1. Financial and Operations Compliance (FinOps)

1. Cybersecurity

There was a significant increase in pandemic-related cybersecurity attacks not just in Canada but around the globe. Since March 2020, IIROC has seen an increase in cybersecurity incidents reported4. We continue to review incidents and guide firms, where necessary, to respond appropriately.

Cybersecurity is a business risk for all IIROC-regulated firms regardless of size and complexity. Each firm needs to have appropriate controls in place to safeguard client information and assets, as well as their own significant systems.

In the last year, we began reviewing how cybersecurity risk is being managed during regularly scheduled FinOps examinations. We incorporate our assessment into the FinOps risk score for the firm.

IIROC remains committed to educating the industry on cybersecurity risk. A new webpage on IIROC’s website is dedicated to cybersecurity, containing information about IIROC’s initiatives, including educational resources for our Dealers. Additionally, in January 2020, we published the IIROC Cyber Governance Guide as an update to the 2015 Cybersecurity Best Practices Guide.

IIROC issued cybersecurity Notices to firms on Cloud Services and Application Programming Interfaces (June 2020), and on Cybersecurity and Fraud – Protecting Clients (November 2020). In addition, we released two webcasts in October 2020 that were focused on:

• Cybersecurity Governance
• Cybersecurity Threat Landscape

Like most firms that we regulate, IIROC has adjusted its initiatives to respond to the unique issues that arose following the pandemic. We had initially planned a table-top exercise for small and medium-sized firms for the summer of 2020 following the success of the cybersecurity table-top exercise in 2018. However, it has now been postponed to 2021. Instead, as previously outlined, we focused on issuing Notices5, and on releasing webinars to support the industry’s education on cybersecurity threats and controls.

1. FinOps Examination Approach during COVID-19

For the large, integrated investment firms, FinOps put in place a revised Enterprise Risk Management (ERM) approach and focused on the firms’ BCP framework, pandemic-related issues, corporate governance and the firms’ risk management framework. Some of best practices observed for BCP were:

• Active oversight by the firms’ Board of Directors
• Assigning a business line owner to oversee the BCP
• Establishing a crisis management team that includes business heads
• Annual testing of BCP

For all other firms, while we also discussed how the firm was operating under its BCP, our risk-based approach remained unchanged from the previous year.

1. Monitoring Firms during COVID-19

The COVID-19 pandemic triggered market volatility, particularly in February and March 2020. As part of our regulatory oversight, we required firms to file weekly interim risk adjusted capital (RAC) reports for four weeks from March 13 to April 3. This allowed us to monitor IIROC-regulated firms’ current capital position and to obtain additional information about any operational issues and the implementation of business continuity plans (BCP). The responses showed that:

• the majority of the firms’ employees transitioned to work from home;
• there was increased trading and account opening activity at the firms; 
• RAC remained at acceptable levels; and
• overall, from a financial and operational perspective, firms performed well.

Several firms were required to file an annual Form 1 during the COVID-19 pandemic. Given this timing, they requested exemptions to the year-end audit requirements covering counting of physical securities. IIROC granted temporary exemptions (as delegated to IIROC staff by IIROC’s Board of Directors)6 to such firms on the condition that the Panel Auditor performed sufficient alternative procedures to provide an unqualified audit opinion.

Some firms filed their audited Form 1 a few weeks later than the stipulated deadlines and we waived late filing fees, where appropriate. All Monthly Financial Reports (MFR), however, were filed on time.

Every firm must establish and maintain a BCP in the event of a significant business disruption as outlined in IIROC Rule 17.16. The Rule also requires an Annual CEO BCP Certification to be filed with IIROC certifying that the firm has conducted an annual review and test of its BCP. Due to the COVID-19 pandemic, IIROC accepted that firms implementing a current BCP constituted satisfying the requirement for an annual test. Going forward, we will continue our focus on firms’ BCP to address future significant business disruptions.

1. Technology Risk

The pandemic has accelerated the pace of change and adoption of technology at many firms, particularly those that are small and medium sized. As part of our commitment to support industry transformation, we will publish guidance to firms on technology risk to ensure that the critical risks of such adoption and change are being properly managed. The guidance, which we expect to publish before March 31, 2021, will cover key risks and controls, and the importance of good governance.

We currently incorporate elements of technology risk into the FinOps risk model. By March 31, 2021, we will enhance this criteria, based on the guidance we publish, to better inform this risk assessment.

2.   Trading Conduct Compliance (TCC)

1. Delegation of Responsibilities

In some instances, Participants have delegated supervisory controls or tasks to a third party or an affiliate. While this is permitted under UMIR, it is important to recognize that such delegation must be formally documented with as much detail as possible to ensure sufficient clarity of which tasks or controls are performed by which party. Regardless of the delegation of certain tasks or controls, the Participant retains all regulatory responsibility.

1. Short Selling and Failed Trades

All short sale orders entered on a marketplace must include the short sale marker and the firm must have reasonable expectation that sufficient securities are available to settle any subsequent execution. This may include confirmation that shares are available to borrow if required. 

Participants must have policies and procedures in place to monitor this activity.

1. Supervision of Trading

All Participants are required to develop and maintain a supervision system that considers and addresses the risks associated with their business model. As this will vary by Participant, we expect that each will conduct an internal assessment to identify all risks.  While it is important to note that lower risks should be considered, Participants should ensure that their supervision system focuses on the areas of greatest concern. This assists Participants to be more effective and efficient by concentrating their supervisory efforts on higher risks.

1. Client Identifiers

Amendments regarding client identifiers come into effect on July 26, 2021. With these amendments, each order for a listed security must include, among other things, a client identifier.

Given the high complexity and risks associated with this implementation, we remind member firms that it is important to have already started their implementation process. We strongly encourage each member firm to:

• consider the impact of the amendments on each business unit involved with client orders in listed securities;
• reach out to any necessary third-party vendors to ensure they are:
  • aware of the upcoming implementation; and
  • taking all appropriate steps to be able to comply with the Amendments by July 26, 2021.

To assist member firms with the implementation, IIROC has made a series of tools and resources available on its website. Firms are encouraged to visit the Client Identifiers page for more information regarding the implementation of these amendments.  

3. Business Conduct Compliance (BCC)

1. Client Focused Reforms (CFR)

In November 2020, IIROC published amendments to IIROC rules required under the Client Focused Reforms (CFR). The objective of the CFR rule amendments is to better align the interests of member firms and Registered Individuals with the interests of their clients. The CFR rule amendments include changes to existing requirements involving Relationship Disclosure, Know-Your-Client, Suitability and Conflicts of Interest. In addition to specific requirements in each of these areas, the new suitability standard now includes the overarching requirement to put clients’ interests first when making a suitability determination. The CFR amendments also introduce a Product Due Diligence/Know-Your-Product provision and new rules regarding misleading titles. In order to assist member firms and their registrants with the implementation of the CFR rules, IIROC has published for comment new guidance pertaining to Product Due Diligence & Know Your Product. Additional guidance relating to KYC and Suitability will be published early in 2021.

In preparation for the implementation of the CFR rules, we are enhancing the BCC examination program to reflect the CFR amendments. We are also working closely with the CSA and the MFDA to ensure that regulatory examination standards are consistent across regulatory platforms.

Firms are reminded that the CFR amendments related to Conflicts of Interest are scheduled for June 30, 2021. Examination of firms’ processes for managing conflicts of interest, especially compensation related conflicts, has been a consistent focus of BCC for the past few years. BCC testing of compensation-related conflicts is grounded in Dealer Member Rule 42, Conflicts of Interest, (PLR Rule 3110-3114), clarified by guidance.7 The implementation of the CFR will play a key role in clarifying and codifying firms’ requirements, not only in terms of policies and procedures aimed directly at addressing conflicts of interest, but also in related areas such as relationship disclosure, suitability and product due diligence. In particular, the CFR raise the standards regarding the use of disclosure as a means of addressing conflicts of interest. The reliance on disclosure alone as a means of addressing conflicts will generally not be sufficient, and furthermore the nature of the disclosure must include a description of the manner in which the firm is addressing the identified conflict in the best interests of clients.

The remainder of the CFR rule amendments are scheduled for December 31, 2021 – IIROC has amended the implementation date of the Plain Language Rulebook to align with CFR. The simultaneous implementation of these two major initiatives will entail a significant amount of preparation on the part of member firms as well as IIROC. Member firms are reminded to focus adequate resources on these important initiatives and to raise any implementation questions with IIROC on a timely basis. To assist member firms in preparing for the launch of the Plain Language Rulebook, IIROC is planning additional webcasts to supplement the previous training provided in February 2020.

1. Order-Execution-Only (OEO) Trailer Ban

In September 2020, the CSA published final rules that implement a trailing commission ban (OEO Trailer Ban). This ban prohibits the payment of trailing commissions by fund organizations to investment firms and their registrants who do not make a suitability determination, such as OEO firms. The rule also prohibits the solicitation or acceptance of trailing commissions by such firms.8 The OEO trailer ban will come into effect on June 1, 2022 and affects all funds that pay trailing commissions including funds sold under the Deferred Sales Charge option. OEO firms will need to enhance their systems and processes to ensure compliance with the new rules. Compensation and fee arrangements will also need to be modified to reflect the new requirements. For its part, IIROC will also be required to update BCC examination processes to facilitate testing of firms’ compliance with the trailer ban rules. IIROC expects that interpretative questions and implementation issues will arise as firms develop their implementation plans. IIROC will continue to work closely with the CSA in addressing these issues. 

1. Business Location Reviews

In addition to the general issues discussed in the introduction, there are specific items relating to remote supervision of business locations that require careful consideration. Given the challenges associated with the pandemic, it may be difficult for some firms to comply with their existing documented processes surrounding periodic on-site reviews of their business locations. IIROC-regulated firms should document alternate processes that are reasonable under the circumstances, and ensure adequate remote supervision and monitoring of the activities that occur at the business location. 9

4. Registration

1. Early Adoption of Certain Rules

With the IIROC Rules synchronized to CFR on December 31, 2021, the following new proficiency-related rules are implemented as of January 1, 2021:

• Registered Representatives, Investment Representatives and Supervisors may complete Level I or higher of the Chartered Financial Analyst (CFA) program, as an alternative to the Canadian Securities Course (CSC)
• Supervisors of Registered Representatives dealing with retail clients no longer need to complete the Effective Management Seminar (EMS)
• All courses required under Dealer Member Rule 2900 are valid for three years
• Any registrant involved in the trading or supervision of options or futures may complete the Derivatives Fundamentals and Options Licensing Course (DFOL) as an alternative to either the Derivatives Fundamentals Course (DFC) or Options Licensing Course (OLC). 

For more information refer to IIROC Notice 20-0262, Early adoption of certain IIROC Rules into the Dealer Member Rules.

1. Covid-19 Related Proficiency Extensions

Due to health concerns related to attending physical testing facilities and the ongoing disruption of testing in certain centres, IIROC staff are continuing to support extensions for post licensing requirements where appropriate. Upgrade requirements under Dealer Member Rule 18.7 are being considered in a consistent manner with the above post licensing requirement extensions.

1. Canadian Securities Institute (CSI) Examinations

As of December 8, 2020 students may book a remotely proctored exam for all CSI exams. Please see CSI’s website for more information.

1. Deficient Filings

We continue to see filing deficiencies as highlighted in past Compliance Priorities Reports.

Our intention is to continue various outreach efforts to the Authorized Firm Representatives and Chief Compliance Officers of these firms, including training sessions with our Registration team to ensure they understand their obligations. We will review basic registration functions, as well as issues specific to the firm, to ensure that our expectations are clear and to outline the consequences of future non-compliance.

Once we have met with a firm, we will take a strict approach to compliance with our requirements and may take any or all of the following steps:

• reject deficient filings in their entirety
• impose terms and conditions on the firm
• refer matters to Enforcement for potential disciplinary action

We will provide the same training to other firms upon request. As this includes a review of basic registration functions, we will also provide it to new firms, either during the new membership process or shortly thereafter.

1. Notices of Termination (NOTs)

When filing NOTs, where the termination relates to a firm’s only Registered Representative (RR), Investment Representative (IR) or Supervisor, firms must consider whether they still have the appropriate number and category of Approved Persons to carry out activities. We expect firms to notify us immediately in cases where they are planning to terminate their only RR, IR or Supervisor, or where that individual has advised of their intent to resign.

1. Proficiency Exemptions

We continue to receive deficient exemption applications. Before filing an exemption application, we encourage firms to refer to IIROC Notice 18-0236 IIROC Registration-Proficiency Exemption Requests. Registration staff would be pleased to discuss these requirements with firms generally, or in connection with specific applications, to provide additional guidance.

1. Competency Profiles

We are in the process of developing and publishing competency profiles for all IIROC Approved Person categories. We published our proposed competency profiles for RRs and IRs in IIROC Notice 20-0174.

We continue to work on the competency profiles for the other IIROC Approved Person categories with the next phase being for Executives, Directors, UDPs, CCOs and CFOs.

5. Membership Issues

1. Review of Business Transactions

It is important to keep in mind that the process to work through significant transactions does take time. Please ensure that you factor in enough time for IIROC’s review and the receipt of any required approvals when planning the timeline for completion of any proposed transaction or business change.

In order that IIROC’s review may be conducted in an efficient manner, please ensure that your submission includes all relevant details regarding the transaction or business change and the relevant supporting documentation.

6. Conclusion

As can be seen clearly in this report, the investment industry is going through an unprecedented period of disruption and change. This challenging environment is inevitably resulting in considerable uncertainty for Members, their employees and the clients they serve. We would like to conclude this report by reminding all IIROC member firms that the best way to deal with regulatory uncertainty is to contact IIROC with any regulatory questions and concerns you may have. By maintaining open lines of communication with IIROC you will also assist us in understanding emerging issues that will need to be addressed. Effective communication between IIROC and our member firms will be essential in order to ensure that the investment industry emerges from this current period of disruption in a stronger and more resilient form that will better serve and protect Canadian investors.  

• 4We implemented Dealer Member Rule 3100 [PLR Rule Book 3703] in November 2019 requiring the mandatory reporting of cybersecurity incidents by firms to IIROC. See IIROC Notice 19-0194Amendments Respecting Mandatory Reporting of Cybersecurity Incidents (November 14, 2019)
• 5Three notices were issued related to the COVID-19 pandemic-related cybersecurity threats. See page 2 of this document under “Notices”.
• 6Refer to IIROC Rules Notice 20-0063, COVID-19 Related Exemptions from IIROC Rules (March 31, 2020)
• 7See IIROC Guidance Note 17-0093 – Managing Conflicts in the Best Interest of the Client – Compensation-related Conflicts Review, (April 27, 2017)
• 8CSA Notice of Amendments to National Instrument 81-105, Mutual Fund Sales Practices and Related Consequential Amendments – Prohibition of Mutual Fund Trailing Commissions Where no Suitability Determination was Required. (September 17, 2020)
• 9Refer to IIROC Guidance Note 20-0270, Business locations – Registration and Compliance approach to work from home arrangements, December 21, 2020