Chapter 10 - Recordkeeping Requirements.pdf

Transcript

Recordkeeping Requirements 10

CONTENT AREAS

General Procedures Required for Recordkeeping

Regulatory Recordkeeping Requirements

Record Retention and Accessibility

LEARNING OBJECTIVES

1 | Discuss a dealer member’s non-financial recordkeeping obligations.

2 | Describe the records dealer members are required to maintain.

3 | Discuss recordkeeping accessibility.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 10      RECORDKEEPING REQUIREMENTS 10 3

INTRODUCTION
In the previous chapter, we discussed the key issues and processes involved in the opening and maintenance of
client accounts, with emphasis on compliance risk. In the process, we briefly touched on the requirements by CIRO
regarding recordkeeping. The focus of this chapter is a detailed view of the procedures that dealers must have in
place to meet requirements for proper retention of records.
Good recordkeeping is required by regulators. It is also critical to the dealer member in relation to investigations,
disciplinary actions, litigation, and other business issues. The documentation maintained by a firm of its activities is
essential to the firm’s ability to demonstrate its compliance with the law. This requirement applies, by extension, to
every registered person at the firm, in particular with respect to dealings and communications with clients.
In this chapter, we first discuss general good practices for recordkeeping, and then we explore in detail the individual
requirements of the various regulators. We also discuss the types of records that are not mandated by regulation,
but that should be maintained for internal purposes and made available to regulators upon request. Finally, we
discuss the requirements for proper storage and maintenance of records so that they are easily accessible when the
need arises.

GENERAL PROCEDURES REQUIRED FOR RECORDKEEPING

1 | Discuss a dealer member’s non-financial recordkeeping obligations.

Dealer members must have policies and procedures in place to meet requirements for proper retention of records.
Their records are essential to regulators and government agencies, including the provincial securities administrators,
CIRO, and non-securities-related government agencies such as the Canada Revenue Agency, FINTRAC, and the
Office of the Privacy Commissioner (OPC).
Recordkeeping requirements extend not only to day-to-day business records, but also to compliance, supervision,
complaints, and investigative matters. The requirements are dynamic and may vary between laws and regulatory
agencies. The compliance department should therefore maintain an up-to-date schedule of requirements applicable
by regulator but also by the type of information that is being retained. In larger dealer members, compliance
staff often relies on the legal department to keep them informed about changes to recordkeeping requirements,
including changes to limitations periods.
Registrants must maintain records for two reasons: to accurately record their business practices, financial affairs,
and client transactions; and to demonstrate the extent of the dealer member’s compliance with applicable securities
legislation. The manner in which the firm keeps its records is as important as the record itself. It must be stored in
a safe location in “durable form”, and in such a way that it can be quickly and easily provided to a regulator upon
request.

DID YOU KNOW?

Under CIRO Rules, a “record” is defined as books, records, client files and information and other
documentation, including electronic documents, related to the Regulated Person’s business.

GENERAL RECORDKEEPING FORMATS
Dealer members’ records are increasingly maintained in electronic format only, although paper recordkeeping still
exists at some firms. Regulators do not dictate the format of records; they only require that they be accessible.
In some cases, they may ask for a copy of the original document; in others, information alone is enough. When

© CANADIAN SECURITIES INSTITUTE
10 4 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 4

implementing recordkeeping systems, the firm must consider the regulators’ expectations for each type of
information.
Some records are created and maintained offsite, such as records of supervision of a dealer member’s business
locations. In such cases, the firm should implement a policy dictating the format and method of storage such that
the record can be retrieved in a reasonable period of time. Similarly, if the firm permits business location staff to
circulate preliminary prospectuses, it should also dictate the procedure and format for recording the names of the
recipients. This requirement ensures that final prospectuses are also circulated.
Every recordkeeping procedure should require identification of the record’s location and of the person or persons
responsible for creating it. Recordkeeping procedures in general should be designed to eliminate ambiguity and
assist in achieving consistency throughout all business locations. This consistency can subsequently be tested
through business location compliance audits.

DID YOU KNOW?

The Canadian General Standards Board (CGSB) has prepared a national standard for electronic records
with the goal of meeting legal evidence requirements. The CGSB standard can be accessed through the
Government of Canada website.

REGULATORY RECORDKEEPING REQUIREMENTS

2 | Describe the records dealer members are required to maintain.

The various regulators have specific recordkeeping requirements that are suitable to their needs. The different sets
of requirements are discussed below.

REQUIREMENTS OF CIRO RULES
Under CIRO’s general requirements to maintain records, a dealer member must maintain current records that:
properly record its business activities, financial position, financial operating results and client transactions,
and demonstrate the dealer member’s compliance with securities laws and CIRO requirements. The records
required under CIRO rules include, but are not limited to, those that demonstrate compliance with the following
requirements:

The dealer member’s policies and procedures
Know-your-client and suitability requirements
Complaint handling requirements

Records must document the following information:

Opening of client accounts, including any agreements with clients
Correspondence with clients
Compliance and supervision actions taken by the dealer member

Generally, these records must be retained for seven years.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 10      RECORDKEEPING REQUIREMENTS 10 5

DIVE DEEPER

IDPC Rule section 3803, General requirements for record retention periods, states:
A Dealer Member must retain copies of all records in a safe location required under CIRO requirements,
in durable and accessible form, for a minimum of seven years from the date the record is created unless
CIRO requirements or securities laws relating to the specific type of record require a different retention
period.
For complete requirements, visit CIRO’s website.

MATTERS REPORTED TO CIRO
An Approved Person must report to the dealer member if he or she is the subject of a written client complaint. The
dealer member is required to designate a person or department to whom these reports must be made, who must
then notify CIRO within the prescribed timeframe.
In most cases, reporting is made through ComSet. Failure to report on time may subject the dealer member to an
administrative penalty. All reported information is used to assist CIRO in fulfilling its regulatory role by identifying
areas for compliance review, matters that should be investigated, industry trends, and regional issues. For each
client complaint file, a dealer member must maintain a copy for seven years in a location that is quickly and easily
retrievable.
Complaint handling is discussed in greater detail further on in the course.

COMPLIANCE AND SUPERVISION RECORDKEEPING
As discussed previously, CIRO rules require dealer members to establish and maintain a written compliance
governance document setting out the organizational structure and reporting relationships that support required
compliance arrangements. These requirements encompass more than the Ultimate Designated Person and CCO.
CIRO rules also require that supervisors be designated to perform or oversee specific compliance activities.
Dealer members must take steps to ensure that they have appropriately defined the responsibilities of the relevant
designated person and have assigned them within the organization. CIRO requires that firms maintain records of
supervisory review for seven years. These important records must include the following information: who conducted
the review, when it was conducted, what enquiries were made, what replies were received, and what actions were
taken.

DIVE DEEPER

Under IDPC Rule section 3916, Governance document, a dealer member must file with CIRO:
i. a copy of a current governance document that sets out the organizational structure and reporting
relationships required under Rule 3900, and
ii. notice of any material changes to the organizational structure and reporting relationships set out in
the governance document.

For complete requirements see www.CIRO.ca

On a routine supervisory audit, compliance staff must try to verify evidence of daily and monthly account activity
supervision. Supervisors commonly report that they have reviewed the daily exception reports and applicable
monthly statements, but they did not record any enquiries because it was clear there were no problems.
In the past, business location supervisors may have evidenced supervision by making notes on daily and monthly
commission runs or exception reports. Although this can be effective if done thoroughly and diligently, the method

© CANADIAN SECURITIES INSTITUTE
10 6 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 4

has several drawbacks. The notes often show that transactions have been reviewed, but they do not always show
the type of enquiries made and, more importantly, any responses to enquiries. Furthermore, the volume of such
reports makes it difficult to record all enquiries and responses because it means returning to the correct place in the
report to record the note. Demonstrating evidence of supervision also involves reviewing up to thousands of pages
of reports to determine when and where enquiries and reviews were conducted.
This problem can be mitigated, though not eliminated, by introducing labour-saving templates, such as the pre-
formatted supervision log shown in Table 10.1.

Table 10.1 | Daily Trading Review

DATE:

BUSINESS LOCATION SUPERVISOR:

REGISTERED REPRESENTATIVE TRANSACTION NATURE OF ENQUIRY RESPONSE/ACTION TAKEN

Electronic access to such forms fosters efficient communication between head office and distant business locations.
A requirement to complete the form daily and file it in an accessible location ensures an appropriate record of
supervision which can also be easily retrieved upon a request from the compliance department or CIRO.
Email can also maintain evidence of supervision and can be used in conjunction with a log; however, email volumes
must be well managed for this system to be effective.

EXAMPLE
If a business location supervisor or compliance officer is communicating with an RR concerning trade or
transaction reviews, a follow-up strategy is necessary to ensure that emails are not sent and promptly forgotten.
Similarly, an email response to an enquiry should be maintained in an accessible file. Supervisors can keep
an email folder for each RR they supervise as evidence of supervision, provided that enquiries and responses
are appropriately filed. In this case, procedures should be implemented to ensure that emails are accessible.
The departure of a business location supervisor or compliance staff should not compromise the firm’s ability
to provide evidence of supervision. Procedures might involve periodically archiving email folders that contain
supervisory correspondence. Third-party supervisory systems are now readily available in the marketplace which
significantly automate the supervision process and, furthermore, the documentation of supervision. These types
of systems also incorporate workflow processes to enable automatic follow-up to ensure queries regarding
trading have been addressed in a timely manner.

Staff should be cautioned that email has all the attributes of written correspondence, including longevity. Email
communications are legally discoverable and have become key evidence in litigation. CIRO requires investment
dealers to archive all business-related emails, including emails sent by mobile wireless devices. Retention of other
internal emails may also warrant consideration.
Although CIRO sets out the minimum standards regarding the creation of exception reports, a dealer member can
prepare additional reports to assist in performing its supervision responsibilities.
Minimum standards currently require that equity trades over $5,000 in stocks trading at under $5 per share be
reviewed as part of daily supervision. A dealer member might decide that this report will be more helpful if sorted
by exchange or currency, or between exchanges and over-the-counter markets. Other types of custom supervision
might include a review of all third-party transactions or, alternatively, specific trades that meet particular criteria.
For example, a report that discloses all trades for clients of a particular age (e.g., 65 and up) that have aggressive
growth noted as an investment objective) might be worthwhile in the context of analyzing risk exposure for

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 10      RECORDKEEPING REQUIREMENTS 10 7

potential client complaints. If this type of report reveals a high number of these accounts with a particular RR,
further investigation should continue to determine if the RR is engaging in a meaningful discovery process. It might
also produce additional reports with different thresholds. In all cases, the minimums must be preserved.
Maintaining business location client files can also help demonstrate supervision, and failure to maintain them can
be viewed in an audit as poor supervision. These files contain client documentation and communications. In most
instances, RRs’ client files contain information exchanged directly between the RR and the client. However, any
client communication directed to the dealer member should be included in the business location client file.
Effective recordkeeping requires clear and enforced policies. It is relatively easy to establish guidelines and policies.
However, it is the evidence of supervision that is required in almost every sales compliance audit, both internal and
external. It may be acceptable to miss issues during a supervisory review, but it is not acceptable to fail to conduct
the review. Where there is no evidence of a review, the auditors will most likely conclude that a review did not take
place. The CCO must ensure both that rules and policies are in place, and that evidence of compliance with the rules
and policies exists.

REQUIREMENTS OF THE UNIVERSAL MARKET INTEGRITY RULES
CIRO’s Universal Market Integrity Rules set out audit trail and recordkeeping requirements with respect to orders
and trades in Sections 10.11 and 10.12. UMIR requires that records be retained for seven years, and that be kept in a
readily accessible location for the first two years. However, UMIR includes other requirements regarding markers to
be added when specific types of orders are transmitted to a marketplace.
UMIR Rule 10.16, Gatekeeper Obligations, requires that any Participant or Access Person who notes conduct
that might involve a potential breach of UMIR or other SRO rules and by-laws immediately report the matter
to their supervisor or compliance staff. If a supervisor or compliance employee receives a report, a review must
be conducted in accordance with the dealer member’s Trade Desk Policies and Procedures, adopted under UMIR
Rule 7.1. For more information regarding gatekeeper obligations, refer to Market Integrity Notice No. 2006-007,
Gatekeeper Reporting Obligation.
If the person doing the review concludes that a potential violation has occurred, he or she must take the following
actions:

Make a written record of the report and the review.
Diligently investigate the activity.
Make a written record of the findings of the investigation.
If a violation is identified, report the findings to CIRO no later than the 15th day of the month following the
month in which the findings were made. CIRO also encourages the reporting of instances where a violation may
have occurred.

Dealer members must retain the records of reports, reviews, and findings for at least seven years from the creation
of the record. It must also allow CIRO to inspect and make copies of its records at any time during normal business
hours. These review and reporting requirements are in addition to any others contained in securities legislation or
SRO rules.

REQUIREMENTS OF THE FINANCIAL TRANSACTIONS AND REPORTS
ANALYSIS CENTRE OF CANADA
Businesses and industries that must report to FINTRAC must also abide by regulations under PCMLTFA. This
legislation imposes direct reporting, client identification and recordkeeping requirements on securities dealers.
These requirements support the detection, investigation, and prosecution of money laundering and terrorist
financing offences.

© CANADIAN SECURITIES INSTITUTE
10 8 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 4

All securities dealers in Canada are required to implement a compliance regime in accordance with FINTRAC
guidelines. The first step in fulfilling the requirements is to appoint a compliance officer to oversee the development
and implementation of a dealer member’s money laundering and terrorist financing prevention program. This
person is sometimes referred to as the chief anti-money laundering officer and is usually the dealer member’s CCO.
Under PCMLTFA, dealer members must retain records in such a way that they can be provided to FINTRAC within
30 days of a request to examine them. Under the regulations, signature cards, account operating agreements, and
account application forms must be kept for five years from the day of closing of the account to which they relate. In
the case of records to confirm the existence of an entity (including a corporation) and beneficial ownership records,
they have to be kept for five years from the day that the last business transaction was conducted.
Dealer members must comply with several reporting requirements with respect to money laundering and terrorist
financing activities, some of which are described below. Firms should carefully review the PCMLTFA to ensure that
all reporting requirements are being met. In addition, they should register with FINTRAC to ensure that electronic
reports can be filed in a timely manner.

SUSPICIOUS TRANSACTIONS
Dealer members are required to submit reports to FINTRAC when there are reasonable grounds to suspect that a
transaction or attempted transaction is related to money laundering or terrorist financing. The same requirement
applies when a transaction or attempted transaction is related to property in the firm’s possession that appears to
be owned or controlled by a suspected terrorist or a terrorist group. Dealer members are required to submit the
report to FINTRAC as soon as practicable after reasonable grounds for suspicion have been determined. Reports are
typically submitted electronically (but may be submitted in paper format if the reporting entity in question does not
have the technical capability to submit electronically).

TERRORIST PROPERTY HOLDINGS
If property under a dealer member’s possession or control is known to be owned or controlled by a terrorist or
a terrorist group, a terrorist property report must be submitted without delay to FINTRAC, the RCMP, Canadian
Security Intelligence Service (CSIS), and CIRO. Furthermore, if it is known that a transaction is related to property
owned or controlled by a terrorist or a terrorist group, the transaction should not be completed and the property in
question must be frozen immediately.

DID YOU KNOW?

Dealer members are required to submit a monthly report to CIRO or the appropriate securities
administrator disclosing any property owned or controlled by or on behalf of a “listed person” that the
firm is in possession or control of. The report also requires dealer members to indicate whether the
RCMP and CSIS have been notified about the person and their property, and whether the assets have
been frozen.

LARGE CASH TRANSACTIONS
Anti-money laundering legislation requires dealer members to submit reports to FINTRAC when $10,000 or more
in cash (or its equivalent in another currency) is received in a single transaction. In addition, a report must be
submitted to FINTRAC when any two or more transactions of $10,000 or more in cash are received from the same
beneficial owner within a 24-hour period. If the dealer member has policies against accepting large amounts of cash
(as it should), these policies must be communicated to everyone involved in accepting client deposits.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 10      RECORDKEEPING REQUIREMENTS 10 9

CROSS-BORDER CURRENCY AND MONETARY INSTRUMENTS
If $10,000 or more in cash or monetary instruments is being imported or exported, whether by mail, courier, or
physically, this fact must be reported to a customs officer. An exemption exists for securities being imported to
Canadian dealer members by courier or mail. Securities cage staff should be aware of the reporting requirements.
Items that are not properly recorded can be seized at the border, with recovery being subject to a fine.
Chief financial officers should familiarize themselves with all issued guidelines from FINTRAC, which are readily
accessible on the agency’s webpage. In particular, Guideline 4 requires dealer members to implement a compliance
regime, and they must review this regime every two years to test its effectiveness.

REQUIREMENTS OF PRIVACY LEGISLATION
Part of the mandate of OPC is to oversee compliance with PIPEDA, which sets out rules regarding the collection,
use, and disclosure of clients’ personal information. To be compliant with PIPEDA and with similar provincial privacy
legislation in Quebec, British Columbia, and Alberta, dealer members must have policies and procedures in place to
govern the management of personal information.
A dealer member’s privacy policy should set specific limits for the amount and type of personal information that
can be collected based on what is necessary for a specific purpose. Collecting only required information reduces the
risk of inappropriate use and disclosure of the information.
Dealer members must also have procedures in place to handle requests from clients for access to their personal
information. When a request is made, a privacy officer appointed by the firm (typically the CCO) must ensure that
all front-line employees have the resources available to handle such requests. After a dealer member has confirmed
that it has personal information about a client, the firm must provide access to this data within 30 days of the
request. Dealer members must also tell clients how personal information about them is being used and to whom it
will be disclosed.
Because of requirements to provide information, dealer members must advise clients that their personal
information might be given to regulators upon request. The firm must decline to accept or administer the account
of clients who do not consent to have their personal information collected, used, or disclosed as necessary by the
firm to the regulators.
The dealer member’s privacy officer must establish timelines for the retention and destruction of all personal
information collected. In general, all information that is no longer required for its original purpose should be
destroyed, deleted, or rendered anonymous. The firm should have specific procedures for the safe destruction of
personal information.
The privacy officer must also develop safeguards that protect the sensitivity and maintain the confidentiality of any
personal information that the dealer member collects. This security can be achieved by limiting access to personal
information, storing files and documentation in a secure manner, having in place appropriate security measures
for personal information sent over the Internet or an intranet, and making sure that paper and electronic data are
disposed of properly.
Fines for violations of the privacy legislation are significant and criminal charges may proceed either by summary
conviction or an indictable offence. It is also an offence under the privacy legislation to destroy personal information
that a client has requested, to dismiss or harass an employee who has complained to the Privacy Commission, or to
obstruct a complaint investigation or audit.

© CANADIAN SECURITIES INSTITUTE
10 10 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 4

OTHER RECORDKEEPING REQUIREMENTS
The following types of records are not specifically mandated by regulation; however, they may be necessary for
regulatory or other legal purposes, and can be beneficial to the conduct of the CCO:

Records of changes to policies and procedures can be useful in resolving litigation and investigations,
particularly those policies and procedures that were in place at the time of the incidents in question. This type of
recordkeeping or tracking is similar to a table of concordance. It allows a dealer member to know with certainty
what policies were in place at what time, as well as when the policy manual was updated.
Statistical records of client complaints and settlements can be useful in determining the appropriateness of
changes in supervisory requirements and in policies and procedures.
Records of market research and recommendations, and their effective dates, can be useful and sometimes
necessary in resolving litigation and client complaints.
Records of approvals (or non-approvals) can be useful when compliance department approval is required for
internal purposes. Less formal forms of recordkeeping should also be subject to policies and procedures for
records retention.
Due diligence should also be conducted on distributions of securities. Dealer member policies vary on the issue
of due diligence records retention. Some firms maintain all records; others have detailed policies governing
which records must be maintained. The CCO must ensure that the dealer member’s policy governing records
retention can demonstrate due diligence during an audit and that the firm adheres to the policy.

EXAMPLE
Most RRs keep personal records such as day-timers and client books that can be useful in settling disputes.
Similarly, written or electronic calendar entries and emails that are not otherwise required to be retained can
prove useful. During an investigation or dispute, it may be necessary to show that the person who kept such a
record did so as a matter of practice; otherwise, it may be construed that records shown as evidence were made
up to serve the purpose.
Regardless of the manner in which a record is kept, RRs should maintain consistent recordkeeping practices.
To promote good recordkeeping and retention, they should be encouraged to maintain detailed notes about
the client relationship in whatever manner is most convenient to them. The timing of the record’s creation is as
important as the record itself. A record that is made during or immediately following an event in question is more
likely to convince the investigator that it is accurate and that the RR’s system of recordkeeping is valid.

RECORD RETENTION AND ACCESSIBILITY

3 | Discuss recordkeeping accessibility.

Of critical importance to a dealer member is a master schedule showing what records exist, where they are, and
who is responsible for their maintenance. If records cannot be easily located and easily produced upon request,
regulators will assume that they do not exist. The recordkeeping responsibilities of individual employees should be
included in the dealer member’s policies and procedures, as well as in their job descriptions or similar procedural
directions. The schedule should be updated as required and should form the basis for internal audits to ensure that
the procedures are being followed.
The dealer member’s record retention policy should deal with records normally held by individuals, such as day-
timers, journals, and electronic records of advisors. Many advisors take these records with them upon leaving the
firm. In some cases, advisors own the computers that they use regularly. Retention of electronic records can be
simplified by having network backups of whatever information is stored on personal devices.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 10      RECORDKEEPING REQUIREMENTS 10 11

Handwritten records can be more difficult to deal with. If it is understood that the advisor can take such records
upon leaving the dealer member, and if there is no regulatory obligation for the dealer member to retain the
records, the dealer member should at the very least have a contractual right of access to the records for a
reasonable period.
Retention of records of compliance and supervision is also important, but it is sometimes overlooked, particularly at
branch locations. There may be a practice of throwing out paper commission or exception reports, even those that
contain notes or comments as the only record of issues raised, questions asked, and answers given. Even if retained,
such records in paper form are bulky. A later search through numerous boxes of records for notes or comments that
may or may not exist is time-consuming and costly. It is generally more effective to keep electronic records. Paper
records on which notes are made should be stored separately by date, or all such notes and reports should be put
into client files.

© CANADIAN SECURITIES INSTITUTE
10 12 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 4

SUMMARY
In this chapter, we discussed the procedures that dealers must have in place to meet requirements for proper
retention of records.
We discussed that recordkeeping procedures should be designed to eliminate ambiguity and achieve consistency
throughout all business locations, with the aim of assisting compliance audits.
We also discussed that the various regulators have specific recordkeeping requirements. For example, CIRO’s
requirements focus on a dealer member’s providing evidence of adequate supervision. This evidence becomes
especially important when a client complaint leads to an investigation and possible disciplinary action. FINTRAC, on
the other hand, focuses its recordkeeping requirements on the prevention and detection of money laundering and
terrorist financing.
A critical aspect of recordkeeping is the means of retention and the accessibility of records. We discussed the types
of records that should be retained, the importance of having someone in charge of maintaining them, and the
methods used to ensure that they can be made accessible when necessary. A key point to remember is that even the
personal devices and handwritten records of employees should not be off-limits in an investigation, and contracts
with employees should be written up with this fact in mind.
The essential nature of a dealer member’s records becomes most apparent when a client is unhappy about some
aspect of his or her dealings with a firm. Those records are an integral part of the processes and procedures that
every dealer member must have for handling client complaints. In the next chapter, we discuss those processes and
procedures in detail.

© CANADIAN SECURITIES INSTITUTE