Chapter 2 - Formal Compliance Structure.pdf

Transcript

Formal Compliance Structure 2

CONTENT AREAS

Overview of a Formal Compliance Structure

Roles and Responsibilities

Creating a Senior-Level Compliance Structure

Relationships with Regulators and Other Parties

Introducing Broker/Carrying Broker Arrangements

Compliance Governance Document

LEARNING OBJECTIVES

1 | Discuss the mandate and responsibilities of a compliance department, and distinguish between
supervision and compliance.

2 | Describe the role and responsibilities of a chief compliance officer, a board of directors, and other
designated persons.

3 | Discuss and differentiate between the components of a senior-level compliance structure.

4 | Describe the chief compliance officer’s role in maintaining relationships with regulators and with
internal and external parties.

5 | Describe the four types of introducing broker/carrying broker arrangements under the Canadian
Investment Regulatory Organization Rules, and list the responsibilities of the introducing broker
and the carrying broker for each type.

6 | Develop a compliance governance document.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 2      FORMAL COMPLIANCE STRUCTURE 2 3

INTRODUCTION
In the previous chapter, we discussed the importance of having a properly working compliance function and
department at an investment dealer member of CIRO. We focused particularly on the need for a culture of
compliance. We also examined how the nature of compliance and the roles of key internal players at a dealer
member have evolved to meet the current expectations of regulators in the securities industry.
In this chapter, we discuss the formal compliance structures mandated by securities regulation and those that are
less formal but dictated by good business practices. The second type may exceed, but not fall short of, regulatory
expectations. They are put in place to reflect the acceptable risk profile mandated by the dealer member.
In general, this chapter treats the compliance department as a dedicated resource separate from business
operations, with full-time staff under the direction and authority of a full-time chief compliance officer. In some
dealer members, particularly smaller firms, compliance is carried out by one or more persons who also have
business line responsibilities and possibly other operational responsibilities.

OVERVIEW OF A FORMAL COMPLIANCE STRUCTURE

1 | Discuss the mandate and responsibilities of a compliance department, and distinguish between
supervision and compliance.

A formal compliance structure at a dealer member is made up of a compliance function and a compliance
department. As discussed in Chapter 1, the compliance function refers to the various staff members who carry out
compliance responsibilities at a dealer member. The compliance department is a business unit whose role is to
identify, assess, advise on, act on, communicate, monitor, escalate, and report on the dealer member’s compliance
with regulatory requirements. General compliance concepts and certain specific requirements apply equally to all
dealer members, but the manner in which they are applied depends on the characteristics of the individual firm.
For example, a large, integrated, full-service dealer member typically would have an extensive and complex
supervisory and compliance control environment because of the many services and products it offers through
various channels. A boutique dealer member specializing in a limited range of product and service offerings would
have a considerably different structure, as would an introducing broker that relies on its carrying broker to carry out
specified activities.
Surveillance and monitoring are seen as the primary functions of the compliance department. However, it is also
the department’s role to interpret rules and to address and explain compliance issues. Furthermore, the CCO and
the compliance department are only part of an effective compliance risk management structure. The department
should operate within formal and informal relationships both inside and outside the firm.

DID YOU KNOW?

The compliance department, and in particular the CCO, is typically the lead relationship contact with all
regulators with authority over the dealer member.

When designing a formal compliance structure, CCOs should consider the dealer member’s business, corporate
structure, and governance framework, which are designed to meet business objectives. They should then define
and document the department’s mandate in the context of the total environment. Ultimately, the most effective
compliance structure complies with regulatory and risk management requirements in a way that aligns with
business objectives. It is important for firms to design a compliance mandate based on business that is actually
carried out. The same holds true for supporting documents such as the policy and procedure manual. A pre-ordained
compliance structure that is not based on the business actually carried on by the firm will not support the firm in
meeting regulatory and compliance expectations.

© CANADIAN SECURITIES INSTITUTE
2 4 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 1

The terms used and roles played by various departments of a dealer member are not always clear because they vary
in the way functional responsibilities are allocated. The term risk management, for example, is used by insurance
underwriters, lenders, derivative traders, and compliance officers to mean different things. Similarly, the role of
an internal audit department is often confused with the role of the compliance department. Regardless of the
differences, however, all departments must be clear about their responsibilities.
Dealer members are subject to numerous compliance requirements beyond those imposed by securities regulations.
Not all requirements are necessarily the responsibility of the CCO or the compliance department. Non-securities-
related requirements include legal and regulatory requirements imposed by employment and corporate statutes,
anti-money laundering and terrorist financing regulations, and privacy laws. A firm’s structure and business may
impose further obligations.

EXAMPLE
Client accounts must be handled in accordance with relevant tax regulations overseen by the Canada Revenue
Agency. If a dealer member has an agreement with the United States Internal Revenue Service, it must comply
with these obligations as a Qualified Intermediary. A dealer member or its parent may also have issued securities
to the public and be subject to the obligations of a reporting issuer. The CCO and the compliance department are
unlikely to have the necessary expertise or authority to address such issues.

A dealer member and its CCO should agree on the CCO’s legal and regulatory responsibilities across the firm. A
less-than-explicit statement of a CCO’s mandate can lead to compliance gaps when unanticipated problems arise.
A regulator may hold the compliance department or CCO responsible for a compliance failure if responsibility has
not been assigned elsewhere. Typically, the CCO’s mandate is stated in his or her job description but it should also
be specified in public or firm-facing documentation so that other departments and business units understand the
mandate of the compliance department.
Each dealer member must assign specific responsibilities to the CCO, and either the board of directors or the
UDP should see to it that all other compliance responsibilities are assigned elsewhere. All requirements should be
documented, including expectations as well as responsibilities. For example, it should be made clear that the CCO
is expected to provide advice when requested and to identify control vulnerabilities within the firm, even those that
are not his or her direct responsibility.

CONTROL FUNCTIONS AT A DEALER MEMBER
Certain securities regulatory functions may be performed by the compliance department or may be assigned to
other areas. Typical compliance department functions include the following activities:

Developing and maintaining compliance policies and procedures, which typically are published and updated in
the dealer member’s policy and procedure manual
Monitoring and surveillance (including supervision of Tier 2 trading and onsite business location reviews)
Conducting certain pre-clearance and approval activities
Providing compliance training, education, awareness, and support
Dealing with regulatory examinations, inquiries, and issues
Monitoring, participating in, and providing advice on regulatory developments
Handling complaints
Conducting internal reviews and investigations
Maintaining regulatory relationships
Reporting internally on compliance matters to management and the board of directors

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 2      FORMAL COMPLIANCE STRUCTURE 2 5

Reporting externally on compliance matters to regulatory authorities
Managing registration-related issues

Other control functions mandated by securities regulations or other authorities are described below.

FINANCE AND ACCOUNTING
CIRO requires that dealer members appoint a chief financial officer (CFO) who is typically responsible for managing
the firm’s financial and accounting functions. Responsibilities include the maintenance and monitoring of the firm’s
capital position as required by regulations. The CFO also oversees activities that are integral to the firm’s business
activities, such as budgeting, expenditure controls, and cash management.
The regulatory framework does not explicitly distinguish the CFO’s area of accountability from the CCO’s, although
accepted industry practice usually draws a distinction between financial compliance and business conduct
compliance. However, some operational areas fit equally well under the compliance monitoring of either the CCO
or the CFO. Therefore, it is important that the dealer member delineates between the responsibilities of the two
positions.

CREDIT
The credit area of a dealer member typically establishes margin policies and rates to the extent that the firm uses
rates lower than those mandated by regulation. It also monitors and enforces firm and client adherence to credit
policies and related matters, such as those related to sell-outs and the issuance of margin calls, accounts that are
under-margined, and accounts that are in a debit position.

AUDIT
Dealer members must have periodic external audits of their financial statements and specific financial, operational
and control procedures. Larger dealer members may also have an internal audit function that reviews the firm’s risk
management, reporting, and control environment. Typically, internal audit departments are aligned with finance
departments with a direct reporting link to the audit committee of the board of directors. An audit department
might also audit a compliance department, conduct its own business locations audits, or participate in sales
compliance audits led by a compliance department.

REGISTRATION
Most dealer members have a specialist group that handles various firm and individual registration applications,
changes, renewals, terminations, and related filings required under securities regulations. This function may exist
under the compliance department or the legal department, or it may be a stand-alone department, depending on
the complexity of the dealer member’s business model.

LEGAL
The need for specialist legal resources varies significantly between dealer members, depending on the nature of
their business and size. In addition, the CCO may sometimes have a legal background. Legal services are usually
required when drafting standard-form client documents and agreements, providing advice on the legal aspects of
new products, services and business initiatives, and during litigation and other legal processes. Firms may rely on
external counsel or hire internal counsel, either within the compliance department or through a separate general
counsel or legal department.
If a lawyer within a compliance department (including a CCO who is also a lawyer) provides legal advice to the
dealer member, such services must be clearly distinguished from compliance activities. This distinction is necessary
to avoid confusion as to whether the advice is being provided by a lawyer or by the CCO. The distinction also
preserves the legal privilege of materials, which protects a client’s dealings with a legal advisor from being disclosed
without the client’s permission.

© CANADIAN SECURITIES INSTITUTE
2 6 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 1

Although not required, the legal department is often set up as a separate function from the compliance department
for this reason. In such cases, the compliance department operates as a client department, similar to all other
departments. In this manner, when required, the compliance department can seek legal advice from the law
department and be afforded similar privilege and confidentiality protections that clients typically enjoy.

CORPORATE SECRETARY
The corporate secretary is responsible for official documents, such as the official seal, records of shares issued, the
dealer member’s corporate minute book, and minutes of all board or committee meetings. The secretary usually
supports the firm’s governance by organizing meetings, compiling and distributing meeting materials, making sure
that certain required resolutions are submitted to the board of directors, and similar administrative functions. This
person may also be responsible for filings required by corporate law.

RISK MANAGEMENT AND INSURANCE
The risk management function is noteworthy because securities regulations impose specific fidelity bond and mail
coverage requirements. Risk management is also a key element of the dealer member’s control environment as it
relates to trading and credit exposure.
Some or all of these responsibilities may be integrated within the compliance department, or the compliance
department may form part of these functional areas. Regardless of the structure adopted, the dealer member’s
overall compliance framework should delineate the relevant responsibilities. The CCO should act to ensure that
internal reporting and communication lines are coordinated so that information is shared between compliance and
other departments.
The cyclical nature of the investment industry often leads to reductions or increases in staff as the market shifts.
CIRO expects its dealer members to maintain effective compliance programs in all market conditions. The firm
may have some flexibility in determining the compliance structure, but it must always have adequate staff and
resources to meet compliance and control functions. This consideration is particularly important in the context of
restructuring.

EXAMPLE
In many dealer members, various other departments are aligned with the compliance function and share
compliance responsibilities. For example, the following three departments share some degree of responsibility:

The finance department is generally responsible for ensuring adherence to regulatory capital rules.
Interaction with compliance on issues relating to capital is inevitable.
The credit department is responsible for the timely settlement of securities trades and for monitoring the use
of margin. Many private client compliance problems are complicated by credit issues.
Larger dealer members have internal audit departments that conduct audits of head office departments and
business locations to assist in ensuring compliance with the internal control standards of the industry. These
audits often overlap with sales compliance audits conducted by the compliance department.

ROLES AND RESPONSIBILITIES

2 | Describe the role and responsibilities of a chief compliance officer, a board of directors, and other
designated persons.

CIRO’s IDPC rules set out the dealer member’s obligation to supervise its business and operations and establish
a system of controls designed to provide reasonable assurance that the dealer member and its employees are
complying with CIRO requirements. Further obligations are imposed by the Universal Market Integrity Rules

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 2      FORMAL COMPLIANCE STRUCTURE 2 7

(UMIR) and by other securities regulatory authorities. These regulatory requirements provide a framework for a
dealer member’s formal compliance structure that encompasses the roles, responsibilities, and relationships of
the compliance department. Within this framework, the dealer member must create, maintain, and apply written
policies and procedures that establish a system of controls and supervision. As part of this system, it must also
establish a mechanism to ensure that all registrants are capable of complying with applicable CIRO requirements.
This mechanism will typically take the form of ongoing and current training for registrants to support their
understanding and awareness of regulatory obligations.

DIVE DEEPER

IDPC Rule section 3901 (2) states:
Appropriate supervision of all aspects of a Dealer Member’s business and operations is a fundamental
responsibility of the Dealer Member. The Dealer Member’s policies and procedures that specifically
address its supervision system must remain up to date at all times, based on current CIRO requirements
and applicable laws.
Complete requirements in this regard can be found on CIRO’s website.

DISTINCTION BETWEEN SUPERVISORY AND COMPLIANCE FUNCTIONS
The supervisory function is very similar, but not identical, to the compliance function. CIRO distinguishes between
supervision and compliance as follows:

Compliance staff identifies issues and typically refers them to the appropriate supervisor for resolution.
Supervisors resolve issues after they have been identified.

The supervisor is generally part of the business unit in which the compliance issue occurred. The logic of this
arrangement is that the business unit is best able to supervise its own activities.
Compliance operates at arm’s length from the business unit and relies on sampling and other techniques to identify
compliance issues. It does not normally review every transaction.

DIVE DEEPER

CIRO guidance further articulates the nuances that distinguish the two functions. See Guidance
Note 1400-21-002, The Role of Compliance and Supervision. This Guidance Note relates to
Rule 3900, Supervision, and to Rule 1400, Standards of Conduct.
For complete requirements see www.CIRO.ca

CIRO permits dealer members to combine compliance and supervision. For example, compliance officers may be
assigned responsibility for approving new accounts, which is a supervisory responsibility that requires registration. In
determining whether a person has supervisory responsibility, CIRO looks at the person’s responsibilities, authority,
and functions, and any documentation describing the person’s responsibilities and authority. We examine these
roles and responsibilities below.

THE DEALER MEMBER
Each dealer member must establish, implement, communicate, and maintain effective programs to ensure
compliance with applicable rules and regulations. It must also appoint as many supervisors as necessary to properly
supervise the business of the firm. Finally, the compliance and supervisory regime must take into account the scope
and complexity of the firm’s business.

© CANADIAN SECURITIES INSTITUTE
2 8 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 1

BOARD OF DIRECTORS
Under IDPC Rule section 3915, the CCO must report to the board of directors (or its equivalent) about the status
of compliance at the dealer member. Reporting must occur as often as necessary, typically on a quarterly basis,
but at least annually. The very detailed reports should provide a status report on the state of compliance matters
within the firm. The board is required to review the reports and, if any compliance deficiencies are noted, it must
decide what actions are necessary to rectify them. It must then make sure that the actions deemed necessary are
carried out.
The responsibilities of the board in relation to trading are detailed in UMIR under Part 1 Responsibility for Supervision
and Compliance of Policy 7.1 Trading Supervision Obligations. This provision restates the dealer member’s obligation
to supervise the actions of its employees, directors, and officers to ensure that trading is carried out in accordance
with regulatory requirements.
The applicable sections of Policy 7.1 read as follows:
An effective supervision system requires a strong overall commitment on the part of the Participant, through
its Board of Directors, to develop and implement a clearly defined set of policies and procedures that are
reasonably designed to prevent and detect violations of Requirements. The Board of Directors of a Participant
is responsible for the overall stewardship of the firm with a specific responsibility to supervise the management
of the firm. On an ongoing basis, the Board of Directors must ensure that the principal risks for noncompliance
with Requirements have been identified and that appropriate supervision and compliance procedures to manage
those risks have been implemented.
Management and the Board of Directors must ensure that the compliance department is adequately funded,
staffed and empowered to fulfill these responsibilities.
In performing the trading supervision obligations, the Participant will act as a “gatekeeper” to help prevent and
detect violations of applicable Requirements.

MANAGEMENT
Each dealer member management team is responsible for supervising and directing the activities of the dealer
member, as well as the individuals within the dealer member, to ensure compliance with the rules governing those
activities within their management responsibility.

COMPLIANCE DESIGNATIONS
A number of formal compliance designations are required, some of which depend on the types of business
conducted by the dealer member. Some designations may require specific registration approval by a regulatory
authority; others are assigned by the firm. The firm must maintain particulars of the persons who have
accountability. Key designated persons include the positions described below, among others.

ULTIMATE DESIGNATED PERSON
CIRO requires that each dealer member have only one person approved in the category of UDP. It also requires that the
designated UDP be the chief executive officer (CEO) or a person who acts in a similar capacity. The CCO is permitted
to also serve as the UDP, but this arrangement typically occurs only in smaller firms. It is more likely that investment in
compliance will be treated as a high priority when the business head is appointed to the position of UDP.
The UDP is responsible for the conduct of the dealer member and the supervision of its employees. The UDP is
also responsible for developing and implementing policies and procedures that adequately reflect the regulatory
requirements of the firm.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 2      FORMAL COMPLIANCE STRUCTURE 2 9

CHIEF COMPLIANCE OFFICER
The dealer member must appoint a CCO, which is an integral position in the firm’s executive management team.
Certain functions and activities are assigned to the CCO by regulation, and responsibilities are further defined by the
firm’s organizational structure. See Exhibit 2.1 below. The person in this role must implement compliance systems
and establish and maintain policies and procedures for assessing compliance by the firm and by persons acting on its
behalf. The CCO is also responsible for monitoring and assessing compliance with all of the firm’s requirements and
applicable rules.
Regardless of the role of the CCO at any given dealer member, the function should interact with business areas
across the organization. The CCO must have access to the UDP and the board of directors (or equivalent) when the
CCO considers it necessary or advisable in view of his or her responsibilities.

Exhibit 2.1 | Excerpt from IDPC Rule section 3912, Responsibilities of the Chief Compliance Officer

The Chief Compliance Officer must:
1. Establish and maintain policies and procedures to assess compliance by the Dealer Member and individuals
acting on its behalf with CIRO requirements and securities laws;
2. Monitor and assess compliance by the Dealer Member, and individuals acting on its behalf, with CIRO
requirements and securities laws; and
3. Report to the Ultimate Designated Person as soon as possible if there is any indication that the Dealer
Member or any individual acting on its behalf may be in noncompliance with CIRO requirements
or securities laws and (A) the noncompliance creates a reasonable risk of harm to a client; (B) the
noncompliance creates a reasonable risk of harm to the capital markets; or (C) the noncompliance is part of
a pattern of noncompliance.

DESIGNATED SUPERVISORS
CIRO requires that a dealer member appoint as many supervisors as necessary to properly supervise its various lines
of business. CIRO requires designated supervisors to be responsible for functions including:

Opening new accounts and supervising account activity
Supervising options and futures accounts
Pre-approving advertising, sales and literature, and correspondence materials

An individual may be designated as a supervisor in more than one category. For example, a supervisor at a business
location may be the designated supervisor for account openings, options accounts, and certain types of marketing
and advertising.

ACCOUNTS SUPERVISOR
Dealer members must appoint one or more supervisors who are responsible for approving the opening of new
accounts and for establishing and maintaining procedures relating to the supervision of accounts and account
activity.
CIRO rules permit a hierarchy for the approval of new accounts and supervision of ongoing account activity. These
responsibilities are shared by a few persons in a small dealer member; larger firms with more locations may require
a more elaborate supervisory structure. The CCO typically assesses whether the adopted processes are operating as
they should. In the case of larger firms with several business locations, the CCO’s assessment may involve periodic
onsite reviews of business location supervision and recordkeeping as required. Alternatively, small firms may choose
to assign supervisory responsibility for account opening and activity directly to a centralized compliance function.

© CANADIAN SECURITIES INSTITUTE
2 10 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 1

RESIDENT SUPERVISORS
CIRO rules do not refer to branch managers as part of a formal compliance structure; however, the resident
supervisor’s role is similar to that of a branch manager. CIRO considers that a resident supervisor is in the best
position to know the registrants (e.g., RRs and IRs) in the office, to know or meet many of the clients, to understand
local conditions and needs, to facilitate business by quickly approving new accounts, and to respond immediately to
questions or problems.
CIRO rules do not require a resident supervisor for a business location; however, they do contemplate certain factors
that dealer members should consider in determining whether a resident supervisor is required. Once a formal
business location and head office supervisory structure is in place, the firm and its registrants must verify that it
works to ensure that business conduct across the entire firm is in compliance with CIRO rules.

EXAMPLE
To illustrate the flexibility of the rules with respect to implementing a system of supervision, some dealer
members will have regional supervisors for each province who are based centrally, but who travel to the business
locations within their supervision territory frequently. Each dealer member must make sure that such a system
works effectively once it is put into place.
Alternatively, some dealer members take a more location-centric approach by maintaining enough supervisors
in each business location to meet certain criteria. Criteria might relate to the number of registrants, the types of
business carried out (e.g., options or commodities), and factors such as previous client complaints or registrants
on heightened supervision.
The rules have been tailored to ensure flexibility in recognition of the differing business models that exist among
dealer members of CIRO, so that each member may implement a system that is best suited to its business
model.

OPTIONS SUPERVISORS
Dealer members that deal in options must appoint a qualified supervisor to monitor options trading, to approve
customer accounts, and to establish and maintain appropriate supervisory procedures pertaining to options trading.

FUTURES SUPERVISORS
Dealer members that deal in futures must appoint a qualified supervisor to monitor trading in futures contracts, to
approve customer accounts, and to establish and maintain appropriate supervisory procedures pertaining to futures
trading.

TRADING SUPERVISOR
Section 7.1 of UMIR requires that each dealer member appoint a head of trading to oversee supervision of the firm’s
trading activities in the marketplace. The head of trading must also make sure that all employees are supervised for
compliance with UMIR.

SUPERVISOR OF ADVERTISING, SALES LITERATURE, AND CORRESPONDENCE
Dealer members must designate one or more supervisors to be responsible for supervising advertising, sales
literature, and correspondence distributed by the firm and its employees. These supervisors must make sure that all
materials, both hard copy and electronic, comply with applicable regulatory standards and the firm’s own policies
and procedures. They must also approve specified materials prior to publication or use.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 2      FORMAL COMPLIANCE STRUCTURE 2 11

OTHER DESIGNATIONS
Other designations may be required, depending on a dealer member’s business. For example, dealer members must
designate one or more supervisors to be responsible for reviewing and approving research reports, and dealers
offering managed or discretionary accounts must assign responsibility to qualified supervisors for such activities.
Appointment of a chief officer of anti-money laundering/anti-terrorist financing (AML/ATF), a chief privacy officer,
and a designated complaints officer is also required.
Qualified staff must be appointed to each designated position, but overlap is permitted. For example, the chief
privacy officer might also be the chief AML/ATF officer. However, it would not be appropriate for a credit clerk, for
example, to serve as chief AML/ATF officer because such a person is unlikely to be qualified.

CHIEF ANTI-MONEY LAUNDERING/ANTI-TERRORIST FINANCING OFFICER
The chief AML/ATF officer is responsible for the dealer member’s compliance with the federal Proceeds of Crime
(Money Laundering) and Terrorist Financing Act (PCMLTFA) and its regulations. This position is required pursuant to
the PCMLTFA. The AML/ATF compliance officer should have the authority and the resources necessary for proper
discharge of responsibilities. The appointed person should be a senior-level officer with direct access and must
provide regular reporting to senior management and the board of directors.

CHIEF PRIVACY OFFICER
The chief privacy officer must implement and supervise the dealer member’s privacy policy. This officer must
make sure that the privacy policy complies with both the federal Personal Information Protection and Electronic
Documents Act (PIPEDA) and provincial privacy legislation. The regulations prescribe how private sector
organizations may collect, use, or disclose personal information in the course of commercial activities. The firm’s
privacy officer may also be responsible for ensuring the firm’s compliance with Canada’s anti-spam laws.

DESIGNATED COMPLAINTS OFFICER
Dealer members are required by CIRO rules to appoint an individual to act as a designated complaints officer for the
firm. The person in this role may be a supervisor or other registrant in the compliance department. This position is
discussed in greater detail further on in the course.

CREATING A SENIOR-LEVEL COMPLIANCE STRUCTURE

3 | Discuss and differentiate between the components of a senior-level compliance structure.

The UDP and the CCO roles at a dealer member form the senior-level components of a formal compliance structure.
The UDP is in a position of accountability, whereas the CCO’s position is one of day-to-day responsibility. The CCO
advises management on compliance issues and must report to the UDP and the board of directors regarding the
status of compliance at the firm. The UDP is ultimately responsible to the SROs for the conduct of the firm and the
supervision of its employees. The dealer member must allow its UDP and CCO to directly access the firm’s board of
directors whenever either person considers it necessary or advisable in view of their responsibilities. We will further
explore the relationship between the CCO and UDP after looking at other components of a compliance structure,
below.

REPORTING REQUIREMENTS
Because the CCO has access, and reports at least annually, to the board, he or she is able to establish a working
relationship with the directors. The mandate of the CCO is to provide the board with reasonable assurance that
all standards and requirements of applicable securities laws and regulations are met, along with the firm’s own

© CANADIAN SECURITIES INSTITUTE
2 12 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 1

requirements. CIRO expects that the CCO’s report to the board will identify and discuss material findings contained
within the following articles:

CIRO compliance reports
Early warning designations
Gatekeeper reports
Disciplinary actions
Compliance risk trend reports
Any other relevant findings

When the CCO reports compliance deficiencies to the board, it is the board’s responsibility to determine what
actions are necessary and make sure they are carried out. However, it usually looks to the CCO for guidance.
Regardless of whether the board requests it, CIRO rules require a CCO to report on the sufficiency and effectiveness
of actions taken. The CCO works with management and other relevant parties to arrive at a mutually satisfactory
approach to resolving compliance issues. If differences cannot be resolved through escalation to the UDP and other
executive management, the CCO must advise the board of his or her concerns. Board reporting is discussed in
greater detail further on in this course.

AUDIT COMMITTEE
The boards of directors of all public companies (and many private companies) have audit committees that consider
the reports and recommendations of external auditors. This committee can also consider the reports of the
internal audit department and the compliance department. However, because these procedures meet only the
minimum requirements, they are not sufficient for a large firm. In such cases, as part of its corporate governance
responsibilities, the board should request follow-up reports on major issues highlighted in the annual report. In
other words, an annual report requirement does not mean that compliance issues are only discussed once a year. A
compliance or business conduct committee of the board is another feasible means of board oversight that reinforces
the importance of compliance.

DOCUMENT RETENTION
The CCO should maintain documentary evidence of compliance for the mandatory seven years from the date the
record is created. Firms should also consider specific document retention policies, including those applicable to
electronic records such as email. The ability to prove compliance with the applicable rules is as important as actual
compliance with the rules. The documentation requirement applies particularly to the following activities:

Client account openings
Compliance with the Know Your Client (KYC) rule and suitability requirements
Correspondence with clients
Compliance and supervision activities of the firm

COMBINING THE UDP AND CCO ROLES
The regulatory framework permits a firm to designate the same person as both UDP and CCO. This combined role
may be appropriate in small firms where the nature, extent, and complexity of business activities do not warrant
retaining a full-time CCO. In those circumstances, it generally works best for the CEO to serve as both UDP and
CCO because it sends a strong message about the importance of compliance. It is also a more effective option
than having a junior employee in the same position who may lack the seniority, authority, experience, and skills
necessary to properly perform the CCO function.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 2      FORMAL COMPLIANCE STRUCTURE 2 13

There are significant disadvantages, however, to combining the UDP and CCO roles. UDPs have other obligations
that may prevent them from devoting sufficient time to the CCO function. It also takes time for the UDP to become
technically proficient in the CCO role and familiar with the applicable regulations. Before deciding to combine the
two roles, it is important to consider the amount of time required to be an effective CCO.
In addition, segregation of functions is a key internal control principle. Combining the UDP and CCO roles eliminates
the benefits of having a separate risk assurance function that can conduct independent assessments of the firm’s
activities and supervisory processes. If the UDP has a potential conflict of interest in relation to compliance, such
a structure can remove the balance that might otherwise exist—in extreme situations, it can result in issues being
neglected or concealed.
A UDP who also acts as CCO assumes full responsibility for advising management about compliance issues and
for allocating resources to address deficiencies. In other words, the person in the combined role assumes full
regulatory liability for compliance failures that could have been prevented through the exercise of reasonable
care.

IDENTIFYING POTENTIAL CONFLICTS OF THE UDP
In conjunction with their regulatory responsibilities, UDPs must balance the diverse interests of clients, employees,
shareholders, creditors and other stakeholders. They must also focus on various business outcomes, including sales,
profitability, and shareholder return. In setting regulatory compliance and risk management goals, the CCO must
take all such objectives and stakeholders into consideration.
For example, a UDP who is also the CEO is directly responsible for the firm’s capital markets business.
However, it may not be possible for that person to have an arm’s-length relationship between the business and
compliance functions. Arguably, this conflict is acceptable because business decisions should always be made
with full knowledge of, and appropriate regard for, compliance accountability. However, such is not always the
case.
Particularly problematic are situations where the UDP or other senior management or board members have a
business interest on the firm’s side and a personal interest on the other side of a transaction.
The CCO should be aware of any situation where there is a strong financial incentive by a person in a position of
authority to breach regulatory or fiduciary standards in pursuit of personal profit. The CCO should notify the UDP
of the conflict of interest and report it to the board, if necessary. Such conflicts may come to light through the
following means:

Registrants’ declaration of conflicts under securities and corporate laws
Ongoing compliance surveillance and monitoring
Informed internal or external parties
The CCO’s own knowledge of the firm’s business

The CCO cannot ignore a substantiated concern about illegal or improper activities by the UDP or by any other
member of senior management or the board. Depending on the situation, the CCO should confront the relevant
party or formally escalate the matter to executive management or the board (assuming there is no evidence
of complicity). In some cases, the CCO’s only option is to resign and seek legal counsel. The resignation must
be accompanied by a full, written description of reasons for doing so. The CCO must also notify the securities
regulatory authorities and, if necessary, the police.

© CANADIAN SECURITIES INSTITUTE
2 14 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 1

RELATIONSHIPS WITH REGULATORS AND OTHER PARTIES

4 | Describe the chief compliance officer’s role in maintaining relationships with regulators and with
internal and external parties.

Maintaining relationships with federal and provincial regulators and with the SRO is a crucial function of the CCO.
These relationships help the CCO to acquire and maintain industry knowledge, to shape industry regulation, and
to ensure that effective lines of communication are open when issues arise at the firm. A first step in fostering such
relationships is to identify the bodies that regulate the businesses of the dealer member, including the following
organizations, among others:

CIRO
Provincial securities administrators
Ombudsman for Banking Services and Investments (OBSI)
Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)

CIRO supports a Compliance and Legal Section that has the following mandate:

It advises on the development of rules and policies on business conduct, registration, and enforcement-related
matters affecting dealer members.
It provides a forum for the exchange of information related to complying with CIRO, as well as other
requirements regarding business conduct, registration, and enforcement-related matters.

CIRO’s Conduct, Compliance and Legal Section (CCLS) is one of many CIRO Advisory Committees. CCLS may
have subcommittees that focus on issues such as education; institutional, retail, and order-execution-only lines of
business; money laundering; registration; and seniors’ issues. Dealer members have the opportunity to nominate
representatives for these committees. The representatives, in turn, provide opportunities for input on industry-
specific issues.
The CCO is often the primary interface between the regulatory bodies and the dealer member. Managing these
interfaces is an important and occasionally challenging task, especially in the context of regulatory enquiries,
investigations, and disciplinary actions. The CCO should develop policies to guide the firm’s interaction with
regulators, especially for regulatory activities. For example, if a regulator begins an investigation into a business or
activity of the firm, someone at the firm must be in a position to coordinate the regulatory enquiry. To maintain
good relations with the regulators, the firm is obliged to readily cooperate with investigations and respond quickly
to enquiries and requests for records.
A policy dealing with regulatory interface should address the following items:

The identity of a department or person at the dealer member who is the single point of contact with the
regulators (typically the CCO for all regulators)
A protocol regarding actions to be taken in the face of a regulatory audit or investigation
Educational measures regarding these same actions
Recordkeeping requirements to ensure that regulatory enquiries are addressed fully and on time, and that
records of responses are maintained

When regulatory audits take place at the dealer member, additional direction must be provided to staff during the
audit process regarding such things as communications and clean desk policy.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 2      FORMAL COMPLIANCE STRUCTURE 2 15

RELATIONSHIPS TO LINE MANAGEMENT, EXECUTIVE MANAGEMENT
Certain aspects of the relationship between compliance and business unit management should be reflected in the
formal compliance structure adopted by the dealer member. The CCO should be involved in the firm’s strategic
decisions about issues—both narrow and broad. A narrow issue, for example, might be the offer of a new product
or service, whereas a merger with a competitor or the creation of a new business division has broader implications.
Ideally, the CCO should be perceived not only as the source for identifying regulatory issues and concerns about
business decisions, but also as a constructive and creative problem solver. It is much easier to provide input at the
early stages of a business decision than to address concerns that arise after the fact.
CCOs must establish a free flow of information between the compliance department and business line managers.
Because of its monitoring and surveillance activities, the compliance department is often in the best position to
identify actual or potential problems. Such risk situations should be reported to the appropriate management
supervisory personnel. The compliance department often provides support in any further investigation and offers
advice about remedial actions. If the business unit cannot resolve an issue, it should be escalated.
The compliance department must understand the structure and activities of the business in order to design
appropriate oversight mechanisms and identify problems and issues. Through involvement in new business
activities, the department can assess relevant risks and requirements and report them to management. Likewise,
business unit managers, supervisors, and other personnel should be encouraged to contact the compliance
department when any compliance questions arise. However, the compliance department’s role is to advise rather
than dictate. Final decision-making authority should reside with the business unit manager or supervisor, or with
someone further up the line of accountability. The compliance department should maintain its independence in the
process.
However, should a business unit manager choose to ignore the advice of the compliance department, the dialogue
that has taken place surrounding the issue itself should be clearly documented. Documentation should include the
recommendation of the compliance department and the ensuing decision of the business unit to ignore that advice.
In such instances, the escalation of such issues to the UDP and other senior management may be warranted.

REPORTING TO MANAGEMENT
A key responsibility of the CCO is to ensure effective and prompt reporting of compliance-related matters and
to properly escalate problems and issues when necessary. The CCO is also expected to act professionally and in a
manner appropriate to the seniority of the role when giving recommendations and advice on how such matters can
be resolved.

PROMOTING THE BENEFITS OF COMPLIANCE
A properly designed compliance system minimizes regulatory problems, litigation, and client complaints. However,
it is difficult to measure the value of effective compliance in precise terms. The significant costs associated with
compliance failures usually become apparent only when they occur.
Therefore, the CCO should promote the benefits of compliance across the organization. As much as possible, the
CCO should provide measurements using trend analysis, peer group comparisons, and other techniques. Advocacy
of compliance can also be premised on regulatory necessity and ethical imperatives; however, advocates are most
effective when they define and quantify the benefits of good compliance.

RELATIONSHIPS WITH EXTERNAL PARTIES
As indicated earlier, it will be important for the compliance department—and the CCO in particular—to manage
several internal relationships within a dealer member as part of effective introduction and maintenance of a culture
of compliance within the firm. In addition to internal relationships, dealer members also have external relationships
with service providers. These service providers form part of the dealer member’s compliance infrastructure.

© CANADIAN SECURITIES INSTITUTE
2 16 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 1

Examples of external relationships that require management, and that are also subject to CIRO rules, are
the introducing and carrying broker relationship that a dealer member maintains. In addition to this specific
relationship, CIRO also provides guidance on its expectations when a dealer member chooses to outsource certain
functions (i.e., retain an external party to provide operational services). Both of these subjects are discussed below.

INTRODUCING BROKER/CARRYING BROKER ARRANGEMENTS

5 | Describe the four types of introducing broker/carrying broker arrangements under the Canadian
Investment Regulatory Organization Rules, and list the responsibilities of the introducing broker and
the carrying broker for each type.

In order to manage back office expenses, dealer members may enter into arrangements that involve back office
service sharing with another organization. This includes an arrangement between an introducing broker (introducer)
and a carrying broker (carrier), which raises important compliance considerations.
Introducing broker/carrying broker (IB/CB) relationships are regulated under CIRO rules. In this context, an
introducer is an investment dealer who contracts out its recordkeeping, clearing, settlement, and custody functions
to another dealer member—the carrier. An introducer can also contract out other services to the carrier, such as the
provision of margin on client purchases.
The combination of services and the assignment of responsibilities determine the type of IB/CB arrangement that
is in place. Simply put, the services provided by the carrier include both maintenance of the introducer’s books and
records and custody of its clients’ assets.
IDPC Rule 2400, Acceptable Back Office Arrangements, delineates four types of IB/CB arrangements and describes
the responsibilities of each party for each type, as well as the requirements for documentation and disclosure to
clients. CIRO provides a standard agreement for each type of arrangement. The commercial terms agreed to, such
as fees and comfort deposits by the introducer, are included as appendices to the agreements. Some variable and
critical items, such as the reports to be provided to the introducer, are also listed in the appendices and present an
important issue for CCOs, given that these reports may be used to carry out critical compliance and supervision
functions. Some carriers also provide back-up compliance services to their introducers, even when they carry no
formal compliance responsibility. The CCOs of both parties must be aware of the services being provided and the
extent of the responsibility undertaken by the carrier.
To the extent that an introducer does not take responsibility for the capital required by clients’ accounts, and
because it does not handle client assets, it may be subject to lower capital and insurance requirements.

TYPES OF INTRODUCING BROKER/CARRYING BROKER ARRANGEMENTS
There are four major types of IB/CB arrangements. Each type is described in detail below.

TYPE 1 ARRANGEMENT
In a Type 1 arrangement, the introducer conducts business under its own name at a location similar to the carrier’s.
The carrier provides for margin requirements, funding of client accounts, security, and free-credit segregation. It also
handles all cash and security transactions on behalf of the introducer, including both trading and settlement. The
introducer and carrier are jointly responsible for supervision and compliance.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 2      FORMAL COMPLIANCE STRUCTURE 2 17

The arrangement is initially disclosed to the client when an account is opened and it appears on all statements,
trade confirmations, and correspondence. Because the carrier is responsible for all matters affecting capital and has
joint and several responsibility for supervision and compliance, the minimum risk-adjusted capital (RAC) for a Type 1
introducer is $75,000, instead of the usual $250,000.
Type 1 introducers can have only one carrier and must do all business through that dealer member. An exception is
allowed for commodity futures, if the carrier does not provide that service.

TYPE 2 ARRANGEMENT
In a Type 2 arrangement, the introducer is solely responsible for supervision and compliance requirements.
Disclosure of the arrangement can be made either when the account is opened and annually thereafter, or on a
continuous basis, as with Type 1 arrangements. The minimum RAC for a Type 2 introducer is $250,000; however, the
introducer does not have to provide capital for client margins.
A Type 2 introducer must also do all its business through one carrier only, with the same exception for commodity
futures that applies to Type 1 relationships.

TYPE 3 ARRANGEMENT
In a Type 3 arrangement, the introducer is responsible for reporting client account balances and providing for client
margin. The introducer is also responsible for reporting concentrated security positions contained in the serviced
client accounts.
In this type of arrangement, the introducer is solely responsible for supervision and compliance. The arrangement is
disclosed either when an account is opened and annually thereafter, or on a continuous basis.
A Type 3 introducer can have more than one carrier. It can also carry some types of accounts solely on its own
books, if it can show a business need to do so, and it can consolidate the various books and records for capital
supervision and reporting purposes.

TYPE 4 ARRANGEMENT
In a Type 4 arrangement, the introducer has all the responsibilities of a Type 3 introducer and is also responsible for
segregation of client free-credit balances. It can provide its own financing directly through the use of margined and
inventory securities, although this is usually done through the carrier. A Type 4 introducer can also have more than
one carrier or carry some types of accounts solely on its own books, subject to the same conditions that apply in a
Type 3 relationship.
Table 2.1 summarizes the current rules relating to IB/CB requirements, as codified in the various sections of
Rule 2400.

© CANADIAN SECURITIES INSTITUTE
2 18 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 1

Table 2.1 | Introducing Broker/Carrying Broker Requirements Under IDPC Rule 2400

Standards and Type 1 Type 2 Type 3 Type 4
Responsibilities

Minimum capital $75,000 $250,000 $250,000 $250,000

Client account The carrier reports The carrier reports Introducers must report Introducers must report
reporting client account balances client account balances client account balances client account balances
for introduced for introduced of their own introduced of their own introduced
accounts. accounts. accounts. accounts.

Client margining The carrier is The carrier is The introducer is The introducer is
responsible. responsible. responsible. responsible.

Compliance Introducers and The introducer is The introducer is The introducer is
supervision carriers have joint responsible. responsible. responsible.
responsibility.

Introducers entering Multiple IB−CB Multiple IB−CB Multiple IB−CB Multiple IB−CB
into multiple IB/CB arrangements are arrangements are arrangements are arrangements are
arrangements not allowed, with not allowed, with allowed when the allowed when the
the exception of an the exception of an introducer can show introducer can show
additional arrangement additional arrangement the following meets the following meets
entered into exclusively entered into exclusively three requirements: three requirements:
for trading in futures for trading in futures
and options. and options.
It has a separate It has a separate
product line. product line.
It has appropriate It has appropriate
systems in place to systems in place to
monitor the KYC monitor the KYC
rule. rule.
It can report It can report
customer cash customer cash
balances and balances and
securities positions securities positions
on a combined on a combined
basis. basis.

These rules include These rules include
the arrangement for the arrangement for
trading in futures and trading in futures and
options. options.

Introducer fully Same as above Same as above Same as above Same as above
servicing a line of
business

Client Required Required Not required Not required
acknowledgement at
the opening of client
accounts

Appendix A, at the end of this chapter, provides a more detailed chart that summarizes the current IB/CB rules.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 2      FORMAL COMPLIANCE STRUCTURE 2 19

CHARACTERISTICS OF A CARRYING BROKER
To qualify as a carrying broker, a dealer member must meet the following conditions:

It must be a CIRO dealer member.
It must be approved in the province in which the carrier’s head office is located.
It must otherwise be in compliance with applicable CIRO rules and any requirements of the regulatory authority
in the jurisdiction of the introducing broker.

A carrier can carry the accounts of clients introduced to it by another CIRO dealer member. Because of the unique
fiduciary responsibilities inherent in the financial services industry, when choosing a carrier, an introducer should
consider factors such as the carrier’s industry reputation, financial strength, knowledge, experience, service
assurances, and commitment to business.
Chief compliance officers should be aware of the levels of service and technology that carriers can provide to help
them maintain compliance and supervision at all levels. The following characteristics of the carrier are important
considerations:

Credit policies
Procedures manuals
Forms (which should be compatible with the introducer’s approach to client documentation and supervision)
Internal control policy statements
Registration
Business continuity plan
Daily trade and month-end statement review reporting
Exception reports
Back-up compliance reviews and advice (which is often an added service, without carriers being responsible for
correcting problems, unless they raise a credit issue or other issues of concern to the carrier)
Anti-money laundering and privacy guidelines

REPORTING REQUIREMENTS
Carriers are considered the gatekeepers in an IB/CB relationship. Their responsibility lies in ensuring that introducers
abide by CIRO rules. This responsibility varies depending on the requirements and the nature of the activity.
The only introducers that share equal responsibility for client supervision regarding KYC rules are Type 1 introducers.
Both parties in a Type 1 arrangement must understand the day-to-day division of functions and maintain clear lines
of communication.
Carriers are obliged under CIRO rules to ensure that introducers have the necessary system requirements, forms,
and other reports required to abide with the regulations. This obligation is one of the benefits for the introducer
of entering into an IB/CB relationship: it is the carrier’s responsibility to ensure that any affected internal control
systems are aligned with new or amended rules.
The carrier in a Type 1 relationship conducts daily trade and month-end client statement reviews at the head office
level under CIRO rules. It might also perform these reviews in other types of arrangements as a service to the
introducer, but it would generally do so without dealing with identified problems because it is not required to under
CIRO rules.

© CANADIAN SECURITIES INSTITUTE
2 20 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 1

PRIVACY REQUIREMENTS
Canada’s federal privacy law, PIPEDA, imposes certain obligations on both introducers and carriers. Under PIPEDA,
each dealer member must appoint an individual who is responsible for ensuring that the dealer member is in
compliance with PIPEDA. A carrier cannot dictate who the introducer appoints; however, as a service, it might
prepare a memorandum highlighting important aspects of PIPEDA, to help the introducer deal with the impending
changes. The carrier can also provide examples of documents or training that it intends to use to ensure compliance
with PIPEDA.

FOREIGN AFFILIATES
An exemption in the CIRO rules allows carrying brokers to enter into an IB/CB relationship with a foreign affiliate.
This exemption exists only for foreign affiliates of the carrier, with the following conditions:

The foreign affiliate must disclose the relationship to its clients.
It must obtain approval from the requisite authority in its jurisdiction.

The carrier must apply for this exemption, documenting the services provided and the completion of the necessary
conditions. Some jurisdictions, including the United States, permit this arrangement, but only for the purpose of
institutional delivery-against-payment business (in which payment for securities is due at the time of delivery). For
retail business, the foreign affiliate must have a U.S. carrier operating under U.S. requirements.

OUTSOURCING ARRANGEMENTS
Generally, arrangements in which recordkeeping services and custodial services are not provided are not subject to
the IB/CB rules. They are, however, subject to CIRO’s guidance on outsourcing arrangements. CIRO Guidance Note
2300-21-003 notes that although outsourcing arrangements have existed for many years, business cost pressures
are leading dealer members to outsource non-traditional functions. CIRO expresses concerns that without adequate
safeguards, this trend could lead to incremental investor protection risk, market reputation risk, credit risk, and
systemic risk.
In general, regulators use the distinction between core and non-core functions in their discussions about
outsourcing. The International Organization of Securities Commissions describes a core function as one that is
“critical to the ongoing viability of an entity as well as meeting its regulatory obligations to customers”. Regardless
of this distinction, the industry acknowledges that some core functions can be outsourced, providing that adequate
controls are in place.
In the past, outsourcing has included the following arrangements:

Back office sharing with an affiliated Canadian financial institution
IB/CB arrangements
Security custody arrangements
External portfolio management arrangements

The Canadian Securities Administrators introduced general principles about the internal controls that should
accompany outsourced functions. These principles are included in Part 11 of the Companion Policy to National
Instrument 31-103. It states that registered firms (including dealer members) continue to be responsible and
accountable for outsourced functions. Outsourcing arrangements should be set out in a written, legally binding
contract that includes mutual expectations. Due diligence should be conducted of prospective third-party service
providers, including their affiliates. This diligence should include an assessment of the service provider’s reputation,
financial stability, relevant internal controls, and ability to deliver the services.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 2      FORMAL COMPLIANCE STRUCTURE 2 21

The registered firm should also have the following cautionary measures:

Assurance that the service provider has a business disruption recovery plan and safeguards to protect the
privacy of client information
Ongoing quality reviews of the outsourced functions
A tested business continuity plan in case the service provider fails to deliver the contracted services
Proper acknowledgement of privacy and other laws when entering into the arrangement

The registered firm, its regulators, and auditors should have access to the work product of the service provider. Also,
a control list of all outsourcing arrangements, including effective dates, must be maintained by the registered firm.

OUTSOURCING OF CORE VERSUS NON-CORE FUNCTIONS
CIRO states that the following core functions may not be outsourced:

The account opening process
Suitability assessments
The handling of client complaints

However, the following core activities may be outsourced:

Investment decisions for managed accounts
Certain client account-related functions, such as the clearing and settlement of trades
Administration of margin and other account loans
Management and maintenance of information systems
Preparation of client account statements, regulatory financial reports, non-financial regulatory reports,
registration filings and database maintenance activities, treasury functions, corporate finance activities, research
reports and marketing, and professional services such as accounting and internal audit services

The following non-core functions may also be outsourced:

Office service management
The procurement of external consultant services
Human resources management

DUE DILIGENCE EXPECTATIONS
CIRO notes that detailed requirements exist for specific outsourcing arrangements, including IB/CB arrangements,
security custody arrangements, and external portfolio management arrangements. In considering whether other
functions may be outsourced, CIRO proposes the following due diligence expectations of dealer members, when
making a decision about outsourcing a service or function:

A dealer member should have a comprehensive outsourcing policy that guides its due diligence process in
making an outsourcing decision.
A dealer member should not outsource a function if it diminishes its ability to meet its obligations to its clients
and regulators, impedes its effective supervision by regulators, or unduly concentrates outsourced functions
with one service provider.
A dealer member should report new outsourced functions to CIRO in accordance with IDPC Rule section 2246.
See Guidance Note 2200-21-001, Reporting of Material Changes to Business Activities for more details.

© CANADIAN SECURITIES INSTITUTE
2 22 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 1

A dealer member that has outsourced functions should perform the following measures:

Enter into comprehensive, written outsourcing contracts.
Maintain a centralized list of core activities that have been outsourced.
Establish a comprehensive risk management program that addresses the risks associated with the outsourced
functions and the service provider.

EXAMPLE
Outsourcing risks to be managed include reputation risk, compliance risk, exit strategy risk, data and information
access risk, and the concentration risk of the industry as a whole to the service provider. Dealer members should
have a robust procurement system relating to critical services such as information technology to ensure that
appropriate due diligence is conducted on all service providers, and due diligence in this regard should be updated
frequently. This is particularly important given the recent increase in cybersecurity risks in the investment industry.

COMPLIANCE GOVERNANCE DOCUMENT

6 | Develop a compliance governance document.

Dealer members must establish and maintain a written compliance governance document setting out the
organizational structure and reporting relationships that support required compliance arrangements. These
requirements encompass more than the UDP and CCO. As discussed previously, CIRO rules require that supervisors
be designated to perform or oversee specific compliance activities.
Dealer members must take steps to ensure that they have appropriately defined the relevant responsibilities of the
designated persons and have assigned them within the organization. CIRO requires that dealer members maintain
records of supervisory review for seven years. These important records must include the following information: who
conducted the review, when it was conducted, what enquiries were made, what replies were received, and what
actions were taken.

CONTENT OF THE COMPLIANCE GOVERNANCE DOCUMENT
The compliance governance document of a dealer member must be in writing and must set out the organizational
structure and the reporting relationships that support the compliance function, as required.
Because no mandatory form or content applies to the document, dealer members have a great deal of flexibility
when creating it. At a minimum, the following information should be included:

A list of all roles required by regulation (UDP, CCO, and supervisor)
A clear description of what each role requires
The identity and role of the person to whom each required role reports
A list of the procedures and responsibilities used to designate persons to fill the required roles
The identity and role of the person responsible for approving the compliance governance document and
reviewing it periodically for necessary amendments
The reporting relationship of the CCO to the board of directors of the firm

The dealer member should consider incorporating policy statements of any business unit positions for which the
incumbent will be designated to fulfill a regulatory role. Such a statement might read as follows: “The person occupying
the office of the CEO shall be designated as, and assume the responsibilities of, the firm’s Ultimate Designated Person.”

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 2      FORMAL COMPLIANCE STRUCTURE 2 23

A more general statement may be appropriate where it is not possible to identify everyone who may, from time to
time, be required to assume a specific designated role.
The firm must maintain accessible records of all designated supervisors to ensure compliance with CIRO rules. The
firm should also maintain accessible records of compliance governance documents and related items. Such records
must include changes to designated supervisors, delegations of functional responsibility, and similar material. These
records must be maintained for seven years.
The board of directors should approve the corporate governance document, and the document must be filed
with CIRO. A copy of the document should be given to specific people with designated roles. Only the people’s
designated roles should be named, so that the document does not have to be amended when other staff changes.
Each current designated role must be documented, as well as records of historical assignments and any changes to
these assignments.
The document may also address how often the CCO must report to the board and any board structures related to
compliance (i.e., the role of the executive committee acting on behalf of the board when dealing with compliance
issues).

REVIEWS AND UPDATES
The compliance governance document should be reviewed and updated when necessary. For example, a change
in a dealer member’s management structure or the organization of the business unit organization may necessitate
revisions. An approval process should be defined for such changes, and notice of any material changes must be filed
with CIRO.

RELATIONSHIP TO POLICIES AND PROCEDURES MANUAL
The compliance governance document should refer to and be consistent with a dealer member’s written policies
and procedures manual. The same holds true for other documented descriptions of roles and responsibilities, such
as board of directors’ mandates and descriptions of individual position.
The primary role of the governance document is to identify the people who have regulatory roles in a dealer
member and provide an overview of their responsibilities. On the other hand, the policies and procedures manual
identifies the people responsible for specific activities and supervisory functions, describes in detail all requirements
for the roles, and explains how they are conducted.

© CANADIAN SECURITIES INSTITUTE
2 24 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 1

SUMMARY
In this chapter, we discussed the formal compliance structure of a dealer member, beginning with the compliance
department’s mandate that forms the basis of such a structure. We described the control functions and
the assignment of compliance responsibilities to different areas of the dealer member. These functions and
responsibilities are mandated by CIRO or other securities regulatory authorities. Additionally, CIRO distinguishes
between the supervisory and compliance functions of a dealer member.
We explored the various regulated roles that make up the framework of a dealer member’s formal compliance
structure and the basic duties required of the appointees. Specifically, we explained the obligations of the firm itself,
the board of directors, the CCO, the UDP, management, and the various designated persons in compliance and
supervisory roles. Some designations require specific registration approval by a regulatory authority, whereas others
are assigned by the firm to suit its particular business model.
This chapter also provided a detailed description of the CCO’s role and responsibilities from a hiring perspective.
This information should help you explain the experience, skills, and industry knowledge a CCO should bring to
the dealer member. It is important to remember, however, that no one job description or candidate profile can be
uniformly applied to the CCO role, because no two dealer members are exactly alike.
Just as no single job description applies to the CCO’s role, no single organizational structure fits all compliance
departments. Nevertheless, although dealer members vary in their management structure, business lines, and
strategies, the different units of a firm share typical features in their organizational charts. CIRO requires dealer
members to establish and maintain a written compliance governance document setting out the organizational
structure and reporting relationships.
This chapter brings us to the end of Section 1: The Role of Compliance and Formal Compliance Structure. By now, you
should have a good understanding of the compliance mechanisms of a dealer member and how they are influenced
by securities regulation. With this knowledge, you are ready to begin the first chapter of Section 2, in which you will
learn more about Canada’s regulatory environment and basic securities law.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 2      FORMAL COMPLIANCE STRUCTURE 2 25

APPENDIX A
The following chart summarizes the current rules relating to IB/CB requirements, as codified in the various sections
of IDPC Rule 2400.

Standards and Type 1 Type 2 Type 3 Type 4
Responsibilities

Minimum capital $75,000 $250,000 $250,000 $250,000

Client account The carrier reports The carrier reports Introducers must report Introducers must report
reporting client account client account client account balances client account balances
balances for balances for of their own introduced of their own introduced
introduced accounts. introduced accounts. accounts. accounts.

Client margining The carrier is The carrier is The introducer is The introducer is
responsible. responsible. responsible. responsible.

Segregation of The carrier is The carrier is The carrier is responsible. The carrier is responsible.
comfort deposits responsible. responsible.
and securities

Segregation of The carrier is The carrier is The carrier is responsible. The introducer is
client-free credit responsible. responsible. responsible.

Insurance Both introducers and Both introducers and Both introducers and Both introducers and
coverage carriers must provide carriers must provide carriers must provide carriers must provide
the necessary the necessary the necessary insurance the necessary insurance
insurance coverage. insurance coverage. coverage. Introducers coverage. Introducers
Introducers must Introducers must must include client net must include client net
include client net include client net equity in calculating their equity in calculating their
equity in calculating equity in calculating insurance coverage. insurance coverage.
their insurance their insurance
coverage. coverage.

Disclosure of IB/CB Ongoing disclosure Annual disclosure is Annual disclosure is Annual disclosure is
arrangement is required, as well as required, as well as required, as well as required, as well as
when the account is when the account is when the account is first when the account is first
first opened. first opened. opened. opened.

Compliance Introducers and The introducer is The introducer is The introducer is
supervision carriers have joint responsible. responsible. responsible.
responsibility.

CIRO membership With the exception With the exception With the exception of With the exception of
of foreign of foreign foreign subsidiaries and foreign subsidiaries and
subsidiaries and subsidiaries and foreign affiliates, both the foreign affiliates, both the
foreign affiliates, foreign affiliates, introducers and carriers introducers and carriers
both the introducers both the introducers must be CIRO dealer must be CIRO dealer
and carriers must and carriers must members. members.
be CIRO dealer be CIRO dealer
members. members.

© CANADIAN SECURITIES INSTITUTE
2 26 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 1

Standards and Type 1 Type 2 Type 3 Type 4
Responsibilities

CIRO approval The firms must have The firms must have The firms must have a The firms must have a
a written contract, a written contract, written contract, and written contract, and
and CIRO approval and CIRO approval CIRO approval must be CIRO approval must be
must be obtained to must be obtained to obtained to enter into an obtained to enter into an
enter into an IB/CB enter into an IB/CB IB/CB arrangement. IB/CB arrangement.
arrangement. arrangement.

Introducers Multiple IB/CB Multiple IB/CB Multiple IB/CB Multiple IB/CB
entering into arrangements are arrangements are arrangements are allowed arrangements are allowed
multiple IB/CB not allowed, with not allowed, with when the introducer can when the introducer can
arrangements the exception the exception show the following three show the following three
of an additional of an additional requirements: requirements:
arrangement entered arrangement entered
into exclusively for into exclusively for
It has a separate It has a separate
product line. product line.
trading in futures and trading in futures and
options. options. It has appropriate It has appropriate
systems in place to systems in place to
monitor the KYC rule. monitor the KYC rule.
It can report It can report
customer cash customer cash
balances and balances and
securities positions securities positions
on a combined basis. on a combined basis.
These rules include the These rules include the
arrangement for trading arrangement for trading
in futures and options. in futures and options.

Introducer fully Same as above Same as above Same as above Same as above
servicing a line of
business

Introducers clearing Not allowed Not allowed Allowed Allowed
trade settlements
on its own

Exemption from Exemption is allowed Exemption is allowed Exemption is allowed Exemption is allowed
Rule 2400 at the discretion of at the discretion of at the discretion of the at the discretion of the
the CIRO. the CIRO. CIRO. CIRO.

Client Required Required Not required Not required
acknowledgement
at the opening of
client accounts

© CANADIAN SECURITIES INSTITUTE