Desjardins Group personal data leakAMF orders the Federation to comply with its sound and prudent management obligations
Deposit institutions Organization
Montréal – The Autorité des marchés financiers (the “AMF”) has ordered the Fédération des caisses Desjardins du Québec (the “Federation”) to put in place a series of corrective measures and robust internal controls to effectively mitigate the risk of operational incidents, including those related to privacy, and to comply with its legal obligation to apply sound and prudent management practices.
Pursuant to its powers under the Act respecting financial services cooperatives (the “Act”), the AMF has issued an order (pdf - 115 KB)This link will open in a new windowUpdated on December 13, 2020Ordonnance 567 de la loi sur les coopératives de services financiers, RLRQ, c. C-67.3 to the Federation setting out numerous findings from its supervisory work carried out in connection with the personal data leak announced in June 2019 (the “incident”). Upon completing its work, the AMF concluded that Desjardins Group had failed to comply with its legal obligation to apply sound and prudent management practices, which increased the odds of such an incident occurring. It has therefore ordered the Federation to take a series of corrective actions to properly address the identified failures and to provide a detailed report to its governance bodies and the AMF.
The AMF has taken note of the various measures implemented by Desjardins Group following the incident in order to take the required corrective actions and increase its overall level of information security and privacy maturity. While these measures are an undeniable improvement and demonstrate Desjardins Group’s desire to maintain the trust of its members and customers, the AMF is of the view that further measures are needed in order to fully meet its requirements and apply best practices observed in systemically important financial institutions. At the AMF’s request, Desjardins Group has therefore developed plans to strengthen its management and sound governance practices and properly manage information security and privacy risks.
Key findings and identified failures
As a result of the incident, the AMF required a detailed, comprehensive report from Desjardins Group to identify, with the assistance of independent external consultants, any additional measures or structural changes that needed to be implemented. The AMF also placed a supervisory team inside Desjardins Group to validate the thoroughness, adequacy and completeness of the measures taken.
This work led the AMF to conclude, among other things, that recommendations from its past supervisory activities had been only partially adopted at the time the incident occurred, contrary to what had been indicated in some of the progress reports provided by Desjardins Group.
Furthermore, the Federation had failed in its obligation to apply sound and prudent management practices ensuring, in particular, sound governance and compliance with the laws governing its activities, despite the many related findings and recommendations that had been issued by the AMF and Desjardins Group’s internal auditors.
The AMF also identified significant deficiencies in each of Desjardins Group’s three lines of defence: operational management, the oversight functions and internal audit. Furthermore, these three lines of defence failed to carefully coordinate their activities to better understand and manage the full range of risks related to achieving the financial institution’s objectives.
In light of these key findings, the AMF concluded that:
- the Federation had failed in its obligation to apply and ensure compliance with sound and prudent management practices;
- the Federation had failed to meet certain AMF expectations, as set out in several guidelines, by omitting to implement adequate internal controls within Desjardins Group; and
- the members of the Federation’s senior management, its board of directors and some of its statutory committees had failed in their obligation to act with prudence and diligence in the performance of their duties by not putting in place sufficiently robust governance measures and controls, particularly with respect to information security and human resources practices, and by not adequately monitoring the action plans established to implement the recommendations of the AMF and Desjardins Group’s internal auditors.
Some of the measures ordered
As a result of the various findings and identified failures, the AMF has ordered the Federation to, among other things:
- take the necessary steps to achieve full and prompt compliance with Desjardins Group’s obligations under the Act;
- put in place sufficiently robust internal controls, particularly with respect to information security, to effectively mitigate the risk of privacy incidents;
- implement human resource practices ensuring the accountability of the persons responsible in respect of the incident and those tasked with timely implementation of the corrective measures;
- prepare and submit to the AMF on a monthly basis a formal report showing the progress of the work required as part of the order, existing actual and residual risks, and the contemplated timeframes; and
- assume the fees of an AMF-approved firm of independent experts, whose mandate will be determined by the AMF and to which it will report directly, to supervise the governance and control mechanisms put in place in order to certify that Desjardins Group meets the expectations set out in the AMF’s guidelines and industry best practices.
About the power to issue orders
The Act does not provide for the possibility of attaching monetary penalties to the order rendered; however, a monetary penalty of $10,000 may be imposed on the Federation for each day of non-compliance.
The AMF will not be providing any further comments regarding its prudential supervisory work.
The Autorité des marchés financiers is the regulatory and oversight body for Québec’s financial sector.
– 30 –
Sylvain Théberge: 514-940-2176
Québec City: 418-525-0337
Twitter: @lautorite This link will open in a new window
LinkedIn: Autorité des marchés financiers (Québec) This link will open in a new window