Financial and Operations Compliance (FinOPS)
Cybersecurity threats are a business risk for all IIROC dealers regardless of size and complexity. Each dealer must have appropriate controls in place to safeguard customer information that is under its custody and control.
As part of our ongoing commitment to support the cybersecurity resiliency of dealers, IIROC organized tabletop exercises in Toronto and Calgary in 2018 for small and mid-sized dealers facilitated by consultants from Juno Risk Management. At these sessions, we simulated three scenarios. Together, the learnings from these scenarios highlighted:
- Corporate governance is the cornerstone for developing and maintaining a robust cybersecurity program tailored to the specific business profile of the firm.
- An effective incident response management plan must be detailed and specific, and identify and define each team member’s role and responsibilities.
- Employee training and awareness are low‐cost, high‐impact ways to mitigate the risk of insider threats.
- Cyber insurance is a cost‐effective way for small and mid‐sized dealers to mitigate and transfer a portion of their cybersecurity risk by providing immediate access to legal counsel and forensic investigators.
- Other notable best practices include routine network penetration testing, external third-party review and risk assessments, and third‐party vendor diligence. Important technical controls include:
  - Data Loss Prevention (DLP)
  - Multi‐factor Authentication (MFA)
  - access permissions
  - suspicious e-mail blocking
  - data encryption.
In November 2018, we sent a second self‐assessment survey to all dealers. The results will help us assess whether the recent tabletop exercise and other IIROC initiatives have helped dealers strengthen their cybersecurity resilience.
Portfolio Manager (PM) Service Arrangements
IIROC issued regulatory guidance for dealers that provide recordkeeping and custody services on behalf of clients of PM Registrants. This guidance complements CSA Staff Notice 31-347, “Guidance for Portfolio Managers with Service Arrangements with Dealer Members”.
Compliance with this guidance will be an examination priority in 2019. Dealers should pay specific attention to the following minimum requirements:
- Written Agreements: Dealers must execute agreements with each PM explaining the arrangement and clearly defining the roles and responsibilities of each party.
- Account Opening and Operation: Each account must be opened in the client’s name and the PM must have trading authority over the account.
- Disclosure: Dealers must provide clients with information as required under DMR 3500.
- Client Confirmations and Statements: Dealers are responsible for the custody of client investments and must send a monthly or quarterly statement.
FinOps Risk-based Approach
In 2018, we made changes to our risk-based approach to conducting dealer examinations. When a dealer has in place an operationally mature, enterprise-wide risk-management framework, we focus on how the dealer identifies, mitigates and manages the risks associated with their financial and operational activities in compliance with IIROC rules. This approach is consistent with domestic and international banking regulatory authorities and was launched by FinOps in 2017-18 at all the large integrated dealer subsidiaries of Canadian federally regulated financial institutions.
Customer Account Guarantees
The enforceability of customer account guarantees has been a central issue in the events leading up to some past insolvencies. Recent litigation by bankruptcy trustees resulting from the collapse of a dealer also demonstrates the need to review and strengthen certain aspects of how guarantees are used to support the capital position of dealers.
To that end, our exams are focusing on:
- the implications of Dealer Member Rule 42, Conflicts of Interest on account guarantees between advisors of the dealer and their clients
- dealers accepting waivers by account guarantors to not receive monthly customer statements of all accounts guaranteed
- insiders of a dealer (partner, director, officer or employee) guaranteeing the indebtedness of a non-arm’s-length account rather than transferring cash from their trading account
- the misuse by owners of the dealer of personal account guarantees to offset capital charges associated with dealer indebtedness to circumvent the triggering of month-end early warning tests instead of recapitalizing.
Trading Compliance (TCC)
Trading Supervision Obligations under UMIR 7.1
We implemented changes to the supervision of trading requirements on March 27, 2018.
We encourage dealers to apply a principles-based approach that addresses the specific risks associated with their business models and trading activity. Dealers should assess and document the risks associated with their trading-related activities to determine where their compliance and supervisory efforts should be focused. A dealer may rely on an existing enterprise risk management program if the program includes its trading-related activities.
During our review, we will look at the assessments to ensure that the risks have been identified and the dealer’s policies and procedures address those risks.
While in certain circumstances dealers may authorize a third party to perform a specific risk management or supervisory control or activity, we continue to identify authorizations that do not comply with IIROC’s requirement. We remind dealers that a written agreement must be in place for each risk-management or supervisory control before authorizing a third party to perform the control. At least annually, the dealer must confirm that the terms of the agreement continue to be met. We note that the dealer retains full responsibility for the control or supervisory activity despite having authorized its performance by a third party.
We introduced changes to best execution requirements on January 2, 2018. We will focus our reviews on the efforts undertaken by dealers to address the changes in the requirements.
Our areas of focus include:
- documented and implemented policies and procedures that consider the factors and elements that contribute to the best execution of client orders
- content and disclosure of best execution policies
- governance around best execution decisions
- training conducted by the dealer, including that training is provided to all employees who are involved in the best execution process.
We expect non-executing dealers to have an informed understanding of how their executing dealer achieves best execution and how the approach taken will reasonably achieve best execution for their clients.
We continue to see issues with dealers’ electronic trading controls required under the electronic trading rules. Specifically, we continue to see:
- credit/capital limits that do not consider the unique needs of their clients and traders
- limits set well in excess of what would be appropriate or effective.
We will continue to focus on a dealer’s risk controls and whether the limits are set appropriately for their firm and clients.
IIROC considers any trade printed on a marketplace that does not result in a change in beneficial or economic ownership to be a wash trade. We understand that in an automated electronic trading environment some wash trading with non-manipulative or deceptive intent may occur. However, we expect each dealer to:
- monitor both client and proprietary wash trading activity
- take reasonable steps to minimize this activity
- use available tools that reduce or prevent the occurrence of wash trading where appropriate.
Each dealer must report any trade not cancelled by the marketplace through a gatekeeper report. The dealer can file a gatekeeper report on a monthly basis listing all wash trades not cancelled on a marketplace during that month.
Business Conduct Compliance (BCC)
Compensation-related Conflicts of Interest
BCC continues to focus on compensation-related conflicts of interest. In April 2017, IIROC published guidance that outlines the findings of our review of compensation-related conflicts at dealers. The review identified significant deficiencies in a number of areas, including:
- over-reliance on disclosure as a means of addressing compensation-related conflicts
- poor quality of disclosure
- failure to implement effective monitoring of conflicts associated with fee-based accounts.
To strengthen our effectiveness in examining compensation-related conflict management, BCC developed and implemented a dedicated conflict-of-interest test module, which includes testing for:
- general conflict-of-interest management
- corporate-level issues (affiliates, referral arrangements, supervisory practices)
- compensation programs, compensation grids and recruitment practices
- sales targets
- product-related conflicts.
We implemented this module over the last year and the most common finding to date is that many firms have not implemented an effective process for identifying and managing compensation-related conflicts. IIROC requires that dealers maintain policies and procedures to identify and manage all real and potential material conflicts of interest.
In the coming year, BCC will continue to strengthen the effectiveness of our examination process by collecting data related to conflict-of-interest findings and assessing it for:
- potential systemic issues
- areas to increase focus
- identification of best practices.
BCC examiners will also focus on more complex conflicts including:
- non-monetary incentives
- sales targets
- mutual-fund sales incentives.
BCC has developed a testing module for automated/online-advice services offered directly to clients by IIROC dealers. The module examines a number of different risk factors that are relevant in the context of online advice, including the:
- quality of relationship-disclosure information as it pertains to describing any limitations in products and services provided
- adequacy of the Know Your Client (KYC) and risk-tolerance information collected, relative to the complexity of products offered
- quality of supervisory reviews of new client applications
- process for ensuring ongoing KYC updates occur as client circumstances change
- controls around the testing and approval of software enhancements pertaining to KYC, suitability assessment, anti-money laundering, etc.
BCC will also continue to enhance its testing to address a growing number of business models involving strategic alliances, referral arrangements, and automated advice tools used by advisors.
Order-Execution-Only (OEO) Platforms
In April 2018, we published guidance that sets out IIROC’s expectations and the regulatory requirements applicable to all OEO firms. The guidance discusses the scope of tools, services, activities and information that we consider consistent with the OEO regulatory framework in the areas of:
- the meaning of a recommendation
- pricing incentives
- hyperlinks and portals
- social media
- integrated tools
- trading tools
- filtering tools
- automatic rebalancing alerts and tools
- research reports
- portfolio analyzer tools & model portfolios.
Whether or not a particular tool is appropriate under the OEO regulatory framework depends on the relevant facts and circumstances. We have enhanced BCC test processes to consider the different factors outlined in the guidance to determine whether any particular tool is acceptable or not. We encourage OEO firms to contact their IIROC BCC manager with any questions.
We continue to see filing deficiencies as highlighted in past Compliance Priorities Reports, including:
- deficiencies with Notices of Terminations and filings relating to outside business activities
- late and incomplete disclosures about regulatory, civil, criminal and financial disclosure items
- repeat and on-going deficiencies in the timeliness, accuracy and completeness of routine filings
- slow or uncooperative responses to our requests for additional information or corrected filings.
We plan to deliver training in early 2019 to dealers with repeat deficiencies. The Authorized Firm Representatives (AFRs) and Chief Compliance Officers (CCOs) of these dealers will be required to attend a training session with our Registration team to ensure they understand their obligations. We will review basic registration functions, as well as issues specific to the dealer, to ensure that our expectations are clear and to outline the consequences of future non-compliance.
Once we have met with a dealer, we will take a strict approach to compliance with our requirements and may take any or all of the following steps:
- reject deficient filings in their entirety
- impose terms and conditions on the dealer
- refer matters to Enforcement for potential disciplinary action.
We will provide the same training to other dealers upon request. As this includes a review of basic registration functions, IIROC will also provide it to new dealers, either during the new membership process or shortly thereafter.
Notices of Termination
Dealers must make reasonable efforts to provide true and complete information in their Notice of Termination (NOT) filings. The dealer must carefully consider the questions contained in the NOT and accurately state the reason(s) for the cessation/termination of employment. The cessation date should reflect the day on which the individual ceases to have authority to act as a registered individual with the dealer. The dealer must consider whether it still has the appropriate number and category of Approved Persons to carry out its activities where the NOT relates to a dealer’s only Registered Representative (RR), Investment Representative (IR) or Supervisor. We expect dealers to notify us immediately in cases where they are planning to terminate their only RR, IR or Supervisor, or that individual has advised they will resign.
Disclosure of Outside Business Activities
Approved Persons must disclose their Outside Business Activities (OBAs) under item 10 of Form 33-109F4 (Form 4) within 10 days of starting the activity. Also, before engaging in the OBA, RRs and IRs must disclose and obtain approval from their dealer, under IIROC Dealer Member Rule 18.14(c).
Dealers should require Approved Persons to provide periodic attestations regarding OBAs and to notify them of any material change to their OBAs.
Dealers must provide sufficient detail when describing an OBA and must address the potential for conflicts of interest or client confusion that may arise in the specific case (instead of providing “boilerplate” disclosure). If the dealer determines an OBA does not result in any conflicts of interest or client confusion, the dealer must outline their reasons for this conclusion.
OSC Staff Notice 33-749 recently stated that activities such as coaching recreational or “house league” sports do not generally require reporting. IIROC shares this view and agrees that these activities do not amount to a position of influence. Guidance about what is a reportable OBA is available in the Companion Policy to NI 31-103, in previously published IIROC guidance, and CSA Staff Notice 31-326 - Outside Business Activities.
Approved Persons must disclose material changes concerning the following disclosures, within 10 days of the change:
- item 13 (regulatory disclosure)
- item 14 (criminal disclosure)
- item 15 (civil disclosure)
- item 16 (financial disclosure).
Dealers should file supporting documentation with a material change notice, rather than wait for IIROC to request this information. These delays affect our ability to conduct a “fit and proper” review and can be misleading to clients.
False and Misleading Disclosure
We continue to see applications for approval that are missing financial disclosure, criminal disclosure and regulatory reporting of disciplinary actions, including those levied by other licensing agencies (e.g. insurance). IIROC shares the views contained in CSA Staff Notice 33-320 - The Requirement for True and Complete Applications for Registration - that a false or misleading application is a serious regulatory issue.
Dealers need to ensure their applicants and Approved Persons understand the questions in Form 4 in order to provide accurate and complete information when submitting filings. Individuals must also ensure they have an opportunity to discuss the questions in Form 4 with the dealer to ensure they respond to questions correctly. Carelessness or misunderstandings are not satisfactory explanations for non-disclosure.
Discretionary Exemptions for Portfolio Management
We continue to receive deficient exemption applications for Portfolio Management. Dealers should review the email sent to all CCOs on December 4, 2017 before submitting an application. This approval category has the most onerous proficiency requirements because of the discretion the position affords. Individuals who seek an exemption must demonstrate a high level of experience that is clearly relevant to discretionary portfolio management activities.
Individuals seeking approval in this category may either (a) meet IIROC’s current requirements under Dealer Member Rule 2900, Part I. A. 6, or (b) seek exemptive relief from Dealer Member Rule 2900, Part I. A. 6, on the basis that they have both:
- a CIM (either the Canadian Investment Manager or Chartered Investment Manager) designation in good standing, and
- 48 months of Relevant Investment Management Experience (RIME), with 12 months gained in the 36-month period before applying for registration.
We also remind dealers that IIROC has arranged a 50% enrolment price discount for certain people rewriting courses within 10 years of previously writing them. For more information, please visit the applicable course enrolment page at www.csi.ca.
Approved Persons and dealers must be aware of their post-licensing requirements. IIROC automatically suspends anyone who does not complete the requirements within the relevant time period.
RRs must complete the Canadian Securities Course, Conduct and Practices Handbook Course and 90-Day Training Program to be eligible for approval. They have 30 months after approval to complete the Wealth Management Essentials course. Dealers should be aware that, if the course is not completed, suspension is automatic under Dealer Member Rule 18.4. Similarly, Supervisors have 18 months to attend the Effective Management Seminar. RRs and Supervisors should schedule attendance at a seminar well in advance of the expiration of 18 months. This is particularly critical for dealers that do not have other Supervisors to cover the functions of a suspended Supervisor. Dealers should be aware that, if the requirement is not completed, suspension is automatic under Dealer Member Rule 38.3(b).
Our view is that RRs and Supervisors have adequate time to complete these requirements and that dealers have more than enough time to ensure that they do so. However, we receive an unacceptable number of applications for extensions without compelling reasons. We are unlikely to grant extensions unless there are extreme extenuating circumstances. We will not grant extensions simply because a dealer does not have another Supervisor to assume the functions.
Continuing Education Requirements for Designated Supervisors
In February 2018, we issued guidance requesting that dealers provide IIROC a list of individuals approved as designated Supervisors. We used this data to update CE requirements in IIROC Services. This information was due to IIROC by March 31, 2018.
To date, we have not received lists from all dealers. Any firms that have not provided this information should review the Notice, which outlines our expectations on this matter.
We remind Dealer Members that they must comply with IIROC notice and approval requirements, including allowing enough time for staff review and District Council approval, as applicable, in advance of a transaction, particularly for significant equity interests in a Dealer Member and new related or associated companies.