CIRO Compliance Priorities Report for 2024: Helping Firms with Compliance

1. Firm Operations and Risk Management

1.1 T+1 Settlement

In 2024, Canada and the U.S. plan to shorten the normal trade settlement cycle from T+2 to T+1. This is a U.S.-led initiative intended to reduce systemic risk and inefficiencies in the investment industry. The scheduled date for the move to T+1 in Canada is May 27, 2024, and in the U.S. May 28, 2024. This enables the settlement cycles for our capital markets to continue to be harmonized.

We published Rules Bulletin 23-0150 and Guidance Notice 4800-23-001 in October 2023. The amendments signal regulatory certainty for all industry participants to plan and invest in system and process changes in preparation for the transition to T+1 settlement.

Our 2023 annual risk questionnaire included questions specific to dealers’ T+1 preparedness. We will continue to review the results of industry-wide surveys and testing to assess T+1 readiness.

1.2 Cybersecurity Risk

Cybersecurity remains a key business risk for all dealers regardless of size and complexity. Dealers need to have appropriate controls in place to safeguard client and personal information and assets, as well as their own critical systems and applications. We issued several communications to dealers alerting them to various cybersecurity threats and vulnerabilities.

CIRO is committed to supporting the industry with education on cybersecurity risk. In 2022, we provided a cybersecurity self-assessment tool for our dealers to assess their own cybersecurity preparedness and identify areas for improvements. There is also a webcast available that discusses the importance of conducting regular cybersecurity self-assessments and explains how to use the new self-assessment tool and interpret the results and the report. While the use of the tool is voluntary, we strongly recommend that all dealers conduct a cybersecurity self-assessment at least once every two years to assess their posture and maturity and identify any critical gaps.

In the fall of 2023, we conducted a cybersecurity table-top exercise for the small and medium-sized dealers. The exercise was designed as two separate case studies where participants discussed crisis responses in a group setting with subject matter experts. The goal was to help participants in cyber incident preparedness and mitigation to manage cybersecurity risk at their firm.

During regularly scheduled examinations for investment dealers, we continue to look at how:

• dealers demonstrate compliance with the cybersecurity incident reporting requirements,
• cybersecurity risk is managed, and
• we incorporate our assessment into the applicable risk score for the firm.

We continue to raise findings and make recommendations to members unable to sufficiently demonstrate compliance with CIRO’s cybersecurity incident reporting requirements, and we remind dealers that IIROC Guidance Note GN-3700-22-001 was issued in February 2022 to provide additional information on CIRO’s expectations.

The most common findings include:

• lack of adequate documentation in policies and procedures, such as:
  • no defined definitions of “substantial harm” and “material impact”, such that a reasonable person would be able to assess whether a particular cybersecurity incident meets the threshold requirements to be reported to CIRO.
  • the requirement to submit a preliminary report within three calendar days of discovering an incident.
  • the requirement to submit a final report within 30 days from discovery.
  • adequate tailoring to the dealer's operations. Policies and procedures are only effective when the dealer tailors and incorporates them in all relevant aspects of the business operations.
  • a cybersecurity incident log, or a log with insufficient details.
• the policies and procedures do not address the specific regulatory requirements related to the dealer where cybersecurity functions of a group of entities are centralized. This involves the dealer determining a separate assessment of materiality, substantial harm, significance, and other thresholds on a standalone basis.

1.3 Proposal to Modernize Back-Office Arrangements and Subordinated Debt Financing

During 2022 and 2023 we met with investment dealer representatives to consider developments in the industry as they relate to back-office activities and subordinated debt financing. These groups supported many proposals for change to the rules, agreements, and oversight processes that govern these arrangements. In 2024, we will survey mutual fund dealers and dual registered firms to see if similar opportunities exist to modernize arrangements for these firms. Upon completion of this exercise, we will create a detailed plan to reduce the regulatory burden for all CIRO dealers while maintaining an appropriate level of investor protection.

1.4 Credit Risk Management

On October 14, 2021, we issued IIROC Guidance Note GN-4200-21-001, to help dealers in assessing and maintaining adequate credit risk policies and procedures.

Management of credit risk is an important part of the overall risk management infrastructure. Each dealer should ensure that their credit risk management framework is specifically designed to oversee and control the risks of their business. This applies to all dealers, including type 2 introducing brokers, who are at risk for unsecured client accounts. All dealers should have credit risk policies and procedures designed to monitor and evaluate risk to counterparties with which they conduct securities-related business transactions. Counterparty risk is the most significant component of credit risk faced in trading activities due to failed settlements.

We will continue to review the dealers’ credit risk oversight, including institutional and type 2 dealers, in comparison with the “Best practices for credit risk management”.

1.5 Debt Securities Concentration Test

On February 18, 2021, IIROC issued Rule Notice 21-0028 regarding the securities concentration test and designated rating organizations. The main purpose of this amendment to the rules and Form 1 was to bring debt securities with a normal margin rate of 10% or less into the existing securities concentration test. It also added the concept of using credit ratings and references to credit rating agencies in the IDPC Rules and Form 1. These amendments became effective September 1, 2022.

We noted that a proper infrastructure was not in place at many investment dealers where an examination was conducted. Firms need to ensure that adequate reports are provided by their service provider and/or carrying broker to ensure debt securities concentration is monitored and reported to Form 1 and Monthly Financial Reports, where applicable.

We will continue to review the debt securities concentration infrastructure during our scheduled examinations of investment dealers, especially for firms where an examination has not been conducted since the implementation of this amendment to the rules.

2. Trading

2.1 Order Markers and Client Identifiers

Our reviews continue to identify challenges related to the accurate application of order markers, especially with respect to:

• client identifiers (a legal entity identifier or account number) when trading for a single client, and
• multiple clients (MC) and bundled (BU) order markers when trading for multiple clients or client types.

A variety of resources are available on the legacy IIROC website to help dealers understand and comply with these requirements.

Participants must have policies and procedures in place to determine which order markers are applicable to each order they enter on a marketplace. Regular internal testing, reflecting the written procedures, must be conducted to confirm proper application of order markers. Should the testing identify errors, entries to the Regulatory Marker Correction System (RMCS) must be made. While corrections after the fact are important to submit, accuracy at the time of entry is essential to enable proper supervision.

Trading Conduct Compliance (TCC) reviews a participant’s procedures to consider whether they include all applicable markers and if a process to look for and report issues is established and followed. In addition, the frequency of RMCS entries and any patterns of concern will be reviewed to assess whether the participant’s approach to ensuring accurate order markers at the time an order is entered on a marketplace is effective.

2.2 Internal Risk Assessments

Participants should identify and assess the risks associated with their trading-related activities to ensure supervision resources are focused on what matters most. While resources should be focused on higher risk activities, lower risk activities should also be identified and considered for review.

We will continue to request and review the risk assessment to consider if the approach is current, identifies all risk areas and that the participant’s policies and procedures address all identified risks.

2.3 Short Selling and Extended Failed Trades

Before entering a short sale order, participants must have a reasonable expectation to settle the resulting trade on the settlement date. As well, participants must have appropriate procedures and testing in place to ensure that short sales are properly marked when entered on a marketplace, and action must be taken to address any issues identified.

Participants must notify CIRO after a trade on a marketplace fails to settle for 10 trading days past settlement date, referred to as an extended failed trade report.

TCC will review the participant’s procedures and internal testing to confirm that proper processes are in place to prevent improper short sales and to report any extended failed trades.

3. Conduct and Supervision

3.1 Client Focused Reforms Phase I Sweep – Conflicts of Interest

In 2022, the predecessor SROs, MFDA and IIROC, along with the CSA conducted a detailed review of compliance with the Client Focused Reforms (CFR) Conflict of Interest (COI) requirements that came into effect on June 30, 2021. A final report, outlining the results and providing additional guidance on how regulators expect registrants to comply with the CFR COI requirements, was published in August 2023, Joint Canadian Securities Administrators/Canadian Investment Regulatory Organization – Staff Notice 31-363 Client Focused Reforms: Review of Registrants’ Conflicts of Interest Practices and Additional Guidance. As a critical component of the CFR, COI will continue to be an area of focus during examinations.

3.2 Client Focused Reforms Phase II Sweep

As a follow up to the COI sweep noted above, we are conducting a Phase II sweep, in coordination with the CSA, focused on assessing registrants’ compliance with other CFR obligations including: know your client, know your product and the suitability determination requirements that came into force on December 31, 2021.

We have already undertaken the testing for compliance with these CFR requirements in our examinations and will continue to focus on these areas in the year ahead:

• Ensuring registrants identify a reasonable range of alternatives when making recommendations and document their justification for selecting a particular option. What constitutes a reasonable range of alternatives will depend on the circumstances, including the securities and services offered, the registrant’s skill and proficiency and the client’s particular circumstances. We will be assessing the approach taken by firms in the following areas:
  • The scope of products considered as alternatives.
  • The timing of the identification of the reasonable range of alternatives.
  • What level of documentation is required for each recommendation regarding the alternatives selected and the reason for choosing the recommended security.
• Assessing a client’s risk capacity, along with client risk tolerance, in determining a client’s risk profile including:
  • The adequacy of the firm’s processes for collecting risk capacity (e.g., to what extent it is based on an objective and well documented process).
  • The firm’s documented process for determining the risk profile based on the lower of risk capacity and risk tolerance.
  • The firm’s process for reviewing all KYC information as per the mandated schedules: managed accounts annually and advisory accounts every three years.
• Conducting product due diligence (PDD) on all products on the dealer’s product shelf, and ensuring registrants are adequately trained to meet their Know Your Product (KYP) obligations. This will include the following:
  • The firm’s process for reviewing and approving all products on their product shelf. Firms may customize their PDD process such that a more in-depth process is required for individual complex products for which there is limited disclosure, and blanket approval may be given to less complex asset classes that have adequate public disclosure and are already subject to stringent listing standards (e.g., listed securities).
  • The KYP processes and procedures to monitor previously approved products for significant changes, and to notify registrants who have client accounts holding such products.

Throughout the sweep, CIRO is meeting regularly with the CSA to discuss specific findings and assess the overall level of industry compliance with the CFR requirements. The sweep will help broaden staff’s understanding of, and assess, the controls used by firms to comply with various CFR rules. This in turn will enable the CSA and CIRO to develop a consistent compliance approach when reviewing a firm’s compliance with the CFR requirements. A final report will be published outlining the findings and providing guidance regarding acceptable approaches to achieve compliance with these aspects of the CFR requirements.

3.3 Memorandum of Understanding with FINTRAC

The existing information sharing arrangements with the Financial Transactions and Reports Analysis Centre of Canada (“FINTRAC”) have been updated to reflect the IIROC/MFDA consolidation and new legal entity, CIRO. The information sharing arrangement with FINTRAC requires CIRO to provide information to FINTRAC where staff become aware of potential questions of compliance with AML requirements. Since January 2024, mutual fund dealers have been asked for additional information regarding their AML program during examinations. The current mutual fund dealers compliance examination processes will be enhanced to include additional testing for compliance with high level requirements under The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (“PCMLTFA”).

3.4 Advisor Ranking Contests/Lists

On July 31^st, 2023, the CSA and CIRO sent an email to Chief Compliance Officers and Ultimate Designated Persons of all registrants reminding them of the requirement to ensure that advisor participation in any advisor ranking contest does not result in a compliance violation of existing rules regarding misleading communications. This includes CIRO Investment Dealer and Partially Consolidated Rule section 3640 and CIRO Mutual Fund Dealer Rule 1.2.5.

“If inclusion in such ranking contest/list is based partly or entirely on a registered individual’s sales activity, revenue generation or assets under management, then referencing the results of these ranking contests/lists on the firm’s website or a registered individual’s webpage, LinkedIn profile, or other sites accessible to the public will be considered a compliance deficiency. A registered individual must not use that award or recognition in client-facing interactions, including any marketing or client communications such as webpages or LinkedIn profiles.”

Dealers should have policies and procedures addressing compliance with this aspect of CIRO rules on misleading communications. The best practices we have seen include not allowing participation in such contests or requiring pre-approval before allowing participation in any contest. As part of our examinations, we will continue to review and evaluate the firms’ processes to ensure compliance with all requirements regarding misleading communications, including those relating to advisor participation in ranking contests. To provide additional clarity, a webinar on this topic will be made available in 2024. If necessary, guidance will also be published.

4. Registration and Proficiency

4.1 Relevant Investment Management Experience (RIME) for Associate Portfolio Managers and Portfolio Managers

Dealers are reminded to review the requirements for Associate Portfolio Managers and Portfolio Managers under IDPC Rule 2602(3)(xiv) and (xv), respectively, before applying for approval. RIME must be clearly outlined to support the application in order for staff to assess the submission in a timely manner. Dealers are encouraged to contact registration staff at CIRO if they need clarification on the required RIME and information that needs to be outlined in an application.

4.2 Experience Requirement for Supervisors

Dealers are reminded to review the proficiency requirements for the various Supervisor activities within IDPC Rule subsection 2602(3). Dealers must review the applicable requirements before submitting applications for Supervisors and ensure that the Supervisor’s education and experience meets the applicable proficiency requirements set out in IDPC Rule subsection 2602(3), and that the relevant education and experience are clearly outlined in the submission. Dealers are reminded that individuals returning to a supervisory role after a 90-day period are no longer considered to be continuing in the same role permitted under the IDPC Rule 2625(3) and are subject to the proficiency requirements in IDPC Rule 2602(3).1  Dealers are encouraged to contact registration staff of CIRO if they require clarification on whether the Supervisor meets the proficiency requirements before making a submission.

4.3 Notice of End of Individual Registration or Permitted Individual Status (formerly Notice of Termination) (F1)

When filing F1s, where the cessation relates to a firm’s only Registered Representative (RR), Investment Representative (IR), Supervisor or Executive, dealers must consider whether they still have the appropriate number and category of Approved Persons to carry out activities. We expect dealers to notify us immediately in cases where they are planning to terminate their only RR, IR, Supervisor, or key Executives (including the Chief Compliance Officer, Chief Financial Officer, Ultimate Designated Person), or where that individual has advised of their intent to resign.

We remind dealers that “cessation date” means the last day on which an individual had authority to act as a registered individual on behalf of their sponsoring firm or the last day on which an individual was a permitted individual of their sponsoring firm. An individual’s cessation date is not necessarily their last day of employment.

4.4 Competency Profiles and Proficiency Initiative

We published Competency Profiles for Approved Persons (Investment Dealers) | Canadian Investment Regulatory Organization (ciro.ca) on September 25, 2023.

We also published Consultation Paper – Proposed Proficiency Model- Approved Persons under the Investment Dealer and Partially Consolidated Rules | Canadian Investment Regulatory Organization (ciro.ca) on July 7, 2023. We received 27 comment letters in response to the consultation paper. We are reviewing the comments and considering revisions to our previously proposed proficiency model as needed. We plan to publish any related rule amendments in the summer of 2024.

Keeping in mind that our contract with the Canadian Securities Institute will end at the end of December 2025, we published a Request for Expressions of Interest in October 2022. We have proceeded to the Request for Proposal stage and will provide further updates in due course.

4.5 Proficiency Exemptions

We continue to receive deficient exemption applications. We also continue to see multiple exemption requests bundled under one filing on the National Registration Database (NRD), where a separate exemption needs to be filed. When filing an exemption application, refer to our notice on proficiency exemptions IIROC Registration ‑ Proficiency Exemption Requests | IIROC which outlines the comparative analysis that is needed in most cases. We encourage dealers to review the notice, and contact registration staff as needed, before submitting an exemption application.

4.6 Dual Registered Dealers

CIRO has now approved dual-registration applications for several dealers, allowing them to be registered as an investment dealer and mutual fund dealer within a single legal entity. CIRO staff continue to receive applications and expressions of interest regarding dual-registration.

Dealers interested in dual-registration should refer to the guidance on Becoming a Dual-Registered Firm, available on the CIRO website.

4.7 Proficiency for Alternative Mutual Funds

In 2022, the new MFDA Policy No. 11 Proficiency Standards for the Sale of Alternative Mutual Funds came into effect. MFDA Policy No. 11 is now Rule 1000 under CIRO Mutual Fund Dealer Rules. Dealers should ensure they are complying with these requirements as applicable. The additional proficiency requirements in the rule apply to both alternative mutual funds sold pursuant to a prospectus (i.e., liquid alternatives) and those sold under a prospectus exempt basis (i.e., hedge funds).

4.8 Quebec Mutual Fund Dealers – CIRO Oversight

On September 20, 2023, the Government of Québec approved the Autorité des marches financiers (AMF) decision to delegate the powers of registration of mutual fund representatives to CIRO, as well as the powers of examination of mutual fund dealers with activities in Québec.

Once implemented, the delegation of powers to register mutual fund representatives in Québec will align the application process for this category of registration with that used for investment representatives in most Canadian jurisdictions. Registration applications submitted to NRD by mutual fund dealers will then be processed by CIRO rather than by the AMF. Regarding the examination of mutual fund firms, CIRO would like to start carrying on its delegated powers in Québec this summer.

4.9 Continuing Education (CE) requirements

The first CE cycle for mutual fund dealers ended on November 30, 2023, and the CE cycle for investment dealers ended on December 31, 2023. We are pleased to report that there was a very high compliance rate for both investment dealer and mutual fund dealer Approved Persons. We noticed however that many individuals waited until closer to the end of the cycle to complete their CE requirements. This caused significant strain and burden on CIRO staff to follow-up with members and to respond to last-minute inquiries and requests. We would like to remind all individuals to plan to meet their CE requirements over the course of the two-year cycle to ensure that they are not increasing the risk of being non-compliant and adding undue burden. Similarly, we remind dealers to review and update, if necessary, their CE related policies and procedures to ensure a timely completion and reporting of CE.

5. Membership Issues

5.1 Review of Business Transactions

Dealers subject to the IDPC Rules are required to inform CIRO in writing before making any material changes to the firm’s business activities. Refer to Notice GN-2200-21-001 for more information regarding the purpose of notification, and which business changes CIRO must be notified of. Examples of business changes include the offering of an account service that the dealer has not previously offered, such as managed accounts, or making changes to business-related operational processes relating to order submission, trade execution or position custody functions. The timing of our review of the dealers’ proposal is largely dependent on the quality of that submission. To help ensure dealer members provide key information and the applicable supplementary materials for their proposed business change, CIRO has created a Request for Business Change template for dealers to use when submitting their requests to CIRO. Dealer members may refer to the Requesting Business Change page of CIRO’s website and Notifying CIRO of Business Changes webcast for further information.

• 1Plain Language Rule Book Project – Registration Changes