Breach awareness training 2012 1

Upload: michael-burns

Post on 25-Dec-2015


Page 1

Breach awareness training 2012

Page 2

1. Introduction

Welcome to The Company annual Business Unit Breach Awareness training. You may be asking yourself: What are breaches and why do I need to be aware of them?

A breach is defined as the failure to observe a rule or policy. Breaches can have a serious impact on our business and customers. At Sun Life, we must manage breaches effectively to protect these valuable assets.

This course will teach you how to identify, report, and resolve breaches in your day-to-day operations. You will learn:

– How breaches are defined and how to identify them
– What to do when you identify a breach
– The steps in the breach management process

Page 3

Objectives

This course contains three lessons, a scenario, and an assessment. It should take you approximately 20-30 minutes to complete the whole course. Lessons include:

– What are the FSA Principles for Business and the Sun Life Code of Business Conduct?
– How do you define and identify breaches?
– What is the Breach Management Process?

At the end of each lesson you will be presented with a knowledge check to assess your understanding of the materials presented. Knowledge checks are not scored, but you must answer the question to proceed to the next lesson. After you have completed the course, there is an assessment that must be passed to receive credit for completion of the course.

Page 4

FSA principles

What is the FSA?

The Financial Services Authority (FSA) is the primary regulatory body for the Financial Services Industry. The FSA operates through a principles-based regulatory system.

The FSA’s 11 Principles for Business are:

1. Integrity. A firm must conduct its business with integrity
2. Skill, Care and Diligence. A firm must conduct its business with due skill, care and diligence
3. Management and Control. A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems
4. Financial Prudence. A firm must maintain adequate financial resources
5. Market Conduct. A firm must observe proper standards of market conduct
6. Customers’ Interests. A firm must pay due regard to the interests of its customers and treat them fairly

Page 5

FSA principles

The FSA’s 11 Principles for Business are:

7. Communication with Clients. A firm must pay due regard to the information needs of its clients, and communicate information to them in a way that is clear, fair and not misleading
8. Conflicts of Interest. A firm must manage conflicts of interest fairly, both between itself and its customers, and between customers and other clients
9. Customers: Relationships of Trust. A firm must take reasonable care to ensure the suitability of its advice and discretionary decisions for any customer who is entitled to rely upon its judgement
10. Clients’ Assets. A firm must arrange adequate protection for clients’ assets when it is responsible for them
11. Relations with Regulators. A firm must deal with its regulator in an open and cooperative way, and must disclose anything that the FSA would expect to know

For further reference, these principles are provided in the FSA Handbook.

Page 6

FSA principles

The FSA has a wide range of regulatory tools that it can use to enforce compliance with the principles. If we do not comply with the principles, the FSA can:

– withdraw its permission to conduct regulated business
– prohibit individuals from working in the industry
– impose specific requirements on firms
– fine both individuals and firms based on the severity of the breach
– make investigations and findings public
– give private warnings to the person or firm responsible to make them aware that they may face formal action

Page 7

Knowledge Check

Let’s check your understanding about the Principles. Choose the right answer and select Done. If you need to start again, choose Reset.

As the primary regulator of the Financial Services Industry, the FSA’s 11 Principles for Business apply to all financial services firms. Breaches can occur when The Company employees do not comply with the principles.

TRUE – That’s correct. All firms regulated by the FSA are required to comply with the 11 Principles for Business. Since the FSA regulates The Company, all The Company employees are expected to comply with the Principles in their work.

FALSE

Page 8

Sun Life Code of Business Conduct

The Sun Life Code of Business Conduct is available for your reference on the INTRANET LINK. The Company takes breaches of the Code seriously and investigates all reports discreetly.

Click the images to view examples of potential breaches of the Code:

• Failure to safeguard customers’ personal data
• Failure to detect and fight money laundering or fraud
• Failure to identify and manage conflicts of interest

Page 9

Sun Life Code of Business Conduct

Non-compliance with the FSA Principles for Business and the Sun Life Code of Business Conduct is considered a breach. If you suspect that a breach has occurred, you must report it immediately.

The reporting of all breaches is vital to maintaining effective operational systems, controls and processes. Reporting breaches ensures that we treat our customers fairly and fulfil our responsibilities to our regulators.

The Company prohibits retaliation against staff for reporting concerns in good faith. No action will be taken against you, even if your concern cannot be corroborated. However, a mischievous or malicious allegation of a breach is itself a breach of the Code and could result in disciplinary action.

• What if you’re not sure whether a breach has occurred? If in doubt, report.
• How will reporting a breach impact you? Reporting breaches in good faith will not impact you negatively.

Page 10

Sun Life Code of Business Conduct

Disclosing a breach of the Code

If you suspect a breach of the Code, promptly report your concerns to:

• Your manager
• Local Compliance Officer
• Local Human Resources Director
• A member of the Internal Audit department
• A member of the Legal department
• Any of the people listed in the Contacts List
• The Employee Ethics Hotline by telephone or intranet; you can report it anonymously if you wish

Under the Public Information Disclosure Act, you have the right to disclose any matters of concern to the FSA, since it is our regulator for financial services and markets issues.

The Code and details for the Employee Ethics Hotline can be found on the Intranet under CODE OF BUSINESS CONDUCT LINK.

Page 11

Knowledge Check

Let’s check your understanding of the Principles and the Code.

Reporting breaches of the Code is necessary in order to maintain Sun Life’s operations and fulfil our regulatory responsibilities. If you suspect a breach of Sun Life’s Code of Business Conduct, to whom should you report your concerns? Select all that apply.

A. A member of the Internal Audit department
B. Local newspaper
C. Your manager
D. Any of the people listed in the Contacts List
E. The Employee Ethics Hotline
F. A member of the Legal department
G. Local Compliance Officer
H. Local Human Resources Director

Answer is all of the above except B

Page 12

Definition of a breach

The definition of a breach is not precise and relies on the judgement of local experts and Compliance.

Click the images to learn how breaches are defined

• An event that causes a serious financial loss to customers or The Company

• An event that can have a negative impact on The Company’s reputation or relationship with its customers or regulator; an event that can attract negative media attention

Page 13

Types of breaches

It is impossible to define breaches precisely because every breach has a unique set of circumstances.

These breach types will help you identify breach occurrences in your business area:

• Failure to identify a complaint or complete an anti-money laundering (AML) identification check

• Failure to identify persistent issues and prevent them from continuing

• Consistent failure to identify other customers who might also be affected

• A single, one-off event that impacts a large number of customers

Page 14

Knowledge Check

Let’s check your understanding about defining breaches.

Defining breaches precisely is impossible because every breach occurs under unique circumstances. How would these two breach types be defined? Drag and drop the breach type to the appropriate definition.

A. Failure to identify a complaint or complete an AML identification check
A. An event that causes serious financial loss to customers or The Company

B. Failure to identify persistent issues and prevent them from continuing
A. An event that can have a negative impact on The Company’s reputation or relationship with its customers or regulators; an event that can attract negative media attention

Page 15

How to identify a breach

How can we identify breaches? First, we have to name them. Breaches can be identified as one-off and/or significant.

Please note: if a breach is identified as one-off, that does not necessarily mean that it is not significant. A breach may be one-off and significant. It depends on the particular circumstances of the breach.

A one-off is an event that is linked to a specific, singular occurrence. One-off breaches may also be significant and have a broad, serious impact. Examples of a one-off breach include:

• Failure to identify a complaint
• Failure to complete an AML identification check

A significant breach can be very complex and linked to a number of factors. When a breach is significant it may:

• Involve a large number of customers
• Impact customers in a negative way

All breaches, regardless of their significance, need to be identified and promptly reported.

Page 16

Significant breaches

Breaches, whether one-off and/or significant, can have a serious impact on both customers and The Company if they are not identified.

The identification and reporting of significant breaches is extremely important. A breach is considered significant if:

• There is the potential for financial losses to customers or to The Company
• The breach has occurred more than once
• There are implications for The Company’s systems and controls
• There are delays in identifying or rectifying the breach

Page 17

Questions to consider

Take a moment to consider these questions:

• What breaches could occur in your business area?

• What would a one-off breach look like?

• What would a significant breach look like?

• What controls are in place to prevent breaches?

• What would you do if you identified a breach?

Page 18

Knowledge check

Let’s check your understanding about identifying breaches.

It is important that breaches are properly identified. Who is responsible for identifying and reporting breaches? Select only one answer

A. Human Resources

B. Compliance

C. Your manager

D. All Sun Life employees

Answer is D

Page 19

Your role and responsibilities

The identification, reporting, and resolution of breaches is the responsibility of all staff. When you identify a breach, whether it is significant or one-off, your role is to discuss your concerns with your line manager and fill out a breach notification form.

In this section, you will learn how to address your role and responsibilities in the breach management process. You will also learn how your role fits into the overall process and the steps that are taken.

Page 20

Breach management process steps

In the previous lesson, you learned how breaches are defined and how to identify a breach. This chart shows what happens next in the breach management process.

[Chart: breach management process steps]

Page 21

Step 1: Identification

When you identify a potential breach, whether it’s a one-off or significant, you must:

• Discuss the potential breach with your line manager

• Fill out a BREACH NOTIFICATION FORM LINK

To walk through completing a breach notification form, click Resources. For further assistance completing the form, go to BUSINESS UNIT PROCEDURES LINK on the Intranet

Page 22

Step 2: reporting

Once you identify a breach, the next step is reporting.

The line manager must:

• Email the breach notification form to Compliance Enquiries@The Company.co.uk

• Copy the Head of Function on the email

All breaches are urgent, therefore the breach notification form must be emailed within 48 hours of the breach identification.

Page 23

Step 3: recording

When the breach notification form is received, Compliance Advisory will record the full details of the breach.

The Head of Compliance will:

• Report to UK Leadership Team (UKLT) and the Company Board of Directors, including status updates of significant breaches

• Determine whether the breach should be reported to the FSA

If a breach is determined to be highly significant, Compliance will consider whether it should be reported to the FSA. As a regulated firm, The Company is duty bound to inform the FSA of any matters that are considered to be of material significance.

It is therefore essential that all breaches are reported to Compliance Advisory.

Page 24

Step 4: allocation of a breach owner

Once a breach has been recorded, Compliance Advisory will allocate a Company employee as the breach owner. The breach owner will be located in the relevant department, depending on the type of breach reported.

Once a breach owner has been allocated, Compliance will:

• Arrange a meeting with the breach owner

• Inform the breach owner of the details of the breach

• Confirm the frequency of regular updates (minimum monthly)

Compliance Advisory responsibilities include:

• Track progress towards resolution and raise concerns if necessary

• Maintain a breach database including regular updates

• Provide advice and guidance on the next steps

Page 25

Breach owner responsibilities

It is the breach owner’s responsibility to:

• Conduct appropriate investigations to understand the cause and impact of the breach
• Ensure timely resolution
• Liaise with the appropriate Outsourcer Service Provider (OSP), if applicable
• Provide regular updates to Compliance (minimum monthly)
• Ensure that corrective actions address the root cause of the breach
• Implement interim control measures if there is a risk of reoccurrence
• Provide documentary evidence to support closure of the breach
• Ensure fair treatment of customers during the breach resolution

Page 26

Step 5: investigation

All breaches require full investigation. The breach owner is required to conduct the investigation.

What actions should an investigation include?

During the investigation the breach owner must:

• Find out why the breach occurred

• Determine whether there may be other customers in similar circumstances

• Identify and implement preventative measures where reoccurrence is likely

• Implement changes to procedures, update training materials, plan for training or re-training

• Provide feedback to the staff who caused the breach

• Request system changes, as required

• Analyse the root cause of the breach

Page 27

Step 6: resolution

The actions involved in breach resolution will be particular to every breach; however, during resolution you may need to:

• Notify affected customers of the breach and its impact upon them, provide details of the circumstances and the actions being taken to resolve the breach

• Implement corrective actions to put the customer back in the position they were in before the breach occurred, such as paying redress or crediting a policy, if appropriate

• Take immediate action to prevent further breaches from occurring

• Assess the impact of the breach on customers in similar circumstances and consider the need to take corrective actions for all affected customers

• Ensure fair treatment of customers during the resolution process

• Address any specific actions or requirements raised by the regulator

All actions for resolving breaches should be agreed upon with Compliance Advisory. If there are differences in opinion on the actions that should be taken, the breach will be escalated to the Head of Compliance

Page 28

Step 7: closure

The actions taken during the resolution process must address the root cause of the breach to prevent the breach from happening again. When a breach approaches closure:

• The breach owner must provide documentary evidence to Compliance Advisory to enable closure of the breach
• The Compliance Advisory Manager will approve and provide sign-off for closure of all breaches

Page 29

Escalation of a breach

Occasionally, breaches may need to be escalated to the Head of Compliance.

When is escalation of a breach necessary? Click the images to find out.

• If the breach is deemed to be significant, Compliance Advisory will escalate concerns to the Head of Compliance

• If progression towards closure does not occur in a timely manner, the Compliance Advisory Manager must be informed to determine whether this needs to be escalated

• If the delay will warrant further escalation, the Head of Compliance will be advised, particularly if the breach has been reported to the FSA

Page 30

Knowledge check

Let’s check your understanding of the breach management process.

The steps in the breach management process contain many actions to be taken by various employees. Who is responsible for each action in the breach management process? Match the actions with the person responsible. Drag and drop the appropriate employee to each of the actions being completed in the process.

Question – Answer

Allocating a breach owner – Compliance Advisory
Signing off on breach closure – Compliance Advisory
Submitting the breach notification form within 48 hours – The line manager
Completing the breach notification form – All The Company employees
Identifying a breach – All The Company employees
Escalating a breach – Compliance Advisory
Reporting a breach to the FSA – Head of Compliance
Conducting an investigation – The breach owner

Page 31

Scenario

Read the following scenario to walk through the breach management process for a specific case. Once you have read the scenario, you will be asked to answer a few questions. These questions are not scored, but you must answer them to proceed.

Upon reviewing the terms and conditions of a whole of life policy, a member of the Actuarial Team established that IT systems used incorrect rates to calculate premiums on plan reviews.

Click the steps on the breach management process chart to find out what actions the Actuarial team took.

Page 32

Scenario

Step 1: identification
• The Actuarial Team established with their line manager that the rates used were incorrect

Step 2: reporting
• The line manager sent a breach notification form to Compliance Advisory within 48 hours of identification

Step 3: recording
• Compliance recorded the details of the breach

Step 4: allocating a breach owner
• Compliance allocated a member of staff in the Actuarial Team as the breach owner. It was agreed that fortnightly updates would be provided to Compliance initially

Page 33

Scenario

Step 5: investigation
• The breach owner investigated the breach and reported these findings to Compliance:
– Because the rates were incorrect we were asking policyholders to increase their premiums
– This affected approximately 2500 policyholders who had been overcharged (their premiums were higher than they should have been)

Step 6: resolution
• Having agreed on the actions with Compliance, the breach owner arranged for the:
– Loading of the correct rates onto the illustration system
– Undertaking of calculations to put policyholders back in the position they would have been in had the rates been up to date

This included:

– Adjusting units held within the policy which meant that the level of cover would continue for longer

– Obtaining Compliance approval to notify affected policyholders

– Writing to all policyholders to advise of the mistake and corrective action that has been put in place

In order to prevent this problem from reoccurring, the Actuarial Team agreed to implement additional controls around the loading of rates into IT systems.

Page 34

Scenario

Step 7: closure

The breach owner provided the appropriate information to the Compliance Advisory Manager for sign-off:

• Confirmation of the date the correct rates were loaded onto the system
• Management information determining the final number of policies affected, the date adjustments to their policies were made, and the dates that policyholders were contacted with the letter of explanation
• A copy of the approved letter to policyholders
• Confirmation that the agreed additional controls had been implemented

Escalation to the Head of Compliance

The Compliance Advisory Manager determined that this breach may need to be reported to the FSA and escalated the matter to the Head of Compliance, who:

• Sought internal agreement to notify the FSA
• Made a submission to the FSA supervisor
• Provided regular progress updates to the FSA until closure

Page 35

Scenario

Now that you have read the scenario, please answer these case study questions.

A number of steps were taken to manage this breach. What steps were taken in the process? Select all that apply.

A. Definition

B. Identification

C. Investigation

D. Resolution

E. Escalation

F. Closure

Answer is B through F. Only A (definition) was not covered in the scenario.

The Actuarial Team identified the breach. The breach owner investigated and worked with Compliance to resolve the matter. The Compliance Advisory Manager escalated the breach to the Head of Compliance, who sought internal agreement to notify the FSA. Finally, the breach owner provided the appropriate documentation for closure and Compliance signed off on it.

Page 36

Scenario

The actions contained in each step were taken by various people and departments. What actions were the responsibility of the breach owner? Select all that apply.

A. Completing a breach notification form and submitting it to Compliance

B. Investigating the breach and reporting the findings to Compliance

C. Notifying all policyholders in writing about the breach and the corrective actions being taken

D. Reporting the breach to the FSA

Answer is B & C

It is the breach owner’s responsibility to investigate the breach and report the findings to Compliance. In this scenario, the breach owner also notified the affected policyholders about the breach and informed them of the corrective actions being taken

Page 37

Scenario

Resolution consists of a number of actions by various people. Who was involved in the resolution process? Select all that apply.

A. The Actuarial Team

B. The line manager

C. The breach owner

D. Compliance

E. The FSA

Answer is A, C & D

The breach owner worked with Compliance to take corrective actions and notify the policyholders. The Actuarial Team agreed to implement the changes decided upon by the breach owner and Compliance

Page 38

Scenario

The actions contained in each step were taken by various people and departments. What actions were the responsibility of the breach owner? Select all that apply.

A. Completing a breach notification form and submitting it to Compliance

B. Investigating the breach and reporting the findings to Compliance

C. Notifying all policyholders in writing about the breach and the corrective actions being taken

D. Reporting the breach to the FSA

The answer is B & C

It is the breach owner’s responsibility to investigate the breach and report the findings to Compliance. In this scenario, the breach owner also notified the affected policyholders about the breach and informed them of the corrective actions being taken.

Page 39

Scenario

This scenario demonstrated how the steps in the breach management process are followed.

The Actuarial Team identified the breach and the line manager reported it to Compliance Advisory, who then recorded the breach information and allocated a breach owner within the Actuarial Team.

The breach owner investigated the breach, and took actions to resolve it.

In this scenario, the Compliance Advisory Manager determined that the breach required escalation to the Head of Compliance.

Finally, the breach owner supplied the appropriate documentation for closure and the Compliance Advisory Manager signed off on closure of the breach.

Page 40

Summary

Thank you for taking the Company Breach Awareness Training Course. In this course, you learned:

• How breaches are caused by non-compliance with the FSA Principles for Business and the Sun Life Code of Business Conduct

• How breaches are defined and how to identify them

• How to understand your role and responsibilities and how the process works

You should now be able to effectively identify and manage breaches in your business area with the advice and guidance of Compliance.

Please take the assessment to conclude this course.

Page 41

Assessment introduction

The assessment contains 10 questions and should take you approximately 5 to 10 minutes to complete. You must answer 8 of the 10 questions correctly to pass the assessment and conclude this course. You may take the assessment as many times as you need in order to achieve a passing score.