On December 20, 2019, the Investment Industry Regulatory Organization of Canada (IIROC) published its annual compliance report, which covers recent and current initiatives as well as 2020 priorities. And on January 9, 2020, the U.S. Financial Industry Regulatory Authority (FINRA) published its 2020 Risk Monitoring and Exam Priorities Letter (Letter). Although the Notice and Letter will be of most relevance to firms supervised by these regulators, we think that the supervisory trends highlighted below will also be of interest to all Canadian-registered firms.
A. IIROC’s Compliance Report
IIROC’s focus areas for compliance in the coming year include the following:
- Cyber-security risks and controls: IIROC plans to publish updated cyber-security “best practices”, incorporate criteria to assess cyber-security risk into its FINOPS risk model, and conduct a cyber-security “table-top” exercise for small and medium-sized firms.
- Client-focused reforms (CFRs): IIROC is preparing the IIROC rule amendments needed to implement the rule amendments recently adopted by the Canadian Securities Administrators. It also will be enhancing its examination program to reflect the CFR amendments.
- Best execution: IIROC is focusing on the content and disclosure of best execution policies, how firms are documenting and implementing policies and procedures that consider the factors and elements that lead to best execution, governance around best execution, and firms’ training for employees involved in the best execution process.
- Automation of supervisory processes: IIROC is enhancing its examination program to test the effectiveness of automated supervisory processes being used by order execution only (OEO) dealers and is planning to expand its existing guidance (which deals only with OEO dealers) to cover all dealers and the use of automation more broadly.
B. FINRA Letter
The FINRA Letter is detailed and includes questions that firms can incorporate into self-assessments. Although some of the topics are specific to the US regulatory framework, we think that the Letter is worth skimming, especially the sections covering the following topics:
- Sales Practices: FINRA plans to continue focusing on firms’ sales practices (and supervision of sales practices) with respect to complex products, private placements, representatives acting in positions of trust or authority, senior investors, variable annuities, and fixed income mark-up/mark-down disclosures. In addition, FINRA plans to assess firms’ preparedness for the implementation of Reg BI, which comes into effect in June 2020.
- Communications through Digital Channels: FINRA notes that firms’, registered representatives’ and customers’ use of an increasingly broad array of digital communication channels presents challenges for firms to comply with obligations relating to the review and retention of such communications. (We discussed similar issues in our September 2019 case comment on the Ontario Securities Commission’s settlements with the Royal Bank of Canada and The Toronto-Dominion Bank over inadequate supervision of chatrooms.) FINRA’s Letter sets out helpful questions for firms to consider in this area, such as whether the firm: (1) has a process to evaluate new tools to determine which should be included in the firm’s reviews and captured in its records; (2) periodically tests its systems to ensure these communications are being captured; and (3) has identified red flags indicating that a representative might be communicating through unapproved channels and whether the firm’s supervisors are following up on such red flags during their reviews.
- Trading Authorization: FINRA plans to assess whether firms’ supervisory systems are reasonably designed to detect and address representatives exercising discretion without their client’s written authorization.
- Best Execution: FINRA will focus on a number of best execution themes, including whether conflicts of interest are affecting firms’ order-routing decisions.
- Digital Assets: FINRA will look closely at firms’ digital asset activities, including whether the firm has adequate controls and procedures to facilitate digital asset transactions and whether its marketing materials and any retail communications adequately address the risks presented by such assets.
- Cybersecurity and Technology Governance: FINRA will continue to assess whether firms’ policies and procedures are reasonably designed to protect customer records and information. It also will look at firms’ technology governance, especially their change and problem management practices and whether their business continuity plans (BCP) have been updated to reflect any material changes in the firm’s business.