Compliance programmes

Programme requirements

What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?


Prudential regulators such as OSFI have an interest in ensuring the sound financial management of FIs. This is achieved by publishing guidelines and advisories. Legislation also requires FIs to adopt their own policies that are best suited to their business and operations. Therefore, rather than prescriptive rules, prudential regulators in Canada adopt a regulatory approach based on principles. As an example, the policies and procedures that OSFI expects FRFIs to adopt include:

  • capital adequacy requirements;
  • prudential limits - relating to commercial lending, lending exposures, assets securitisation and related-party transactions;
  • sound business and financial practices which cover corporate governance, outsourcing arrangements, regulatory compliance management, operational risk management, use of derivatives, residential mortgage underwriting, interest rate risk and AML/TF and reinsurance;
  • accounting, financial reporting and disclosure; and
  • cybersecurity and reports of data breaches.

Securities registrants

Legislation applicable to securities registrants is more prescriptive and sets out requirements for these firms to have in place an internal control system, adequate policies and procedures and a qualified chief compliance officer responsible for monitoring compliance with their policies and procedures.


The PCMLTFA requires reporting entities, FIs and securities registrants to maintain compliance programmes designed to properly ascertain the identity of customers, assess transaction risk and report suspicious and other transactions to FINTRAC. Regulated entities are also required to have adequately trained employees in order to recognise risks of money laundering for their particular industry or sector.


How important are gatekeepers in the regulatory structure?

Gatekeepers are personnel who have an important role to play at both FIs and securities registrants. Where gatekeepers fail in their internal control and oversight responsibilities, the FI or securities registrant in question can be subject to administrative sanctions if financial markets or customers are unduly put at risk. Gatekeepers are often chief compliance officers, internal auditors, company risk managers, members of the board of directors and even personnel who deal directly with customers, such as investment advisers.


OSFI has published guidelines on corporate governance and operational risk management. In the latter guideline, OSFI sets out the concept of the three lines of defence, a structure that establishes appropriate accountability for managing operational risks.

The first line of defence is the business line, which is responsible for planning, directing and controlling the day-to-day operations of the FRFI and for identifying and managing the inherent operational risks in its products, activities, processes and systems. The second line of defence is the oversight function, which concerns specialised reviews of operational risks by such persons as compliance personnel and risk managers. The third line of defence is the internal audit function, which is responsible for objectively reviewing and testing the risk management controls, processes and systems of FRFIs.

Securities registrants

Securities regulators enforce the rules applicable to securities intermediaries. These rules include National Instrument 31-103 Registration Requirements, Exemptions and Ongoing Registrant Obligations, which imposes requirements on securities intermediaries to have a compliance system in place as well as qualified compliance officers and representatives. The disciplinary decisions of SROs such as IIROC and MFDA often identify failures of gatekeepers to protect customers or the integrity of financial markets. We have noted greater emphasis on the role of gatekeepers since the publication of National Instrument 31-103.

Directors' duties and liability

What are the duties of directors, and what standard of care applies to the boards of directors of financial services firms?

Directors of corporations have duties under common law and corporate statutes to act honestly and in good faith with a view to the best interests of the corporation, and to exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances. This standard of care is integrated in the provisions of the Bank Act, the Insurance Companies Act and the TLCA. In reviewing the conduct of directors, Canadian courts will apply the ‘business judgement’ rule, whereby the courts defer to the judgement of management, as long as the decision lies within a range of reasonable alternatives and is not dictated by a regulatory requirement.

Under federal FI legislation, directors have a general duty to manage or supervise the management of the business and affairs of the FRFI. Directors also have specific duties to establish an audit committee and a conduct review committee, and to maintain policies for, among other things, disclosure to customers, resolving conflicts of interest, and dealing with complaints (see Bank Act, section 157; TLCA, section 161).

Most securities registrants are required to designate a responsible officer who is required, along with certain other officers and directors of these firms, to complete the partners, directors and officers course, which securities regulators expect directors and officers to apply to their oversight of their firms.

When are directors typically held individually accountable for the activities of financial services firms?

Members of the board of directors of FIs and securities registrants can be held personally responsible for infractions under FI and securities legislation as a result of provisions providing that offences can be imputed to officers and directors who participate in the offence or assent to or encourage the commission of the offence. Directors can also be held personally liable where they fail to act in good faith and knowingly turn a blind eye to, or allow, an offence that continues to be committed.

Private rights of action

Do private rights of action apply to violations of national financial services authority rules and regulations?

FI legislation does not provide a regime for private rights of action. However, customers of FIs have rights to file complaints with regulators, such as the FCAC as well as with independent complaint bodies including the Ombudsman of Banking Services and Investment (OBSI). FIs are required to use the services of a complaints body, but they are not required to accept a complaint body’s recommendations to settle a complaint.

Securities legislation introduces various private rights of action, including rights of action for misrepresentation in primary and secondary markets, and rights of action for insider trading. The OSC, the AMF and the ASC have established formal whistle-blowing regimes.

Customers have a common right to damages from financial services firms for breaches of privacy legislation in certain jurisdictions and can make complaints to the different privacy commissioners in Canada.

Standard of care for customers

What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?

FIs are not subject to a statutory standard of care in dealing with retail customers. The FCAC, on the other hand, promotes and applies voluntary codes of conduct that, when applied to FRFIs, require them to adhere to the conduct recommended by the FCAC, including providing full, clear and understandable disclosure to customers. Securities regulators proposed certain regulatory amendments that would have imposed a statutory standard of care, but such changes were not adopted. In Quebec, securities registrants are required by law to deal in good faith with their clients.

Does the standard of care differ based on the sophistication of the customer or counterparty?

The level of sophistication does not affect the standard of care from a regulatory perspective. The courts, however, have taken such factors into consideration in cases relating to the liability of financial advisers. The extent to which a customer relies on the expertise and management of the adviser, such as a full discretionary portfolio manager, can have an important impact in determining liability and whether there was contributory negligence on the part of the customer (Laflamme v Prudential-Bache Commodities Canada Ltd., [2000] 1 SCR 638; Financière Banque Nationale inc. c Dussault, 2009 QCCA 1594).

Pursuant to securities legislation, the sophistication of customers has an impact on the availability of exemptions from prospectus requirements and regulations.

Rule making

How are rules that affect the financial services industry adopted? Is there a consultation process?

In general, amendments to existing FI regulations and new FI regulations are proposed in consultations conducted by the Minister of Finance (federal) or by provincial governments, subject to a public comment period that can vary between 60 and 120 days. Comments are reviewed and the resulting text of the amendments is adopted by the government (federally, it is the Governor in Council; provincially, it can be the Minister of Finance of the province). It is common for the amendments to come into force following a transition period that can be up to 12 months or longer, in order to give the sector time to prepare for the changes.

The process is similar in the case of securities regulation and for changes to SRO rules. The consultation, if required, is conducted by the securities regulators, which publish substantive amendments for comment.