The Canadian Investment Regulatory Organization (CIRO) released its latest annual compliance report (the Report). The Report details some of the current issues which CIRO regulated dealers should focus on for their supervision and risk management efforts.
Completed CIRO integrations to date
The Report begins by discussing some of the compliance integration work already completed by CIRO, including:
- The integration of the former investment dealer and mutual fund dealer compliance teams;
- New oversight of mutual fund dealers with a head office in Québec;
- Aligned information requests via the annual dealer questionnaire, together with a new questionnaire platform;
- New harmonized risk models for Business Conduct, Financial & Operations and Trading Conduct Compliance;
- Aligned dealer examination cycles with each compliance area using a 1–4-year cycle, and more frequent examinations for dealers assessed a higher-risk score and impact; and
- The provision of a risk trend report to all dealers, which includes a high-level assessment of how a dealer is doing with respect to governance, internal controls, and risk-management practices in relation to its peers.
CIRO findings – Dealer operations and risk management
Turning to some of the recurring issues discovered in CIRO examinations, the Report discusses cybersecurity incident reporting and the increased number of reports involving third-party service providers. Dealers are reminded of Guidance Note GN-2300-21-003: Outsourcing Arrangements, which outlines CIRO’s expectations for managing risks related to the use of third-party services. Managing cybersecurity risks can directly impact a dealer’s risk score during scheduled CIRO examinations. Common findings in examinations included a lack of adequate policies and procedures, such as a lack of specific criteria used when assessing if a cybersecurity incident met the reporting threshold. Dealers that are part of an organization with a centralized cybersecurity function must be able to demonstrate where the function resides and how CIRO’s requirements are being addressed by the dealer.
Credit risk management is called out as another crucial aspect of a dealer’s risk management framework, particularly for investment dealers that have risks associated with unsecured client accounts and counterparties in securities transactions due to potential failed settlements. CIRO suggests best practices, including processes for reviewing credit limits and establishing a framework for monitoring trading activities.
Mutual fund dealers are reminded that nominee name positions and trust bank accounts must be reconciled monthly, and this process will be a focus of future CIRO examinations.
No examination of operations and risk management is complete without a mention of algorithmic trading. The Report is no exception and indicates that dealers must enhance their oversight and have a comprehensive framework to manage the risks of algorithmic trading. These risks include the potential for biased data inputs which exacerbates financial risks, misinterpreting market opportunities leading to substantial financial loss, and amplified market volatility caused by an algorithm’s unpredictable reactions.
CIRO findings – Trading rules
CIRO also reviews compliance with various trading rules during examinations. The Report mentions the new requirement, effective as of April 4, 2025, for CIRO Participants to have a reasonable expectation to settle before they can enter an order that would result in a short sale on a marketplace. It is noted such Participants also need updated policies and procedures that reference this requirement. Non-Participant dealers that send orders to executing firms must also supervise failed trades.
Pre-sweep findings
Many market participants are awaiting the published results of the CIRO and Canadian Securities Administrators (CSA) Client Focused Reforms (CFRs) sweep on know-your-client (KYC), know-your-product (KYP) and suitability matters. The Report discusses some aspects of CIRO’s findings to date, primarily relating to missing information from dealers’ updates to their policies and procedures. CIRO noted that many policies and procedures were missing details of:
- A consistent process for assessing risk tolerance and risk capacity, including the required documentation to support the dealer’s analysis;
- Clear descriptions of the level of due diligence required for different groups or types of securities on the product shelf with respect to KYP obligations and the process to ensure that Approved Persons have adequate KYP knowledge for securities they advise on; and
- The process for identifying and assessing a reasonable range of alternatives when making recommendations, including the scope of products considered, the timing and responsibility for identifying alternatives and specifics of when a further analysis of comparable products may be required based on a client’s unique situation.
BCC reviews
Recent reviews by Business Conduct Compliance (BCC) Staff found issues relating to KYC obligations. Specifically, there were deficiencies related to the reasonability of KYC information provided by clients, which should have been queried by compliance Supervisors but was not. The Report notes when reviewing KYC information, Supervisors should address any concerns noted on its reasonability.
BCC staff also noted inadequate controls over employees' social media accounts used for business purposes and observed that some dealers did not have policies to identify relevant employee social media use, or controls in place to detect, approve, monitor, or record such use.
Another area for improvement is the requirement under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act to conduct a comprehensive effectiveness review of a dealer’s Anti-Money Laundering/Anti-Terrorist Financing (AML/ATF) compliance program at least once every two years. Some dealers had not conducted these reviews within the required period. We have developed a highly structured approach to conducting efficient AML/ATF effectiveness reviews, building on our years of experience in carrying them out for many securities registrants, and we would be pleased to discuss these services with registered dealers further.
While the need to update policies and procedures to reflect regulatory or business changes might seem obvious, CIRO emphasized that it is essential that any such policy changes be provided to all relevant employees to ensure they are equipped to comply with them. CIRO suggests that regular communication and training on these updates will reduce the risk of non-compliance.
Registration and proficiency
Many changes are coming with respect to the registration process for CIRO firms and individual registrants as the Ontario Securities Commission intends to delegate the registration function for investment dealers, mutual fund dealers, and the individuals who act on behalf of mutual fund dealers to CIRO, effective as of Spring 2025. The CSA is concurrently considering delegating certain registration functions and powers to CIRO. We are closely following what impact, if any, these changes will have on the process and timing of individual registrations.
CIRO notes in the Report that prior to applying for approval as a Portfolio Manager or Associate Portfolio Manager, investment dealers should review the IDPC Rules for the specific relevant investment management experience (RIME) requirements and appropriately document the RIME in the candidate’s application. CIRO will assess whether an individual has acquired RIME on a case-by-case basis consistent with the approach outlined in Part 3 of NI 31-103 Registration Requirements, Exemptions and Ongoing Registrant Obligations and related guidance.
The Report ends with a reminder to inform CIRO in writing before making any material changes to an investment dealer’s business activities. Investment dealers are referred to the Business Changes for Dealer Members page of CIRO’s website for additional information. As we have detailed in other bulletins, we recommend all dealer members take a prudent and conservative approach when discerning if a change is a material change to its activities or operations. We are happy to assist dealer members in providing guidance on what, in our experience, constitutes a “material change”.
What’s next?
CIRO’s Report highlights areas of concern, providing firms with a roadmap for strengthening their compliance programs and underscoring the risk of deficiencies appearing repeatedly. Taking steps to proactively address these issues will help dealers be better positioned to navigate future regulatory examinations and demonstrate a commitment to regulatory best practices.
Contact us if you have any questions or would like any assistance with a CIRO examination, AML review, employee training or updates to your policies and procedures.
