High

The issue is significant or is a significant repeat finding. IIROC should take immediate corrective action and regularly report on its progress.

Medium

The issue is moderately significant. IIROC should resolve the issue within a reasonable timeframe and periodically report on its progress.

Low

The issue is less significant. Staff raise the issue with IIROC management for resolution.

Terms & Conditions 5 and 8 of the Recognition Order require IIROC to enforce compliance with its rules by Dealer Members, Alternative Trading Systems (ATSs), registrants and others subject to its jurisdiction. 

To meet its regulatory requirements, IIROC Enforcement staff are organized into the following groups:

o   case assessment

o   investigations

o   litigation

A group to handle client complaints and inquiries is separate from the Enforcement Department, although the Director of the group is also the Director of Case Assessment.

Enforcement staff are primarily responsible for:

• performing a preliminary assessment of case files
• investigating complaints or referrals about possible regulatory misconduct
• taking disciplinary action when misconduct has taken place

The 2014 oversight review identified three high priority findings (i.e. the number of Market conduct cases, the effectiveness of the investigative process and access to the new enforcement database).  Since then, many of the factors that increased risk to investors and impacted the integrity of capital markets persist.  Unsettled global economic conditions, stresses within specific sectors in Canada (e.g. oil and gas) and a low interest rate environment may distort asset prices while simultaneously contracting yields on many traditional product classes.  These types of difficult economic conditions may lead many investors and their advisors to use other products and trading strategies that carry risks that are not well understood and possibly unsuitable.  In this environment, IIROC must continue to allocate appropriate resources to ensure that Enforcement staff quickly yet prudently identify, investigate and prosecute cases of investor harm. 

As a result, Staff focused their review on:

• following up on the progress IIROC has made in addressing findings from the 2014 oversight report
• evaluating how IIROC identifies emerging trends and how they are integrated into the departmental processes
• reviewing how IIROC appoints staff to make decisions and to assess if the internal approval processes are appropriate and timely.

Staff reviewed the following documents:

• statistical data for and a sample of Member and Market conduct cases
• statistical data for and a sampling of hearing panel decisions
• a sample of case files referred from other departments
• an internal approvals list which documents who has authority for specific provisions within IIROC’s By-laws and Rules
• senior staff job descriptions
• policies and procedures manuals
• the Enforcement Case Management (ECM) reference guide

IIROC implemented procedures to better identify, monitor and resolve issues relating to the number of Market conduct cases finding as described in the 2014 oversight report.  However, Staff noted that other significant findings from the previous oversight review were not resolved. Those and other noted issues are detailed in the high and medium priority findings below.  Given the important role of the Enforcement department for investor protection, Staff will continue to monitor the level of Enforcement activities and assess trends as part of our ongoing oversight process.

(1) Finding – Managing ECM Access

IIROC did not restrict access to the case management database to manage potential conflict issues involving the system users, which include Enforcement and Compliance staff.  A similar finding was noted in the 2014 oversight report, and in its response IIROC noted that a business case was going to be made for the required changes to ECM as part of the capital budgeting process for the 2016 fiscal year.  However, IIROC did not approve and proceed with these changes in the 2016 fiscal year, or implement additional compensating controls to properly manage ECM user perceived or actual conflicts of interest.

Risk Implication

IIROC not implementing necessary compensating controls continues to enable users with a perceived or actual conflict of interest to have the opportunity to access information on ECM to their benefit.

Priority

High^[3]

Requirement

Please describe the plan for immediate corrective action that IIROC will take to address this significant repeat finding, including a timeline for resolution. 

IIROC’s Response

We acknowledge the finding. Our President & CEO has identified this initiative as a priority and we have budgeted for the changes noted in the finding. A renewed capital expenditure request for the fiscal year beginning April 1, 2016 will be submitted to the IIROC Board for approval. We would also like to note that timing for the changes to the ECM system are somewhat dependent on other system changes that must be completed before we will be able to proceed with these.

We would also like to note that although we did not change our database, we have implemented certain compensating controls in the interim that were described in the previous 2014 oversight report:

“In the interim [prior to the long term IT solution], we note that there are other measures in place to identify and manage potential staff conflicts.  Specifically, as per IIROC policy, a positive obligation is placed upon all employees to disclose all actual or potential conflicts to the organization on an ongoing basis, which is documented.  As such, Enforcement management are aware of any conflicts or potential conflicts specific to ongoing Enforcement files and take the necessary steps to properly manage these conflicts.”

Going forward, until the long term IT solution is in place, we will also remind staff that IIROC has the ability to track and report on historical access to files and to take action as necessary.

Staff Comments and Follow-up

Staff acknowledge IIROC’s response to address the matter.  In addition to obligating staff to disclose actual or potential conflicts, Staff continue to expect IIROC to take further necessary steps to properly manage ECM user perceived or actual conflicts of interest.

(2) Finding – Case File Standards

Staff reviewed a sample of case files from the Case Assessment and Investigation groups.  In some cases within the sampling, Staff noted that the required level of management review and approval was not consistently documented.  A similar finding was noted in the 2014 oversight report, and in its response IIROC recognized the need to improve documentation standards and noted that the new ECM system would address the issue.

Risk Implication

Staff continue to have concerns that the inconsistent application of file standards may not provide a proper level of assurance that the necessary approvals are in place.

Priority

High^[4]

Requirement

Please describe the plan for immediate corrective action that IIROC will take to address this significant repeat finding, including a timeline for resolution. 

IIROC’s Response

We acknowledge the finding. However, we would also like to note that the required level of management review and approval was obtained in all cases, although it was not consistently documented in ECM.

To resolve the issue, an IIROC staff working group was formed in July 2015 to address the issue of document management standards in ECM and SharePoint (the system used for electronic document management of Enforcement files). The objective is to provide clarity and consistency of procedures across the department and regional offices relating to electronic storage of file documents, including document naming conventions, and we expect to finalize the new protocol in January 2016 and to present it to staff in the latter half of February.  This timing is tied to expected upgrades to SharePoint.

Staff Comments and Follow-up

Staff acknowledge IIROC’s response to address the absence of documented approvals within the ECM system.  Going forward, Staff expect IIROC to monitor the effectiveness of the new protocol, and to take action as necessary.

(3) Finding – Written Policies and Procedures – Market Conduct Cases

Staff confirmed that at the case assessment level, there were no written policies and procedures pertaining to Market conduct case files.

Risk Implication

The lack of written policies and procedures may result in the ineffective or inconsistent treatment of case files.

Priority

Medium

Requirement

Please describe the action IIROC will take to address this matter, including a timeline for resolution.

IIROC’s Response

We acknowledge the finding. We would also like to note that within the Investigations section of the Enforcement manual, it does state that the Manager, Market Investigations shall conduct an initial review to determine whether an investigation is warranted.  Although this does not constitute comprehensive written policies and procedures, this effectively summarizes the case assessment function performed on market conduct case files.

To resolve the issue, Enforcement management recently conducted a review of this procedure and determined that, due to the initial assessment already conducted by IIROC’s Trading Review & Analysis team (TR&A), it was not necessary to conduct an initial case assessment within Enforcement for referrals received from TR&A.  Instead, TR&A will refer market conduct cases directly to Investigations.  This mirrors the process for referrals of member conduct cases from other IIROC supervisory departments to Investigations.

This new practice has already begun informally.

While the vast majority of market conduct cases are referred by TR&A, there are occasions where market referrals are received from sources both external and internal to IIROC. For internal referrals received from IIROC’s Trade Conduct Compliance department, those cases are directly sent to Investigations, whereby an investigation file is opened.  Again, this mirrors the process for referrals of member conduct cases from other IIROC supervisory departments. 

For referrals made by a provincial regulatory authority, those matters will be directly sent to Investigations.  For any other external referrals involving market issues, the Manager, Market Investigations will continue to conduct a preliminary case assessment and obtain the necessary supervisory review and management approval.  The process involved will generally adopt the framework set out in the Case Assessment Section of the Enforcement manual.  

All manual updates to reflect and clarify the above procedures will be completed by February 1, 2016.

Staff Comments and Follow-up

Staff acknowledge IIROC’s response and have no further comment.

(4) Finding – Supervisory Review and Approval

Staff noted that prior to January 2015 at the case assessment stage, IIROC did not require a Market conduct case manager to obtain a supervisory review and approval for Market conduct case files that were completed and self-assessed by the same manager. 

Risk Implication

The lack of an independent review mechanism may compromise file documentation standards and may result in the impartiality of the assessor being questioned.

Priority

Medium

Requirement

Please describe any further actions IIROC may take to resolve the issue.

IIROC’s Response

We acknowledge the finding. Given that TR&A will refer market conduct files directly to Investigations, a case assessment by or within Enforcement will no longer be necessary for these referrals, which comprise the vast majority of Enforcement’s market cases. In those limited circumstances where a preliminary assessment is still required, a supervisory review and management approval will be required. See response to item 3 above for further details. 

Staff Comments and Follow-up

Staff acknowledge IIROC’s response and have no further comment.

Under Term & Condition 11 of the Recognition Order, IIROC must ensure critical technology systems have appropriate (i) internal controls to ensure the integrity and security of information and (ii) capacity; as well as controls that manage the risks associated with its operations.

IIROC’s Information Technology (IT) department is responsible for the overall design, maintenance, delivery and security of technology related applications and systems required to support IIROC’s business operations and strategic goals.

With the growing complexity, integration and reliance on technological systems, IIROC like many other firms within the financial industry continues to face the challenge of retaining and allocating adequate resources to meet varied and increasing risks (e.g. cyber and information security).  This is an area of focus for IIROC in light of the loss of a portable device in early 2013 and the fact that the organization was still facing at the time of the review a potential class-action related lawsuit.  Subsequent to the end of the review period, the Quebec Court of Appeal dismissed the appeal of the Quebec Superior Court’s decision not to authorize the class-action.  However, IIROC was recently served with a motion to authorize a new class action lawsuit.

As a result of the above, Staff focused their review on:

• reviewing the information security policies and procedures in place and their dissemination across the organization
• assessing the design and integration of the IT Risk Register within the overall Enterprise Risk Management (ERM) framework
• evaluating key roles and responsibilities and staffing proficiencies and overall governance within the department
• reviewing IIROC’s progress on multiple IT related projects

Staff reviewed the following documents:

• information security policies and procedures and related training materials
• security plan progress reports
• the IT Risk Register
• the departmental organizational chart
• annual Information Security Report and other reports
• Board of Director (Board) and Finance Audit & Risk (FAR) Committee meeting minutes

Within the review period, Staff noted that IIROC hired a new Chief Information Officer (CIO) to oversee the IT department.  Staff also noted that during the review period  IIROC enhanced the IT Risk Register.  The register identifies relevant risks and mitigating controls and monitors the progress of applicable resolution plans to decrease IT risks to an acceptable level in keeping with IIROC’s new ERM framework.  However, as a result of our review, Staff identified the following medium priority findings.

(1) Finding – Information Security Implementation Plan – Board Oversight

Staff noted that a process to document a change resulting from a key Board decision related to information security and to report on the effectiveness of the change was not sufficient.

A progress plan was previously developed and approved for IIROC staff to track, manage and subsequently report to the Board on the resolution of key security risks identified on at least a quarterly basis.  After January 2015, these progress plan updates were not provided, although many projects approved by the Board in order to resolve the identified risks were not fully implemented. 

Staff were informed by IIROC senior management that because progress had been made on a majority of the projects, the Board agreed that further updates would be included in other operational reports provided by the FAR Committee or CIO, rather than through the specific security implementation progress plan.  Staff were also informed that in subsequent meetings, the Board had not objected to the change in reporting.  However, despite the importance of information security to the IIROC Board, the January 2015 Board meeting minutes did not reflect their intention to change the format and method to manage and report on the remaining projects.  Furthermore, the changes occurred even though some projects did not meet their targeted completion date as described in the last January 2015 progress plan update.

Risk Implication

Inadequate processes and documentation of Board decisions may lead to ineffective Board oversight and inconsistent implementation of Board decisions.

Priority

Medium

Requirement

Please describe the action IIROC will take to address this matter, including a timeline for resolution. 

IIROC’s Response

We acknowledge the finding. We would also like to note that although the format of a consolidated report was discontinued, the IIROC Board has, at all times, received comprehensive and timely information concerning the information security implementation plan. The information that has been provided to the Board since January 2015 on these important issues includes:

•      reports to the Finance, Audit and Risk Committee (“FAR”) from Information Security staff, which are then summarized and reported to the whole Board by the FAR Chair;

•      the FAR Chair’s update to the Board on the internal audit results relating to information security, which included a detailed summary of the report presented to FAR by the internal auditor;

•      regular status reports included in the quarterly operations report, which include a comprehensive list of policies developed in the period, updates on projects to implement operational changes, and training programs; and .

•      at the September 2015 Board meeting, the Board decided that, with respect to reporting on Information Security to the Board: (i) a dashboard of the information security report will be included with the quarterly FAR materials; (ii) a management report to FAR will be provided semi-annually; and (iii) the Board will receive the dashboard semi-annually unless additional reporting is necessary.

Going forward, the Board will continue to be kept fully apprised concerning the status of all ongoing projects and initiatives including, and in particular, those where target completion dates have been adjusted.  Furthermore, where the Board decides to change the type and/or frequency of reporting it receives on key matters, that decision will be documented in the applicable minutes.

Staff Comments and Follow-up

Staff acknowledge IIROC’s response and have no further comment.

(2) Finding – Required Competencies

Staff confirmed that adequate personnel proficiencies, abilities and / or expertise as at the end of the review period were not in place for the following:

• Vendor Management,
• Enterprise Architecture, and
• Project Management

Staff acknowledge that IIROC is currently evaluating these requirements, which were in part identified by IIROC as a result of an internal audit assessment. 

Risk Implication

Gaps in required competencies may result in IIROC not proactively addressing IT requirements, which may lead to an ineffective allocation of resources that could expose IIROC to unnecessary risks.

Priority

Medium

Requirement

Please describe the action IIROC will take to address this matter, including a timeline for resolution. 

IIROC’s Response

We acknowledge the finding. To resolve the issue, we have enhanced our internal expertise relating to vendor management, including the development and implementation of templates and other resources to standardize our procurement processes. These have already been used in a number of procurements to date.

We have also hired staff with specific expertise in several areas.  For example, we completed the recruitment for the position of Director, Enterprise Architecture in November 2015. We hired additional project managers in November 2015 for our Project Management Office and implemented enhanced project management processes to facilitate planning, improved project management and reporting.

Staff Comments and Follow-up

Staff acknowledge IIROC’s response and have no further comment.

(3) Finding – Information Security Policies, Procedures, Standards, and Guidelines (IS Policies)

Staff confirmed that written policies and procedures in place during the review period to provide guidance for the development and management of the specific IS Policies were not sufficiently comprehensive.  As a result, certain IS Policies available to IIROC employees as at the end of the review period were outdated.

Risk Implication

In many areas, IIROC staff may not have adequate guidance to effectively categorize and secure information.

Priority

Medium

Requirement

Please describe the action IIROC will take to address this matter, including a timeline for resolution. 

IIROC’s Response

We acknowledge the finding. However, we would also like to note that of our 11 information security policies, 9 were developed and implemented during the review period.  We acknowledge that the remaining two policies have not been updated: these will be updated in 2016, but, in the meantime, we believe the existing policies do not pose risks.  It should be noted that an internal audit conducted in December 2014 and January 2015 of our information security policies resulted in no high- or medium-priority findings.

As set out in all of the new policies, IIROC is committed to reviewing all information security policies at least once every two years to ensure they remain relevant and up to date.

We would also like to note that IIROC applies the ISO 27001 standard in developing its information security policies.  The requirements under the ISO standard are very detailed and we are committed to finalizing in 2016 a comprehensive written internal policy and procedures to create, review and approve such IS policies.  Furthermore, it has taken longer to revise and align some IIROC policies to these requirements, but we felt it was important to do it correctly and thoughtfully to ensure that we set and meet high standards. While this process has led to some inconsistencies between newer IIROC policies and those that were in place before work on the ISO standard commenced, we are confident that we have significantly enhanced our overall approach to information security. To avoid inadvertently creating gaps in policy coverage, we have kept older policies in place while we confirm that any potential gaps have been addressed.

Staff Comments and Follow-up

Staff acknowledge IIROC’s response and have no further comment.

Under Term & Condition 8(b) of the Recognition Order, IIROC must monitor compliance with its Rules and securities laws by Members and others subject to its jurisdiction, including ATSs.

Business Conduct Compliance (BCC) staff monitor Members’ compliance with all non-financial regulatory requirements.  For example, by way of on-site examinations, BCC staff assess Dealer Members’ compliance with requirements pertaining to the suitability of investments, account opening documentation, supervision of (i) advisors, (ii) other staff and (iii) business locations, personal trading and outside business activities.  Depending on a particular Dealer Member’s business model, BCC staff may also assess its corporate financing, proprietary trading and other firm specific activities.

The 2014 oversight review identified two high priority findings (inadequate resolution of Dealer Member report findings and no formal business location review policy).  Since then, economic conditions have continued to challenge Dealer Members and their advisors, potentially impacting the products and services offered to clients. As well, changing investor demographics, needs and expectations are in turn leading to domestic and possibly international changes in the regulatory landscape that may further challenge IIROC Members, and possibly the way IIROC regulates Members.

As a result, Staff focused their review on:

• following up on IIROC’s progress in resolving findings from the 2014 oversight report
• evaluating changes to the risk-based examination methodology
• assessing amended examination modules and specific procedures developed and implemented to integrate Phase 1 Client Relationship Model (CRM) requirements
• evaluating the departmental annual review of the criteria and components for the Member Information and Risk Assessment (MIRA) model
• reviewing how IIROC appoints staff to make decisions and to assess if the internal approval processes are appropriate and timely.

Staff reviewed the following documents:

• program module changes within the review period
• statistical data and a sampling of examination files
• policies and procedures manuals
• the internal approvals list
• senior staff job descriptions
• MIRA related information

Staff are satisfied that IIROC has made good progress in implementing suitability related examination procedures to resolve the findings as described in the 2014 oversight report, though further improvements to the BCC examination program are required (re:  finding 1 below).  Staff also noted another issue detailed in the second medium priority finding.

(1) Finding – Examination Procedures

Given the importance of suitability, Staff noted the following procedures were insufficient to direct BCC examiners to:

• review client managed accounts that are highly concentrated in particular issuers or industries for suitability, to

o       identify advisors recommending high risk products across client managed accounts when the Dealer Members’ policy and procedures for identifying, managing and monitoring sources of risk other than for investment funds were inadequate,

• determine if Dealer Members are establishing the suitability of positions held in a client’s managed account and if the managed account continues to be suitable for the client when certain triggering events occur,
• review whether Dealer Members’ supervisory regimes appropriately assess a client’s investment portfolio against the client’s risk profile and investment allocation parameters, and
• review know your client (KYC) information obtained by the Dealer Member when assessing whether a client qualifies as an accredited investor.

Risk Implication

Without clear and specific guidance and procedures in place, BCC staff may not consistently test or identify relevant issues. 

Priority

Medium

Requirement

Please describe the action IIROC will take to address this matter, including a timeline for resolution.

IIROC’s Response

We acknowledge the finding and fully support the points made in the Report regarding the importance of suitability. Suitability concerns have been and remain a focal point of our BCC examination processes. We have therefore made a number of changes to the BCC examination procedures to address the issues raised in the finding:

•      While testing for concentration in retail client advisory accounts has been a part of the compliance examination module for some time, we did not update the Managed Accounts examination module to test for concentration in issuers or industries. We have now updated our examination procedures and guidance to direct BCC examiners to consider for sample selection managed accounts that are highly concentrated (including particular issuers or industries) for suitability testing.

•      We have updated our examination procedures and guidance to direct BCC examiners to identify advisors recommending high risk products across client managed accounts when the Dealer Member’s policy and procedures for identifying, managing and monitoring sources of risk other than for investment funds are inadequate.

•      Our Retail Accounts examination module had already been updated to include the CRM suitability triggers prior to the review period.  We have now also updated our Managed Accounts examination module.

•      We test currently whether Dealer Members’ supervisory regimes appropriately assess a client’s investment portfolio against the client’s risk profile and investment allocation parameters. However, our focus has been on situations where the portfolio appears to be higher risk than the client’s risk profile. Where the portfolio holdings are significantly lower risk than the client’s risk profile, we will make further inquiries with the Dealer Member concerning the reasons for the variance and whether the client was informed of the variance.  Our exam procedures have been updated accordingly.

Lastly, we have changed the BCC procedures to ensure that we compare the subscription form against the NCAF when assessing whether a client qualifies as an accredited investor, rather than saying examiners should consider comparing the forms.

Staff Comments and Follow-up

Staff acknowledge IIROC’s response and have no further comment.

(2) Finding – Approvals List

IIROC maintains an approvals list which identifies internal authorities^[5].  Staff noted that:

• the process to approve and update the document of internal authorities on at least an annual basis was inadequate, and
• the process to delegate the specific powers and duties to vice-presidents and other officers was not necessarily followed in all cases. 

Consequently, Staff found evidence of inconsistencies between the internal document and actual BCC departmental practices in place.

Risk Implication

Certain BCC staff may not have the appropriate authority to grant approvals, which may expose IIROC to unintended risks, including the risk that the validity of a decision may be in question.

Priority

Medium

Requirement

Please describe the action IIROC will take to address this matter, including a timeline for resolution.

IIROC’s Response

We acknowledge the finding. We would also like to note that the list was developed by the General Counsel’s Office and approved by the President & CEO. The combined effect of IIROC’s General By-law and the terms of the President & CEO’s appointment** is that the President & CEO has plenary authority to manage the business and affairs of IIROC, including assigning duties to vice-presidents and other officers, within an organizational structure that establishes appropriate reporting and accountability.

Going forward, we will specifically evidence the President & CEO’s approval of the list, as it constitutes a delegation of powers and duties to the vice-presidents, other officers and staff members identified in the list.

As well, while we acknowledge that the approvals list was not updated as of December 31, 2014 according to our established annual schedule, upon updating the list in August, 2015 we determined that no changes were required.

With respect to BCC departmental practices, we have concluded that in the vast majority of instances where Corporation approval is required, such approval could be (and typically is) obtained at the time of a new membership application, or a change to a Dealer Member’s business model. It is the Vice President, BCC or Regional VP who signs off on new membership applications or changes to business models. In cases where deficiencies are found during a compliance review of a Dealer Member with respect to any of the topics listed on the approvals list, the examination report citing the deficiency is also reviewed and approved by the Vice President, BCC or Regional VP.

However, we have determined that in some instances, trade names submitted by Dealer Members under Dealer Member Rule 29.7A(9) were not approved by the relevant Vice President. We have revised our BCC procedures so that, going forward, approvals will be provided by the Vice President, BCC or Regional VP in all cases.

**Section 8.3 of the General By-law provides that “The Board shall appoint a President, who shall also be appointed as the chief executive officer.  The President shall have such powers and duties as the Board may specify.” Section 8.4 of the General By-law provides that a vice-president shall have such powers and duties as the Board or the President may specify, and Sections 8.5 and 8.6 are to identical effect with respect to the secretary and other officers. The terms of employment for IIROC’s President & CEO (as approved by the Board) include plenary responsibility for the management of the business and affairs of IIROC, and specifying the powers and duties of vice-presidents (including the Senior Vice Presidents), the secretary and other officers.

Staff Comments and Follow-up

Staff acknowledge IIROC’s response to address the matter.  Going forward, Staff expect IIROC to put in place a more formal process to manage the approval and update of the document, as well as the delegation of specific powers and duties.