Category: Cyber-security and Data Privacy

BLG’s Resource Corner

Our colleagues at BLG have provided the following insights we thought might interest our readers:

We hope you received your invitation to attend (either in person or virtually) BLG’s Investment Management Group annual fall educational seminar and reception. Amongst the BLG speakers, two AUM Law speakers will be participating: Bill Donegan will be presenting on the implications of the SRO consolidation expected next year, and Jason Streicher will be participating on a registrant regulation panel. We hope to see you at BLG’s House for some “Late Night Talking”!

For more information, please visit the BLG website or contact us for details on the seminar.

October 31, 2022

No Laughing Matter: OSFI Releases Final Guideline for Technology and Cyber Risk

The Office of the Superintendent of Financial Institutions (OSFI) has released its final Guideline B-13 Technology and Cyber Risk Management, which sets out OSFI’s expectations for federally regulated financial institutions (FRFIs) with respect to how they should manage technology and cyber risks. The guideline is organized into the following three parts: Governance and Risk Management; Technology Operations and Resilience; and Cyber Security.

The section on Governance and Risk Management covers topics such as expectations for the accountability and organizational structure regarding the management of technology and cyber risks by senior officers, the preparation of a strategic technology and cyber plan, and the establishment of a technology and cyber risk management framework. The section on Technology Operations and Resilience discusses the implementation of a technology architecture framework, maintaining an inventory of all technology assets supporting business processes or functions, and change and release management. With respect to Cyber Security, the Guideline references the importance of conducting intelligence-led threat assessment and testing, and ensuring FRFIs maintain situational awareness of the cyber threat landscape. Regular testing of employees to assess cyber threat awareness is also mentioned.

The Guideline will be effective for FRFIs as of January 1, 2024. For additional information and commentary, please see the article included in BLG’s Resource Corner below. While the Guideline does not apply to non-FRFIs, securities dealers and advisers may still find some of the recommendations for managing technology assets, as well as the guidelines for cyber security management, helpful.

August 17, 2022

No Interference – IIROC Sets Priorities for 2023

As we reported in our May 2022 Bulletin, the Canadian Securities Administrators (CSA) are consulting on the application to consolidate the Investment Industry Regulatory Organization of Canada (IIROC) with the Mutual Fund Dealers Association of Canada (MFDA) by the end of the year. Within the context of this transaction, IIROC released a notice summarizing the initiatives it intends to prioritize in the next year, which includes advancing commitments related to investor protection, supporting industry transformation, and working towards the closing of the amalgamation and creating a new, enhanced self-regulatory organization.

Amongst other activities relating to investor protection, IIROC is looking at the potential to return disgorged funds collected from disciplined firms and advisors to harmed investors and anticipates publishing a proposal later this year. A working group has also made recommendations on how to improve IIROC’s current arbitration program, and IIROC plans to seek stakeholder comments later this year on issues such as increasing the award limit and the publication of decisions. Staff are also continuing their review of order-execution-only services, particularly the point at which interrupted access would become an explicit investor protection issue. IIROC has paused its work on its Expert Investor Issues Panel in light of the new, proposed Investor Advisory Panel that will be established by the new SRO.

With respect to supporting industry innovation, IIROC created a new membership intake team to review new member applications (including with respect to crypto asset trading platforms) with the intent to increase review process efficiencies. IIROC has similarly created a compliance modernization group to look at ways to streamline activities across compliance teams. IIROC has also created cybersecurity self-assessment checklists for IIROC firms to assist them in building operational resilience.

Other previously announced priorities that IIROC will continue to work on include its derivatives rule reform, proposed competency profiles for supervisors, portfolio managers, associate portfolio managers and traders, and its EDI and Anti-Racism programs.

June 30, 2022

Make Time for IIROC’s Compliance Priorities Report

Earlier in March, the Investment Industry Regulatory Organization of Canada (IIROC) released its 2021/2022 Compliance Priorities Report, outlining its past actions and current issues that are impacting IIROC-regulated firms that should be a compliance focus for those firms in 2022. The report notes that these initiatives, including those related to cybersecurity, client focused reform sweeps and proficiency requirement updates, are in the context of the ongoing SRO consolidation with the Mutual Fund Dealers Association of Canada (MFDA), which is currently scheduled to occur by year-end.

In connection with the work of the Financial and Operations Compliance group (FinOps), the report noted that cybersecurity remains a key risk for all dealer firms and thus FinOps looks at how such risks are managed during regularly scheduled reviews. The importance of self-assessments is mentioned, as is the fact that IIROC has engaged Deloitte to create a cybersecurity self-assessment checklist for firms to assess their own risk and identify potential improvements. The reliance on technology and associated risks has also been incorporated into the FinOps risk model. It is noted that FinOps intends to review supply chain risks, and systemically important vendors to the industry, with a view to identifying and managing these risks.

The report indicates that IIROC, together with the Canadian Securities Administrators (CSA) and the MFDA, is conducting reviews to look for compliance with the new conflict of interest requirements that were enacted in connection with the client focused reforms back in June 2021. The stated objective of the review is to determine whether dealers have met the “spirit” of the new rules and implemented controls to address material conflicts in the best interest of clients (rather than relying on disclosure alone, which is not sufficient). IIROC (and, we suspect, the CSA) will focus next on KYC and suitability requirements. IIROC, along with the CSA, prohibits the use of a corporate officer title unless a person has been appointed as an officer pursuant to corporate law. In its reviews, the Business Conduct Compliance (BCC) group of IIROC will also look at the substance and nature of the relationship between an Approved Person and the dealer where the person uses a corporate officer title in dealing with clients, to ensure it is appropriate – such as whether the individual is really part of the mind and management of the dealer. In its exams, BCC staff will also assess compliance with the amended rules regarding older and vulnerable clients, which are intended to address issues of diminished mental capacity and/or financial exploitation of clients.

Dealers are required to have a supervisory framework to ensure management of all significant areas of risk within a firm. IIROC has existing guidance to help dealers with these policies and procedures, and it is expected to publish additional guidance shortly regarding the permitted delegation of executives’ responsibilities to manage these risks. IIROC will also be focusing on order-execution-only firms and any advertising done through social media platforms.

Finally, the report notes that IIROC is working on amendments to some of the registration and proficiency provisions within the IIROC rules, to clarify expectations. In addition, while draft competency profiles have been released for Directors, Executives, UDPs, CCOs and CFOs, IIROC is continuing to work on all other approved person categories (i.e. supervisors, associate PMs, PMs and traders). There is a lot for dealers to focus on in 2022, in addition to any forthcoming changes in advance of the SRO consolidation.

March 31, 2022

BLG’s Resource Corner

Our colleagues at Borden Ladner Gervais LLP publish a wealth of information every month. All are available on BLG’s website, under Insights. Some selected Insights published in June that may be of interest to you include a primer on M&A in Canada, an update on privacy legislation in Ontario and an article and webinar on the future of Ontario’s new iGaming markets. For more information, please visit the following links:

June 30, 2021

Social Media and Market Manipulation

In case you missed it, the Canadian Securities Administrators (CSA) and the Investment Industry Regulatory Organization of Canada (IIROC) published a joint statement on February 1, 2021, around the time when trading in GameStop Corp., AMC Entertainment Holdings Inc., BlackBerry Ltd. and other out-of-favour stocks was a hot topic. The CSA and IIROC stated that they were closely monitoring how extreme price movements of certain stocks were contributing to volatility in Canada’s capital markets.

Just prior to the CSA-IIROC joint statement, the U.S. Securities and Exchange Commission (SEC) published an investor alert on January 30, 2021 warning investors of the significant risks of short-term investing in individual stocks based on social media, especially in volatile markets, and provided tips for long-term investing. Shortly after, on February 11, the SEC suspended trading in one such stock, SpectraScience Inc., and on February 26 the SEC suspended trading in 15 more companies because of questionable trading and social media activity. At that time, the SEC stated that it was proactively monitoring for suspicious activity tied to stock promotions on social media and reminded investors to exercise caution before investing in companies promoted on social media.

All registrants should ensure that they have policies and procedures in place relating to the social media activity of their employees, in part to ensure that securities regulations are being followed and that social media posts are not used inappropriately. The use of social media by registrants was discussed in AUM Law’s Social Media FAQ. Other guidance on the use of social media can be found in CSA Staff Notice 33-321 Cyber Security and Social Media and CSA Staff Notice 31-325 Marketing Practices of Portfolio Managers.

Issuers should also be aware of Proposed BC Instrument 51-519 Promotional Activity Disclosure Requirements reported in our May 2021 AUM Law Bulletin that would provide investors with improved transparency about the source and reliability of promotional activity. This is a continuation of the trend of increasing regulatory scrutiny on all types of social media activity including promotional activity by issuers. See also CSA Staff Notice 51-348 Staff’s Review of Social Media Used by Reporting Issuers.

AUM Law offers a fixed-fee social media review module where we can review your use of social media including considerations around possible misuse. If you are interested in learning more about how to train your staff about the appropriate use of social media, AUM Law is here to help.

June 30, 2021

Government Introduces Bill Proposing Significant Changes to Federal Privacy Legislation

The Government of Canada has big plans for privacy protection in Canada. It has introduced the Digital Charter Implementation Act, a Bill that would enact a new private-sector privacy law called the Consumer Privacy Protection Act.

The effect of this new law would be to increase protections for Canadians’ personal information by giving them more control and greater transparency when companies handle their personal information.

For example, the new law would contain modernized meaningful consent rules regarding the use of personal information, data mobility rights to move personal information from one organization to another, the ability to have personal information disposed of and to withdraw consent to its use, and rules regarding the de-identification of information, among other changes.

The new law would also provide significant new consequences for non-compliance, including allowing the Privacy Commissioner to order an organization to comply with the law or to stop collecting or using personal information. It would also grant the Privacy Commissioner the ability to impose administrative monetary penalties of up to 3% of global revenue or $10 million on non-compliant organizations, and would provide for a maximum fine of 5% of global revenue or $25 million for certain serious contraventions of the law.

For now, you should stay tuned to the implementation of these changes and continue to treat personal information in your control carefully (of course).

December 11, 2020

Regulatory Highlights from 2020

How do you summarize a year like no other in history? Well, the shift to a remote work environment didn’t do much to slow our regulators who, along with the Canadian asset management industry, rose to meet the multi-faceted challenges presented by the COVID-19 pandemic.

A. Burden Reduction and Capital Markets Modernization Initiatives

Regulators moved forward with initiatives intended to reduce regulatory burdens and modernize the regulatory framework, including the following:

Crowdfunding: In February, the Canadian Securities Administrators (CSA) proposed a harmonized, start-up crowdfunding regime. In July, after the comment period closed on the CSA proposal, the Ontario Securities Commission (OSC) issued an interim class order (Order) providing prospectus and registration exemptions for start-up crowdfunding that are similar to the exemptions already in place in a number of other provinces. The Order is expected to remain in place until the earlier of the date the new CSA regime is adopted or January 31, 2022.

SRO Reform: When market participants and regulators weren’t coming to grips with remote work arrangements, they were debating whether and how to reform Canada’s self-regulatory organizations (SROs) for registrants. The Mutual Fund Dealers Association of Canada (MFDA) kicked things off in February when it published its Proposal for a Modern SRO. The CSA followed up in June with its own consultation paper on SRO reform, and the Ontario Government’s Capital Markets Modernization Task Force (Task Force) set out its draft recommendations on the subject in its July consultation report.

OSC Burden Reduction Initiatives: In early 2019, the OSC kicked off a multi-year process to identify and implement actions to reduce regulatory burdens in Ontario and improve the investor experience. Check out our December 2019 regulatory recap if you’d like to refresh your memory. In May 2020, the OSC provided a progress report on its regulatory burden reduction initiatives and provided a further update in the June 2020 Interim Progress Report on its 2019-2022 priorities. We also reported on several specific projects, including the following:

  • In June, the CSA announced changes designed to make it easier for advising representatives (ARs) of portfolio managers (PMs) to register as client relationship management (CRM) specialists.
  • In July, the CSA published guidance on flexible CCO arrangements.
  • In August, the CSA published final amendments that raise the threshold for when non-venture reporting issuers are required to file business acquisition reports.
  • In October, the Ontario government proposed changes to the Business Corporations Act (OBCA) that, if enacted, will eliminate director residency requirements for OBCA corporations and introduce a more flexible regime for privately held OBCA corporations regarding written shareholder resolutions.

B. Business Continuity and Risk Management

Business continuity planning and risk management have been top of mind for firms and regulators this year, and not just because of the COVID-19 pandemic.

  • In March, we discussed pandemic-related business continuity issues for firms to consider in the short and medium term.
  • In July, we highlighted an interesting publication by the North American Securities Administrators Association (NASAA) focusing on the need for firms to be prepared to deal with colleagues experiencing diminished capacity.
  • In September, we discussed the CSA’s guidance on liquidity risk management for investment fund managers as well as the discussion paper issued by the Office of the Superintendent of Financial Institutions (OSFI) on core principles for operational resilience in a digital world.

C. Crypto Assets

Crypto-currency issues remained in the news in 2020.

  • In January, we highlighted CSA Staff Notice 21-327 Guidance on the Application of Securities Legislation to Entities Facilitating the Trading of Crypto Assets.
  • In February, we discussed U.S. Securities and Exchange Commission (SEC) Commissioner Hester Peirce’s informal proposal for a safe harbour for token offerings.
  • In July, we wrote about the OSC’s approval of a settlement agreement with Coinsquare Ltd and its executives regarding market manipulation on a crypto-asset trading platform.
  • In August, we highlighted the CSA’s first decision registering a crypto-asset trading platform under its regulatory sandbox program.
  • In October, we discussed the settlement reached by Kik Interactive with the SEC regarding its unregistered token offering.


Regulators responded to the COVID-19 pandemic in impressive fashion by, among other things, extending regulatory deadlines, granting temporary relief from certain requirements, and scaling back certain initiatives. They also turned their attention to compliance and other risks affecting market participants that were specific to, or exacerbated by, the pandemic.

A number of the pandemic-related regulatory actions we wrote about in 2020 were temporary in scope, so we have highlighted below the pandemic-related articles we wrote in 2020 that continue to be relevant for market participants.

  • In March, we wrote about factors for registered firms to consider in the short to medium term after they activated their business continuity plans.
  • In April, we reported that the CSA had extended the deadline for implementing the CFRs concerning conflicts of interest and related relationship disclosure information (RDI) reporting requirements by six months to June 30, 2021.
  • In May, we wrote about guidance provided by the Financial Services Regulatory Authority of Ontario (FSRA) to mortgage brokers and administrators regarding their disclosure and other obligations in respect of mortgage-based investments during significant market disruptions, such as the COVID-19 pandemic.
  • In August, we wrote about the U.S. SEC’s risk alert on COVID-related compliance risks relevant to dealers and advisers as well as the task force established by the North American Securities Administrators Association (NASAA) to target COVID-19 fraudsters.
  • The CSA and FSRA extended the expected deadline for implementation of changes to the regulatory framework for syndicated mortgages in April and again in August. As recently announced, the new framework is now expected to take effect on July 1, 2021.
  • In October, we wrote about the CSA’s biennial report on their continuous disclosure review program, which included guidance for reporting issuers on how to disclose COVID-19 impacts.

E. Cyber-Security and Data Privacy

Cyber-security and data privacy continued to be hot topics, with the shift to remote work arrangements due to the pandemic presenting increased risks for inadvertent cyber-security failures as well as opportunities for hacking. AUM Law addressed these and other privacy and cyber-security issues in a number of articles, including the following:

  • Cyber-Resilience: We touched on cyber-resilience in our March FAQ on business continuity planning and wrote a more detailed article in our April bulletin. In September, we reported on the Office of the Superintendent of Financial Institutions’ consultation paper on operational resilience in a digital world, which includes recommendations regarding cyber-resilience, and in October, we reported that the international Financial Stability Board (FSB) had finalized its cyber incident response and recovery toolkit.
  • Artificial Intelligence: In February we wrote about the consultation paper on the regulation of artificial intelligence published by the federal Office of the Privacy Commissioner (OPC), and in June we discussed the consultation paper published by the International Organization of Securities Commissions (IOSCO) regarding potential regulatory measures addressing asset managers’ and market intermediaries’ use of artificial intelligence.
  • Privacy: In August, we reported that the Ontario government had launched a consultation to determine whether reforms to Ontario privacy legislation are warranted. See also our article in this bulletin regarding the Canadian government’s proposed Digital Charter Implementation Act, 2020.

F. Compliance Review and Enforcement Report Cards

The summary reports that regulatory staff publish about their oversight of market participants are valuable tools that can help firms learn more about recent and proposed regulatory initiatives, what staff consider to be problematic (or, conversely, beneficial) practices, and how staff interpret legislation and rules. In 2020, we wrote about:

  • Alberta Securities Commission (ASC) staff’s review of issuers’ and registrants’ compliance with the offering memorandum exemption (January);
  • Insights from staff of the OSC’s Compliance and Registrant Regulation (CRR) Branch regarding their compliance program, shared during a webinar hosted by the Portfolio Management Association of Canada (PMAC) in May;
  • The annual enforcement report published by the Investment Industry Regulatory Organization of Canada (IIROC) in May;
  • The CRR Branch’s annual Summary Report for Dealers, Advisers and Investment Fund Managers (September) – a ‘must read’;
  • The CSA’s biennial report card on reporting issuers’ continuous disclosure practices (October); and
  • The OSC’s Corporate Finance 2020 Annual Report (discussed later in this bulletin).

G. Cases and Enforcement Sweeps

In 2020, we wrote about a number of regulatory decisions that we think offer lessons for our readers.

  • In January, we wrote about IIROC’s decision to fine a representative for his failure to follow through on red flags regarding a client account being handled under a power of attorney.
  • In March, we discussed the IIROC decision to fine TD Waterhouse $4 million for deliberate non-compliance with relationship disclosure information requirements. In the same month, the Ontario Court of Appeal upheld Daniel Tiffin’s conviction for trading in promissory notes without registration and distributing securities without a prospectus, but overturned the lower court’s decision sentencing him to six months in jail. (PS: if you’re ever tempted to conclude that a particular instrument is not a security, first read Tiffin).
  • In May, we highlighted the enforcement action initiated by OSC staff against a mutual fund dealing representative who agreed to serve as executor for a client’s will even though he was alleged to have known that he was a beneficiary under that will. We also discussed undertakings given by two issuers to the Alberta Securities Commission (ASC) regarding internal controls, training and other requirements to ensure compliance with prospectus exemptions.
  • In June, we discussed a significant decision issued by the Federal Court of Appeal regarding the constitutionality and application of Canada’s Anti-Spam Legislation (CASL).
  • In July, we wrote about the OSC’s approval of a settlement agreement with Coinsquare Ltd and its executives regarding market manipulation on a crypto-asset trading platform.
  • In September, we reported that the Financial Services Regulatory Authority of Ontario (FSRA) had fined Fortress Real Developments for operating without a licence.
  • And, as mentioned in Section C above, we wrote about two crypto-asset-related enforcement decisions, concerning market manipulation on a crypto-asset trading platform (Coinsquare) and an unregistered token offering in the U.S. (Kik Interactive).


In 2020, we published a number of FAQs offering practical insights on various topics. Although many of them touched on issues arising out of the COVID-19 pandemic, we think the insights will continue to have relevance in other contexts.

  • In January, we discussed whether an advising representative (AR) can act as the executor of an estate on behalf of a client.
  • In February, we discussed things to watch out for when firms describe themselves and their representative on social media.
  • In March, we outlined issues for registered firms to consider, in light of the COVID-19 pandemic, regarding their know-your-client (KYC) and suitability determination obligations.
  • In April, we discussed the use of electronic signatures for subscription documents, investment management agreements and similar agreements with the firm’s clients.
  • In May, we addressed the issue of whether an associate advising representative can work remotely or in a one-person branch office.
  • In July, we described how a registered firm’s ultimate designated person (UDP) can certify the firm’s RAQ responses if they do not have online access to the survey.
  • In July, we also discussed whether registered individuals (and applicants for registration) have to disclose offences they have been charged with if the matter hasn’t been adjudicated yet. (This issue was also covered later in the year in an Advisor’s Edge interview with our Erez Blumberger).

In 2019, the CSA published its own FAQ guidance, this time focusing on the client-focused reforms (CFRs). We discussed those FAQs in our September and October bulletins.


Although the COVID-19 pandemic delayed implementation of the revised oversight framework for syndicated mortgages to July 2021, the good folks at FSRA kept busy in 2020 with a number of initiatives, including:

  • In August, FSRA published for comment an oversight framework, including proposed rules and guidance, regarding the use of financial planner and financial advisor titles.
  • Also in August, FSRA and the OSC published for comment proposed local rules and guidance regarding syndicated mortgages, while the CSA finalized its amendments for the syndicated mortgages regime.
  • In September, FSRA published proposed service standards for comment.
  • In October, FSRA published its 2021-22 Statement of Priorities for comment.

December 11, 2020

FSB Finalizes Its Cyber Incident Recovery and Response Toolkit

In April, we wrote that the Financial Stability Board (FSB) was seeking comment on 46 recommended cyber incident response and recovery (CIRR) practices for financial institutions. On October 19, the FSB published its final “toolkit” consisting of 49 recommendations (Report). Although the FSB tends to focus more on systemically important financial institutions, we think that all capital markets participants will find it worthwhile to read the final Report. The FSB expects that firms of various sizes and with different business models will choose to adopt, and adapt, some or all of the recommendations as appropriate, taking into account their size, complexity and risks to the financial system.

AUM Law can help you assess and enhance your cyber security policies and procedures and conduct training in this area for your employees. Please contact us to find out more about our services in this area.

October 30, 2020

OSFI Consults on Core Principles for Operational Resilience in a Digital World

On September 15, the Office of the Superintendent of Financial Institutions (OSFI) published Developing Financial Sector Resilience in a Digital World: Selected Themes in Technology and Related Risks (Discussion Paper) for comment. Although OSFI’s mandate concerns federally regulated financial institutions, we believe that the Discussion Paper’s themes are relevant to the wider financial services sector including securities dealers, advisers and investment fund managers. Among other things, the Discussion Paper discusses the evaluation of technology risks in light of supervisory trends that are shifting from process-based, operational risk management (ORM) to more holistic and outcome-oriented operational resilience. OSFI then proposes three sets of core principles focusing on:

  • Cyber-security (principles relating to confidentiality, availability, and integrity);
  • Advanced analytics (principles relating to soundness, explainability, and accountability); and
  • The third-party ecosystem (principles relating to transparency, reliability, and substitutability).

The Discussion Paper includes references to OSFI standards as well as research, standards and proposals published by international organizations such as the Financial Stability Board and therefore represents a useful compilation of research and standards in this field.

September 30, 2020

Ontario Consults on Potential Reforms to Privacy Legislation

On August 13, the Ontario Ministry of Government and Consumer Services (Ministry) launched a consultation (Consultation) regarding potential reforms to Ontario’s privacy laws. Currently, the principal legislation governing privacy matters in Ontario’s asset management sector is the federal Personal Information Protection and Electronic Documents Act (PIPEDA). The Ontario government is considering whether there is a need for Ontario legislation or other measures to address potential legislative gaps or provide enhanced protections for individuals in Ontario.

This initiative is at an early stage of development, and the Ministry is seeking feedback on general concepts, including the following:

  • Increase transparency: Provide individuals with more detail about how their information is being used by businesses and organizations;
  • Enhance consent provisions, allowing individuals to revoke consent at any time and establishing an opt-in model for secondary uses of their information;
  • Introduce a right to be forgotten so that individuals can request that information relating to them be deleted;
  • Introduce standards for de-identified data (i.e. anonymized data derived from personal information) to clarify how privacy protections apply;
  • Introduce data portability standards, giving individuals greater freedom to change service providers without losing their data;
  • Create a legislative framework for data trusts so that, for example, an organization’s data could be governed by a third party to ensure the data is used in a transparent and accountable way; and
  • Increase the Information and Privacy Commissioner’s enforcement powers including the introduction of penalty powers.

Many of these themes overlap with issues being considered by the Government of Canada as part of its initiative to modernize PIPEDA, which we discussed in our May 2019 bulletin.

In Ontario, the Ministry has launched a survey to collect individuals’ views on privacy issues. Organizations are invited to make written submissions on the Consultation by October 1, 2020. If you want to make a submission or learn more about how existing privacy legislation and potential reforms may affect your business, please do not hesitate to contact us.

August 31, 2020

IOSCO Consults on Regulatory Measures for Asset Managers’ and Market Intermediaries’ Use of Artificial Intelligence

On June 25, the International Organization of Securities Commissions (IOSCO) published a draft report and proposed guidance (Report) regarding asset managers and market intermediaries’ use of artificial intelligence (AI), including machine learning (ML). It’s a useful reference document to help you stay informed on evolving firm practices, as well as regulatory concerns and approaches, in this area.

The Report is based on IOSCO’s survey of and discussions about AI and ML with asset managers and market intermediaries. It analyzes how firms are using the relevant technologies, outlines the potential benefits and risks, and describes how firms are addressing those risks. The report also includes appendices describing how various regulators (including Canadian securities regulators) are addressing AI and ML risks and summarizes guidance in this area published by international organizations such as the Financial Stability Board.

IOSCO is seeking feedback on six proposed regulatory measures (Measures). Three of the Measures are framed as proposed requirements that IOSCO believes regulators should adopt:

  • Test and monitor algorithms: Regulators should require firms to test and monitor the algorithms to validate the results of any AI and ML technique on a continuous basis. Testing should be conducted in an environment that is segregated from the live environment before deployment to ensure that AI and ML behave as expected in stressed and unstressed market conditions and operate in a way that complies with regulatory obligations.
  • Competence: Regulators should require firms to have adequate skills, expertise and experience to develop, test, deploy, monitor and oversee the controls over the AI and ML that the firm uses. Compliance and risk management functions should be able to understand and challenge the algorithms that are produced and conduct due diligence on any third-party provider, including on the level of knowledge, expertise, and experience present.
  • Oversight of third parties: Regulators should require firms to understand their reliance upon, and manage their relationship with, third party providers, including monitoring their performance and conducting oversight. This includes having clear service-level agreements and contracts that clarify the scope of any outsourced functions and the third party’s responsibilities and that specify clear performance indicators and “sanctions” for poor performance.

The other proposed Measures are framed in softer language, which may indicate a lack of consensus among IOSCO members regarding the universal necessity for such requirements:

  • Senior management responsible for AI/ML and its controls: Regulators should consider requiring firms to have designated senior management responsible for overseeing the development, testing, deployment and monitoring of, and controls for, AI and ML. This includes having a documented internal governance framework and having appropriately senior individuals with relevant skills and knowledge sign off on the technology’s initial deployment and any substantial updates.
  • Disclosure and regulatory reporting: Regulators should consider what level of disclosure they should require firms to provide about their use of AI and ML. Among other things, regulators should consider:
    • Requiring firms to disclose meaningful information to customers and clients around their use of AI and ML that impact client outcomes; and
    • What information the regulators may require from firms using AI and ML to ensure they can have appropriate oversight of those firms.
  • Data quality controls: Regulators should consider requiring firms to have appropriate data quality controls so that the data on which the performance of the AI and ML depends is of sufficient quality to prevent bias and sufficiently broad to ensure a well-founded application of AI and ML.

Although the Measures won’t be binding on IOSCO member regulators, we expect that the Ontario Securities Commission (OSC) and other Canadian securities regulators likely will take the final version of the Measures into account when they interpret existing rules and consider regulatory reforms.

The comment deadline is October 26, 2020. If you have questions about the Report or are interested in discussing how evolving regulatory expectations in this area might affect your business, please contact us.

June 30, 2020

Cyber-Security During the COVID-19 Pandemic and Beyond

As we mentioned in last month’s article on business continuity plans (BCPs), the COVID-19 pandemic has brought with it heightened cyber-security risks. Now more than ever, registered firms need to maintain robust cyber-security policies and procedures, monitor employees’ compliance with them, and adapt their policies and procedures to address emerging or changing risks. Recently, financial sector regulators have published warnings and guidance for firms about how to address cyber-security risks. This article highlights several publications that we think our readers will find useful.

  • IIROC Offers Practical Tips: On April 21, the Investment Industry Regulatory Organization of Canada (IIROC) published a notice with practical tips for advisory firms and their employees regarding the kinds of cyber-security risks they face while operating remotely during the COVID-19 pandemic. Among other things, it describes common, COVID-19-related phishing and social engineering attacks that some firms are observing.
  • FSB Consults on Cyber Incident Response and Recovery (CIRR): On April 20, the Financial Stability Board (FSB) published a consultation paper outlining 46 effective CIRR practices for financial institutions to consider. Although the FSB tends to focus more on systemically important financial institutions, we think that all capital markets participants will find it worthwhile to skim the consultation paper. The recommended CIRR practices relate to such topics as how firms organize and manage CIRR, how they ensure effective response, mitigation and recovery activities, how to coordinate and communicate with stakeholders, and how to establish processes to learn from past cyber incidents. In addition to requesting feedback on the specific practices described in its consultation paper, the FSB wants to know what firms are learning from their response to the COVID-19 pandemic. Comments are requested by July 20.
  • Updated Baseline Controls for Small and Medium-sized Enterprises (SMEs): The Canadian Centre for Cyber Security (Centre), established by the federal government, updated its Baseline Controls for Small and Medium Organizations (Baseline Controls) earlier this year. Noting that some national and global cyber-security standards likely are beyond the financial and human resource means of most SMEs, the Centre developed the Baseline Controls with the 80/20 rule (i.e. that 80% of the benefit can be achieved through 20% of the effort) in mind. We recommend that firms read Annex A, which summarizes the Baseline Controls.

Given the regulators’ growing concerns about pandemic-related cyber-threats, we believe that cyber-security is likely to become a focus area for securities regulators in compliance reviews. AUM Law can help you assess and enhance your cyber-security policies and procedures and conduct training in this area for your employees. Please contact us to find out more about our services in this area.

April 30, 2020

You’ve Activated Your Business Continuity Plan. What’s Next?

In light of the COVID-19 outbreak, many registered firms are implementing their business continuity plans (BCPs) and having their employees work from home, except where certain individuals need to access office facilities to ensure continued service to clients. In this article, we’ll address some issues for registered firms to consider in the short and medium term while operating in such conditions. We emphasize that firms and regulators are facing an unprecedented and constantly changing situation, and so our initial views on the issues below may change as circumstances evolve and regulators issue new or updated guidance or rules.

If my firm is covered by an “essential service” exemption from a government order to close businesses, why not carry on as usual from our office? Workplaces can contribute to the spread of the virus that causes COVID-19, and so a firm needs to evaluate the occupational health and safety, public health and litigation risks of having employees work from its offices or meet physically with clients, etc. The Government of Canada has published Risk-Informed Decision-Making Guidelines for workplaces and businesses during the pandemic. If you need legal advice on employment or occupational health and safety matters, AUM Law can source, evaluate and help you retain appropriate counsel and then manage the provision of that advice so that you can focus on running your business. From a securities regulatory compliance perspective, we think that a registered firm that requires all or most of its employees to work onsite instead of working from home could attract scrutiny from securities regulators due to concerns that the firm’s BCP is not functioning effectively.

Should my firm contact the securities regulator because we have activated our BCP? Activating your BCP does not, in itself, trigger an obligation to notify the Ontario Securities Commission (OSC). If, however, your firm finds that it might not be able to meet one or more of its regulatory obligations on a timely basis because of the pandemic, then that might trigger a filing obligation and we encourage you to speak to your usual lawyer at AUM Law as soon as possible. (See also our article in this bulletin on the blanket orders issued by members of the Canadian Securities Administrators (CSA) extending certain filing deadlines for registrants, investment funds and others.) We can advise you on your options and liaise with regulators on your behalf.

Do the home offices of registered individuals need to be approved as branch offices? Technically, having registered employees work from a location other than the address indicated on their Form 33-109F4 (Form F4), could be viewed as requiring an updated filing and/or approval of new “branch offices”. However, in light of the recent government orders and recommendations requiring or asking people to stay at home as much as practicable, we believe that at least in the short term, it is unlikely that OSC staff will expect registered firms to update Form F4s or seek approval for branch offices, provided that registered individuals are not meeting with clients in their homes or bringing home physical files that contain sensitive client information.

Cross-training: Are there functions at your firm that only one or two employees know how to perform? If you haven’t done so lately, we encourage you to review and update your list of key tasks and deadlines and the individuals responsible for performing those tasks. Identify a back-up person for each task and deadline (or group of related tasks and deadlines) and, if necessary, train that back-up person.

BCP considerations for “one-registrant” firms: If a registered firm has only one registered individual (One-Registrant Firm) to serve clients, we encourage the firm to have a plan to address a scenario where that individual is absent or incapacitated for weeks or months. We recommend that One-Registrant Firms, at a minimum, prepare standing instructions for the firm’s administrative staff and legal representatives to follow if the registered individual is absent or incapacitated for more than a brief period. Such firms also might wish to explore the feasibility of negotiating, in advance, a formal agreement with another registered firm (Temporary Successor). Such an arrangement could be a reciprocal one between two One-Registrant Firms seeking to address the same business continuity issue. Under such an agreement, the Temporary Successor would step into the shoes of the registered individual, for certain purposes, if that individual were unable to perform their duties for more than a brief period. The purpose of the agreement would only be to communicate with service providers and clients as the clients decide how best to address their account assets.

Technology risks including cyber-security and privacy risks: The rapid shift to remote work arrangements has resulted in some issues arising with respect to technology slowdowns, disruptions and hacking. Some firms are deploying new software or devices (including virtual meeting systems) that employees are having to become familiar with quickly, and many employees are dealing with the challenge of handling matters discreetly with family members or roommates present. There also are reports of some public, virtual meetings and conferences conducted over Zoom and similar systems being hacked. Finally, some employees are experiencing anxiety and confusion because of the pandemic. All these circumstances increase the risks of inadvertent cyber-security failures and opportunities for hacking. Maintaining robust cyber-security policies and procedures, adapting them as needed to address emerging or changing risks, reminding employees of the need to take precautions, and monitoring employees’ compliance with such policies and procedures are essential actions at this time both from a regulatory compliance and litigation risk perspective.

Communications with clients: Pandemic conditions and their knock-on effects in financial markets may result in a significant increase in customer call volumes or online account usage. Registered firms should review their BCPs and assess the effectiveness of their systems and processes to handle this level of increased activity. If your firm is experiencing difficulty serving customers in a timely way, please contact us to discuss measures you should undertake (including communication strategies) to address the situation. (On a related subject, please see our FAQ in this bulletin focused on ensuring that you’ve got current know-your-client (KYC) information for clients whose life situations may be changing dramatically.)

Supervision, compliance and internal controls during the new “work from home” normal: As we all adjust over the next month or so to the “new normal” of working remotely as much as practicable for an unknown period of time, we think that regulators will begin expecting to see registered firms consider whether they need to adapt their policies, procedures and controls to address any new or magnified regulatory compliance risks. AUM Law can help you assess whether your existing supervisory system, compliance manual, procedures and internal controls should be revised to ensure compliance while many employees are operating from remote locations.

We can help: At AUM Law, we are experienced in reviewing BCPs from a regulatory compliance perspective. We can draft or update your BCP to ensure that it addresses a scenario like this one. Please don’t hesitate to contact us.

March 31, 2020