Firm Operations and Risk Management
Cybersecurity remains a key business risk for dealers regardless of size and complexity. Dealers need to have appropriate controls in place to safeguard client and personal information and assets, as well as their own critical systems and applications.
New SRO remains committed to supporting the industry with education on cybersecurity risk. We issued several communications to dealers alerting them to various cybersecurity threats and vulnerabilities.
In the summer of 2022, we published a cybersecurity self-assessment tool for Investment Dealers, which is now also available for Mutual Fund Dealers. Dealers can use the checklist free of charge to assess their own cybersecurity preparedness and identify areas for improvements. There is also a webcast available that discusses the importance of conducting regular cybersecurity self-assessments and explains how to use the new self-assessment tool and interpret the results and the report. While the use of the tool will be voluntary, we strongly recommend that all dealers conduct a cybersecurity self-assessment at least once every two years to assess their posture and maturity and identify any critical gaps. If you would like to access the tool, contact [email protected].
In fall of 2023, we intend to conduct a cybersecurity table-top exercise for the small and medium-sized dealers, whether mutual fund dealers or investment dealers. Stay tuned for details on the exercise.
During regularly scheduled examinations for investment dealers, we look at how:
- dealers demonstrate compliance with the cybersecurity incident reporting requirements,
- cybersecurity risk is managed, and
- we incorporate our assessment into the applicable risk score for the firm.
We continued to raise findings and make recommendations to dealers for being unable to sufficiently demonstrate compliance with IIROC’s cybersecurity incident reporting requirements. As a result, we issued IIROC Guidance Note GN-3700-22-001 to provide additional guidance to dealers. The most common findings include:
- lack of adequate documentation in policies and procedures, such as:
- the requirement to submit a preliminary report within three calendar days of discovering an incident.
- the requirement to submit a final report within 30 days from discovery.
- adequate tailoring to the dealer's operations. Policies and procedures are only effective when the dealer tailors and incorporates them in all relevant aspects of the business operations.
- a cybersecurity incident log, or a log with insufficient details.
- the policies and procedures do not address the specific regulatory requirements related to the dealer where cybersecurity functions of a group of entities are centralized. This involves the dealer determining a separate assessment of materiality, substantial harm, significance, and other thresholds on a standalone basis.
We also continue to review cybersecurity incidents reported by dealers.
Proposal to modernize back-office arrangements and subordinated debt financing
In July 2021, we announced a proposal to review whether our rules and requirements related to back-office arrangements and subordinated debt financing for investment dealers needed to be modernized. The objectives of any recommendations will be to ensure that investors are protected, rules are proportionate to the risk of the activity, and unnecessary regulatory burden is eliminated.
We created two industry working groups to discuss issues pertinent to these areas and commenced discussions in August. Both working groups raised several issues and provided helpful feedback and suggestions. We continue to work through these issues and feedback and will take into account the new membership under New SRO. We intend to publish the outcomes of these discussions along with a plan to address the key issues identified.
On March 31, 2021, we published a guide, Fundamentals of Technology Risk Management, to help dealers manage the critical risks of technology adoption, use and change. The guide covers key risks and controls, and the importance of good governance.
We continue to work on enhancing our examination procedures to ensure that dealers have designed and implemented controls to monitor their systems and applications for compliance with the relevant regulatory requirements.
As part of the review of technology risk, we continue to review supply chain risks and systemically important vendors to the industry with a view to considering ways in which to identify, assess and manage these risks.
In 2021, one of the predecessor organizations of New SRO, MFDA, issued a report (see MFDA Bulletin #0869-C) that summarizes the results of its targeted review of performance reporting. The report included details, and illustrative examples of various circumstances that caused unusual or incorrectly reported performance returns as well as key recommendations and best practices. Performance reporting remains an area of focus in our examinations as inaccurate reporting can significantly affect investment decisions. Dealers should carefully review and test their performance reporting and if unexpected or unusual returns are identified, investigate such instances to identify the specific cause and determine the extent of any issue. Dealers should sample test their reported performance returns including focusing on: (a) accounts with exceptionally high or low reported performance returns, (b) accounts that hold different investment products such as GICs or exempt securities, and (c) accounts with non-typical transactions such as adjustments, reversals and back dating.
The amendments regarding client identifiers came into effect in July 2021.
Dealers are reminded that each order sent to a marketplace must include:
- either a Legal Entity Identifier (LEI) or account number for that client when trading for a single client.
- either the MC (Multiple Client) or the BU (Bundled Order) marker when trading for multiple clients or client types (i.e., CL/NC/IN). In these cases, the LEI or client account number for each client involved must be available on request.
With the implementation of LEI’s, we discontinued the legacy process for the reporting of DEA ID’s to New SRO, with the exception of those DEA clients who are ineligible to receive a LEI. The current version of the form that reflects the current reporting obligations is available on the IIROC legacy website.
Dealers who provide Order Execution Only (OEO) access are also reminded that they must continue to advise us of the account number of each account:
- where an advisor themselves is a client or has been granted trading authority, direction, or control over an account of a client or,
- that exceeds a daily average of 500 orders per trading day in any calendar month.
In addition, each dealer offering OEO, must ensure that each order sent to a marketplace includes the required OEO flag.
We will continue to review for compliance with the new requirements. Dealers who are encountering challenges with the new requirements are encouraged to review the material on the IIROC legacy website and/or contact us for any additional clarifications.
Short Selling and Failed Trades
On August 17, 2022, guidance was issued to remind dealers that they must have a reasonable expectation to settle any resulting trade on settlement date prior to the entry of any short sale order on a marketplace. For example, short sales where a client expects to receive the covering securities (including distributions) after the settlement date of the trade are prohibited under UMIR Policy 2.2, Part 2 unless other arrangements have been made.
In addition, we expect that dealers will have robust monitoring and resolution practices in place regarding failed trades. This will include policies and procedures to restrict further short selling when a failed trade becomes reportable as an extended failed trade as required under UMIR 6.1 (6).
We will continue to review the procedures and testing in place for this activity.
Supervision of Trading
All Participants are required to develop and maintain a supervision system that considers and addresses the risks associated with their business model.
We continue to expect that each Participant will conduct and document an internal assessment to identify all trading related risks and to identify the risks that are most significant relative to its business. This will assist the firm in allocating resources to the areas of most impact, thus improving the efficiency and effectiveness of its supervision program. Lower risk areas cannot be fully ignored but can be reviewed with less frequency.
As part of our review practice, Trading Conduct Compliance will request a copy of your Internal Risk Assessment for review.
Delegation of Tasks
In some instances, Participants have delegated supervisory controls or tasks to a third party or an affiliate. While this is permitted under UMIR, we continue to identify instances where such delegation has not been formally documented in detail. This lack of coordination and understanding can lead to potential issues when it is not clear which party is performing certain tasks.
Regardless of the delegation of certain tasks or controls, the Participant retains all regulatory responsibility to ensure that all trading related activity that it has initiated is sufficiently monitored and supervised.
Conduct and Supervision
Client Focused Reforms (CFR) - Conflict of Interest Sweep
In 2022, the predecessor SROs, MFDA and IIROC, along with the CSA conducted a detailed review of compliance with the CFR Conflict of Interest (COI) requirements that came into effect on June 30, 2021. The objective of the review was to determine if dealers have met the spirit of the new COI rules and have implemented processes to address material conflicts in the best interest of clients. Although many dealers have implemented strong controls to identify, disclose and address conflicts of interest in the best interest of clients, there are still a few common weaknesses involving various aspects of the COI rules:
- Some dealers did not adequately document their assessment of material conflicts to provide evidence that they are in fact addressing the conflict in the best interest of the client, as required.
- COI disclosure did not always include the three components required under the rule, and commonly missed the 2nd and 3rd components below:
- the nature and extent of the conflict of interest,
- the potential impact on and risk that the conflict of interest could pose to the client,
- how the conflict of interest has been, or will be, addressed.
- COI rules are not satisfied solely by providing disclosure to the client. Dealers must also implement controls to address the conflict in the client's best interest. Although this applies to any type of COI, our review identified gaps in the controls, beyond disclosure, to address conflicts associated with the sale of proprietary products.
A joint report will be published by the CSA and New SRO providing greater details on the deficiencies identified across all platforms and some best practices observed during the sweep. We encourage dealers to review the report and assess their policies and procedures and disclosure relating to COIs. We will continue to test compliance with these requirements in our examinations.
CFR – Phase II
The remaining CFR provisions came into effect on December 31, 2021. These provisions involve rule amendments to Relationship Disclosure, KYC, Suitability, Product Due Diligence, Know Your Product and Misleading Communications. We have been testing compliance with these new requirements in our examinations and will continue to focus on these areas in the year ahead while also participating in a Phase II coordinated review with the CSA.
Phase II of the sweep will focus on some of the CFR rule enhancements including, for example, dealer processes for:
- ensuring Registered Representatives (RRs) identify a reasonable range of alternatives when making recommendations and document their justification for selecting a particular option.
- assessing a client’s risk capacity, along with client risk tolerance, in determining a client’s risk profile.
- conducting product due diligence on all products on the dealer’s product shelf, and ensuring RRs are adequately trained to meet their Know Your Product (KYP) obligations. The KYP process should also include procedures to monitor previously approved products for significant changes.
Order Execution Only – Digital Engagement Practices
During our examinations we review dealers’ digital engagement practices, including emerging trends such as the increasingly sophisticated use of social media for advertising purposes, and gamification.
Various research reports have recently been published both in Canada and internationally, that focus on the growing sophistication of digital engagement practices used by online dealers. Many of these practices are categorized under the general heading of “gamification”. Gamification refers to a variety of behavioural techniques that integrate game-related elements into non-gaming contexts and applications, with the purpose of improving user experience and engagement. Certain gamification strategies are designed to make investing less intimidating and more enjoyable, which can benefit investors. However, other gamification strategies can oversimplify complex products, give investors a false sense of confidence or encourage reckless behaviour, which can be detrimental to investors.
Given the rapid changes that are occurring, and the potential concerns surrounding improper advertising and sales communication practices, the trends and developments in this area are being closely studied by New SRO staff.
Order Execution Only – Service Level Review
In late 2021, we established an industry working group to review issues pertaining to service disruptions on OEO online platforms. Although many dealers have taken steps to address service-related issues that occurred during times of exceptional market activity in early 2021, the possibility exists that unforeseen market turbulence in the future could result once again in disruptions that have investor protection implications.
Dealers are required to ensure that they can carry on business after a significant business disruption and provide their clients with prompt access to their assets. Accordingly, Investment Dealer and Partially Consolidated (IDPC) Rule section 4711 stipulates requirements for dealers to have business continuity plans (BCP). IDPC Rule section 4712 further specifies that the dealer must identify procedures to deal with significant business disruptions and assess its key business functions and required levels of operation during the period of the disruption. The principle behind the BCP rules is to ensure that dealers can continue to meet their obligations to clients and capital markets counterparties in the event of unexpected operational disruptions.
At the next regularly scheduled field examination, staff will look at the BCP of OEO dealers to understand how such dealers:
- identify critical business activities, functions, systems, people, etc.,
- determine what constitutes significant business disruptions, and how they are detected, and
- develop workarounds to ensure that critical activities can continue until the firm gets back to normal operations.
In April 2022, we proposed IDPC Rule section 4716 (proposed as IIROC Rule section 4716) to require Dealer Members to report to us when a significant business disruption occurs, and when they invoke their BCP. This requirement, once implemented, will help us monitor business disruptions' impact on investors and inform future rule developments as we continue to assess service-level issues.
Elimination of the Deferred Sales Charge Option
Effective June 1, 2022, the payment of upfront sales commissions by fund organizations to dealers was prohibited, resulting in a ban on the deferred sales charge (DSC) option. Our examinations have included testing of sales practices leading up to the DSC ban to assess the suitability of any recommendations to purchase DSC funds considering, among other factors, a client’s age and investment time horizon. We will also be reviewing any changes to dealers’ compensation and incentive practices that followed the DSC ban to assess whether any new compensation or incentive practices have emerged which may present new conflicts of interest or other concerns.
Outside activities remain an area of focus in our examinations. Following the amendments to National Instrument 33-109 Registration Information and National Instrument 31-103 Registration Requirements, Exemptions and Ongoing Registration Obligations, the following guidance was updated with respect to disclosure and approval of outside activities
: Disclosure and approval of outside activities | IIROC and MSN-0040 | MFDA. The amendments include a new framework for reporting outside activities to regulators, a definition of “position of influence” and the codifying of client restrictions on registered individuals relating to positions of influence.
Dealers should have adequate procedures to supervise compliance with the restrictions relating to positions of influence, including, for example, obtaining acknowledgement from clients at account opening that they are not restricted clients.
Registration and Proficiency
Amendments to the registration proficiency rules
New rules were implemented on December 31, 2021, which included changes to the registration and proficiency requirements. The changes included transitioning RRs with portfolio management activities to the appropriate categories of Associate Portfolio Manager (APM) or Portfolio Manager (PM) and new requirements for those applying as an APM or PM.
Dealers should review the requirements for APMs and PMs under IDPC Rule clauses 2602(3)(xiv) and 2602(3)(xv), respectively when submitting applications for approval in these categories. We remind dealers that they need to demonstrate Relevant Investment Management Experience (RIME) for APM or PM in accordance with IDPC Rule clauses 2602(3)(xiv) and 2602(3)(xv), respectively. It is important to provide the necessary detailed information for staff to assess the submissions in a timely manner.
Dealers are reminded to also review the changes to the proficiency requirements for the various Supervisor activities within IDPC Rule subsection 2602(3) that were introduced as of December 31, 2021. We have noted an increased number of deficiencies in terms of the Supervisors, or disclosure of supervisory activities, where the individuals do not meet the proficiency (including experience) requirements. Dealers must review the applicable requirements before submitting applications for Supervisors, and ensure that the Supervisor’s education and experience meets the applicable proficiency requirements set out in IDPC Rule subsection 2602(3), and that the relevant education and experience are clearly outlined in the submission.
Amendments to National Instrument 33-109 and National Instrument 31-103 were published on December 16, 2021.
The new rules were effective June 6, 2022, and in accordance with the transition provision, individual registrants are required to update their information on the National Registration Database (NRD) where it states “There is no response to this question” by the earlier of (i) the date the individual registrants report a change to their registration information after June 6, 2022, and (ii) June 6, 2023.
The amendments have resulted in a substantial increase in the filings made on the NRD. Failure to respond to the new questions has resulted in a significant number of deficiencies. We remind dealers that they need to review the questions carefully and respond to the new questions, before making a submission.
As part of our review, we have identified a significant increase in deficient filings, in particular with respect to reportable activities.
Dealers need to review the amendments to the National Instruments, the IDPC Rules and the related materials.
We encourage you to review Appendix C of the Companion Policy of NI 33-109 which provides an illustration of the five categories of reportable activities, including positions of influence. We ask that dealers review the criteria carefully before making a submission in order to reduce the number of deficiencies that need to be addressed.
We also remind dealers that when disclosing and reviewing titles, they need to ensure that the titles used and reported are compliant with the requirements set out in the CFRs, and applicable provincial legislation.
Dealers need to conduct a review of the applicable requirements before submitting the relevant information on NRD.
Notice of End of Individual Registration or Permitted Individual Status (formerly Notice of Termination) (F1)
When filing F1s, where the cessation relates to a firm’s only RR, Investment Representative (IR), Supervisor or Executive, dealers must consider whether they still have the appropriate number and category of Approved Persons to carry out activities. We expect dealers to notify us immediately in cases where they are planning to terminate their only RR, IR Supervisor, or key Executives (including the Chief Compliance Officer, Chief Financial Officer, Ultimate Designated Person), or where that individual has advised of their intent to resign.
We remind dealers that “cessation date” means the last day on which an individual had authority to act as a registered individual on behalf of their sponsoring firm or the last day on which an individual was a permitted individual of their sponsoring firm. An individual’s cessation date is not necessarily their last day of employment.
Competency Profiles and proficiency initiatives
We have been in the process of developing and publishing competency profiles for all (investment dealer) Approved Person categories. We published our last set of proposed competency profiles for Supervisors, Traders, APMs and PMs on August 29, 2022.
We are planning to finalize and publish an updated version of the previously published competency profiles in and around fall of 2023.
As we look to finalize the competency profiles, keeping in mind that our contract with the Canadian Securities Institute will end at the end of December 2025, we have started the next step of our proficiency initiative. The first step of this was the publication of a Request for Expressions of Interest in October 2022.
We intend to make our final selection by the Spring 2024.
We continue to receive deficient exemption applications. Before filing an exemption application, we encourage dealers to refer to our notice on proficiency exemptions IIROC Registration ‑ Proficiency Exemption Requests | IIROC. This notice outlines the comparative analysis that is needed in most cases. We encourage dealers to review the notice prior to submitting an exemption application and reaching out to staff as needed in advance of submitting an exemption application.
Dual Registered dealers - NRD
As noted earlier, we published New SRO Interim Rules – Frequently Asked Questions | New Self-Regulatory Organization of Canada (newselfregulatoryorganizationofcanada.ca) with respect to dual registered dealers.
Decisions on applicants and Approved Persons
The IDPC Rules eliminated the District Council powers relating to approval, continued approval, and proficiency exemptions, for applicants and Approved Persons.
These decisions now are made by the Corporation being New SRO. We have implemented new internal policies and procedures relating to such decisions consistent with administrative law principles including the opportunity to be heard procedures set out in IDPC Rule 9400.
Proficiency for Alternative Mutual Funds
In 2022, the new MFDA Policy No. 11 Proficiency Standards for the Sale of Alternative Mutual Funds came into effect. MFDA Policy No. 11 is now Rule 1000 under the New SRO Mutual Fund Dealer Rules. Dealers should ensure they are complying with these requirements as applicable. The additional proficiency requirements in the rule apply to both alternative mutual funds sold pursuant to a prospectus (i.e., liquid alts) and those sold under a prospectus exempt basis (i.e., hedge funds).
Consistent with the proficiencies applicable to individuals registered with a mutual fund dealer, section 2603 of the IDPC rules include proficiencies for trading in Alternative Mutual Funds, as well as ETFs and Exempt Market Products for those subject to the IDPC whose activities are restricted to mutual funds.
Reporting Continuing Education (CE)
For investment dealers, the current CE cycle ends as of December 31, 2023. Dealers need to inform their Approved Persons of the end of each CE cycle in a timely manner. Failure to comply or report in accordance with the applicable rules may result in individual suspensions and firm fines. For more information on CE requirements applicable to investment dealers, please visit Continuing Education | IIROC.
CE requirements for mutual fund dealers and their Approved Persons came into effect December 1, 2021. The first CE cycle ends November 30, 2023. As the end of the CE cycle approaches, we recommend mutual fund dealers monitor the status of their Approved Persons’ completion of CE requirements on the CE Reporting and Tracking System (CERTS). We also recommend mutual fund dealers regularly update CERTS for Member accredited CE activities and leaves of absence. CERTS should also be updated for attendance at recognized CE activities. Prior to the end of the cycle, we will notify dealers with individuals who have not completed the required credits to alert them of situations of potential non-compliance.
In 2023, we will also be assessing dealers and third-party accreditor’s compliance with the accreditation standards applicable to mutual fund dealers. In this regard, we remind dealers to maintain records of their self-accreditation activity.
Further information on the MFD CE Program can be found in the CE Section of the MFDA website, including Bulletin 928-ME Continuing Education (CE) Program Update and related FAQs issued December 30, 2022.
Review of Business Transactions
Dealers subject to the IDPC Rules are required to inform the New SRO in writing before making any material changes to the firm’s business activities. The timing of our review of the dealers’ proposal is largely dependent on the quality of that submission. Dealers can avoid unnecessary delays in the review and processing of their submission by providing all relevant details and documentation regarding the proposed transaction or business change and responding to information requests from staff in a timely manner.
The process of working through significant transactions does take time, so it is important that the dealer factors in enough time for the New SRO review and the receipt of any required approvals when planning the timeline for completion of any proposed transaction or business change.