C & C Insurance Consultants Ltd is committed to excellence and innovation in all the services we provide to our clients. We are dedicated to the highest standards of service and total accountability.
At C & C we recognize that no two clients are the same and that each solution we provide must be the right solution for each individual client. We will continue to identify emerging challenges and the opportunities for our clients and provide innovative solutions and strategies.
Policy
All staff of C & C will advocate for the best interests of our clients and will reinforce the client’s right to be heard. C & C will strive to resolve client complaints promptly and fairly using established lines of communication.
Procedures
1. Clients will be provided with an opportunity to express concerns directly to the C & C Employee.
2. Clients can request a meeting with the HR Representative or President.
3. A request to resolve a specific concern or complaint may be made, in writing, by the client directly orby another person representing the client. Such complaints will be directed to the HR Representative.
4. Upon receipt of a written complaint to the HR Representative, the matter will be discussed with the pertinent employees.
5. A written report of the review will be prepared for the HR Representative and will be shared with the client. This review will be completed within Five (5) calendar days of the request.
6. If this does not resolve the issue to the client’s satisfaction, a further review may be requested of theHR Representative who will complete the review within five (5) calendar days.
7. If the matter is still unresolved, upon further written notification, the HR Representative and thePresident will review the matter. The client will be informed in writing of the findings.
8. The client’s complaint and the subsequent actions and review findings will be written up in the form of an incident report with a copy going in the client file and the original going in the incident report file.
Policy
Staff of C & C will exercise due regard for the retention of client-sensitive material in any form, including paper, computer, audiotape, videotapes, or verbal communication. For the purposes of this policy, rough notes are considered a part of the client record. Client confidentiality remains the overriding principle in dealing with client records. C & C is in compliance to the principles of PIPEDA, The Personal Information Protection and Electronic Documents Act, as well as to those regulations of the act to which it is subject.
Confidentiality is outlined in the Confidentiality Policy. (Policy 2-09)
PurposeAll employees, at one time or another may receive personal, privileged, and/or confidential information concerning clients. The purpose of the Client Information Policy and Procedure is to preserve the privacy of clients by outlining employee obligations and procedures for dealing with personal, privileged, and/or confidential information.
Responsibility
Employees are responsible for:
- Collecting all required information and keeping their client information up-to-date.
- Being familiar with and following policies and procedures regarding personal information.
- Obtaining the proper consent and authorization prior to disclosure of personal, privileged and/or confidential information;
- Immediately reporting any breaches of confidentiality to their Team Leader;
- Explaining this policy to clients;
- Relinquishing any person, privileged, confidential, or client information in their possession before or immediately upon termination of employment.
Team Leaders are responsible for:
- Ensuring policies and procedures regarding collection, use and disclosure of information are consistently adhered to;
- Responding to requests for disclosure after the proper release is obtained;
- Cooperating with the HR Representative to investigate complaints or breaches of policy.
Procedure
Every individual must complete all appropriate forms/paper work before he/she begins their employ with C & C.
Hard copies of appointment schedules, calendars, notices of meetings, dates and time of contacts, and documents of significant events will be shredded if they contain information that might identify a client; discretion should be used to ensure the contents of these materials are kept confidential.
Telephone and other message slips, reports, letters, handwritten, or rough notes containing relevant information will be summarized in the appropriate database and the hard copies destroyed by shredding.
Copies, duplicates – if no longer in use must be shredded.
Material prepared for reviews – this is usually a summary of reports and documents already contained in the file. The original copy of the summary will be retained in the client file, along with a note about the outcome of the review; draft copies and rough notes to prepare the summary will be shredded.
Every contact with the client will be recorded in the appropriate database. This will ensure comprehensive monitoring of the client.
All information pertaining to the client will also be in appropriate databases.
The passwords given to individuals authorized to view client files on the database software will remain private and are not to be shared with any other individual.
All interventions must be updated.
Information stored on computer
Automated client information shall be subject to at least the same confidentiality protocols as those, which apply to written records (Confidentiality Policy 2-09).
Relevant passwords shall be changed whenever an employee ceases employment at C & C. Relevant passwords shall also be changed whenever there is an indication of a breach of security. If an employee feels their password(s) have been compromised, he/she is required to request it be changed immediately.
Closing a File
Files are kept for seven (7) years after the case is closed. At this time, representatives of the company will retain no personal notes or other information and any duplicated material will be shredded.
Policy
C & C is committed to both the letter and spirit of the Personal Information Protection and Electronic Documents act. C & C safeguards the privacy of client information. With the passage of the act C & C has taken the opportunity to further strengthen those safeguards and heighten staff awareness of the importance of the protection of client information.
Responsibility
While final responsibility for security of personal information of both staff and clients falls upon the HR Representative, each staff member will act as a Compliance Officer, in keeping with the act.
Procedures
1) C & C will create and maintain a document entitled, Purpose and Procedure for Collection of PersonalInformation, which will outline what information will be collected, why it is collected, how it will be stored, and what safeguards are maintained. This document will be available to all staff and clients who request it.
2) The HR Representative, acting as the Compliance Officer, will conduct an annual audit of C & C’s privacy policies and practices in order to ensure that the principles of PIPEDA are carried out.
3) Each orientation session with new employees will contain a section on privacy and the collection and protection of personal information, along with a review of the 10 basic principles foundational to the PIPEDA act.
4) All client complaints and requests will be handled expeditiously by the Compliance Officer, and should be directed to their attention. Client complaints will be dealt with according to the timelines and procedures detailed in the Purpose and Procedure for Collection and Security of Personal Information document.
The following outline is policy and procedures that every employee of C&C Insurance Consultants Ltd. must adhere to involving the 3 sections pertaining to our type of entity and the services we provide, and the most recent amendments on June 23, 2008, to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act 2001. These policies and procedures are not intended as a substitute for FINTRAC Guidelines, which can be accessed by visiting www.FINTRAC.gc.ca, nor the companies we may represent. Be aware that the policy and procedures guideline will be under ongoing review, development and documentation as required under the legislation.
Our employees will review and update as necessary and each member will be obligated to sign off that they have reviewed and understood this policy and procedure. A record of these updates will be kept.
Record Keeping and Client Identification
When processing any Segregated Fund business there is a section on the application that pertains to “Political Exposed Individuals”, “Third Party” involvement, Insider Information, knowing that if the client answers “yes” to any of these questions, then a Politically Exposed Foreign Person (PEFP) and Third Party Disclosure form must be completed and immediately sent to the appropriate compliance department.
We ensure that we shall use our in-house Client and Third-Party Identity Verification form (Attachment “A”) if another entities form is not available.
All client’s files must include a copy of the current cheque, money order, or bank draft that accompanies each transaction. We will check if the financial institution is a major Canadian institution by referencing the federal (OSFI) or applicable provincial list.
At no time, will any persons affiliated with our office accept cash for any transaction or product. There is to be no exception to this rule, regardless of the company that we are doing business with or representing.
Because we never accept cash, we do not have to keep a separate “Large Cash Transaction Record”.
Each Client’s file will include a legible photocopy of a government issued identification that was taken when the client opened their account and was also verified by the advisor. Watch for flaws or any obvious alterations to the identification and it must be valid and current, for example, we cannot accept expired drivers’ licenses or passports.
On accounts that were opened before this legislation, a photocopy of client Identification should be at the time of file updates or the next meeting with that client. Please review the file for updated photocopy of government issued identifications.
In the case of corporate accounts (non-individual accounts), officers with signing authority for the corporation must provide their personal client identification for their file, along with the corporate resolution, business number (BN or BIN), and copies supporting the identification of the corporate entity.
Suspicious Transactions or Attempted Suspicious Transactions
Per FINTRAC’s Guideline 2: Suspicious Transactions, there is no minimum dollar amount threshold for reporting suspicious transactions or attempted transactions. Although the business conducted under our office would be a very minimum risk, we cannot stress enough the importance of always knowing the identity of the person we are conducting business with. Even if we know our client well and would never deem him/her to be suspicious, we always look at the overall picture and consider if the transaction itself is unusual or otherwise, not a normal type of transaction for that client. It is our practice to be on the lookout for suspected 3rd party involvement.
If we should ever find himself or herself with suspicion towards a suspicious transaction or attempted a transaction, we shall within 30 days, from the date your suspicion occurred, to file a STATR (Suspicious Transaction or Attempted Transaction Report).
Jacob Campbell, as appointed Compliance Officer will be notified immediately and the Compliance Officer will in turn, notify FINTRAC of the transaction in question, along with the details.
Terrorist Property Reports
The OSFI terrorist list, (both individual and non-individual) will be reviewed annually to determine if any of our clientele appears on these lists. If we identify, or have reason to believe, any of our clients are on these lists, we will immediately contact FINTRAC providing them with the names and identifying any property (accounts) associated with these clients and completing a Terrorist Property report.
At no time, would we alert the client to our suspicions, or disclose the fact that we have made a report, nor can the contents of the report be disclosed.
Management is responsible for the detection and prevention of fraud, misappropriations, and other inappropriate conduct. Fraud is defined as the intentional, false representation or concealment of a material fact for the purpose of inducing another to act upon it to his or her injury. Each member of the management team will be familiar with the types of improprieties that might occur within his or her area of responsibility, and be alert for any indication of irregularity. Any fraud that is detected or suspected must be reported immediately to Jacob Campbell, who coordinates all investigations with the Legal Department and other affected areas, both internal and external.
Actions Constituting Fraud
The terms defalcation, misappropriation, and other fiscal wrongdoings refer to, but are not limited to:
• Any dishonest or fraudulent act
• Forgery or alteration of any document or account belonging to the Company
• Forgery or alteration of a check, bank draft, or any other financial document
• Misappropriation of funds, securities, supplies, or other assets
• Impropriety in the handling or reporting of money or financial transactions
• Profiteering as a result of insider knowledge of company activities
• Disclosing confidential and proprietary information to outside parties
• Disclosing to other persons securities activities engaged in or contemplated by the company
• Accepting or seeking anything of material value from contractors, vendors or persons providing services/materials to the Company. Exception: Gifts less than $50 in value.
• Destruction, removal or inappropriate use of records, furniture, fixtures, and equipment; and/or
• Any similar or related inappropriate conduct
Investigation Responsibilities
Jacob Campbell has the primary responsibility for the investigation of all suspected fraudulent acts as defined in the policy. If the investigation substantiates that fraudulent activities have occurred, Jacob Campbell will issue reports to the President. Decisions to prosecute or refer the examination results to the appropriate law enforcement and/or regulatory agencies for independent investigation will be made in conjunction with legal counsel and the President, as will final decisions on disposition of the case.
Confidentiality
Jacob Campbell treats all information received confidentially. Any employee who suspects dishonest or fraudulent activity will notify Jacob Campbell immediately, and should not attempt to personally conduct investigations or interviews/interrogations related to any suspected fraudulent act. Investigation results will not be disclosed or discussed with anyone other than those who have a legitimate need to know. This is important in order to avoid damaging the reputations of persons suspected but subsequently found innocent of wrongful conduct and to protect the Company from potential civil liability.
Reporting Procedures
Great care must be taken in the investigation of suspected improprieties or wrongdoings so as to avoid mistaken accusations or alerting suspected individuals that an investigation is under way. An employee who discovers or suspects fraudulent activity will contact Jacob Campbell immediately. The employee or other complainant may remain anonymous. All inquiries concerning the activity under investigation from the suspected individual, his or her attorney or representative, or any other inquirer should be directed to the Investigations Unit or the Legal Department. No information concerning the status of an investigation will be given out. The proper response to any inquiries is: “I am not at liberty to discuss this matter.” Under no circumstances should any reference be made to “the allegation,” “the crime,” “the fraud,” “the forgery,” “the misappropriation,” or any other specific reference.
The reporting individual should be informed of the following:
• Do not contact the suspected individual in an effort to determine facts or demand restitution.
• Do not discuss the case, facts, suspicions, or allegations with anyone unless specifically asked to do so by the Legal Department or Jacob Campbell
Termination
If an investigation results in a recommendation to terminate an individual, the recommendation will be reviewed for approval by the designated representatives from Human Resources and, if necessary, by outside counsel, before any such action is taken.
C&C Insurance Consultants Ltd. value honesty, integrity, transparency and professionalism in dealings with clients, suppliers, competitors and government officials alike. The Company has zero tolerance for corrupt activities of any kind. Bribes or other improper or unauthorized payments, or acts that create the appearance of promising, offering, giving or authorizing such payments, are prohibited by this Policy. Company Personnel are expected to adhere to both the spirit and the letter of this Policy with respect to the Company’s business anywhere in the world.
Failure to comply with this Policy or Anti-Corruption Laws will be grounds for disciplinary action up to and including termination of employment or other relationship with the Company, may require restitution and may lead to civil or criminal action against individual Company Personnel. If Company Personnel are in or aware of a situation that they believe may violate or lead to a violation of this Policy, they must ask for guidance from their manager or from Jacob Campbell.
Company Personnel are prohibited from engaging in corrupt practices, including bribes, in the Company’s business dealings both in the private and government sectors and such conduct will often constitute a violation of one or more Anti-Corruption Laws.
Given the broad prohibitions under the CFPOA and the FCPA and other Anti-Corruption Laws, Company Personnel must not directly or indirectly make, offer or promise to make, or authorize any bribes, kickbacks or other improper payments, benefits or advantages to any person, individual, entity or organization, including, but not limited to, any Public Official or any employee, official, representative or agency of any:
• government (including any government-owned or affiliated entity);
• government (including any government-owned or affiliated entity);
• public international organization (such as the United Nations or the World Bank);
• political party, including the party itself as well as candidates for public office;
• non-governmental organization; or
• private-sector company,
For any improper purpose, including for the purpose of influencing, inducing or rewarding any act, omission or decision to secure an improper advantage or to obtain or retain business.
This Policy also prohibits “quid pro quo” payments, meaning that the payment is made with the expectation of receiving in return an improper benefit or advantage.
A violation of this Policy can occur even if the bribe or other corrupt practice fails to achieve the purpose for which it was intended. Under this Policy (and under applicable Anti-Corruption Laws) the fact of an offer or promise of a bribe will typically be sufficient to constitute a violation, and this Policy applies whether or not Company funds are used to finance the improper payment or other benefit.
Company Personnel are also prohibited from soliciting or accepting any bribe, kickback or other improper payments or benefits from the Company’s vendors or other persons in relation to the Company’s business.
The areas where corruption, including bribery, can most often occur include:
• Gifts and Entertainment;
• Facilitation Payments; and
• Political, Community, and Charitable Contributions.
It is the responsibility of Company Personnel to be aware of how these situations may violate or lead to a violation of this Policy and Anti-Corruption Laws. Please consult with your manager or other personnel in a superior position for further guidance.
Gifts and Entertainment
Gifts and entertainment are commonly offered as gestures of gratitude or tokens of appreciation. The Company allows these tokens and gestures when they are reasonable, proportional, made in good faith and in compliance with the Company’s Code of Business Conduct and Ethics and this Policy.
Examples of gifts and entertainment include the receipt or offer of gifts, meals or items of limited value as well as invitations to events, functions or other social gatherings related to the Company’s business.
However, the CFPOA, FCPA and other Anti-Corruption Laws prohibit the provision or acceptance of money or things of value for corrupt or improper purposes. Therefore, Company Personnel must ensure that any gifts or entertainment are of a value that is in proportion to the situation at hand and should be occasional to avoid being interpreted as an attempt to influence a decision or act.
In addition to complying with the CFPOA, FCPA and other Anti-Corruption Laws, Company Personnel must also ensure that the provision of a gift or entertainment or any other benefit does not violate local laws or policies that apply in the country where the recipient is located. Some countries impose express limits on the value of gifts, entertainment or other benefit that a recipient can accept. This Policy prohibits gifts of cash or gift certificates or instruments that are easily convertible into cash in all instances.
Company Personnel should consult with their manager or other personnel in a superior position for further guidance on giving or accepting gifts or forms of entertainment or hospitality in most circumstances, but they must consult with their manager or other personnel in a superior position prior to providing any gifts or entertainment to any Public Official.
Reporting and Assistance
If any Company Personnel are approached by a Public Official, client or supplier representative, or any other person and is asked, directly or indirectly, to make a questionable payment or gift, the occurrence should be promptly and fully reported to their manager or to Jacob Campbell.
Policy for C & C Insurance Consultants Ltd., hereinafter referred to as the “Corporation”.
This policy is intended to ensure that the Corporation is prepared if a security incident were to occur. It details exactly what must occur if an incident is suspected, covering both electronic and physical security incidents.
Overview
A security incident can come in many forms: a malicious attacker gaining access to the network, a virus or other malware infecting computers, a stolen laptop containing confidential data or an unintentional leak of confidential information. A well-thought-out Incident Response Policy is critical to successful recovery from an incident. This policy covers all incidents that may affect the security and integrity of the Corporation’s information assets, and outlines steps to take in the event of such an incident.
Types of Incidents
A security incident, as it relates to the Corporation’s information assets, can take one of two forms. For the purposes of this policy a security incident is defined as one of the following:
• Electronic: This type of incident can range from an attacker, user or innocent third-party gaining access to the network or network information for unauthorized/malicious/unintentional purposes, to a virus outbreak, to a suspected Trojan or malware infection.
• Physical: A physical IT security incident involves the loss or theft of a laptop, mobile device, PDA/Smartphone, portable storage device, or other digital apparatus that may contain theCorporation’s information.
Preparation
Work done prior to a security incident is arguably more important than work done after an incident is discovered. The most important preparation work, obviously, is maintaining good security controls that will prevent or limit damage in the event of an incident. This includes technical tools such as firewalls, intrusion detection systems, authentication, and encryption; and non-technical tools such as good physical security for laptops and mobile devices.
Additionally, prior to the incident, the Corporation must ensure that the following is clear to IT personnel:
• What actions to take when an incident is suspected?
• Who is responsible for responding to an incident?
The Corporation needs to make aware to its IT personnel and employees of any contractual obligations it may have with clients and/or 3rd parties with any additional requirements for reporting and managing of incidents.The Corporation must review any industry or governmental regulations that dictate how it must respond to a security incident, and ensure that its incident response plans adhere to these regulations.
Confidentiality
All information related to an electronic or physical security incident must be treated as confidential information until the incident is fully contained. This will serve both to protect employees' reputations (if an incident is due to an error, negligence, or carelessness), and to control the release of information to the Corporation’s customers.
Electronic Incidents
When an electronic incident is suspected, the Corporation’s goal is to recover as quickly as possible, limit the damage done, and secure the network. The following steps should be taken in order:
1. Remove the compromised device from the network by unplugging or disabling network connection. Do not power down the machine.
2. Disable the compromised account(s) as appropriate.
3. Immediately report the incident to IT personnel.
4. Backup all data and logs on the machine, or copy/image the machine to another system.
5. Determine exactly what happened and the scope of the incident. Was it an accident? An attack? A Virus? Was confidential data involved? Was it limited to the system or customer in question or was it more widespread?
6. Notify the Corporation’s management/executives as appropriate and prepare the incident report as required.
7. Contact legal counsel as needed.
8. Determine how the attacker gained access and disable this access.
9. Rebuild the system, including a complete operating system reinstall.
10. Restore any needed data from the last known good backup and put the system back online.
11. Take actions, as possible, to ensure that the vulnerability (or similar vulnerabilities) will not occur again.
12. Reflect on the incident. What can be learned? How did the Incident Response team perform? Was the policy adequate? What could be done differently?
13. Consider a vulnerability assessment as a way to spot any other vulnerabilities before they can be exploited.
Physical Incidents
Physical security incidents are challenging, since often the only actions that can be taken to mitigate the incident must be done in advance. This makes preparation critical. One of the best ways to prepare is to mandate the use of strong encryption to secure data on mobile devices. Applicable policies, such as those covering encryption and confidential data, should be reviewed.
Physical security incidents are most likely the result of a random theft or inadvertent loss by a user, but they must be treated as if they were targeted at the Corporation.
The Corporation must assume that such a loss will occur at some point, and periodically survey a random sampling of laptops and mobile devices to determine the risk if one were to be lost or stolen. This should be done at least once annually.
Response
Establish the severity of the incident by determining the data stored on the missing device. This can often be done by referring to a recent backup of the device. Two important questions must be answered:
1. Was confidential data involved?
(a) If not, refer to "Loss Contained" below.
(b) If confidential data was involved, refer to "Data Loss Suspected" below.
2. Was strong encryption used?
(a) If strong encryption was used, refer to "Loss Contained" below.
(b) If not, refer to "Data Loss Suspected" below.
Loss Contained
First, change any usernames, passwords, account information, WEP/WPA keys, passphrases, etc., that were stored on the system. Notify the Corporation’s IT personnel. Replace the lost hardware and restore data from the last backup. Notify the applicable authorities is a theft has occurred.
Data Loss Suspected
First, notify the executive team, legal counsel, and/or public relations group so that each team can evaluate and prepare a response in their area.
Change any usernames, passwords, account information, WEP/WPA keys, passphrases, etc., that were stored on the system. Replace the lost hardware and restore data from the last backup. Notify the applicable authorities as needed if a theft has occurred and follow disclosure guidelines specified in the notification section.
Notification
If an electronic or physical security incident is suspected to have resulted in the loss of third-party data, customer data or customer leak, follow applicable regulations and/or industry breach disclosure laws.
Managing Risk
Managing risk of a security incident or data loss is the primary reason to create and maintain a comprehensive security policy. Risks can come in many forms: electronic risks like data corruption, computer viruses, hackers, malicious users or employee error; or physical risks such as loss/theft of a device, hardware failure, fire, or a natural disaster. Protecting critical data and systems from these risks is of paramount importance to the Corporation.
Risk Assessment
As part of the risk management process, the Corporation must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the Corporation’s critical or confidential information. The process must include the following steps:
(a) Scope the assessment. Determine both the physical and logical boundaries of the assessment.
(b) Gather information. Determine what confidential or critical information is maintained by the Corporation. Determine how this information is secured.
(c) Identify threats. Determine what man-made and natural events could affect the Corporation’s electronic information.
(d) Identify vulnerabilities. After threats have been identified, determine the Corporation’s exposure to each threat. External assessments may be useful.
(e) Assess security controls. After vulnerabilities have been cataloged, determine the efficiency of theCorporation’s security controls in mitigating that vulnerability.
(f) Assess security controls. After vulnerabilities have been cataloged, determine the efficiency of theCorporation’s security controls in mitigating that vulnerability. Determine the potential impact of each vulnerability being exploited. Would the event result in loss of confidentiality, loss of integrity, or loss of availability of the information?
(g)Determine the Corporation’s level of risk. Based on the information gathered in the previous steps, make a determination to the Corporation’s level of risk of each event.
(h) Recommended security controls. Security controls that will mitigate the identified risks are evaluated during this step. Consider cost, operational impact, and effectiveness of each control.
(i) Document the risk assessment results. The final step is to document the risk assessment, including the results of each step.
Risk Management Program
A formal risk management program must be implemented to cover any risks known to the Corporation (which should be identified through a risk assessment), and insure that reasonable security measures are in place to mitigate any identified risks to a level that will ensure the continued security of the Corporation’s confidential and critical data.
Enforcement
This policy will be enforced by the Corporation’s IT personnel and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of the Corporation’s property (physical or intellectual) are suspected, the Corporation may report such activities to the applicable authorities.
Definitions
Encryption: The process of encoding data with an algorithm so that it is unintelligible without the key. Used to protect data during transmission or while stored.
Malware: Short for "malicious software." A software application designed with malicious intent. Viruses and Trojans are common examples of malware.
Mobile Device: A portable device that can be used for certain applications and data storage. Examples are PDAs or Smartphones.
PDA: Stands for Personal Digital Assistant. A portable device that stores and organizes personal information, such as contact information, calendar, and notes.
Smartphone: A mobile telephone that offers additional applications, such as PDA functions and email.
Trojan: Also called a "Trojan Horse." An application that is disguised as something innocuous or legitimate, but harbors a malicious payload. Trojans can be used to covertly and remotely gain access to a computer, log keystrokes, or perform other malicious or destructive acts.
Virus: Also called a "Computer Virus." A replicating application that attaches itself to other data, infecting files similar to how a virus infects cells. Viruses can be spread through email or via network-connected computers and file systems.
WEP: Stands for Wired Equivalency Privacy. A security protocol for wireless networks that encrypts communications between the computer and the wireless access point. WEP can be cryptographically broken with relative ease.
WPA: Stands for WiFi Protected Access. A security protocol for wireless networks that encrypts communications between the computer and the wireless access point. Newer and considered more secure than WEP.
