1. Financial and Operations Compliance (FinOps)

1. Cybersecurity risk

Cybersecurity remains a key business risk for firms regardless of size and complexity. Each firm needs to have appropriate controls in place to safeguard client and personal information and assets, as well as its own critical systems and applications.

During regularly scheduled FinOps examinations, we look at how:

• firms demonstrate compliance with the cybersecurity incident reporting requirements2 , and
• cybersecurity risk is managed,

and we incorporate our assessment into the FinOps risk score for the firm.

There has been an increase in findings and recommendations made to firms for being unable to sufficiently demonstrate compliance with IIROC’s cybersecurity incident reporting requirements. As a result, we issued IIROC Guidance Note GN-3700-22-001 to provide additional guidance to firms.

We also continue to review cybersecurity incidents reported by firms.

We remain committed to supporting the industry with education on cybersecurity risk. We issued several communications to firms over the last year alerting them to various cybersecurity threats and vulnerabilities.

Given the success of the first two cybersecurity self-assessment surveys conducted by IIROC and the importance of regular self-assessments to ensure effective management of cyber risk, we have engaged Deloitte to create cybersecurity self-assessment checklists for firms. Firms can use the checklist to assess their own cybersecurity preparedness and identify areas for improvements. While the use of the tool will be voluntary, we strongly recommend that all firms conduct a cybersecurity self-assessment at least once every two years to assess their posture and maturity and identify any critical gaps.

As we continue to monitor the effects of the pandemic and the restrictions that come with it, we are postponing our cybersecurity table-top exercise for small and medium-sized firms, which was initially planned for the summer of 2020, to tentatively in 2022.

1. Proposal to modernize back-office arrangements and subordinated debt financing

In July 2021, we announced a proposal to review whether our rules and requirements related to back-office arrangements and subordinated debt financing need to be modernized. The objectives of any recommendations will be to ensure that investors are protected, rules are proportionate to the risk of the activity, and unnecessary regulatory burden is eliminated.

We created two industry working groups to discuss issues pertinent to these areas and commenced discussions in August. Both working groups are raising a number of issues and providing helpful feedback and suggestions to IIROC. We intend to publish the outcomes of these discussions along with a plan to address the key issues identified.

1. Technology Risk

On March 31, 2021, we published a guide, Fundamentals of Risk Management, to help firms manage the critical risks of technology adoption, use and change. The guide covers key risks and controls, and the importance of good governance.

We have incorporated how firms rely on technology and manage the associated risks into the FinOps risk model. We are also enhancing our examination procedures to ensure that firms have designed and implemented controls to monitor their systems and applications for compliance with the relevant regulatory requirements.

As part of the review of technology risk, we intend to review supply chain risks and systemically important vendors to the industry with a view to considering ways in which to identify, assess and manage these risks.

1. Trading Conduct Compliance (TCC)

1. Client Identifiers

Amendments regarding client identifiers came into effect on July 26, 2021. With these amendments, each order for a listed security must include, among other things, a client identifier. Through our Trading Conduct Compliance program, we will be reviewing firm compliance with the new requirements and assisting firms with any outstanding implementation issues they may be experiencing. In addition, Dealers who are encountering challenges with the new requirements are encouraged to contact us for assistance.

1. Short Selling and Failed Trades

All short sale orders entered on a marketplace must include the short sale marker and the firm must have reasonable expectations that sufficient securities are available to settle any subsequent execution. This may include confirmation that shares are available to borrow if required.

Participants must have policies and procedures in place to monitor this activity and to implement further restrictions on further short selling activity as required under UMIR 6.1 (6).

1. Supervision of Trading

All Participants are required to develop and maintain a supervision system that considers and addresses the risks associated with their business model. As this will vary by Participant, we expect that each will conduct and document an internal assessment to identify all risks and to identify the risks that are most significant to the firm. While it is important to note that lower risks should still be considered and not entirely ignored, Participants should ensure that their supervision system reflects its internal assessment and focuses on the areas of greatest concern. This assists Participants to be more effective and efficient by concentrating their supervisory efforts and resources on higher risk areas.

1. Delegation of Tasks

In some instances, Participants have delegated supervisory controls or tasks to a third party or an affiliate. While this is permitted under UMIR, it is important to recognize that such delegation must be formally documented with as much detail as possible to ensure sufficient clarity including the specific tasks or controls performed and by whom. Regardless of the delegation of certain tasks or controls, the Participant retains all regulatory responsibility to ensure that all trading related activity that it has initiated is sufficiently monitored and supervised.

1. Business Conduct Compliance (BCC)

1. Client Focused Reforms (CFR) - Conflict of Interest Sweep

As mentioned in the Highlights section, with the CFR conflict of interest requirements (COI) that came into effect on June 30, 2021, IIROC, along with the CSA and the MFDA, is conducting a detailed review to assess the extent of Dealer compliance with the new COI requirements. The objective of the review is to determine if firms have met the spirit of the new COI rules and have implemented controls to address material conflicts in the best interest of clients, rather than continuing to default to disclosure which is not sufficient and must be used in conjunction with other controls. As a first step, the IIROC Annual Risk Questionnaire included high level questions regarding the implementation of the new COI provisions by Dealers. This information will be used to further refine and enhance BCC exam processes pertaining to Dealer management of conflicts of interest.

In addition to preparing for the post-implementation review of COI compliance, BCC has also enhanced internal test processes for the remaining CFR provisions that came into effect on December 31, 2021. These provisions involve enhancements to Relationship Disclosure, KYC, Suitability, Product Due Diligence, Know Your Product and Misleading Communications. A second phase of the post-implementation review, building upon insights from the first phase, will focus on KYC and Suitability compliance.

1. CFR – Misleading Communications & Titles

As noted above, the CFR amendments that came into effect on December 31st include new rules regarding misleading communications.

Section 1 of IIROC rule 3640(1) states that “An Approved Person must not hold themselves out […] in a manner that could reasonably be expected to mislead or deceive any person”, regarding “(i) the proficiency, experience, qualifications or category of registration or approval of the Approved Person”, or “(ii) the nature of the person’s relationship, or potential relationship, with the Dealer Member or the Approved Person”.

Further, section (2) of rule 3640 indicates that an Approved Person who interacts with clients must not use “a corporate officer title unless their Dealer Member has appointed that Approved Person to that corporate office pursuant to applicable corporate law”.

Taken together these requirements make it clear that simply granting a corporate title (typically done under a board resolution) without defined and substantive corporate responsibilities to certain individuals will not be acceptable. We believe appointments of this kind are inconsistent with the rule as the use of these titles could reasonably be expected to deceive or mislead the retail public as to the nature of the Approved Person’s relationship with the Dealer Member.

When reviewing the corporate titles used by Approved Persons, BCC exams will pay particular attention to the substance and nature of the relationship between an Approved Person and the Dealer Member where an Approved Person uses a corporate officer title in his or her dealings with clients. For example, BCC exams will assess whether the Approved Person performs the functions and has been granted the responsibility and powers typically associated with a corporate officer role, including, for example whether the Approved Person:

• has been delegated the authority to act independently on behalf of the Dealer Member in a manner that is significantly different than an Approved Person who has not been granted a corporate officer title;
• has the ability to bind the Dealer Member in ways that are more significant than those that flow from the registerable activities conducted by the Approved Person or Approved Persons who have not been granted a corporate officer title;
• is part of the “mind and management” of the Dealer Member, for example:
  • is responsible for making significant decisions on behalf of the Dealer Member;
  • is responsible for the overall direction and control of the Dealer Member’s operations or financial affairs.

1. Plain Language Rules Implementation

BCC has updated its exam program to review Dealer Member compliance with the IIROC Rules. The IIROC Rules now include a requirement for Dealers to ensure that any advice given by an Associate Portfolio Manager (APM) has first been pre-approved by a supervising Portfolio Manager (PM). IIROC Guidance Note GN-2500-21-009 describes potential scenarios where pre-approval of APM advice is needed, as well as certain scenarios where pre-approval is not required, (e.g. mechanical rebalancing). BCC will review for the establishment of an adequate oversight regime by Dealer to ensure that advice provided by APMs has been pre-approved and that the necessary documentation has been maintained.

Rule 1500, Managing Significant Areas of Risk, codifies the overarching principle for Dealers to develop and implement a supervisory framework to ensure proper management of all significant areas of risk within the firm. Dealers are required to identify all significant areas of risk specific to their business, have an appropriate Executive responsible for managing each significant area of risk and document this process. As these requirements are principles-based, firms have the flexibility to comply with these requirements in a way that reflects their unique business model and risk profile. This could potentially involve a combination of direct oversight by the assigned Executive of certain tasks, and delegation by the Executive of other tasks.

Under the IIROC Rules, an individual (the Delegator) can delegate the tasks or activities involved in performing a function they are required to do to another individual unless IIROC Rules specifically prohibit such delegation. However, the Delegator can never delegate responsibility for the required function. IIROC has recently published guidance to assist Dealers with the implementation of policies and procedures regarding the identification of significant areas of risk and the assignment of Executives to manage each such area of risk. Early in 2022 IIROC will publish additional guidance regarding delegation.

1. Protection of Older and Vulnerable Clients – Trusted Contact Person & Temporary Holds

On September 9, 2021 IIROC published Rules Notice 21-0159, regarding Housekeeping Amendments to IIROC Rules to enhance protection of older and vulnerable clients. The amendments are designed to make IIROC requirements uniform in all material respects with corresponding amendments made by the Canadian Securities Administrators (CSA) to National Instrument 31-103. The Housekeeping Amendments are intended to enhance investor protection by providing Dealers with tools to address situations involving diminished mental capacity or financial exploitation of their clients. These amendments relate to the collection of trusted contact information from clients and the placing of a temporary hold in circumstances of suspected financial exploitation of a vulnerable client. We have updated BCC exam processes to assess Dealer Member compliance with the amended rules.

1. Order-Execution-Only (OEO) – Service Level Review

Over the past few years, and especially in early 2021, we have seen an exponential increase in account openings and retail trading activity at OEO firms. We have also noticed a growing number of service complaints involving OEO firms, specifically the wait times for telephone access to a firm or the inability to access a web service or an application. As retail investors become increasingly reliant on automated online services, we are considering the extent to which failures in the provision of such services should be considered an Investor Protection issue. Accordingly, we initiated a project to review standards of service being provided by OEO firms, to assess whether a regulatory response is needed. As a first step we sent a survey to all OEO Dealers requesting information regarding various aspects of the technology services they provide to their clients. The survey responses provided insight into key factors that should be considered as part of a regulatory response to this increasing client reliance on technology. To move forward with developing new rules or guidance, an OEO Service Level Working Group, comprised of industry representatives and IIROC staff, has been established to discuss and explore possible regulatory responses.

1. Order-Execution-Only Advertising and Social Media

As noted above, we have recently seen a significant increase in account openings and retail trading activity at OEO firms. Although there may be many different factors driving this activity, the availability of investment opinions on various social media platforms, and the emergence of various unregistered individuals providing these opinions, (i.e., “Social Media Influencers”), are certainly some of the key drivers. In some cases, the quality of information being offered on these different social media platforms may involve inaccurate information, possibly intended for the purpose of market manipulation. The extent to which OEO Dealers interact with these different social media platforms and Influencers, and use social media for advertising purposes, are areas that IIROC will focus on in the coming year. Dealers are reminded that existing IIROC rules and guidance pertaining to advertising and conflict of interest management continue to apply regardless of the communication technology that is being used.

1. Order-Execution-Only Trailer Ban

In September 2020, the CSA published final rules that implement a trailing commission ban (OEO Trailer Ban). This ban prohibits the payment of trailing commissions by fund organizations to investment firms and their registrants who do not make a suitability determination, such as OEO firms. The rule also prohibits the solicitation or acceptance of trailing commissions by such firms. The OEO trailer ban will come into effect on June 1, 2022 and affects all funds that pay trailing commissions including funds sold under the Deferred Sales Charge option. OEO firms will need to enhance their systems and processes to ensure compliance with the new rules. BCC is updating exam processes in order to test for the successful implementation of the trailer ban requirements as they relate to existing positions held by all clients of OEO firms, as well as the ongoing compliance of firms with respect to new client purchases and funds transferred-in, after the ban takes effect. We expect that there will be interpretative questions and implementation issues that arise as firms prepare for the June implementation. IIROC will continue to work closely with OEO Dealers and the CSA in addressing these issues.

1. Registration

1. Implementation of the IIROC Rules

The IIROC Rules implemented on December 31, 2021, included changes to the registration and proficiency requirements.3 A summary of these changes is set out in Plain Language Rule Book Project – Registration Changes (iiroc.ca).

The changes included the introduction of the new Associate Portfolio Manager (APM) and Portfolio Manager (PM) approval categories. The IIROC Rules provide a transition period for Dealers to transition all Registered Representatives with a business type of portfolio management to either the APM or PM category. Dealers must assess the appropriate category based on the criteria set out in IIROC Rule 2629. While the IIROC Rules provide the transition period, we encourage Dealers to make these filings as quickly as possible and we will continue to work with firms to address their questions. Late filings will result in fines and a suspension of portfolio management activities. For individuals transitioning to the category of APM, Dealers should also review the individual’s title(s) to ensure they are not misleading and reflect their new approval category responsibilities.

In reviewing membership applications or changes to the composition of Executives at the Dealer, staff will be looking for compliance with IIROC requirements relating to Executives4 including the requirement in IIROC Rule subsection 3905(3) for a Dealer to “designate as many Executives as necessary to ensure compliance with IIROC requirements, considering the scope and complexity of the Dealer’s business”.5

As set out in the IIROC Policy Priorities – Update Report, we will be working on amendments to some of the registration and proficiency provisions within the IIROC Rules to clarify the intent of the IIROC Rules as currently drafted.

1. Reporting CE completions

Some individuals and firms did not comply with our CE requirements in cycle 8. The deadline for individuals to complete their CE requirements was December 31, 2021, and the deadline for firms to report completion within the cycle was January 17, 2022. We remind firms that they need to inform their Approved Persons of the end of each CE cycle in a timely manner and failure to comply or report in accordance with the applicable rules results in individual suspensions and firm fines.

1. Covid-19 Related Proficiency Extensions

With the availability of remote proctored exams by the Canadian Securities Institute, the number of COVID related exemptions and extensions decreased substantially in comparison to last year. However, there were a few online related issues which required consideration. We will continue to monitor this situation and review each matter on a case-by-case basis.

1. Competency Profiles

We are in the process of developing and publishing competency profiles for all IIROC Approved Person categories. We published our proposed competency profiles for Directors, Executives, UDPs, CCOs and CFO on August 31, 2021.

We continue to work on the competency profiles for the remaining IIROC Approved Person categories with the next phase being for Supervisors, APMs, PMs, and Traders.

1. CE Accreditation

IIROC’s new Continuing Education accreditation process was launched on January 1, 2022 as IIROC decided to assume direct responsibility over the accreditation of CE courses for a Dealer or an external course provider that wish to submit them, as per IIROC Rule 2703. Information on the CE accreditation process can be found in IIROC Notice 21-0196. For more information on this, Dealers and course providers can contact [email protected].

1. Deficient Filings

We continue to see filing deficiencies as highlighted in past Compliance Priorities Reports. Our intention is to continue various outreach efforts to the Authorized Firm Representatives and Chief Compliance Officers of these firms, including training sessions with our Registration team to ensure they understand their obligations. We will review basic registration functions, as well as issues specific to the firm, to ensure that our expectations are clear and to outline the consequences of future non-compliance.

Once we have met with a firm, we will take a strict approach to compliance with our requirements and may take any or all of the following steps:

• reject deficient filings in their entirety
• impose terms and conditions on the firm
• refer matters to Enforcement for potential disciplinary action.

We will provide the same training to other firms upon request. As this includes a review of basic registration functions, we will also provide it to new firms, either during the new membership process or shortly thereafter.

1. Notices of Termination (NOTs)

When filing NOTs, where the termination relates to a firm’s only Registered Representative (RR), Investment Representative (IR), Supervisor or Executive, firms must consider whether they still have the appropriate number and category of Approved Persons to carry out activities. We expect firms to notify us immediately in cases where they are planning to terminate their only RR, IR or Supervisor, or key Executives (including the UDP, CCO, or CFO) where that individual has advised of their intent to resign.

1. Proficiency Exemptions

We continue to receive deficient exemption applications. Before filing an exemption application, we encourage firms to refer to IIROC Registration ‑ Proficiency Exemption Requests | IIROC. Registration staff would be pleased to discuss these requirements with firms generally, or in connection with specific applications, to provide additional guidance.

1. Membership Issues

1. Review of Business Transactions

It is important to keep in mind that the process of working through significant transactions does take time. Please ensure that you factor in enough time for IIROC’s review and the receipt of any required approvals when planning the timeline for completion of any proposed transaction or business change.

In order that IIROC’s review may be conducted in an efficient manner, please ensure that your submission includes all relevant details regarding the transaction or business change and the relevant supporting documentation.

• 2We implemented Dealer Member Rule 3100 [PLR Rule Book 3703] in November 2019 requiring the mandatory reporting of cybersecurity incidents by firms to IIROC. See IIROC Notice 19-0194 Amendments Respecting Mandatory Reporting of Cybersecurity Incidents (November 14, 2019)
• 3Further to IIROC Rules, Form 1 and Guidance | IIROC,
• 4See IIROC Rules 1502, 2503, 3905, 3909
• 5See definition of Executive in IIROC Rule 1200