Oversight Review Report of the Investment Industry Regulatory Organization of Canada

Issued: April 26, 2018



I.           Executive Summary

 

In accordance with their mandates under the securities legislation of their respective jurisdictions, the Recognizing Regulators[1] of the Investment Industry Regulatory Organization of Canada (IIROC) have jointly completed an annual risk-based oversight review (the Review) that targeted specific processes within the following functional areas:[2]

 

  • Financial and Operations Compliance
  • Corporate Governance
  • Risk Management
  • Financial Operations

 

Other than the findings noted below, staff of the Recognizing Regulators (Staff) did not identify concerns with IIROC meeting the relevant terms and conditions of the Recognizing Regulators’ recognition orders (the Recognition Orders) in the functional areas reviewed. Staff make no other comments or conclusions on IIROC operations or activities that are outside the scope of the Review.

 

As a result of the Review, Staff have identified one finding which applies to all of their respective jurisdictions and one Québec-specific finding.

 

The first finding relates to the incomplete internal approval process pertaining to the documentation used by IIROC to authorize the use of monies from its restricted fund.[3] The second finding relates to the lack of written procedures used to monitor compliance with legal requirements of general application in Québec. The first finding has been prioritized as Medium while the second finding has been prioritized as Low.[4]

 

Staff require IIROC to resolve the findings and will continue to monitor and follow up on IIROC’s progress in taking specific and timely corrective action on the findings in accordance with the priority assigned to them. The findings are set out in the Findings section of the report.

 

Staff have also set out certain other expectations in regard to various practices and procedures carried out by IIROC across the functional areas reviewed. These expectations are identified for IIROC to take note of and use as a basis for seeking improvements going forward. The expectations are set out in the Risk Assessment and Fieldwork section of the report.

 

Lastly, Staff acknowledge that IIROC has made sufficient progress in resolving the findings which were cited in previous oversight reports and which were followed up by Staff within the scope of the Review. All findings cited in the 2017 Oversight Report[5] that were not within the scope of the Review, primarily due to the time commitment required by IIROC to fully implement acceptable action plans, are being separately tracked by Staff. 

II.        Introduction

A.          Background

IIROC is the national self-regulatory organization (SRO) that oversees all investment dealers and trading activity on debt and equity marketplaces in Canada.    

 

IIROC is recognized as an SRO by the Alberta Securities Commission (ASC), the Autorité des marchés financiers (AMF), the British Columbia Securities Commission (BCSC), the Financial and Consumer Affairs Authority of Saskatchewan (FCAA), the Financial and Consumer Services Commission of New Brunswick (FCNB), the Manitoba Securities Commission (MSC), the Nova Scotia Securities Commission (NSSC), the Office of the Superintendent of Securities, Service Newfoundland and Labrador, the Ontario Securities Commission (OSC), and the Prince Edward Island Office of the Superintendent of Securities, collectively, the Recognizing Regulators. IIROC’s head office is in Toronto with regional offices in Montréal, Calgary and Vancouver.

 

The Review was conducted jointly by staff of the ASC, AMF, BCSC, FCAA, FCNB, MSC, NSSC and the OSC. The Review covered the period from August 1, 2016 to August 31, 2017 (the Review Period).

 

This report details the Review’s objectives, the fieldwork conducted by Staff, including the key inherent risks which informed it, and Staff’s findings. The methodology, report format, scope and an explanation of the priority of findings are set out in Appendix A. A description of the applicable regulatory requirements and functional areas is set out in Appendix B.

B.          Objectives

The objectives of the Review were to evaluate whether selected regulatory processes were effective, efficient, and were applied consistently and fairly, and whether IIROC complied with the terms and conditions of the Recognition Orders.

 

 

 

III.    Risk Assessment and Fieldwork

A.          Financial & Operations Compliance

 

 

As part of the annual risk assessment process, Financial & Operations Compliance (FinOps) was determined to be an area with an above average adjusted risk score.[6] In so determining, Staff identified the following key inherent risks[7] that were the focus of Staff’s on-site examination work:

 

  • Inadequate or incomplete resolutions to previously identified findings from the 2014 Oversight Report
  • Discretion inappropriately applied in connection with Member firms not being designated in Early Warning or non-imposition of Early Warning restrictions and reporting requirements
  • Untimely modifications to the departmental risk model which may result in inputs that do not adequately capture risks
  • Inappropriate deferral of examinations resulting in Member examinations not being aligned with their applicable risk rating
  • Inadequate FinOps Managers’ desk review and assessment of Members’ monthly financial reports (MFRs) which could increase the risk of Member insolvencies and claims to the Canadian Investor Protection Fund (CIPF)

 

To ensure that IIROC has controls in place to mitigate the key inherent risks identified, Staff focused the Review on:

  • Assessing whether the findings from the 2014 Oversight Report[8] had been adequately resolved
  • Assessing the adequacy of policies and procedures and file documentation relating to discretion applied by authorized FinOps senior management when imposing Early Warning designations, restrictions and reporting requirements[9]
  • Assessing the progress and timeliness of externally recommended modifications which are designed to enhance the effectiveness of the risk model
  • Assessing the adequacy of file documentation substantiating changes in examination schedules (e.g. deferring review of high risk Member firms) to ensure examinations are not deferred inappropriately resulting in examinations not being aligned with their applicable risk rating
  • Assessing the adequacy of FinOps Managers’ MFR review process and documentation to determine whether the risk of Member insolvencies and claims to the CIPF is adequately mitigated

 

In carrying out the above, Staff utilized the methodology set out in Appendix A.

 

Based on the work performed, Staff are satisfied that IIROC has adequate processes in place to mitigate the key inherent risks Staff identified.

 

Nevertheless, specific to IIROC’s Prairie Region Office (PRO), Staff noted that the average length of time taken to issue FinOps Member examination reports during the Review Period was almost twice as long as the time taken by the other IIROC offices. While Staff recognize that the PRO is making efforts to address this disparity, Staff expect the PRO to consider whether alternative measures should be adopted to ensure appropriate staffing levels are maintained and that the timing of issuing PRO FinOps Member examination reports is more consistent with other IIROC offices. 

 

 

B.          Risk Management

 

 

As part of the annual risk assessment process, Risk Management was determined to be an area with an above average adjusted risk score. In so determining, Staff identified the following key inherent risks that were the focus of Staff’s on-site examination work:

  • Inadequate or incomplete resolution to the previously identified finding from the 2014 Oversight Report
  • Ineffective processes and controls related to IIROC’s Enterprise Risk Management (ERM) program

 

To ensure that IIROC has controls in place to mitigate the key inherent risks identified, Staff focused the Review on:

  • Assessing whether the High priority finding cited in the 2014 Oversight Report had been adequately resolved
  • Evaluating the effectiveness of specific ERM processes and controls to ensure adequate performance of IIROC’s regulatory responsibilities, including:
      o   Risk Governance,
      o   Risk Strategy, and
      o   Risk Execution

 

In carrying out the above, Staff utilized the methodology set out in Appendix A.

 

Based on the work performed, Staff are satisfied that IIROC has adequate processes in place to mitigate the key inherent risks Staff identified.

 

Staff note that in one ERM working paper file (which reported on the adequacy of specific controls), the backup documentation to support IIROC staff’s conclusion that no exception had been found was not specifically maintained or referenced in the file. Although Staff acknowledge that the documentation was separately maintained and subsequently provided, going forward Staff expect IIROC staff to include or reference documentation in ERM working papers to fully substantiate their conclusions.

 

 

 

C.          Corporate Governance

 

 

As part of the annual risk assessment process, Corporate Governance was determined to be an area with a low adjusted risk score.  However, as Staff are required to examine each functional area at least once in a 5-year cycle, Staff ensured that mitigating controls were in place for the following key inherent risks:

  • Inadequate or incomplete resolutions to previously identified findings from the 2014 Oversight Report
  • Ineffective succession planning process for the Board of Directors (Board) and its committees
  • Inadequate processes and guidelines in place to ensure that Board members possess adequate skills and experience to fulfill IIROC’s mandate
  • Inadequate procedures and controls in place to ensure that fines and payments made under settlement agreements entered into by IIROC are used as prescribed by the terms and conditions of the Recognition Orders
  • Inadequate processes and guidelines to review and support Member exemption approvals
  • Ineffective procedures and controls related to the new process to address and respond to identified issues raised from Staff oversight reviews and other areas within IIROC

 

As a result, Staff’s on-site examination work focused on:

  • Assessing whether the Medium priority finding from the 2014 Oversight Report had been adequately resolved
  • Assessing and evaluating the effectiveness of specific processes, guidelines and controls pertaining to:
      o   Board and committee succession planning
      o   Board skills matrix and self-assessment
      o   the use of fines collected by IIROC as prescribed by the terms and conditions of the Recognition Orders
      o   granting exemptions from specific Dealer Member Rules (DMRs) or Universal Market Integrity Rules (UMIRs)
  • Assessing whether the new process to address and respond to identified issues raised from Staff oversight reviews and other areas within IIROC is adequate

 

In carrying out the above, Staff utilized the methodology set out in Appendix A.

 

Based on the work performed, Staff are satisfied that IIROC resolved the findings cited in the 2014 Oversight Report.

 

However, Staff’s review of the Corporate Governance area resulted in a Medium priority finding pertaining to the internal approval process for the use of monies from the restricted fund and a Low priority finding relating to a lack of written procedures to monitor compliance with legal requirements of general application in Québec.  They are both set out in the Findings section.

 

Regarding IIROC’s new process to identify and track the resolution of issues, going forward Staff expect IIROC’s General Counsel’s Office (GCO) to ensure that each business unit provides GCO with evidence of completion of remediation plans prior to notification of the completion being reported to applicable stakeholders. Furthermore, Staff expect IIROC to update its written procedures to ensure they remain consistent with actual practice.

 

Staff also acknowledge that IIROC has an adequate succession planning process for its Board. Going forward, Staff expect IIROC to develop applicable written procedures for the Board succession planning process.

Lastly, Staff expect IIROC to continue with the timely development of its new centralized tracking system for DMR exemptions.

 

 

D.         Financial Operations

 

 

As part of the annual risk assessment process, Financial Operations was determined to be an area with a moderate adjusted risk score. However, given that Staff are required to examine each functional area at least once in a 5-year cycle, Staff ensured that mitigating controls are in place for the following key identified risks:

 

  • Inadequate budgeting methodology
  • Inadequate communication and authorizations among financial staff and with the Board

 

As a result, Staff’s on-site examination work focused on:

 

  • Assessing the adequacy of budgeting methodology, especially in regard to budgeting for capital projects and operating revenue and expenses
  • Assessing the adequacy of communication and authorizations between financial staff and, ultimately, with the Board

 

In carrying out the above, Staff utilized the methodology set out in Appendix A.

 

Based on the work performed, Staff are satisfied that IIROC’s Finance Department has adequate processes in place to mitigate the key inherent risks Staff identified.

 

Staff noted that, for the FY2018 budget, IIROC used a mix of criteria from an internal document to evaluate, prioritize and approve capital expenditure projects. Going forward, Staff expect IIROC to clarify what specific criteria will be used. Furthermore, Staff expect IIROC to continue to review the relevance of the criteria on an annual basis and update them as needed.

 

Staff also noted that IIROC is currently developing a new post-completion review process to ensure consistent reviews of completed capital expenditure projects. Staff expect IIROC to complete and implement the new process on a timely basis.

 

 


 

IV.     Findings

A.          Incomplete Internal Approval Process Pertaining to the Documentation for Restricted Fund Proposals

 

 

IIROC must maintain a separate fund for fines collected and payments made under settlement agreements. This restricted fund may only be used for reasonable costs associated with the administration of hearing panels, the development of systems or other non-recurring capital expenditures that are necessary to address emerging regulatory issues, the education of securities market participants and members of the public, or other uses authorized under the Recognition Orders. The use of this restricted fund must be approved by IIROC’s Corporate Governance Committee (the CGC).

 

During the Review Period, IIROC management submitted a written proposal to the CGC recommending that the CGC approve funding from the restricted fund for a project. The written proposal stated that IIROC management believed the amount requested was an authorized expenditure under one of the categories listed in the Recognition Orders and referred the CGC to a business case which included information on current issues, challenges and impacts, as well as a description of the proposed solution and anticipated outcomes.

 

The written proposal and the business case did not specifically identify the information being relied upon to demonstrate how the project met the criterion in the Recognition Orders. Also, IIROC’s Restricted Fund Policy does not require IIROC management to provide a detailed analysis to the CGC when recommending the use of monies from the restricted fund.

 

Furthermore, contrary to IIROC’s Restricted Fund Policy which states that the process to allocate restricted funds should be available on the IIROC website, Staff were informed that the process had been inadvertently removed from IIROC’s website. Staff acknowledge that a copy of the Restricted Fund Policy was subsequently added to the IIROC website.

 

Why this is Important

IIROC could make an incorrect decision regarding the use of monies from the restricted fund if all the necessary documentation demonstrating why a project met the criterion in the Recognition Orders is not included within a funding proposal.

 

Priority

 

Medium

 

Requirement

 

Please describe the action plan that IIROC will take to address this finding, including a timeline for resolution.

 

IIROC’s Response

 

We acknowledge the finding and will ensure that each request for funding from the restricted fund clearly documents management’s analysis of the basis on which the proposed use meets the criteria for use of restricted funds, and the information being relied upon for that analysis.

 

We have amended the Restricted Fund Policy to require that requests for funding must detail the manner in which a proposed project complies with IIROC’s recognition orders.  The Corporate Governance Committee approved the amended Restricted Fund Policy in November 2017.

 

Staff Comments and Follow-up

Staff acknowledge IIROC’s response and are encouraged that the Restricted Fund Policy has already been amended to state that requests for funding must detail the manner in which they comply with the permitted uses set out in IIROC’s Recognition Orders. Accordingly, no further follow-up is required.

 

 

 

B.          Lack of Written Procedures – Québec Specific Requirement

 

 

During the Review, Staff inquired with IIROC’s GCO to understand the procedures in place to ensure that IIROC complied with legal requirements of general application in the province of Québec.[10]

 

Staff acknowledge that the risk of non-compliance with this requirement was identified by IIROC’s GCO and, as part of IIROC’s ERM process, was reported to the Finance, Audit and Risk Committee and ultimately to the Board both prior to and during the Review.

 

Furthermore, Staff confirmed with IIROC’s GCO that a number of procedures were being followed to mitigate the risk, such as:

 

  • IIROC GCO staff and lawyers from other departments subscribe to external feeds and receive external regulatory updates from law firms relating to changes to existing legal requirements or new requirements that could affect IIROC
  • GCO staff conduct environmental scans of legislation and regulatory updates
  • GCO staff consult with external counsel, on an “as needed” basis

Nevertheless, during the on-site examination portion of the Review, IIROC GCO staff confirmed that those procedures were not formally written.

 

Why this is Important

In the absence of written procedures, IIROC could incorrectly or inconsistently apply the controls it has in place to ensure it complies with legal requirements of general application in Québec.

 

Priority

 

Low

 

Requirement

Please describe how IIROC will resolve the finding. 

IIROC’s Response

 

We acknowledge the finding and have documented the steps that we follow to monitor changes to legal requirements of general application, including those in the province of Quebec.

 

Staff Comments and Follow-up

Staff acknowledge IIROC’s response and have no further comment.

 

 

 

 

 

 

 

 

 


 

APPENDIX A

 

1.           Methodology

The Recognizing Regulators have adopted a risk-based methodology to determine the scope of the Review. On an annual basis, the Recognizing Regulators:

  • Identify the key inherent risks[11] of each functional area or key process based on:
      o   reviews of internal IIROC documentation (including management self-assessments and risk assessments);
      o   information received from IIROC in the ordinary course of oversight activities (e.g. periodic filings, discussions with Staff);
      o   the extent and prioritization of findings from the prior oversight review; and
      o   the impact of significant events in or changes to markets and participants to a particular area
  • Evaluate known controls for each functional area
  • Consider relevant situational/external factors and the impact of enterprise wide risks on IIROC as a whole or on multiple departments
  • Assign an initial overall risk score for each functional area
  • Collaborate with IIROC to identify and assess the effectiveness of other mitigating controls that may be in place in specific functional areas
  • Assign an adjusted overall risk score for each area
  • Use the adjusted risk scores to determine the scope of the Review

 

Once the scope of the Review was determined, Staff conducted on-site examinations at IIROC’s Toronto, Montréal, Calgary and Vancouver offices. These on-site examinations involved reviewing specific documents pertaining to the Review Period and interviewing appropriate IIROC staff in order to:

 

  • Confirm that mitigating controls were in place for the key inherent risks identified, and
  • Assess the adequacy and efficacy of those mitigating controls

2.         Report Format

In keeping with a risk-based approach, this report focuses on those functional areas or key processes with findings that require corrective action.  While each finding may require an IIROC response and description of the corrective action to be taken, not all findings were made in each regional office where a particular IIROC functional area or process was sampled for testing.  However, as applicable, Staff require that IIROC take corrective action that will ensure nationwide consistency in IIROC’s approach.

3.         Scope

Considering the status of the resolution of findings from prior oversight reviews and the challenging issues that may impact IIROC, Staff utilized the risk assessment process to identify specific processes and activities within the following above average risk areas as the focus for the Review. There were no functional areas identified as High risk.

 

Above Average

  • Financial & Operations Compliance
  • Risk Management

 

However, as each functional area must be examined at least once in a 5-year cycle, the following Moderate and Low risk areas were included within the scope of the Review:

 

Moderate

  • Financial Operations

 

Low

  • Corporate Governance

 

Also, through the risk assessment process, Staff determined that the following Moderate and Low risk areas would not be examined during the Review:[12]

 

Moderate

  • Business Conduct Compliance
  • Enforcement
  • Information Technology
  • Equity Market Surveillance
  • Debt Market Surveillance
  • Policy
  • Trading Conduct Compliance
  • Trading Review & Analysis

 

Low

  • Membership & Registration

4.         Priority of Findings

Staff prioritize findings into High, Medium and Low, based on the following criteria:

 

High

Staff identify an issue that, if unresolved, will result in IIROC not meeting its mandate, or one or more of the terms and conditions of the Recognition Orders, or other applicable regulatory requirements. IIROC must immediately put in place an action plan (with any supporting documentation) and timelines for addressing the finding that are acceptable to Staff.  If necessary, compensating controls should be implemented before the finding is resolved. IIROC must report regularly to Staff on its progress.

Medium

Staff identify an issue that, if unresolved, has the potential to result in an inconsistency with IIROC’s mandate, or with one or more of the terms and conditions of the Recognition Orders, or with other applicable regulatory requirements.  IIROC must put in place an action plan (with any supporting documentation) and timelines for addressing the finding that are acceptable to Staff.  If necessary, compensating controls should be implemented before the finding is resolved.  IIROC must report regularly to Staff on its progress.

Low

Staff identify an issue requiring improvement in IIROC’s processes or controls and raise the issue for resolution by IIROC’s management. 

Repeat Finding

A finding that was previously identified by Staff and not resolved by IIROC will be categorized as a repeat finding in the report and may require that the level of priority be raised from the initial level noted in the previous report. 

 

 

 


 

APPENDIX B

Applicable Regulatory Requirements and Functions

 

Financial and Operations Compliance

 

Under Term & Condition 8(b) of the Recognition Orders, IIROC must administer and monitor compliance with securities laws and IIROC Rules by Dealer Members and others subject to its jurisdiction, including Alternative Trading Systems.

 

In order to ensure Member compliance with prudential requirements, IIROC’s FinOps staff are responsible for:

  • reviewing and analyzing Members’ financial filings to ensure each Member maintains and accurately reports adequate capital in accordance with IIROC Rules
  • conducting on-site financial examinations of Members
  • reviewing working paper files of the Members’ auditors

Corporate Governance

 

Term & Condition 3 and Criterion 1 of the Recognition Orders set out the specific requirements pertaining to the composition of IIROC’s Board. The composition of the Board, as well as the Board’s powers, and the powers and duties of directors and officers, is defined more specifically in IIROC’s By-law No. 1. In the province of Québec, Condition 13.j. of Appendix A of IIROC’s recognition order requires that IIROC must comply with all applicable laws in Québec.

 

IIROC aims to have governance practices that:

  • are commensurate with best practices and governance structures of Canadian public companies and public entities
  • promote the effective oversight of IIROC
  • ensure a fair, meaningful and diverse representation on the Board
  • result in a Board that is composed of representative individuals who are fit and proper

 

Furthermore, IIROC maintains a separate fund for fines collected and payments made under settlement agreements. This restricted fund may only be used for reasonable costs associated with the administration of hearing panels, the development of systems or other non-recurring capital expenditures that are necessary to address emerging regulatory issues, the education of securities market participants and members of the public, or other uses authorized under the Recognition Orders. The use of this restricted fund must be approved by IIROC’s CGC.

 

Risk Management

 

Under Term & Condition 11 (a) (ii) and Term & Condition 12 (f) of the Recognition Orders, IIROC is required to have controls in place to manage the risks associated with its operations, including an annual review of its contingency and business continuity plans; and to perform a self-assessment of its regulatory responsibilities.

 

In terms of IIROC’s risk management framework:

  • the Executive Management Team (CEO, SVPs, Regional VPs) is responsible for the identification of the principal risks of the organization’s business and ensuring that these risks are managed
  • the SVP, Finance & Administration is responsible for reporting on Risk Management to the Finance, Audit and Risk Committee (FAR)
  • the mandate of the FAR (as documented within the FAR Charter) includes assisting the Board in its oversight of IIROC’s processes relating to risk management and control systems
  • an annual Risk Management Report which summarizes a review of IIROC’s risks and outlines strategies to address those risks is presented to the Board
  • the approach used for the Risk Management Report includes internal and external risk categories, a likelihood assessment and an impact assessment

Financial Operations

 

Under Criterion 6 of the Recognition Orders, IIROC must have sufficient financial resources for the proper performance of its functional areas and to meet its responsibilities.

 

As part of its framework, IIROC:

  • has been set up as a not-for-profit corporation and manages its operations on a cost-recovery basis
  • has designated the Finance and Administration Department to monitor the financial operations and report to the FAR, which in turn reports to the Board on at least a quarterly basis
  • derives fees from Dealer and Marketplace Members as its key source of revenue
  • maintains various types of corporate insurance policies

 



[1] See Part II. Introduction, Section A. Background for the regulators that recognize IIROC

[2] See Appendix A, Section 3 for a detailed description of the scope for the Review

[3] The restricted fund is a fund administered by IIROC under the Recognition Orders and is explained in more detail in Appendix B Corporate Governance

[4] See Appendix A, Section 4 for the criteria used to prioritize findings

[5] Published on July 4, 2017

[6] See Appendix A, Section 1 for a detailed description of the risk-based methodology used in all functional areas

[7] See Appendix A, Section 1 for the methodology used to identify key inherent risks in all functional areas

[8] Published on December 4, 2014

[9] In accordance with IIROC Rule 30

[10] Condition 13.j. of Appendix A of Québec’s recognition order provides that IIROC must comply with all applicable laws in Québec

[11] Inherent risk is the assessed level of the unrealized potential risk, taking into account the likelihood of and impact if the risk was realized prior to the application of any mitigating controls.

[12] The areas continue to be subject to oversight by the Recognizing Regulators through ongoing mandatory reporting by IIROC as required by the Recognition Orders, as well as regularly scheduled and ad hoc meetings between the Recognizing Regulators and IIROC staff.
