(Updated on April 7, 2022)
This guideline, entitled Ligne directrice sur les agents d’évaluation du crédit, sets out the AMF’s expectations regarding several practices. In this instance, rather than adopting various guidelines devoted to specific topics, such as operational risks, the management of outsourcing risks and those related to information security, the AMF elected to consolidate its expectations of credit assessment agents in a single guideline.1
This guideline was adopted pursuant to the Credit Assessment Agents Act (the Act). Adopted in 2020, the Act provides a framework for the commercial and management practices of credit assessment agents. It also creates rights for the benefit of persons on whom credit assessment agents have constituted a file. In addition, the Act makes the AMF responsible for the supervision and control of the commercial and management practices of credit assessment agents. Among other things, it gives the AMF the power to issue written instructions, guidelines and orders, and to impose administrative monetary penalties.
What is a credit assessment agent?
It is up to the AMF to designate, on its own initiative, an enterprise as a credit assessment agent.2 These designations are public and are entered on a register. The qualification of a credit assessment agent thus results from a proactive designation by the AMF. This designation makes the designated enterprise subject to the Act and to the AMF’s supervision, and thereby imposes new obligations on it.
Credit assessment agents are enterprises whose commercial activities consist of constituting files on persons and preparing and providing credit reports on the character, reputation and solvency of those persons.
Such enterprises must have significant business relationships with financial institutions. In other words, having business relationships with financial institutions is a fundamental criterion for being designated a credit assessment agent.
Recap of the protective measures created by the Credit Assessment Agents Act
The Act creates three main protective measures, which must be implemented by credit assessment agents at the request of either the person on whom they hold a file, that person’s representative, or the person having parental authority, if applicable.3 These measures have impacts not only on the individuals for whose benefit the file was constituted, but also on the financial institutions and other organizations that consult credit files. These measures are a credit freeze, a security alert and an explanatory note.
The purpose of a credit freeze is to prohibit the agent from providing information in the file to third parties, in connection with the conclusion of a new:
- credit contract or credit-limit increase
- long-term contract of lease of property (e.g. an automobile)
- contract of successive performance provided at a distance (e.g. cellular phone or internet service contract)4
The freeze will thus not apply, for example, in the context of an insurance contract. Nor will it apply where a lender wishes to add information to the credit file on the payment habits of a borrower. It will apply however where a lender wishes to obtain the credit score for the purposes of an application to increase a credit card limit.
For the moment, the credit freeze measure is not in force, in order to give all stakeholders sufficient time to put in place the operational measures required to implement it. The use of the credit freeze measure may be subject to fees, which must be reasonable,5 and for which a maximum ceiling may be imposed by regulation. The regulation could even require it to be free of charge.6
A security alert allows a person to add, without charge, a notice to their file, including a telephone number that can be used to confirm their identity.7 When the security alert is in place, the credit assessment agent will so inform anyone requesting information in the person’s file and advise that reasonable measures must be taken to verify the person’s identity before entering into a contract with that person.8
Finally, any person can have an explanatory note added to their file in the event of a disagreement on its content.9 This note may be consulted by any enterprise that takes cognizance of the file.10
Content of the Guideline on credit assessment agents
It should first be borne in mind that a guideline adopted by the AMF is intended to inform persons under its jurisdiction of its views on the measures that they may adopt in order to comply with their obligations under the Act.11 It should also be noted that the AMF’s guidelines do not have the same authority as a statute or regulation, and are drafted in a distinct style.12
In this case, the adoption of a guideline was expected, as the Act imposes obligations that are vaguely and broadly drafted and that consequently require further clarification on compliance. For example, the Act requires that “sound commercial practices” be adhered to, and that “fair treatment” be provided to the persons concerned,13 without any indication of how these terms are defined.
The guideline is divided into seven distinct sections: (1) governance, (2) sound commercial practices, (3) management of operational risk, (4) management of risks related to information and communications technologies, (5) management of outsourcing risk, (6) business continuity, and (7) monitoring of appropriate management practices and sound commercial practices. The content of these sections is dealt with in more detail below.
1. Governance
The guideline emphasizes the importance of a business culture based on ethical organizational conduct.14 This is an expectation already articulated regarding other persons subject to the authority of the AMF, for example in the Governance Guideline. The concept of ethical organizational conduct is not specifically defined, but stems from the G20/OECD Principles of Corporate Governance, which provide additional information in this regard. For example, these principles specify that the ethical standards of a company may be set out in a code of conduct adopted by the board of directors, and add that “an overall framework for ethical conduct goes beyond compliance with the law, which should always be a fundamental requirement.”15
Since credit assessment agents interact with financial institutions and manage sensitive information, the AMF suggests that they draw inspiration from the three lines of defence model for risk management, and emphasizes that it expects credit assessment agents to base themselves on the same standards as their principal business partners. This is presumably a reference to the standards used by financial institutions for risk management, and the expectation is intended to be an evolving one, as these standards will necessarily change over time.16
The three lines of defence model is recognized and applied by financial institutions in Québec and Canada. It was originally developed by the Institute of Internal Auditors in 2013,17 and was updated in 2020.18
2. Sound commercial practices
The guideline sets out that the information provided to individuals should be communicated in simple, clear and precise language, regardless of the means of communication used. It also calls for consumers to be provided with means of communication that allow rapid and effective contact to be established, adding that these means should be varied (e.g. telephone, email). It also recommends that these communication methods be easily identifiable on all platforms, such as the agent’s website and social media accounts.
The guideline also expressly provides that advertising should be accurate, clear and not misleading.
With respect to data management, the guideline specifies that the agent should adopt operating procedures to ensure that the information it provides is up-to-date and accurate.
In addition, the guideline sets out certain expectations regarding the management of complaints, including that they be dealt with fairly and equitably, and in a manner that is simple and accessible for consumers. It also specifies that the AMF expects credit assessment agents to adopt, in accordance with the Act, a complaint management and dispute resolution policy, and to keep a register of complaints.19 It adds that a complaint management officer should be appointed, and that a summary of the complaint management policy should be available to consumers on the agent’s website.
3. Operational risk management
The section on operational risk specifies that the agent should adequately manage this risk, in a manner consistent with the strategy developed for that purpose. The guideline also indicates that the organizational culture should promote adequate risk management and should emanate from the agent’s decision-making bodies.
4. Management of risks related to information and communications technologies
The guideline indicates that the information security function should be well defined in order to promote its independence and objectivity, while specifying that it should not be responsible for internal audit work. In other words, this means ensuring a certain independence of the security functions and the information technology teams dedicated to the development of the enterprise’s IT tools. The guideline also specifies that management of the risks related to information and communications technologies should be based on recognized sources, recommendations and standards, such as those of the OECD, the G7, NIST, ISACA-COBIT or the ISO.
In this regard, it is recommended that a member of senior management be assigned to oversee and deploy the framework for information security, and that another senior management member, such as a chief data officer, be responsible for the framework for receiving, storing and using data within the organization. Among the measures to be put in place, the credit assessment agent should implement a process of periodic identification of information assets and their vulnerabilities, and ensure that access privileges are granted in accordance with the “least privilege” principle and the segregation of duties principle.
5. Management of outsourcing risks
The requirements of the guideline specifically address outsourcing risks that may affect the protective measures created by the Act. The scope of the requirements in this regard is different from that of the more general requirements that may apply to financial institutions under the AMF’s authority by virtue of the Outsourcing Risk Management guideline. For example, in the case of a credit assessment agent, the AMF’s recommendations may apply to the outsourcing of some or all of its internal processes related to a credit freeze.
The guideline also sets out that any outsourcing agreement with a supplier operating outside Canada, or who processes, stores or moves data outside of Canada, should be disclosed to the AMF on request, to the extent that the agreement relates to consumers’ rights that arise under the Act.
6. Business continuity
With respect to business continuity, the guideline emphasizes in particular the importance of establishing a continuity plan for critical business activities and of documenting in detail the activities required by the plan, including regarding cybersecurity events. It also specifies that the AMF wishes to be notified in the event that the business continuity plan is activated.19
7. Monitoring of appropriate management practices and sound commercial practices
The guideline specifies that the AMF will assess compliance with the principles set out therein, particularly by evaluating the effectiveness and relevance of the strategies, policies and procedures put in place, as well as the quality of the supervision and control exercised by the decision-making bodies. It also encourages credit assessment agents to base themselves on best practices for the subjects covered by the guideline and to implement them if they meet their needs.
More regulated and defined practices
In conclusion, the adoption of this guideline completes the exercise of establishing a framework for certain practices of credit assessment agents following the adoption of the Act. The next step in the deployment of the measures created by the Act will be the coming into force of the credit freeze rules. A decree published in the April 6 edition of Part II of the Gazette officielle du Québec establishes February 1, 2023 as the date of the coming into force of the credit freeze.