Oversight Review Report of the Canadian Investment Regulatory Organization
Issued: March 28, 2024
Table of Contents I. Executive Summary ................................................................................................ 1 II. Introduction ............................................................................................................... 2 A. Background ........................................................................................................ 2 B. Objectives ........................................................................................................... 2 III. Risk Assessment and Oversight Review ............................................................. 3 A. Corporate Governance ..................................................................................... 3 B. Trading Review and Analysis (TR&A) ........................................................... 4 C. Financial & Operations Compliance (FinOps) and Financial Compliance 5 IV. Findings .................................................................................................................... 6 A. Incomplete Policies and Procedures to Notify all Recognizing Regulators about Early Warning Letters Issued to Investment Dealer Members ....... 6 B. Inadequate Policies and Procedures to Designate Mutual Fund Dealer Members in Early Warning During Compliance Exams .............................. 7 APPENDIX A..................................................................................................................... 9 1. Methodology ....................................................................................................... 9 2. Report Format .................................................................................................... 9 3. Scope ................................................................................................................ 10 4. Priority of Findings .......................................................................................... 11 APPENDIX B................................................................................................................... 12 Applicable Regulatory Requirements and Functions ........................................... 12
Executive Summary
In accordance with their mandates under the securities legislation of their respective jurisdictions, the Recognizing Regulators 1 of the Canadian Investment Regulatory Organization (CIRO) have jointly completed an annual risk-based oversight review (the Review) that targeted specific processes within the following functional areas:
• Corporate Governance, • Trading Review and Analysis (TR&A), and • Financial & Operations Compliance (FinOps) and Financial Compliance.
Other than the findings noted below, staff of the Recognizing Regulators (Staff) did not identify concerns with CIRO meeting the relevant terms and conditions of the Recognizing Regulators’ recognition orders (the Recognition Orders) in the functional areas reviewed. Staff make no other comments or conclusions on CIRO operations or activities that are outside the scope of the Review.
As a result of the Review, Staff have identified two medium priority findings. 4 The first finding relates to incomplete written procedures in the FinOps department to notify all relevant Recognizing Regulators of early warning letters or capital deficiency letters sent to Dealer Members. The second finding relates to inadequate written policies and procedures in CIRO’s Financial Compliance department to designate Dealer Member firms into early warning when issues at the Dealer Member are identified during compliance examinations.
Staff require CIRO to resolve the findings and take specific and timely corrective action on the findings in accordance with the priority assigned to them. The findings are set out in part IV Findings of the report.
Staff have also set out certain other expectations regarding various practices and procedures carried out by CIRO across the functional areas reviewed. These expectations are identified for CIRO to take note of and use as a basis for seeking improvements going forward. The expectations are set out in part III Risk Assessment and Oversight Review of the report.
1 See part II Introduction, section A. Background of the report for the regulators that recognize CIRO. 2 See Appendix A, section 3 for a detailed description of the scope of the Review. 3 CIRO’s FinOps and Financial Compliance departments monitor the solvency of investment dealers and mutual fund dealers respectively and ensure that business activities are conducted within prescribed capital limits. 4 See Appendix A, section 4 for the criteria used to prioritize findings.
- 1 -
Lastly, Staff acknowledge that CIRO made sufficient progress in resolving the findings which were cited in previous oversight reports, and which were followed up by Staff prior to the Review.
II. Introduction A. Background CIRO is the national self-regulatory organization (SRO) that oversees all mutual fund dealers, investment dealers and trading activity on equity and debt marketplaces in Canada.
CIRO is recognized as an SRO by the Alberta Securities Commission; the Autorité des marchés financiers; the British Columbia Securities Commission; the Manitoba Securities Commission; the Financial and Consumer Services Commission of New Brunswick; the Office of the Superintendent of Securities, Digital Government and Service Newfoundland and Labrador; the Office of the Superintendent of Securities, Northwest Territories; the Nova Scotia Securities Commission; the Office of the Superintendent of Securities, Nunavut; the Ontario Securities Commission; the Prince Edward Island Office of the Superintendent of Securities; the Financial and Consumer Affairs Authority of Saskatchewan; and the Office of the Yukon Superintendent of Securities (collectively, the Recognizing Regulators). 5 CIRO’s head office is in Toronto with regional offices in Calgary, Montréal and Vancouver.
This report details the Review’s objectives and the key areas that formed the basis of the Review conducted by Staff. The period covered by the Review (the Review Period), methodology used, report format and scope are set out in Appendix A. A description of the applicable regulatory requirements and functional areas are set out in Appendix B.
B. Objectives The objectives of the Review were to evaluate whether selected regulatory processes were effective, efficient, and were applied consistently and fairly, and whether CIRO complied with the terms and conditions of the Recognition Orders.
5 The Recognizing Regulators recognized CIRO (formerly the New Self-Regulatory Organization of Canada) effective January 1, 2023. CIRO consolidates the functions previously performed by the Investment Industry Regulatory Organization of Canada (IIROC) and the Mutual Fund Dealers Association of Canada (MFDA).
- 2 -
III. Risk Assessment and Oversight Review A. Corporate Governance
As part of the annual risk assessment process, Corporate Governance was determined to be an area with a moderate adjusted risk score. In so determining, Staff identified the following areas that became the focus of the Review:
• CIRO’s communications, training and compensation structures in relation to its public interest mandate, • The development of diversity and inclusion policies and processes for CIRO’s Board of Directors’ (the Board) appointments, self-assessment and succession planning, and • The development of mandates for the Regional Councils and the National Council and mechanisms to provide advice or raise issues to the Board.
To ensure that CIRO has the applicable controls in place, Staff reviewed: Public interest mandate • CIRO’s communications with stakeholders that inform stakeholders of CIRO’s public interest mandate and corporate governance structure, • training materials provided to the Board, senior management, and staff in interpreting CIRO's public interest mandate, and • CIRO Executive Officers and senior management’s compensation structure and its link to the effective delivery of CIRO's public interest mandate.
Board appointments and self-assessment • CIRO’s progress in developing, maintaining and complying with diversity and inclusion policies, and • the processes and procedures relating to self-assessment and succession planning of the Board and various Board committees.
Regional Councils and National Council • the transfer of regulatory decision-making functions from IIROC District Councils to CIRO, 6 • the mandates of CIRO’s Regional Councils and the National Council, and • the mechanisms for Regional Councils and National Council to provide advice or raise issues to the Board, executives and senior management.
6 In CSA Position Paper 25-404 New Self-Regulatory Organization Framework, one of the Improving Governance solutions relates to the “Transferring all current IIROC District Council regulatory decision-making functions to the board and staff of the New SRO. IIROC District Councils and MFDA Regional Councils will retain their advisory role with respect to regional issues, as well as the provision of regional perspective on national issues. This would involve ensuring an escalation mechanism within the New SRO as applicable.”
- 3 -
Based on the work performed, Staff are satisfied with CIRO’s progress in developing adequate processes in the Corporate Governance area and establishing Regional Councils and the National Council. Staff acknowledge that CIRO has held initial training sessions for the Board, executives, senior management, and staff, which have addressed the public interest guiding principles set out in the Recognition Orders. Staff expect CIRO to continue to provide appropriate training to employees and the Board, including the development of a broader training program directed at all aspects of the public interest mandate.
Respecting the Regional Councils and National Council, CIRO is on track and progressing in developing the mandates and mechanisms for Regional Councils and the National Council to provide advice and raise issues to the Board, executives and senior management. Staff expect that the process be clearly documented and written reports from Regional Councils or the National Council be provided to the Board.
Trading Review and Analysis (TR&A)
As part of the annual risk assessment process, TR&A was determined to be an area with a moderate adjusted risk score. In so determining, Staff identified the following areas that became the focus of the Review: • The criteria for referrals to the Recognizing Regulators and whether files were appropriately referred to all applicable Recognizing Regulators, and • The quality of referrals to the Recognizing Regulators.
To ensure that CIRO has the applicable controls in place, Staff reviewed and assessed: • the referral criteria, including any applicable policies, procedures, manuals, templates, etc. and determined whether these processes were sufficient and applied appropriately, and • the quality of referrals.
Based on the work performed, Staff identified opportunities to further enhance the existing TR&A processes for providing relevant information to the Recognizing Regulators. Staff expect CIRO to:
i) notify the relevant Recognizing Regulators of any reviews of alleged securities acts violations (e.g., insider trading, amongst others) that have reached the “Case” stage in a review’s lifecycle 7 on a monthly basis, and ii) provide the resulting case report in a timely manner upon request.
7 Other than those TR&A files that have been or are being referred to the relevant Recognizing Regulators or closed at an earlier stage in a review’s lifecycle.
- 4 -
TR&A’s written policies and procedures cover a range of referral scenarios at a general level and CIRO has processes in place to refer to the appropriate Recognizing Regulators allegations of potential securities legislation violations by non-registrants. However, Staff expect the written policies and procedures to be enhanced to include more details of those existing processes for referrals of non-registrants.
Financial & Operations Compliance (FinOps) and Financial Compliance
As part of the annual risk assessment process, FinOps and Financial Compliance were determined to be areas with a moderate adjusted risk score. In so determining, Staff identified the following areas that became the focus of the Review: • CIRO’s processes for designating or removing Dealer Member firms from early warning on a timely basis, and • CIRO’s use of discretion to designate or remove a Dealer Member firm from early warning.
To ensure that CIRO has the applicable controls in place, Staff reviewed: • the FinOps and Financial Compliance policies and procedures for reviewing Dealer Members’ financial filings, designating and removing Dealer Members from early warning, including on a timely basis as a result of issues identified during compliance examinations, • system generated reports used by FinOps and Financial Compliance to designate and remove Dealer Members from early warning, • early warning letters sent to Dealer Member firms as a result of issues identified during compliance examinations conducted by FinOps and Financial Compliance, and • FinOps and Financial Compliance staff’s use of discretion to designate or remove Dealer Members from early warning.
Based on the work performed, Staff are satisfied that CIRO has adequate processes and procedures in place in the identified areas, except for two medium priority findings set out in part IV Findings of the report.
- 5 -
IV. Findings A. Incomplete Policies and Procedures to Notify all Recognizing Regulators about Early Warning Letters Issued to Investment Dealer Members
CIRO has policies and procedures in place to notify relevant stakeholders when it issues an early warning or capital deficiency letter 8 to a Dealer Member. The Recognizing Regulators of the jurisdictions in which the Dealer Member is registered are to be notified when an early warning or capital deficiency letter is issued to the Dealer Member, however, the FinOps procedures did not require notification to all relevant Recognizing Regulators.
Staff reviewed a sample of early warning letters sent to Investment or Mutual Fund Dealer Member firms during the Review Period. Staff noted that not all relevant Recognizing Regulators were notified when CIRO issued early warning letters to Investment Dealer Member firms registered in those jurisdictions.
Staff acknowledge that after the Review, FinOps staff revised the relevant FinOps policies and procedures.
Why this is Important
Priority Requirement CIRO’s Response
Staff Comments and Follow-up
The Recognition Orders require CIRO to provide Recognizing Regulators with prompt notice and provide timely updates of situations that would result in material misstatement of the Dealer Member's financial statements or that would reasonably be expected to raise concerns about a Dealer Member's continued viability, including but not limited to, capital deficiency and early warning triggers. Recognizing Regulators that are not notified of early warning or capital deficiency letters sent by CIRO to Dealer Members may be unable to adequately perform regulatory oversight of CIRO and its Dealer Members.
Medium Please describe how CIRO will resolve the finding. We acknowledge the finding. We have updated our policies and procedures manual to include all required regulators to be notified.
Staff acknowledge CIRO’s response and note that the FinOps policies and procedures have been adequately updated to address the finding. Staff have no further comments.
8 Early warning and capital deficiency letters typically place restrictions on the Dealer Member to contain financial related concerns in accordance with CIRO rules.
- 6 -
Inadequate Policies and Procedures to Designate Mutual Fund Dealer Members in Early Warning During Compliance Exams
CIRO’s Financial Compliance department performs financial related compliance examinations of Mutual Fund Dealer Members. Financial Compliance has policies and procedures to use discretion 9 to designate a Dealer Member into early warning for, among others, financial or operational difficulties that may come to the attention of Financial Compliance staff and concerns with the completeness/accuracy of the Dealer Member’s books and records. However, as a result of Staff’s review, it was confirmed that Financial Compliance did not have written policies and procedures to designate a Dealer Member into early warning on a timely basis, if during compliance examinations:
a) Financial Compliance staff determine that the Dealer Member triggered an early warning test or is capital deficient,
b) Financial Compliance staff identify serious deficiencies in supervision or internal controls that may result in material misstatement of the Dealer Member's financial statements, or
c) the Dealer Member fails to promptly provide Financial Compliance staff with books and records to enable Financial Compliance staff to determine if the Dealer Member has triggered an early warning test or is capital deficient.
Staff reviewed two letters designating Dealer Members into early warning on a discretionary basis as a result of issues identified by Financial Compliance staff during compliance examinations. One of the letters designating the Dealer Member into early warning was issued to the firm several months after the end of fieldwork for the compliance examination as indicated by Financial Compliance records.
Staff acknowledge that after the Review, the relevant Financial Compliance written policies and procedures were updated to address this matter.
Why this is Important
Failure to designate a Dealer Member firm into early warning on a timely basis could exacerbate existing issues, could result in material financial loss to the Dealer Member or its clients and could give rise to compensation claims being made to the Canadian Investor Protection Fund (CIPF) in the event of an insolvency of the Dealer Member.
9 In accordance with MFD Rule 3.4.2(a)(v)
- 7 -
Priority Requirement CIRO’s Response
Staff Comments and Follow-up
Medium Please describe how CIRO will resolve the finding. We acknowledge the finding. We have updated our policies and procedures manual to provide additional guidance to staff.
Staff acknowledge CIRO’s response and note that the Financial Compliance policies and procedures have been adequately updated to address the finding. Staff have no further comments.
- 8 -
1. Methodology The Recognizing Regulators have adopted a risk-based methodology to determine the scope of the Review. On an annual basis, the Recognizing Regulators: • Identify the key inherent risks 10 of each functional area or key process based on: o reviews of internal CIRO documentation (including management self-assessments and risk assessments), o information received from CIRO in the ordinary course of oversight activities (e.g., periodic filings and discussions with Staff), o the extent and prioritization of findings from the prior oversight review, and o the impact of significant events in or changes to markets and participants to a particular area. • Evaluate known controls for each functional area, • Consider relevant situational/external factors and the impact of enterprise-wide risks on CIRO as a whole or on multiple departments, • Assign an initial overall risk score for each functional area, • Identify and assess the effectiveness of other mitigating controls that may be in place in specific functional areas, • Assign an adjusted overall risk score for each area, and • Use the adjusted risk scores to determine the scope of the Review.
Once the scope of the Review is determined, Staff conduct the Review which involves reviewing specific documents pertaining to the Review Period and interviewing appropriate CIRO staff in order to: • Confirm that mitigating controls were in place for the key inherent risks identified, and • Assess the adequacy and efficacy of those mitigating controls.
2. Report Format In keeping with a risk-based approach, this report focuses on three functional areas and key processes that were deemed warranted to be part of the Review.
10 Inherent risk is the assessed level of the unrealized potential risk, taking into account the likelihood of and impact if the risk was realized prior to the application of any mitigating controls.
- 9 -
3. Scope There were no functional areas identified as above average or high risk. Considering the timing of prior oversight reviews and the recent amalgamation of IIROC and the MFDA to create CIRO, Staff utilized the risk assessment process to identify specific processes and activities within the following moderate risk areas as the focus for the Review:
Moderate • Corporate Governance • TR&A • FinOps and Financial Compliance
The Review Period for the three functional areas was: • Corporate Governance - January 1, 2023 to July 31, 2023 • TR&A - April 1, 2018 to July 31, 2023 • FinOps and Financial Compliance: o FinOps - September 1, 2017 to July 31, 2023 o Financial Compliance - February 1, 2017 to July 31, 2023
Also, through the risk assessment process, Staff determined that the following moderate and low risk areas would not be examined during the Review: 11
Moderate • Business Conduct Compliance (BCC)/Sales Compliance 12 • Debt Market Surveillance • Equity Market Surveillance • Enforcement • Information Technology • Membership Intake, Registration, and Member Services & Innovation • Office of the Investor • Policy • Trading Conduct Compliance
Low • Data Analytics • Risk Management • Financial & Project Management
11 These areas continue to be subject to oversight by the Recognizing Regulators through ongoing mandatory reporting by CIRO as required by the Recognition Orders, as well as regularly scheduled and ad hoc meetings between the Recognizing Regulators and CIRO staff. 12 CIRO’s BCC and Sales Compliance departments monitor business conduct related activities of investment dealers and mutual fund dealers respectively and their registered individuals.
- 10 -
Staff prioritize findings into High, Medium and Low, based on the following criteria:
High
Staff identify an issue that, if unresolved, will result in CIRO not meeting its mandate, or one or more of the terms and conditions of the Recognition Orders, or other applicable regulatory requirements. CIRO must immediately put in place an action plan (with any supporting documentation) and timelines for addressing the findings that are acceptable to Staff. If necessary, compensating controls should be implemented before the finding is resolved. CIRO must report regularly to Staff on its progress.
Medium Staff identify an issue that, if unresolved, has the potential to result in an inconsistency with CIRO’s mandate, or with one or more of the terms and conditions of the Recognition Orders, or with other applicable regulatory requirements. CIRO must put in place an action plan (with any supporting documentation) and timelines for addressing the findings that are acceptable to Staff. If necessary, compensating controls should be implemented before the finding is resolved. CIRO must report regularly to Staff on its progress.
Low
Staff identify an issue requiring improvement in CIRO’s processes or controls and raise the issue for resolution by CIRO’s management.
Repeat A finding that was previously identified by Staff and not resolved by Finding CIRO is categorized as a repeat finding in the report and may require that the level of priority be raised from the initial level noted in the previous report.
- 11 -
APPENDIX B Applicable Regulatory Requirements and Functions
Corporate Governance Term & Condition 4(1) of the Recognition Orders states that CIRO must act in the public interest. In ensuring it meets the public interest mandate, CIRO must:
(a) articulate in its constating documents and inform its stakeholders, and the public in general, of its public interest mandate
(b) take reasonable steps to ensure that appropriate training is provided to its Directors, Board committee members, senior management, and staff in interpreting CIRO's public interest mandate, and
(c) ensure that the compensation structure of its Executive Officers and senior management is appropriately linked to the effective delivery of CIRO's public interest mandate.
Term & Condition 10(1)(d) of the Recognition Orders states that CIRO must ensure that it maintains appropriate term limits for the Board.
Term & Condition 10(1)(e) of the Recognition Orders states that CIRO must ensure that it develops, maintains and complies with diversity and inclusion policies.
Term & Condition 10(3) of the Recognition Orders states that CIRO will establish Regional Councils according to its by-laws. The Regional Councils will serve an advisory role to CIRO to provide regional perspective on national or any other issues. CIRO will allocate sufficient resources to the Regional Councils to ensure they can meaningfully fulfil their responsibilities. The Regional Councils will report to the Board at least annually.
Term & Condition 15(4) of the Recognition Orders states that CIRO, through its directors, officers and employees, must be responsible for all membership matters while giving consideration to any regional issues raised by the Regional Councils on an advisory basis.
Term & Condition 21(2) of the Québec Recognition Order states that the Québec Chapter maintains a place of business in Québec and any decisions regarding the supervision of its self-regulatory activities and Quebec Dealer Members, Member Markets and Authorized Persons are made primarily by persons residing in Quebec.
Subsection 1(1) of Schedule 1 Criteria for Recognition of the Recognition Orders provides public interest guiding principles.
- 12 -
Section 13 of Schedule 1 Criteria for Recognition of the Recognition Orders states that the constituting documents, by-laws and Rules of CIRO must allow that the power to make decisions relating to the supervision of its activities in Québec will be exercised mainly by persons residing in Québec.
CIRO’s Corporate Secretary Office is responsible for providing corporate secretarial services to the Board and to the committees of the Board. The Corporate Secretary Office supports the Board and Board committees in ensuring that the governance framework for CIRO operates effectively and efficiently and complies with the Terms and Conditions and Criteria for Recognition in the Recognition Orders.
TR&A Term & Condition 15(2) of the Recognition Orders states that CIRO must administer and monitor compliance with both the applicable Rules and Canadian securities legislation by Members and others subject to its jurisdiction and enforce compliance with the Rules by Dealer Members, including alternative trading systems, and others subject to its jurisdiction.
Term & Condition 15(3) of the Recognition Orders states that in its capacity as a regulation services provider, CIRO must administer, monitor and/or enforce rules pursuant to a regulation services agreement.
Term and Condition 15(11) of the Recognition Orders requires CIRO provide to the Commission any data, information or records concerning marketplace activity in order, among other things, to facilitate the efficient identification and analysis of market misconduct and improvement of the insight into Canadian capital markets and market structures.
TR&A conducts trade analysis and preliminary investigations to ensure that trading on all Canadian marketplaces is carried out in accordance with Universal Market Integrity Rules (UMIR) and applicable provincial securities law.
TR&A has two main responsibilities: 1. To conduct preliminary investigations of potential violations of UMIR. 2. To conduct post-trade surveillance of the Canadian equity markets.
FinOps and Financial Compliance Term & Condition 15(2) of the Recognition Orders states CIRO must administer and monitor compliance with both the applicable Rules and Canadian securities legislation by members and others subject to its jurisdiction and enforce compliance with the Rules by Dealer Members.
- 13 -
Paragraph 1(1)(l) of Schedule 1 Criteria for Recognition of the Recognition Orders states CIRO must act in the public interest by administering robust compliance and enforcement processes.
Paragraph 3(1)(h) of Schedule 2 Reporting Requirements of the Recognition Orders requires CIRO provide Recognizing Regulators with prompt notice and provide timely updates of actual or apparent misconduct or non-compliance by Dealer Members, Approved Persons, marketplace participants, or others, where investors, clients, creditors, Members, CIPF or CIRO may reasonably be expected to suffer material damage as a consequence thereof, including but not limited to: • where there is an inadequate compliance system or the Ultimate Designated Person or Chief Compliance Officer fail to perform their responsibilities, or • where serious deficiencies in supervision or internal controls exist.
Paragraph 3(1)(i) of Schedule 2 Reporting Requirements of the Recognition Orders requires CIRO provide Recognizing Regulators with prompt notice and provide timely updates of situations that would result in material misstatement of the Dealer Member's financial statements or that would reasonably be expected to raise concerns about a Dealer Member's continued viability, including but not limited to, capital deficiency, early warning, and any condition which, in the opinion of CIRO, could give rise to payments being made out of CIPF, including any condition which, alone or together with other conditions, could, if appropriate corrective action is not taken, reasonably be expected to: • inhibit the Dealer Member from promptly completing securities transactions, promptly segregating clients' securities as required or promptly discharging its responsibilities to clients, other members, or creditors, or • result in material financial loss to the Dealer Member or its clients.
Paragraph 3(1)(j) of Schedule 2 Reporting Requirements of the Recognition Orders requires CIRO to provide Recognizing Regulators with prompt notice and provide timely updates of any action taken by CIRO with respect to a Dealer Member in financial difficulty.
The role of FinOps and Financial Compliance is to assess whether Dealer Members (Investment Dealers and Mutual Fund Dealers, respectively) have enough capital for the type and scope of their business activities. FinOps and Financial Compliance monitors Dealer Members for compliance with CIRO’s financial requirements in the Investment Dealer and Partially Consolidated Rules and the Mutual Fund Dealer Rules to reduce the possibility of financial failure due to excessive leverage or risky business practices.
- 14 -
The main elements of FinOps and Financial Compliance’s work are: 1. Review of Dealer Members’ financial regulatory filings 2. Conducting financial compliance examinations of Dealer Members 3. Review of audit working papers of Dealer Members’ auditors
- 15 -