Insurance advisors are falling short of their requirements related to protecting client privacy, and now regulators are warning advisors to get in line or face disciplinary action.

This past summer, the Insurance Council of British Columbia (ICBC) issued a notice revealing that some insurance advisors in that province had disclosed or transferred client information to third parties without the required client consent.

"We've dealt with a number of issues," says Gerald Matier, executive director of the ICBC. "Making sure your clients are aware of how their information is being moved and used, and who has it, is prudent. Agents run the risk of getting themselves in trouble if they're not disclosing this to the client."

The ICBC warns that when it identifies a breach of confidentiality, it will consider suspending an advisor's licence and issue fines of up to $10,000 for advisors and $20,000 for agencies.

"Licensees can expect to face discipline for failing to maintain client confidentiality," Matier says.

Other regulators identify compliance gaps in this area, as well. For example, the Financial Services Commission of Ontario found during its 2015-16 on-site examinations of insurance advisors that 17% of advisors were not able to demonstrate compliance with their requirements under the Personal Information Protection and Electronic Documents Act, the federal privacy law for private-sector organizations.

Given the private nature of information the life insurance industry handles, the prospect of inadequate privacy controls is a key concern.

"This [prospect of privacy violations] concerns regulators in the insurance industry because of the amount and the type of very sensitive information we deal with. It's personal; it's financial; it's health [and] medical; and lifestyle," says Earleen Moulton, vice president of compliance with BridgeForce Financial Group Inc. in London, Ont. "It doesn't get much more personal and confidential than that."

Privacy has become a primary concern in an era in which cybersecurity breaches have become common, Moulton adds.

Some of the scenarios in which the ICBC has identified problems with the handling of confidential client information include advisors buying or selling books of business, consulting or working with other advisors on client cases, and switching managing general agencies (MGAs).

For example, some clients have notified the ICBC that they have been contacted by an advisor or an MGA those clients have never heard of, offering to become their new agent of record after their previous advisor left the MGA. Often, though, those clients still work with their original advisor, just through a different MGA, Matier says.

Although MGAs usually reassign clients to a new advisor when the original advisor no longer represents the MGA or has left the industry, Matier says, advisors and firms need to consider the privacy implications of that practice.

"Consumers are saying, 'How did they get my information?'," he says. "If you're my client, and you meet with me, it's important that you know if I work with an agency, and what my agency is, and if I choose to leave that agency and go to another agency, how your information is going to be handled."

The variety of players in the independent life insurance distribution channel creates certain challenges in ensuring compliance with privacy rules. A client's personal information potentially can be accessed by the insurance carrier, the advisor, one or more MGAs - and, in some cases, third-party service providers such as software companies. Thus, advisors must ensure clients provide the appropriate consent for all of those entities to access the client's information.

Life insurance applications typically include a section in which clients must provide consent for the use of their information by the insurance carrier. However, that document alone is not sufficient for advisors to comply with the privacy rules.

Advisors also must get clients' consent for the advisor's own collection and usage of clients' personal information, as well as consent on behalf of the MGAs and other third-party entities with which the advisor might share that information.

This is where some advisors are falling short, Matier says: "Somewhere along the line, the client has to consent to [his or her] information being given to a third party."

In the cases the ICBC has identified in which advisors disclosed client information without the necessary consent, "the intentions of the [advisors] appeared to have been genuine and intended to serve the insurance needs of the clients," the ICBC's notice says. Nonetheless, the regulator's statement adds, the consent failures are contrary to the ICBC's rules.

In addition to facing disciplinary action from insurance regulators, advisors who are involved in a breach of client privacy could face the possibility of legal action, says Alex Cameron, partner and leader of the privacy and information protection group at law firm Fasken Martineau DuMoulin LLP in Toronto.

Civil litigation related to privacy breaches has become "very common," he says, and, in some cases, damages are awarded even when clients haven't suffered compensable harm because of the breach. "These issues are taken seriously," Cameron says. "The breach of your privacy itself is something that you could obtain damages for."

Before disclosing any client information, he says, advisors should always ensure the client has provided the appropriate consent.

Some MGAs and carriers are taking steps to help advisors meet these regulatory responsibilities. BridgeForce, for example, recently updated its privacy consent template to reflect all of the entities with which client information could be shared, including third-party service providers.

© 2017 Investment Executive. All rights reserved.