Guidelines to help businesses develop corporate compliance programs
1. The purpose of this information bulletin is to provide general guidance and best practices for businesses on the development of corporate compliance programs. These programs may help businesses facilitate compliance with the Rules1 and/or CASL.2 Specifically, the bulletin describes important components of an effective corporate compliance program and provides guidance to develop such a program. The tools outlined in the bulletin should not be seen as prescriptive, but rather as illustrative. The bulletin is also not intended to be exhaustive, since businesses may take other reasonable steps to comply with the Rules and/or CASL. Further, the content of this bulletin is not intended to serve as legal advice. Businesses seeking legal advice regarding the development of a corporate compliance program should obtain independent legal advice.
2. The Commission recognizes that each organization is different. Depending on the size and risk exposure of the organization, not all the components of a corporate compliance program described below may be necessary, particularly in the case of small and medium-sized businesses. The Commission also recognizes that small and medium-sized businesses do not have the resources that large corporations have. As such, while compliance is required regardless of the business’s size, compliance programs will vary widely. The Commission will assess compliance with the Rules and CASL on a case-by-case basis. The Commission recommends that businesses adapt the components described below to their particular circumstances.
1“The Rules” refers to the Canadian Radio-television and Telecommunications Commission Unsolicited Telecommunications Rules.
2 CASL, also commonly referred to as “Canada’s anti-spam legislation,” refers to An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23, and the associated regulations made thereunder.
Why is a corporate compliance program important?
3. Non-compliance with the Rules and/or CASL may expose businesses to significant administrative monetary penalties (AMPs) and other costs, such as legal fees and reputational damage. The development and proper implementation of a documented and effective corporate compliance program is a useful risk-management strategy: it may (i) reduce the likelihood of businesses violating the Rules and/or CASL, and (ii) help businesses establish a due diligence defence in the case of a violation of the Rules or CASL.
4. Commission staff may take into consideration the existence and implementation of an effective corporate compliance program if the business presents the program as part of a due diligence defence in response to an alleged violation of the Rules or CASL. Although the pre-existence of a corporate compliance program may not be sufficient as a complete defence to allegations of violations under the Rules or CASL, a credible and effective documented program may enable a business to demonstrate that it took reasonable steps to avoid contravening the law. Thus, the program may support a claim of due diligence. As well, Commission staff can take the existence of such a program into consideration when determining whether a violation of the Rules or CASL is an isolated incident or is systemic in nature, and whether sanctions against a business should include AMPs.
Components of a corporate compliance program
Senior management involvement
5. In the case of large businesses, the business’s senior management should consider playing an active and visible role in fostering a culture of compliance within their organization. Rules and policies by themselves have a greater chance of success in preventing misconduct when senior management strongly conveys that violations of the Rules and/or CASL are not acceptable. In addition, a member of senior management could be named as the business’s chief compliance officer, who is responsible and accountable for the development, management, and execution of the business’s corporate compliance program.
6. In the case of small and medium-sized businesses, the business could identify a point person who is responsible and accountable for compliance with the Rules and/or CASL.
7. The chief compliance officer or point person should consider conducting a risk assessment to determine which business activities are at risk for the commission of violations under the Rules and/or CASL. The chief compliance officer or point person should then develop and apply policies and procedures to mitigate those risks.
Written corporate compliance policy.
8. After conducting a risk assessment, the chief compliance officer or point person should consider developing a written corporate compliance policy. The business should make this policy easily accessible to all employees, including managers. The business could update the policy as often as necessary to keep pace with changes in legislation, non-compliance issues, or new services or products. The policy may also:
- establish internal procedures for compliance with the Rules and/or CASL;
- address related training that covers the policy and internal procedures;
- establish auditing and monitoring mechanisms for the corporate compliance program;
- establish procedures for dealing with third parties (for example, partners and subcontractors) to ensure that they comply with the Rules and/or CASL;
- address record keeping, especially with respect to consent; and
- contain a mechanism that enables employees to provide feedback to the chief compliance officer or point person.
9. Good record-keeping practices may help businesses (i) identify potential noncompliance issues, (ii) investigate and respond to consumer complaints, (iii) respond to questions about the business’s practices and procedures, (iv) monitor their corporate compliance program, (v) identify the need for corrective actions and demonstrate that these actions were implemented, and (vi) establish a due diligence defence in the event of complaints to the Commission against the business.
10. As a business, consider maintaining hard copy and/or electronic records of the following:
Relating to the Rules
- your telemarketing policies and procedures;
- all National Do Not Call List registration and subscription information (required by law for at least 36 months);
- all internal do not call requests and actions;
- all evidence of express consent (e.g. audio recordings or forms) by consumers who agree to be contacted via an automatic dialing-announcing device;
- call records/logs;
- call scripts; and
- scrubbing procedures to remove from calling lists numbers that also appear on both a company’s internal do not call list and the National Do Not Call List.
Relating to CASL
- your commercial electronic message policies and procedures;
- all unsubscribe requests and actions;
- all evidence of express consent (e.g. audio recordings or forms) by consumers who agree to be contacted via a commercial electronic message;
- commercial electronic message scripts; and
- actioning unsubscribe requests for commercial electronic messages.
Relating to both the Rules and CASL
- campaign records;
- staff training documents;
- other business procedures; and
- official financial records.
11. Effective training of staff at all levels on what constitutes prohibited conduct and on what could be done if they witness prohibited conduct is integral to the implementation of a credible corporate compliance program. Effective training helps employees determine roles and responsibilities, and when to seek advice from senior management. For the training to be effective, links should be made between the business’s policies and procedures, and the situations that employees may face in their daily activities.
12. The chief compliance officer or point person should consider developing and implementing a training program, including refresher training, regarding the corporate compliance policy for current and new employees, including managers. After training, employees could provide written acknowledgment that they understand the corporate compliance policy, and these written acknowledgments should be recorded and maintained. The business could also monitor employee comprehension of the corporate compliance policy, and the training program could be adapted and re-administered accordingly. The business could re-administer training following important modifications or updates to the corporate compliance policy. The chief compliance officer or point person could evaluate the effectiveness of this training at regular intervals.
13. The chief compliance officer or point person should also consider monitoring any legislative or regulatory changes, and modifying or updating the corporate compliance policy and the related training accordingly.
14. When assessing what to include in the training program, consider the following:
- requirements and related liabilities – to provide an understanding of what is required in the legislation and the penalties for not meeting those requirements;
- policies and procedures associated with the business; and
- background information on the legislation and the Rules.
Auditing and monitoring
15. Auditing and monitoring mechanisms help (i) prevent and detect misconduct, and (ii) assess the effectiveness of the corporate compliance program. The implementation of these mechanisms also reminds employees and managers that they are subject to oversight. The chief compliance officer or point person could be responsible for ensuring that audits are conducted at regular intervals with or without external help. Auditing may involve developing and implementing a quality assurance program that would, for example, monitor a statistically significant percentage of the business’s telephone or email marketing campaigns. The results of all audits should be recorded, maintained, and communicated to senior management. Following an audit, the business should address any recommendations and modify or update the corporate compliance policy as appropriate.
16. The chief compliance officer or point person could put in place a complaint-handling system to enable customers to submit complaints to the business. The business should respond to and resolve complaints within a reasonable or predetermined period of time. The Commission notes that the complaint-handling system should not be confused with the requirements in the Rules and CASL regarding the withdrawal of consent.
Corrective (disciplinary) action
17. Businesses could have an organizational disciplinary code to address contraventions. This code would help (i) demonstrate a business’s credibility regarding its corporate compliance policy, and (ii) deter against possible employee contraventions of the corporate compliance policy. Businesses should consider taking corrective or disciplinary action, or providing refresher training, as appropriate, to address contraventions of the corporate compliance policy. Businesses could maintain a record of the contravention and the action taken in response to the contravention.
- Review of the Unsolicited Telecommunications Rules, Compliance and Enforcement Regulatory Policy CRTC 2014-155, 31 March 2014
- Electronic Commerce Protection Regulations (CRTC), Telecom Regulatory Policy CRTC 2012-183, 28 March 2012
- Unsolicited Telecommunications Rules framework and the National Do Not Call List, Telecom Decision CRTC 2007-48, 3 July 2007, as modified by Telecom Decision CRTC 2007-48-1, 19 July 2007