We are pleased to present IIROC’s annual Compliance Priorities Report: Helping Firms with Compliance for 2020/2021.
This year has been unlike any other in Canada – and throughout the world – with the COVID-19 pandemic yielding new challenges that required swift, decisive guidance and actions from the investment industry to better protect investors in Canada. This year’s report outlines IIROC’s ongoing response to the impacts of the pandemic, our upcoming policy initiatives, as well as initiatives to continue to support transformation and innovation in the industry.
This report also summarizes current issues and challenges that IIROC-regulated investment firms should focus on to improve investor protection and foster market integrity.
Pandemic (COVID-19) response
In response to the COVID-19 pandemic, financial services firms and regulators alike had to rapidly shift to remote work across virtually all functions. This included IIROC’s own seamless, secure move to a work-from-home environment, while maintaining continuous, rigorous oversight of Canada’s capital markets. IIROC-regulated firms also adapted quickly, engaging and updating their Business Continuity Plans (BCPs) to manage day-to-day operations in this new environment. IIROC continues to engage with member firms and demonstrate flexibility to help navigate through this challenging time while maintaining investor protection and market integrity.
Below you will find specific areas of response to the pandemic:
On March 31, 2020, IIROC published Rules Notice 20-0063, COVID-19 Related Exemptions from IIROC Rules. Exemptive relief is available to provide firms with the flexibility to serve their clients with mitigating controls or processes so long as they maintain investor protection. Exemptive relief is available in the following areas:
- Client document approvals
- Timelines for reporting obligations – relief from filing
- Form 1 audit procedures
- Pre-approval requirements (pre-trade approvals and approval of advertising and sales literature)
- Supervision requirements (daily and monthly trade reviews, branch-office reviews)
- Suspension of late filing fees
- Margin related matters
- Registration and proficiency
- Identity verification thresholds conformance to federal anti-money laundering legislation
Periodic updates regarding the number of applications received and exemptions granted are published on the COVID webpage of the IIROC website. Exemptions were generally granted for a period of six months. In September 2020, the IIROC Board authorized staff to extend exemptions, where warranted.
IIROC will continue to evaluate its rules to identify cases where permanent changes may be warranted to reflect the new realities of a post-pandemic world. For example, IIROC as well as most member firms, learned valuable lessons, and gained experience in operating in a remote fashion. When the pandemic ends, it is expected that remote working arrangements will continue to be far more common than in the past.
IIROC also issued a number of Notices, most notably about threats related to the pandemic and guidance on how to respond to these threats:
- COVID-19 and Cybersecurity (March 2020)
- Tips for Advisors and Employees (April 2020)
- Remote Access Services (May 2020)
- Supervision Related to Material Non-Public Information (November 2020)
- Business Locations - Work from home arrangements (December 2020)
Temporary Financial Relief
In addition to operational and procedural relief, IIROC took steps to provide temporary financial relief on its fees for small and medium-sized firms, which represent approximately 90% of the firms IIROC regulates. This relief for smaller firms helped them to better focus on serving investors, while still meeting regulatory and compliance obligations.
On March 16, 2020, IIROC announced a suspension of all on-site examinations and audit working paper reviews for Financial and Operations Compliance (FinOps), Business Conduct Compliance (BCC) and Trading Conduct Compliance (TCC) to allow time for investment firms to implement their BCP and focus on serving investors. On May 19, 2020, all examinations resumed on a fully remote basis.
We have maintained exam efficiency and quality in the work-from-home environment. IIROC’s investment in people and technology has meant that we continue all core, critical regulatory oversight and responsibilities, securely when working remotely. The collaboration with IIROC-regulated firms further contributed to making IIROC’s transition to remote examinations relatively seamless. Firms were able to provide us with access to electronic records, and communicated with us regularly using technology like WebEx, Teams and other secure solutions.
Prior to the pandemic, our compliance groups had experience conducting remote examinations. However, with the shift to conducting all examinations remotely, we have identified some best practices that generally help make remote examinations more efficient for both IIROC and IIROC-regulated firms including:
- Establishing and testing the tools that will be used to communicate. IIROC generally uses WebEx but we can also use other communications technology if it is secure.
- Communicating at the outset what information will be inaccessible or delayed.
- Making meetings more efficient and less burdensome by sending an agenda or discussion material in advance and limiting meetings to an hour at a time.
- Conducting regular touchpoints between IIROC staff and key coordinating staff at the member firm to follow-up on any recurring issues or requests that are delayed or outstanding.
IIROC will continue to monitor the developing situation to determine the most appropriate response in the interest of protecting the safety and well-being of both our employees and those of the member firms we regulate and their clients, while continuing to maintain investor protection and the integrity of our markets. We will inform member firms in advance of any changes to our current remote examination approach.
To assist firms with adapting to disruptions resulting from the pandemic, IIROC created a comprehensive webpage, on IIROC.ca that centralizes pandemic-related information. In particular, the webpage provides answers to Frequently Asked Questions (FAQ), as well as information about exemptive relief and cybersecurity risks resulting from remote working arrangements.
Highlights – IIROC Initiatives
Supporting Industry Transformation and the Evolution of the Self-Regulatory Model
As discussed in our Three-Year Strategic Plan and Priorities for Fiscal 2020 (Strategic Plan) and IIROC Priorities for 2021, we remain committed to supporting industry innovation. The COVID-19 pandemic has accelerated the adoption of technology by firms, investors and regulators alike. Accordingly, to enable firms to more effectively and efficiently meet the needs of Canadians, we will continue our efforts to identify and modernize rules that result in unnecessary processes or cost, or that limit the appropriate use of technology. One of the biggest potential areas for regulatory transformation in Canada relates to the consultation launched by the Canadian Securities Administrators (CSA) last year on the self-regulatory organization (SRO) framework. We believe that a consolidation of IIROC and the Mutual Fund Dealers Association of Canada (MFDA) could ultimately provide significant benefits to investors while also saving the investment industry potentially hundreds of millions of dollars over the next 10 years. We conducted extensive research, after fully engaging a number of stakeholders, to support our proposal1. A consolidation of the two SROs will help facilitate industry innovation and investment and make it easier for the industry to deliver the products and services that Canadians want.
IIROC has received interest from current and prospective firms about the potential regulation of crypto assets. We continue to work closely with the CSA to develop an appropriate regulatory framework for this growing market that addresses both market integrity and investor protection concerns. We expect to publish a joint notice with the CSA in the coming months to respond to comments received to Joint CSA/IIROC Consultation Paper 21-402 Proposed Framework for Crypto-Asset Trading Platforms. In October 2019, we created a Crypto-Asset Working Group (CWG) that includes members from various parts of the crypto-asset industry to advise on future proposed IIROC rules and policy matters related to the regulation of crypto assets, and any potential impact on investor protection and market integrity. We received input from this working group on a variety of topics including custody, insurance, trade surveillance, know your product requirements and proficiency. In December 2020, IIROC issued a second call for participants to join the CWG for a period of one year. Current members may re-apply and possibly serve longer than their initial one-year term.
Derivatives Rule Modernization
In November 2019, we published for public comment our first set of amendments designed to:
- ensure our rules continue to be materially harmonized with the equivalent CSA requirements as they apply to securities and derivatives
- more clearly specify which of the core regulatory obligations apply to securities, listed derivatives and OTC derivatives
- eliminate inconsistencies in the regulatory treatment of securities, listed derivatives and OTC derivatives, where justified
Due to the extent and the nature of these proposed amendments, the proposals will be published for public comment in two separate stages:
- Stage 1: November 2019 set of amendments, which includes all amendments we propose to make other than those relating to margin requirements
- Stage 2: amendments proposed for margin requirements
Within Stage 1, we are proposing to:
- expand, where appropriate, the scope of the IIROC Rules that apply only to:
- securities-related activities to also apply to derivatives-related activities
- activities involving futures and listed options to also apply to OTC derivatives, including contracts for difference (CFDs) and foreign exchange contracts (Forex)
- adopt, where appropriate, requirements/standards announced by other jurisdictions/bodies
Stage 2 will include proposed amendments to current margin requirements in order to adequately constrain leverage and address margin requirements. Stage 2 will be published for public comment at a later date.
Plain Language Rules
In August 2019, we announced the implementation of our Plain Language Rules (to be known as “IIROC Rules” going forward)2. On December 31, 2021,3 the existing Dealer Member Rules will be repealed and the IIROC Rules will become effective. Firms should review the IIROC Rules and the related Table of Concordance to ensure compliance with all applicable new and updated requirements as at their effective date.
Members will also find that the Plain Language Rules on our website has been rebuilt and redesigned to be searchable, accessible and user friendly. Members will find additional resources such as webcasts and guidance related to specific rules in one easy to access location.
The implementation date of December 31, 2021 was chosen in order to synchronize the timing of the IIROC Rules with the IIROC rule amendments related to the Client Focused Reforms (CFR). This will allow member firms to focus their efforts on one, rather than two, major implementation projects.
Risk Models and Examinations
IIROC uses models to assess each firm’s risk, and to inform the frequency and scope of our compliance examinations. As stated in our last annual Compliance Report, our risk models were updated to add measures that consider the potential impact of each member firm on market integrity and investor protection. As a result, we now consider both the risk and the impact of each member firm to determine how often we will examine them. The introduction of an impact factor to a firm’s risk rating has resulted in more frequent examinations for larger and integrated dealers, particularly for Business Conduct Compliance and Trading Conduct Compliance. In response we have created a new examination approach for larger and integrated firms to ensure a more efficient and effective examination process that leverages their existing enterprise risk management programs.
Together with our supplemental materials, regular contact, annual compliance conferences and other forums, this report helps firms focus their supervision and risk-management efforts to comply with our regulatory requirements in a way that is appropriate for their unique business models.
- 1. Refer to IIROC’s proposal Improving Self-Regulation for Canadians and Public submission to the CSA consultation for more information and supporting research.
- 2. See IIROC Rules Notice 19-0144, IIROC Dealer Member Plain Language Rule Book Implementation.
- 3. See IIROC Rules Notice 20-0079, Revised Implementation Date of the IIROC Dealer Member Plain Language Rule Book and Update on Client Focused Reforms, where it was announced that the effective date for the IIROC Rules has been delayed until December 31, 2021.
Financial and Operations Compliance (FinOps)
There was a significant increase in pandemic-related cybersecurity attacks not just in Canada but around the globe. Since March 2020, IIROC has seen an increase in cybersecurity incidents reported4. We continue to review incidents and guide firms, where necessary, to respond appropriately.
Cybersecurity is a business risk for all IIROC-regulated firms regardless of size and complexity. Each firm needs to have appropriate controls in place to safeguard client information and assets, as well as their own significant systems.
In the last year, we began reviewing how cybersecurity risk is being managed during regularly scheduled FinOps examinations. We incorporate our assessment into the FinOps risk score for the firm.
IIROC remains committed to educating the industry on cybersecurity risk. A new webpage on IIROC’s website is dedicated to cybersecurity, containing information about IIROC’s initiatives, including educational resources for our Dealers. Additionally, in January 2020, we published the IIROC Cyber Governance Guide as an update to the 2015 Cybersecurity Best Practices Guide.
IIROC issued cybersecurity Notices to firms on Cloud Services and Application Programming Interfaces (June 2020), and on Cybersecurity and Fraud – Protecting Clients (November 2020). In addition, we released two webcasts in October 2020 that were focused on:
Like most firms that we regulate, IIROC has adjusted its initiatives to respond to the unique issues that arose following the pandemic. We had initially planned a table-top exercise for small and medium-sized firms for the summer of 2020 following the success of the cybersecurity table-top exercise in 2018. However, it has now been postponed to 2021. Instead, as previously outlined, we focused on issuing Notices5, and on releasing webinars to support the industry’s education on cybersecurity threats and controls.
FinOps Examination Approach during COVID-19
For the large, integrated investment firms, FinOps put in place a revised Enterprise Risk Management (ERM) approach and focused on the firms’ BCP framework, pandemic-related issues, corporate governance and the firms’ risk management framework. Some of best practices observed for BCP were:
- Active oversight by the firms’ Board of Directors
- Assigning a business line owner to oversee the BCP
- Establishing a crisis management team that includes business heads
- Annual testing of BCP
For all other firms, while we also discussed how the firm was operating under its BCP, our risk-based approach remained unchanged from the previous year.
Monitoring Firms during COVID-19
The COVID-19 pandemic triggered market volatility, particularly in February and March 2020. As part of our regulatory oversight, we required firms to file weekly interim risk adjusted capital (RAC) reports for four weeks from March 13 to April 3. This allowed us to monitor IIROC-regulated firms’ current capital position and to obtain additional information about any operational issues and the implementation of business continuity plans (BCP). The responses showed that:
- the majority of the firms’ employees transitioned to work from home;
- there was increased trading and account opening activity at the firms;
- RAC remained at acceptable levels; and
- overall, from a financial and operational perspective, firms performed well.
Several firms were required to file an annual Form 1 during the COVID-19 pandemic. Given this timing, they requested exemptions to the year-end audit requirements covering counting of physical securities. IIROC granted temporary exemptions (as delegated to IIROC staff by IIROC’s Board of Directors)6 to such firms on the condition that the Panel Auditor performed sufficient alternative procedures to provide an unqualified audit opinion.
Some firms filed their audited Form 1 a few weeks later than the stipulated deadlines and we waived late filing fees, where appropriate. All Monthly Financial Reports (MFR), however, were filed on time.
Every firm must establish and maintain a BCP in the event of a significant business disruption as outlined in IIROC Rule 17.16. The Rule also requires an Annual CEO BCP Certification to be filed with IIROC certifying that the firm has conducted an annual review and test of its BCP. Due to the COVID-19 pandemic, IIROC accepted that firms implementing a current BCP constituted satisfying the requirement for an annual test. Going forward, we will continue our focus on firms’ BCP to address future significant business disruptions.
The pandemic has accelerated the pace of change and adoption of technology at many firms, particularly those that are small and medium sized. As part of our commitment to support industry transformation, we will publish guidance to firms on technology risk to ensure that the critical risks of such adoption and change are being properly managed. The guidance, which we expect to publish before March 31, 2021, will cover key risks and controls, and the importance of good governance.
We currently incorporate elements of technology risk into the FinOps risk model. By March 31, 2021, we will enhance this criteria, based on the guidance we publish, to better inform this risk assessment.
Trading Conduct Compliance (TCC)
Delegation of Responsibilities
In some instances, Participants have delegated supervisory controls or tasks to a third party or an affiliate. While this is permitted under UMIR, it is important to recognize that such delegation must be formally documented with as much detail as possible to ensure sufficient clarity of which tasks or controls are performed by which party. Regardless of the delegation of certain tasks or controls, the Participant retains all regulatory responsibility.
Short Selling and Failed Trades
All short sale orders entered on a marketplace must include the short sale marker and the firm must have reasonable expectation that sufficient securities are available to settle any subsequent execution. This may include confirmation that shares are available to borrow if required.
Participants must have policies and procedures in place to monitor this activity.
Supervision of Trading
All Participants are required to develop and maintain a supervision system that considers and addresses the risks associated with their business model. As this will vary by Participant, we expect that each will conduct an internal assessment to identify all risks. While it is important to note that lower risks should be considered, Participants should ensure that their supervision system focuses on the areas of greatest concern. This assists Participants to be more effective and efficient by concentrating their supervisory efforts on higher risks.
Amendments regarding client identifiers come into effect on July 26, 2021. With these amendments, each order for a listed security must include, among other things, a client identifier.
Given the high complexity and risks associated with this implementation, we remind member firms that it is important to have already started their implementation process. We strongly encourage each member firm to:
- consider the impact of the amendments on each business unit involved with client orders in listed securities;
- reach out to any necessary third-party vendors to ensure they are:
- aware of the upcoming implementation; and
- taking all appropriate steps to be able to comply with the Amendments by July 26, 2021.
To assist member firms with the implementation, IIROC has made a series of tools and resources available on its website. Firms are encouraged to visit the Client Identifiers page for more information regarding the implementation of these amendments.
Business Conduct Compliance (BCC)
Client Focused Reforms (CFR)
In November 2020, IIROC published amendments to IIROC rules required under the Client Focused Reforms (CFR). The objective of the CFR rule amendments is to better align the interests of member firms and Registered Individuals with the interests of their clients. The CFR rule amendments include changes to existing requirements involving Relationship Disclosure, Know-Your-Client, Suitability and Conflicts of Interest. In addition to specific requirements in each of these areas, the new suitability standard now includes the overarching requirement to put clients’ interests first when making a suitability determination. The CFR amendments also introduce a Product Due Diligence/Know-Your-Product provision and new rules regarding misleading titles. In order to assist member firms and their registrants with the implementation of the CFR rules, IIROC has published for comment new guidance pertaining to Product Due Diligence & Know Your Product. Additional guidance relating to KYC and Suitability will be published early in 2021.
In preparation for the implementation of the CFR rules, we are enhancing the BCC examination program to reflect the CFR amendments. We are also working closely with the CSA and the MFDA to ensure that regulatory examination standards are consistent across regulatory platforms.
Firms are reminded that the CFR amendments related to Conflicts of Interest are scheduled for June 30, 2021. Examination of firms’ processes for managing conflicts of interest, especially compensation related conflicts, has been a consistent focus of BCC for the past few years. BCC testing of compensation-related conflicts is grounded in Dealer Member Rule 42, Conflicts of Interest, (PLR Rule 3110-3114), clarified by guidance.7 The implementation of the CFR will play a key role in clarifying and codifying firms’ requirements, not only in terms of policies and procedures aimed directly at addressing conflicts of interest, but also in related areas such as relationship disclosure, suitability and product due diligence. In particular, the CFR raise the standards regarding the use of disclosure as a means of addressing conflicts of interest. The reliance on disclosure alone as a means of addressing conflicts will generally not be sufficient, and furthermore the nature of the disclosure must include a description of the manner in which the firm is addressing the identified conflict in the best interests of clients.
The remainder of the CFR rule amendments are scheduled for December 31, 2021 – IIROC has amended the implementation date of the Plain Language Rulebook to align with CFR. The simultaneous implementation of these two major initiatives will entail a significant amount of preparation on the part of member firms as well as IIROC. Member firms are reminded to focus adequate resources on these important initiatives and to raise any implementation questions with IIROC on a timely basis. To assist member firms in preparing for the launch of the Plain Language Rulebook, IIROC is planning additional webcasts to supplement the previous training provided in February 2020.
Order-Execution-Only (OEO) Trailer Ban
In September 2020, the CSA published final rules that implement a trailing commission ban (OEO Trailer Ban). This ban prohibits the payment of trailing commissions by fund organizations to investment firms and their registrants who do not make a suitability determination, such as OEO firms. The rule also prohibits the solicitation or acceptance of trailing commissions by such firms.8 The OEO trailer ban will come into effect on June 1, 2022 and affects all funds that pay trailing commissions including funds sold under the Deferred Sales Charge option. OEO firms will need to enhance their systems and processes to ensure compliance with the new rules. Compensation and fee arrangements will also need to be modified to reflect the new requirements. For its part, IIROC will also be required to update BCC examination processes to facilitate testing of firms’ compliance with the trailer ban rules. IIROC expects that interpretative questions and implementation issues will arise as firms develop their implementation plans. IIROC will continue to work closely with the CSA in addressing these issues.
Business Location Reviews
In addition to the general issues discussed in the introduction, there are specific items relating to remote supervision of business locations that require careful consideration. Given the challenges associated with the pandemic, it may be difficult for some firms to comply with their existing documented processes surrounding periodic on-site reviews of their business locations. IIROC-regulated firms should document alternate processes that are reasonable under the circumstances, and ensure adequate remote supervision and monitoring of the activities that occur at the business location. 9
Early Adoption of Certain Rules
With the IIROC Rules synchronized to CFR on December 31, 2021, the following new proficiency-related rules are implemented as of January 1, 2021:
- Registered Representatives, Investment Representatives and Supervisors may complete Level I or higher of the Chartered Financial Analyst (CFA) program, as an alternative to the Canadian Securities Course (CSC)
- Supervisors of Registered Representatives dealing with retail clients no longer need to complete the Effective Management Seminar (EMS)
- All courses required under Dealer Member Rule 2900 are valid for three years
- Any registrant involved in the trading or supervision of options or futures may complete the Derivatives Fundamentals and Options Licensing Course (DFOL) as an alternative to either the Derivatives Fundamentals Course (DFC) or Options Licensing Course (OLC).
For more information refer to IIROC Notice 20-0262, Early adoption of certain IIROC Rules into the Dealer Member Rules.
Covid-19 Related Proficiency Extensions
Due to health concerns related to attending physical testing facilities and the ongoing disruption of testing in certain centres, IIROC staff are continuing to support extensions for post licensing requirements where appropriate. Upgrade requirements under Dealer Member Rule 18.7 are being considered in a consistent manner with the above post licensing requirement extensions.
Canadian Securities Institute (CSI) Examinations
As of December 8, 2020 students may book a remotely proctored exam for all CSI exams. Please see CSI’s website for more information.
We continue to see filing deficiencies as highlighted in past Compliance Priorities Reports.
Our intention is to continue various outreach efforts to the Authorized Firm Representatives and Chief Compliance Officers of these firms, including training sessions with our Registration team to ensure they understand their obligations. We will review basic registration functions, as well as issues specific to the firm, to ensure that our expectations are clear and to outline the consequences of future non-compliance.
Once we have met with a firm, we will take a strict approach to compliance with our requirements and may take any or all of the following steps:
- reject deficient filings in their entirety
- impose terms and conditions on the firm
- refer matters to Enforcement for potential disciplinary action
We will provide the same training to other firms upon request. As this includes a review of basic registration functions, we will also provide it to new firms, either during the new membership process or shortly thereafter.
Notices of Termination (NOTs)
When filing NOTs, where the termination relates to a firm’s only Registered Representative (RR), Investment Representative (IR) or Supervisor, firms must consider whether they still have the appropriate number and category of Approved Persons to carry out activities. We expect firms to notify us immediately in cases where they are planning to terminate their only RR, IR or Supervisor, or where that individual has advised of their intent to resign.
We continue to receive deficient exemption applications. Before filing an exemption application, we encourage firms to refer to IIROC Notice 18-0236 IIROC Registration-Proficiency Exemption Requests. Registration staff would be pleased to discuss these requirements with firms generally, or in connection with specific applications, to provide additional guidance.
We are in the process of developing and publishing competency profiles for all IIROC Approved Person categories. We published our proposed competency profiles for RRs and IRs in IIROC Notice 20-0174.
We continue to work on the competency profiles for the other IIROC Approved Person categories with the next phase being for Executives, Directors, UDPs, CCOs and CFOs.
Review of Business Transactions
It is important to keep in mind that the process to work through significant transactions does take time. Please ensure that you factor in enough time for IIROC’s review and the receipt of any required approvals when planning the timeline for completion of any proposed transaction or business change.
In order that IIROC’s review may be conducted in an efficient manner, please ensure that your submission includes all relevant details regarding the transaction or business change and the relevant supporting documentation.
As can be seen clearly in this report, the investment industry is going through an unprecedented period of disruption and change. This challenging environment is inevitably resulting in considerable uncertainty for Members, their employees and the clients they serve. We would like to conclude this report by reminding all IIROC member firms that the best way to deal with regulatory uncertainty is to contact IIROC with any regulatory questions and concerns you may have. By maintaining open lines of communication with IIROC you will also assist us in understanding emerging issues that will need to be addressed. Effective communication between IIROC and our member firms will be essential in order to ensure that the investment industry emerges from this current period of disruption in a stronger and more resilient form that will better serve and protect Canadian investors.
- 4. We implemented Dealer Member Rule 3100 [PLR Rule Book 3703] in November 2019 requiring the mandatory reporting of cybersecurity incidents by firms to IIROC. See IIROC Notice 19-0194 Amendments Respecting Mandatory Reporting of Cybersecurity Incidents (November 14, 2019)
- 5. Three notices were issued related to the COVID-19 pandemic-related cybersecurity threats. See page 2 of this document under “Notices”.
- 6. Refer to IIROC Rules Notice 20-0063, COVID-19 Related Exemptions from IIROC Rules (March 31, 2020)
- 7. See IIROC Guidance Note 17-0093 – Managing Conflicts in the Best Interest of the Client – Compensation-related Conflicts Review, (April 27, 2017)
- 8. CSA Notice of Amendments to National Instrument 81-105, Mutual Fund Sales Practices and Related Consequential Amendments – Prohibition of Mutual Fund Trailing Commissions Where no Suitability Determination was Required. (September 17, 2020)
- 9. Refer to IIROC Guidance Note 20-0270, Business locations – Registration and Compliance approach to work from home arrangements, December 21, 2020