Security: It's About You

Identity theft occurs when your personal information (e.g., name, address, driver's license, date of birth, social insurance number, account information or family identifiers) is stolen and used illegally. That illegal activity often has financial implications as thieves use your information to open accounts, charge your credit cards and even take out loans in your name, among other things.

Keep yourself safer from identity theft by following some simple steps:

• Don't include your social insurance number or driver's license number on sensitive documents, unless you understand why they are needed and consent to it.
• Do not keep a hard copy of any ABM PINs or passwords.
• Get a safe deposit box to store your important documents.
• Don't respond to unsolicited requests for personal or account information.
• Review your credit report at least once a year.
• Always sign the back of your credit and debit cards. This lowers the chance of others being able to use them.
• Cancel and destroy all unused cards and cheques.
• Report lost or stolen credit and debit cards right away.
• Shred all documents containing personal information before throwing them out.
• Drop your outgoing mail in an official postal mailbox.
• Shred or destroy any junk mail before you throw it away.
• Don’t leave incoming mail in areas where others can access it.
• Check your online financial accounts to watch for any transactions that may have been made fraudulently.

Being online puts your computer at risk for information breaches. Hackers can potentially access your system without your knowledge and use your personal information for illegal activities.

Here are some tips that can help you to improve the overall security of your computer:

• Clear the web browser cache and cookies when using a public or shared computer.
• Do not share your Personal Verification Question answers with anyone.
• Only open emailed attachments from trusted sources after you have virus scanned them.
• Protect your computer from attack by using a personal firewall.
• Ensure your anti-virus and security patches are up to date.
• Never respond to spam e-mails; doing so confirms that your e-mail address is valid.
• Do not click on any links in unsolicited e-mail as this could inadvertently download a virus or spyware to your computer.
• Use a spam filter.
• Type the web address into your browser instead of following a link. If you use a website often, create a bookmark to access it.
• Be cautious of the e-mails you send as their content may be forwarded or copied.

You may have been asked to give personal and/or financial information via the Internet by a company or organization that you don’t necessarily recognize as being legitimate. If you have, then you may have been targeted by a phishing or pharming scheme.

Phishing is the act of tricking you into giving out confidential information. With this information, fraudsters can access your online accounts to withdraw money, make purchases, or even open new accounts in your name.

Be wary of e-mails that ask for personal information and never provide your personal passwords, personal identification numbers, or login information for any personal account.

Remember, Eclipse will never, under any circumstance, send any e-mail that:

• Asks you to provide, confirm, or update personal records.
• Claims to have been sent from a third-party address or link to a third-party site on Eclipse’s behalf and asking for personal or financial information.
• Contains no information about why you are receiving the e-mail from Eclipse.
• Requires an urgent response.

Your passwords are an incredibly important tool in maintaining the security of your personal and financial information. A strong password has at least 8 characters and is made up of letters AND numbers. You should always change your passwords on a regular basis.

Additionally:

• Do not store your passwords in a computer file.
• Do not leave your computer unattended while connected to any sensitive, private information whether financial or otherwise.
• Do not tell your passwords to anyone.
• Do not keep a hard copy of your passwords.
• Do not use the same password more than once.

The risk of falling victim to a scam is real. With clever telephone, internet, and mail fraudsters posing as reps from legitimate organizations often making attractive offers, it can happen to anyone. Being certain with whom you are dealing is a key factor in protecting yourself.

And remember, if something seems too good to be true, it probably is.

Here are some ways to confirm the identity of individuals and organizations:

• Do not provide personal and account information over the phone until you have confirmed the identity of the organization. If you receive a phone solicitation, call the organization back using a number you know to be legitimate.
• Only subscribe to Internet-based newsletters from organizations you trust. You can check the third-party site certificate to verify authenticity of the website.
• If you see an advertisement for a loan or mortgage in a local newspaper, check out the source through the Canadian Council of Better Business Bureaus (Canada) or Better Business Bureau (United States).

This Code has been developed to meet the standards set out in Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) and similar applicable provincial legislation. The Code describes the principles MCAP will use to protect the privacy of personal information we possess about our clients and establishes ethical and fair information management practices with respect to personal information collected, used, or disclosed by the MCAP Group. The Code informs customers and borrowers, and our investors and business associates, how personal information is handled within the MCAP Group.

Privacy is a sensitive topic. Many Canadians have raised concerns about the privacy of their personal information. At MCAP, we strive to understand what customers, clients, and investors deem to be reasonable and then apply the principles in this Code in accordance with PIPEDA.

MCAP endorses and has adopted the privacy principles described in Schedule 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA). These privacy principles embody sound and prudent information management practices. These practices will provide the necessary assurances that personal information obtained and utilized by MCAP in the course of its business activities will be accurate, held in confidence, and be retained in a secure environment.

Below is a brief summary of how MCAP adheres to the PIPEDA privacy principles.

Principle 1 — Accountability

MCAP takes responsibility for protecting and maintaining personal information under its control and has appointed a CPO to ensure compliance with these principles and PIPEDA.

Principle 2 — Identifying the Purposes for Collecting Personal Information

MCAP will identify and disclose the reasons for which personal information is collected and used by MCAP at or before the time the information is collected.

Principle 3 — Consent

MCAP will obtain an individual’s informed consent for the collection, use, or disclosure of personal information by MCAP, except as otherwise required or permitted by law.

Principle 4 — Limits to the Collection of Personal Information

MCAP will limit the amount and type of personal information collected to what is necessary for its intended purposes. Personal information will be collected by fair and lawful means.

Principle 5 — Limits to the Use, Disclosure, and Retention of Personal Information

MCAP will not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required or permitted by law. Personal information will be retained only as long as it is necessary to fulfill those purposes.

Principle 6 — Accuracy

To minimize the possibility of inappropriate information being considered in its decision-making processes, MCAP will keep personal information as accurate, complete, and up-to-date as necessary for its intended purposes. To ensure accuracy we request that you provide us with any changes to your personal information, including your contact information, as soon as possible.

Principle 7 — Safety & Security

MCAP maintains appropriate safeguards to protect personal information from loss or theft, unauthorized access, disclosure, copying, use, or modification regardless of the format in which it is retained.

Principle 8 — Openness

MCAP will inform its customers, clients, and employees about its policies and procedures regarding the management of personal information. MCAP will ensure that these policies and procedures are easily understood and readily available.

Principle 9 — Individual Access

Upon request, MCAP will inform an individual of the existence, use, and disclosure of his or her personal information and will provide the individual access to that information to verify and or update its accuracy and completeness.

Principle 10 — Handling Inquiries

An individual will be able to direct an issue or concern regarding compliance with the above principles, or MCAP’s practices, to MCAP’s CPO or to other accountable employees.

MCAP wants to work with you to help you achieve your goals, to provide you with value-added service on an ongoing basis, and to establish a lasting relationship with you as your needs grow and change. The better MCAP knows you, the better we can serve you. MCAP therefore asks you for your personal information for the following purposes:

• to establish and confirm your identity;
• to protect you and us from error, fraud, and criminal activity;
• to understand your financial needs;
• to evaluate your current and ongoing creditworthiness;
• to maintain the accuracy and integrity of information held by credit bureaus;
• to determine the suitability of our products and services for you;
• to determine your eligibility for our products and services;
• to provide you with ongoing service and information related to the products and services you have with us;
• to collect amounts owing to us, enforce obligations, and to manage and assess risk;
• to provide you with information and offers on products and services that MCAP believes may be of interest to you;
• to understand our customers and to develop and tailor our products and services; and
• to comply with applicable laws.

You can choose not to provide us with some or all of your personal information. However, if you make this choice, MCAP may not be able to provide you with the product, service, or information that you requested or that was or could be offered to you.

MCAP will make sure you are aware of the purposes for collecting information when you apply for any of our products or services. Self-evident purposes should be clear, but if you have any questions or require assistance in understanding the scope of consent being sought, just ask us. If a new purpose for using your personal information develops, MCAP will ask for your consent again.

The most common reason for release of your personal information is that you have given your consent. For example, when you apply for a mortgage and accept our commitment letter, you give your consent to the exchange of information about you with a credit bureau, other credit grantors, credit insurers including mortgage and portfolio insurers and other lenders who invest in or fund our mortgage products.

Other reasons may include if we have a legal obligation, such as a court order, or if we need to protect assets (e.g. collection of overdue accounts) or the public’s interest. For example, we may release personal information about a customer to legal authorities in cases of criminal activity or for the detection and prevention of fraud. If we release information for any of these reasons, we keep a record of what, when, why and to whom such information was released.

We do not keep a record of why your personal information is disclosed to third parties for routine purposes such as reporting to Canada Customs and Revenue Agency (T5 and other reports), regular update reports to a credit bureau, credit insurers and investors / lenders, and reporting to third parties when cheques are returned NSF (i.e. for insufficient funds).

If you have a mortgage or other product or service which is connected to another person (e.g. a co-borrower or guarantor for a mortgage), or you add and authorize a third party to your account, we may share certain details of your personal information with that person in connection with your mortgage. We may also share your personal information with your beneficiaries or estate representatives where reasonably necessary following your death to help in the administration of your mortgage, your insurance products, or your estate’s financial affairs.

MCAP does not sell lists of our customers to others for their use.

Your personal information is shared, to the extent permitted by law, and to the extent necessary to provide you with the best service, within the MCAP Group and our institutional business affiliates in order to provide mortgages, insurance and other products and services. This sharing is limited to a ”need to know” basis. With our various departments having a more comprehensive understanding of your requirements, we are better able to meet your needs as they grow and change.

MCAP routinely collects and collates anonymous, non-personal information that is not traced back to a specific individual or business client. This includes individual and cumulative transaction and settlement records with our various investors. This type of information is considered necessary and consistent with MCAP’s business activity.

MCAP has an information security program that includes policies, procedures, technical controls, and physical controls designed to ensure the confidentiality, integrity and availability of information in our care and to protect against unauthorized use, alteration, duplication, destruction, disclosure, loss or theft of, or unauthorized access to, your personal information (“MCAP Security Program”). MCAP’s networks, systems, applications, and services that are used to collect, store, process or transmit information are managed under the MCAP Security Program. The MCAP Security Program is designed to identify and protect against potential threats or hazards to our data. MCAP may use service providers to provide certain services to you on our behalf. In such cases, we will have contracts in place holding these service providers to the same high standards of confidentiality by which we are governed and requiring that any information provided by us must be kept strictly confidential and used only for the purposes of the contract.

MCAP and our service providers may process and store your personal information outside of your province of residence and/or Canada.

MCAP also has agreements in place with credit insurers and institutional investors/lenders, which also require that any information provided by us must be maintained in strict confidence.

MCAP has procedures in place when destroying, deleting, or disposing of personal information when it is no longer required for the purposes as set out in this Code, or by law, to prevent unauthorized access to such personal information.

Each time you visit an MCAP website, our servers may record certain information on how you interacted with the MCAP website, including, but not limited to, your IP address, your internet service provider, the date and time of your visit, the pages you visited, the searches you performed, and the webpage that led you to the MCAP website,

As well, when you log into an account on a MCAP website, such as a homeowner portal account, we may link your activity on that website with your user account. For example, we may track your document downloads, self service requests, and banner clicks and associate this information with your user account information.

MCAP uses this information to: (i) maintain the security of MCAP websites and our products and services, (ii) improve and optimize our website and product and services, (iii) detect, investigate, and prevent fraud and (iv) comply with regulatory record keeping requirements.

MCAP and our third-party service providers may also use cookies, pixels, and other tracking mechanisms to evaluate how you use our websites or other online services and to personalize products and services in which you might be interested in based on your browsing and purchase history.

A cookie is a file containing a small amount of data that your web browser stores on your computer or mobile device when you visit certain websites (“Cookies”). Cookies can either be a first party cookie (i.e. the cookie is created by the website you’re visiting) or a third-party cookie (i.e. the cookie is created by a different website than the one you’re visiting).

Cookies are also either “persistent” cookies or “session” cookies, depending on how long they are used.

• Persistent cookies remain on your device after you have closed your browser and allow a website to remember your actions and preferences. They are activated each time you visit the website where the cookie was generated. Sometimes persistent cookies are used by websites to provide targeted advertising based on the browsing history of the device. They are stored by the browser and remain valid until their set expiry date (unless deleted by the user before the expiry date).
• Session cookies only last for the duration of your visit and are deleted when you close your browser. They facilitate tasks such as allowing a website to identify that a user of a particular device is navigating from page to page, supporting website security or basic functionality.

For further information about cookies, including how to see what cookies have been set on your device and how to manage and delete them, visit www.allaboutcookies.org.

Cookies may also work in conjunction with pixels, web beacons, clear GIFs, and other similar technologies (‘Pixels’). Pixels are small snippets of code that are loaded when a user visits a website and are used to provide information about how you interact with a website. In contrast to Cookies, which are stored on your computer’s hard drive, Pixels are embedded invisibly on web pages. We may use Pixels, in connection with our websites or other online services to, among other things, track the activities of visitors, help us manage content, and compile statistics about usage. We and our third-party service providers also use Pixels in HTML emails to our users to help us track email response rates and identify when our emails are viewed.

More About the Cookies, Pixels and Other Tracking Technologies MCAP Uses

MCAP uses Cookies, Pixels, and other tracking technologies for the following purposes:

Essential Cookies

Essential Cookies are first-party cookies necessary for using MCAP websites and cannot be disabled without impairing the optimal functioning of our websites. They allow, among other things, access to areas of MCAP websites that require a log-in, changes to the appearance of MCAP websites, and storage of your language preferences.

Analytics Cookies

MCAP is always looking to improve its customer experience and to measure and improve the performance of MCAP websites. To do so, MCAP employs analytics Cookies and Pixels from third-party service providers like Google Analytics and Meta Business Tools to gather information on how you use MCAP websites. The information includes your IP address, which pages you visit, the links you click, and the length of time you spent on a particular page. This enables us to better understand the visitors who come to MCAP websites, where they come from, and what content on our site is of interest to them.

This Policy does not cover such third parties’ use of data. For more information on how Google Analytics handles the information it collects, please see Google’s privacy policy at Google Privacy Policy. To opt-out of having your data collected by Google Analytics, you can install the Google Analytics Opt-out Browser Add-on.

For more information on how Meta handles the information it collects, please see Meta’s privacy policy at Meta Privacy Policy.

Marketing and Advertising Cookies

MCAP also works with third-party advertising service providers like Google to use information gathered from your MCAP website browsing activity to provide tailored online advertising on third-party websites. MCAP uses Google’s Remarketing with Google Analytics feature to provide targeted Google Ads to previous visitors to certain MCAP websites. As well, if you click an MCAP advertisement, we may also track the response rate and the website activity associated with it to evaluate the effectiveness of our online marketing campaigns.

Opting Out - Marketing and Advertising Cookies

To opt out of receiving online behavioural advertisements from participating third-party interest-based advertising companies, you can visit the Digital Advertising Alliance of Canada (DAAC) Self-Regulatory Program for Online Interest-Based Advertising at DAAC Opt Out Tools. You may also go to the Network Advertising Initiative (“NAI”) Consumer Opt-Out Page for information about opting out of targeted advertising and the choices you have regarding information circulated among NAI members.

Please note that when using these ad industry opt-out tools, you may need to execute the opt-out on each browser or device that you use.

Opting out from one or more companies listed on the DAAC Opt-Out Tools or the NAI Consumer Opt-Out Page will opt you out from those companies’ delivery of targeted content or ads, but it does not mean you stop receiving ads through our website or on other websites. You may continue to receive ads, for example, based on the particular website that you are viewing. Also, if your browsers are configured to reject cookies when you opt out on the DAAC or NAI websites, your opt-out may not be effective.

You can also adjust your Google Ads settings directly with Google at Google Ad Settings or by installing the Google Analytics Opt-Out.

Opting out will also block these third-party cookies on other non-MCAP websites. Because online behavioural advertising opt-outs use Cookies that tell the various third-party advertising companies that you have opted-out, your choice will generally only apply to the web browser you used to opt-out. You must opt-out from each web browser from which you do not want to participate in online behavioural advertising.

MCAP may make decisions based exclusively on automated processing of your personal information (“Automated Decisions”). These Automated Decisions include responding to certain credit and mortgage applications. If this is the case, we will inform you during the process or at the time the Automated Decision is communicated to you.

MCAP only keeps your personal information for as long as we need it to meet the purposes set out in this Code and in accordance with MCAP’s record retention policy. The length of time we retain your personal information is also affected by: (1) the type of product or service you have with us, and (2) any legal requirements we may have to meet such as regulatory file retention periods or for being able to respond to any concerns you may have, even if you are no longer an active customer of ours.

You can choose not to provide us with some or all of your personal information. This may, however, severely restrict the products and services MCAP can then provide.

You can also withdraw your consent to our use of your personal information, if you give us notice in writing, addressed to:

Your withdrawal of consent is subject to any legal, regulatory, or contractual restrictions. For instance, you cannot withdraw your consent if it results in our or your inability to fulfill any contract already in place with us. Your withdrawal of consent also does not apply to a credit product we have granted to you where we are required to collect and exchange some or all of your personal information, on an ongoing basis, with credit insurers, other investors/lenders, or a credit bureau. We continue to disclose your personal information to credit bureaus to maintain the integrity of the credit-granting system and the completeness of information held by a credit bureau.

To withdraw your consent from any electronic marketing communications, you can use the unsubscribe mechanism included in our electronic marketing communications or you may contact us directly. You may however continue to receive electronic transactional and account related communications from us.

If you want to review or verify your personal information or find out to whom we have disclosed it as permitted by this Code, you can call and speak to one of our service representatives. At that time, if it is not something that can be simply answered over the phone, we will provide you with a form to sign and will help you complete the specific information we will need from you to enable us to search for, and provide you with, the requested personal information we hold about you. We may charge you a fee to do this and will advise you of the fee in advance.

There are a few instances where we will not be able to provide the personal information, we hold about you that you request. Some of these instances include, if:

• it contains references to other persons;
• it is subject to solicitor-client or litigation privilege;
• it contains our own proprietary information that is confidential to us;
• it has already been destroyed due to legal requirements or because we no longer needed it for the purposes set out in this Code;
• it is too costly, in our determination, to retrieve;
• we are prohibited by law from disclosing to you.

If we are unable to provide you with access to your personal information, we will explain the reason why.