IIROC Compliance Report: Helping Firms With Compliance

19-0225
Type: Rules Notice > Guidance Note
Rule connection:
UMIR
Legacy DMR Rules
7.1 Trading Supervision Obligations
Distribute internally to:
Corporate Finance
Institutional
Internal Audit
Legal and Compliance
Operations
Registration
Regulatory Accounting
Research
Retail
Senior Management
Trading Desk
Training

Contact:

Irene Winel
SVP, Member Regulation
Victoria Pinnington
SVP, Market Regulation
Elsa Renzella
SVP, Enforcement and Registration

Executive Summary

We are pleased to present IIROC’s annual Compliance Report, Helping Firms With Compliance, for 2019/2020.

This report summarizes current issues and challenges that Dealer Members (Dealers) should address to improve investor protection and foster market integrity. Together with our supplemental materials, daily contact, annual compliance conferences and other forums, this report helps Dealers focus their supervision and risk-management efforts to comply with our regulatory requirements in a way that is appropriate for their unique business models. 

This report also discusses our initiatives to support transformation and innovation in the industry, and clarifies how we use and apply supplemental material (such as guidance notes) for examination purposes.

Highlights

Supporting Industry Transformation

As discussed in our Three-Year Strategic Plan and Priorities for Fiscal 2020 (Strategic Plan), we are committed to supporting industry innovation. We will focus on responding to industry changes with appropriate regulation that does not compromise investor protection, choice or market integrity, and to better serve Canadians and support healthy Canadian capital markets. Refer to section 5.1 for more information.

Risk Models and Examinations

IIROC uses models to assess each Dealer’s risk and to inform the frequency and scope of our compliance examinations. This allows us to focus on Dealers and business activities that present the highest risk. Over the last two years, we conducted a comprehensive review and update of the Business Conduct Compliance (BCC), Trading Conduct Compliance (TCC), and Financial and Operations Compliance (FINOPS) risk models. The goal was to ensure that the models remain current and achieve their intended predictive purpose. One of the main changes was to add measures that consider the potential impact of each Dealer on market integrity and investor protection. As a result, we now consider both the risk and impact of each Dealer to determine how often we will examine them [1]. We released a webcast video to provide further details about the structure and operation of the updated models.

We also continue to update our examination programs to enhance our risk-based approach to ensure we focus our efforts on what matters most. We are strengthening our planning process, refining our exam modules, focusing on Dealer corporate governance and improving our examiner training.

Crypto Assets

IIROC has received interest from current and prospective Dealers about crypto assets. We continue to work closely with the Canadian Securities Administrators (CSA) to develop an appropriate regulatory framework for this growing market that addresses both market integrity and investor protection concerns. We recently created a Crypto-Asset Working Group to advise on future proposed IIROC rules and policy matters related to the regulation of crypto assets, and any potential impact on investor protection and market integrity.

Plain Language Rules

In August 2019, the CSA approved IIROC’s Plain Language Rule Book (PLR Rule Book) [2]. The formal PLR Rule Book will be implemented on June 1, 2020, after which the existing Dealer Member Rules will be repealed and the PLR Rule Book will be referred to as the IIROC Rules. Dealers should review the PLR Rule Book and the table of concordance to ensure that they will be in compliance with all applicable new and updated requirements.

Terms and Conditions

We continue to focus on Dealers that fail to address significant compliance findings and/or fail to demonstrate a commitment to a strong compliance culture. IIROC may impose terms and conditions on Dealers to ensure continuing compliance with its requirements under Section 9208 of IIROC’s Consolidated Enforcement, Examination and Approval Rules (the Consolidated Rules). We will continue to use this regulatory measure and recommend terms and conditions on Dealers where we consider it appropriate.

  • 1. FINOPS uses an exam cycle of 1-3 years, and BCC and TCC use an exam cycle of 1-4 years.
  • 2. See IIROC Notice 19-0144 IIROC Dealer Member Plain Language Rule Book Implementation

  1. Financial and Operations Compliance (FINOPS)

  1.1 Cybersecurity

Cybersecurity is a business risk for all IIROC Dealers regardless of size and complexity. Each Dealer needs to have appropriate controls in place to safeguard client information and their significant systems. IIROC is committed to supporting the cybersecurity resiliency of Dealers.

In November 2018, we sent a second self‐assessment survey and issued individual cybersecurity report cards in March 2019 to all Dealers. When compared to the survey results in 2016, the 2018 results showed marked improvements in the cybersecurity posture of Dealers. The majority of the shift was generated by small and medium-sized firms.

IIROC staff and a consultant specializing in cybersecurity risk management visited selected small and medium-sized firms this year. The purpose of the visits was to:

  • discuss the results of the most recent cybersecurity report card,
  • identify areas for improvement, and
  • suggest recommendations and build a road-map to help firms improve their resilience.

We also engaged a consultant to update the 2015 Cybersecurity Best Practices Guide. It will be available in early 2020 on the IIROC website.

We are developing a new microsite (within the IIROC website) dedicated to cybersecurity that has information on all of IIROC’s initiatives including educational resources for our Dealers. It will be available in January 2020.

Following the success of the cybersecurity table-top exercise in 2018, we will be planning another similar exercise for small and medium-sized firms in 2020.

We recently implemented Dealer Member Rule 3100 [PLR Rule Book 3703] requiring the mandatory reporting of cybersecurity incidents by Dealers to IIROC. We also issued guidance in the form of frequently-asked questions to assist Dealers [3].

By March 31, 2020, we will be incorporating criteria to assess cybersecurity risk at all Dealers within the FINOPS risk model.

  1.2 Fully-paid Securities Lending

IIROC issued a Notice [4] on fully-paid securities lending (FPL) outlining a regulatory framework to address the risks associated with FPL. In the last year, IIROC has received requests from a few Dealers who want to implement FPL programs at their firms.

Dealers who would like to implement FPL programs must provide a formal request to IIROC for an exemption from the current FPL rules. IIROC’s Board of Directors (Board) will approve acceptable programs and impose applicable terms and conditions. IIROC will review FPL programs at approved Dealers for compliance with the terms and conditions.

  1.3 FINOPS Enterprise Risk Management (ERM) Examination Approach

We made formal changes to our risk-based examinations of large integrated Dealers that are subsidiaries of Canadian federally-regulated financial institutions. When an integrated Dealer has a mature ERM framework, as assessed by IIROC, we focus on how the Dealer identifies, mitigates and manages the risks associated with their financial and operational activities in compliance with IIROC rules. The ERM examination approach allows IIROC to leverage the Dealer’s existing ERM framework and make our examinations of large integrated Dealers more efficient and effective.

  1.4 Customer Account Guarantees

The enforceability of customer account guarantees has been a key issue in some past Dealer insolvencies. Recent litigation by bankruptcy trustees has further demonstrated the need to review and strengthen how guarantees are used to support the capital position of Dealers.  

Our exams will continue to focus on:

  • Dealers accepting waivers by account guarantors to not receive monthly customer statements of all accounts guaranteed
  • insiders of a Dealer (partner, director, officer or employee) guaranteeing the indebtedness of a non-arm’s-length account rather than transferring cash from their trading account
  • the misuse by owners of the Dealer of personal account guarantees to offset capital charges associated with Dealer indebtedness to circumvent the triggering of month-end early warning tests instead of recapitalizing.

  1.5 Portfolio Manager (PM) Service Arrangements

IIROC issued a Notice in 2018 for Dealers that provide recordkeeping and custody services for individual clients of PM registrants [5]. This complements CSA Staff Notice 31-347 “Guidance for Portfolio Managers with Service Arrangements with Dealer Members”.

Compliance with IIROC requirements, as outlined in the Notice, will continue to be an examination priority in 2020.

The Notice reminds Dealers that each individual client of the PM is considered a client of the Dealer for purposes of providing recordkeeping and custody services. Dealers should pay specific attention to the following minimum requirements:

  • Written Agreements:  Dealers must execute agreements with each PM explaining the arrangement and clearly defining the roles and responsibilities of each party.
  • Account Opening and Operation:  Each account must be opened in the client’s name and the PM must have trading authority over the account.
  • Disclosure:  Dealers must provide clients with information as required under IIROC Dealer Member Rule 3500 [PLR Rule Book 3216].
  • Client Confirmations and Statements: Dealers are responsible for the custody of client investments and must send a monthly or quarterly statement.

  2. Trading Conduct Compliance (TCC)

  2.1 Trading Supervision Obligations under UMIR 7.1

We implemented changes to the supervision of trading requirements effective March 27, 2018 [6].

We will continue to encourage Dealers to apply a principles-based approach that addresses the specific risks associated with their business models and trading activity.  Dealers should assess and document the risks associated with their trading-related activities to determine where their compliance and supervisory efforts should be focused. Some of the factors to be considered would include:

  • the Participant’s size (considering factors such as revenue, market share, market exposure and volume of trades)
  • the Participant’s organizational structure
  • number and location of the Participant’s offices
  • the nature and complexity of the products and services offered by the Participant
  • the number of registrants assigned to a location
  • the disciplinary history of registered representatives or associated persons
  • the risk profile of the Participant’s business and any indicators of irregularities or misconduct, i.e. “red flags”.

A Dealer may rely on an existing ERM program if the program includes its trading-related activities.

During our review, we will look at the assessments to ensure that the risks identified are addressed in the Dealer’s policies and procedures and are reflected in the supervision conducted.

  2.2 Best Execution

We introduced changes to best execution requirements effective January 2, 2018 [7] and continue to focus our reviews on the efforts undertaken by Dealers to address the changes in the requirements.

Our areas of focus include:

  • documented and implemented policies and procedures that consider the factors and elements that contribute to the best execution of client orders, 
  • content and disclosure of best execution policies,
  • governance around best execution decisions, and
  • training conducted by the Dealer, including that training is provided to all employees who are involved in the best execution process.

We expect non-executing Dealers to have an informed understanding of how their executing Dealer achieves best execution and how the approach taken will reasonably achieve best execution for their clients.

  2.3 Reporting Requirements

IIROC has recently introduced a number of changes further to the detail and manner of reporting for:

  • Debt Transaction Reporting [8],
  • Short Position Reporting [9],
  • Certain Order Execution Only (OEO) Accounts [10], and
  • Client Identifiers [11].

We encourage Dealers to ensure that they submit prompt and accurate information to IIROC as required. 

During our review, we will review and assess the changes that Dealers have implemented to address these regulatory requirements.

  3. Business Conduct Compliance (BCC)

  3.1 Automation of Supervisory Processes

As our industry evolves, Dealers have been looking at ways to use, or increase the use of, automation in their businesses, including to support their compliance activities. A number of Dealers have requested clarity about the use of automation (e.g. algorithm logic) in various supervisory processes, most notably the account opening approval process. As discussed in the recent report co-published by IIROC and Accenture [12], IIROC is supportive of industry efforts to “reduce unnecessary costs and pursue innovative ideas”, provided that investor protection concerns are not compromised. As a first step to providing clarity in this area, in August 2019 IIROC published guidance addressing the use of automation in the account opening approval process by OEO Dealers [13]. As noted in the guidance, Dealers will not be required to make a business model change submission to IIROC concerning the use of automation that is within the scope of the Guidance Note. BCC will be reviewing such automated processes as part of regular OEO Dealer Examinations. To this end, BCC is enhancing our examination program to more effectively test for Dealer compliance in this area.

Although the guidance deals with the limited scenario involving OEO Dealers, we intend to publish in the future updated guidance directed at all Dealers with respect to reporting changes to business models, the introduction of new business lines and processes, and the use of automation more broadly. Generally, any significant automation of processes currently conducted by registered Supervisors, or their delegates, will require a business model change submission. In cases where there is doubt regarding whether a business model change submission is required or not, it is advisable to err on the side of caution and contact your BCC Manager.

  3.2 Client Focused Reforms (CFR)

For the past two years, we have worked closely with the Canadian Securities Administrators (CSA) in developing a set of rule amendments designed to better align the interests of Dealers and Registered individuals with the interests of their clients. Under the IIROC CFR Amendments, Dealers will be required to:

  • put the client’s interest first when making a suitability determination, and
  • do more to clarify for clients what they should expect from their registrants.

In addition to amendments to existing requirements involving Relationship Disclosure, Know-Your-Client, Suitability and Conflict of Interests, the CFR amendments also introduce a Product Due Diligence/Know-Your-Product provision. This new rule codifies and expands upon our existing guidance in this area.

The proposed corresponding IIROC rule amendments will be submitted for approval to the Board early next year. In preparation for the implementation of the CFRs we are enhancing the BCC examination program to reflect the CFR amendments. The enhancement of the BCC test program to incorporate the CFR amendments coincides with an extensive review of the effectiveness of our existing Conflict of Interest examination program. As mentioned in previous compliance reports, BCC has committed to strengthening our testing of compensation-related conflicts. BCC testing of compensation-related conflicts is grounded in Dealer Member Rule 42, Conflicts of Interest, supplemented by guidance [14]. The implementation of the CFR will play a key role in clarifying Dealer requirements, not only in terms of policies and procedures aimed directly at addressing compensation-related conflicts, but also in related areas such as relationship disclosure, suitability and product due diligence.

  3.3 Limitation of Liability Clauses in Retail Client Account Agreements

During reviews of various firms, BCC has identified clauses in retail client account agreements that raise regulatory concerns. These clauses limit a firm’s liability for losses, including those caused by the firm, or relieve a firm from its securities law obligations, such as suitability. On October 10, 2019, we published guidance regarding limitation of liability clauses in retail client account agreements [15]. As noted in the guidance, when BCC staff identify questionable clauses as part of normal course examinations, business model change reviews or new member application reviews, we will take one or more of the following actions:

  • recommend correcting the clauses identified as contrary to subsection 1402(1) of our Consolidated Rules and advising clients of such changes,
  • decide to include such clauses as a finding under our Consolidated Rules, or
  • in more egregious cases, refer the matter to our Enforcement staff.

  3.4 OEO Platforms – Online Tools

In April 2018, we published guidance regarding products and services offered on OEO platforms [16]. Part of that guidance addressed issues associated with online tools provided by OEO Dealers to assist clients. Although many such tools provide useful information to clients, we have identified certain tools that go beyond merely providing information to actually providing advice and investment recommendations. The determination that a particular tool has crossed the line is often a function of various factors, including the context in which the tool is presented, whether information is pushed by the Dealer or pulled by the client, and the way in which filtering tools are used. BCC will continue to enhance its testing program to ensure consistency regarding the identification of non-compliant OEO tools.

  4. Registration

  4.1 Deficient Filings

We continue to see filing deficiencies as highlighted in past Compliance Priorities Reports.

Our intention is to continue various outreach efforts to the Authorized Firm Representatives and Chief Compliance Officers of these Dealers including training sessions with our Registration team to ensure they understand their obligations.  We will review basic registration functions, as well as issues specific to the Dealer, to ensure that our expectations are clear and to outline the consequences of future non-compliance.

Once we have met with a Dealer, we will take a strict approach to compliance with our requirements and may take any or all of the following steps:

  • reject deficient filings in their entirety,
  • impose terms and conditions on the Dealer,
  • refer matters to Enforcement for potential disciplinary action.

We will provide the same training to other Dealers upon request. As this includes a review of basic registration functions, we will also provide it to new Dealers, either during the new membership process or shortly thereafter.

  4.2 Notices of Termination

When filing Notices of Termination, Dealers must consider whether they still have the appropriate number and category of Approved Persons to carry out their activities where the termination relates to a Dealer’s only Registered Representative (RR), Investment Representative (IR) or Supervisor. We expect Dealers to notify us immediately in cases where they are planning to terminate their only RR, IR or Supervisor, or that individual has advised of their intent to resign.

  4.3 Proficiency Exemptions

We continue to receive deficient exemption applications. Before filing an exemption application, we encourage Dealers to refer to Notice 18‑0236 IIROC Registration-Proficiency Exemption Requests.

  4.4 Continuing Education

Dealers are reminded that Continuing Education Cycle 8 will begin on January 1, 2020 and will conclude on December 31, 2021. New amendments to our rules and updated guidance will come into effect on the first day of the cycle.

  4.5 Pending New Rules

As discussed in Notice 19-0144, the new IIROC Rules will be effective on June 1, 2020.  The new rules include a number of changes to the registration requirements. We will shortly be publishing guidance that will include a discussion of the following:

  • re-introduction of the categories of Associate Portfolio Managers and Portfolio Managers. Specific guidance is included in the above noted Notice on the steps the Dealer needs to take in order to transition into the appropriate category, and
  • changes to the proficiency (education and/or experience) requirements.

  5. Membership Issues

  5.1 Supporting Industry Transformation

As stated above, IIROC recognizes the significant transformation underway across our industry. Investors are changing in terms of demographics and investing expectations and our Dealers are responding to these changes by implementing or exploring new advice and service offerings, processes and business models. Markets are evolving to accommodate new asset classes and trading platforms and other industry participants are looking at new ways of offering financial services. All these changes are testing our traditional regulatory regime and approach to regulation.

In our Strategic Plan, we outlined a number of things that we are focusing on over the next three years. Recently we have been working on responding to requests for clarification on how technology can be used to assist in compliance with our rules, and assessing areas within our rules where we can provide further clarification, reduce inappropriate barriers to innovation and regulatory burden.

We are assessing other areas in which Dealers may use or consider using technology to assist with compliance with our requirements where clarification would be helpful, or that involve IIROC requirements that may result in inappropriate barriers to innovation or inappropriate regulatory burden.

To facilitate the work we are doing on this key strategy, we established an internal Transformation Team which is a small group of senior IIROC staff. This Team will focus on providing clarity and responding to the issues arising from innovation within our industry.

We invite Dealers, the marketplaces we regulate and other industry participants to come talk with us about the new ways of carrying on business or new technology being used or explored in response to the changes in our industry. We are happy to discuss any issues you are facing in advancing your innovative ideas while complying with our requirements.

You can call your usual IIROC contact.

We look forward to speaking with you and working with industry participants on these evolving issues.

  5.2 Review of Business Transactions

It is important to keep in mind that the process to work through significant transactions does take time. Please ensure that you factor in enough time for IIROC’s review and the receipt of any required approvals when planning the timeline for completion of any proposed transaction or business change.

  6. IIROC’s Regulatory Documents – Purpose and Application

Our rules consist of both prescriptive and principles-based rules, both of which are enforceable by IIROC. In order to reflect the diversity of business models represented by our Dealers, and to better accommodate industry evolution and innovation, principles-based rules are often preferred as they can provide more flexibility. However, this flexibility can also lead to more uncertainty and inconsistent application.

To provide more certainty and foster consistent application of our rules, and to assist our Dealers with compliance, we publish guidance on our rules. Our guidance provides context for our rules and, in many cases, communicates our views on acceptable practices that Dealers may find useful in complying with our rules. Guidance is not intended to impose or imply specific additional requirements.

IIROC’s rules are currently comprised of:

  1. IIROC’s Dealer Member Rules (DMRs),
  2. IIROC’s Consolidated Enforcement, Examination and Approval Rules (Consolidated Rules),
  3. Continuing Education Rules,
  4. IIROC’s Universal Market Integrity Rules (UMIR), and
  5. Transition Rule.

Upon the implementation of IIROC’s PLR Rule Book on June 1, 2020 [17], the DMRs, Consolidated Rules and Continuing Education Rules will be combined into one set of rules called IIROC Rules. This means that, as of June 1, 2020, IIROC’s requirements will be comprised of:

  1. IIROC Rules,
  2. UMIR, and
  3. Transition Rule.

Our rules go through a rigorous rule development process which includes:

  • public consultation, published in a document called Rules Notice - Request for Comments,
  • IIROC advisory committee input,
  • Board approval, and
  • approval by our recognizing regulators in the CSA.

Our rules are enforceable by us and our Dealers are required to comply with them. Unless a Dealer has received an exemption from our rules, non-compliance can lead to us taking one or more of the following actions:

  • issuing an examination finding,
  • imposing terms and conditions,
  • undertaking an enforcement investigation or commencing an enforcement proceeding.

The Board may grant exemptions [18] to a Dealer from our rules where it is satisfied that to do so would not be prejudicial to the interests of the Dealer, its clients or the public. In granting an exemption, the Board may impose such terms and conditions as it considers necessary. IIROC’s Market Regulation Policy typically grants exemptions from UMIR where, in their opinion, the exemption:

  • would not be contrary to applicable securities legislation,
  • would not be prejudicial to the public interest or the maintenance of a fair and orderly market, and
  • is warranted under the particular circumstances.

To provide clarity and foster more consistent application of our rules, and to assist our Dealers with compliance, we publish non-mandatory material (collectively, supplemental material) which includes but is not limited to:

  • Guidance including bulletins, Compliance Interpretation Bulletins, and Financial Compliance Notices:
    Guidance is not intended to impose or imply specific requirements. It is to help our Dealers comply with our rules. Guidance is published by us as-needed and can, among other things:
    • explain our intent for a rule and our views on its application,
    • describe acceptable practices on how a rule may be met, including discussions of specific scenarios, or
    • provide an analytical framework to help in applying a rule to different scenarios.
    A Dealer can use guidance to assess the effectiveness of its policies and procedures in achieving and demonstrating compliance with our rules.
  • Frequently-Asked Questions (FAQs):
    FAQs represent IIROC’s views and are intended to assist our Dealers with the implementation of our rules. They are published as-needed, are not required to be published for public comment, and do not require Board or CSA approval.
  • Technical Notices:
    These documents provide information of a more administrative, technical or factual nature. They are published as-needed, are not published for comment and do not require Board or CSA approval.
  • Educational Notices and other communications:
    These documents are published periodically to assist our Dealers in understanding IIROC, and our role and regulations.

As mentioned, supplemental material including guidance is not intended to impose or imply additional specific rule requirements, but rather indicate our views on acceptable practices to comply with a rule. However, when guidance refers to specific rule requirements, the Dealer is expected to comply with those rule requirements.

In the course of a compliance examination, or in other interactions with IIROC (for example, registration matters), we may refer to supplemental material, particularly guidance that sets out an acceptable practice, when assessing a Dealer’s compliance with a particular rule. We recognize there may be more than one way for a Dealer to comply with a rule. A Dealer not using an acceptable practice discussed in guidance will always have the opportunity to discuss with us how its practice achieves compliance with the rule. If a Dealer is not able to demonstrate that it has complied with a rule by whatever practice it uses, any ensuing examination finding, or other action, will be based on the applicable rule and not on non-compliance with guidance. The determination of whether a Dealer has demonstrated compliance with a rule is at IIROC’s discretion.

Our supplemental material may not address every situation contemplated by our Dealers. In such cases, we invite Dealers to speak with their usual IIROC contact concerning the application of our rules.

  • 3. See IIROC Notice 19-0194 Amendments Respecting Mandatory Reporting of Cybersecurity Incidents (November 14, 2019).
  • 4. See IIROC Notice 19-0109 Fully-paid Securities Lending (June 17, 2019).
  • 5. See IIROC Notice 18-0242 Service arrangements between Dealer Members and Portfolio Managers (December 20, 2018).
  • 6. See IIROC Notice 17-0189 Amendments Respecting Trading Supervision Obligations (September 28, 2017).
  • 7. See IIROC Notice 17-0137 Amendments Respecting Best Execution (July 6, 2017).
  • 8. See IIROC Notice 19-0118 Proposed Amendments Respecting Client Identifiers for Reportable Debt Transactions (July 11, 2019).
  • 9. See IIROC Notice 18-0062 Short Position Calculation and Reporting (Mar 22, 2018).
  • 10. See IIROC Notice 19-0133 Use of Identifiers and Notification Requirements Respecting Certain Order Execution Only Accounts (August 6, 2019).
  • 11. See IIROC Notice 19-0160 Information on the Implementation of Client Identifier Amendments (September 6, 2019).
  • 12. See the IIROC & Accenture Research Report - Enabling the Evolution of Advice in Canada (March 20, 2019).
  • 13. See IIROC Guidance Note 19-0153 Order Execution Only Dealers and the use of automation in the account opening approval process (August 28, 2019).
  • 14. See IIROC Guidance Note 17-0093 Managing Conflicts in the Best Interest of the Client – Compensation-related Conflicts Review (April 27, 2017).
  • 15. See IIROC Guidance Note 19-0177 Limitation of Liability Clauses (October 10, 2019).
  • 16. See IIROC Guidance Note 18-0076 Guidance on Order Execution Only Services and Activities (April 9, 2018).
  • 17. See IIROC Notice 19-0144 IIROC Dealer Member Plain Language Rule Book Implementation.
  • 18. Information on the process for requesting exemptions from our rules can be found at IIROC Notices 15-0191 (UMIR), 18-0080 (Dealer Member rules) and 18-0236 (Proficiency rules). IIROC also issues annual exemption reports summarizing the exemptions granted each year.