Joint Canadian Securities Administrators / Canadian Investment Regulatory Organization Staff Notice 31 – 368 Client Focused Reforms: Review of Registrants’ Know Your Client, Know Your Product and Suitability Determination Practices and Additional Guidance

OBSERVATIONS AND GUIDANCE

A. KNOW YOUR CLIENT (KYC) (Section 13.2 of NI 31-103, IDPC Rule 3200, MFD Rule 2.2.1)

KYC obligations require registrants to take reasonable steps to obtain and periodically update information about their clients to support suitability determinations. Registrants must take reasonable steps to ensure that they have sufficient information regarding all of the matters set out in paragraph 13.2(2)(c) of NI 31-103 (IDPC Rule 3202(1)(iii), MFD Rule 2.2.1(1)(b)).

The amount of detail required in the KYC information collected will vary based on the nature of the firm’s relationships with its clients, and the complexity of the securities and services offered by the firm. For example, more extensive KYC information is necessary for customized portfolio management or dealing or advising in complex, high risk, or illiquid securities. Registrants should exercise professional judgement to ensure they have sufficient KYC data to meet suitability determination requirements.

The reviews found that most firms had some processes in place to collect and periodically update KYC information. However, we identified key areas for improvement:

• many firms lacked an adequate process to collect sufficient information from clients about their risk tolerance and risk capacity, and to use that information to determine the client’s risk profile;
• some firms failed to collect adequate information about clients’ financial circumstances; and
• some firms had inadequate processes to keep KYC information current, including processes to document KYC updates.

1. Determination of risk profile (Subparagraph 13.2(2)(c)(v) of NI 31-103, IDPC Rule 3202(1)(iii)(a)(V), MFD Rule 2.2.1(1)(b)(v))

Firms must determine and document the risk profile of each of their clients. A client’s risk profile should consider two factors: a client’s “risk tolerance” (willingness to accept risk – i.e., the client’s subjective attitude towards risk) and “risk capacity” (ability to endure financial loss – i.e., a more objective consideration of how financial loss would impact a client having regard to the essential facts relative to the client, when considered as a whole).

(a) Issues identified

Issues relating to the determination of risk profile for clients noted in our reviews included:

• Unchanged KYC process for risk post-CFRs – Some registrants had not updated their KYC processes to assess both risk tolerance and risk capacity, instead continuing to rely only on risk tolerance (which was the focus of the requirement pre-CFRs). Additionally, some registrants adequately updated their risk profile process for new clients but did not follow that updated process for existing clients when updating KYC.
• Inadequate process to collect and verify risk capacity information – Some registrants assessed risk capacity by looking solely at a client’s personal and financial circumstances without obtaining any client input specifically on their risk capacity. Others relied solely on a client’s self-assessment without verifying and assessing financial circumstances and other relevant KYC information to ensure the client’s self-selected risk capacity was appropriate.
• Risk tolerance and risk capacity factors not considered separately – Some KYC forms combined these factors without distinguishing them clearly, leading to inaccurate risk profiles. Others provided limited response options that did not allow for different combinations of answers to be selected, such as “I am prepared to assume a high level of investment risk and volatile fluctuations in the value of my investment and am able to withstand losses”, without including other options to indicate any variations on that statement (e.g., that they have a low ability to withstand loss with a high risk tolerance).
• Inadequate information gathered about risk tolerance and risk capacity to support determination of risk profile – Some registrants used KYC forms with “low”, “medium” and “high” checkboxes for risk tolerance and risk capacity without explaining these terms or documenting how the risk profile was determined.
• No or inadequate process to determine an overall risk profile – Some registrants collected both risk capacity and risk tolerance information but had no process or had an inadequate process to arrive at an overall risk profile.
• Inconsistent risk profile determination process – While some firms had well-designed optional investor profile questionnaires (IPQs) that collected risk tolerance and risk capacity information and assisted registered individuals in determining their clients’ risk profiles, they lacked clear policies and procedures for registered individuals to follow when the standard IPQ was not used.
• Unresolved discrepancies between risk profile and other KYC information - Some registrants failed to address discrepancies between the client’s risk profile and other KYC information such as financial circumstances, investment objectives, time horizon or age and did not have documentation explaining the discrepancies and how they were addressed.
• No confirmation of risk profile by client - Some registrants had an adequate process to determine the client’s risk profile, but did not maintain documentation to support that the client had confirmed the accuracy of the KYC information collected, including the risk profile.

(b) Guidance

Registrants should collect and assess both risk tolerance and risk capacity to establish a client’s risk profile. Risk tolerance and risk capacity are separate considerations and should be assessed separately, and a client’s overall risk profile should reflect the lower of the two. If a registrant determines otherwise, the rationale should be clearly documented.

Clients should provide specific input on both their risk tolerance and risk capacity. Registrants should ensure that the information collected for both elements is detailed enough for a meaningful assessment. Registrants should have a consistent process, outlined in the firm’s policies and procedures, with clear criteria for determining a client’s overall risk profile. The process should be sufficiently detailed to ensure consistency in risk profile determinations and enable effective supervisory oversight.

Registrants should also reconcile any conflicting information between a client’s stated risk tolerance and risk capacity and other KYC information, inclusive of KYC information captured on client risk profilers or IPQs. Specifically, registrants should assess risk capacity in relation to other KYC information such as personal circumstances (including age and family situation), financial circumstances (including liquidity needs), investment objectives and investment time horizon, and any other relevant information from the client. Any inconsistencies should be discussed with the client, and the resolution should be documented.

Questionnaires can be a valuable tool for collecting and assessing the relevant information to determine clients’ risk profiles. If used, firms should design questionnaires to include separate questions for risk tolerance and risk capacity to ensure each are assessed independently. Additionally, registrants should appropriately weight these factors to arrive at a meaningful risk profile, and avoid, for example, scenarios where a client with a low risk capacity and high risk tolerance is determined to have a high risk profile, or where a client with a high risk capacity and low risk tolerance is determined to have a high risk profile.

The risk tolerance and risk capacity information collected and the overall risk profile determined should be documented. Risk profile is part of a client’s KYC information and, as with other KYC information collected, registrants must take reasonable steps to have the client confirm the accuracy of the information.

2. Collection of financial circumstances information (Subparagraph 13.2(2)(c)(ii) of NI 31-103, IDPC Rule 3202(1)(iii)(a)(II), MFD Rule 2.2.1(1)(b)(ii))

The guidance in the CFRs clarifies the financial information that registrants should consider to support suitability determinations, including annual income, liquidity needs, financial assets, net worth and whether the client is using leverage or borrowing to finance the purchase of securities. Registrants should take reasonable steps to collect and document sufficient details on each of these factors to properly assess clients’ financial circumstances and support their suitability determinations.

(a) Issues identified

Issues relating to the collection of financial circumstances information noted in our reviews included:

• Liquidity needs not collected – Some registrants did not collect information about a client’s liquidity needs, despite its importance in assessing whether a portion of client assets might be required to pay for near term expenses. This was especially concerning when clients were invested in securities that were illiquid or lacked redemption features.
• No or inadequate collection of net financial assets, net worth and annual income – Some registrants did not collect sufficient net financial assets, net worth, or annual income information, or did so in a way that lacked meaningful detail to make a suitability assessment in the cases reviewed. For example, some registrants collected this financial information in overly broad ranges, which made it challenging for those registrants to perform an accurate and meaningful concentration assessment when determining suitability. To illustrate: if the registrant collected net financial assets for a client as falling within the range of $1 million to $5 million, a $400,000 investment in a security could represent anywhere from 8% to 40% of the client’s net financial assets.
• Registrant did not obtain a breakdown of financial assets – Some registrants did not obtain an adequate breakdown of clients’ financial assets to enable them to discharge their suitability determination obligations in the circumstances. For example, in some cases where registrants offered illiquid securities or sector specific investments, the registrants did not obtain a detailed breakdown of a client’s financial assets, including cash instruments and securities invested in (such as mutual funds, listed securities and exempt securities) and assets held outside of the registrant. In these cases, the registrants were not able to adequately assess certain relevant types of concentration for clients, such as exposure to the exempt market or a particular sector.
• No or inadequate collection of individual KYC information - Some registrants failed to gather sufficient KYC information for each client when multiple family members had joint and individual accounts. For example, some firms collected risk tolerance, annual income and investment time horizon on only a combined basis for spouses and thus did not have adequate KYC information to support their suitability determinations on individual accounts held by each spouse.

(b) Guidance

To support sound suitability assessments, it is important for registrants to gather sufficiently detailed information about each client’s financial circumstances given the context. This includes understanding annual income, liquidity needs (such as ongoing and short-term expenses or financial obligations), financial assets, net worth and any use of leverage or borrowing to invest. Where information given by the client appears to be unclear or inaccurate, the registrant should make further inquiries or obtain corroborating details.

A breakdown of financial assets can provide a clearer understanding of clients’ financial circumstances. In certain cases, such as when a firm offers illiquid products or sector-specific investments, the firm should assess whether it may also be necessary to understand investments held outside the firm to perform an adequate suitability determination.

3. Keeping KYC information current (Subsections 13.2(4) and 13.2(4.1) of NI 31-103, IDPC Rule 3209(3) and (4), MFD Rule 2.2.4(b) and (f))

Registrants must take reasonable steps to keep KYC information current, including updating the information within a reasonable time after the registrant becomes aware of a significant change in a client’s information. In addition, the CFRs set minimum KYC review and update timelines:

• for managed accounts, no less frequently than once every 12 months;
• if the registrant is an exempt market dealer (EMD), within 12 months before making a trade for, or recommending a trade to, the client; and
• in any other case, no less frequently than once every 36 months.

Given that more than 36 months have elapsed since the effective date of these CFR provisions, KYC information maintained by all firms for their clients should now include all KYC information required under the CFRs.

(a) Issues identified

Issues relating to keeping KYC information current noted in our reviews included:

• KYC information not reviewed and updated at required minimum frequency – A number of firms had client files that did not have sufficiently up-to-date KYC information to comply with the required minimum update timelines.
• KYC information not updated after significant change – In some cases, firms were aware of a significant change in a client’s KYC information (e.g., loss of job, retirement, divorce), but did not collect updated KYC information after learning of the significant change, even though it could impact, for example, the client’s net worth, financial assets, annual income, liquidity needs, investment time horizon, risk profile or investment needs and objectives.
• Inadequate documentation of periodic KYC reviews and updates – Some registrants stated that they had met with clients within the time that periodic updates were required to confirm that KYC information had not changed, but did not have sufficient, or any, documentation to evidence that these meetings had occurred or what KYC information had been discussed.
• No client confirmation of changes – Some registrants did not take reasonable steps to have clients confirm the accuracy of changes and updates to KYC information, including in situations where significant changes were made to the information.

(b) Guidance

Registrants must take reasonable steps to keep their client KYC information current, including updating records promptly after learning of significant changes to enable them to make suitability determinations. Registrants must review and update KYC information at the required frequencies, or sooner if they learn that a client’s circumstances have significantly changed. Periodic KYC updates should evidence that the registrant turned their mind to reviewing all of the elements of a client’s KYC information after a meaningful interaction with the client.

Significant changes in a client’s circumstances include those that could impact a client’s risk profile, investment time horizon, investment needs and objectives, or financial circumstances. These and other significant changes may require the registrant to revisit its suitability determination for the client.

Registrants should be proactive in keeping KYC information up to date and periodically confirm with clients that the information they have on file remains current.

Registrants should document KYC updates with records that are dated and sufficiently support that a meaningful interaction took place. While professional judgement can be used to determine the level of detail in the documentation, retaining supporting evidence is important, even if the result of the interaction was that no changes needed to be made to the KYC information. A note stating only “no update” or “no changes” in the client file or on the KYC form is insufficient without other evidence that a meaningful interaction took place with the client, to avoid solely performing a perfunctory review.

Registrants must take reasonable steps, within a reasonable time, to confirm with their clients the accuracy of KYC information, including updates. Confirmation can be documented through various means like signatures, email confirmations, or detailed notes. Changes to significant KYC and account information, such as name, address, or banking details (or other information that poses a heightened risk for account security), should be formally documented, with the client’s written verification of the changes (e.g., a handwritten, electronic or digital signature) or other appropriate verification maintained.

If clients are unresponsive to KYC update requests, registrants should document their reasonable efforts to contact them, in order to meet the registrant’s compliance obligations. Where clients are unresponsive to KYC update requests for prolonged periods of time, registrants should consider account restrictions, such as limiting new trades outside of redemptions, until the KYC information is updated.

B. KNOW YOUR PRODUCT (KYP) (Section 13.2.1 of NI 31-103, IDPC Rule 3300, MFD Rule 2.2.5)

Registered firms must take reasonable steps to assess, approve and monitor the securities that they offer (for CIRO firms, this is the Product Due Diligence aspect of KYP), while registered individuals must take reasonable steps to understand the securities they transact in, or recommend to clients, in sufficient detail to allow them to meet their obligations in respect of conducting suitability determinations.

Our reviews found that firms have taken a range of different approaches to fulfilling their KYP obligations, such as carrying out all assessment, approval and monitoring obligations at the firm level through various committees, or delegating certain assessment, approval and monitoring obligations to registered individuals.

However, we also noted that:

• many firms lacked sufficient documentation to evidence the KYP assessments performed, including documenting the relevant aspects of the securities that were considered;
• in some cases, documentation evidencing that registered individuals took steps to discharge their own KYP obligations was lacking;
• some firms failed to document their approval of the securities;
• some firms had inadequate processes for monitoring securities for significant changes; and
• some firms had inadequate processes for performing KYP on securities transferred into the firm or acquired as a result of client directed trades.

1. KYP – Firm assessments (Paragraph 13.2.1(1)(a) of NI 31-103, IDPC Rule 3301(1)(i), MFD Rule 2.2.5(1)(a))

Registered firms must take reasonable steps to assess the key aspects of securities offered to clients, including their structure, features, risks, initial and ongoing costs and the impact of those costs.

(a) Issues identified

Issues relating to KYP assessments by firms and the documentation of those assessments noted in our reviews included:

• Lack of evidence of a review of KYP documents – As part of their due diligence, some firms collected and maintained key documents relating to an issuer (e.g., financial statements, website screenshots, analyst reports, Bloomberg screenshots) obtained from issuers or third parties but failed to document how this information was reviewed, who conducted the review and when it was conducted. While third-party reports can support KYP assessments, firms need to document their own analysis.
• No KYP assessment documented for related or connected issuers – Some firms did not assess securities of related or connected issuers or maintained only limited documentation. In some cases, firms incorrectly assumed that their involvement at the issuer level was sufficient to demonstrate that they had met the KYP assessment requirement.
• No KYP assessment documented for model portfolios – Some firms using model portfolios failed to assess and document their assessment of the model portfolios (e.g., investment objectives and strategies, composition, features, costs, risks and who they would be suitable for) before offering them to clients.
• Inappropriate reliance on KYP assessments done by an affiliate – For some large firms that work closely with registered affiliates, Staff observed instances where the firm relied solely on the affiliate’s KYP to discharge their own KYP assessment obligations.

(b) Guidance

Firms must ensure that all securities offered to clients, including those in model portfolios and those of related or connected issuers, are subject to an appropriate KYP assessment by the firm. The KYP assessment requirement is not limited to manufactured products such as investment funds. Model portfolios made available to clients are expected to be subject to an appropriate KYP assessment at the model portfolio level.

Securities of related and connected issuers should be subject to the same or similar KYP process as those of unrelated issuers (in addition to the firm discharging its obligations related to the distribution of related securities under the conflicts of interest requirements). While it is not expected that firms duplicate documentation that they created when acting as the manager of an issuer, firms are required to perform a KYP assessment of the securities of related or connected issuers, particularly when the firm’s client-facing registered individuals are not the same individuals who are involved in managing the issuer.

A firm’s KYP assessment process should align with its business model and the types of securities offered to clients. The depth of review required under the firm’s KYP assessment process may vary based on a security’s structure, complexity, risk level and transparency. A more streamlined review may be appropriate for less complex and lower risk securities, while a more in-depth review may be warranted for securities that are more complex or riskier, such as those that are novel, not transparent in structure, involve leverage, options or other derivatives, have limited liquidity or have limited disclosure available.

A firm’s KYP assessment process may involve a division of responsibilities between the firm (including a committee acting on behalf of the firm) and its registered individuals. The firm’s policies and procedures should clearly outline roles, steps, and controls and ensure consistent application of the KYP assessment process for similar securities.

It may be reasonable for a firm to group KYP assessments for similar, non-complex securities (for example, non-complex prospectus-qualified mutual funds from the same manufacturer), provided that the process is well-defined and ensures that the firm meets its KYP obligations to assess the relevant aspects of the grouped securities and the firm’s registered individuals have the information needed to comply with their KYP obligations.

Firms should keep relevant documentation to support their KYP assessments (e.g., such as issuer financial statements, prospectuses, offering memoranda, fund facts, annual and semi-annual reports, internal product due diligence reports, performance reports, filings and disclosures, etc.), and keep records showing the analysis conducted for all securities made available to clients. These records are required to support the decision to make a security available to clients and demonstrate that a reasonable review was conducted prior to approving the securities.

(c) Examples of firm practices

We saw a variety of acceptable KYP assessment and documentation practices in our reviews. Some firms tailored their assessment processes to their specific business models and types of securities offered as follows:

• Some large, integrated firms with many securities on their shelves established detailed processes setting out the type of KYP assessment required for different asset classes, as well as the committees and individuals responsible for the assessment. This helped ensure efficient implementation of the firm level KYP assessment.
• Some firms designated a committee to conduct firm level KYP assessments of certain types or groups of securities (e.g., all prospectus-qualified mutual funds from a specific manufacturer), and require registered individuals to conduct further product specific reviews to ensure all relevant aspects of the securities are assessed as required, and to support their own KYP responsibilities and suitability determinations.
• Certain firms that focus primarily on proprietary products managed certain risks associated with that business model in their KYP assessment process, in particular, conflicts of interest, by incorporating market comparisons with third-party products into their process.
• Certain portfolio manager (PM) firms that permit their advising representatives to choose from a wide universe of securities rather than from a shelf or product list put in place a process to reflect that the individual advising representatives are responsible for carrying out the KYP assessment of those securities, and the approval of the securities, on behalf of the firm.
• Several PM firms developed tailored KYP assessment processes supported by technical or algorithmic evaluations, documenting how selected securities align with investment criteria.
• Certain mutual fund dealers and investment dealers established different processes for KYP assessments based on whether a proposed fund is managed by a PM or an investment fund manager approved by the firm, and considering additional factors such as the risk level of the fund (e.g., prospectus qualified mutual fund vs. prospectus exempt alternative fund) and requiring additional review in the case of more costly funds.

Examples of acceptable KYP assessment documentation practices included:

• maintaining due diligence memos or summaries for all securities made available to clients (including those of related and connected issuers);
• completing tailored KYP forms outlining the elements of the security reviewed;
• leveraging technology that aggregates and updates key product information, particularly for publicly available products like prospectus-qualified mutual funds and exchange traded funds (ETFs), and integrating it into systems used by registered individuals;
• discussing key aspects and features of securities at investment committee meetings and maintaining detailed minutes or recordings;
• establishing a process where registered individuals research and document potential securities for investment, then present to the investment committee for consideration and approval;
• for larger firms, assigning research teams to prepare detailed reports on securities based on the nature and complexity of the security for use at investment committee meetings and by registered individuals.

2. KYP – Registered Individuals (Subsection 13.2.1(2) of NI 31-103, IDPC Rule 3302(1), MFD Rule 2.2.5(2))

Registered individuals must take reasonable steps to understand all securities, and are expected to understand all model portfolios, purchased or sold for, or recommended to, clients.

(a) Issues identified

Issues relating to registered individuals’ KYP obligations noted in our reviews included:

• Inadequate documentation to evidence that registered individuals discharged their KYP obligations – In some cases, firms conducted a centralized KYP assessment on securities that were approved to be made available to clients. However, there was no evidence to demonstrate that after that, the registered individuals that recommended or selected these securities from the approved list had taken sufficient steps (or been provided enough information/training by the firm) to discharge their own KYP obligations.
• No KYP assessment documented for model portfolios – Some registered individuals recommended model portfolios without showing they had taken reasonable steps to understand the model portfolios before recommending them to clients.

(b) Guidance

Reasonable steps must be taken by registered individuals to understand securities they recommend to or trade for clients, including their structure, features, risks, costs, and how those costs affect performance. More complex or higher risk securities may require a more detailed consideration.

Where clients invest in model portfolios offered by a firm, the KYP obligation for the firm’s client-facing registered individuals is to understand how the model portfolios are composed, their features and risks, and the types of clients for whom they may be suitable. Registered individuals responsible for selecting securities to be included within the model portfolios must take steps to understand each of the underlying securities within the models.

To assist registered individuals in complying with their own KYP obligations, firms should provide access to the information gathered through the firm’s KYP process, as well as providing any necessary training and tools to assist them.

An appropriate level of documentation must be maintained to demonstrate that registered individuals have taken reasonable steps to understand the securities and model portfolios they purchase or sell for, or recommend to, clients.

(c) Examples of firm practices

We noted that firms used various methods to assist registered individuals in meeting their requirements to understand the securities they purchase or sell for, or recommend to, clients including:

• providing technology to generate and record key information about securities, and requiring registered individuals to acknowledge reviewing the required information before making recommendations (this method was used more frequently for publicly available manufactured products such as prospectus qualified mutual funds and ETFs);
• requiring registered individuals to review due diligence memos or summaries for each security approved by the firm and to pass an examination set by the firm based on the content prior to recommending the security to clients, including re-examination when a significant change impacts the security (we noted this method was used by some EMDs);
• ensuring registered individuals have access to relevant information about the securities to assist them in undertaking and evidencing their own review by, for example:
  • distributing research reports on securities made available to clients prepared by a research team or centralized group, which are appropriately detailed given the nature and complexity of the security;
  • for some smaller firms, distributing the firm’s completed KYP assessments for securities by email, which summarize all relevant aspects of a security.

3. Approval of securities (Paragraph 13.2.1(1)(b) and subsection 13.2.1(3) of NI 31-103, IDPC Rule 3301(1)(ii) and (2), MFD Rule 2.2.5(1)(b) and (3))

Firms must ensure that all securities that they make available to clients are approved, and registered individuals must not purchase or sell a security for, or recommend a security to, a client unless the security has been approved by the firm.

(a) Issues identified

Issues relating to the approval of securities and the documentation of the approval noted in our reviews included:

• No evidence of approval – Some firms could not provide documentation evidencing approval of securities made available to clients despite representing to Staff that the securities had been approved. For example, some firms:
  • represented that their investment or other committees discussed and approved securities, but failed to maintain evidence of the discussion and the approval;
  • represented that the securities were added to an “approved list” without documenting the approval process, assessments or rationale for inclusion;
  • offered model portfolios managed by the firm or an affiliate and did not maintain evidence that the portfolios were approved to be made available to clients.
• Insufficient evidence of approval – In some cases, firms documented that certain securities were approved without documenting a reasonable KYP assessment or rationale.

(b) Guidance

Firms must establish approval processes for securities made available to clients and are also expected to have a process to approve model portfolios that are made available to clients. Processes and approval criteria may vary based on the firm’s business model and the complexity and risks of the securities offered. Policies and procedures should clearly define the approval process, and approvals should be appropriately supported and documented.

We noted that firms took various approaches to assigning approval responsibility, depending on their size, their business model and the complexity and risks of the securities offered, including designating committees (such as investment committees and product review committees) or individuals (such as the firm’s Chief Investment Officer, Chief Compliance Officer, Ultimate Designated Person, senior advising representatives or certain individual advising representatives).

Some PM firms using algorithmic models developed processes based on model outputs. In such cases, firms should document details of the model used, the resulting outputs and evidence of ongoing oversight to ensure it is functioning appropriately.

Approval documentation should show meaningful consideration by the individual or group approving the security (or, where appropriate, approving the group of securities), including key elements that were assessed and support for why the approval was appropriate. Simply stating that securities are “approved” or placing them on an “approved list” without evidence of a reasonable review process or criteria supporting that decision is insufficient to show that a meaningful consideration took place.

(c) Examples of firm practices

Acceptable firm practices regarding approvals of securities and the documentation of the approvals observed in our reviews included:

• recording sign-off or approval on the documentation that evidenced the assessment of the key elements of the security (e.g., directly on a due diligence memo, research report or KYP memo prepared for the security);
• maintaining detailed committee meeting minutes documenting discussions of the key elements of a security and committee approval;
• maintaining email records outlining the required information and approval confirmations;
• in the case of complex or high risk products, review and approval at many larger firms is completed and documented by a Product Review Committee;
• in cases where firms specialize in certain niche sectors (e.g., mining stocks), greater reliance is placed on the KYP assessments completed and documented by individuals with the necessary expertise such as engineers, and approval is often granted by a registered individual, such as a supervisor or the Chief Compliance Officer, based on a review of the KYP analysis prepared by the expert staff.

4. Monitoring for significant changes in securities (Paragraph 13.2.1(1)(c) of NI 31-103, IDPC Rule 3301(1)(iii), MFD Rule 2.2.5(1)(c))

Registered firms must take reasonable steps to monitor securities for significant changes. Monitoring should be applied to securities that are available for purchase through the firm, and, where a firm has an ongoing relationship with clients and is required to complete periodic suitability reassessments, to all securities that are held in clients’ accounts, even if those securities are no longer available for purchase through the firm.

(a) Issues identified

Issues relating to monitoring for significant changes in securities noted in our reviews included:

• No definition of “significant change” in a security – Many firms did not have an adequate monitoring process in place as they did not define what constitutes a significant change in a security and when it would trigger a reassessment of the security’s approval or suitability for clients holding the security. As a result, despite the firms having monitoring processes in place, there was no process to determine what action the firms may need to take when the monitoring indicated a change to a security.
• Inadequate monitoring frequency – Some firms monitored securities at a frequency that was inadequate for the type of security, including its risks and complexity. For example, we noted that certain EMDs offering risky, illiquid, and complex products monitored for significant changes only on an annual basis, which Staff found to be inadequate.
• Inappropriate reliance on issuers / product manufacturers for notification of changes – Some firms passively relied on issuers or product manufacturers to notify them of changes or required issuers or product manufacturers to confirm annually whether there had been any significant changes. These firms did not have their own proactive monitoring processes.
• No process to monitor or no evidence of monitoring – Some firms lacked a monitoring process altogether or failed to maintain evidence that securities or model portfolios were reviewed for significant changes that could affect client suitability. Some firms maintained up-to-date information on securities (e.g., updated issuer financials) but had no evidence it was reviewed or considered as part of their monitoring process.

(b) Guidance

Firms should define what constitutes a significant change for the types of securities they offer and implement a monitoring process that outlines how and at what frequency monitoring will occur. The definition of significant change and the monitoring frequency should reflect the nature of the securities, the firm’s business model, and investment strategy.

Examples of significant changes identified by firms include a change in:

• the risk rating of a security;
• the costs/fees associated with a security;
• the liquidity of a security;
• distribution and redemption privileges (e.g., redemptions suspended);
• the operations of an issuer;
• management or significant ownership of an issuer;
• the issuer’s credit rating;
• financial ratios;
• the geopolitical situation; and
• macroeconomic factors.

The greater the security’s risk or likelihood of significant changes, the more frequently and closely it should be monitored. In general, annual monitoring alone was not found to be sufficient. Firms should have written policies and procedures outlining their monitoring process and maintain evidence that the process was followed (e.g., records of information obtained and reviewed).

Where significant changes are identified, firms should document their assessment of those changes and consider appropriate responses where necessary, which may include:

• notifying registered individuals of the change,
• reassessing suitability for clients and taking corrective actions in client accounts as necessary,
• revisiting the firm’s approval of the security,
• implementing additional controls around the sale of the security (e.g., restricting new sales to certain types of investors).

Where corrective actions are limited due to the nature of the security (e.g., illiquid securities or redemption restrictions), appropriate responses may involve halting new sales and informing affected clients of the change.

(c) Examples of firm practices

Some examples of firms’ KYP monitoring processes included:

• periodically updating due diligence memos or key elements of KYP assessments to identify significant changes, informing all registered individuals of any significant changes, and retaining all document versions to evidence the process.
• using portfolio management software to create a tailored “watch list” or “approved list” that delivers daily updates on key metrics and news about issuers, enabling registered individuals to monitor for significant changes.
• implementing automated systems that track and flag significant changes to securities on a daily, weekly, or monthly basis, with updates provided to registered individuals for follow up where appropriate.

5. KYP – Transfers in and client directed trades (Paragraphs 13.2.1(1)(a) and (c) of NI 31-103, IDPC Rule 3301(1)(i) and (iii), IDPC Rule 3302, MFD Rule 2.2.5(1)(a) and (c))

KYP assessment and monitoring requirements apply to securities transferred into a firm or acquired through a client directed trade, though firms are not required to approve these securities if they are not otherwise made available to clients. Firms must assess these securities within a reasonable time after the transfer or trade and include them in their monitoring process for significant changes.

Registered individuals must take steps to understand all securities held in a client’s account to meet their suitability determination obligations. This includes understanding securities transferred into the firm or acquired through client directed trades within a reasonable time.

(a) Issues identified

We noted the following issues relating to KYP assessments for transferred securities or client directed trades:

• No KYP assessment performed on transferred in securities and client directed trades – Many firms and registered individuals failed to perform or document KYP assessments on securities transferred in or resulting from client directed trades within a reasonable time.
• Inappropriate exclusion of securities from KYP processes – Some firms excluded securities transferred in or from client directed trades from their KYP processes, citing the trade size being too small (e.g., below a defined threshold established by the firm) or trades being infrequent.

(b) Guidance

Registrants must assess securities transferred into the firm or resulting from client directed trades within a reasonable time. However, the depth of the KYP assessment may vary based on factors such as the nature of the securities, how long they will be held in the client account, the client’s circumstances and investment objectives, and the relationship between the client and the firm. Firms must not exclude these securities from their KYP assessment and monitoring processes.

The KYP assessment performed and the steps taken by the registered individual to understand the securities should be adequate to support suitability determinations, including decisions about whether to continue to hold or divest the securities in a client’s account, and should be documented.

C. SUITABILITY DETERMINATION (Section 13.3 of NI 31-103, IDPC Rule 3400, MFD Rule 2.2.6)

The suitability determination provisions require that, prior to taking any investment action, registrants must assess and determine whether the action is suitable for the client, considering specific factors, such as the client’s KYC information and the registrant’s KYP assessment. Registrants must also determine that the action puts the client’s interest first.

These provisions also establish requirements for periodic reviews of the suitability of client accounts (at a minimum, when the periodic KYC reviews occur as required under subsection 13.2(4.1) of NI 31-103 (IDPC Rule 3209(4), MFD Rule 2.2.4(f)), and set out the process for handling client directed trades and unsolicited orders.

Our reviews found that many firms had not updated their suitability determination processes to ensure they are complying with their enhanced obligations under the CFRs. In addition, we noted the following issues related to suitability determinations:

• inadequate consideration of certain specific factors when making a suitability determination;
• inadequate policies and procedures, as they lacked sufficient detail on the responsibility and timing for documenting factors considered in suitability assessments; and
• inadequate documentation of suitability determinations.

Similar issues were noted with periodic suitability reassessments and related documentation, as well as with suitability determinations for client directed trades and unsolicited orders.

1. Suitability determinations and factors to be considered (Subsection 13.3(1) of NI 31-103, IDPC Rule 3402(1), MFD Rule 2.2.6(1))

Before taking an investment action, registrants must assess and determine its suitability for the client, considering the factors in paragraph 13.3(1)(a) of NI 31-103 (IDPC Rule 3402(1)(i), MFD Rule 2.2.6(1)(a)):

• the client’s KYC information;
• the registrant’s KYP assessment or understanding of the security;
• the impact of the investment action on the client’s account, including concentration and liquidity;
• the potential and actual impact of costs on the client’s return on investment; and
• a reasonable range of alternative actions available to the registrant through the registered firm.

Registrants must also satisfy paragraph 13.3(1)(b) of NI 31-103 (IDPC Rule 3402(1)(ii), MFD Rule 2.2.6(1)(b)), by determining that the investment action puts the client’s interest first.

While not all factors may be equally relevant in every case, registrants should use their professional judgement and take reasonable steps to consider each factor’s relevance to the specific investment action being considered, and must always prioritize the client’s interest over their own or other competing considerations, such as a higher level of remuneration or other incentives, when choosing among suitable options.

(a) Issues identified

Issues relating to suitability determinations included:

• Incomplete consideration of factors included in paragraph 13.3(1)(a) of NI 31-103 (IDPC Rule 3402(1)(i), MFD Rule 2.2.6(1)(a)) – Some registrants lacked processes to ensure that all factors were considered prior to taking an investment action. While KYC and KYP factors were generally addressed, firms often failed to require registered individuals to consider:
  • the impact of the investment action on a client’s account, including concentration and liquidity of the securities within the account,
  • the impact of costs on the client’s returns, and
  • a reasonable range of alternative investment actions.
• No process in place to consider impact of an investment action across all of the client’s accounts – Some registrants did not have a process in place to consider whether a recommendation or decision for a client account would materially affect the concentration and liquidity of the client’s investments across all of the client’s accounts held at the firm, as applicable. Such a process is one of the ways a registrant can seek to determine whether an investment action puts the client’s interest first as required by paragraph 13.3(1)(b) of NI 31-103 (IDPC Rule 3402(1)(ii), MFD Rule 2.2.6(1)(b)).
• Inadequate suitability determination process for model portfolios – Some firms did not recognize that suitability determinations (including the consideration of a reasonable range of alternatives) are expected to be performed at different levels for model portfolios made available to clients:
  • at the model level (when constructing and managing the model portfolios) – suitability determinations are expected to be performed for securities selected for inclusion in the models or for other investment actions taken for the models, and
  • at the client-facing level – a suitability determination is expected to be performed when a particular model portfolio is selected for a client from other model portfolios available at the firm.
    
    Some firms also did not recognize that where registered individuals are permitted to substitute securities within a particular model portfolio or otherwise deviate from the model at the client-facing level, a suitability determination is expected to be performed on the substituted securities or in respect of the deviation from the model.
• Insufficient documentation processes – Some firms lacked adequate processes to identify and maintain appropriate documentation to support suitability determinations. For example, some firms:
  • had no processes for the documentation of suitability determinations,
  • had processes to maintain only limited documentation that did not evidence a reasonable basis for the suitability determinations made, or
  • relied on superficial tools (e.g., checklists) without supporting documentation of how factors were considered and decisions made.
• No or inadequate documentation to support suitability determinations – Some firms had little or no documentation or recorded only that an investment was “suitable” without showing the basis for that determination. While the level of detail may vary, documentation must always be sufficient to demonstrate a reasonable basis for the suitability determination. Centralized or periodic analysis may be relied on without repeating documentation for each recommendation, but where suitability is less clear, more detailed records are necessary.

(b) Guidance

Staff recognize that depending on the firm’s business model, the available securities, the characteristics of the firm’s client base and the nature of the clients’ relationship with the firm, as well as the investment action being considered, some factors in paragraph 13.3(1)(a) of NI 31-103 (IDPC Rule 3402(1)(i), MFD Rule 2.2.6(1)(a)) may be more relevant than others. Registrants should have processes in place to reasonably consider all suitability factors when making a suitability determination.

Overall documentation, achieved through relevant firm and individual processes, should be detailed enough to demonstrate meaningful suitability determinations. It should illustrate the reasonable basis for registrants’ determinations that investment actions taken are suitable for clients and put clients’ interests first, reflecting the understanding of the product, the risk, complexity, and uniqueness of recommendations, and enable robust supervisory review. Firms have flexibility to tailor their processes, using a mix of individual and centralized processes based on their business model. Some examples of acceptable centralized processes used at firms are provided in the “Examples of firm practices” section below.

Where an investment action for a client appears inconsistent with one or more factors, but there are competing considerations that make the investment action ultimately suitable for the client, more detailed documentation should be maintained to support the suitability determination and demonstrate that the client’s interests were put first.

Where firms offer model portfolios, we expect that the suitability determinations are performed at different levels: (i) at the model level (when constructing and managing the model portfolios), when suitability determinations are expected to be performed for securities selected for inclusion in the models or for other investment actions taken for the models, and (ii) at the client-facing level, when a suitability determination is expected to be performed when a particular model portfolio is selected for a client from other model portfolios available at the firm. If a registered individual substitutes securities within a particular model portfolio or if the registered individual otherwise deviates from the model at the client-facing level, a suitability determination is expected to be performed on the substituted securities or in respect of the deviation from the model.

We noted in our reviews that PM firms that maintained well-defined and comprehensive investment policy statements for clients that considered all accounts of the client, in conjunction with the use of effective automated pre-trade and post-trade compliance tools, were generally better positioned to demonstrate compliance with the suitability determination requirements. While the investment policy statements and trade controls alone were not sufficient to demonstrate that all factors had been considered by the registrant, these were supplemented by additional processes (for example, to consider a reasonable range of alternatives) to ensure that the suitability determination obligation was met.

(c) Examples of firm practices

We noted that some firms appropriately tailored their suitability determination and documentation processes for their business models and circumstances. Noted below are some examples of practices observed in our reviews where processes were appropriately tailored and registrants met their suitability determination and documentation obligations.

These practices were observed for PMs or investment dealers making identical decisions or recommendations for all client accounts following a particular mandate or strategy, or seeking a specific type of investment exposure. Depending on the firm’s business model, the complexity of securities and controls the firm had in place, Staff accepted certain practices based on the facts and circumstances presented during the reviews.

• Mandate-level suitability determinations – For firms making identical investment decisions for clients following a particular investment mandate (e.g., all clients having exposure to Canadian large cap equities in varying degrees), such as a decision to include a new security in the portfolios of all such clients, the firm completed and documented its suitability determination for the addition of the security at the mandate level and identified all of the client portfolios to which it applied. The firm had robust controls in place at the client level (e.g., to identify any concentration issues or investment restrictions) to ensure that the suitability determination was appropriate for all clients within that mandate. In addition, the firm had in place a robust periodic suitability reassessment process that was completed and documented for all clients, where the suitability of all securities in a client’s account / portfolio was comprehensively assessed.
  
  This approach relieved the firm and its registered individuals from the duplicative work of completing separate suitability determination documentation for all client accounts following the same mandate at the time of each investment action. The firm-level documentation maintained supported the investment action for individual securities held by the identified group of client accounts.
• Adjustments to existing securities – Where exposure to a security already held in a client account was changed, registrants documented their suitability determinations at a higher level where it was reasonable to rely on the prior suitability determination, provided the rationale was recently assessed or updated to confirm that no material changes had occurred.
• Account rebalancing – Staff noted that in cases where client accounts are periodically rebalanced to return to a target weighting with no changes to the specific securities in the accounts, it was appropriate for registrants to document their suitability determinations for the trades in a summary manner.

Registrants using tailored suitability determination and documentation processes similar to those above must maintain detailed policies and procedures to demonstrate how suitability determination requirements are met and to ensure periodic suitability reassessments are completed as required so that portfolio holdings continue to be suitable for clients and put their interests first.

2. Impact on client’s account or portfolio (Subparagraph 13.3(1)(a)(iii) and paragraph 13.3(1)(b) of NI 31-103, IDPC Rule 3402(1)(i)(c) and (ii), IDPC Rule 3402(4), MFD Rule 2.2.6(1)(a)(iii) and (b))

Registrants must assess how an investment action affects concentration and liquidity within a client’s account and, where clients hold multiple accounts, across the portfolio of all accounts held with the firm.

To meet these obligations, firms should set appropriate concentration and liquidity thresholds based on client circumstances and the types of securities held, and establish processes to monitor and manage them.

(a) Issues identified

Issues noted in our reviews of registrants’ consideration of the impact that a proposed investment action would have on a client’s account or overall portfolio held at the firm included:

• Lack of concentration and liquidity controls – Some firms failed to establish or apply thresholds or limits for investment concentration (such as with respect to the types of investments, issuers, sectors and asset classes) or liquidity and as a consequence they were unable to adequately assess the impact of investment actions on client accounts and portfolios.
  
  This included EMDs selling highly concentrated or illiquid investments without proper thresholds in place to assess the overall exposure that clients have to such investments (whether through investments held within or outside of the firm), and investment dealers lacking processes to identify, monitor, and control holdings in illiquid securities.
• Inadequate assessment and documentation of concentration and liquidity across multiple client accounts - Some firms did not assess concentration and liquidity across a client’s multiple accounts or lacked documentation to support asset allocation decisions made to strategically contain certain categories of securities in specific types of accounts (e.g., for tax planning purposes).
• Incomplete KYC information – Some EMDs did not collect sufficient information about clients’ external investments, preventing a proper assessment of liquidity and concentration risks in specific sectors or asset classes, particularly in exempt market products.

(b) Guidance

Registrants should have appropriate controls to calculate, monitor, and manage concentration in client accounts and portfolios, tailored to their business model and the securities offered. The higher the concentration in a particular type of security, sector or industry in a client’s account or across a client’s portfolio, the more steps the registrant should take, and appropriately document, to demonstrate that the investment was suitable for the client and put the client’s interest first.

If an investment holding exceeds internal concentration or liquidity thresholds but remains suitable for the client and puts the client’s interest first, registrants must document the rationale in detail. Firms with narrow or higher risk offerings (e.g., EMDs, specialized investment dealers) should gather thorough client financial circumstances information, including on external holdings, and assess issuer-specific, sector, and overall exempt product exposures and concentration relative to a client’s net financial assets and the internal thresholds set by the firm. Where clients withhold information, registrants should use their professional judgement to consider whether or not they have obtained sufficient KYC information on the client’s financial circumstances to meet the registrant’s suitability determination obligations, in respect of concentration and liquidity and otherwise.

Firms that maintain multiple accounts for clients should have processes to assess and monitor concentration and liquidity across the portfolio comprised by those accounts. We encourage you to review the guidance set out in Questions 71 – 77 in the CFRs FAQs on this topic.

(c) Examples of firm practices

Examples of effective processes adopted by firms to consider the impact of investment actions, including with respect to concentration and liquidity, both within and across client accounts, where applicable, included:

• Applying meaningful concentration and liquidity thresholds – Some firms set and monitor concentration and liquidity thresholds based on issuer, sector and asset class exposure relative to clients’ net financial assets. For example, some EMDs have implemented processes to consider issuer and sector concentration, as well as total concentration in exempt market investments, in relation to clients’ net financial assets, and assess those against firm thresholds when considering whether a distribution of a security would be suitable for a client and put the client’s interest first. These firms document their analysis as part of their suitability determination documentation for each distribution. In addition, some EMDs have implemented variable concentration and liquidity thresholds that are applied more conservatively to certain types of investors such as investors with lower risk tolerance and seniors.
• Use of portfolio management systems - Some firms use portfolio management systems that consolidate holdings across client accounts, allowing registered individuals to effectively assess and monitor concentration and liquidity across multiple accounts held by the client at the firm.

3. Impact of costs (Subparagraph 13.3(1)(a)(iv) of NI 31-103, IDPC Rule 3402(1)(i)(d), MFD Rule 2.2.6(1)(a)(iv))

As part of assessing suitability and prioritizing the client’s interest, registrants must, under subparagraph 13.3(1)(a)(iv) of NI 31-103 (IDPC Rule 3402(1)(i)(d), MFD Rule 2.2.6(1)(a)(iv)), consider the actual and potential impact of costs associated with an investment action on the client’s return on investment.

(a) Issues identified

Issues relating to registrants’ assessments of the potential and actual impact of costs included:

• No assessment of costs when multiple series are available to clients – Some firms made multiple series of the same security available to clients (e.g., Class A, B, and F of the same investment fund) where the costs of those series varied, but the registered individuals did not assess the impact of costs when selecting a particular series for the client.
• No requirement to consider lower cost options – Some firms lacked policies requiring registered individuals to consider lower-cost alternatives available through the firm as part of the assessment of a reasonable range of alternative actions under subparagraph 13.3(1)(a)(v) of NI 31-103 (IDPC Rule 3402(1)(i)(e), MFD Rule 2.2.6(1)(a)(v)). For example, registered individuals were not required to consider lower management expense ratio (MER) series of investment funds when making recommendations.
• No process to monitor eligibility for lower cost investments – Some firms failed to identify or monitor client accounts that could qualify for lower-cost investments, such as reduced MER fund series, once asset thresholds were met.

(b) Guidance

Registrants should have processes in place to assess all direct and indirect costs, fees, commissions, and registrant compensation associated with an investment action and compare them against other available options, based on the firm’s existing business model and securities made available to clients.

Given that costs can significantly affect client returns, registered individuals should consider the relative costs of investment options, including any compensation paid directly or indirectly to the firm or individual. They must put the client’s interest first when choosing among suitable options and document the rationale if recommending higher-cost products.

The relevance of cost considerations may depend on specific circumstances. For example:

• When investing solely in exchange-listed securities with uniform trading commissions, costs at the security level may have minimal impact. Unless the security has additional embedded costs (e.g., management fees, trailers), this assessment should require minimal documentation which can be completed by the firm in a centralized manner.
• When there are multiple series of the same investment available to the client and the costs between those series are different, registrants must assess the impact of costs in choosing a particular series over another, and the assessment and conclusion must be documented as part of the suitability determination for the series selected.

Suitability documentation related to assessing costs may be maintained at the individual recommendation level or through centralized processes beginning with the initial KYP assessment and updated on an ongoing basis as required to support suitability reassessments.

(c) Examples of firm practices

• Some EMDs with limited product shelves assessed and documented costs during their KYP process. Staff accepted this as sufficient where no similar alternative products were available on the firm’s shelf. However, where alternatives exist, registrants are expected to reassess costs during the suitability process, and not solely rely on the initial KYP assessment.
• Some firms used technology to compare costs across available securities and assess cost impact, supporting registered individuals in making their suitability determinations.

4. Reasonable range of alternative actions (Subparagraph 13.3(1)(a)(v) of NI 31-103, IDPC Rule 3402(1)(i)(e), MFD Rule 2.2.6(1)(a)(v))

When assessing a proposed investment action, registrants must, under subparagraph 13.3(1)(a)(v) of NI 31-103 (IDPC Rule 3402(1)(i)(e), MFD Rule 2.2.6(1)(a)(v)), consider a reasonable range of alternative actions available through their firm at the time. Registrants should have processes for determining the level of documentation required to demonstrate that a reasonable range of alternatives was considered as part of their suitability determinations.

(a) Issues identified

Issues relating to registrants’ assessments of a reasonable range of alternative actions included:

• Lack of documented process – Many firms did not have written policies and procedures that documented their process for assessing a reasonable range of alternatives when determining the suitability of an investment action for a client.
• No or inadequate documentation to demonstrate that a reasonable range of alternatives was considered – In many cases, registrants could not show evidence that a reasonable range of alternatives was considered at the time of the investment decision. Where this assessment is conducted and documented through a centralized or periodic process, that is generally acceptable. However, some firms indicated that registered individuals performed the assessment, yet no documentation was maintained to demonstrate it, even in cases involving higher-cost or more complex products.
• No documentation at the individual representative level – Some firms identified and assessed a reasonable range of alternatives for various products on their shelf at the firm level and created an “approved list” or “recommended list” of securities to assist their registered individuals, but no assessment of the alternatives included on the list appeared to have been made by registered individuals when making recommendations and no documentation was maintained.

(b) Guidance

Firms must have processes to ensure a reasonable range of alternatives is considered when making a suitability determination. Processes may vary based on business models, investment strategies and relationships with clients, but should clearly define:

• who is responsible for identifying and assessing alternatives and when comparisons take place (e.g., what is to be done at the firm level versus at the registered individual level, what is to be done on a periodic basis versus what is to be done at the time of each specific recommendation),
• the scope of products to be considered (e.g., defining the comparable alternatives and what constitutes a “reasonable” range), and
• what information should be included in the documentation.

Firms with broad product shelves (e.g., open architecture platforms) may design efficient processes to manage their offerings. These processes should be designed to ensure suitability requirements are met while giving registered individuals sufficient flexibility to evaluate alternatives and make personalized client recommendations. Documentation should reflect the complexity of the security.

Evaluating alternatives requires, among other things, assessing cost structures and returns, including management fees and transaction costs, to ensure alignment with clients’ interests. As part of the consideration of a reasonable range of alternatives, registered individuals should consider lower cost alternatives available through the firm and document the basis for their determinations when choosing among suitable alternatives.

(c) Examples of firm practices

We noted that different business models operationalized this requirement in different effective ways. For example:

• Use of centralized committees
  • In firms where investment decision-making was centralized, the reasonable range of alternatives was often assessed as part of the firm’s KYP process and documented at the firm level. This was common among investment dealers and PMs using centralized research departments to develop and communicate favoured mandate-level strategies, with registered individuals expected to apply these strategies as appropriate for clients. When client-specific needs required substitutions, registered individuals conducted and documented additional alternative analysis.
  • Some firms had a centralized group that periodically prepared an approved list of securities for client recommendations, requiring registered individuals to document how they selected a particular security from available alternatives on the list.
  • Some firms leveraged their centralized KYP and monitoring processes to periodically identify a reasonable range of alternatives for use in suitability determinations.
• Use of technology or tools
  • Some firms provided technology to help registered individuals identify and compare a range of alternatives, generating comparative analyses (including cost factors) that could be saved to document their recommendations.
  • Some firms developed policies and tools requiring individuals to compare key criteria, such as costs, across a minimum number of alternatives before making a recommendation and to facilitate documentation.
• Leveraging periodic review by registered individuals
  • We noted a firm that requires registered individuals to periodically perform and document their assessment of a reasonable range of alternatives (including KYP analyses) on a set number of security categories and options available to clients through the firm (e.g., five funds within each category, with the options including funds from different fund managers). Registered individuals can then rely on this analysis of alternatives when making their suitability determinations for multiple clients until the next review of the categories and options, which occurs on a basis that is sufficiently frequent given the type and complexity of the securities. The firm monitors all securities made available to clients on a weekly basis for significant changes, requiring registered individuals to update their KYP analysis and their analysis of alternatives when necessary due to the changes identified.

5. Inadequate suitability reassessments (Subsection 13.3(2) of NI 31-103, IDPC Rule 3402(2), MFD Rule 2.2.6(2))

Registrants must reassess a client’s account and holdings to ensure they remain suitable and continue to put the client’s interest first. At a minimum, suitability must be reassessed when the registrant conducts its periodic KYC review as set out in subsection 13.2(4.1) of NI 31-103 (IDPC Rule 3209(4), MFD Rule 2.2.4(f)).

Other suitability reassessment triggering events include:

• a change to the registered individual designated as responsible for the account,
• the registrant becomes aware of a KYP change in a security in the account that could result in the security or account not satisfying the suitability determination criteria, or
• the registrant becoming aware of a change in the client’s KYC information that could result in the security or account not satisfying the suitability determination criteria.

(a) Issues identified

Issues noted relating to periodic suitability reassessments included:

• Inadequate documentation of reassessments – Many firms failed to properly document periodic suitability reassessments or demonstrate that a full suitability review of the account and holdings had been conducted.
• No reassessment upon certain changes in a security – Some registrants did not reassess suitability when a significant KYP change occurred and it was a change that could result in the security or the account no longer being suitable for the client.
• No reassessment upon a change to the registered individual responsible for the client’s account – Some PM firms use a team-based approach but designate a key advising representative to maintain KYC information and manage the client relationship. We noted instances where firms changed the key representative without recognizing this triggered a requirement to reassess suitability, given the representative’s key role in the client relationship, including maintaining KYC information, which is an important input to suitability determinations.

(b) Guidance

Registrants are required to review the suitability of client accounts and the securities within the accounts according to the minimum time periods aligning with KYC reviews and updates, or more frequently if one of the prescribed triggering events occurs. These reviews should assess whether the account and the securities within the account continue to be suitable for the client and put the client’s interest first.

As a reminder, the suitability determination requirement applies to recommendations or decisions to continue to hold securities. Suitability reassessments should consider, for example:

• whether alternative securities would better serve the client’s interests (including consideration of, for example, transaction costs and tax implications).
• potential concentration or liquidity issues as a result of market movements.

The suitability reassessment process should align with the firm’s business model and client circumstances. For example, a detailed periodic suitability reassessment for client accounts is critical for firms that follow a buy and hold long-term strategy for clients with minimal or no trading on a regular basis.

In cases where EMDs have ongoing relationships with their clients but clients hold illiquid securities with minimal or no redemption features, we recognize that the extent of the reassessment of the suitability determination may be limited due to the illiquid nature of the securities. However, we expect that those registrants will take this fact into account when making future recommendations for their clients, including any additional investments. For EMDs that have only a transactional relationship with clients (as described in Appendix F of 31-103CP), the requirement to reassess suitability for a client is not applicable because there is no ongoing relationship or client account.

Records should show a meaningful reassessment; generic notes like “no changes” are insufficient. Firms need a process to ensure reassessments occur on time. If broader or centralized assessments are used (e.g., model portfolios), individual client suitability must still be reassessed and clearly documented.

6. Client directed trades (Subsection 13.3(2.1) of NI 31-103, IDPC Rule 3402(5), MFD Rule 2.2.6(2.2))

Registrants must assess whether a client directed trade is suitable for the client and whether it would put the client’s interest first. If the trade would not be suitable or put the client’s interest first, the registrant must:

• inform the client of the determination and its basis;
• recommend an alternative action that is suitable and puts the client’s interest first; and
• if the client still wishes to proceed, confirm and document the client’s instruction to proceed.

(a) Issues identified

Many firms reviewed were unaware of the steps and documentation requirements for accepting client directed trades. Some specific issues noted during the reviews included:

• Lack of documentation for suitability determination – Many registrants did not document the suitability determination they had performed prior to proceeding with the client requested investment action.
• Inadequate suitability determination – Some registrants performed a general suitability determination on the proposed investment action but did not consider all of the suitability determination criteria, including a consideration of a reasonable range of alternative actions.
• No suitability determination for certain trades – Some firms had inappropriately excluded certain client directed trades from their suitability determination processes, citing the trade size being too small (e.g., below a defined threshold established by the firm), and permitted the trades to be made without complying with the applicable requirements for accepting client directed trades.

(b) Guidance

When an instruction for a client directed trade is received, the registrant must first assess the suitability of the proposed investment action with consideration of all suitability criteria in subsection 13.3(1) of NI 31-103 (IDPC Rule 3402(1), MFD Rule 2.2.6(1)). If the action is not suitable or does not put the client’s interest first, the registrant must follow the steps set in subsection 13.3(2.1) of NI 31-103 (IDPC Rule 3402(5), MFD Rule 2.2.6(2.2)) and maintain appropriate documentation. Simply noting that the client directed the trade is insufficient. If the proposed investment action is unsuitable and no suitable alternatives are available through the firm, the firm should recommend that the client not make the investment.

D. COMPLIANCE SYSTEM AND TRAINING (Section 11.1 of NI 31-103, IDPC Rule 1407 and 3904, MFD Rule 1.2.4(1), MFD Rule 2.5.1, and MFD Rule2.10)

Section 11.1 of NI 31-103 (IDPC Rule 3904, MFD Rule 2.5.1 and 2.10)) requires firms to establish, maintain and apply policies and procedures that establish a system of controls and supervision sufficient to provide reasonable assurance that the firm and each individual acting on its behalf complies with securities legislation, including KYC, KYP and suitability determination requirements. In addition, subsection 11.1(2) of NI 31-103 (IDPC Rule 1407, MFD Rule 1.2.4(1)) explicitly requires registered firms to provide training to their registered individuals on compliance with securities legislation, including KYC, KYP and suitability determination obligations.

In our reviews, Staff identified issues with respect to the KYC, KYP and suitability determination policies and procedures of many firms. Staff also identified various issues related to training.

1. Policies and procedures (Subsection 11.1(1) of NI 31-103, IDPC Rule 3904(1) and (2), MFD Rule 2.5.1 and 2.10)

(a) Issues identified

Issues identified with KYC, KYP and suitability determination policies and procedures included the following:

• Outdated policies and procedures – Some firms’ policies and procedures had not been updated to reflect the new requirements under the CFRs.
• Policies and procedures not sufficiently tailored or detailed – Some firms’ policies and procedures were generic in nature and not tailored to their operations and lacked sufficient detail to enable individual registrants to understand their responsibilities. In some cases, firms’ policies and procedures simply repeated the rule requirements without any detail regarding how compliance is to be achieved at the specific firm and what level of documentation is required to provide evidence of compliance.

(b) Guidance

Firms’ policies and procedures should be comprehensive, up to date to reflect regulatory requirements, and tailored to their businesses. Policies and procedures that are intended to reflect the new KYC, KYP and suitability determination requirements under the CFRs should, at a minimum, cover the following areas:

KYC:

• how KYC information (including personal circumstances, financial circumstances, investment needs and objectives, investment knowledge, risk profile and investment time horizon) is collected for clients and how the registrant ensures a meaningful interaction with clients;
• the appropriate depth of KYC information that must be collected given the firm’s business model, including the nature of the firm’s relationships with its clients and the securities and services it offers;
• how to ensure that sufficient financial circumstances information is collected, including a client’s:
  • annual income,
  • liquidity needs,
  • financial assets,
  • net worth, and
  • whether the client is using leverage
• when distributing prospectus-exempt securities, the inquiries to be made and information to be documented relating to other exempt market investments held by the client;
• the process to determine the client’s risk profile, including the process to obtain and confirm information from the client relating to both the client’s risk tolerance and risk capacity, and how to resolve any potential conflicts between these elements when determining the client’s risk profile;
• the process to have clients confirm the accuracy of all KYC information within a reasonable time after collecting the information;
• the process for reviewing clients’ KYC information, including a process to ensure that any inconsistency in KYC information collected is identified and resolved, and a process to ensure that any inconsistencies between a client’s KYC information and information documented in client agreements or investment policy statements are identified and resolved;
• the process for keeping KYC information collected current, including:
  • the process to ensure periodic updates to KYC information are completed as required,
  • describing what the registrant considers to be a significant change to client KYC information, and the process for updating the information within a reasonable time after the registrant becomes aware of a significant change, and
  • setting out how KYC updates must be documented including the level of detail required and client confirmation of updated information.

KYP:

• the aspects of the firm’s KYP process that are to be carried out by the firm and registered individuals, respectively; all processes used by the firm should be clearly described (e.g., if a firm uses centralized groups or automated systems to assist with aspects of its KYP obligations, the process followed should be set out in detail) and the individuals who are responsible for carrying out and supervising each process should be clearly identified;
• how the relevant aspects of the securities will be assessed, including:
  • the structure, features and risks of the security, including the complexity of the security,
  • the initial and ongoing costs of the security, and the impact of those costs,
  • the parties involved in the security (e.g., management of the issuer, portfolio manager, product manufacturer, guarantors or significant counterparties), and
  • whether there are any conflicts of interest inherent in the security (e.g., arising from compensation structure, related party issues or other factors);
• if the firm’s KYP assessment varies for different types of securities or asset classes based on, for example, complexity, a clear and specific description as to what aspects are relevant for the different types of securities when performing the assessment;
• the process to perform KYP on model portfolios offered by the firm and the specific responsibilities of registered individuals in respect of KYP (i.e., performing KYP at the model portfolio level versus at the level of individual securities in the model portfolio), where applicable;
• if the reasonable range of alternatives for securities are identified and assessed during the KYP process, a clear description of the firm level process, as well as the process for documenting this and how it is incorporated into the suitability determination process;
• the approval process for the securities (or model portfolios, where applicable) to be made available to clients including specifying who is authorized to provide the approval and how evidence of approval will be maintained;
• a description of what the firm considers to be a significant KYP change to the securities that are made available to clients;
• the process to monitor the securities that are made available to clients for significant changes, including the frequency for monitoring and the criteria for revisiting the approval of the securities where appropriate;
• the process to notify registered individuals of any significant KYP change to a security so that the individuals can reassess their suitability determinations for client accounts as may be required;
• the process to ensure all registered individuals understand the relevant aspects of the securities made available to clients prior to purchasing, selling or recommending those securities to clients, including any necessary training for registered individuals;
• the books and records the firm must maintain to demonstrate compliance with KYP obligations, as well as the records registered individuals are expected to maintain to demonstrate compliance with their own KYP obligations;
• the process for assessing securities transferred into the firm from another registrant, as well as those that are a result of a client directed trade, within a reasonable time after the transfer or trade.

Suitability determinations:

• the basis upon which the firm makes a suitability determination for investment actions taken for clients, including when it is performed and criteria used;
• a description of how the necessary criteria are considered when making a suitability determination, including:
  • the KYC information collected, ensuring that it is sufficiently up to date,
  • the registrant’s KYP assessment or understanding of the security,
  • the process for assessing the potential impact of the investment action on the client’s account, including the concentration and liquidity in an account, and any concentration and liquidity thresholds used by the registrant,
  • the process for assessing the potential and actual impact of costs of the investment action on the client’s return on investment,
  • the process for considering a reasonable range of alternative actions available to the registrant through the firm,
  • the process to ensure that all accounts of a client at the registrant are considered when making a suitability determination (e.g., in respect of concentration and liquidity);
• a description of how the registrant puts the client’s interest first when making a suitability determination, including the process to consider whether a recommendation or decision for a client account would materially affect the concentration and liquidity of the client’s investments across all of the client’s accounts held at the firm, as applicable;
• triggering events that require the registrant to reassess suitability for a client;
• records to be maintained when documenting suitability determinations (including any periodic reassessments) including records of key assumptions, scope of data considered, and analysis performed before making a suitability determination;
• supervision of the suitability determination process to ensure that it is being consistently applied across the firm including, if applicable, a process to periodically review client files or a reasonable sample of client files;
• process to follow when a client directed trade is requested, including when the registrant has determined that the trade is unsuitable and/or does not put the client’s interest first.

2. Training (Subsection 11.1(2) of NI 31-103, IDPC Rule 1407 and 3904(3), MFD Rule 1.2.4(1))

(a) Issues identified

Staff identified the following issues in firms’ training programs in relation to KYC, KYP and suitability determination requirements:

• Inadequate training – For some firms, the training provided was not comprehensive and did not cover key components of KYC, KYP and suitability determination requirements and the firms’ processes to ensure compliance. For example, the following topics were frequently not addressed in training materials:
  • KYC
    • the appropriate level of KYC information to be collected
    • the frequency and procedures for KYC updates, including when there is a significant change
    • what constitutes a significant change to a client’s KYC information
    • how to determine a client’s risk profile, including how to collect and assess both risk tolerance and risk capacity information from clients
    • how to obtain clients’ confirmation of KYC information
  • KYP
    • how to assess key features of securities
    • where appropriate (e.g., for new or complex products), detailed security specific training that enables registered individuals to discharge their individual KYP obligations
    • the requirement to assess and understand securities transferred in
  • Suitability determinations
    • the factors that need to be considered to determine suitability and how to assess suitability
    • what types of changes to client KYC information require a suitability reassessment
    • what types of KYP changes to securities in the account require a suitability reassessment
    • when periodic suitability determinations are required
    • the need to perform a suitability determination on a client directed trade regardless of the value or frequency of the trade,
    • examples of what it means to put a client’s interest first when determining suitability
    • how to document suitability determinations
• Inadequate training from service providers – Some firms relied on third-party service providers to provide training; however, in some cases, the third-party training was found to be insufficient (i.e., did not cover all key components of KYC, KYP and suitability determination requirements and processes to ensure compliance), inaccurate or not tailored to the firm’s operations.
• Training not provided to all registered individuals - For some firms, no training was provided to registered individuals who deal only with institutional clients.
• Training was optional – For some firms, the training sessions provided on KYC, KYP and suitability determinations were optional and the firm did not ensure that all its registered individuals received the required training.
• Inadequate evidence that training occurred – In some cases, although firms represented to Staff that training was provided, there was no or inadequate documentation maintained to evidence the content of training and that the training was provided.
• Inadequate evidence of attendance or completion – In some cases, although there was evidence that firms provided training, there was no documentation maintained to evidence that each of the firm’s registered individuals had completed the training.

(b) Guidance

To comply with the requirements in subsection 11.1(2) of NI 31-103 (IDPC Rule 1407 and 3904(3), MFD Rule 1.2.4(1)), training provided by a registered firm should be tailored to the firm’s operations and be appropriate for its size. Where the firm outsources its training program, the firm is responsible for assessing the adequacy of the third-party training provided, including ensuring that it is accurate, sufficient and tailored to the operations of the firm.

Training on KYC, KYP and suitability determination requirements, as well as other required training, should be comprehensive and cover all key elements of the requirements, with relevant examples where applicable. This training should be mandatory for all registered individuals, and firms should keep records of the training provided, including training content and attendance, to demonstrate that they have met the requirements.

Specific to KYP requirements, where new or complex securities are approved by firms to be made available to clients, firms should consider whether additional product specific training is necessary for registered individuals to reasonably understand the securities and make appropriate suitability determinations.

The firm should consider assessing whether its registered individuals understood the training. An effective practice observed in our reviews included firms that required a quiz to be completed by registered individuals at the end of the training, and a minimum mark (e.g., over 75%) on the quiz was required to evidence that the registered individual completed the training successfully.

NEXT STEPS

All registrants must have policies, procedures and systems that are appropriate to their business models to successfully comply with regulatory requirements. The observations and practices identified in this Notice are intended to provide additional Staff guidance on how we expect registrants to comply with the enhanced KYC, KYP and suitability determination requirements that came into effect as part of the CFRs, while keeping in mind efficiencies that may arise by registrants tailoring their processes to reflect their business models. Staff will continue to review and evaluate firms’ compliance with securities legislation, including all CFR requirements, during regular compliance examinations and will use all regulatory tools available to address any non-compliance or other issues identified.

The CFRs Implementation Committee was established in 2020 to consider operational challenges industry stakeholders were facing when implementing the CFRs. A list of questions received by the CFRs Implementation Committee and our responses can be found at CFRs FAQs. Registrants are encouraged to refer to this CFRs FAQs document for additional guidance on complying with the CFRs.

Joint CSA / CIRO Staff Notice 31-363 Client Focused Reforms: Review of Registrants’ Conflicts of Interest Practices and Additional Guidance can also be referred to for additional guidance on compliance with the conflicts of interest requirements that came into effect as part of the CFRs.

Firms can also keep up to date on regulatory developments by reviewing Staff notices and publications, participating in information outreach sessions organized by, and signing up for mailings from, the various CSA members and CIRO.

CSA and CIRO staff will continue to identify best practices for different regulatory platforms and business models as part of ongoing reviews, and additional guidance will be published where appropriate. CIRO, for its part, will be publishing further guidance on KYC, KYP and suitability, based not only on findings from examinations of CIRO member firms, but also to reflect the Consolidated Rulebook that will be published in the future.

QUESTIONS