Effective Date: December 31, 2021
The objectives of this Guidance Note are to:
Background information and context are also provided on the development of regulatory principles governing outsourcing arrangements by regulated entities and relevant financial sector guidance published on this subject matter.
The concept of outsourcing is not new in the securities industry. The IIROC Rules set out the requirements for many of the common outsourcing arrangements that are entered into by Dealers, including:
However, as firms face increasing competitive pressures to contain and reduce costs, there is a corresponding trend to outsource more business functions, activities and processes to third-party service providers through arrangements that IIROC Rules do not adequately address.
In recent years, there has been an evolution of outsourcing arrangements put in place between Dealers and regulated/unregulated entities that may or may not be affiliated, and that may be foreign or domestic. For example, employees of Canadian banks that own a Dealer conduct certain back-office operational functions on behalf of the Dealer, and the parent bank charges the Dealer for those services rendered, pursuant to a service agreement. Similar arrangements exist for US FINRA-registered parent companies of Dealer subsidiaries.
There is a growing interest by self-clearing Dealers to outsource the daily management of books and records, including the reconciliation of bank account balances, positions held in custody, dividend/interest income received, and stock reorganizations, to both domestic and foreign unregulated, third-party service providers. Without adequate safeguards, this industry trend may give rise to incremental investor protection, market reputation, credit and systemic risks.
Dealers are reminded of their obligation to provide IIROC with advance notification of material changes in their business model, including operations-related changes, pursuant to subsection 2246(2) of the IIROC Rules.
The term “outsourcing” is not currently defined within the IIROC Rules. A report prepared in 2005 by the International Organization of Securities Commissions (the “IOSCO Report”) sets out the following definition for outsourcing:
“…outsourcing is defined as an event in which a regulated outsourcing firm contracts with a service provider for the performance of any aspect of the outsourcing firm’s regulated or unregulated functions that could otherwise be undertaken by the firm itself. It is intended to include only those services that were or can be delivered by internal staff and management… the service provider may be a related party within a corporate group, or an unrelated outside entity. The service provider may itself be either regulated (whether or not by the same regulator with authority over the outsourcing firm), or may be an unregulated entity …. outsourcing would not cover purchasing contracts, although as with outsourcing, firms should ensure that what they are buying is appropriate for the intended purpose. Purchasing is defined as the acquisition from a vendor of services, goods or facilities without the transfer of the purchasing firm’s non-public proprietary or customer information”.
The IOSCO Report makes an important distinction between “core” and “non-core” functions of a firm and describes a core function as one that is:
“...critical to the ongoing viability of an entity as well as meeting its regulatory obligations to customers”.
The IOSCO Report also sets out guiding principles that financial intermediaries should follow when planning and arranging for the outsourcing of both core and non-core activities, functions and/or processes (for simplicity referred to collectively as “activities” throughout the remainder of this guidance note). These guiding principles are included as Appendix A.
As IIROC has no current definition for the term “outsourcing” and wishes to focus its regulatory efforts on the outsourcing of critical or “core” activities, the definitions of the terms “outsourcing”, “core” and “non-core”, where used throughout the remainder of this notice, are the same as the definitions contained in the IOSCO Report.
As previously mentioned, the IIROC Rules set out the requirements for many of the common outsourcing arrangements that are entered into by Dealers. These arrangements are as follows:
This rule allows an affiliated Canadian financial institution to handle the clearance and settlement of trades, as well as the preparation of related books and records and the performance of related operational functions, on behalf of the Dealer, provided that proper segregation of the Dealer and Dealer client account assets is maintained.
These rules permit a Dealer, the introducing broker, to outsource certain back office functions to another Dealer, the carrying broker. The rules contemplate four different types of introducing broker/carrying broker arrangements that can be entered into between two IIROC Dealers.
For each permitted arrangement, the rules list the various activities that are to be carried out by the carrying broker for the introducing broker as well as activities that will continue to be carried out by the introducing broker.
Consistent with other outsourcing arrangements, the introducing broker retains the responsibility for ensuring that all activities are performed properly and in compliance with relevant IIROC requirements, including those activities carried out by the carrying broker on its behalf. In addition, since the outsource services provider is another IIROC Dealer, the carrying broker also assumes the responsibility for ensuring that all activities it has agreed to perform on behalf of the introducing broker are performed properly and in compliance with relevant IIROC requirements.
These rules require a Dealer to establish, maintain and comply with adequate policies and procedures for the segregation and safekeeping of client account assets. In meeting these obligations, the requirements allow the Dealer to outsource the security custody activity to an external custodian provided:
Where a Dealer uses an external custodian, it retains the responsibility for ensuring that all custody activities are performed properly and in compliance with relevant IIROC requirements.
This rule allows a Dealer to outsource its discretionary authority with respect to some or all of its managed accounts to an external portfolio manager, provided:
Under such arrangements, the IIROC Dealer retains the responsibility for ensuring that all managed account activities are performed properly and in compliance with relevant IIROC requirements.
Other than the rules that are in place that govern these specific arrangements, there are no other IIROC Rules that directly reference outsourcing arrangements.
When National Instrument 31-103 was implemented in September 2009, Part 11 of its Companion Policy introduced general principles for the establishment and maintenance of internal control systems at registrants with specific reference to the need to follow prudent business practices and to conduct a due diligence analysis when considering whether or not to outsource.
The guidance set out in the Companion Policy states that registered firms are responsible and accountable for all functions that they outsource to a service provider. Further, the functions outsourced should be set out in a written, legally binding contract between the outsourcing party and the service provider that sets out the expectations of each of the parties to the outsourcing arrangement. The guidance also requires that registered firms conduct a due diligence analysis of prospective third-party service providers, including affiliates of the firm. This due diligence analysis should include an assessment of the service provider’s reputation, financial stability, relevant internal controls and ability to deliver the services being outsourced.
The guidance also states that a registrant firm should:
Finally, the guidance specifies that the registrant firm and its regulator and auditors should have the same access to the work product of a third-party service provider as they would if the firm itself performed the activities. Firms should ensure this access is provided and should include a provision requiring it in any contract entered into with a service provider.
A Dealer who outsources activities to an outsource service provider retains the responsibility to ensure that those activities are conducted in accordance with the requirements set out in the applicable IIROC Rules and securities legislation, whether or not the outsource service provider is also a Dealer. To carry out this responsibility, Dealers must, at a minimum, supervise the activities performed on their behalf by the outsource service provider in a manner that is similar to the type of supervision that would be required if the activities were performed by the Dealer itself.
Since the IIROC Rules do not specifically refer to outsourcing, the only IIROC Rules that effectively prohibit the outsourcing of certain activities are those rules which require certain functions or activities to be performed by specific Approved Persons as defined in IIROC Rule 1200.
Given that, apart from Dealer partners, directors and certain officers, an Approved Person of a Dealer must be an individual that is an employee or agent of a Dealer, all IIROC Rules that require that a certain Approved Person perform a certain activity or function are effectively prohibiting the outsourcing of that activity or function. The result of this restriction (i.e. who can be an Approved Person) is that the IIROC Rules effectively prohibit the outsourcing of most client-facing activities of the Dealer (all of which would be considered to be “core” activities) including:
An exception to the general prohibition against the outsourcing of client-facing activities is the outsourcing of the performance of investment decision making in managed accounts. As previously mentioned, section 3279 specifically allows for the outsourcing of managed account investment decision making to an external portfolio manager hired by the Dealer.
Not all Dealer activities that are eligible to be outsourced under IIROC Rules are of equal importance and impact. Some activities are immaterial to the overall operations of the Dealer and/or are more routine/administrative in nature than others. These activities therefore pose less risk to the Dealer and/or its clients. In addition to focusing on material outsourcing arrangements, IIROC supports the approach taken in the IOSCO Report (i.e. distinguishing between the outsourcing of “core” and “non-core” activities) and intends to focus its regulatory resources on the review of material outsourcing arrangements involving core activities. To facilitate this regulatory focus, IIROC has performed a high-level analysis of Dealer activities and categorized these activities as either:
Core activities of a Dealer that are eligible to be outsourced include the following:
Where any of these activities are to be outsourced, including where activities are outsourced to another Dealer, consistent with the guidance set out in the Companion Policy to National Instrument 31-103:
Non-core activities of the Dealer that are eligible to be outsourced under the applicable IIROC Rules, and that would not give rise to regulatory concern if they were outsourced, include the following:
Similar to the outsourcing of core activities, where any of these activities are to be outsourced IIROC expects the Dealer to formally assess the initial and ongoing appropriateness of the outsource service provider (see section 6 of this notice for further details).
As discussed in section 2 above, certain IIROC Dealer Member Rules set out detailed requirements for specific outsourcing arrangements but do not set out general requirements to be met when considering whether or not to enter into an outsourcing arrangement. On the other hand, the CSA expectations in Part 11 of the Companion Policy to National Instrument 31-103, set out general principles for the establishment and maintenance of internal control systems at registrants with specific reference to the need to follow prudent business practices and to conduct a due diligence analysis when considering whether or not to outsource.
In order to address these CSA expectations, we recommend that Dealers adopt formal due diligence policies and procedures relating to outsourcing arrangements. To facilitate Dealers’ efficient assessment of individual proposed outsourcing arrangements, it would be acceptable for Dealers to adopt policies and procedures that acknowledge that the extent of due diligence work performed may be proportionate to the materiality and risk of the functions/activities that are proposed to be outsourced. Dealers are encouraged to consider and include, where appropriate, the following as part of their due diligence policies and procedures.
A Dealer should have a comprehensive outsourcing policy that guides the performance of due diligence assessment(s) that will underlie decisions regarding whether, and how, certain activities can be appropriately outsourced.
As part of the comprehensive outsourcing policy, an initial assessment should be made as to whether the Dealer has the internal expertise that is necessary to perform the due diligence assessment(s) and, if not, the Dealer should identify and obtain third party expertise to perform or assist in the performance of the due diligence assessment(s).
A Dealer should never enter into an outsourcing arrangement that:
A Dealer should inform IIROC of any new outsourcing arrangements involving core Dealer Member activities that are being entered into by a Dealer, in accordance with subsection 2246(2).
A Dealer that has outsourced one or more activities should:
The risks associated with the outsourcing relationship that need to be managed by the Dealer include:
See Appendix B for a more complete list of the key risks associated with outsourcing and the major concerns associated with these risks.
The guidance set out in this notice covers both arm’s length and non-arm’s length outsourcing arrangements. In addition, in the case of non-arm’s length outsourcing arrangements, such as arrangements involving affiliates, Dealers should be mindful of the access risk that flows from the affiliated nature of the parties. Specifically, Dealers should consider ensuring that the outsourcing arrangement with an affiliate includes procedures designed to limit the access and control that affiliate employees, as well as Dealer employees who are dually employed by the affiliate, may have over Dealer and Dealer client account data, records and assets.
Without such procedures in place, employees acting in the best interests of their affiliate employer may be able to make material changes to Dealer data and records or move Dealer and/or Dealer client account assets without considering or acting in the best interests of the Dealer and its clients.
IIROC Rules this Guidance Note relates to:
This Guidance Note replaces IIROC Rules Notice 14-0012 - Outsourcing arrangements.
This Guidance Note was published under Notice 21-0190 - IIROC Rules, Form 1 and Guidance.
Excerpts from report entitled “Principles on Outsourcing of Financial Services for Market Intermediaries” issued by the IOSCO Technical Committee Standing Committee on the Regulation of Market Intermediaries (SC3) in February 2005
...
III. Outsourcing Principles
Topic 1: Due diligence in selection and monitoring of service provider and service provider's performance
Principle: An outsourcing firm should conduct suitable due diligence processes in selecting an appropriate third party service provider and in monitoring its ongoing performance.
...
Means for Implementation
It is expected that outsourcing firms will implement appropriate means, such as the following, for ensuring that they select suitable service providers and that service providers are appropriately monitored, having regard to the services they provide:
Topic 2: The contract with a service provider
Principle: There should be a legally binding written contract between the outsourcing firm and each third party service provider, the nature and detail of which should be appropriate to the materiality of the outsourced activity to the ongoing business of the outsourcing firm.
...
Means for Implementation
An outsourcing firm is expected to have a written, legally binding contract between itself and the third party service provider, appropriate to the materiality of the outsourced activity to the ongoing business of the firm. The contract may include, as applicable, provisions dealing with:
Topic 3: Information Technology Security and Business Continuity at the Outsourcing Firm
Principle: The outsourcing firm should take appropriate measures to determine that:
...
Means for Implementation
Outsourcing firms are expected to take appropriate steps to require, in appropriate cases based on the materiality of the function that is being outsourced, that service providers have in place a comprehensive IT security program. These steps may include:
Topic 4: Client Confidentiality Issues
Principle: The outsourcing firm should take appropriate steps to require that service providers protect confidential information regarding the outsourcing firm’s proprietary and other information, as well as the outsourcing firm’s clients from intentional or inadvertent disclosure to unauthorized individuals.
...
Means for Implementation
Regulated firms that engage in outsourcing are expected to take appropriate steps to confirm that confidential firm and client information is not misused or misappropriated. Such steps may include insertion of provisions in the contract with the service provider that:
Outsourcing firms should also consider whether it is appropriate to notify clients that client data may be transmitted to a service provider, taking into account any regulatory or statutory provisions that may be applicable.
Regulators should seek to become aware of whether outsourcing firms within their jurisdiction are taking appropriate steps to monitor their relationships with service providers with respect to the protection of confidential firm and client information.
Topic 5: Concentration of Outsourcing Functions
Principle: Regulators should be cognizant of the risks posed where one service provider provides outsourcing services to multiple regulated entities.
...
Means for Implementation
Regulators should consider the following means for addressing concentration risk:
Where a regulator has identified a possible concentration risk issue, outsourcing firms should consider taking steps to ensure, to the degree practicable, that the service provider has adequate capacity to meet the needs of all outsourcing firms, both during normal operations as well as unusual circumstances (e.g., unusual market activity, physical disaster).
Topic 6: Termination Procedures
Principle: Outsourcing with third party service providers should include contractual provisions relating to termination of the contract and appropriate exit strategies.
...
Means for Implementation:
Outsourcing firms are expected to take appropriate steps to manage termination of outsourcing arrangements. These steps may include provisions in contracts with service providers such as the following:
Topic 7: Regulator's and Intermediary’s Access to Books and Records, Including Rights of Inspection
Principle: The regulator, the outsourcing firm, and its auditors should have access to the books and records of service providers relating to the outsourced activities and the regulator should be able to obtain promptly, upon request, information concerning activities that are relevant to regulatory oversight.
...
Means for Implementation:
Outsourcing firms are expected to take steps to ensure that they and their regulators have access to books and records of service providers concerning outsourced activities, and that their regulators have the right to obtain, upon request, information concerning the outsourced activities. These steps may include the following:
Regulators should consider implementation of appropriate measures designed to support access to books, records and information of the service provider about the performance of regulated activities. These measures may include:
While the outsourcing of certain activities can be beneficial to a financial services organization, outsourcing can give rise to risks which need to be managed effectively.
Risk | Major Concerns |
Client harm risk | |
Strategic risk | |
Reputation risk | |
Compliance risk | |
Operational risk | |
Exit strategy risk | |
Counterparty risk | |
Country risk | |
Contractual risk | |
Access risk | |
Individual firm concentration risk | |
Industry concentration and systemic risk | |