CIRO Compliance Report for 2025: Helping Dealers with Compliance

25-0035
Type: Administrative Bulletin >
General
Distribute internally to
Corporate Finance
Institutional
Internal Audit
Legal and Compliance
Operations
Registration
Regulatory Accounting
Research
Retail
Senior Management
Trading Desk
Training
Rulebook connection
IDPC Rules
UMIR
MFDR

Contact

Alexandra Williams
Senior Vice-President, Member Regulation, Member Policy and Corporate Strategy
Karen McGuinness
Senior Vice-President, Finance, Investor and Member Relations

Executive Summary

We are pleased to present our annual Compliance Report for 2025: Helping Dealers with Compliance. This report summarizes current issues and challenges that dealers1 regulated by CIRO should focus on to improve investor protection and foster strong market integrity.

This report helps dealers focus their supervision and risk-management efforts to comply with our regulatory requirements in a way that is appropriate for their unique business models.

We also encourage dealers to contact us when considering changes to their operations so we can provide additional support and assistance.

CIRO Framework

Established in 2023, the Canadian Investment Regulatory Organization (CIRO) is the pan-Canadian self-regulatory organization that oversees investment dealers, mutual fund dealers and trading activity on Canada’s debt and equity marketplaces.

CIRO was formed through the amalgamation of the Investment Industry Regulatory Organization of Canada and the Mutual Fund Dealers Association of Canada. CIRO’s mission is to promote healthy capital markets by regulating fairly and effectively so that investors are protected and feel confident investing in their futures.

On April 24, 2024, we released our inaugural Three-Year Strategic Plan which reflects the significant transformation already underway across the industry, that is being driven by the changing needs and expectations of Canadians, and the ways that technology is facilitating innovation. CIRO, like all regulators, has a primary responsibility of delivering its regulation efficiently and effectively. Our Strategic Plan lays the foundation for further efficiencies, including the first year of the Strategic Plan which is focused on integration.

We continue to concentrate efforts on the integration of our compliance groups and to harmonize our work, internally and externally. CIRO was created to improve elements of the Canadian capital markets system by working to fill the gaps in regulation and reduce duplication and overlaps which exist in many areas, including compliance. We believe successful integration is necessary for us to deliver consistent, effective and efficient regulation and to bring increased simplicity to the industry.

The following sets out some of the compliance integration work completed to date:

1. Compliance Structure

The former investment dealer and mutual fund dealer compliance teams have been integrated and are now collectively referred to as:

  • Business Conduct Compliance (BCC),
  • Financial & Operations Compliance (FinOps), and
  • Trading Conduct Compliance (TCC).

The Compliance Modernization Group (CMG) will continue to support all compliance groups.

With the integration of the compliance teams, we have also restructured some accountabilities internally to gain efficiencies and to effectively leverage the skills and knowledge of our staff. Previously, for mutual fund dealers defined as Level 2 and 3 the financial examinations were conducted by the former Sales Compliance team (now BCC). These examinations will now be conducted separately by FinOps. Further, Level 4 financial examinations previously conducted by the (MFDA) Toronto office will now be conducted by the applicable regional office. Mutual fund dealers are not subject to a TCC examination.

2. Oversight of Quebec Mutual Fund Dealers

Effective September 1, 2024, CIRO’s Montreal office became responsible for the oversight of all mutual fund dealers having their head office in Quebec. This includes performing the BCC and FinOps compliance examinations for the head offices. The Montreal office will also perform BCC examinations of business locations for all Quebec-based mutual fund dealers under powers delegated by the Autorité des marchés financiers (AMF).

3. Annual Risk Questionnaire (ARQ)

As noted in last year’s report, we have reviewed and aligned the objectives, uses, processes and information requested formally via the investment dealer ARQ and the mutual fund dealer Annual Questionnaire (AQ). On October 15, 2024, all dealers received an invitation to complete the new and improved 2024 ARQ, including mutual fund dealers. We also introduced a new ARQ platform where dealers could directly complete the questionnaire, upload documents, and obtain a copy of their responses.

The objectives of the ARQ are to:

  • Inform the annual compliance risk assessments,
  • Inform the planning for examinations and avoid duplication in requests for information by the compliance groups, and
  • Allow for annual updates from dealers with minimal disruption to their business activities.

Thank you to everyone for completing the survey. We hope you have found the new system to be an improvement on the previous way that we interacted with you.

4. Risk Models

One of CIRO’s priorities noted last year was to determine the approach to integrating the risk models in place at both legacy organizations. New harmonized risk models have been completed for Business Conduct, Financial & Operations and Trading Conduct Compliance. A new model was also put in place to help assess the risk of and prioritize the review of business locations as part of BCC examinations.

The annual member risk assessment will be completed using the new risk models as of December 31, 2024.

5. Examination Cycles

As part of the integration of risk models, we also reviewed the frequency of conducting examinations. Based on a dealer’s risk rating and pre-determined impact factors, their examination cycle will vary, with dealers assessed with a higher-risk score and impact on a shorter cycle and dealers assessed with a lower-risk score and impact on a longer cycle. We have aligned examination cycles, with each compliance area now using a one- to four-year exam cycle. The changes include the following:

  • Business Conduct Compliance (BCC): the former mutual fund dealers’ cycle of two and four years will now be aligned to the investment dealers’ cycle with a one- to four-year cycle.
  • Financial & Operations Compliance (FinOps): the former mutual fund dealers’ cycle of one and two years for level 4 dealers will now be aligned to the investment dealers’ cycle that has moved to a one- to four-year exam cycle, from a one- to three-year cycle.
  • Trading Conduct Compliance (TCC): maintains a one- to four-year cycle.

With these changes we continue to have appropriate oversight of dealer operations and ensure investor protection. The changes enable CIRO to allocate and prioritize examination resources efficiently to better manage regulatory costs, while focusing appropriately on riskier activities and high impact dealers. The BCC examination cycle will enable greater coverage of dealers' business locations.

6. Risk Trend Reports (RTRs)

The objective of Risk Trend Reports is to encourage dealers, particularly those designated as high-risk, to strengthen their governance, internal controls, and risk-management practices. RTRs also provide a high-level assessment of how a dealer is doing in relation to its peers and the industry, along with key recommendations on how it can reduce its risk with respect to its BCC, FinOps and TCC compliance.

All dealers will receive a 2024 RTR based on the newly created harmonized risk models. The RTR will inform dealers of their risk ranking and their respective examination cycle.



Tremendous effort has gone into these many integration initiatives. With the groundwork laid and a clear path forward, we are already seeing the benefits of these efforts.

We want to thank our compliance staff for their ongoing commitment along with our Data Analytics team for their contribution and support. We are excited to begin the next phase which will be focused on the unification of our internal compliance systems.

Table of contents

1. Dealer Operations and Risk Management

1.1 T+1 Settlement

In 2024, several jurisdictions, including Canada and the U.S., shortened the normal trade settlement cycle from T+2 to T+1. This was a U.S.-led initiative intended to reduce systemic risk and inefficiencies in the investment industry. Canada officially moved to T+1 on May 27, 2024, and the U.S. followed on May 28, 2024. This enabled the settlement cycles for our capital markets to continue to be harmonized with the U.S.

We monitored our investment dealers during this time to assess the impact of the change to T+1. Overall, the transition was smooth and did not lead to significant fail rates. There were minor issues that slowed processing, but they had limited market impact.

1.2 Cybersecurity Risk

Cybersecurity continues to be a key business risk for all dealers, regardless of size and complexity, due to its potential impact on operations. Dealers must implement the necessary controls to protect clients, personal information and assets, as well as their own critical systems and applications.

Investment Dealer and Partially Consolidated (IDPC) Rule 3703 mandates that investment dealers report any cybersecurity incidents that meet specific criteria. While we have observed a consistent flow of incident reports, there has been an increase in cases involving third-party service providers affecting our dealers. Fortunately, most have managed to minimize significant disruptions to their operations. When engaging with third-party service providers, it is crucial for dealers to assess risks at all stages: before, during, and after the engagement. To assist in this, we issued Guidance Note GN-2300-21-003: Outsourcing Arrangements, outlining what functions can be outsourced and our expectations for managing risks associated with the use of third-party services.

The most valuable asset in managing cybersecurity risk is a dealer’s personnel. While many dealers have implemented effective preventative and detective measures, inadequate training can make staff the weakest link in cybersecurity. We have seen instances where employees have fallen victim to phishing attempts, allowing unauthorized access to dealer systems. Continuous training for all staff is highly recommended to enhance awareness and reduce vulnerability to these attacks.

During regularly scheduled examinations for investment dealers, we continue to look at how:

  • dealers demonstrate compliance with the cybersecurity incident reporting requirements,
  • cybersecurity risk is managed,
  • we incorporate our assessment into the applicable risk score for the dealer.

We continue to raise findings and make recommendations to investment dealers unable to sufficiently demonstrate compliance with CIRO’s cybersecurity incident reporting requirements. We also remind dealers that Guidance Notice GN-3700-22-001: Compliance with IIROC’s Cybersecurity Incident Reporting Requirements, issued in February 2022, provides additional information on CIRO’s expectations in this area.

The most common findings include:

  • lack of adequate documentation in policies and procedures, such as:
    • definitions of “substantial harm” and “material impact” such that a reasonable person would be able to assess whether a particular cybersecurity incident meets the threshold requirements to be reported to CIRO,
    • the requirement to submit a preliminary report within three calendar days of discovering an incident,
    • the requirement to submit a final report within 30 days from discovery,
    • a cybersecurity incident log, or a log with insufficient details,
  • policies and procedures do not adequately address the specific regulatory requirements related to the dealer where cybersecurity functions of a group of entities are centralized. This involves the dealer determining a separate assessment of materiality, substantial harm, significance, and other thresholds on a standalone basis.

1.3 Crypto Asset Trading Platforms (CTPs)

The process for onboarding CTPs into CIRO membership is ongoing. CTPs go through a rigorous review process led by the Membership Intake team. CIRO CTPs, offering retail trading services, currently operate with exemptive relief from certain acceptable securities locations and insurance rule requirements. These exemptions come with imposed Terms and Conditions.

We completed our first examination of a CTP in fiscal 2024 and will be completing two field examinations in the current fiscal year. We focus on the CTP’s compliance with the FinOps related Terms and Conditions in addition to our standard examination program. We take a top-down, risk-based approach recognizing the higher inherent risk associated with CTPs. CIRO-regulated CTPs operate with proprietary books and records systems developed to meet the specific needs for the trade, settlement, and custody of crypto assets. Annually, we review independently prepared system control reports on these books and records systems.

In addition to the Monthly Financial Reports that all dealers file, CTPs also file a monthly asset location report. This monthly reporting allows FinOps staff to monitor crypto assets held at crypto custodians.

1.4 Credit Risk Management

On October 14, 2021, we issued Guidance Notice GN-4200-21-001: Best practices for credit risk management to help investment dealers in assessing and maintaining adequate credit risk policies and procedures.

Effective management of credit risk is a crucial aspect of the overall risk management framework. Each investment dealer must ensure that their credit risk management strategy is tailored to address the specific risks associated with their operations. This is particularly relevant for all investment dealers, including Type 2 introducing brokers, who face risks related to unsecured client accounts. All investment dealers are required to have robust credit risk policies and procedures in place to monitor and assess risks associated with their counterparties in securities transactions. Counterparty risk represents the most significant element of credit risk in trading activities, especially due to potential failed settlements.

Over the past year, we have reviewed the credit policies of institutional firms and identified several best practices for managing credit risk related to institutional clients, including:

  • review the institutional client's corporate governance,
  • assess the institutional client's key person risk,
  • ensure policies and procedures are in place to restrict trading following failed trades.

Additionally, we encourage the implementation of processes for reviewing credit limits and establishing a framework for monitoring trading activities against these limits. Credit policies should also include mechanisms for managing client delinquency, particularly in cases of frequent failed trades.

We will continue to assess investment dealers’ credit risk oversight, including that of institutional and type 2 introducing brokers, in relation to the previously mentioned guidance documents.

1.5 Securities Concentration

On February 27, 2024, CIRO issued Rules Bulletin Notice 24-0085: Client excess margin adjustment to amount loaned for purposes of determining concentration exposures, which clarified the requirements for calculating client excess margin adjustments to the amount loaned when investment dealers are determining concentration exposures. Although Form 1 Schedule 9 allows an investment dealer to exclude excess margin in a client’s account when determining the amount loaned on a position exposure, Schedule 9 methodology does not allow client margin excess to be reused for multiple security exposures.

We met with impacted investment dealers and service providers to explain the correct methodology and to ensure that their systems produce accurate reports.

1.6 Reconciliations at Mutual Fund Dealers

During recent financial compliance examinations of Level 4 mutual fund dealers, deficiencies were identified regarding the reconciliations of assets held by dealers on behalf of clients. Deficiencies ranged from (i) no supervisory review and approval to (ii) reconciliations not prepared on a timely basis, to (iii) no reconciliations prepared at all for non-Fundserv positions. Mutual Fund Dealer Rules require nominee name positions and trust bank accounts be reconciled monthly, and senior personnel are required to review and approve the reconciliations. In addition, margin for adverse unresolved differences or unconfirmed positions must be provided in accordance with the Notes and Instructions to Statement B of Form 1.

Mutual fund dealers are reminded to reconcile client assets to third-party information at least monthly. To the extent that assets are unresolved or unconfirmed, dealers must be prepared to maintain sufficient regulatory capital to cover the required margin provisions. The monthly reconciliation process will remain a focus of future examinations.

1.7 Interim Risk Adjusted Capital (RAC) Calculations at Mutual Fund Dealers

Mutual Fund Dealer Rules require that the dealers’ capital position be calculated at least monthly. To avoid or correct any potential capital deficiencies, more frequent intra-month RAC estimates should be calculated when items could significantly affect the capital position. Planned business activities requiring capital should be included in RAC estimates well before the actual month-end filing requirement. Maintaining or operating at only the minimum capital levels bears the risk of triggering early warning and the imposition of restrictions under Mutual Fund Dealer Rules.

Dealers are responsible for always having and maintaining RAC greater than zero. Examinations will review whether the dealers’ internal controls over monitoring capital are appropriate compared to the business activity.

1.8 Algorithmic Trading Controls

Rigorous testing and vetting of algorithms are critical in today’s financial landscape, particularly in algorithmic trading, where untested or inadequately reviewed algorithms can misinterpret market opportunities, leading to substantial trading losses and capital deficiencies. Implementing robust controls to validate data inputs is essential for ensuring accuracy and reliability in trading decisions. Additionally, the quality and potential bias of data must be closely monitored, as flawed data can exacerbate financial risks. Algorithms can also amplify market volatility, especially during crises, by reacting in ways that human traders may not anticipate.

Investment dealers must enhance oversight and develop comprehensive frameworks to effectively manage the inherent risks of algorithmic trading. Regular reviews of algorithms are necessary to ensure their ongoing effectiveness and to mitigate risks associated with illusory opportunities. Furthermore, the emergence of artificial intelligence presents both exciting opportunities and complex challenges, necessitating even more stringent controls and continuous monitoring to uphold market integrity.

The FinOps department, in collaboration with the TCC department, review controls to mitigate risks related to proprietary and third-party algorithms, ensuring that appropriate supervision is in place.

1.9 Registered Education Savings Plans (RESPs)

Dealers offering RESPs are reminded of their obligation to establish and maintain an adequate system of controls and supervision to ensure that requests are submitted for Canada Education Savings Grant (CESG) payments on behalf of eligible clients who have contributed to a RESP for a child. The CESG is a widely used program whereby the Government of Canada will make monetary contributions to RESP accounts based on the contributions made by the account holders and is designed to encourage Canadians to save for their children’s post-secondary education. Dealers offering RESPs are expected to have appropriate controls to ensure that client accounts are assessed for eligibility for CESG payments and, where accounts are eligible, applications for CESG payments are submitted on a timely basis. Where dealers offering RESPs become aware of potential regulatory issues with respect to their controls and supervision relating to CESG payments or RESPs, dealers should report these matters to CIRO.

2. Trading

2.1 Order Markers and Client Identifiers

Since July 2021, investment dealers have been required to include client identifiers on applicable client orders for listed securities. Our reviews continue to identify challenges related to the accurate application of order markers, especially with respect to:

  • client identifiers (a legal entity identifier or account number) when trading for a single client,
  • Direct Electronic Access (DEA), Routing Arrangement (RA), Foreign Dealer Equivalent (FDE) and Order Execution Only (OEO) tags on applicable client orders.

A variety of resources are available on the CIRO website to help dealers understand and comply with these requirements.

Investment dealers that are Participants must have policies and procedures in place to determine which designations and identifiers are applicable to each order they enter on a marketplace. Regular internal testing, reflecting the written procedures, must be conducted to confirm proper application of the designations and identifiers. Should the testing identify errors, entries to the Regulatory Marker Correction System (RMCS) must be made. While corrections after the fact are important to submit, accuracy at the time of entry is essential to enable proper supervision.

TCC reviews a Participant’s procedures to consider whether they include all applicable designations and identifiers and if an appropriate process to look for and report issues is established and followed. In addition, the frequency of RMCS entries and any patterns of concern will be reviewed to assess whether the Participant’s approach to ensuring accurate designations and identifiers at the time an order is entered on a marketplace is effective.

2.2 Short Selling and Extended Failed Trades

The issues of short selling and extended failed trades have been an area of particular focus at CIRO.

Changes that were approved by the Canadian Securities Administrators (CSA) on November 15, 2024, established requirements under UMIR 3.3, which will take effect April 4, 2025. CIRO published Rules Notice 24-0394: Amendments Respecting the Reasonable Expectation to Settle a Short Sale that set out more detail on the implementation of these changes. Participants will have a new positive requirement to have a reasonable expectation to settle before entering an order that would result in a short sale on a marketplace. Participants must ensure they update their policies and procedures to comply with this requirement. CIRO also published Guidance Note GN-URPart3-24-002: Guidance on UMIR Requirements Related to Short Selling and Failed Trades to provide guidance and further clarification on how Participants can comply with UMIR requirements related to short selling and failed trades.

As well, Participants must have fulsome procedures and testing in place to ensure that short sales are properly marked and are in compliance with the rules. Should issues be identified, we expect prompt action to be taken that effectively mitigates and prevents further occurrences.

UMIR 7.10 requires a Participant to report to CIRO if a trade that was executed on a marketplace has failed to settle on the settlement date and remains unresolved 10 trading days following the settlement date. As such, each Participant must ensure that failed trades are properly reviewed to determine the cause and what action must be taken to resolve the issue. Non-Participant dealer members that send orders to an executing firm are also expected to supervise this activity under the IDPC rules.

TCC will review a Participant’s procedures and internal testing to confirm that proper processes are in place to prevent improper short sales and to address and report any extended failed trades.

2.3 Automated Order System and Risk Management Controls

Part 8 of UMIR 7.1 establishes requirements on the use of automated order systems. A Participant is required to take all reasonable steps to ensure that any use of an automated order system either by itself or by any client does not interfere with fair and orderly markets. Participants must have policies and procedures reasonably designed, in accordance with prudent business practices, to ensure effective management of the financial, regulatory and other risks associated with the use of an automated order system. This includes knowledge of, and regular testing of, automated order systems used by the Participant or any client of the Participant. It also includes the development of internal parameters to prevent, on a real-time basis, the entry of orders and execution of trades by an automated order system that exceed certain volume, order, price or other limits. Participants must also have the ability to immediately override or disable automatically any automated order system and thereby prevent orders generated by the automated order system from being entered on any marketplace. This provides the Participant with the ability to intervene in the event of a malfunction or a situation where an automated order system was being used improperly.

As noted in 1.8 above, TCC, in collaboration with FinOps, will review the risk management and supervisory controls of Participants to ensure that the proper controls and processes noted above are in place. This includes, but is not limited to, having:

  • real-time and post-trade monitoring procedures,
  • appropriate pre-trade limits and filters for automated order systems, and
  • adequate documentation of all testing conducted for automated order systems.

3. Conduct and Supervision

3.1. Client Focused Reforms – Phase 2 Sweep

In collaboration with the CSA, BCC conducted the Phase 2 Client Focused Reforms (CFR) sweep, focused on evaluating registrants' compliance with all CFR requirements, including Know Your Client (KYC), Know Your Product (KYP), and suitability determination rules, which came into effect on December 31, 2021.

It is anticipated that a joint report with the CSA will be published in the first half of 2025, summarizing the findings from the sweep and offering additional guidance for registrants on fulfilling CFR obligations. CFR requirements are primarily principles-based and allow dealers greater flexibility in how they comply based on their business model, product and service offerings, and client base. However, the sweep identified instances where dealers’ updates to their Policies and Procedures (P&P) merely restated the principles-based rules without detailing how the dealer intends to comply. We expect dealers to provide sufficient detail in their P&P, particularly in the following areas:

  • Risk Capacity and Risk Profile: The P&P should outline a consistent process for assessing both risk tolerance and risk capacity for each client, especially when a standardized questionnaire is not used. For example, if advisors analyze client financial information to determine risk capacity, the P&P should specify the financial factors considered and their relative importance. The P&P should also detail the required documentation to support this analysis. Additionally, the P&P should describe the dealer’s approach to determining the client’s risk profile, incorporating both risk tolerance and risk capacity.
  • Product Due Diligence (PDD) & Know Your Product (KYP): Dealers may customize their PDD process such that a more in-depth security-by-security process is required for individual securities that are complex and for which there is limited disclosure. Dealers may customize a less extensive process that would be appropriate for groups or types of securities that are less complex and for which fulsome public disclosure is available. The dealer’s P&P should clearly describe the level of due diligence required for each group or type of security on the product shelf and outline the process to ensure that all Approved Persons possess adequate KYP knowledge for the securities they advise on.
  • Suitability and Reasonable Range of Alternatives: The P&P should detail the dealer’s process for identifying and assessing a reasonable range of alternatives when making recommendations. Given the principles-based nature of this requirement, dealers have flexibility, but their P&P should address the following:
    • The scope of products considered as part of the reasonable range of alternatives. This may vary depending on the firm’s business model and the types of products and services offered.
    • The timing and responsibility for identifying alternatives. In some cases, such as for standardized client needs, a centralized group might periodically perform this analysis (e.g., as part of the initial product due diligence process or quarterly reviews). For more unique client situations, the advisor might need to conduct further analysis of comparable alternatives at the time of a specific recommendation. The P&P should document any centralized process used and specify when more individualized analysis is required.
    • Documentation requirements for different types of scenarios for justifying the choice of recommended securities. For example, depending on the circumstances (e.g. recommendations across a group of clients following a specific mandate/rebalancing transactions), the P&P can provide for a higher level of documentation for the recommendation.

Prior to the sweep, we had already begun testing for CFR compliance during our BCC examinations and we will continue emphasizing CFR requirements in the year ahead. One key area of focus in upcoming exams will be ensuring dealers have developed appropriate Policies and Procedures that effectively implement the CFR requirements.

3.2. Derivatives Rule Modernization

Following the publication of proposed National Instrument 93-101 – Derivatives: Business Conduct (NI 93-101) and proposed National Instrument 93-102 – Derivatives: Registration (NI 93-102) by the CSA, CIRO conducted a comprehensive review of all rules related to Investment dealers. This review led to the Derivatives Rule Modernization Project, which had the following objectives:

  • Ensure our rules remain substantially harmonized with the corresponding CSA requirements for both securities and derivatives,
  • Clearly define which core regulatory obligations apply to securities, listed derivatives, and over the counter (OTC) derivatives,
  • Remove inconsistencies in how securities, listed derivatives, and OTC derivatives are regulated, where appropriate.

The final amendments to CIRO’s rules were published in Rules Bulletin 24-0014: Derivatives Rule Modernization, on January 18, 2024. Along with this bulletin, CIRO issued two guidance notes: GN-1200-24-001: Applying and interpreting the definitions of “hedger” and “institutional client” and GN-3200-24-001: Derivatives Risk Disclosure Statement. These amendments and guidance notes took effect on September 28, 2024, in alignment with the effective date of CSA Multilateral Instrument 93-101 – Derivatives: Business Conduct. The BCC examination processes have been updated to reflect these new requirements. In the coming year, BCC exams will focus on reviewing how dealers offering derivatives products to clients are applying the updated rules.

3.3 Focused Sales Practices Review

In November 2024, the Ontario Securities Commission and CIRO launched a coordinated review into sales practices at Canadian bank branches, following reports of alleged high-pressure tactics in mutual fund sales. The initial phase, focused on gathering information about sales culture and potential issues, will continue into 2025 to guide future actions.

3.4 BCC Examinations

This section highlights selected observations from recent BCC examinations that could impact investors. They are not exhaustive and should not be viewed as the only areas of focus. Dealers are encouraged to review their policies, procedures and practices considering these observations to ensure compliance with regulatory requirements and the protection of investor interests.

Account Supervision – Timely & Adequate Resolution of Queries

It is important to maintain a robust account supervision process to ensure timely identification and resolution of supervisory queries. Dealers must establish clear procedures for addressing queries promptly and ensure that any unresolved issues are followed up systematically. A defined escalation process should be in place for unresolved queries, ensuring that they are addressed at appropriate levels within the organization. Additionally, dealers should maintain a comprehensive audit trail documenting the resolution of each query. We have observed instances where supervisory queries have not been addressed in a timely or adequate manner, underscoring the need for improved oversight in this area.

Account Suitability - Reasonability of KYC

It is critical to review KYC information for reasonability to meet suitability obligations. Recent examinations have identified deficiencies in KYC and suitability information, including issues related to the reasonability of data provided by clients. In our review of client accounts, which considered factors such as client age, KYC information on file, and account type, we observed instances where KYC information should have been queried for reasonability, but it was not. We also identified cases where the KYC details, when compared to the client’s age and financial circumstances, have raised concerns and were not adequately addressed. When reviewing KYC information, Supervisors should address any concerns noted on the reasonability of the KYC information.

Use of Social Media

It is essential for dealers to establish and maintain sound Policies and Procedures regarding the use of social media for business purposes by their Approved Persons. As social media platforms offer various methods of communication with clients, dealers should ensure that they have clear guidelines on permissible methods and channels for such interactions. Policies should address not only the appropriate use of social media but also the requirements for maintaining proper books and records to capture communications in compliance with regulatory obligations. Additionally, adequate supervision must be in place to ensure that social media interactions are conducted in a manner consistent with regulatory standards and the dealer’s internal policies.

We identified cases where dealers' controls over employees' social media accounts used for business purposes were inadequate. Specifically, dealers lacked adequate P&Ps to identify relevant employee social media use, there were no controls in place to detect, approve, or monitor such use and there was no evidence of ongoing review and supervision of these accounts. Establishing clear policies and implementing effective controls are essential to mitigating the risks associated with social media communications and ensuring compliance with regulatory requirements.

Anti-Money Laundering Program – Two-Year Effectiveness Review

Under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), dealers are required to conduct a comprehensive review of their Anti-Money Laundering (AML) and Anti-Terrorist Financing (ATF) compliance programs at least once every two years. The purpose of an effectiveness review is to determine whether your compliance program (policies and procedures, risk assessment, ongoing training program and plan) has gaps or weaknesses that may prevent your business from effectively detecting and preventing money laundering, terrorist activity financing and sanctions evasion. We have identified instances where some dealers have not conducted these reviews within the required timeframe. Failure to conduct timely and thorough reviews exposes your firm to both operational and regulatory risks. For further information concerning the two-year effectiveness review requirement, please visit FINTRAC’s compliance guidance.

Policies and Procedures - Updating for Rule Changes and Current Practices

Regular updates to P&Ps are essential to reflect regulatory changes and ensure alignment with the dealer’s current practices. We have identified instances where some dealers have failed to update their policies and procedures for new rule requirements or maintain policies and procedures that accurately reflect current practices within the dealer. As the regulatory landscape evolves, dealers must not only remain compliant with new and amended rules but also ensure that their internal procedures reflect day-to-day business operations. Inadequate or outdated policies can lead to regulatory breaches, operational inefficiencies, and risks to both the dealer and its clients.

A structured process should be in place for reviewing, updating, and implementing P&Ps in response to regulatory changes and to ensure they are consistently followed across the organization. It is essential that dealers disseminate these policy changes to all relevant employees to ensure that they are fully informed and equipped to comply with updated requirements. Regular communication and training on policy updates support consistent adherence across the organization and reduce the risk of non-compliance.

4. Registrationand Proficiency

4.1 Delegation of Registration Categories – CIRO Oversight

Transformational changes towards a more effective registration framework outlined in CIRO’s Strategic Plan were announced on November 24, 2024.

The Ontario Securities Commission (OSC) announced its plan to delegate the registration function for investment dealers, mutual fund dealers, and the individuals who act on behalf of mutual fund dealers, effective Spring 2025. The OSC had already delegated the registration function for investment dealer individual registrants. At the same time, the Canadian Securities Administrators (CSA) announced that it will be considering delegating certain registration functions and powers to CIRO. The Government of Québec previously approved the Autorité des marchés financiers’ (AMF) decision on September 20, 2023, to delegate the powers of registration of mutual fund representatives to CIRO, as well as the powers of examination of mutual fund dealers with activities in Québec.

The delegation to CIRO of these additional registration responsibilities supports a consistent and harmonized approach to registration and will create efficiencies in line with the evolving needs of investors and dealers across Canada.

4.2 Relevant Investment Management Experience (RIME) for Associate Portfolio Managers (APMs) and Portfolio Managers (PMs)

Before submitting an application for approval as an APM or PM, investment dealers should review the RIME requirements for APMs and PMs under IDPC Rule 2602(3)(xiv) and (xv), respectively. Specific instructions for documenting RIME/experience requirements are found in Form 33-109F4, Schedule F Proficiency, Item 8.4 Relevant securities industry experience.

RIME must be clearly outlined to support the application in order for staff to assess the submission in a timely manner. For example, if the applicant’s experience was obtained from various roles, details relating to those roles and details of relevant investment management activities conducted, including the dates and timeframe of the experience, must be provided.

CIRO will assess whether an individual has acquired RIME on a case-by-case basis consistent with the approach outlined in Part 3 of NI 31-103 Registration Requirements, Exemptions and Ongoing Registrant Obligations, its Companion Policy (CP) 31-103CP, and CSA Staff Notice 31-332 Relevant Investment Management Experience for Advising Representatives and Associate Advising Representatives of Portfolio Managers.

Investment dealers are encouraged to contact registration staff at CIRO if they need clarification on the required RIME and information that needs to be outlined in an application.

4.3 Experience Requirement for Supervisors

Investment dealers must review the applicable requirements before making submissions for Supervisors to ensure that the Supervisor’s education and experience meets the applicable proficiency requirements set out in Rule subsection 2602(3), and that the relevant education and experience are clearly outlined in the submission. If an individual begins Supervisor-related activity and it is identified that they did not meet the requirements, then dealers will be asked to have the individual cease and desist the activity immediately. Dealers and Approved Persons are reminded that it is their obligation to ensure that the information submitted is true and complete in all cases.

Individuals returning to a Supervisory role after a 90-day period are no longer considered to be continuing in the same role as permitted under the IDPC Rule 2625(3) and are subject to the proficiency requirements in IDPC Rule 2602(3).2 Investment dealers are encouraged to contact CIRO’s registration staff if they require clarification on whether the Supervisor meets the proficiency requirements before making a submission.

4.4 Notice of End of Individual Registration or Permitted Individual Status (formerly Notice of Termination) (F1)

When filing F1s, where the cessation relates to an investment dealer’s sole Registered Representative (RR), Investment Representative (IR), Supervisor or Executive, investment dealers must consider whether they still have the appropriate number and category of Approved Persons to carry out activities. We expect investment dealers to notify us immediately in cases where they are planning to terminate their sole RR, IR, Supervisor, or key Executives (including the Chief Compliance Officer, Chief Financial Officer, Ultimate Designated Person), or where that individual has advised of their intent to resign.

We remind investment dealers that “cessation date” means the last day on which an individual had authority to act as a registered individual on behalf of their sponsoring firm or the last day on which an individual was a permitted individual of their sponsoring firm. An individual’s cessation date is not necessarily their last day of employment.

4.5 Enhanced Proficiency Model

On July 4, 2024, we published an Administrative Bulletin 24-0206 : Rule amendments — Request for comments — Proposed Proficiency Model — Approved Persons under the Investment Dealer and Partially Consolidated Rules, seeking public comment on our proposed new, assessment-centric proficiency model. We received 17 comment letters in response to the Bulletin. Keeping in mind that our contract with the Canadian Securities Institute will end at the end of December 2025, and the significance of this project and its impact on the industry, we have started working on many different aspects of this initiative. More information is available on our dedicated Proficiency website.

4.6 Proficiency Exemptions

We remind dealers that before filing an exemption application, they should review our Guidance Notice on proficiency exemptions, Guidance Notice GN-2600-21-007: IIROC Registration ‑ Proficiency Exemption Requests | Canadian Investment Regulatory Organization which outlines the comparative analysis that is needed in most cases. We encourage dealers to review the notice, and contact registration staff as needed, before submitting an exemption application.

4.7 Dual-Registered Dealers

CIRO has approved dual-registration applications for several dealers, allowing them to be registered as an investment dealer and mutual fund dealer within a single legal entity. This has included approval of exemptive relief from certain IDPC Rule requirements to minimize disruption to the dealers’ existing business operations. Further information on the exemptions granted is available in the Exemptions Granted by CIRO in 2023 summary. CIRO staff continue to receive applications and expressions of interest regarding dual-registration.

Dealers interested in dual-registration should refer to the guidance on Becoming a Dual-Registered Firm, available on CIRO’s website and the CSA Dual Registered Firm - Guide.

4.8 Continuing Education (CE) Requirements

The end of the current CE cycle is November 30, 2025, for Mutual Fund Dealer Approved Persons and December 31, 2025, for Investment Dealer Approved Persons.

We would like to remind all individuals to plan to meet their CE requirements over the course of the two-year cycle to ensure that they are not increasing the risk of being non-compliant and adding undue burden. Similarly, we remind dealers to review and update, if necessary, their CE related policies and procedures to ensure a timely completion and reporting of CE. Please refer to the CE Page and related rules for more information on each CE program.

5. Membership Issues

5.1 Review of Business Transactions

IDPC Rules require investment dealers to inform CIRO in writing before making any material changes to their business activities. Refer to Guidance Notice GN-2200-21-001: Reporting of material changes to business activities for more information regarding the purpose of notification, and which business changes require notice to CIRO. The timing of our review of the dealer's proposal is dependent on the quality of their submission and responsiveness to follow-up queries from CIRO staff. We encourage dealers to refer to the Business Changes for Dealer Members page of CIRO’s website and Notifying CIRO of Business Changes webcast for further information and guidance on submitting a proposed business change to CIRO.


1 Throughout this report “dealers” refers to both mutual fund and investment dealers. Where applicable, specification is indicated (i.e. “investment dealers” or “mutual fund dealers”).

2 Plain Language Rule Book Project – Registration Changes | Canadian Investment Regulatory Organization

25-0035
Type: Administrative Bulletin >
General
Distribute internally to
Corporate Finance
Institutional
Internal Audit
Legal and Compliance
Operations
Registration
Regulatory Accounting
Research
Retail
Senior Management
Trading Desk
Training
Rulebook connection
IDPC Rules
UMIR
MFDR

Contact

Alexandra Williams
Senior Vice-President, Member Regulation, Member Policy and Corporate Strategy
Karen McGuinness
Senior Vice-President, Finance, Investor and Member Relations

Other Notices associated with this Enforcement Proceeding:

Welcome to CIRO.ca!

You can find the Canadian Investment Regulatory Organization (CIRO) at CIRO.ca with our fresh look and feel.

The following sections of the legacy mfda.ca and iiroc.ca sites have been migrated to ciro.ca:

  • Enforcement
  • Hearings
  • Consultations
  • A unified member directory (Dealers We Regulate)
  • Advisor Report

We will continue moving items off MFDA and IIROC in 2024. Stay tuned for future updates.