Compliance programmes

Programme requirements

What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?

Financial institutions

Prudential regulators, such as the Office of the Superintendent of Financial Institutions (OSFI), have an interest in ensuring the sound financial management of financial institutions. This is achieved by publishing guidelines and advisories. Legislation also requires financial institutions to adopt their own policies that are best suited to their business and operations. Therefore, rather than prescriptive rules, prudential regulators in Canada adopt a regulatory approach based on principles. As an example, the policies and procedures that OSFI expects federally regulated financial institutions (FRFIs) to adopt include:

  • capital adequacy requirements;
  • prudential limits relating to commercial lending, lending exposures, asset securitisation and related-party transactions;
  • protection of financial consumers;
  • sound business and financial practices, which covers:
    • corporate governance;
    • outsourcing arrangements;
    • regulatory compliance management;
    • operational risk management;
    • use of derivatives;
    • residential mortgage underwriting;
    • interest rate risk;
    • anti-money laundering and terrorist financing (AML/TF); and
    • reinsurance;
  • accounting, financial reporting and disclosure; and
  • cybersecurity and reports of data breaches.


Under requirements for capital adequacy, banks are required to maintain adequate capital as well as adequate and appropriate forms of liquidity pursuant to section 485(1) of the Bank Act. This is measured by compliance with OSFI’s Capital Adequacy Requirements Guideline. Minimum capital requirements are greater for certain large financial institutions in Canada. OSFI designates certain banks as domestic systemically important banks on the basis of its assessment of a range of indicators, such as asset size, intra-financial claims and liabilities, and the banks’ roles in domestic financial markets and in financial infrastructures.


Securities registrants

Legislation applicable to securities registrants is more prescriptive and sets out requirements for these firms to have in place an internal control system, adequate policies and procedures, and a qualified chief compliance officer responsible for monitoring compliance with their policies and procedures.



The Proceeds of Crime (Money Laundering) and Terrorist Financing Act requires reporting entities, financial institutions and securities registrants to maintain compliance programmes designed to properly ascertain the identity of customers, assess transaction risk and report suspicious and other transactions to the Financial Transactions and Reports Analysis Centre of Canada. Regulated entities are also required to have adequately trained employees to recognise risks of money laundering for their particular industry or sector.


How important are gatekeepers in the regulatory structure?

Gatekeepers are personnel who have an important role to play at both financial institutions and securities registrants. Where gatekeepers fail in their internal control and oversight responsibilities, the financial institution or securities registrant in question can be subject to administrative sanctions if financial markets or customers are unduly put at risk. Gatekeepers are often chief compliance officers, internal auditors, company risk managers, members of the board of directors and even personnel who deal directly with customers, such as investment advisers.


Financial institutions

Federal financial institution legislation requires financial institutions to establish committees including:

  • an audit committee;
  • a conduct review committee designated for questions of self-dealing; and
  • committees charged with the duties of:
    • monitoring procedures relating to the identification and resolution of conflicts of interest;
    • disclosure of required information to customers; and
    • dealing with customer complaints.


OSFI has published guidelines on corporate governance and operational risk management. In these guidelines, OSFI sets out the concept of the three lines of defence, a structure that establishes an appropriate division of accountability for managing operational risks.

The first line of defence is the business line, which is responsible for planning, directing and controlling the day-to-day operations of the FRFI, as well as for identifying and managing the operational risks inherent in its products, activities, processes and systems. The second line of defence is the oversight function, which consists of specialised reviews of operational risks by persons such as compliance personnel and risk managers. The third line of defence is the internal audit function, which is responsible for objectively reviewing and testing the risk management controls, processes and systems of FRFIs.


Securities registrants

Securities regulators enforce the rules applicable to securities intermediaries. These rules include National Instrument 31-103 – Registration Requirements, Exemptions and Ongoing Registrant Obligations (NI 31-103, in force as of 28 September 2009 and subsequently amended), which imposes requirements on securities intermediaries to have a compliance system in place as well as qualified compliance officers and representatives. The disciplinary decisions of self-regulatory organisations such as the Investment Industry Regulatory Organization of Canada and the Mutual Funds Dealers Association often identify failures of gatekeepers to protect customers or the integrity of financial markets. We have noted greater emphasis on the role of gatekeepers since the publication of NI 31-103.

Directors' duties and liability

What are the duties of directors, and what standard of care applies to the boards of directors of financial services firms?

Directors of corporations have duties under common law and corporate statutes to act honestly and in good faith with a view to the best interests of the corporation, and to exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances. This standard of care is integrated in the provisions of the Bank Act, the Insurance Companies Act, and the Trust and Loan Companies Act (TLCA). In reviewing the conduct of directors, Canadian courts will apply the ‘business judgement’ rule, whereby the courts defer to the judgement of management provided that the decision lies within a range of reasonable alternatives and is not dictated by a regulatory requirement.


Financial institutions

Under federal financial institution legislation, directors have a general duty to manage or supervise the management of the business and affairs of the financial institution. Directors also have specific duties to establish an audit committee and a conduct review committee, and to maintain policies for, among other things, disclosure to customers, resolving conflicts of interest and dealing with complaints (see Bank Act, section 157; TLCA, section 161).

According to OSFI, the hallmarks of an effective board of directors include demonstrating sound judgement, initiative, proactiveness, responsiveness and operational excellence. Board members should strive to facilitate open communication, collaboration and appropriate debate in the decision-making process.

OSFI expects directors to demonstrate relevant financial industry and risk management expertise. Collectively, the directors should be independent from management and the operations of the financial institution. Finally, OSFI promotes diversity on boards.


Securities registrants

Most securities registrants are required to designate a responsible officer who is required, along with certain other officers and directors of these firms, to complete the partners, directors and officers course, which securities regulators expect directors and officers to apply to their oversight of their firms. They also expect directors of registered firms to maintain a high level of integrity.

When are directors typically held individually accountable for the activities of financial services firms?

Members of the board of directors of financial institutions and securities registrants can be held personally responsible for infractions under financial institution and securities legislation as a result of provisions to the effect that offences can be imputed to officers and directors who participate in the offence, or assent to or encourage the commission of the offence. Directors can also be held personally liable where they fail to act in good faith and knowingly turn a blind eye or allow an offence to continue to be committed.

Private rights of action

Do private rights of action apply to violations of national financial services authority rules and regulations?

Financial institution legislation does not provide a regime for private rights of action. However, customers of financial institutions have rights to file complaints with regulators, such as the Financial Consumer Agency of Canada (FCAC) as well as with independent complaint bodies, including the Ombudsman of Banking Services and Investment. Financial institutions are required to use the services of a complaints body, but they are not required to accept a complaint body’s recommendations to settle a complaint. The Bill C-86 amendments to the Bank Act will come into force on 30 June 2022.

Securities legislation introduces various private rights of action, including rights of action for misrepresentation in primary and secondary markets, and rights of action for insider trading. The Ontario Securities Commission, the Financial Markets Authority and the Alberta Securities Commission have established formal whistle-blowing regimes.

Customers have a common right to damages from financial services firms for breaches of privacy legislation in certain jurisdictions and can make complaints to the different privacy commissioners in Canada.

Standard of care for customers

What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?

Financial institutions are not subject to a statutory standard of care in dealing with retail customers. Amendments to the Bank Act, which are due to come into force on 30 June 2022 by virtue of Bill C-86, among other provisions favourable to financial consumers:

  • prohibit banks from taking advantage of a person;
  • prohibit banks from imposing undue pressure on a person or coercing a person for any purpose; and
  • require banks to assess the appropriateness of products and remuneration.


FCAC is responsible for the enforcement of these financial consumer provisions.

FCAC also promotes and applies voluntary codes of conduct that, when applied to FRFIs, require them to adhere to the conduct recommended by FCAC, including providing full, clear and understandable disclosure to customers.

Securities regulators have proposed certain regulatory amendments that would impose a statutory standard of care, but such changes were not adopted. In Quebec, securities registrants are required by law to deal in good faith with their clients.

Does the standard of care differ based on the sophistication of the customer or counterparty?

The level of sophistication does not affect the standard of care from a regulatory perspective. The courts have taken such factors into consideration in cases that relate to the liability of financial advisers. The extent to which a customer relies on the expertise and management of an adviser, such as a full discretionary portfolio manager, can have an important impact in determining liability and whether there was contributory negligence on the part of the customer (Laflamme v Prudential-Bache Commodities Canada Ltd [2000] 1 SCR 638 and Financière Banque Nationale inc c Dussault, 2009 QCCA 1594).

Pursuant to securities legislation, the sophistication of customers has an impact on the availability of certain exemptions from prospectus and registration requirements and regulations.


How are rules that affect the financial services industry adopted? Is there a consultation process?

In general, amendments to existing financial institution regulations and new regulations are proposed in consultations conducted by the federal Minister of Finance or by provincial governments, subject to a public comment period that can vary between 60 and 120 days. Comments are reviewed and the resulting text of the amendments is adopted by the government (federally, it is the Governor in Council; provincially, it can be the Minister of Finance of the province). It is common for the amendments to come into force following a transition period that can be up to 12 months or longer to give the industry time to prepare for the changes.

The process is similar in the case of securities regulation and for changes to self-regulatory organisation rules. The consultation, if required, is conducted by the securities regulators, which publish substantive amendments for comment.