reporting requirements for licensees, and the penalties for failing to comply with those requirements.

Penalty amounts that may be imposed for brokerages and mortgage administrators:
• $1,000 for each failure to comply with section 2, 3, 4 or 13.
• $500 for each failure to comply with any other provision of this Regulation.

Penalty amounts that may be imposed for brokers and agents:
• $250 for failure to comply with section 6, 7 or 12.

4.3.1 Reporting Requirements for Licensees

| Reporting Requirement | Licensee | Timing | Penalty: Brokerage/Administrator | Penalty: Broker/Agent |
|---|---|---|---|---|
| 1. Annual Information Return (AIR) | Brokerage or Administrator | On or before March 31 of every year | $1,000 | N/A |
| 2. Audited financial statements, Auditor’s report and Auditor’s report on trust account, assets, and liabilities under administration | Administrator | Within 90 days of fiscal year end | $1,000 | N/A |
| 3. If a trust account is required | Brokerage or Administrator | Within 5 days after the brokerage is required to establish this account | $1,000 | N/A |
| 4. Location of records, if other than principal place of business in Ontario | Brokerage or Administrator | As necessary | $500 | N/A |
| 5. Change of mailing address for service | ALL | Within 5 days after the change | $500 | $250 |
| 6. Change of other contact information (email, phone, fax) | ALL | Within 5 days after the change | $500 | $250 |
| 7. Change of principal place of business | Brokerage or Administrator | Within 5 days after the change | $500 | N/A |
| 8. Change of offices open to the public | Brokerage or Administrator | Within 5 days after the change | $500 | N/A |
| 9. Change of director, officer, partner | Corporation or Partnership | Within 5 days after the change | $500 | N/A |
| 10. Change of principal broker | Brokerage | Within 5 days after the change | $500 | N/A |
| 11. Change of authority to act on behalf of brokerage – reported by brokerage | Brokerage | Within 5 days after the change | $500 | N/A |
| 12. Change of authority to act on behalf of brokerage – reported by Broker/Agent | Agent or Broker | Within 5 days after the change | N/A | $250 |
| 13. Change re insurance coverage | Brokerage or Administrator | Immediately | $1,000 | N/A |
| 14. Change re financial guarantee, mortgage administrator | Administrator | Immediately | $500 | N/A |
| 15. Shortfall in a trust account | Brokerage, Administrator | Immediately | | |

4.4 Rationale of each Reporting Requirement

As previously stated, in supervising and regulating the mortgage brokering sector, FSRA administers and enforces the MBLAA and its Regulations. FSRA aims to achieve the following statutory objects: ²³
• Contribute to public confidence in the mortgage brokering sector;
• Monitor and evaluate trends in the mortgage brokering sector;
• Cooperate and collaborate with other regulators where appropriate;
• Promote high standards of business conduct;
• Deter deceptive or fraudulent conduct, practices, and activities in the mortgage brokering sector;
• Protect the rights and interests of consumers; and
• Foster a strong, sustainable, and innovative sector.

To achieve these goals, FSRA has developed specific reporting requirements, as detailed in section 4.2. The rationale of each reporting requirement is discussed below:

1. Annual Information Return (AIR)

The AIR is designed to collect information about business practices, internal controls, and market conditions for the previous calendar year. The information is used to assist FSRA in its risk assessment and oversight of mortgage brokerages and administrators. The AIR Reports published by FSRA also allow the industry to obtain an overview of the mortgage brokering sector. ²⁴

2. Audited financial statements, Auditor’s report and Auditor’s report on trust account, assets and liabilities under administration

Within 90 days after the end of every fiscal year, every mortgage administrator shall give FSRA:
• a copy of its audited financial statements for the year;
• a copy of a report by the auditor about the books, records, and accounts of the mortgage administrator for the year, in a form approved by the Chief Executive Officer; and
• a copy of a report by the auditor about the mortgage administrator’s trust account and the assets and liabilities under administration for the year, in a form approved by the Chief Executive Officer.
• The financial statements must be prepared in accordance with generally accepted accounting principles as set out in the Handbook of the Canadian Institute of Chartered Accountants and must be audited by a licensed public accountant.
• The reports for a fiscal year must be prepared by the same person who audits the financial statements for the year.

3. If a trust account is required

Trust accounts allow the mortgage brokerage or mortgage administrator, as the case may be, to manage the money of a third party. If a brokerage or administrator is doing so, they are required to have a trust account and must notify FSRA so that FSRA can ensure that the MBLAA’s requirements of having a trust account are being met.

4. Location of records, and other updates

The following must be reported to FSRA.
• Change of mailing address for service
• Change of other contact information (email, phone, fax)
• Change of principal place of business
• Change of offices open to the public
• Change of director, officer, partner
• Change of principal broker
• Change of authority to act on behalf of brokerage – reported by brokerage
• Change of authority to act on behalf of brokerage – reported by Broker/Agent
• Change re insurance coverage
• Change re financial guarantee, mortgage administrator

This information is designed to ensure that:
• FSRA can communicate with the brokerage and its licensees
• The brokerage is meeting its regulatory requirements for licensing
• FSRA can maintain its public database of licensees
• Those authorized or unauthorized to act on behalf of a brokerage are properly identified
• The brokerage has adequate insurance to meet its regulatory requirements
• The administrator has the appropriate financial resources in place

How to Review and Update Your Contact Information

1. Go to Licensing Link at http://mbsweblist.fsco.gov.on.ca/agents.aspxv
2. On the log in page, enter your last name or licence number, and then click on the "Search" button.
3. You should now see a new web page that shows your licence number, name, and city. Click on your licence number.
4. You should now see your mortgage broker or agent licence profile. Click on the button called "Update contact information (email, address, telephone…)".
5. Read the instructions that are provided. Click on the "I agree" button.
6. Enter your PIN and click on the "Continue" button.
7. Review and update your contact information. Click on the "Save address changes" button.

23 FSRA, https://www.fsrao.ca/industry/mortgage-brokering/regulatory-framework/guidance-mortgagebrokering/mortgage-broker-regulators-council-canada-code-conduct-mortgage-brokering-sector
24 FSRA, https://www.fsrao.ca/industry/mortgage-brokering/annual-information-returns

4.5 Record-keeping Requirements ²⁵

To ensure that consumers are protected and that FSRA may conduct its regulatory oversight of the industry, brokerages must comply with the following requirements:

Maintain complete and accurate records of:
• Financial records for all mortgage brokering activities in Ontario. (Financial records must distinguish between deemed trust funds and other assets).
• Every mortgage application, instrument and renewal agreement that is received or arranged.
• Mortgage Brokerage agreements on dealing/trading in mortgages and mortgage lending.
• All documents and written information given to and received from clients and prospective clients.

Take adequate precautions to guard against falsification of records or improper access to clients’ personal information.

Retain all records that the Mortgage Brokerage is required to maintain for at least six years:
• After the maturity or expiry of mortgage agreements and mortgage renewals.
• After completion or other expiry of a purchase, sale, or trade of a mortgage.

Store all records at your main office. Inform FSRA if you are storing your records in a different location. Electronic records do not need to be stored at your main office as long as they can be quickly retrieved.

These requirements are clearly listed in sections 46 and 47 of O. Reg. 188/08: MORTGAGE BROKERAGES: STANDARDS OF PRACTICE.

25 FSRA, Compliance Checklist for Managing the Mortgage Brokerage, https://www.fsrao.ca/media/4566/download

Chapter 5: Role of the Principal Broker

5.1 Learning Outcome

Agents and brokers comprehend the importance of the role of the Principal Broker.

5.2 Learning Objectives

Successful understanding of the concepts presented in this chapter will enable the learner to:
1. Describe the duties and responsibilities of the Principal Broker, including references to the relevant provisions in the MBLAA and its Regulations.
2. Describe the purpose of each element that should be included in a brokerage’s policies and procedures.
3. Recommend actions agents (and brokers) can take to stay up to date on their brokerage’s policies and procedures.

5.3 Duties and Responsibilities of the Principal Broker

Regulation 410/07 Principal Brokers: Eligibility, Powers and Duties clearly lists the Principal Broker’s responsibilities.

Duty re compliance
2. (1) The Principal Broker of a brokerage shall take reasonable steps to ensure that the brokerage, and each broker and agent authorized to deal or trade in mortgages on its behalf, complies with every requirement established under the Act. O. Reg. 410/07, s. 2 (1).
(2) The Principal Broker shall ensure that the brokerage takes reasonable steps to deal with any contravention of a requirement established under the Act by the brokerage or by a broker or agent authorized to deal or trade in mortgages on its behalf. O. Reg. 410/07, s. 2 (2).

Duty re policies and procedures
3. (1) The Principal Broker of a brokerage shall review the policies and procedures of the brokerage to determine whether they are reasonably designed to ensure,
   (a) that the brokerage, and each broker and agent authorized to deal or trade in mortgages on its behalf, comply with every requirement established under the Act; and
   (b) that each broker and agent authorized to deal or trade in mortgages on behalf of the brokerage is adequately supervised. O. Reg. 410/07, s. 3 (1).
(2) The Principal Broker shall recommend to the brokerage that it make changes in its policies and procedures, if necessary, to ensure that the standards described in clauses (1) (a) and (b) are achieved. O. Reg. 410/07, s. 3 (2).

Duty re trust statement
5. The Principal Broker of a brokerage shall sign and date any trust account reconciliation statement prepared by the brokerage to indicate that they have reviewed it and certifies that it is accurate. O. Reg. 410/07, s. 4.

5.4 Policies and Procedures: Required Elements & Purpose

Very simply, the Principal Broker is responsible for the policies and procedures for determining if an agent or broker is hired, and once hired, how those agents and brokers do business within the brokerage. These policies and procedures have a direct impact on every mortgage agent and broker who is licensed under the brokerage. These include:
1. Hiring requirements: to ensure processes are in place to hire suitable candidates
2. Insurance policies: to ensure the brokerage has the appropriate E and O, as well as any other necessary insurance
3. Performance review policies: to ensure processes are in place to adequately supervise agents and brokers
4. Training policies and procedures: to provide training to correct non-compliant activities as required and update agents and brokers on current compliance standards/best practices, etc.
5. Supervision of brokers/agents policies: to ensure those responsible for the supervision of agents and brokers have clear direction on what is required
6. Privacy policy and procedures: to ensure privacy legislation is adhered to
7. Investor/lender suitability policies: to ensure compliance
8. Borrower, investor and lender disclosure policies and procedures: to ensure compliance; the brokerage is responsible for ensuring that all borrowers, investors, and lenders receive the correct disclosure. For example, section 31. (1) of Regulation 188/08: Mortgage Brokerages: Standards of Practice, states that, “A brokerage shall give each lender or investor the following information and documents with respect to a mortgage or a trade in a mortgage that the brokerage presents for the consideration of the lender or investor: A completed disclosure form, in a form approved by the Chief Executive Officer, signed by a broker.”
9. Conflict of interest policies: to ensure compliance
10. Identification verification policies: to prevent fraud
11. Fraud detection and prevention policies: to prevent fraud
12. Trust fund policies: to ensure compliance
13. Consumer complaints procedures: to provide a complaints process that is compliant
14. File submission policies: to ensure transactions are compliant
15. Public relations (includes advertising, marketing, etc.) policies and procedures: to ensure compliance
16. Company regulatory reporting requirements policies: to ensure compliance
17. Accounting policies and procedures: to ensure the brokerage has clear direction and safeguards in place
18. Credit report policies: to ensure credit reports are obtained legally and with appropriate documentation
19. Required documents policies: to ensure compliance
20. Document retention policies: to ensure compliance
21. Compliance manual review policies: to ensure compliance policies and procedures are current

5.5 Policies and Procedures: Staying up to date

The Principal Broker must ensure that all employees, brokers, and agents are aware that the brokerage is committed to the successful implementation, enforcement and maintenance of its Policies and Procedures program. This can be achieved through:
1. Communicating the importance of the brokerage’s policies and procedures
2. Mandatory ongoing training
3. Internal communications/updates
4. Mandatory reviews of the business practices of agents and brokers
5. Annual performance reviews

It is the responsibility of the Principal Broker as well as the brokerage’s agents and brokers to ensure that they are up to date on all of the brokerage’s policies and procedures.

Chapter 6: Cybersecurity

6.1 Learning Outcome

Brokers and agents understand and apply best practices, as appropriate, in their daily operations to protect against cyber-attacks and prevent harm to clients’ interests.

6.2 Learning Objectives

Successful understanding of the concepts presented in this chapter will enable the learner to:

1. Define cybersecurity.
2. Explain the purpose of cybersecurity and how it reduces consumer harm.
3. Describe the potential effects of a cybersecurity breach on the brokerage, mortgage agent, and mortgage brokers.
4. Describe where licensees can learn about the cybersecurity policies and procedures at their brokerage.
5. Describe the key areas that should be included in a brokerage’s policies and procedures.
6. Describe who is responsible for the review of the cybersecurity policies and procedures in a brokerage.
7. Describe what licensees should do to ensure they meet all their brokerage’s requirements for cyber security preparedness.
8. Describe why a brokerage should notify FSRA of a material cybersecurity incident.
9. Describe the mortgage brokerage processes to notify FSRA of any material cybersecurity incident they experience.
10. Discuss the requirements for mortgage brokerages, mortgage agents and brokers to be transparent with FSRA regarding material cybersecurity incidents.
11. Discuss the expectation that mortgage brokerages, mortgage agents and brokers will assist FSRA in identifying high risk areas that can help prevent future incidents in a timely manner.
12. Describe FSRA’s Market Conduct Protocol for Cybersecurity including the information that the regulator would ask for in the event of a cybersecurity event.

6.3 Cybersecurity – An Overview

6.3.1 What is Cybersecurity?

Cybersecurity refers to the body of technologies, processes, and practices designed to protect computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. It involves implementing measures to prevent unauthorized access, use, disclosure, disruption, modification, or destruction of information. The main aim of cybersecurity is to provide a safe environment for computers, servers, and networks to operate while ensuring the confidentiality, integrity, and availability of data.

6.3.2 Why is Cybersecurity Necessary?

Cybersecurity is necessary due to the increasing reliance of organizations on networked technologies for their operations. As these technologies are used, they can become targets for cybercriminals, leading to
potentially costly cybersecurity incidents. These incidents can affect organizations of all types and sizes, including universities, hospitals, schools, and businesses. A cybersecurity breach can have numerous detrimental effects on an organization. Some of the most common and obvious ones include a loss of business, damage to the organization's reputation, and potential legal liability. However, there can also be less obvious consequences that can be just as damaging. For example, a cybersecurity incident could cause a company's stock market price to fall, disrupt agreements with third parties, or even lead to the unintended disclosure of trade secrets. Moreover, extensive media coverage and scrutiny of the cyber incident can worsen the situation, leading to a decrease in employee morale and customer satisfaction, and negatively impacting the organization's goodwill. A well-managed communication strategy can help mitigate some of this negativity. In addition, a cybersecurity incident that results in a data breach can compromise the personal information of customers, employees, or other individuals. This can lead to severe consequences for the individuals whose information is compromised, including financial loss, mental anguish, or embarrassment. Organizations may also face negative reputational costs, loss of trust in the business, and potentially costly lawsuits, such as class actions. In addition to protecting against external threats, cybersecurity measures also help monitor insider threats. This includes applying technical controls and fostering a culture of inclusiveness to ensure employees are trained to recognize cyber threats. Furthermore, in today's Information Age, the value of organizations is often determined by the information they store and process. This makes cybersecurity one of the top risks to organizations, and it is essential to evaluate these risks and take meaningful actions to address them. 
Lastly, cybersecurity measures also include ensuring the physical security of computer systems, protecting against damages caused by employees' errors, natural disasters, or power outages.

6.3.3 Cybersecurity responses – 2021 Annual information return

According to Statistics Canada, businesses within the Finance and insurance and Real estate and rental and leasing industries experienced an increase in cybersecurity incidents of 9.5 per cent and 6.7 per cent, respectively, between 2019 and 2020. 26

Cybersecurity questions and responses

In the 2021 Annual Information Return (AIR), FSRA asked licensed mortgage brokerages and administrators two general questions pertaining to cybersecurity:

• Does the brokerage/administrator have cybersecurity Policies and Procedures in place?
• Does the brokerage have cybersecurity insurance?

74.6 per cent of brokerages and 57.7 per cent of administrators reported having written policies and procedures to address cybersecurity. When compared to Canadian businesses in general, 18% of businesses had written policies in place to manage cybersecurity risks or to report cybersecurity incidents in 2019. 27

42.4 per cent of brokerages and 85.4 per cent of administrators reported having cybersecurity insurance in their 2021 AIR. In comparison to business in general, 17 per cent of Canadian businesses reported having insurance policies to protect against cybersecurity risks and threats. 28

When looking at the two questions in conjunction, 77.3 per cent of brokerages and 87.8 per cent of administrators reported having policies and procedures to address cybersecurity and/or cybersecurity insurance coverage.

26 Statistics Canada, https://www150.statcan.gc.ca/t1/tbl1/en/tv.action?pid=3310035801

Cybersecurity incidents

In 2021, four mortgage brokerages reported a cybersecurity incident where a data breach occurred. Two of these brokerages had production volumes over $1 billion each and indicated that they had over 1,000 clients in their respective databases. The incidents included compromised agent e-mail accounts resulting in spam being sent and attempts to access systems and manipulate the funding of a mortgage.

It is important to recognize that cyber threats are a growing risk for everyone, including the mortgage brokering sector. Managing this risk proactively helps protect against attacks that seek to compromise or steal electronic information. Cybersecurity incidents happen to businesses of all sizes. Should a security event occur, it could pose reputational risk or temporarily impact the ability to conduct business if systems are compromised.

27 Statistics Canada, https://www.statcan.gc.ca/o1/en/plus/514-cybersecurity-risks-impact-canadian-businesses
28 Ibid

Figure 3 - Mortgage Brokerage Cybersecurity Policies & Procedures and Insurance Coverage

Figure 4 - Mortgage Administrator Cybersecurity Policies & Procedures and Insurance Coverage

Figure 5 - Mortgage Brokerage - AIR Cybersecurity Responses

Figure 6 - Mortgage Administrator - AIR Cybersecurity Responses

6.4 Types of Threats

Cyber threats come in different forms, threatening different aspects of a business. Here are a few examples of the many types of cyber threats that exist. The landscape of cyber threats is constantly evolving as new technologies emerge and cybercriminals find innovative ways to breach systems and steal data.

6.4.1 Malware

This is a general term for malicious software, including viruses, worms, trojans, and ransomware. Malware is often used to damage or disrupt systems, steal sensitive data, or gain unauthorized access to networks.

Ransomware is a type of malicious software, or malware, that encrypts a victim's files. The attacker then demands a ransom from the victim to restore access to the data upon payment. Users are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals typically in Bitcoin.

There are two types of ransomware in circulation:

• Encrypting ransomware, which incorporates advanced encryption algorithms. It's designed to block system files and demand payment to provide the victim with the key that can decrypt the blocked content. Examples include CryptoLocker, Locky, CryptoWall, and more.
• Locker ransomware, which locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer. Examples include the police-themed ransomware or Winlocker.

Another version of ransomware is Master Boot Record (MBR) ransomware. The MBR is the section of a PC’s hard drive which enables the operating system to boot up. When MBR ransomware strikes, the boot process can't complete as usual, and prompts a ransom note to be displayed on the screen. Examples include Satana and Petya ransomware.

Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile ransomware attack, the "WannaCry worm", traveled automatically between computers without user interaction.

Due to the lucrative nature of ransom demands, ransomware attacks have become increasingly common in the cybercrime world and pose a significant risk to businesses and individuals alike.

Example

The following is a recent article on ransomware by Christine Dobby, Business Reporter for the Toronto Star, that highlights some of the serious threats posed by ransomware.

The high cost of cyberattacks. Report finds most firms hit by ransomware pay up — and the price has risen dramatically 29

Indigo refused to pay when a ransomware attack took down its e-commerce platform — losing millions in the process.

29 Toronto Star, https://www.thestar.com/business/2023/07/04/the-high-cost-of-cyber-attacks-report-finds-mostfirms-hit-by-ransomware-pay-up-and-the-price-has-risen-dramatically.html

By Christine Dobby, Business Reporter
Tue., July 4, 2023

Indigo Books & Music is still tallying up the staggering costs of a ransomware attack that temporarily took down its e-commerce platform, left it unable to process payments in its retail stores for three days, and knocked its website offline for about a month earlier this year.

The retailer lost $42.5 million in its most recent quarter, $19 million more than it lost in the same period last year, and said last week that while it doesn’t have an exact figure, the majority of that expanded loss was because of the cyberattack.

Indigo refused to pay a ransom to the criminals who used a type of software called LockBit to illegally tap into its network, saying it could not be “assured that any ransom payment would not end up in the hands of terrorists or others on sanctions lists.”

But according to a new report from the law firm Blakes, the majority of Canadian companies hit by ransomware attacks do pay up — and those ransoms now cost businesses far more than in years past.

Ransomware attacks occur when hackers use malware to break into companies’ IT systems, lock up or steal information and then demand a ransom payment for its return.

In the fourth edition of an annual report on cybersecurity trends, Blakes said it found that in 2022, two thirds of firms hit by ransomware attacks ultimately paid, up from 56 per cent in 2021. The median ransom paid was $546,000, a steep increase from $100,000 two years earlier.

“The threat actors — the bad guys — are getting to be quite sophisticated in their attacks,” said Sunny Handa, a partner at Blakes who leads the firm’s technology practice. “They are taking a lot of data, they are targeting sensitive data and they are publishing that data … they’re (also) hunting down the backups and they’re destroying backup systems.”

Handa, who acts as “breach counsel,” advising clients on how to respond to cyberattacks, said that once hackers have encrypted a business’s networks, “you basically can’t run your company anymore.”

Cyberattacks on firms has become an industry

“So, that is also pushing people to pay the ransom, because otherwise they will lose days, weeks, months of operations.”

The dollar value of the ransoms is ever increasing, he says, in part because it’s become an industry. “(The hackers are) investing a lot more and they’re realizing that there’s a market here where people will pay so they’re asking for more.”

Blakes bases its report on cyberattacks that are disclosed by publicly traded companies on the Toronto Stock Exchange, as well as the information of its own clients, citing the “large number of breaches that were handled by the Blakes cybersecurity team.” It tracked breaches from Sept. 1, 2021 to Dec. 31, 2022. Handa said the report does not represent every data breach in Canada but is meant to reflect trends in the space.


It’s unclear exactly how many incidents there are each year — many companies never disclose cyberattacks — but he puts the figure at somewhere in the thousands. The financial hit companies take when facing a data breach is not limited to paying ransoms, Handa said. First there are the “hard costs” of paying someone like himself as well as a forensic team and communications professionals. Then there are the “opportunity costs” of lost business and the public relations hit your company might take. In Indigo’s disclosures last week, it said it spent $5.2 million on costs to respond to the ransomware attack, including legal and professional fees, “data remediation costs, hardware and software restoration and incremental inventory scrap,” among other things. On top of that, the company said the attack meant it wasn’t able to process sales and also caused significant operational disruptions. Indigo said it has cyber insurance coverage and is working with its insurer to make claims under the policy but expects a time lag between the costs it has incurred and any insurance proceeds it will receive. Last week, Calgary-based Suncor was hit by a cyberattack that the company said is likely to cost it millions of dollars. Canada’s electronic spy agency, the Communications Security Establishment, also revealed last week in its annual report that it blocked 2.3 trillion “malicious actions” against the federal government over the last fiscal year.

6.4.2 Phishing

Phishing is a type of cyber attack that involves fraudulent attempts to obtain sensitive information such as usernames, passwords, credit card numbers, and other personal details by disguising as a trustworthy entity in an electronic communication. This is usually done through email spoofing or instant messaging, and it often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.

Phishing is one of the oldest types of cyberattacks, dating back to the 1990s, and it remains one of the most widespread and pernicious. There are several different types of phishing attacks, including:

• Spear Phishing: These attacks are personalized to their victims. Because of this personal level, they can be more difficult to recognize as phishing attempts.
• Whaling: This is a type of phishing attack that targets high-profile employees, such as the CEO or CFO, in order to steal sensitive information from a company, as these high-profile individuals have access to a great deal of sensitive company information.
• Smishing and Vishing: Smishing is a type of phishing attack where text messages are sent to users. Vishing, on the other hand, is a type of phishing attack that is conducted by phone.
• Pharming: This type of phishing attack automatically directs users to a fraudulent website.

Phishing attacks can lead to serious consequences such as financial losses, identity theft, and data loss. It's important for individuals and organizations to be aware of phishing techniques and to implement measures to prevent such attacks.


Example

Imagine you receive an email that appears to come from your bank. The email might have the bank's logo, official-looking text, and even an email address that looks legitimate at first glance. The email informs you that your account has been compromised and that you need to verify your account immediately to protect your funds. The email includes a link to what appears to be your bank's website, where you're asked to log in with your username and password. However, the website is actually a fake created by the attacker, and when you enter your login details, they're sent directly to the attacker.

This is a classic example of a phishing attack. The attacker has used a deceptive email and a fake website to trick you into revealing your login details. With this information, the attacker can now access your real bank account.

It's important to note that a legitimate bank would never ask you to verify your account details via email. If you receive an email like this and you're unsure whether it's legitimate, you should contact your bank directly using the contact information provided on their official website or on the back of your bank card. Never click on the link provided in the email.

6.4.3 Man-in-the-Middle (MitM) Attacks

A Man-in-the-Middle (MitM) attack is a type of cyber attack where the attacker secretly intercepts and potentially alters the communication between two parties who believe they are directly communicating with each other.

In a MitM attack, the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker might inject new messages, modify the content of existing ones, or even reroute the communication to a different endpoint entirely. This allows the attacker to eavesdrop on the communication, steal sensitive information, or deliver malicious payloads.

Here are a few types of MitM attacks:

• IP Spoofing: The attacker alters packet headers by using a forged IP address to trick the recipient into thinking the packet came from a trusted source.
• Email Hijacking: Attackers gain access to a user's email account and monitor transactions between the user and a financial institution or other entity to gather information they can use for fraudulent activities.
• Wi-Fi Eavesdropping: Attackers set up Wi-Fi connections with very legitimate sounding names, often in public places. When a user connects to the attacker's network, the attacker gains full access to the user's sensitive information.
• HTTPS Spoofing: The attacker sets up a phishing site that looks exactly like the original, but with a different URL. The attacker then tricks the victim into clicking the link to the fraudulent site, resulting in the attacker gaining access to the victim's sensitive information.


MitM attacks can be very effective and dangerous because they give the attacker the ability to capture and manipulate sensitive information in real-time. The key to mitigating such attacks is strong encryption, rigorous authentication protocols, and user awareness.

Example

Imagine you're at a coffee shop and you connect to the free Wi-Fi. Unbeknownst to you, a cybercriminal is also connected to the same network. The attacker has set up a fake Wi-Fi network that appears to be the coffee shop's legitimate network. When you connect to the fake network, the attacker can now see and intercept all the data you send over the internet, such as the websites you visit, the information you input into these websites, and even your login credentials.

This is a classic example of a MitM attack. The attacker has inserted themselves between you and the internet, and can now eavesdrop on your online activity. They can potentially steal sensitive information, such as your credit card details or social security number, or they can inject malicious content into your web traffic.

To protect yourself against MitM attacks, it's important to be cautious when using public Wi-Fi networks. Avoid accessing sensitive services, like online banking, when connected to a public network. Use a Virtual Private Network (VPN) to encrypt your internet traffic, making it much harder for an attacker to intercept your data. Also, ensure that the websites you visit use HTTPS, which also encrypts the data sent between your device and the website.

6.4.4 Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) Attacks

A Denial-of-Service (DoS) attack is a type of cyber attack in which the perpetrator seeks to make a machine, network, or service unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. This is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

In a DoS attack, an attacker uses a single Internet connection to either exploit a software vulnerability or flood a target with fake requests—usually in an attempt to exhaust server resources (e.g., bandwidth, disk space, or processor time).

There's also a variant of DoS attack known as a Distributed Denial-of-Service (DDoS) attack. In a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more. This effectively makes it impossible to stop the attack simply by blocking a single IP address, plus it's very difficult to distinguish legitimate user traffic from attack traffic when spread across so many points of origin.

The primary impact of DoS and DDoS attacks is the disruption of services, which can lead to significant financial loss and damage to a company's reputation. These attacks are common in the world of cybersecurity, and organizations often have measures in place, such as firewalls and traffic filtering, to mitigate their effects.

Example

Imagine a popular e-commerce website that gets thousands of visitors each day. One day, an attacker decides to launch a DoS attack against this website. The attacker uses a network of compromised computers, known as a botnet, to send a massive amount of traffic to the website all at once.


This flood of traffic overwhelms the website's servers. The servers can't handle the sudden increase in requests, and as a result, they slow down significantly or even crash completely. Legitimate users trying to access the website find that it's extremely slow or completely inaccessible. This is a classic example of a DoS attack. The attacker has effectively denied service to the legitimate users of the website by overwhelming the website's servers with traffic. The consequences can be significant, especially for an e-commerce website that relies on online sales. The website might lose sales during the attack, and it might also suffer damage to its reputation.

6.4.5 SQL Injection

SQL Injection is a code injection technique that attackers use to insert malicious SQL statements into input fields for execution by the underlying SQL database. This type of attack exploits vulnerabilities in a web application's database query software, and can potentially allow an attacker to view, manipulate, and delete data stored in the database.

In an SQL Injection attack, the attacker uses malicious SQL code in a user input field, or in the URL's query string, to trick the application into running unauthorized commands. If the application doesn't properly validate and sanitize the user input, the malicious SQL code is passed to the database and executed.

For example, consider a simple website login form that checks the supplied username and password against a database. An attacker might input a specially crafted username or password that alters the SQL query used to check the login details. Instead of just checking the credentials, the altered query could potentially give the attacker access to additional information in the database, or control over the entire system.

Example

Let's say there's a website with a login form that asks for a username and password. When you enter your username and password, the website creates an SQL query to check the credentials against the database. A simplified version of this query might look something like this:

    SELECT * FROM users WHERE username = '[your username]' AND password = '[your password]'

Now, imagine an attacker comes along and instead of a username, they enter the following:

    ' OR '1'='1

The SQL query now becomes:

    SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '[whatever]'

Because '1'='1' is always true, this query will return all users, effectively bypassing the username check. If the website is poorly designed and automatically logs in the first user returned by this query, the attacker will be logged in as the first user in the database, who is often the administrator.

This is a simple example of an SQL Injection attack. The attacker has manipulated the SQL query to gain unauthorized access to the system. In a real-world scenario, an attacker could use more complex queries to not only bypass login mechanisms, but also to view, modify, or delete data in the database. To prevent SQL Injection attacks, it's important for developers to properly validate and sanitize all user inputs, use parameterized queries or prepared statements, and employ other secure coding practices.


SQL Injection attacks can lead to serious consequences, including data breaches and unauthorized access to sensitive information. To prevent these attacks, it's important for developers to validate and sanitize all user inputs, use parameterized queries, and employ other secure coding practices.
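The login check described above, written once with string concatenation and once with a parameterized query, is shown below as an added example (not code from the course manual). The in-memory SQLite database, the sample accounts and the function names are constructed for illustration; the table and column names follow the manual's query.

```python
import sqlite3

# Constructed sample accounts. The plaintext password column only mirrors the
# manual's simplified query; production systems store a salted password hash.
SAMPLE_USERS = [
    ("admin", "S3cure-admin-pw"),
    ("o'brien", "mortgage-2024"),
    ("jsmith", "hunter2"),
]


def make_db():
    """Build an in-memory database holding the constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concatenated(conn, username, password):
    """Deliberately vulnerable 'before': user input is pasted into the SQL text."""
    query = (
        "SELECT username FROM users WHERE username = '" + username +
        "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Hardened 'after': placeholders keep input as data, never as SQL syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def run_demo():
    """Run both versions over the same inputs and return what each matched."""
    conn = make_db()
    crafted = "' OR '1'='1"  # the input string from the manual's example
    results = {
        # Regression input: the crafted string in both form fields (SQL
        # evaluates AND before OR, so the test fills both). The concatenated
        # WHERE clause becomes always-true and every account is returned.
        "concat_crafted": login_concatenated(conn, crafted, crafted),
        # The same input through placeholders is compared as a literal string.
        "param_crafted": login_parameterized(conn, crafted, crafted),
        # Legitimate credentials still work with placeholders...
        "param_valid": login_parameterized(conn, "jsmith", "hunter2"),
        # ...including an honest username that contains an apostrophe.
        "param_apostrophe": login_parameterized(conn, "o'brien", "mortgage-2024"),
    }
    # The concatenated version cannot handle that honest apostrophe at all:
    # the stray quote produces malformed SQL.
    try:
        login_concatenated(conn, "o'brien", "mortgage-2024")
        results["concat_apostrophe_error"] = False
    except sqlite3.OperationalError:
        results["concat_apostrophe_error"] = True
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The apostrophe case shows why rejecting or stripping quote characters is not a substitute for placeholders: legitimate names contain them, and only the parameterized version handles both inputs correctly.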

6.4.6 Zero-day Exploits

A zero-day exploit is a cyber attack that occurs on the same day a weakness, or vulnerability, is discovered in a software program. At that point, it's exploited before a fix becomes available from its creator. The term "zero-day" refers to the fact that the developers have "zero days" to fix the problem that has just been exposed — and perhaps already exploited by hackers.

Zero-day exploits can be used to take advantage of software, data, or a network. They can also be used to install malware, which can range from mild adware to ransomware or other malicious software that can cause serious damage to a system or network.

Example

An example of a zero-day exploit was the Stuxnet worm, discovered in 2010. Stuxnet exploited zero-day vulnerabilities in Microsoft Windows to attack Iran's nuclear program. The worm was able to spread via USB drives and over local networks, and it was used to cause significant damage to Iran's nuclear centrifuges.

Another example is the WannaCry ransomware attack in 2017. The attack exploited a zero-day vulnerability in Microsoft's Server Message Block (SMB) protocol, which allowed the ransomware to spread across networks without user interaction. The vulnerability was actually patched by Microsoft before the attack began, but many systems hadn't been updated with the patch and were therefore vulnerable.

Zero-day exploits are a serious security concern because they can be difficult to defend against due to their very nature — they exploit previously unknown vulnerabilities. This is why keeping software and systems up to date with the latest patches and updates is so important.

6.4.7 DNS Tunneling

DNS tunneling is a method used to send data over the Domain Name System (DNS) protocol, which was not designed for this purpose. It involves encoding the data of other programs or protocols in DNS queries and responses. DNS tunneling can be used for legitimate purposes, such as circumventing network censorship, but it can also be used maliciously to exfiltrate data or command and control communication in malware.

Example

Let's say an attacker has managed to install malware on a computer within a company's network. The company has a firewall in place that blocks all outgoing traffic that isn't web or DNS traffic. The attacker wants to exfiltrate sensitive data from the infected computer, but can't send it out directly due to the firewall.

To bypass this, the attacker uses DNS tunneling. The malware encodes the sensitive data into DNS queries, which are sent to a DNS server controlled by the attacker. Since DNS queries are allowed by the firewall, the queries pass through without issue. The attacker's DNS server receives the queries, decodes the data from the queries, and thus obtains the sensitive information. The server can also send commands back to the malware by encoding them in DNS responses.


This is a simplified example, but it illustrates how DNS tunneling can be used to bypass network security measures. To defend against this type of attack, organizations can monitor DNS traffic for anomalies, limit which DNS servers are allowed to be contacted, and use intrusion detection systems that can identify DNS tunneling.
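One way to monitor DNS traffic for the anomalies mentioned above is sketched below as an added example (not part of the course manual). It flags a client that sends many long, random-looking names under a single parent domain; the thresholds, the log format of (client IP, query name) pairs and all sample names are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Illustrative thresholds (assumptions); tune them against your own DNS baseline.
MIN_UNIQUE_SUBDOMAINS = 5    # many distinct names under one parent domain
MIN_AVG_SUBDOMAIN_LEN = 30   # encoded payloads make the names long
MIN_ENTROPY_BITS = 3.5       # and close to random, unlike ordinary hostnames


def shannon_entropy(text):
    """Bits per character of the given string."""
    if not text:
        return 0.0
    total = len(text)
    return -sum((n / total) * math.log2(n / total) for n in Counter(text).values())


def split_query(qname):
    """Split a query name into (subdomain part, parent domain).

    Treating the last two labels as the parent is a simplification; production
    code should consult the Public Suffix List.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_tunnel_candidates(queries):
    """Group queries per (client, parent domain) and flag groups that meet all
    three thresholds. `queries` is an iterable of (client_ip, query_name)."""
    groups = defaultdict(set)
    for client, qname in queries:
        sub, parent = split_query(qname)
        if sub:
            groups[(client, parent)].add(sub)

    findings = []
    for (client, parent), subs in sorted(groups.items()):
        avg_len = sum(len(s) for s in subs) / len(subs)
        entropy = shannon_entropy("".join(sorted(subs)).replace(".", ""))
        if (len(subs) >= MIN_UNIQUE_SUBDOMAINS
                and avg_len >= MIN_AVG_SUBDOMAIN_LEN
                and entropy >= MIN_ENTROPY_BITS):
            findings.append({
                "client": client,
                "parent": parent,
                "unique_subdomains": len(subs),
                "avg_subdomain_len": round(avg_len, 1),
                "entropy_bits": round(entropy, 2),
            })
    return findings


def _constructed_label(i):
    """40 hex characters standing in for an encoded chunk (sample data only)."""
    return hashlib.sha256(f"constructed-{i}".encode()).hexdigest()[:40]


# Constructed resolver log: (client IP, queried name). All names use reserved
# TLDs (.example, .test) and are not real infrastructure.
SAMPLE_QUERIES = (
    # Busy but ordinary: many short, readable hostnames.
    [("10.0.0.15", f"{h}.brokerage.example")
     for h in ("www", "mail", "portal", "docs", "login", "cdn")]
    # A single long random-looking name on its own is not enough to flag.
    + [("10.0.0.15", f"{_constructed_label(99)}.assets.example")]
    # Many long, high-entropy names under one parent from one client.
    + [("10.0.0.23", f"{_constructed_label(i)}.exfil-demo.test") for i in range(8)]
)

if __name__ == "__main__":
    for finding in find_tunnel_candidates(SAMPLE_QUERIES):
        print(finding)
```

Requiring all three signals together keeps ordinary busy domains and one-off long hostnames out of the findings; a flagged pair is a lead for investigation rather than proof of tunneling.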

6.4.8 Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is a type of security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. This allows an attacker to execute malicious scripts in the victim's browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.

Example

Let's say there's a website with a search function, and the search terms are included in the URL of the search results page (e.g., www.example.com/search?term=your_search_term). An attacker could craft a URL with a search term that includes a piece of JavaScript code. For example, the URL might look like this:

    www.example.com/search?term=

If the website doesn't properly sanitize the search terms before including them in the search results page, the JavaScript code will be executed in the browser of anyone who visits the crafted URL. For instance, the malicious code could be designed to steal the user's cookies, which might include session tokens or other sensitive information. The attacker could then use this information to impersonate the user or perform actions on the website on their behalf.

To prevent XSS attacks, it's important for web developers to properly sanitize all user inputs and use output encoding when displaying user-generated content. Additionally, modern web browsers have security features that can help protect against XSS attacks, but these are not a substitute for secure coding practices.
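The output encoding recommended above depends on where in the page the search term is placed. The following added example (not from the course manual) renders a hypothetical search results page without and with context-specific encoding; the page layout, function names, header policy and probe string are constructed for illustration.

```python
import html
from urllib.parse import quote

# Response headers as defence in depth; the policy value is an illustrative
# assumption and does not replace output encoding.
SECURITY_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'",
}


def render_results_unsafe(term):
    """Deliberately vulnerable 'before': the search term is pasted into markup."""
    return (
        f"<h1>Results for {term}</h1>"
        f'<input name="term" value="{term}">'
        f'<a href="/search?term={term}&page=2">Next</a>'
    )


def render_results_encoded(term):
    """'After': the same page with each insertion encoded for its context."""
    as_text = html.escape(term, quote=False)    # HTML text node
    as_attr = html.escape(term, quote=True)     # quoted attribute value
    as_url = html.escape(quote(term, safe=""))  # URL parameter inside an attribute
    return (
        f"<h1>Results for {as_text}</h1>"
        f'<input name="term" value="{as_attr}">'
        f'<a href="/search?term={as_url}&amp;page=2">Next</a>'
    )


def build_response(term):
    """Return (headers, body) for the encoded results page."""
    return dict(SECURITY_HEADERS), render_results_encoded(term)


# Constructed probe: markup that tries to close the attribute and open a
# script element. It is a harmless test string, not a payload from the manual.
PROBE = '"><script>alert(1)</script>'

if __name__ == "__main__":
    print("unsafe :", render_results_unsafe(PROBE))
    print("encoded:", render_results_encoded(PROBE))
```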

6.4.9 Cryptojacking

Cryptojacking is a type of cyber attack in which a hacker secretly uses a victim's computing power to mine cryptocurrency. The attacker typically accomplishes this by either infecting the victim's computer with a malicious program or by embedding a script on a website that executes when the victim visits the site.

Example

Let's say you visit a website for streaming videos. Unbeknownst to you, the website has been compromised by an attacker who has embedded a cryptojacking script into the site's code. When you load the website in your browser, the script automatically starts running. This script uses your computer's processing power to solve complex mathematical problems, a process known as mining, which is used to generate new units of cryptocurrency. The results of this mining process are then sent back to the attacker.

While the script is running, you might notice that your computer is slower than usual, your battery drains more quickly, or your device overheats. This is because the mining process is using a significant amount of your device's resources.

Chapter 6: Cybersecurity


The attacker benefits from this process because they receive the newly mined cryptocurrency without having to use their own resources. Meanwhile, you're left with a slower device and potentially higher electricity bills (since the mining process uses a lot of power). To protect against cryptojacking, it's important to keep your software and devices updated, use reliable antivirus software, and consider using a browser extension that blocks cryptojacking scripts.

6.4.10 Advanced Persistent Threats (APTs)

Advanced Persistent Threats (APTs) are complex, long-term cyber attacks where an attacker gains access to a network and remains undetected for an extended period of time. The primary purpose of an APT attack is usually to monitor network activities and steal information rather than to cause damage to the network or organization. APT attacks are typically targeted towards organizations in sectors with high-value information, such as national defense, manufacturing, and the financial industry.

Example

Consider a global corporation with valuable intellectual property. An attacker, which could be a state-sponsored group with significant resources, decides to target this corporation to steal its intellectual property. The attacker begins by researching the organization, its employees, and its network. They might use spear-phishing emails targeted at specific employees to gain initial access to the network. Once inside, they install malware that allows them to maintain access, move laterally across the network, escalate their privileges, and avoid detection.

Over the course of several months or even years, the attacker quietly observes the network, identifies where the valuable data is stored, and gradually exfiltrates this data. Because the attacker is careful to avoid detection, the organization may not realize that they've been compromised until the stolen data is used elsewhere or until they're alerted by an external entity such as law enforcement.

Defending against APTs requires a combination of strong security measures, including regular network monitoring and analysis, employee training, prompt patching and updating of software, and incident response planning.

6.5 Steps in Cybersecurity

Cybersecurity involves a variety of steps that aim to protect an organization's information technology assets and mitigate risks. One of these steps is increasing visibility across an enterprise and using that visibility to gather better data. This data can then inform security decisions, including what tools and services can augment an organization's own capabilities.

Another crucial step is getting the right tools. The cybersecurity market is vast, and there are many security tools available, both for sale and freely via open-source licensing. These tools can generally be categorized into three types: data collection, analysis, or prevention. The type of tools implemented should be selected to complement your organization's priorities, current capabilities (both technological and human), and architecture. In certain circumstances, a freely available tool may be just as effective as an expensive product with a relatively low entry cost. However, there is no such thing as a tool that will stop all malware or threat actor activity. The same goes for the development of documentation to prepare for a breach. There are many organizations that will develop customized documents for organizations based upon tooling, priorities, and requirements. Still, there are several freely available templates where you can develop your own policies, plans, and playbooks.

Finally, organizations need to adopt a three-tiered risk management approach that focuses on business, process, and technology risks. This approach involves the coordination of intra-tier and inter-tier communication with the shared objective of the organization to improve its business goals. This approach, along with the other steps mentioned, can significantly limit the fallout from a cyber incident, showcase an organization's good-faith efforts, and successfully continue its operations.

6.5.1 Steps in Preventing a Cybersecurity Breach

Preventing a cybersecurity breach requires a comprehensive approach that involves several steps:

1. Risk Evaluation: Cybersecurity starts with understanding and mitigating risks related to the use of information technology. This is not a task to be taken lightly and requires the same preparation as a business continuity or disaster recovery plan.
2. Increase Visibility: This involves gaining a comprehensive understanding of the organization's network and systems. Increased visibility allows for better data collection, which in turn informs security decisions.
3. Implementing Technical Controls: This involves using the right tools and services to augment the organization's cybersecurity capabilities. This includes systems for data collection, analysis, and prevention.
4. Employee Training: Employees need to be informed about the appropriate use of workplace technology and trained to recognize cyber threats. They should also be made aware of the organization's cybersecurity protocols and the consequences of not adhering to them.
5. Monitor Insider Threats: Organizations need to apply technical controls and foster a culture of inclusiveness to minimize the risk of insider threats.
6. Legal Counsel: Legal counsel should be involved early on to address privacy and privilege concerns.
7. Insurance Coverage: Organizations need to identify and address any gaps in their current insurance coverage related to cybersecurity incidents.
8. Collaboration: This process requires an enterprise-wide effort with input from different departments to ensure all aspects of the organization's operations are considered.

By following these steps, organizations can significantly limit the fallout from a cyber incident, showcase their good-faith efforts, and successfully continue their operations.

6.6 MBRCC Principles for Cybersecurity Preparedness for the Mortgage Brokering Sector 30

6.6.1 Purpose

This guidance provides information on FSRA’s:
• adoption of the Mortgage Broker Regulators’ Council of Canada’s Principles for Cybersecurity Preparedness for the Mortgage Brokering Sector (“MBRCC Cybersecurity Guidance”) into FSRA’s regulatory framework
• “Market Conduct Protocol for Cybersecurity” which is activated for engagement with licensees that experience a cybersecurity incident that could have a material impact on client information

The MBRCC Cybersecurity Guidance was developed to help enhance cybersecurity preparedness within the mortgage brokering sector through the creation of suggested leading practices for preventing cybersecurity incidents and appropriately responding to them when they occur.

6.6.2 Scope

This guidance affects the following individuals and entities regulated by FSRA:
• mortgage agents
• mortgage brokers
• mortgage brokerages
• mortgage administrators

6.6.3 Rationale and background

Cyberattacks represent a significant risk in the sectors which FSRA regulates. The flow of information between mortgage brokerages, administrators, lenders / investors, borrowers, and third-party service providers is vulnerable to interference or being compromised.

Cybersecurity is the application of technologies, processes and controls to protect infrastructure such as systems, networks, programs, devices and data. It aims to reduce the likelihood and impact of cyberattacks which could result in unauthorized access to sensitive client information and disruption of business activities due to interference with critical infrastructure and corporate networks. For some entities, cybersecurity risk management should be a component of Information Technology (IT) risk management policies and procedures, targeted to mitigate internal and external threats to their IT systems, infrastructure and data.

The MBRCC Cybersecurity Guidance, and FSRA’s adoption of the guidance, is intended to support cybersecurity preparedness within the mortgage brokering sector by providing leading practices for preventing cyber incidents and appropriately responding to them when they occur.

As a Market Conduct regulator, FSRA’s goal is to protect against unauthorized access to sensitive client information. For the purposes of this guidance, client information refers to all consumer information, including for borrowers, lenders / investors, and prospective clients.

30 FSRA, https://www.fsrao.ca/industry/mortgage-brokering/regulatory-framework/guidance-mortgagebrokering/mortgage-broker-regulators-council-canada-principles-cybersecurity-preparedness-mortgage-brokeringsector


6.6.4 FSRA mandate

In supervising and regulating the mortgage brokering sector, FSRA aims to achieve its statutory objects, which for the purposes of informing this Guidance, include:
• contribute to public confidence in the mortgage brokering sector
• monitor and evaluate trends in the mortgage brokering sector
• cooperate and collaborate with other regulators where appropriate
• protect the rights and interests of consumers

6.6.5 Information

Legal framework for personal information

The Canadian legal framework requires the protection of personal information. Under the federal Personal Information Protection and Electronic Documents Act and the proposed federal Consumer Privacy Protection Act, all businesses, including mortgage brokerages and administrators, have obligations to protect specific personal client information. For example, personal data collected must be maintained securely and protected from personal loss, unauthorized access, and data theft.

MBRCC Code of Conduct for the Mortgage Brokering Sector

Under Principle 8 of the MBRCC Code of Conduct for the Mortgage Brokering Sector, “regulated persons and entities must protect their clients’ information. They must use and disclose it only for purposes for which the client has given consent or as compelled by law.”

MBRCC cybersecurity guidance

To support FSRA licensed entities with these obligations and to effectively manage cybersecurity risks, FSRA expects entities to implement the “Principles” identified in the MBRCC Cybersecurity Guidance. The Principles describe the outcomes that regulated entities should achieve to ensure cybersecurity preparedness, without prescribing how they should be achieved. This principles-based approach enables regulated entities to achieve the outcomes in a manner that is suitable to the size and structure of their business. The MBRCC Cybersecurity Guidance includes a checklist to help entities self-assess their cybersecurity preparedness.

Continuing education requirement

Under section 9 of Ontario Regulation 409/07 (O. Reg. 409/07) under the Mortgage Brokerages, Lenders and Administrators Act (2006), FSRA has the authority to establish continuing education (CE) requirements for mortgage agents and brokers. Agents and brokers seeking to renew a licence must successfully complete the CE requirement approved by the Chief Executive Officer (CEO) of FSRA. FSRA’s CE requirements include cybersecurity education/topics, as needed. The objective of this CE is to ensure that each licensee understands how to identify and take action to protect against cybersecurity threats.

For mortgage brokerage and administrator operations, FSRA wants to support industry in ensuring processes are in place to identify, monitor and respond to cybersecurity risks, to help ensure the protection of client information.


FSRA’s Market Conduct Protocol for Cybersecurity

Notification of cybersecurity incidents

Mortgage brokerages and administrators should notify FSRA at [email protected] if they experience a cybersecurity incident that could have a material impact on client information, as FSRA wants to ensure:
• appropriate steps are taken to protect clients
• the regulator has up to date information to address any public inquiries
• there is consistent messaging by the regulator and the licensee to prevent undue alarm

Notification to the regulator should occur as soon as a licensee determines a cybersecurity incident could have a material impact on clients. The following are indicators that a cybersecurity incident could have a material impact on clients:
• the security breach impacted a system or database that stores a large amount or a sizable proportion of sensitive client information
• if the mortgage brokerage or administrator would, in the normal course of operations, escalate the matter to or inform senior management accountable for information security
• the security incident requires non-routine measures or resources by the mortgage brokerage or mortgage administrator
• the security incident has resulted in a cyber insurance claim being initiated
• the breach is a repeat incident and could have a material impact on a cumulative basis

Activation of FSRA’s Market Conduct Protocol for Cybersecurity

When FSRA becomes aware of a cybersecurity incident through notification by a licensee, market intelligence, a tip or complaint, it will activate FSRA’s Market Conduct Protocol for Cybersecurity.

6.6.6 FSRA’s Market Conduct Protocol for Cybersecurity

The protocol outlines FSRA’s expected engagement with the licensee[1] to monitor the entity’s actions in investigating and responding to the incident. The engagement is continuous, until FSRA has:
• a complete understanding and knowledge of the extent of the potential data breach and what information was accessed
• confirmation that any corrupted information has been restored and/or that the breach has been mitigated or contained
• confirmation that all systems are back online and fully functional
• confirmation that all affected stakeholders, including clients and relevant privacy regulators, have been notified, and reasonable steps have been taken by the licensee to limit potential client harm
• a complete understanding and knowledge of the safeguards that have been put in place to ensure the licensee is protected from similar future breaches

FSRA will maintain confidentiality of incidents reported to the extent allowed by the law.

Incident response typically proceeds in phases similar to the pattern below:

Phase 1: Receive immediate information from the licensee about what they know about the nature and extent of the cybersecurity incident, what they have done to recover and respond, and what additional actions are planned.

Phase 2: As more complete information becomes available, receive regular updates from the licensee on the extent/impact of the incident on its clients and services. Information requested depends on the nature of the incident. For example, in the case of a data breach, FSRA will seek a clear understanding of the nature and extent of the data breach and the risks it presents to client information.

Phase 3: FSRA receives the licensee’s plan to prevent a similar cybersecurity incident in the future.

FSRA’s level / frequency of engagement with a licensee reflects the nature and impact of the cybersecurity incident and will consider resources required of the licensee to respond to the incident.

Effective date and future review

This guidance is effective August 18, 2022 and will be reviewed no later than August 18, 2025.

About this guidance

This document is consistent with FSRA’s Guidance Framework. As Information guidance, it describes FSRA’s views on certain topics without creating new compliance obligations for regulated persons.

References
• MBRCC Principles for Cybersecurity Preparedness
• MBRCC Code of Conduct

Effective Date: August 18, 2022

6.7 MBRCC Principles for Cybersecurity Preparedness 31

6.7.1 Purpose

The MBRCC is a forum for Canadian mortgage brokering regulators to collaborate and promote greater regulatory consistency to serve the public interest. The purpose of this guidance is to support cybersecurity preparedness in the mortgage brokering sector by proposing practices to avoid cybersecurity incidents and properly respond to them when they occur.

Cyber threats are a growing risk for everyone, including the mortgage brokering sector. Managing this risk proactively helps protect against attacks seeking to compromise or steal electronic information. Cybersecurity is the application of technologies, processes, and controls to defend infrastructure such as systems, networks, programs, devices, and data. It aims to reduce the likelihood and impact of cyberattacks that could lead to unauthorized access to sensitive client information and the disruption of business activities due to interference in critical infrastructure and corporate networks.

This guidance supports the Security and Confidentiality Principle (Principle 8) of the MBRCC Code of Conduct. This Principle states that “regulated persons and entities must protect their clients’ information. They must use and disclose it only for purposes for which the client has given consent or as compelled by law.”

31 MBRCC, https://www.mbrcc.ca/Documents/View/8203


Federal and provincial legislative frameworks require the protection of personal information. At the federal level, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires all businesses, including mortgage brokerages and administrators, to protect specific personal client information. For example, collected personal data must be protected from loss, unauthorized access and data theft. This guidance does not create new obligations. MBRCC considers this guidance to be aligned with, and therefore can be interpreted in a manner consistent with, all existing requirements, rules, and standards of conduct.

6.7.2 Approach

This guidance provides four Principles describing the outcomes that regulated entities should achieve to ensure cybersecurity preparedness. It does not prescribe the way the Principles must be achieved. This principles-based approach offers regulated entities the flexibility to achieve the outcomes in a manner that is suitable for the size and structure of their business. The guidance includes a checklist in Appendix A to help entities self-assess their cybersecurity preparedness. Appendix B lists leading cybersecurity standards that MBRCC referenced while developing these Principles.

6.7.3 Principles for Cybersecurity Preparedness

The common principles for mortgage brokering cybersecurity preparedness are:

1. Responsibility and Resourcing

Regulated entities should appoint a person responsible for overseeing cybersecurity risk to ensure accountability. Responsibility for complying with safe cybersecurity practices applies to all people in an organization, even if they do not have oversight roles. Entities should invest and assign all the resources needed to develop and maintain effective cybersecurity safeguards to protect client information, particularly personal information.

Regulated entities should:
• Develop cybersecurity preparedness policies and procedures.
• Require that individuals responsible for overseeing cybersecurity maintain their skillset and understanding of cybersecurity risks including ways to mitigate these risks through ongoing education.
• Raise awareness of cybersecurity risk by providing guidance to staff and management (as applicable) to ensure cybersecurity preparedness. This may include training and reminders of cybersecurity risks.
• Consider purchasing insurance for cybersecurity liability that is appropriate to their needs.

2. Identification and Prevention of Risks

Regulated entities should:
• Identify key cybersecurity risks like loss of client information or system access issues related to:
  ◦ Access granted to staff;
  ◦ Use of third-party service providers; and
  ◦ Safeguarding of processes, technology hardware or facilities.
• Have appropriate “endpoint” risk detection protections, such as regularly updated anti-virus and malware scanning software.
• Conduct a cyber incident business impact assessment and ensure cybersecurity risks are part of the business continuity plan.
• Take adequate steps to minimize the likelihood and impact of a risk once identified.
• Determine the entity’s comfort with identified risks (“risk tolerance”).

Regulated entities are third-party service providers to financial institutions. Regulated entities should ensure that they understand and are compliant with a financial institution’s expectations of third-party service providers regarding cybersecurity and, more broadly, information security.

3. Incident Monitoring, Detection and Response

Regulated entities should have a protocol for monitoring, detecting and responding to cybersecurity incidents as part of their policies and procedures for cybersecurity preparedness. The entity should have an incident response plan to protect client information and minimize service disruptions if an incident is detected. Aspects of this plan may include:
• Suspending some business processes to limit information vulnerability.
• Sharing relevant information about incidents with clients, third parties (including mortgage lenders) and regulators (as requested or, in some jurisdictions, required).
• Determining if the criteria for return to business as usual have been met.
• Restoring lost or corrupt data, processes and/or systems that would enable a return to business as usual.

4. Third-Party Management

Regulated entities are responsible for protecting their clients’ information against cyber incidents by ensuring that their third-party service providers have cybersecurity preparedness practices in place. The mortgage brokering sector works within a network of providers; more complex and extensive networks increase cybersecurity risk. Careful relationship management is important to minimize vulnerabilities and to help ensure the protection of client information. Relationship management may include parties formally establishing processes and procedures for managing cybersecurity risks.

6.7.4 Appendix A – Cybersecurity Preparedness Checklist

Below is a basic cybersecurity32 preparedness checklist. It may be useful for an entity without established cybersecurity preparedness practices. This checklist is not comprehensive and does not cover all potential cybersecurity risks. However, it should help identify and address many of the basic risks related to mortgage brokering activities. Any gaps/issues identified when going through the checklist should be prioritized based on the potential impact, likelihood of an incident and resources available. The gaps/issues should be addressed by a designated employee within a specific timeline.

Do you have a person or people responsible for managing the organization’s cybersecurity risks?

Do you have an inventory of all computing devices used within the organization? For each device, document:
• Type of device (smart phone, tablet, desktop, laptop, server, etc.)
• Model number
• Serial number

32 Financial and Consumer Services Commission of New Brunswick, https://www.fcnb.ca/sites/default/files/inlinefiles/Notice-regarding-cybersecurity-risk.pdf


• User responsible for the device
• Operating system and relevant applications installed on the device
• Whether the device is encrypted

Do you have a list of all types of electronic records and data maintained on the organization’s computer systems (“electronic assets”) and where they are stored?

Are electronic assets classified based on whether they contain any of the following:
• Personally identifiable information (PII)?
• Proprietary information?
• Sensitive financial information (for example, credit card information)?
• Transaction data?

Have electronic records and data on the list that are important to the organization’s ability to operate been identified?

Has the backup and recovery process for electronic records and data been reviewed, updated and tested?

Do you have policies and procedures to restrict and/or monitor the collection, storage, and use of sensitive client data?

Has the information network been mapped for the organization (for example, how are computers and other computing devices connected? What servers/storage devices are on the network? How is the network connected to the internet, etc.?)?

Has a risk assessment of computing devices, electronic assets and network topology been conducted by identifying:
• Which devices and assets are attractive attack targets?
• What attack vectors are there for gaining access to these devices and/or assets?
• Which actors may be seeking to attack the organization?
• What is the likelihood of a breach via a particular attack vector?
• What would be the impact of such a breach?
• How can the risk of a breach be reduced or perhaps eliminated?

Has a remote management tool been adopted to manage the organization’s computing devices outside the organization’s offices?

Has a review of who has access to the organization’s electronic assets been undertaken to ensure “least privilege”33 access?

Has cybersecurity awareness training been offered to employees, preferably on an ongoing basis?

Have you reviewed or created key cybersecurity policies for the organization, including:
• Cybersecurity best practices
  ◦ Multi-factor authentication
  ◦ Passwords
  ◦ Clean desk
  ◦ Using computing devices outside the office
• Acceptable use of IT resources
• New employee intake and exit
• Acceptable use of personal devices for business purposes
• Third parties and IT vendors

Has the organization’s physical security been reviewed? Are the following controls in place to limit physical access to the organization’s office(s)/building(s) to only the appropriate employees, including key card access, ID badges and visitor access rules?

33 An employee only has access to the information needed to do his or her work, and nothing more.


Does the organization have requirements for or agreements with independent contractors that address cybersecurity best practices?

Does the organization verify that the disposal process for physical assets (old hardware, paper records, etc.) ensures all important records are properly destroyed or shredded at the end of life?

Has the organization’s network architecture been reviewed? Are proper firewall solutions, intrusion detection systems, server configurations and encryption mechanisms in place?

Have the operating systems and network enabling applications been reviewed to ensure they are up to date and properly patched, and that an appropriate update schedule is in place and followed?

Has up-to-date anti-virus/malware software been installed on all devices with access to electronic assets?

Does your organization have proper insurance for cybersecurity liability?

Has a cybersecurity breach incident response plan been established and tested?

Have a business continuity plan and a disaster recovery plan been established and tested?

6.7.5 Appendix B – Other Cybersecurity Standards Examples

The MBRCC Principles for Cybersecurity Preparedness were developed by MBRCC regulators based on leading practices. Referenced below are some of the resources referenced in developing this guidance:
• International Organization of Standardization (ISO) - ISO/IEC 27001 — Information security management, https://www.iso.org/standard/27001
• Cybersecurity Framework | National Institute of Standards and Technology, https://www.nist.gov/cyberframework
• Technology and Cyber Risk Management (osfi-bsif.gc.ca) – Office of the Superintendent of Financial Institutions, https://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/b13.aspx


PART 2 BROKERS


Chapter 7: Fostering a Culture of Compliance and Consumer Protection

7.1 Learning Outcome

Principal Brokers promote proactive agent and broker compliance with the MBLAA and its Regulations, FSRA Rules and Guidance and the policies and procedures of the mortgage brokerage.

7.2 Learning Objectives

Successful understanding of the concepts presented in this chapter will enable the learner to:

1. Describe how each of the following brokerage factors may impact supervision of brokers and agents by the Principal Broker:
   a. Brokerage business/operational model (including compliance mandate and Principal Broker authority/independence for decision-making).
   b. Number of authorized brokers and agents.
   c. Geographical spread of agents/brokers, including interprovincial business/operations.
   d. Number of mortgage transactions.
   e. Compliance resources (number and expertise of compliance team).
   f. Products offered.
   g. Consumer demographics.
2. Apply processes to ensure policies and procedures manuals are specific to their brokerage and its business activities.
3. Recommend strategies for effectively communicating the brokerage’s policies and procedures (i.e., throughout the brokerage and to external stakeholders, as appropriate).
4. Apply processes for monitoring brokering activities, in particular dealing/trading/lending in private mortgages, to ensure compliance with regulatory requirements (e.g., disclosures and suitability assessments).
5. Apply strategies for supervising an agent/broker who has been required to be placed under supervision by the Regulator.
6. Recommend processes for supporting brokers and agents with their mortgage transactions (including recruiting, training, mentoring, coaching).
7. Evaluate the behaviour of brokers and agents to assess their compliance with the MBLAA and its Regulations and the brokerage’s policies and procedures.
8. Conduct a self-assessment of steps taken to ensure PB obligations are fully met.

7.3 Introduction

Arguably the most influential and consequential position in a mortgage brokerage, the Principal Broker has a great deal of responsibility to the brokerage, the regulator, and the consumer. In this section, the role of the Principal Broker will be discussed from the perspective of fostering a culture of compliance and consumer protection within the brokerage.

7.4 Supervision of Brokers and Agents

The Principal Broker’s ultimate duty is to supervise the business conduct of the brokerage’s licensees to ensure compliance, including fair treatment of consumers. As brokerages evolve, FSRA is concerned that they may not have adequate resources to ensure their brokers and agents are complying with regulatory requirements and putting an adequate focus on their customers’ needs and circumstances.

The supervisory role of the Principal Broker is highlighted in the Mortgage Brokerages, Lenders and Administrators Act, 2006 (“MBLAA” or the “Act”) and its Regulations. Most specifically, O. Reg. 410/07: Principal Brokers: Eligibility, Powers and Duties, section 2 clearly articulates that the Principal Broker is responsible for ensuring the compliance of each broker and agent authorized (licensed) under the brokerage. In addition, section 3(1) establishes that the Principal Broker is required to ensure that the brokerage’s policies and procedures are designed to ensure that all brokerage licensees (a) comply with all requirements established by the Act and its Regulations, and (b) are adequately supervised.

The Principal Broker must take reasonable steps to ensure that the brokerage and all of its licensees comply with the Act and its Regulations and that all licensees are adequately supervised. Principal Brokers play a key role in promoting good conduct and deterring deceptive or fraudulent conduct within the sector, therefore contributing to public confidence in the mortgage brokering industry.34

The following list explains the factors that may impact supervision of brokers and agents by the Principal Broker, and why:

a) Brokerage Business/Operational Model (including compliance mandate and Principal Broker authority/independence for decision-making)

The business and operational model of a brokerage must allow for the Principal Broker to have the authority and independence to implement the policies and procedures they feel are necessary to meet the regulatory requirements of ensuring that the brokerage and all of its agents and brokers comply with the MBLAA and its Regulations.

b) Number of Authorized Brokers and Agents

The greater the number of brokers and agents, the greater the likelihood that adequate supervision will require additional resources. It is the responsibility of the Principal Broker to ensure that the brokerage is meeting this regulatory requirement.

c) Geographical Spread of Agents/Brokers, including interprovincial business/operations

If a brokerage has agents and brokers working remotely, in other words at a distance from their main place of business, the Principal Broker must ensure that the brokerage has the means to adequately supervise them. This may include a heavier reliance on technology, such as using online meetings to meet and communicate with these agents and brokers on a regular basis. By having agents and brokers who work remotely, the brokerage takes on the additional responsibility of having to ensure that they are as adequately supervised as if they were at the brokerage’s principal place of business. It is a brokerage’s sole decision to employ remote agents and brokers, and as such it is the brokerage’s sole responsibility to ensure adequate supervision.

d) Number of Mortgage Transactions

34

FSRA, https://www.fsrao.ca/industry/mortgage-brokering/regulatory-framework/supervision/principal-brokersupervision

Chapter 7: Fostering a Culture of Compliance and Consumer Protection

78

The greater the number of transactions, the greater the degree of oversight that is required by the brokerage. This may require the brokerage to hire additional compliance review staff to review the greater number of transactions to ensure the brokerage remains compliant. e) Compliance Resources (including number and expertise of compliance team) To ensure adequate supervision, the Principal Broker must ensure that the brokerage’s compliance team is large enough and has the appropriate resources to review its agents’ and brokers’ activities and compliance with all applicable laws. The question that needs to be answered is, “is our supervision adequate to ensure compliance?” Having more agents and brokers than can be adequately supervised is a recipe for potential contraventions of the Act and its Regulations. f) Products Offered The more products offered by a brokerage, through its agents and brokers, the more oversight is required. For example, brokering in private mortgages requires a different level of knowledge than simply brokering in institutionally funded mortgages. The same applies to the offering of commercial mortgages, bridge financing, syndicated mortgages, etc. The greater the complexities, the greater the requirement for oversight to ensure consumer protection and compliance with the Act and its Regulations. g) Consumer Demographics Consumer demographics play a role in compliance. For example, as the population ages the popularity of reverse mortgages may increase. If these products are being offered by the brokerage through its agents and brokers, this requires the brokerage to have the expertise to ensure that its marketing and consumer interactions meet regulatory requirements. If you are a Principal Broker or a key compliance resource at your brokerage, consider your brokerage’s approach to ensuring that broker/agent business conduct is supervised for compliance with the Act and its regulations. Ask: x x

7.5

What supervision practices have we put in place? Are we fostering a culture of compliance?

Brokerage Specific Policies and Procedures

Each Principal Broker and brokerage is responsible for ensuring its policies and procedures reflect its specific business model. The Act and its Regulations require the specific outcome of compliance, but the principles-based nature of the legislation allows for a brokerage to tailor its policies and procedures to meet that outcome. The following list is provided by the regulator as examples of some of the types of practices, activities and/or standards that can be included in a brokerage’s policies and procedures. Not all of these examples may apply to every brokerage, and more may be required to meet the specific needs of a brokerage’s specific business model, including the products offered by its agents and brokers.

• Procedures for handling complaints.
• Policies for fees (include the maximum amount for fees, when and what fees can be charged, and rules for setting fees and charges).
• Policies for collecting supporting documents.
• Mortgage Brokers and Agents must complete a checklist for each mortgage file.
• Mortgage Brokers and Agents must verify each client’s identification and inform the client/lender/investor about the risk involved with the mortgage.
• Policies and procedures for office administration, loan origination, software, mortgage life insurance, ministry regulations and best practices.
• Policies and procedures for advertising, co-brokering, ethics, best practices, websites, and guidelines.
• A code of conduct, ethics code, audit requirements, file completion requirements, employment equity standards, an internal dispute resolution process, customer complaint process, etc.
• Policies and procedures for establishing documentary requirements for confirming the identities of potential borrowers, establishing credit guidelines and approval levels, and setting requirements for using appraisers via a national, neutral vendor that objectively selects and vets appraisers.
• Policies and procedures on ethics, disclosure, and privacy of information.
• Mandatory workshops/orientation for new Mortgage Brokers/Agents.
• Require Mortgage Brokers and Agents to attend mandatory meetings each month to review the Mortgage Brokerage’s regulations, policies, and procedures.
• Policies and procedures on privacy, payroll processes and emergency procedures.
• Mortgage Agents should complete an agency agreement with borrowers, like the real estate industry.
• Obtain credit bureau information only after an applicant signs the Mortgage Brokerage’s approved mortgage application form.
• Store confidential client data in a secure cabinet that is locked upon leaving the premises.
• Mortgage Brokerage, Broker and Agent licence numbers need to appear on public relations material (e.g., business cards, letterhead, cheques, web sites, etc.).

7.6 Communicating Policies and Procedures

The Principal Broker must ensure that all employees, brokers, and agents are aware that the brokerage is committed to the successful implementation, enforcement and maintenance of its Policies and Procedures program. This can be achieved through:

1. Communicating the importance of the brokerage’s policies and procedures
2. Mandatory ongoing training
3. Internal communications/updates
4. Mandatory reviews of the business practices of agents and brokers
5. Annual performance reviews

It is the responsibility of the Principal Broker as well as the brokerage’s agents and brokers to ensure that they are up to date on all the brokerage’s policies and procedures.

An important component of the implementation process is the education of all employees, brokers, and agents, especially those whose responsibilities will be directly affected. All employees, brokers and agents should be required to attend an initial training seminar in which the program’s purpose and management's expectations are presented. Once fully implemented, ongoing training must be provided to ensure familiarity with current events and to reinforce the brokerage’s ongoing commitment to the program. In addition, all new hires must be given appropriate training on the brokerage’s compliance program.

The training should be conducted by the Principal Broker, the compliance officer or other individual responsible for the program, or an outside vendor. Attendance should be monitored by sign-in sheets requiring signatures and other identifying information. The training should be conducted in a location that is convenient for all to attend and should be offered at several different times to ensure accessibility to all employees, brokers, and agents.


For agents and brokers unable to attend in person, the Principal Broker should determine an appropriate means to ensure that they receive training sufficient to meet the requirements of effective supervision, as detailed in the MBLAA and its Regulations. Suggestions may include webinars or other online meetings that have the capability to verify attendees. In all circumstances the brokerage should implement a strategy that ensures its ability to confirm that all of its agents and brokers have attended the requisite training.

There are four strategies to document that the required training has occurred:

1. Self-reporting
2. Attendance records
3. Attendees’ signatures confirming understanding
4. Testing to confirm understanding

7.6.1 Self-reporting

The easiest, and least effective, way of ensuring that an agent or broker has taken and understood the material is through self-reporting. The brokerage may provide a hard copy manual or a link to a manual and require the agent or broker to attest that they have read and understood the material. Without confirmation this method is clearly open to abuse. The brokerage will be unable to determine who has actually read and understood the material. While self-reporting may appear to put the responsibility on the shoulders of the agent or broker to ensure compliance, it may not meet the requirements of Regulation 410/07, which requires the Principal Broker to take reasonable steps to ensure the brokerage and each broker and agent comply with the legislation. In addition, if the brokerage is serious about ensuring compliance, consumer safety, suitability for borrowers and investors, etc., self-reporting may not be the most effective method of doing so.

7.6.2 Attendance records

While it’s an improvement over self-reporting, taking attendance at an in-person or online presentation does not, in and of itself, confirm the identity of attendees, ensure that attendees were present throughout, or show that they listened to and understood the material. If the brokerage isn’t concerned about the impact of this training (and it should be) and it just wants basic proof that the training took place, attendance records can work.

7.6.3 Attendees’ signatures confirming understanding

This strategy, like self-reporting, requires the attendee to attest to understanding the material presented. Again, this attempts to put the responsibility for understanding the material clearly on the shoulders of the attendee. However, while this may meet regulatory requirements (although this is not guaranteed), it will do little to ensure attendees have the knowledge to prevent acts of non-compliance, including harm to the public. If the brokerage is determined to ensure that attendees have the knowledge to increase the likelihood of full compliance with the MBLAA and its Regulations, this may not be the most effective means to do so.


7.6.4 Testing to confirm understanding

Testing is by far the most effective method of ensuring understanding of the material, but it must still include best practices to be effective. These include having a properly designed test that meets minimum educational standards, administered in a properly supervised manner, along with acceptable methods of identity verification. This method is also arguably the least popular, since it takes time and resources to develop and, in reality, no one likes to take a test. However, this method can provide the highest level of assurance that the brokerage is serious about its responsibilities to the industry, regulators, investors, borrowers, and the general public.

7.6.5 Periodic Communication of Policies and Procedures

The brokerage should have its Policies and Procedures, designed in a clear and concise manner, available in person or electronically to every member of the brokerage (including external stakeholders, where appropriate), and these should be communicated to them in an effective manner periodically. This may include by email or letter on a regular basis, such as monthly.

7.7 Monitoring Agents and Brokers for Compliance

Reviewing files for completion after a transaction has been completed is necessary to ensure that the file has the required documentation to be maintained over time, and that it has been completed in a way that meets all regulatory requirements. However, this strategy simply tracks compliance; it does not ensure it. It allows the brokerage to correct any recordkeeping issues and to make sure that all disclosures are properly signed. It does not ensure that the transaction, while it was occurring, was compliant. In fact, many transactions are never completed; therefore, a brokerage that only requires post compliance reviews is failing to ensure that its agents and brokers are conducting business in a compliant fashion. In other words, transactions that are never reported to the brokerage are never reviewed. This may lead to several compliance issues. How can a brokerage know if any of the following issues are occurring?

Keep in mind that the Act and its Regulations require that the Principal Broker take reasonable steps to ensure that “the brokerage, and each broker and agent authorized to deal or trade in mortgages on its behalf, comply with every requirement established under the Act”. Are there any additional reasonable steps that a brokerage can take, in addition to a post compliance review? The answer is, undoubtedly, yes. The brokerage must determine what it believes is reasonable.

Here is a list of some examples of how a brokerage may monitor its agents and brokers for compliance.

1. Require new agents to submit all stages of an application to the principal broker or other person tasked with ensuring compliance.
2. Monitor and review submissions via the brokerage’s mortgage origination software.
3. Have the broker supervising a new agent review all aspects of every transaction until a track record of compliance can be established.
4. Once a track record of compliance has been established, secret shop (conduct anonymous, random spot checks) agents and brokers to ensure ongoing compliance.
5. Establish risk-based monitoring. In other words, identify agents and brokers who conduct higher-risk transactions, such as private lending, and require heightened oversight.
6. Require transactions to be transparent. In other words, the brokerage has access to each step of a transaction remotely, so that the principal broker or compliance personnel may review for compliance.
7. Perform periodic, random spot checks of an agent’s or broker’s files in progress.
8. Require agents and brokers to attend mandatory training on policies and procedures specific to their area of business, such as private lending, reverse mortgages, etc.
9. Focus on assisting agents and brokers who make honest errors, ensuring they are corrected in all cases to protect consumers. These can be used as learning tools to prevent future errors.
10. Ensure that all agents and brokers understand that non-compliance will not be tolerated. Have a clearly laid out process to enforce the brokerage’s policies and procedures, including a clear policy on penalties for infractions.

While brokerages may have “rogue” agents/brokers (or agents or brokers who refuse to follow the brokerage’s policies and procedures), it is much less likely if the brokerage has a robust monitoring regimen in place.

7.8 Supervision of Agents and Brokers under Supervision by FSRA

If an agent or broker has been placed under supervision by FSRA, it is important to ensure that corrective actions are taken immediately. An effective first step in this process is called an employee counselling session. An employee counselling session is an opportunity for the principal broker or a member of the compliance team, acting on behalf of the principal broker, to meet with the agent or broker and discuss the specific aspect that has resulted in being placed under supervision by FSRA. It is not a form of punishment, but rather a way to ensure that the non-compliant behaviour is corrected. The session is a vital step in the process, and can, if inadequately performed, undermine the attempt to correct the non-compliant behaviour. Most sessions are designed to provide feedback on performance and provide a plan for future development and improvement. To achieve this goal the following guidelines should be considered when the session is conducted.

Preparation
It is beneficial that all parties understand the reason(s) for the session. This will provide an opportunity for introspection and remove the stress often associated with employee counselling sessions by clearly stating the reason(s) for the session. It also gets the broker/agent involved in the process, creating an opportunity for discussion as opposed to simply listening to the rationale for the session.

Participation
The compliance personnel should limit the amount of time that they talk, instead providing the broker/agent an opportunity to participate in the session by asking open-ended questions. Studies show that the more an individual participates in the session the more they will feel that the process was fair. In addition, it’s important to allow the broker/agent to express their understanding of any issues and be an active participant in creating the necessary plan that will be used to rectify the non-compliance issue(s).

Appreciation
Positive feedback is a strong motivator, and while it should never be disingenuous, the compliance personnel should be prepared to begin the interview with positive reinforcement of behaviours that the broker/agent is performing well. For each item being reviewed the compliance personnel should remain on topic, praising where necessary and offering constructive criticism where appropriate.


Constructive Criticism
Constructive criticism can end up being negative if not used appropriately. Even the most positive broker/agent can begin to feel defensive if the criticism takes over the session. To avoid this, the compliance personnel should consider exactly what criticisms are necessary, avoiding those that are not necessary for the broker/agent to improve their performance. The goal should be to change the behaviour that is negatively affecting performance, not simply defining that behaviour at length.

Change Behaviour
When dealing with a broker/agent whose performance is non-compliant (or lacking in one or more areas – this strategy can be used for performance appraisals as well), the goal is to change the behaviour that caused the non-compliance. For example, if the broker/agent has been submitting files for compliance review that have had omissions or errors, it is not helpful to tell the individual that they are sloppy or lack attention to detail. By focusing on the behaviour, the compliance personnel might say, “Three of your last six files have had deficiencies.” This will focus both the compliance personnel and the broker/agent on the behaviour that needs modification and not on the individual’s personality traits, because while the broker/agent may be sloppy, that personality trait is not what needs to be altered; rather the broker/agent’s file submissions need to be corrected.

Solve Problems
There is often a tendency to try to assign blame for poor performance. For example, the broker/agent may state that their files are incomplete when being submitted for compliance because the brokerage’s policy on required documents is inadequate. While this may or may not be true, it is irrelevant as these are two separate issues. The compliance personnel must help the broker/agent solve this specific problem to ensure that the files are submitted properly and can take the broker/agent’s feedback and make changes to the brokerage’s policies, when necessary. If the broker/agent doesn’t clearly understand those policies, the compliance personnel must suggest ways to improve that understanding, perhaps by going through the compliance process with the principal broker, thereby solving this specific area of poor performance. Whatever the solution, it should be narrowly focused on improving the broker/agent’s performance in the area that has been identified.

Support
A common complaint from employees, including brokers and agents, is that there is a lack of support, perceived or real. When discussing ways to address performance issues, one of the best questions that compliance personnel can ask is, “What can I do to help you?” This will focus the dialogue on solutions and contribute to the overall feeling that the broker/agent is being provided the necessary support to improve their performance.

Set Goals
For key items being reviewed, set goals that reflect the broker’s/agent’s strengths, rather than focusing on goals that emphasize the broker’s/agent’s weaknesses. Those weaknesses or areas of improvement are addressed in the discussion on improving those specific behaviours and will be reflected in the achievement of those goals. For example, having a goal of 100% compliance for file submissions is a goal that will be supported by implementing the solutions discussed. A goal that states that the broker/agent must reduce the number of compliance issues, while basically designed to obtain the same goal as 100% compliance, focuses on reducing the negative rather than increasing the positive. A broker/agent who has a 95% rate of compliance in their file submissions should focus on increasing that positive number rather than focusing on decreasing the 5%. This may seem like simple semantics but can have a significant impact on how constructively the broker/agent interprets the goal and therefore their level of dedication to that goal.

Follow-up
If either the manager or the broker/agent looks at the appraisal interview as a painful task that they wish to complete quickly or simply “get it over with,” the likelihood that the process will be ineffective increases. This can be overcome by implementing the previous guidelines and following up on the broker/agent’s performance on a regular basis. By providing positive feedback as the broker/agent improves performance, the issue will not likely arise again. By simply completing the interview and waiting until the next interview to review the results, the broker/agent will likely feel that there is no commitment to assisting in improving performance, making the entire process, in their opinion, a waste of time. The counselling session is an ongoing commitment to improving performance and not just an exercise performed once or twice a year.

A strong follow-up process may end up identifying behaviours that have not been corrected. For example, certain behaviours that threaten consumer protection or the brokerage’s compliance with FSRA, if not immediately corrected, pose a significant risk, and cannot be allowed to continue. This may result in the necessary termination of the broker’s/agent’s contract, an unfortunate but necessary step.

7.9 Supporting Agents and Brokers

One of the most effective ways of supporting agents and brokers is through a performance appraisal. The performance appraisal is best defined as a process designed to help employees, in this case brokers and agents, understand their success, strengths and weaknesses in relation to their roles, objectives and performance. While brokers/agents are typically deemed to be successful simply based on total annual funding of mortgage transactions, this is only one barometer of a broker/agent’s success. Failure to meet the goals of all of the core competencies, as defined by the brokerage in its hiring policies, can see the broker/agent’s production suffer, almost unexpectedly. In many cases this decrease in production hasn’t been, nor could it have been, anticipated because only the total annual production was being appraised.

Take, for example, the financial crisis that began with the sub-prime mortgage meltdown. On its surface, the market was booming. Record numbers of mortgage loans were being made, along with year over year increases in housing prices that resulted in many believing the economy was not only sound but virtually unstoppable. However, these barometers were only part of the equation. The other indicators were failing, and while those who assessed all of the key indicators of the economy warned of the eventual crisis, those who simply assessed the economy by its overall production were caught unaware.

The same can be said for broker/agent production. For example, as the market shifts from having easily accessible money for virtually any type of borrower to a tighter lending environment, those who are proficient in most of the core competencies required to be a successful broker/agent are more insulated from this dramatic shift because the fundamentals of how they do business are sound. This is typically evidenced in major downturns in the real estate market. While the market is booming, more individuals become licensed real estate agents and make a good living. However, as soon as the market takes a downturn the number of agents decreases, sometimes significantly. What factors determine who stays in the market and who leaves? Why is an agent who is wildly successful in a hot market suddenly looking for another career in a cold market? While these questions may seem puzzling, in fact they’re not. The answer is that most of those agents who leave were not practicing the fundamentals of their business that would provide longevity regardless of the market.

These fundamentals, or core competencies, are therefore even more important in slower markets. Scoring highly in these competencies can be a solid indication of the sustainability of a sales force and therefore of the entire brokerage. When implemented effectively, low scores in these competencies simply identify areas needing attention. Coupled with an internal process designed to address weaknesses, the brokerage can quickly identify areas needing improvement and plug the broker/agent into the applicable program. Brokerages that do not offer such internal programs should have a list of external resources that their brokers/agents can make use of, such as specific training programs, while other brokerages may require a combination of internal and external programs.

7.9.1 Benefits of Effective Appraisal Programs

From the perspective of the sales management process, effective performance appraisals serve several functions. They are capable of:

• Providing performance feedback
• Identifying individual strengths and weaknesses
• Identifying individual training needs
• Determining the brokerage’s training needs
• Improving communication

From the perspective of the compliance management process, effective performance appraisals are capable of:

• Evaluating performance for compliance and legality
• Assessing the ongoing suitability of brokers/agents
• Determining the training needs regarding compliance and other legal issues such as privacy and hiring

7.9.2 Reasons for ineffective performance appraisal programs

Those are the results expected from effective performance appraisals; however, many performance appraisals end up being ineffective. The reasons behind ineffective appraisals will be listed first to ensure that they are avoided when developing the appraisal program. Some of the most common reasons include:

• There is a lack of understanding of the purpose of the appraisal. While many brokerages define success simply as the number of or volume of mortgages funded, if that is the only criterion for success, brokers/agents who are meeting those objectives will not see the benefits of a performance appraisal, while those underperforming will see the appraisal as simply a way to reinforce that lack of production. In essence the same argument the industry attempts to make to consumers, that it’s not all about rate, is the same argument that must be made to brokers/agents: it’s not all about the bottom line. If a brokerage uses its core competencies when hiring and has laid out clear expectations regarding those competencies, its sales force will be more inclined to view the appraisal process as a beneficial function of their development as opposed to a meaningless exercise imposed by management.

• The sales force is not given clear objectives. If the objectives or core competencies that are to be measured aren’t provided from the date of hiring, the broker/agent may be unaware of the brokerage’s expectations. By clarifying these objectives from the beginning the broker/agent will have a clearly defined set of standards which will be appraised, and which brokers and agents will work towards meeting.

• Subjective or vague language is used in written appraisals. The broker/agent must understand the appraisal and the criteria used must be quantifiable and verifiable. Opinions are irrelevant in performance appraisals. Facts are essential.

• There is inadequate preparation on the part of the manager. Performance appraisals take time and will be considered a waste of that time if the person performing the appraisal isn’t properly prepared. This will often mean obtaining appraisal information from other individuals who have had contact with the broker/agent. Failure to be properly prepared with meaningful information will virtually always result in the failure of the appraisal program.

• There is no follow-up or coaching after the appraisal. While identifying strengths is conducive to good morale and can reinforce productive behaviour, simply identifying weaknesses is not enough. The appraiser must not only identify the areas requiring improvement but should also provide ways in which the broker/agent may improve and provide coaching to that end. Telling an agent that they have consistent problems with the files they submit after the mortgage has been funded is an example. Giving the agent the tools to improve their performance in this area as well as following up when necessary are both essential to the success of both the appraisal process and the agent.

• Managers only use the process for underperforming brokers/agents. The appraisal process, as discussed earlier, is not designed simply to be used on brokers/agents who appear to be underperforming. It is necessary that the appraiser, most often the manager, believe in the benefits of an appraisal program and actively ensure that it is properly implemented.

7.9.3 Guidelines for an effective performance appraisal process

Before choosing who will conduct the appraisal and how, it is necessary to set the guidelines to be used in the appraisal program. These guidelines will help determine who will conduct appraisals and how the program will be implemented. To be effective, in fact, an appraisal should meet these guidelines:

• The broker/agent must be given a copy of the appraisal form before the appraisal takes place. This will provide the broker/agent the opportunity to rate themselves ahead of time. By having time to reflect the broker/agent may arrive at some of the same conclusions as the appraiser and will have time to think about their performance and areas where he or she might need additional training.

• Performance ratings must be strictly job related.

• Whoever conducts the appraisal must have had sufficient opportunity to observe the broker/agent. If there hasn’t been sufficient opportunity because the manager is new, for example, they should solicit input from the previous manager or others who have had contact with the broker/agent. If this is not possible the manager cannot effectively appraise the broker/agent’s performance.

• Whoever conducts the appraisal must be trained on completing the appraisal. The brokerage must ensure that if it has more than one person conducting appraisals (for example if there are several managers with sales teams) that all of these individuals have been properly trained. Without this assurance there is no way to determine that the entire sales force has been appraised using the same standards. This may result in one sales force being appraised completely differently than another sales force, making comparison impossible.

• Appraisals should be discussed openly with the broker/agent. The appraisal process is not a secret process; rather, it is designed to identify strengths and weaknesses and help the broker/agent improve their performance. The end result is to help brokers/agents be more successful in their careers.

• An appeals process should be in place. If a broker/agent strongly disagrees with their performance appraisal there should be a process in place by which the broker/agent can provide their comments for inclusion in the appraisal. While the goal is to reach an agreement of performance levels and a plan to improve deficiencies, that is not always possible and in these rare circumstances the broker/agent must have an alternative solution available.

7.9.4 Deciding who should perform the appraisal

The Manager/Supervisor Appraisal

In the traditional approach for conducting a performance appraisal the manager/supervisor is typically the person who comes into the most frequent contact with the broker/agent within the brokerage. For most small to mid-sized brokerages this will be the chosen method of appraisal, providing a sufficient level of oversight to meet the standards of compliance management while still providing the broker/agent with the necessary feedback to be sufficient for sales management. The manager/supervisor should make inquiries to other sources of information if their interaction with the broker/agent isn’t sufficient to appraise them.

While there are several competencies that are appraised in a performance appraisal there are also several people who can be chosen to perform the appraisal, depending on the scope of the appraisal. The 360-degree appraisal is a form of appraisal that solicits and combines information from several sources, not just the broker/agent’s direct supervisor. While this type of appraisal may provide the most detailed appraisal, it is also the most time consuming and its results may be more or less accurate than having the appraisal done by one person. The brokerage must therefore decide on who will conduct the appraisal and the sources of information that will be relied upon for the appraisal.

In all circumstances the person providing information to be included in a 360-degree appraisal must be assured of confidentiality. Failure to do so can result in skewed responses because of fear of reprisals from the broker/agent. The manager/supervisor must also review the information for biases that may be present and should rely more heavily on his or her own interactions with the broker/agent when weighting the value of information provided by others.


What follows is a review of the possible contributors to the 360-degree appraisal process.

Self-Appraisal

The self-appraisal is part of the overall appraisal process and requires the broker/agent to complete the appraisal form before meeting with the manager/supervisor. This is one of the best ways to generate a dialogue during the appraisal interview since the broker/agent will have to have given thought to the appraisal before the interview. When a broker/agent rates him or herself higher than his or her manager/supervisor, the self-assessment becomes an important part of the discussion of gaps between the broker’s/agent’s perceptions of performance and the expectations of the brokerage.

[Figure: contributors to the 360-degree appraisal of the Broker/Agent: Manager, Compliance Dep't, Self, Peers, Clients, Lenders]

Peer Appraisal

While providing a broker/agent’s peer(s) with the appraisal form and having it completed anonymously can provide interesting feedback and sometimes more in-depth insight into the broker/agent, this process is often very time consuming and may be compromised by disinterested peers or peers who may wish to inflate or degrade the broker/agent. For this reason, they may be excluded from the process. In a 360 appraisal, if peers do contribute, their observations are only one element of an overall snapshot of performance.

Compliance Department/Person

The input of whoever performs the compliance function for the brokerage, whether it’s a department in a large brokerage or the sole proprietor of a small brokerage, is vital to the compliance management portion of the appraisal and should always be included.

Clients

Some companies will include client feedback as part of the appraisal process, often sending a questionnaire that can be completed online to the broker/agent’s clients. While this can be helpful ensuring that an appropriate cross section of clients is obtained, including those who closed their transaction with the broker/agent as well as those who didn’t, getting a response to the questionnaire may be difficult. However, this information can be used to gauge the broker/agent’s interactions with the public from both a sales and compliance viewpoint and client feedback can be crucial to determining the type of reputation the brokerage’s brokers and agents are creating in the market for the brokerage.

Lenders

Information requested of lenders, or those employees who come into contact with the broker/agent on a regular basis, should be considered in the broker/agent’s appraisal since lenders are a major client of the brokerage and these opinions can impact the future of the brokerage.

Whether or not a traditional approach is taken or a 360-degree approach, for compliance management, the individual who processes the broker/agent’s files should always be included in the process. This person will be able to provide feedback as to the broker/agent’s performance in ensuring that all aspects of compliance are met in regard to the broker/agent’s paperwork, disclosures, etc. and this information must be incorporated into the appraisal. If there is a separate person responsible for marketing, their input should be required to ensure that the broker/agent is meeting their compliance requirements in this regard as well. Whenever an individual is responsible for ensuring compliance in dealing with the broker/agent, their input must be sought and included in the appraisal. This will ensure that the brokerage is conducting the proper oversight of the broker/agent and that any shortcomings are identified and rectified.

Once the brokerage has decided who will be conducting the appraisal and the sources of information that will be included in the appraisal, the next step is to decide how the broker/agent will be appraised.

7.10 Performance Appraisal Methods

There are several methods that can be used to appraise a broker/agent’s performance. The following figure is a sample of a performance appraisal that incorporates both sales and compliance management to provide an overall evaluation of the broker/agent using three common methods of appraisal. The brokerage must determine the items to be appraised, but the sample performance appraisal provides three common methods used and focuses on production, technical proficiency, and core competencies.

7.10.1 Management by Objectives (MBO)

This method is referred to as management by objectives or MBO. MBO employs a philosophy that establishes goals for the broker/agent such as overall production, creditor sales, renewal penetration or other goals that are easily quantifiable. This method involves setting the brokerage’s common goals and objectives and appraising brokers/agents on their ability to meet those goals and objectives. The goals and objectives are modified on a periodic basis to reflect the realities faced by the brokerage. The goals and objectives are discussed and modified until they are agreed upon by both the broker/agent and the manager. The actions required to meet these goals and objectives are discussed and are also agreed upon. At the end of a specified period of time, usually every six months, the broker/agent performs a self-appraisal that is used in the appraisal interview. During the interview the goals and objectives are once again reviewed and modified, if necessary, for the following six-month period.

The following tips can assist in developing an effective MBO appraisal:

1. Managers and brokers/agents must be willing to work together to set the goals and objectives. This will help the broker/agent focus on key tasks to meet these objectives and establishes a level of accountability to which the broker/agent will agree.
2. Objectives should be easily quantifiable and measurable and should describe how to attain the goal. For example, it may be necessary to determine how many applications the broker/agent must obtain to achieve a funding. This ratio will assist the broker/agent in determining the number of applications required to meet their targets.
3. Results must be under the broker/agent’s control. This may require modifications to the targets if there are unexpected changes in the economy.

7.10.2 Graphic Rating Scale (GRS)

The second method involves a graphic rating scale (GRS). This method uses a scale on which the appraiser indicates the degree to which the broker/agent meets the trait being rated. While there are many variations of this method, as with the other two methods it is important to provide both the manager and the broker/agent with room to make comments on the behaviour associated with each trait.

7.10.3 Behavioural Observation Scale (BOS)

The third method involves a behavioural observation scale (BOS). This method is designed to measure how frequently each behaviour has been observed. This allows the appraiser to play the role of observer rather than judge, thus allowing them to provide constructive feedback more easily to the broker/agent. This method is effective in allowing the appraiser to maintain objectivity, distinguish good performers from poor performers, provide feedback and identify training needs.

The sample appraisal form which follows illustrates how all three methods may be incorporated into one appraisal form:

• Section One (Production) – appraised by MBO
• Section Two (Technical Proficiency) – appraised by a Graphic Rating Scale (GRS)
• Section Three (Core Competencies) – appraised by a Behavioural Observation Scale (BOS)

Note that section one (MBO) compares the agent’s performance to stated, quantifiable goals, section two (GRS) requires that the agent’s performance be indicated on a scale of above average to unacceptable and section three (BOS) requires an assessment according to how frequently certain competencies are observed (almost always to almost never). One or several examples have been provided in each section to illustrate the use of the three methods. This form could be adapted for the unique targets and competencies of a specific brokerage.


Figure 7 – Sample Performance Appraisal Form

2024 Agent Performance Appraisal

Name:
Manager Name:
Position: Agent
Date:
☐ Mid-Year Review    ☐ Year-End Review

[Timeline: Jan. 2024; July 2024 (Mid-Year Review); Nov 2024 (Year-End Review)]

Instructions

Beginning of Year

• The manager and agent meet to discuss and agree on the objectives, competencies, weights, and performance expectations.
• In section one performance should be defined at both plan and target levels while section two evaluates technical proficiency and section three rates competencies.
• In sections one and two each item should be assigned a weight to indicate the relative importance of the objective. Weights should be stated as a percentage, and the sum of the weights for all objectives/competencies should equal 100%.

Mid-Year and Year-End Review

• Check the “Mid-Year Review” box or the “Year-End Review” box above.
• The agent documents accomplishments made during the review period, assigning a rating to each item.
• The agent sends the completed form to their manager to add comments and ratings for each item.
• The manager and agent meet to discuss progress on each item and agree on the performance ratings.
• The manager completes the Overall Rating.
• Both the agent and manager must sign and date the form.
• If required, the manager and agent agree on solutions to rectify any item with ratings of 2 or lower in section one, average or below average in section two, and 3 or lower in section three.

Performance Review Ratings

Rating: Behaviour
5. Above Target: Accomplishments exceed the standards defined for Target level performance
4. Target: Significant stretch above basic performance expectations
3. Above Plan: Performance level is between Plan and Target levels
2. Plan: Basic objectives and standards are met – minimum acceptable performance
1. Below Plan: Accomplishments are less than the standards defined at Plan level

Section One: Appraisal: Production

1. Objective: Overall Fundings
Weighting: 25%
Actions
Plan: $4,500,000 OR 18 transactions
Target: $5,175,000 OR 21 transactions
Agent’s comments/examples/suggested corrective measures:
Agent’s Rating:
Manager’s comments/examples/suggested corrective measures:
Manager’s Rating:

2. Objective: Creditor Insurance Sales
Weighting: 25%
Actions
Plan:
Target:
Agent’s comments/examples/suggested corrective measures:
Agent’s Rating:
Manager’s comments/examples/suggested corrective measures:
Manager’s Rating:

3. Objective:
Weighting:
Actions
Plan:
Target:
Agent’s comments/examples/suggested corrective measures:
Agent’s Rating:
Manager’s comments/examples/suggested corrective measures:
Manager’s Rating:

Section Two: Appraisal: Technical Proficiency

1. Competency: Product Knowledge
Details:
Weighting:
Agent’s Rating: Above Average / Average / Below Average / Unacceptable
Agent’s comments/examples/suggested corrective measures:
Manager’s Rating: Above Average / Average / Below Average / Unacceptable
Manager’s comments/examples/suggested corrective measures:

2. Competency:
Details:
Weighting:
Agent’s Rating: Above Average / Average / Below Average / Unacceptable
Agent’s comments/examples/suggested corrective measures:
Manager’s Rating: Above Average / Average / Below Average / Unacceptable
Manager’s comments/examples/suggested corrective measures:

3. Competency:
Details:
Weighting:
Agent’s Rating: Above Average / Average / Below Average / Unacceptable
Agent’s comments/examples/suggested corrective measures:
Manager’s Rating: Above Average / Average / Below Average / Unacceptable
Manager’s comments/examples/suggested corrective measures:

Section Three: Appraisal: Core Competencies

Each competency is rated on a scale from 5 (Almost Always) to 1 (Almost Never).

1. Submits all files in full compliance with company policies and procedures
Rating: 5  4  3  2  1
Agent’s comments/examples/suggested corrective measures:
Manager’s comments/examples/suggested corrective measures:

2. Submits all marketing materials for approval before publication
Rating: 5  4  3  2  1
Agent’s comments/examples/suggested corrective measures:
Manager’s comments/examples/suggested corrective measures:

3. Handles all complaints in full compliance with company policies and procedures
Rating: 5  4  3  2  1
Agent’s comments/examples/suggested corrective measures:
Manager’s comments/examples/suggested corrective measures:

4. Expresses ideas in writing in a clear, concise and organized manner for a variety of audiences.
Rating: 5  4  3  2  1
Agent’s comments/examples/suggested corrective measures:
Manager’s comments/examples/suggested corrective measures:

5. Demonstrates an understanding of industry trends, business concepts and economic development.
Rating: 5  4  3  2  1
Agent’s comments/examples/suggested corrective measures:
Manager’s comments/examples/suggested corrective measures:

6. Demonstrates an understanding of financial management policies, principles, processes and the impact of decisions in a public sector environment.
Rating: 5  4  3  2  1
Agent’s comments/examples/suggested corrective measures:
Manager’s comments/examples/suggested corrective measures:

7. Is a self starter; seeks out and/or willingly accepts new challenges, responsibilities, and assignments.
Rating: 5  4  3  2  1
Agent’s comments/examples/suggested corrective measures:
Manager’s comments/examples/suggested corrective measures:

Section Four: Summary and Review

Agent’s summary/examples/suggested corrective measures:

Manager’s summary/examples/suggested corrective measures:

Agent’s Signature:                Date:

Manager’s Signature:              Date:

7.11 Assessing Agents and Brokers for Compliance

As discussed in section 6.5, monitoring agents and brokers for compliance with the Act and its Regulations is key to the brokerage’s success in ensuring compliance. The following Compliance Checklist for Mortgage Brokerages, Brokers & Agents [35] was developed by the regulator to assist in complying with the Act and its Regulations. All of these requirements are set out in the law – they are not suggestions.

7.11.1 Customer Relations

☐ Ensure the mortgage product presented is suitable for your customer. Consider the needs and circumstances of the borrower, lender, or investor to ensure that any mortgage or mortgage investment presented is suitable for your customer. This requirement does not apply if the customer is another Mortgage Brokerage or financial institution.
☐ If asked, provide the name in which you are licensed along with your Mortgage Brokerage/Broker/Agent licence number.
☐ Prominently disclose the Mortgage Brokerage’s authorized name and licence number in all public relations materials. If the name of a Mortgage Broker or Agent is included, use the name in which he/she is licensed and the title “Mortgage Broker”, “Broker”, “Mortgage Agent” or “Agent.”
☐ If the Mortgage Brokerage is a franchise, clearly indicate that it is independently owned and operated. The public relations materials must clearly indicate that the company is independently owned and operated if the Mortgage Brokerage’s authorized name is the name of a franchise or includes the name of a franchise.
☐ Disclose the role in which the Mortgage Brokerage is acting.
  • Disclose in writing to the borrower or lender whether the Mortgage Brokerage is acting for the lender, the borrower, or both the borrower and the lender without preference to the interests of either.
  • This requirement does not apply when the Mortgage Brokerage is the lender.
  • Disclosure must be in plain language that is clear and concise. It should not include false, misleading, or deceptive information.
☐ Use plain language and be clear, brief and logical in written disclosures, consents and acknowledgements.
☐ Issue a receipt upon receiving trust funds. Indicate the amount that was received, the date, the name of the individual/business that provided the funds, the purpose of the funds, the Mortgage Brokerage’s terms for holding the funds, and the name of the Mortgage Broker/Agent who received the funds.
☐ Return original documents to their owners when requested, at no charge.
☐ Provide a written response to a written complaint. Tell the client that they may contact FSRA if they are not satisfied with your response and believe the law has not been followed.

[35] FSRA, https://www.fsrao.ca/media/4571/download

7.11.2 Disclosure

☐ Disclose in writing to the borrower the number of lenders on whose behalf the Mortgage Brokerage acted during the previous fiscal year and whether the Brokerage itself was a lender. Upon request, disclose in writing the name of the lender, if any, with whom the Brokerage arranged more than 50 per cent of the total number of mortgages and mortgage renewals during the previous fiscal year, or whether the Mortgage Brokerage itself was the lender of more than 50 per cent of the total number of mortgages and mortgage renewals.
☐ Disclose information about fees the Mortgage Brokerage receives or will/may receive from others. Disclose in writing to the borrower whether fees are payable by others to the Mortgage Brokerage in connection with the mortgage. Include the person/entity paying the fees, the basis for calculating the amount of the fee, and if a benefit other than money, the nature of that benefit. Also disclose whether the Mortgage Agent/Broker receives or may receive any incentive from another person/entity, and who that person/entity is. Obtain written acknowledgement from the borrower.
☐ Disclose information about fees the Mortgage Brokerage is paying. Disclose to the borrower in writing whether the Mortgage Brokerage has paid, may pay, or will pay a fee to another person/entity in connection with the mortgage, the name of person/entity receiving the fee, and the basis for calculating the fee or other remuneration. If it is a benefit other than money, disclose the nature of the benefit. Obtain written acknowledgement from the borrower.
☐ Disclose information about referral fees the Mortgage Brokerage is receiving. Disclose in writing to the borrower whether the Mortgage Brokerage is receiving, directly or indirectly, a fee for referring a borrower, lender, or investor to another person/entity for a fee or other remuneration. Include a description of the Brokerage’s relationship with the other person/entity.
☐ Disclose material risks. Disclose in writing to the borrower, lender or investor the material risks of the mortgage or mortgage investment. Get written acknowledgement that the customer has received this disclosure. This disclosure requirement does not apply to designated classes of lenders and investors defined in Section 2 of Ontario Regulation 188/08.
☐ Disclose potential conflicts of interest. Disclose in writing to a borrower, lender or investor, any conflict of interest that the Mortgage Brokerage, Broker or Agent may have in connection with the mortgage or trade in a mortgage. This does not apply if the lender is another Mortgage Brokerage, or if the investor is another Brokerage or financial institution. Obtain written acknowledgement of the disclosure.
☐ Disclose the cost of borrowing to the borrower. Provide the borrower a written disclosure statement on the cost of borrowing as detailed in the Cost of Borrowing and Disclosure to Borrowers (Ontario Regulation 191/08), Sections 8 and 9. Provide this disclosure at least two business days before the borrower makes any payment in relation to the mortgage or enters into the mortgage agreement. This timing requirement does not apply if the borrower consents in writing before the earliest of these dates described.
☐ For reverse mortgages, ensure the borrower provides a signed statement from a lawyer stating that the lawyer has provided independent legal advice to the borrower.
☐ Disclose information based on an estimate or assumption. Inform the borrower/lender/investor in writing that the information is an estimate, or is based on an assumption.
☐ Inform the lender as soon as possible, if you doubt the borrower’s legal authority to mortgage a property, or if you doubt the accuracy of the borrower’s application or supporting documentation.
☐ Verify the identity of each borrower, lender, and investor. Advise the borrower, lender, or investor, as the case may be, if you are unable to verify the identity of another party to the transaction. Do this before the borrower enters into the mortgage agreement, submitting the borrower’s mortgage application to a lender, or the trade completion date of a mortgage investment.
☐ Disclose to an investor if a mortgage has been in default during the past 12 months. Include the amount and duration of the default in the disclosure. Get written acknowledgement that the investor has received this information.
☐ Give a completed Investor/Lender Disclosure Statement to the investor/lender. Include all relevant documentation and provide disclosure at least two business days before:
  • the Mortgage Brokerage receives funds from the lender/investor;
  • the Mortgage Brokerage enters into an agreement to receive funds from the lender/investor;
  • the lender enters into an agreement to enter into a mortgage, or the investor enters into an agreement to purchase/exchange/sell a mortgage;
  • the borrower receives funds for their mortgage;
  • the trade completion date.
  This waiting period may be reduced to one business day if the lender/investor consents in writing.
☐ For mortgage renewals, provide the lender a completed Renewal Form and supporting documents.

7.11.3 Business Practices

☐ Mortgage Brokers/Agents can work for only one Mortgage Brokerage at a time.
☐ If you are operating another business, make sure it does not jeopardize your Mortgage Brokerage’s integrity, independence, or competence.
☐ Do not use any information that was obtained while carrying on Mortgage Brokerage business for any other purpose, without first obtaining the written consent of the individual or business who is the subject of the information.
☐ Notify FSRA’s online Licensing Link within five days of changes to your contact information or status. A Mortgage Broker/Agent must notify FSRA of changes to their mailing address, e-mail address, telephone, or fax number, and if they are no longer authorized to act on behalf of a Mortgage Brokerage. Late notifications by Mortgage Brokers/Agents may result in a $250 penalty.

7.11.4 Prohibited Activities

The Mortgage Brokerages, Lenders and Administrators Act, 2006 and regulations, prohibit:

• Trading or dealing in mortgages without a licence — as of July 1, 2008, all Mortgage Brokerages, Administrators, Brokers, and Agents must be licensed with FSRA to carry on business in Ontario, unless an exemption applies.
• Using an unauthorized name — you can use only the name in which you are licensed.
• Collecting advance fees for mortgages of $300,000 or less — if the principal amount of the mortgage is $300,000 or less, the Mortgage Brokerage cannot require or accept an advance payment/deposit for services to be rendered and expenses to be incurred by the Brokerage or any other person.
• Receiving funds from investors/lenders in advance — the Mortgage Brokerage cannot receive funds from an investor unless an existing mortgage is available, or from a lender unless a mortgage application has been made on a specific property.
• Indicating that Mortgage Brokerage fees are approved by the government — you cannot claim that Mortgage Brokerage fees are approved by a government authority. The only exception is fees under the Land Titles Act or the Registry Act.
• Offering guarantees to lenders/investors — you cannot offer a guarantee to a lender/investor regarding a mortgage loan or mortgage investment.
• Engaging in tied selling — borrowers/lenders/investors cannot be required to obtain a product or service as a condition for obtaining another product or service from the Mortgage Brokerage.
• Acting for a borrower/lender/investor if you believe a mortgage is unlawful.

7.12 Self-Assessment to ensure Principal Broker Obligations are met

To ensure that the Principal Broker’s obligations are being met, the brokerage should use the following self-assessment tool on a periodic basis. This tool can be used in conjunction with a periodic performance review of the principal broker, as well as proactively in the principal broker hiring process by outlining the expectations and responsibilities of this role. To be effective, this tool should be:

• Used regularly, for example quarterly, or where necessary, more frequently
• Used by an independent evaluator(s), or by several members of the brokerage’s compliance department or management team with relevant experience to make the review meaningful and accurate
• Consistent: the brokerage should use the same measurements, data sources, metrics, and methodology to create results that can be compared over different time periods. This will provide the brokerage with information to gauge the effectiveness of its policies and procedures
• Taken seriously: failure to take compliance reviews seriously may result in a culture that sees compliance as less important than other metrics, such as production
• Used to determine corrective actions where non-compliance, or the potential for non-compliance is identified

7.13 Compliance Checklist for Managing the Mortgage Brokerage as of January 1, 2009 [36]

This Compliance Checklist was developed by the Financial Services Commission of Ontario (FSCO) to assist Mortgage Brokerages in complying with new regulations relating to standards of practice (Ontario Regulation 188/08) and reporting requirements (Ontario Regulation 193/08) under the Mortgage Brokerages, Lenders and Administrators Act, 2006 (the Act). All of these requirements are set out in the law — they are not suggestions.

[36] FSRA, https://www.fsrao.ca/media/4566/download

7.13.1 Managing the Mortgage Brokerage

Establish and implement policies and procedures to supervise and ensure the Mortgage Brokerage and its Mortgage Brokers and Agents comply with the law. Include policies and procedures on:
• The description and disclosure of the Mortgage Brokerage’s role in relation to borrowers and lenders.
• Verifying the identity of borrowers, lenders, and investors.
• Determining the suitability of a mortgage or mortgage investment for a borrower, lender, or investor.
• Identifying material risks and disclosing them to the borrower, lender, or investor.
• Identifying and disclosing potential conflicts of interest to the borrower, lender, or investor.
• Receiving incentives other than money from other persons and entities.
• Providing incentives other than money to Mortgage Agents and Brokers of other Mortgage Brokerages.

Screen and monitor all your Mortgage Brokers/Agents. Immediately notify FSRA if a Mortgage Broker or Agent is not suitable for licensing.

Establish a complaints process for resolving complaints from the public.
• Designate an employee or someone authorized to act on behalf of the Mortgage Brokerage to receive and attempt to resolve complaints from the public.
• Provide a written response to each written complaint.
• Keep a record of all written complaints received from the public and all written responses.

Maintain errors and omissions insurance. Each Mortgage Brokerage is required to have errors and omissions insurance covering fraudulent acts. The insurance must cover a minimum of $500,000 for any one occurrence and $1 million for all occurrences during a 365-day period.

Notify FSRA if errors and omissions insurance is cancelled or not renewed. Failure to notify FSRA may result in a $1,000 penalty.

File an Annual Information Return by March 31st each year. Late filings may result in a $1,000 penalty.

Maintain a mailing address in Ontario that is suitable for service by registered mail. A valid e-mail address is also required. Failure to comply with this requirement may result in a monetary penalty.

Notify FSRA within five days of the following changes:
• A change in the location of your principal place of business, or the opening or closing of any other office that is open to the public.
• A change in your mailing address, e-mail address, telephone number or fax number.
• A change in a Director, Officer, Partner, or Principal Broker.
• A Mortgage Broker or Agent that is no longer authorized to act on behalf of your Mortgage Brokerage.
A late notification may result in a $500 penalty.

7.13.2 Keeping Records

Maintain complete and accurate records of:
• Financial records for all mortgage brokering activities in Ontario. (Financial records must distinguish between deemed trust funds and other assets).
• Every mortgage application, instrument and renewal agreement that is received or arranged.
• Mortgage Brokerage agreements on dealing/trading in mortgages and mortgage lending.
• All documents and written information given to and received from clients and prospective clients.

Take adequate precautions to guard against falsification of records or improper access to clients’ personal information.

Retain all records that the Mortgage Brokerage is required to maintain for at least six years:
• After the maturity or expiry of mortgage agreements and mortgage renewals.
• After completion or other expiry of a purchase, sale, or trade of a mortgage.

Store all records at your main office. Inform FSRA if you are storing your records in a different location. Electronic records do not need to be stored at your main office as long as they can be quickly retrieved.

7.13.3 Trust Funds

The following checklist only applies to Mortgage Brokerages that receive trust funds.

Notify FSRA within five days if you are required to establish a trust account. Late notifications may result in a $1,000 penalty.

Hold deemed trust funds in a trust account. Money received from borrowers/lenders/investors for dealing/trading in mortgages needs to be held in a trust account. Other funds do not need to be placed in a trust account:
• Funds earned by the Mortgage Brokerage for rendered services.
• Funds for reimbursing expenses.
• Funds payable to the Mortgage Brokerage as a mortgage lender.

Maintain a trust account in a bank, credit union, or loan and trust company in Ontario.

Conduct the following activities when administering the trust account:
• Deposit trust funds within two business days.
• Keep trust funds separate from other funds.
• Pay any interest earned to the beneficial owner, unless otherwise agreed upon in writing.
• Disburse trust funds according to the terms under which the funds were received.

Keep records of transactions related to trust funds.
• Keep a copy of the receipt the Mortgage Brokerage provided when the funds were received.
• For deposits — note the amount, date, name of the person/business from whom the money was received and purpose of the deposit (including particulars of the mortgage).
• For disbursements — note the amount, date, name of the person/business to whom funds were disbursed, as well as the purpose (including particulars of the mortgage).
• For interest payments — identify the particular deposit of deemed trust funds to which the interest payment relates, the amount of interest associated with the deposit, and the date the interest was paid.

Prepare a monthly reconciliation statement for the trust account. The statement should be signed by the Mortgage Brokerage’s Principal Broker certifying it is accurate. This must be done within 30 days of receiving the monthly account statement from your financial institution (if statements are received), or 30 days after the month ends. The reconciliation statement must set out any differences between the Mortgage Brokerage’s records and the financial institution’s records. It also needs to report the balance owing to each person/business, as of the date of the monthly account statement (if statements are received), or the last day of the month.

Notify FSRA immediately if there are any shortfalls in the trust account.

Prepare an annual trust account reconciliation within 90 days of fiscal year end. A Mortgage Brokerage that is required to prepare monthly reconciliation statements during the fiscal year must also prepare an annual reconciliation statement for that year. The annual reconciliation statement must summarize the contents of each required monthly reconciliation statement. It is not required to be filed with FSRA.


Table of Figures

Figure 1 – Sample Borrower Budget
Figure 2 – Sample Know Your Client Form for Investors
Figure 3 – Mortgage Brokerage Cybersecurity Policies & Procedures and Insurance Coverage
Figure 4 – Mortgage Administrator Cybersecurity Policies & Procedures and Insurance Coverage
Figure 5 – Mortgage Brokerage - AIR Cybersecurity Responses
Figure 6 – Mortgage Administrator - AIR Cybersecurity Responses
Figure 7 – Sample Performance Appraisal Form