Chapter 7 - Development of Policies and Procedures.pdf

Transcript

Development of Policies
and Procedures 7

CONTENT AREAS

Overview of Policies and Procedures

Developing and Amending Policies and Procedures

Writing and Formatting Policies and Procedures

Disseminating Policies and Procedures

Implementing Policies and Procedures

LEARNING OBJECTIVES

1 | Describe the key principles used in developing policies and procedures.

2 | Explain the key elements of writing policies and procedures.

3 | Identify the major considerations when creating or reviewing policies and procedures.

4 | Discuss various methods of approving and disseminating new or changed policies and procedures.

5 | Describe the important considerations when implementing policies and procedures.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 7      DEVELOPMENT OF POLICIES AND PROCEDURES 7 3

INTRODUCTION
In the previous chapter, we explored the subject of ethics and its role in compliance with securities regulation. We
discussed the fact that an effective ethics program helps create a strong corporate culture where values play a
critical role. We also discussed the code of conduct at a dealer member, which is typically supplemented by a set of
policies and procedures based on industry regulations. Those policies and procedures are the subject of this chapter.
Whereas code of conduct is a set of guiding principles defining compliant behaviour in broad terms, a policies and
procedures manual is a detailed set of rules governing every aspect of the firm’s operations. It is used to assist in
training employees and to serve as a reference point for the activities of the firm. Without well-crafted policies and
procedures, employees must rely on their own judgment or on their interpretation of vaguely written guidelines.
Good policies and procedures that are communicated to, and understood by, all staff members helps to protect the
dealer member itself and the industry as a whole from risk.
This chapter focuses on the key principles underlying written policies and procedures. It also provides resources for
you to consider, along with ideas for policy and procedure design, approval, and dissemination, as well as issues
relating to their development and implementation.

OVERVIEW OF POLICIES AND PROCEDURES

1 | Describe the key principles used in developing policies and procedures.

A key component of a culture of compliance at a dealer member is a set of policies and procedures that are
written clearly and communicated throughout the firm. The goal of having policies and procedures is to establish
compliance and performance standards for the firm. Policies and procedures also provide a useful means for
compliance staff to explain why certain rules exist – a question often asked by registrants when discussing a
particular issue. The compliance department should be prepared to provide background as to what the particular
rule or regulation is, why it is in place, and how it then comes to exist in the firm’s policy manual. A dealer member
can choose to have policies and procedures that are stricter than a particular industry rule; however, it is necessary
to understand the basis of the rule in order to help registrants understand, and ultimately agree with, the direction
they receive from the compliance department.
Some policies and procedures have the direct or indirect effect of protecting the interests of clients. An employee of
the dealer member who fails to comply with the policies can bring adverse decisions against the firm in an action by
the client. Suppose, for example, that a commodity futures trading firm has a policy of requiring updated financial
information when a client meets or exceeds loss limits. If the firm fails to obtain this information, the client might
legitimately bring an action to recover trading losses, with negative consequences for the firm.
A regularly cited deficiency among regulators is poorly written or out-of-date policies and procedures. At some
errant firms, policies exist but have not been written down in a policy manual. At other firms, policies are in place
but simply are not followed.

REGULATORY REQUIREMENTS FOR POLICIES AND PROCEDURES
CIRO rules require that dealer members create, maintain, and apply written policies and procedures that establish
a system of controls and supervision regarding securities regulation. The policies and procedures must be sufficient
to provide reasonable assurance that the dealer member and its employees and Approved Persons comply with
CIRO requirements and securities laws. The dealer member’s policies and procedures that specifically address its
supervision system must remain up to date at all times based on current CIRO requirements and applicable laws.
CIRO rules also require policies and procedures governing specific processes, such as retail account supervision and
trading.

© CANADIAN SECURITIES INSTITUTE
7 4 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 3

DIVE DEEPER

IDPC Rule section 3945, Daily and monthly trade supervision, states the following:
A dealer member with retail client accounts must have policies and procedures in place that specifically
address daily and monthly supervision of trading activity in those accounts. These policies and
procedures must outline actions to deal with problems or issues identified by the review.
For complete requirements, visit www.ciro.ca

CIRO does not dictate the specific content of policies and procedures, nor does it review or approve policies,
procedures, or amendments prior to their implementation. However, CIRO may perform post-implementation
reviews, such as a business conduct or financial compliance reviews, which tend to focus more on policies than on
procedural details. During such reviews, if CIRO finds that there are serious gaps in a firm’s policies and procedures,
it can require that they be rectified. The same requirement applies for firms registered with other regulators, such as
the provincial securities commissions.
CIRO provides guidance as to what areas a dealer member’s policies should cover and how those policies relate to
the relevant regulatory requirements. Under CIRO guidelines (and generally speaking), if a firm does not engage
in a particular regulated activity, its policy manual should include a statement to that effect. For example, the
statement No options trading is permitted in a firm’s policy manual makes it clear that no additional policies are
required to address options trading. Including such a statement is a prudent practice for the sake of warning
employees that certain conduct is prohibited. It is also important for the firm to specify which lines of business it
engages in and which areas are not a part of its operations.

DISTINGUISHING POLICY FROM PROCEDURE
The terms policy and procedure have distinct meanings. Generally, a policy describes a rule designed to address a
particular risk and is likely based on a regulatory rule or pronouncement. A procedure is a written set of instructions
that describes the action or actions required to implement the policy. In other words, a dealer member’s policies are
a set of rules, and its procedures explain how to comply with those rules.

EXAMPLE
Policy
Short sales require the pre-approval of the securities lending department.

Procedure
Registered representatives proposing to make a short sale must complete Pre-approval Form 41-16.
Completed forms must be faxed or emailed to the securities lending department at telephone number
555-xxxx or email address [email protected].

Procedures should exist for all major processes conducted at a dealer member. They need not be static or restrictive,
but they should establish consistent standards and maintain quality control. They have tangential benefits as a
resource to new employees and in analyzing what went wrong when a problem arises.
Furthermore, procedures should evolve over time to reflect any change in operations or in the rules behind the
procedures. To avoid significant delays, is critical that investment advisors and their assistants clearly understand
what is required of them. For example, when opening accounts, they must know what forms to complete and how
to complete them, and they must know what information they need to provide. Employees who omit information
without explanation may impede the account opening process.
Policies are usually determined by the dealer member’s senior management, whereas procedures are generally
prepared at the departmental level and circulated to a wider audience for approval. It is a common failing for a firm

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 7      DEVELOPMENT OF POLICIES AND PROCEDURES 7 5

to have policies without corresponding departmental procedures (i.e., the firm has a policy, but it is not in writing or
has not been properly communicated). This lapse is commonly found in business conduct examinations.

EXAMPLE
Your securities firm has a policy requiring that copies of written client complaints be forwarded to the compliance
department. However, during a business conduct examination, you discover that the firm has not developed
written procedures that govern how the compliance department must process these complaints.

DID YOU KNOW?

Every dealer member must have procedures in place to ensure that the following requirements are met:

Each employee and Approved Person of the dealer member must understand his or her
responsibilities under the written policies and procedures.
Written policies and procedures of the dealer member must be amended, as appropriate, within a
reasonable time after changes in applicable laws, rules, regulations, or policies, and such changes
must be communicated to all relevant personnel.

DEVELOPING AND AMENDING POLICIES AND PROCEDURES

2 | Explain the key elements of writing policies and procedures.

The process for developing, approving, implementing, amending, and updating policies and procedures is itself a
matter of policy and procedure. The process should address the following issues:

Why is the policy or procedure necessary?
Who will be affected by it?
What are the staffing requirements for implementation?
What information technology requirements are necessary for implementation or for monitoring performance?
What training needs apply?
What are the expense or revenue implications?
What are the risks of inaction?
Have all alternatives been considered?

The answers to these questions help to determine who should create policies and their procedures, when they
should be created, who must approve them, how they will be implemented, and how often updates are to take
place. It is always important to note that a policy and procedures manual is not a static document; it is constantly
evolving as a function of the environment in which the securities industry exists.
The chief compliance officer must be familiar with, and typically approves, all policies that address securities
regulatory requirements within the scope of compliance. Certain types of regulation-related policies or procedures
may be left entirely to others. For example, financial and operational controls fall under the authority of the chief
financial officer. However, policies and procedures can originate from any department and may have regulatory
aspects that are not apparent to all. It is useful, therefore, for the CCO to be familiar with developments in other
departments.

© CANADIAN SECURITIES INSTITUTE
7 6 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 3

EXAMPLE
Dealer members have a regulatory obligation regarding document retention, which also applies to electronic
mail. The CCO must take steps to ensure that the head of information technology is familiar with such
requirements to ensure proper email archiving in particular and document retention generally.

Policies and procedures should have an owner within the firm. Usually the owner is the manager of the business
or a specific functional area. Policies and procedures are often prepared by the staff of the departments that are
affected. Along with the owner, these staff members are primarily responsible for the maintenance and application
of policies. The CCO and the compliance department may provide advice and guidance during the development
process, but they are not necessarily the primary responsible positions.
Other areas of the dealer member often have a direct interest in the application of policies. It is necessary to
identify these areas to ensure that the policy is appropriately drafted and implemented. Draft policies should be
circulated to the management teams that will be affected by them. Procedures might be circulated to the people
who will primarily use them to solicit feedback and ensure their acceptance. A post-implementation review with the
same group can help identify areas for improvement. This type of review with the user group is particularly valuable
when procedures are amended.
Managers and staff must be trained and informed about all established guidelines for the development of policies
and procedures. Proper training will prevent problems such as employees choosing to establish their own ad hoc
policies to make their jobs easier.

EXAMPLE
Leon, a head office employee at a securities firm, feels constantly overworked and under pressure to perform. In
an effort to limit his workload, Leon advises his supervisor that documents received after 2:00 p.m. cannot be
processed on that day. The supervisor complains to senior management about this new restriction. After some
discussion, senior management decides that a training program is needed to educate employees about the firm’s
development and approval process for policies and procedures.

WRITING AND FORMATTING POLICIES AND PROCEDURES

3 | Identify the major considerations when creating or reviewing policies and procedures.

Depending on a dealer member’s business, its policy manual may include sections on the following topics, among
others:

Corporate policies, which include the firm’s mission statement and code of conduct and might include policies
regarding ethical business practices and privacy
Compliance policies for registrants, which might include policies aimed specifically at certain categories of
registrants and their respective obligations, as well as policies regarding anti-money laundering and other
gatekeeper responsibilities
Compliance policies for supervisors, which might include the supervisory responsibilities for other business locations
Credit and margin policies
Client accounts policies, which might include policies regarding account opening and approval, as well as
changes to information
Operations policies, which might include various head office functions such as credit, stock borrowing and
lending, securities receipts and deliveries, and account transfers
Sales policies, including retail and institutional

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 7      DEVELOPMENT OF POLICIES AND PROCEDURES 7 7

Trading and order execution policies, including policies regarding equity, debt market, and derivatives
Investment banking and syndication policies, which might include a firm’s firewall guidelines
Research policies
Human resources policies, which might include specific sections addressing registrants, business locations, and
head office staff, as well as the firm’s policies regarding anti-discrimination, harassment, and appropriate email
and Internet use
Policies for other support services, which might include subsections relating to banking, payroll, information
systems, and facilities management

Procedures should generally accompany policies. Although departmental procedures do not need to be circulated as
broadly as policy manuals, they are extremely important at a departmental level.

WRITING GUIDELINES
The following guidelines are designed to facilitate well-written policy and procedure manuals:

Write policies for specific readers, but acknowledge that a wider audience may have access to the material. For
example, if a policy directed at clerical staff includes abbreviations that may be unfamiliar to some employees,
spell out the full term the first time it is used.
Write in the present tense using plain language and active verbs.
Be concise and precise.
Do not use information that can quickly become outdated, such as the names of persons in certain positions;
use titles relating to positions, rather than named individuals.
Adopt a consistent format and consider obtaining outside expertise to ensure that the writing is grammatically
correct and that the font is easily readable.
Use numbering system for ease of reference and for tracking historical changes to policies and procedures.
When a policy or procedure is eliminated, do not reuse its reference number.

EXAMPLE
A policy statement such as “All incoming mail should be reviewed for compliance purposes” is concise but vague.
For this statement to be useful, precise details are required.
The example below, on the other hand, is both concise and precise:

Policy
All incoming mail, including personal mail addressed to employees, shall be opened and reviewed by
qualified business location staff reporting to the supervisor. Employees are strongly discouraged from
receiving personal mail at the firm’s address.

Procedure
Incoming business location correspondence, including faxes and correspondence marked personal or
confidential, shall be brought to a secure location upon delivery to the business location.
The business location administrator or a qualified designated supervisor, shall open and review such
correspondence and direct the contents as follows:
Cheques, post-dated cheques, negotiable instruments, securities certificates, completed forms, and other
sensitive materials shall be delivered to the cage for deposit or similar appropriate action.
Client complaints shall be directed to the business location supervisor or designate.

© CANADIAN SECURITIES INSTITUTE
7 8 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 3

DISSEMINATING POLICIES AND PROCEDURES

4 | Discuss various methods of approving and disseminating new or changed policies and procedures.

Accessibility and utility must be considered when policies and procedures are disseminated. Policies and procedures
that govern employee behaviour should be kept up to date and made readily accessible. Relevant information
should be easy to locate.
Some dealer members circulate bulletins throughout the year describing policy or procedure changes without
making corresponding changes to their manuals. Policy and procedure manuals are increasingly available online,
where revisions can easily be made whenever a policy or procedure changes. For this reason, online manuals are
usually reasonably up to date.
Another advantage of a manual in electronic format is that it can be made well-indexed and searchable, so that
employees can easily find references to specific policies and procedures. Most employees need to access to only
those policies and procedures that directly affect them. They may be reluctant to consult a comprehensive print
manual that is mostly irrelevant to their specific needs.
Dealer members must provide sales and supervisory personnel with sales practices policies and procedures relevant
to their functions. Dealer members must also obtain and record acknowledgement that these personnel have read
and understood the policies and procedures relevant to their respective roles and responsibilities.
It may be appropriate for a dealer member to request such an acknowledgement at any of the following times:

When first employed
At annual intervals
In the context of internal discipline
When a major policy or procedure is revised

Records of acknowledgement should be maintained for the purpose of internal sales compliance and audits.
Once obtained, these acknowledgements may be kept in business locations or specific departments. Checking of
acknowledgements may be done during internal sales compliance or internal audits, for example.

REVIEWING, REVISING, AND ARCHIVING POLICIES AND PROCEDURES
Policies and procedures should be reviewed regularly according to established guidelines. For example, a
comprehensive review of all policy and procedure manuals at a particular firm might be undertaken every three
to five years. Current best practices suggest that policy and procedure manuals should be updated annually, in
particular if changes have occurred during the previous calendar year. In these circumstances, a firm may issue
numerous compliance bulletins during the year that reflect ongoing changes to the regulatory landscape. Such
bulletins are standalone policies that must eventually be integrated into the main policy manual. The logical time
for such inclusion is during the firm’s annual policy and procedure updating process. This process should allow major
revisions from bulletins to be included, along with necessary minor corrections and edits.
Manuals should refer to all previous revision dates, even if no changes are made. The particular “issue” date of a
manual is of critical importance, in particular if a firm or a registrant is ever subject to a regulatory investigation.
CIRO, or another regulator, may request a copy of the firm’s policy and procedure manual that was in force at the
time that an infraction, or alleged infraction, occurred. By being able to readily point to the correct version, the
CCO demonstrates the firm’s commitment to ensuring that an up-to-date policy manual is available and provides
evidence of the firm’s updating process. Policy and procedure manuals often include a “table of concordance” or
“table of changes”, indicating which aspects of the manual have changed from the previous version.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 7      DEVELOPMENT OF POLICIES AND PROCEDURES 7 9

Review and revision may also be prompted by particular events, including the following occurrences:

Changes to the business, including the introduction of new products or services
Regulatory initiatives
Significant regulatory decisions made by legislation or a self-regulatory organization
Any audit that identifies policy or procedure deficiencies

All prior versions of policies and procedures should be archived to assist in resolving disputes, responding to
litigation undertakings and regulatory inquiries, and developing revisions. A dealer member should determine who is
responsible for archiving and what process is most appropriate.

IMPLEMENTING POLICIES AND PROCEDURES

5 | Describe the important considerations when implementing policies and procedures.

A firm’s policy development guidelines should include a strategy for implementation. New policies or procedures
usually take time to implement. For significant changes, a written plan should be developed that identifies
responsibilities and major inter-dependencies, and sets out appropriate steps to be taken.
Some policies can be more effectively launched over time or in successive geographic regions. For example, a policy
change to eliminate a product or service might begin with discontinuing new sales, followed by a grace period to
facilitate a staged exit over time. Similarly, a new procedure requiring systems support might be field-tested in a
few regions to ensure that the systems work effectively, before being rolled out across the firm.
Education and training are also essential components of effective implementation. With some policies and
procedures, such as those relating to anti-money laundering, firewalls, and privacy, education and training are
mandated by regulation. The compliance department is usually involved in training related to compliance-related
policies. At many firms, compliance training is combined with other departmental training.

EXAMPLE
A securities firm requires all new employees to participate in a joint training session with human resources staff
and compliance staff. During these sessions, the new employees learn about human resources policies and
procedures. They also receive training and education on business ethics, privacy, gatekeeper responsibilities, and
anti-money laundering requirements.

Any new policy or procedure that might have a significant impact on the dealer member should be approved by
executive management, and in some cases, by the board, prior to implementation. This requirement includes
policies dictated by regulatory change. Management must be able to address any resource implications or adverse
responses to policy or procedure changes. An endorsement from senior management is often important to the
personnel affected. Similarly, when an announcement of an important new policy comes from the board of directors
or the chief executive officer, it emphasizes the importance of compliance to all personnel.
Some policy or procedure changes may affect outside parties and their policies and procedures. Dealer members
that provide carrying services should consider the impact of such an effect and notify their introducing brokers as
soon as possible. They should also assist them with any implementation problems that may arise. This need may be
particularly relevant with respect to policies that the carrying broker has ultimate responsibility over. For example,
a rule change regarding the taxation of registered products, such as registered retirement savings plans and tax-free
savings accounts, can affect the carrying broker’s policies and procedures. In turn, such a change can also affect the
introducing broker.

© CANADIAN SECURITIES INSTITUTE
7 10 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 3

RESOURCES
Useful resources in the context of preparing or revising policy and procedure manuals include the CIRO website,
industry peers, and in-house legal counsel. In addition, many external legal firms communicate through newsletters
and other means regulatory and legislative proposals or changes, as well as relevant judicial decisions. Other
resources include industry conferences, CIRO emails, experienced firm employees, CIRO’s Conduct, Compliance and
Legal Advisory Section, and the Investment Industry Association of Canada.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 7      DEVELOPMENT OF POLICIES AND PROCEDURES 7 11

SUMMARY
In this chapter, we focused on the key principles underlying written policies and procedures, along with the concepts
behind policy and procedure design, approval and dissemination, and issues relating to their development and
implementation.
We discussed the difference between a policy and a procedure: a policy is a rule (usually based on a regulation); a
procedure is a set of instructions explaining how to carry out the rule.
We also discussed that the processes for developing, approving, implementing, amending, and updating policies
and procedures are themselves a matter of policy and procedure. By now, you should understand the significant
areas covered by a dealer member’s policies and procedures, and describe some best practices for creating a robust,
usable manual.
Above all, remember that policies and procedures that govern employee behaviour should be readily accessible,
and that employees should easily be able to locate the specific information they need. The manual should also be
reviewed and updated regularly, according to established guidelines.
Finally, we touched on resources available to dealer members to help them prepare and revise their manuals and
stay up to date with proposed regulatory changes.
We briefly mentioned the need to assess information technology requirements necessary to monitor employee
performance. In the next chapter, we will fully explore this core function of a compliance department and explain
why it is necessary to facilitate ongoing compliance with dealer member policies and regulatory requirements.

© CANADIAN SECURITIES INSTITUTE