On March 20, 2023, the New Self-Regulatory Organization of Canada (New SRO) published its New SRO Compliance Priorities Report for 2022/2023: Helping Firms with Compliance. The report highlights what the New SRO believes are issues and challenges faced by the industry, and the key areas of focus of its compliance reviews in 2023.
In 2022, the New SRO’s predecessor self-regulatory organizations and the Canadian Securities Administrators (CSA) conducted a sweep of the industry to examine compliance with the Client Focused Reforms (CFR) Conflict of Interest (COI) requirements. The results of the sweep for dealer firms were promising, in that the New SRO praised the fact that most dealers had controls in place that satisfied the requirements to identify, disclose, and address conflicts while adhering to the best interest standard. However, consistent with findings from the CSA (see our bulletin last month for more information here), the report noted gaps relating to the sale of proprietary funds, deficiencies relating to undocumented assessments of material conflicts and insufficient disclosure to clients. More specifically:
- The assessments of material conflicts, and how the dealer (i.e., documented process steps) would address the conflicts in accordance with the best interest standard, were not adequately documented, and
- Mandated disclosure to clients missed key components, such as:
- the nature and extent of the COI;
- the potential impact on and the risk the COI posed to the client; and
- how the firm planned to address the COI, or how they had already dealt with the matter.
The report reminds readers that simply providing disclosure to clients does not in itself satisfy the requirements.
The CSA and the New SRO will publish a report later this year detailing the deficiencies found from their CFR reviews and provide further guidance for the industry. Firms are expected to review the guidance once published and review their policies and procedures, especially COI disclosures, and determine whether they may have gaps in their internal controls and remediate them accordingly.
Also later in 2023, as part of a co-ordinated review with the CSA, the New SRO will participate in “CFR-Phase II”, which we expect will assess compliance with, and internal processes relating to the following requirements: Relationship Disclosure, KYC, Suitability, Know Your Product/Product Due Diligence, Misleading Communications and Outside Activities.
In addition to its reminders with respect to conflicts of interest, the New SRO included a number of other items in its report. For example, the New SRO has placed continued emphasis on adequate education and reporting surrounding cybersecurity risks. The cybersecurity self-assessment tool published by IIROC in 2022 is now available to all dealers regulated by the New SRO, to help assess preparedness and identify areas of improvement related to cybersecurity risks. While the tool is not mandatory, the New SRO does recommend using it at least once every two years.
The New SRO will continue to conduct examinations on investment dealers to evaluate how dealers are demonstrating their compliance with the cybersecurity incident reporting requirements (CIRR) and how cybersecurity risks are being managed. The New SRO continues to find insufficient evidence from dealers to demonstrate their compliance with the CIRRs.
The report also advised that where the cybersecurity functions of a group of entities were centralized, policies did not address the specific requirement to conduct a separate assessment of materiality, substantial harm, significance, and other thresholds on an individual basis.
Following amendments to National Instrument 33-109, outside activities will also remain an area of focus during New SRO examinations. Dealers should be familiar with the new framework brought about by these amendments, particularly as it relates to the reporting of outside activities and the codification of new rules surrounding the definition and handling of positions of influence. The New SRO pointed to a significant increase in deficient filings uncovered as part of its ongoing reviews, particularly with respect to reportable activities.
Another item covered in the report included digital engagement practices. Given the increasing sophistication of digital engagement strategies, the New SRO will be closely monitoring potential instances of improper advertising and sales communication practices. This includes gamification strategies which may oversimplify complex products, encourage reckless behaviour, and imbue investors with a false sense of confidence.
Improper delegation was also noted; while delegation of supervisory controls/tasks is permitted under the Universal Market Integrity Rules, the New SRO continues to find instances where delegated responsibilities have not been formally documented in detail. Ambiguity around who is responsible for supervisory controls can have obvious negative consequences for investors and the market. As such, any such delegation must be clearly demarcated and well documented.
March 31, 2023