CLHIA Process on Electronic Declarations
Release Date: 12/24/2019
Staff Reference: Kate Walker
Electronic insurance business practices evolve alongside advances in technology. Canadian life and health insurance companies (“Insurers”) and other entities such as third party administrators, employers, and group policyholders/plan sponsors (“Third Parties”) involved in the administration of insurance and group benefits on behalf of Insurers must ensure these business practices comply with all applicable laws as well as meet regulatory expectations.
Purpose and Scope
The CLHIA Process on Electronic Declarations (“Process”) sets out recommended processes that Insurers and Third Parties acting on behalf of Insurers (collectively “Company” or “Companies”) may consider when collecting, using, and retaining declarations electronically. Companies must make their own determination whether they will accept, retain and use declarations electronically and the manner in which they choose to do so.
Each Company’s process for collecting, using, and storing the electronic declaration must contain reasonable safeguards to protect the integrity of the electronic declaration.
The process should:
1. Be supported by an electronic system designed, adopted by, or otherwise approved by a Company, which is capable of accepting and storing declarations made by an individual policy owner or, for group insurance, the group life insured (collectively “Insured”). Where a Company chooses to accept more complex declarations electronically, such as declarations that may involve multiple signatories or contingent beneficiaries, the system should be appropriately robust to accommodate these additional requirements. In all cases, the information should be kept secure at all times in accordance with the Company’s own requirements for the electronic storage of personally identifying information.
2. Capture the declaration(s) and require the Insured(s) to confirm their intent to make the declaration by way of an electronic signature [1], captured by the system in accordance with the requirements of the applicable electronic commerce legislation.
3. Utilize appropriate technology which captures the declaration and the Insured’s signature in electronic form. When such a signature is used, it, or the process used to obtain it, should have the following characteristics:
   (i) it is uniquely linked to the Insured;
   (ii) it is capable of identifying the Insured;
   (iii) if subject to the use of authentication credentials or factors, such credentials or factors can be maintained under the Insured’s sole control; and
   (iv) it is linked to the declaration or similar document (such as an application or enrolment form) to which it relates in such a manner that any subsequent change of the data is detectable.
4. Provide assurances of the Insured’s identity through a verification system allowing:
   a) the identity of the person and their link to the document to be confirmed by having appropriate authentication safeguards such as the use of:
      i. password log-ins;
      ii. personal verification questions; or
      iii. other logical and operational security measures; and
5. Provide a mechanism for the declaration to be:
   a) accessible to the Insured at the time the declaration is made, so that the Insured can take appropriate action to ensure it is available for subsequent reference;
   b) stored (electronically) so as to be protected against unauthorized access; and
   c) acknowledged by electronic or other means as received by the Company.
The characteristics of a process, as described immediately above, provide greater clarity and outline appropriate safeguards where the Insured chooses to utilize electronic means and where the Company chooses to accept electronic declarations and has reliable procedures in place.
Companies should have their electronic declaration processes reviewed by experienced information security professionals both before implementation and on a regular basis thereafter to ensure they have considered the recommended processes set out above.
As technology evolves and the law changes, Companies are responsible for ensuring that their own electronic processes remain up-to-date and compliant with the law. Companies should self-evaluate in this respect as part of the Company’s Regulatory Compliance Management System with appropriate approval at a senior level (e.g. Chief Compliance Officer, Chief Risk Officer).
Special consideration should be given to irrevocable beneficiary designations where additional processes may be required.
This document is not a substitute for legal advice. Companies should obtain independent legal advice.
Applicable law takes precedence over any conflict between the provisions of this Process and any applicable law.
December 24, 2019
[1] A signature is not specifically required for a declaration made under the laws of Quebec. An electronic declaration must comply with articles 2446 of the Civil Code of Quebec, L.Q. 1991, c. 64, and with the Act to establish a legal framework for information technology, CQLR c C-1.1.