Pursuant to section 11.1 of National Instrument 31-103 Registration Requirements, Exemptions and Ongoing Registrant Obligations (NI 31-103), a registered firm is required to establish, maintain and apply policies and procedures that establish a system of controls and supervision sufficient to provide reasonable assurance that the firm and each individual acting on its behalf complies with securities legislation, and to manage the risks associated with its business in accordance with prudent business practices. This means that registrants should review and update their policies and procedures regularly to ensure that their business practices continue to address their obligations with respect to evolving securities laws (and other applicable legislation).
There have been several changes in the legal landscape over the past year that require registrants to revisit their policies and procedures, make any necessary changes, and update their policies and procedures compliance manuals.
In addition to a general review, we suggest you target the following written policies and procedures to assess whether they require updating:
- Cybersecurity. The recent Ashley Madison hack certainly serves as a reminder of the importance of cybersecurity. As discussed in our June 2015 bulletin and as highlighted in the Ontario Securities Commission’s (OSC) June 24, 2015 outreach seminar, this area of focus in compliance and risk management is gaining momentum in the financial industry, which is the number one target industry for cyber criminals. Registrants should review their cybersecurity policies and procedures in light of this heightened focus. Strong and tailored cybersecurity measures are an important element of your controls, operational reliability and protection of confidential information. Please contact a member of our Regulatory Compliance Group for information about our fixed-fee cybersecurity services module, aimed to help registrants meet their internal control obligations and stay ahead of cybersecurity risks.
- NI 45-106 exemptions and new risk acknowledgement form. Effective May 5, 2015, a number of important changes to National Instrument 45-106 Prospectus Exemptions were implemented to address investor protection concerns, facilitate capital raising and further harmonize existing exemptions. Issuers and registrants should ensure that all of their compliance and client disclosure documents are updated to reflect those changes (including offering memoranda, subscription agreements, investment management agreements, and policies and procedures compliance manuals). For more information, see our February 2015 and March 2015 bulletins, and our April 2015 video presentation, or call us.
- Outside business activities (OBAs). In January 2015, the OSC announced that registered firms with registered or permitted individuals may apply for late fee relief for changes to OBAs that were previously reported on item 10 of Form 33-109F4 Registration of Individuals and Review of Permitted Individuals. In light of this focus on compliance with the OBA reporting requirement and the hefty late filing fees for noncompliance, registrants should review their policies and procedures compliance manuals with respect to OBAs to ensure they understand what is required to be filed, and the prescribed filing deadlines. For more information, see our January 2015 bulletin or call us.
- Expense allocation. Securities regulators in the United States and Canada have recently signalled (through staff guidance, and compliance and enforcement actions) that they are increasingly concerned about perceived issues with fund manager expense allocation practices. In light of these developments, fund managers should review their written expense allocation practices to ensure that they manage – and are seen to appropriately manage – the conflicts of interest that may arise with expense allocation practices. In addition, fund managers should ensure they are able to demonstrate that the allocation of expenses between the manager and the funds it manages, and across multiple funds, is consistent with the fund manager’s written policies and procedures. See our November 2014 bulletin for more information.
- Canada’s Anti-Spam Legislation (CASL). Effective July 2014, CASL applies to all electronic communications sent with a commercial purpose from Canada or accessed in Canada. As a result, many everyday activities such as sending emails or electronic newsletters to clients are subject to the new legislation. To avoid hefty penalties, registrants will want to ensure that their policies and procedures have been updated to reflect this important change in business practices. See our August 2014 nutshell for more information.
- Ombudsman for Banking Services and Investments (OBSI). As of August 2014, all registered dealers and advisers outside of Québec are required to use OBSI as their independent dispute resolution services provider. Disputes that arise in Québec continue to be administered by the Autorité des marchés financiers (AMF). Registrants will want to ensure that their policies and procedures compliance manuals reflect their current dispute resolution regime. See our January 2014 bulletin and May 2014 nutshell for more details.
- CRM2. As discussed above, CRM2 is the Canadian Securities Administrators’ (CSA) client relationship model project, developed to enhance the relationship disclosure obligations set out in NI 31-103 by imposing additional reporting requirements in four transitional periods between 2013 and 2016. December 31, 2015 marks the effective date of the next phase of CRM2 and the last phase comes into effect on July 15, 2016. See our January 2014 nutshell for more details.
- Anti-money laundering and anti-terrorist legislation. In February 2014, amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (AML Regulations) came into force for registrants (as described in our January 2014 bulletin). Among other obligations, the amendments require registrants to collect certain information at the account opening stage. Registrants should ensure that their policies and procedures reflect those obligations. In addition, on July 4, 2015, long-awaited amendments to the AML Regulations were published for comment. Policies and procedures compliance manuals will likely require revisions when these amendments come into force. See our July 2015 bulletin for more information.
- FATCA. The Foreign Account Tax Compliance Act (FATCA) is a complex reporting and withholding regime enacted by the US government in March 2010. Investment fund managers, portfolio managers and exempt market dealers are subject to FATCA, and may have reporting requirements under the regime. Registrants will want to ensure that their written policies and procedures with respect to FATCA reflect their current business practices. See our April 2015, May 2014 and December 2014 bulletins for more details.
- Privacy policies and procedures. Registrants that handle personal information in the course of their commercial activities will want to undertake a review of their privacy policies and security safeguards in light of the new measures now in force under the Digital Privacy Act that introduce new provisions to the Personal Information Protection and Electronic Documents Act. See our June 2015 bulletin for more information.