Effective Date: December 31, 2021
This Guidance Note sets out IIROC’s expectations regarding the compliance functions at Dealer Members (Dealers) as well as the role, responsibility and accountability of the Dealers, their board of directors, management, Compliance Departments and compliance officers.
Responsibility for compliance
A strong culture of compliance, which focuses not only on compliance with applicable rules and regulations but also emphasizes the importance of personal integrity and the need to deal with clients fairly, honestly and in good faith at all times, is the responsibility of each individual acting on behalf of a firm. Toward that end, and as noted in the Companion Policy of National Instrument 31-103 (NI 31-103), the existence of an Ultimate Designated Person (UDP), Chief Compliance Officer (CCO), Chief Financial officer (CFO), Compliance Department and other staff with compliance responsibilities does not relieve anyone else of the obligation to act on or escalate compliance issues. Everyone at the Dealer should understand the standards of conduct of their role, including the board of directors (or equivalent), employees and agents, whether or not they are registered and/or approved.
Furthermore, compliance should not be viewed as an isolated activity of the Compliance Department but as an integral part of a Dealer’s general business activities. As such, it is the responsibility of the UDP, CCO, CFO, Executives, Directors, management and Supervisors to consider and implement advice provided by those performing a compliance function.1 The role of the Compliance Department is to identify, assess, advise on, act on, communicate, monitor, escalate and report on the Dealer’s compliance with regulatory requirements.
Industry compliance professionals play an important role in the system of securities regulation. IIROC and industry compliance professionals share a common objective to promote compliance at their member firms and set high industry standards. In order to achieve this objective, IIROC needs to clearly communicate their expectations of the Dealers including their respective Board of Directors (or equivalent), UDP, CCO, CFO, Compliance Department, Executives, management, Supervisors and other individuals at the Dealer. The purpose of this Guidance Note is to provide Dealers with IIROC expectations of the compliance function at Dealers and the role, responsibility and accountability of the above noted individuals.
There are specific IIROC Rules that deal with supervisory and compliance responsibilities. This Guidance should be read in conjunction with those regulatory instruments.
Distinction between supervisory and compliance roles
Compliance Departments and compliance officers, while they carry out similar functions across Dealers, have responsibilities tailored to the size, resources and business needs of the particular Dealer. In some cases their sole responsibility will be fulfilling the compliance function; in others they may also have supervisory roles.
In contrast to the compliance role, a person in the role of “Supervisor” has responsibility and authority and is approved to manage the day-to-day activities of other employees and Approved Persons of the Dealer so as to ensure their compliance with all applicable rules and regulations. Dealers should note that within the context of the IIROC Rules and this Guidance Note, Supervisors are Approved Persons within the specific category of Supervisor, as defined in subsection 1201(2) of the IIROC Rules.2
Consistent with section 3906, each Supervisor must fully and properly supervise each employee and Approved Person of the Dealer in accordance with the supervisory responsibilities assigned to the Supervisor, the Dealer’s policies and procedures and IIROC requirements and securities laws. A Supervisor must have sufficient authority to take effective and timely remedial action where account activity or any other matter under his or her supervision falls or appears to fall outside the bounds of conduct, just and equitable principles of trade or good business practice or violates of any applicable rules and regulations.
The difference between a supervisory and compliance role is defined by who has the authority to resolve issues once they are identified. If a compliance officer has the authority to resolve issues themselves, then he or she is also acting in a supervisory role; if the compliance officer’s authority and ability to resolve issues is limited to escalating the matter to a Supervisor or Executive, then he or she is executing a compliance function.
IIROC will, when determining whether an individual is acting in a supervisory role, look at the individual’s responsibilities, authority and the functions he or she performs for the Dealer, not simply at his or her title. While IIROC will consider documentation setting out an individual’s responsibilities and authority, they will also look to confirm whether these are reflected in the day-to-day operations of the firm. In other words, it is a two-fold test: documentation and practice.
The activities of those exercising compliance functions should not be viewed by Supervisors as a substitute for them discharging their responsibility to supervise the business activities of the Dealer. Having said that, a Supervisor may delegate specific supervisory functions to compliance officers provided that:
- the person to whom such functions are delegated is qualified by virtue of training or experience or registration to properly execute them; and
- the Supervisor conducts sufficient follow up and review to ensure that the person to whom the functions have been delegated is properly executing them.
In those circumstances however, Supervisors will remain responsible for the performance of the supervisory activities delegated to compliance personnel.3
Role of the Dealer, board of directors, management and the compliance officer
Each Dealer is responsible for establishing, implementing, communicating and maintaining effective compliance programs to ensure compliance with applicable rules and regulations. As mandated by subsection 3905(2), each Dealer must appoint as many Supervisors as necessary to properly supervise the employees and Approved Persons of the Dealer, taking into account the scope and complexity of its business to ensure that the businesses of the Dealer are carried out in compliance with all applicable rules and regulations. The Dealer’s responsibilities extend to all Directors of the Dealer with respect to their corporate governance responsibilities and to all Executives (including the CCO and CFO) of the Dealer with regard to areas of their management responsibility.
The board of directors
Each member4 of a Dealer’s board of directors (or equivalent) must ensure that the Dealer maintains a compliance program that identifies and addresses material risks of non- compliance and that appropriate supervision and compliance procedures to manage those risks have been implemented. Consistent with subsection 3915(3), the board of directors must review the reports of the CCO and the CFO and, based on their recommendations, must determine what actions are necessary to rectify any compliance deficiencies noted in the report and ensure that such actions are carried out. Certain members of the board of directors such as the Chair and Vice Chair may be Executives, in addition to being Directors, and accordingly may have additional responsibilities flowing from their Executive role.
Each member of a Dealer’s management, including Executives and Supervisors, are responsible for supervising and directing the activities of the Dealer, as well as the individuals within the Dealer in order to ensure compliance with applicable rules and regulation with respect to areas of their management responsibility. Certain management members such as the UDP, CCO and CFO have specific responsibilities under NI 31-103 and/or the IIROC Rules.
While the general roles and responsibilities of Supervisors and Executives are set out above, we have set out the specific roles and responsibilities of the UDP, CCO and CFO, who are also Executives, below:
The Ultimate Designated Person
As noted in NI 31-103 and section 3910, the UDP must supervise the activities of the Dealer that are directed towards ensuring compliance with the Corporation’s requirements and all applicable securities laws by the Dealer and the individuals acting on its behalf. The UDP must also promote compliance by the Dealer, and individuals acting on its behalf, with the Corporation’s requirements and all applicable securities laws. As highlighted in the Companion Policy of NI 31-103, a firm’s UDP is responsible for the compliance culture at the firm, including the establishment and maintenance of an effective compliance system. IIROC expects the UDP to communicate and reinforce the importance of compliance within the firm on an ongoing basis. Furthermore, as part of his or her ultimate responsibility for compliance at a firm, the UDP is responsible for ensuring that all staff understand the importance of consulting with the Compliance Department on all relevant matters. To ensure the effectiveness of the compliance system, the UDP is also expected to ensure that there are effective procedures for identifying and escalating all instances of non-compliance. The UDP must ensure all instances of non-compliance are resolved in a timely and effective manner.
The Chief Compliance Officer
The CCO is an integral part of a Dealer’s Executive management team. As such, the CCO must establish and maintain policies and procedures for assessing compliance by the Dealer and the individuals acting on its behalf, which is expressly codified in both NI 31-103 and section 3912. The CCO is responsible for monitoring and assessing compliance with all of the Corporation’s requirements and applicable securities laws (other than requirements and laws relating to financial matters) and must report the results of their assessment to the board of directors (or equivalent) at least annually.
The CCO must report all material incidents of non-compliance with the Corporation’s requirements and applicable securities laws to the Dealer’s UDP as soon as possible after becoming aware of the matter, including any incidents of non-compliance which creates a reasonable risk of harm to clients or the capital markets, or where non-compliance is part of a pattern of non-compliance. In light of this obligation, the CCO must have direct access to the UDP and the board of directors (or equivalent), as needed, to report significant issues as they arise.
The mandate of the CCO is also to provide the board of directors (or equivalent) with reasonable assurance that all standards and requirements of applicable securities laws and regulations, and the Corporation’s requirements, are met. IIROC therefore expects that a CCO’s annual report will identify and discuss material findings contained within IIROC compliance reports, early warning designations, gatekeeper reports, disciplinary actions, compliance risk trend report results as well as any other relevant findings or reports.
The Chief Financial Officer
The CFO is an integral part of the Executive management at each Dealer. The CFO is responsible for establishing and maintaining policies and procedures for the Dealer relating to financial requirements and must report the results of their assessment to the board of directors (or equivalent) at least annually.
The CFO must monitor adherence to the Dealer’s policies and procedures as necessary to provide reasonable assurance that the Dealer complies with all relevant requirements including the financial rules set out by IIROC including:
- maintaining proper system of books and records,
- regulatory accounting and reporting infrastructure,
- internal controls that enable effective monitoring of the Dealer’s capital adequacy at all times, and
- responsibility over various business activities and back office operations of a Dealer that have direct capital implications.
The CFO must report all material incidents of non-compliance with the Corporation’s financial requirements and applicable securities laws to the Dealer’s UDP as soon as possible after becoming aware of the matter, including any incidents of non-compliance which creates a reasonable risk of harm to clients or the capital markets or to the solvency of the firm, or where non-compliance is part of a pattern of non-compliance. In light of this obligation, the CFO must have direct access to the UDP and the board of directors (or equivalent), as needed, to report significant issues as they arise.
The mandate of the CFO is also to provide the board of directors (or equivalent) with reasonable assurance that all financial standards and requirements of applicable securities laws and regulations, and the Corporation’s requirements, are met. IIROC therefore expects that a CFO’s annual report will identify and discuss material financial findings contained within IIROC compliance reports, early warning designations, gatekeeper reports, disciplinary actions, compliance risk trend report results as well as any other relevant findings or reports.
As previously noted, compliance is a firm-wide responsibility. Everyone in the firm should understand the standards of conduct applicable to their role. More specifically:
The compliance officer
Although compliance officers, with the exception of the CCO, are not typically registrants with the securities commissions and/or IIROC Approved Persons, they have certain responsibilities in executing their function as a compliance officer. These responsibilities are in addition to any other responsibilities that a compliance officer may have as a result of them holding other roles (e.g. if a compliance officer is also approved as a Supervisor and as such performs a supervisory function in addition to their compliance role).
Compliance officers are responsible for monitoring compliance but they cannot simply identify compliance issues. Compliance officers must also take appropriate steps to ensure that necessary corrective measures are taken by Supervisors or Executives to remedy any compliance issues that have been identified. Compliance officers should therefore, after communicating their findings to the appropriate Supervisor(s) or Executive(s) who have the authority to effect the changes necessary to address the compliance issue, monitor the corrective measures taken. If Supervisors fail to adequately address an issue identified by a compliance officer, the compliance officer must escalate the issue as appropriate. Escalation procedures should be detailed in the Dealer’s internal procedures. In some cases the compliance officer may raise the issue with a higher level Supervisor or Executive, in others, to the CCO or CFO, who in turn should escalate the issue to the UDP or, where appropriate, the board of directors. The steps taken by compliance officers and corrective actions taken by Supervisors and Executives must be documented, maintained and verifiable.
All other individuals at the Dealer, regardless of whether they are registered as an IIROC Approved Persons, are expected to comply with all applicable rules and regulations, as well as the Dealer’s internal policies and procedures including its compliance program. Pursuant to the Companion Policy of NI 31-103, the existence of a UDP and CCO, or a compliance department and/or other supervisory staff does not relieve anyone else in the firm, whether registered or not, of the obligation to act on or escalate compliance issues.
Dealers should note that they may be held responsible for the failures of their employees and/or agents, irrespective of whether these individuals are registered or not.
In addition to having an internal escalation process all individuals at a Dealer should be made aware of IIROC’s Whistleblower service.
When individuals with compliance or supervision responsibilities may be subject to enforcement action by IIROC
Under appropriate circumstances, IIROC may initiate enforcement proceedings relating to compliance or supervisory matters against one or more of a Dealer’s Directors, Executives, UDP, CCO, CFO, Supervisors, or any other Approved Persons if:
- they violate securities laws and/or the Corporation’s requirements or aid and abet another in such violations, or
- they fail to satisfy their supervisory obligations.
In each case, the individuals’ conduct will be judged by reference to reasonably proficient and diligent individual holding the same position. Given that the standard is an objective one; it is not what the respondent actually knew or did but rather what he or she ought to have known or done. It is always open to an individual to demonstrate that they exercised due diligence to prevent the harm that occurred.
Dealers are reminded that they are responsible for the actions of all of their employees and for ensuring that they carry out their mandate, including regulatory responsibilities. As such, IIROC may initiate enforcement proceedings against the Dealer in cases where, for instance, a compliance officer:
- fails to identify rule violations according to the standard of a reasonably proficient and diligent compliance officer, or
- after identifying the violation, fails to escalate a matter in accordance with the firm’s established escalation procedures.
Creating an effective compliance program
In order to be effective, compliance programs must be reasonably designed to identify and control the risk of compliance failure that could result in investor and/or market harm and financial losses and reputational damage to the Dealer.
Dealers have an obligation to establish, maintain and apply policies and procedures that establish an effective compliance system that provides assurance that the firm and individuals acting on its behalf comply with the securities legislation and regulatory requirements, and manages the business risk in accordance with prudent business practices. This includes allocating sufficient resources, creating measures and systems that encourage and reward compliant behaviour and discourage non-compliant behaviour, and ensuring that compliance officers have appropriate access to Supervisors and Executives. There are many other steps that a Dealer can take to promote the importance of compliance, including the following:
- Promote a culture of compliance by clearly identifying, prioritizing and communicating compliance goals.
- Insist on compliance with high ethical standards throughout the Dealer with Executives leading by example.
- Ensure that effective execution of compliance and supervisory roles is an explicit element of compensation and promotion decisions.
- Ensure that others in the firm have a clear understanding of the role of compliance within the firm including the roles of the UDP, CCO, CFO, compliance officers and the Compliance Department.
- Communicate compliance and regulatory information to individuals within the Dealer. Emphasize compliance and regulatory subjects in training. Training should include educating individuals about their compliance responsibilities on an ongoing basis.
- Make available to all individuals an effective means of communicating (confidential or anonymous, if appropriate) compliance, regulatory or ethical concerns to compliance officers, Supervisors, Executives or the board of directors if necessary without fear of retaliation.
- Encourage the development, training, professionalism and retention of the Dealer’s compliance officers with compensation, benefits and recognition in keeping with their contributions and implement sanctions or other corrective actions for non-compliant behaviour. Further, staff the Compliance Department with sufficient, qualified, experienced and knowledgeable professionals.
- Ensure sufficient access to information for compliance officers to enable them to carry out their responsibilities.
- Develop a cooperative relationship between regulators and Dealers.
Tips for compliance officers
There are many steps that compliance officers can take to ensure that they have discharged their responsibilities in connection with regulatory expectations including the following:
- Ensure that they have a clear understanding of the nature of their responsibilities. This includes having a detailed job description with clearly established reporting lines and a clear understanding of whether they are expected to act in a supervisory capacity.
- Maintain written records that detail all steps that were taken to either correct report or escalate issues that were identified along with any supporting documentation which demonstrates actions taken.
- Lawyers who perform compliance functions in addition to legal functions should make it clear to other individuals when they are acting as legal counsel and providing legal advice.
- Compliance officers should be active in promoting compliance related initiatives both inside and outside the Dealer and be available to individuals within the Dealer for consultation on compliance issues.
- Ensure steps in the compliance process are appropriately tailored to the size and nature of the Dealer’s business and that they are tested to ensure that they adequately address any compliance gaps.
- Ensure that IIROC rule changes, bulletins and notices are reviewed and incorporated into the Dealer’s compliance policies and procedures in a timely and effective manner which addresses the nature and size of the Dealer’s business.
- Compliance policies and procedures should be tested to ensure that existing procedures continue to effectively reflect the business practices of the Dealer and are in compliance with new rules and regulations.
- Periodically review the websites of provincial regulators and IIROC and where possible attend IIROC meetings or seminars devoted to regulatory issues. Doing so will give compliance officers advance notice of proposed and imminent rule changes that may affect the compliance officer and the Dealer.
- Develop a cooperative relationship between regulators and Dealers.
IIROC Rules this Guidance Note relates to:
- Rules 1400, and
- Rules 3900.
Previous Guidance Note
This Guidance Note replaces 12-0379 – Rules Notice – Guidance Note – Dealer Member Rules – The Role of Compliance and Supervision.
This Guidance Note was published under Notice 21-0190 - IIROC Rules, Form 1 and Guidance.
- 1The UDP, CCO, CFO, Executives, Directors and Supervisors are IIROC Approved Persons. The terms Executives, Supervisors and Approved Persons are defined in the IIROC Rules.
- 2In this Guidance, all rule references are to the IIROC Rules unless otherwise specified.
- 3See Rule 3907.
- 4All members of a Dealer’s board of directors are IIROC Approves Persons as “Directors”.