You just got a formal request from the Ontario Securities Commission (OSC) that they would like to come by for a visit, accompanied by a request for all the inner workings of your firm, what do you do?! First, respond. Second, get ready, any regulatory review will be much smoother if you are prepared. Below are a few frequently asked questions we receive from firms.
Question: Why Me? Why is the OSC Targeting Our Firm?
Answer: The OSC is required to review each registered firm on a regular basis. With more than 1000 registered firms, it is impossible to review all firms each year. To narrow their focus, one technique employed by the OSC is to send out risk assessment questionnaires (RAQ) to the industry, and firms are then risk ranked based on their responses. Selections are then made from each registration category. Registrants can also be subject to a targeted review or “sweep”, specific to an issue/trend in the industry. Over the last three years the OSC has focused their sweeps on issues such as the following: seniors/vulnerable investors, crypto currency use, continuous disclosures, marketing/sales practices, and derivatives use. Registrants could also be selected due to a complaint received, a referral from another regulatory body, or randomly.
Question: What Do They Typically Ask For and Do During a Compliance Review?
Answer: The OSC will send a written notice to the CCO requesting the firm’s Books and Records (lists per registration category are posted on the OSC website), for a specified period. The OSC will schedule a kick-off meeting with senior management. A typical OSC review can take six weeks to conclude (especially if the firm has branch offices) but in our experience can go on for even longer depending on the complexity of the organization. During the review the OSC will want to interview senior management and key employees, assess the firm’s compliance systems, disclosures, internal controls, marketing materials, and all policies and procedures, as well as any outstanding deficiencies noted during a previous review.
Question: What Happens After the Review?
Answer: Once the OSC has completed the assessment portion of the review, they will schedule an exit interview with senior management to go over their preliminary findings. The OSC typically takes about three to five weeks to send their final written report. If they have identified significant deficiencies during their review, they will inform the firm immediately. There will usually be a deficiency report advising the firm of the deficiencies that have to be addressed, and the time within which the firm must either correct and/or correct and send proof of the required changes. If the deficiency is significant (i.e. a material breach of securities law) then OSC staff can take stricter action, such as impose terms and conditions on the firm’s registration or activities, refer the matter to the Enforcement Branch, or even suspend or revoke the registration of the firm or impacted individual.
Question: What Are the Top Deficiencies Identified by the OSC?
While each audit and audit results are unique, firms that require some remediation of their compliance activities could expect at least some of the following deficiencies to be noted on an audit report:
Compliance Systems and Supervision
- Out of date, or inadequate compliance manuals/policies and procedures;
- Inadequate disclosures, no or insufficient internal mechanisms to report and address conflicts of interest;
- Misleading or inaccurate statements in marketing materials and inappropriate sales practices, or materials lacking appropriate approvals from management; and
- Insufficient oversight over service providers.
Registration and Business Operations
- Inadequate monitoring for insider trading and early warning reporting (e.g. with respect to personal trading monitoring); and
- Client confusion regarding services provided by the firm and services provided by a referral agent.
Know Your Client (KYC), Know Your Product (KYP) & Suitability
- Missing or inadequate collection and documentation of KYC information and financial circumstances resulting in the inability to truly assess suitability;
- Missing proof that client is an accredited investor to qualify for the accredited investor prospectus exemption (if applicable);
- Missing or incomplete Investment Policy Statement (IPS) or Investment Management Agreement (IMA) or an incomplete suitability assessment;
- Missing or inadequate relationship disclosure information (RDI); and
- Missing or inadequate disclosure to clients in respect of referral arrangements.
AUM Law has extensive experience helping firms prepare for and respond to regulatory audits. Please contact your usual lawyer at AUM Law for more information.
April 29, 2022