Chapter 8 - Monitoring.pdf

Transcript

Monitoring 8

CONTENT AREAS

Overview of Monitoring and Surveillance

Establishing Monitoring and Surveillance Systems

Formal Monitoring Techniques

Monitoring a System’s Effectiveness

Key Control Points

LEARNING OBJECTIVES

1 | Describe compliance monitoring strategies and supervisory systems.

2 | Explain the concepts associated with a control environment in a monitoring program.

3 | Discuss the primary issues and monitoring requirements that apply to a dealer member and
its staff.

4 | Identify core regulatory requirements and best practices for monitoring.

5 | Discuss the distinctions between the monitoring requirements for key control points, including
account opening and activity.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 8      MONITORING 8 3

INTRODUCTION
In the previous chapter, we discussed the fact that policies and procedures help reduce risk for dealer members
and the industry as a whole. We explored the key principles underlying written policies and procedures, and we
discussed the way they must be communicated to and understood by everyone in the firm.
In this chapter, we explore the monitoring and surveillance function and explain why it is necessary to facilitate
ongoing compliance with dealer member policies and procedures and regulatory requirements. This chapter
provides a comprehensive overview of monitoring and monitoring issues, as well as the basic regulatory and
operational requirements of a macro-level compliance monitoring system for a full-service, self-clearing investment
dealer. In particular, it addresses regulatory requirements, organizational development, systems requirements and
resources, evidence of supervision, and best practices.

OVERVIEW OF MONITORING AND SURVEILLANCE

1 | Describe compliance monitoring strategies and supervisory systems.

Surveillance and monitoring of business activities at a dealer member are core functions that facilitate ongoing
compliance with dealer member policies and regulatory requirements. These compliance department functions
support the identification of early-stage patterns of improper behaviour, activities, or trends, as well as material or
systemic weaknesses in a dealer member’s compliance practices. They are also meant to support the dealer member
in meeting its regularly scheduled supervisory requirements as dictated by CIRO and other regulators. It is the role
of the CCO to develop, implement, and supervise monitoring systems to help the compliance department oversee
all of a firm’s business activities.
Usually, both the compliance department and business line supervisors monitor adherence to internal and external
standards. In addition, most firms implement operational policies and procedures as part of an overall control
environment. Aside from its day-to-day surveillance activities, the compliance department usually does more
specific monitoring through reviews and audits to test the effectiveness of supervisory procedures and adherence to
policies and procedures.
The procedures established by the compliance department aim to either prevent violations from occurring or detect
them through surveillance mechanisms. Regulatory expectations extend beyond the firm and its employees to
the conduct of its clients (regarding, for example, insider trading). An objective of any monitoring or surveillance
process, whether conducted by compliance or business line staff, is to ensure the proper escalation and resolution
of both actual and potential violations. A failure to identify and take action against any indication of potential
violations arising from client activity can result in regulatory discipline.
Chief compliance officers must establish a framework for their firm’s compliance monitoring system to ensure that
it is aligned with the business conducted by the firm, and to ensure that the system is effectively implemented and
periodically audited. Any exceptions to compliance are appropriately escalated. However, compliance monitoring
is inherently imperfect because it is impossible to review every event, transaction, client, product, and trade in a
manner that eliminates risk.
The challenge of an effective monitoring regime is to develop tools that quickly and accurately produce the
information needed and facilitate an effective response. Firms must also be able to demonstrate to the regulators
that effective supervision has taken place during this process. Effective supervision is not simply an evaluation of
statutory or regulatory mandated testing; it should also reflect the dealer member’s analysis of the risks it perceives
in relation to its business model. Therefore, the dealer member should recognize that an effective supervisory
system goes beyond mandatory regulatory testing; it should also be designed to mitigate other risks to the dealer
member, such as the risk of litigation.

© CANADIAN SECURITIES INSTITUTE
8 4 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 3

ESTABLISHING MONITORING AND SURVEILLANCE SYSTEMS

2 | Explain the concepts associated with a control environment in a monitoring program.

A monitoring system is a dynamic system that takes into account the types of business conducted along with the
resources available. It is, by definition, an imperfect system because some surveillance must take place after an
event has occurred. By analyzing the issues raised in the context of their dealer member, CCOs should be able to
conceive the monitoring system that is required for their firm. At a minimum, firms must have qualified individuals
supervising transactions in accounts and must provide evidence of this supervision. However, minimum standards
do not cover many situations relevant to CCOs. A successful compliance regime and monitoring system must go
beyond those standards to reflect a substantive approach to compliance, rather than a routine checklist exercise.
The CCO should assess the level of risk inherent in the business model of the dealer member to ensure that the
firm’s compliance system accounts for it.
Supervisory and compliance systems at both the head office and the business locations are basic operational
functions integral to the decision-making and responsibilities assigned to various people. Generally, CIRO mandates
the implementation of these systems in their rules. However, the rules are not prescriptive; considerable flexibility is
provided so that firms can develop controls appropriate to their size, organization, product mix, and expertise. CIRO
rules are intended to assist CCOs in asking relevant questions about what controls and supervision are appropriate
to their firm’s monitoring system.

DID YOU KNOW?

IDPC Rule 3900, Supervision, sets out the dealer member’s obligation to supervise its business and
operations. The rule is divided into seven parts:
Part A – General supervision requirements
Part B – Supervision of all accounts
Part C – Supervision of retail client accounts
Part D – Supervision of institutional client accounts
Part E – Supervision of order execution only accounts
Part F – Supervision of options, futures contracts and futures contract options trading accounts
Part G – Supervision of discretionary accounts and managed accounts
Go to CIRO’s website for the complete requirements

REGULATORY STANDARDS
Regulatory standards are fundamental to the design and operation of compliance monitoring processes. Dealer
members must make sure that relevant requirements are identified and incorporated and that they are operating
as intended. They must also continually monitor and assess new and revised regulations so that systems can be
modified in response to regulatory developments.
CIRO’s minimum standards do not preclude firms from establishing a higher standard of supervision. In fact,
in many situations, it is appropriate and desirable to implement a higher standard to ensure proper supervision.
Monitoring processes must also address other legislative regulatory requirements, such as anti-money laundering,
anti-terrorist financing, and privacy regulations. Processes may also be required to address standards or obligations
imposed by a firm’s insurance policies or other contractual arrangements.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 8      MONITORING 8 5

Some dealer members use a legislative compliance matrix, which is a comprehensive listing of regulatory
requirements and related control or supervisory processes. Such a system can help to ensure that all regulatory
requirements have been identified and are being fulfilled, thus achieving what has customarily been done by
business line supervisors and compliance staff. The matrix also validates the dealer member’s written policies and
procedures and ensures that they are complete.
However, because of the volume of regulations, creating a compliance matrix is a highly resource-intensive exercise,
both in preparation and ongoing updating. The initiative requires a dedicated team drawing on compliance resources
that would otherwise be allocated to day-to-day compliance monitoring and risk management. A common
concern is that key resources may be allocated to a burdensome and onerous administrative process, without any
meaningful results in terms of compliance risk management.

INTERNAL CONTROLS
The term internal controls usually refers to the policies and procedures established and maintained by a dealer
member to ensure three results:

The firm’s business is conducted in an orderly and efficient way.
Management directives are carried out.
Necessary actions are taken to address risks at all levels and in all functions throughout the firm.

CIRO requires all dealer members to establish and maintain adequate internal controls to support the firm’s
“internal control environment” and sets out detailed requirements and guidance about a number of internal control
matters. The specific and functional activities and controls covered by these requirements are often considered
financial or operational matters. In other words, the compliance department may not be responsible for some
of the areas encompassed by the policy. Nevertheless, internal control concepts and techniques are relevant to
compliance monitoring because they establish procedures that must be followed and that often support a robust
compliance function.
There are two major types of internal controls:

Preventive controls prevent or minimize the chance that fraud or error will occur. These controls are typically the
more effective type of controls but may entail greater costs and impediments to business efficiency.
Detective controls increase the chance that fraud or error will be detected, so that corrective action can be
promptly taken. Although they do not directly prevent violations, they may have a deterrent effect and can be
preventive in that sense.

Typically, an internal control environment comprises both types of controls. The extent to which preventive controls
are used depends on management’s view of the risk and the cost-to-benefit relationship of controlling such risk.
If the inherent risk is high, the cost of effective preventive controls is usually not only warranted but expected by
industry regulators. Detective controls may be more appropriate where the inherent risk is lower or if a violation can
be effectively remedied after the fact.
Monitoring as a form of detective control is most effective when a violation is detected immediately after it has
occurred. For example, it is usually easier and less costly to cancel a trade that has just occurred than one that is not
noticed for days or weeks.
In addition to monitoring, common internal control techniques include the following aspects:

Defined, documented, and well-understood policies and procedures
Accurate, timely, and useful reporting
Segregation of duties
Approval requirements

© CANADIAN SECURITIES INSTITUTE
8 6 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 3

Authorization limits
Access controls
Reconciliation

SUPERVISION VERSUS COMPLIANCE OVERSIGHT
As previously discussed, the management of a dealer member and its compliance department generally have
different roles in the monitoring process. Management approves and supervises activities under its charge, whereas
the CCO and the compliance department typically provide second-tier monitoring and review. The compliance
department does not have the decision-making power and authority of management.
Management has the authority to direct the business, including making decisions about whether to accept a client or
effect a given transaction. It can also hire, provide incentives for, discipline, and terminate business line employees.
The focus of management is mostly on revenue, but compliance is becoming an increasingly important
consideration for them. Some high-profile compliance failures have shown that violations can cost the violating
firm dearly. Management must be well aware of this fact. They must understand that, although their objectives for
revenue are paramount, that revenue cannot be earned at the cost of noncompliance.
Employees typically look to management for guidance regarding their organization’s culture, and they respond
accordingly. It is therefore critical that management stress to their staff the importance of being compliant while
continuing to meet revenue objectives. Otherwise, they risk exposing themselves and the dealer member to
regulatory action, litigation, and reputational harm.
At some dealer members, private client business is primarily responsible for supervising itself, with the compliance
department assuming an advisory and oversight role. At other firms, the compliance department takes primary
responsibility for virtually all compliance functions. Either model is effective, as long as the allocation of functions,
responsibility, and accountability are clear and evident to all concerned. If compliance assumes supervisory
functions, such as approving new accounts, the supervisors must be registered.
A proactive compliance department does not take the place of responsible business supervisors. With respect
to issues related to business activities, business line personnel still have ultimate authority and are ultimately
accountable when issues arise. Supervisors must make sure that business is carried out in compliance with
applicable rules.

RISK-BASED MONITORING
When developing strategies to minimize risk, many compliance departments proactively review business activities
in conjunction with business units. Under this model, the compliance department assesses and identifies regulatory,
compliance, and reputational risks throughout the firm and addresses deficiencies before problems arise.

EXAMPLE
Regulators emphasize risk-based compliance. CIRO has an annual assessment process that results in a grading
and a Risk Trend Report issued for each dealer member. Similarly, the Ontario Securities Commission (OSC)
directs detailed questionnaires at the firms it regulates, including fund managers and portfolio managers, to
determine their level of compliance risk. Compliance departments use a similar risk-based approach to identify
areas of specific concern and allocate resources accordingly.

Under risk-based compliance, a dealer member’s most significant compliance risks are identified and ranked. The
following internal and external factors are considered during this process:

The inherent risk associated with the activity, based on experience in both the firm and the industry
Regulatory standards and expectations regarding emerging issues

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 8      MONITORING 8 7

Previously identified compliance concerns, deficiencies, and control weaknesses
The consequences of a compliance failure
The size or significance of the activity in relation to the firm’s total business mix (keeping in mind that small
business units often have disproportionate compliance incidents)

A high-risk area can be defined through the following means:

By business unit, office location, or individual employee
Through reference to a particular type of activity, product, transaction, or security
In relation to defined client types or profiles

When designing a monitoring system, criteria and processes must be adequately identified and adequate resources
applied to the risk. It is ineffective to use only the commission level as a basis for determining whether an account
requires review because the commission level is not related to the size of the account. Other calculations or
methods that focus supervisory attention on a small number of high-risk accounts may be more appropriate.
For example, a commission-to-equity ratio can be used to eliminate high-value accounts for which the current
commission level is low.
Regarding activities where there is discretion as to the timing and extent of commitment, dealer members should
consider applying a risk-based methodology to resource allocation that incorporates specific parameters.

EXAMPLE
In scheduling business location reviews, dealer members may rank each business location based on its risk
profile. Factors to consider include size, type of business, experience of the business location’s supervisor, client
complaint history, results of previous reviews, number of registrants, registrants under review, existence of an
onsite supervisor, and other applicable considerations.

Resource allocation is not without challenges. For example, if the compliance costs of private client options trading
are higher than those arising from retail mutual fund activities, resources should perhaps be focused on the options
activities. However, a business that is perceived as having low overall compliance risk may have one significant
problem, which can be very costly from many perspectives. This fact was evident during the 2005 regulatory
sanctions and settlements involving short-term trading in mutual funds. Mutual funds are generally considered a
low level of risk in terms of product type. However, in this case, certain firms permitted certain clients to engage
in short-term trading strategies, which took advantage of price discrepancies in the marketplace. This activity
significantly increased compliance risk.
CCOs must deal with many demands simultaneously. Some of the major challenges include time management
and effective allocation of resources, based on relative priorities. Thoroughly investigating every activity and each
transaction that a dealer member undertakes is not feasible. Therefore, confirmed compliance violations or issues
are generally assigned the highest priority.

THE CONCEPT OF REASONABLE ASSURANCE
As previously discussed, dealer members must establish a compliance system for monitoring compliance with
CIRO requirements and securities laws. The monitoring system must specifically address preventing and detecting
violations. However, no matter how well conceived and operated, no internal control system is infallible. Factors
such as bad judgment and human error are inherent limitations on the effectiveness of any control environment.
In addition, controls can be circumvented through collusion by two or more people, even though management can
override the system. Therefore, a supervisory system’s design must reflect the constraints of its resources and aim
for the benefits to outweigh the costs.

© CANADIAN SECURITIES INSTITUTE
8 8 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 3

Each dealer member has its own unique compliance environment influenced by factors such as its history,
management, client mix, and business units. Size is another factor, given that smaller dealer members typically have
fewer resources than larger firms.
When determining what resources are needed for effective monitoring, a dealer member must consider factors
such as the technology available and the businesses it is involved in. Staff responsible for supervising specialized
businesses must have the appropriate knowledge, experience, and regulatory proficiency.
The following business and product categories might require specialized compliance resources:

Private client brokerage (advisory)
Discretionary portfolio management
Options or commodities trading
Discount brokerage
Corporate finance, mergers and acquisitions, and syndication
Mutual funds and hedge funds
Research
Derivatives trading
Institutional sales and trading, and proprietary trading
Stock borrowing and lending

In addition to the types of business that a dealer member conducts, compliance resources may also need to be
deployed based on trends or specific activities undertaken (or permitted) by the dealer member or by specific
investment advisors. For example, if a dealer member permits its registered employees (or PROs) to maintain
trading accounts at other dealer members, additional resources will be required to ensure that the trading activity
that takes place in these outside accounts is properly supervised.
The dealer member’s approach to outside activities should also be considered. To the extent that the dealer member
allows registered employees to pursue activities outside the firm, additional resources are required to review and
approve such activities.
In both of these examples, the activities in question are permitted under applicable CIRO rules. However, the dealer
member must have additional resources, which are typically scarce at the best of times, to properly allow such
conduct to occur. In such cases, the business leaders of the dealer member must weigh the cost of allowing outside
accounts or activities against any benefit to the firm.

DIVE DEEPER

CIRO provides guidance relating to employees’ obligation to disclose and obtain approval for any outside
activities. It also sets out the dealer member’s supervisory responsibilities regarding outside activities.
To see the complete requirements, go to CIRO’s website.

At a full-service dealer member, staff and resources are usually allocated to broad business categories such as
private clients, capital markets, and mutual funds. Depending on the breadth and size of the business, a further
breakdown of requirements may be necessary. No allocation formula applies to this dynamic process other than
good judgment and the understanding that inadequate or inappropriate staff and resources can have devastating
consequences. Resources must always be sufficient to ensure that regulatory standards are met and that key risks
are appropriately mitigated. Resources must also be allocated so that their benefits are worth the costs.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 8      MONITORING 8 9

FORMAL MONITORING TECHNIQUES

3 | Discuss the primary issues and monitoring requirements that apply to a dealer member and its staff.

After a dealer member has decided which activities and transactions to monitor, it should define how items are
selected for review and to what extent they must be reviewed. Factors such as regulatory standards, risk, and the
desired level of assurance should be considered.

SAMPLING
The cost of reviewing all relevant activities or transactions usually exceeds the benefits obtained. It is more efficient
to select a representative sample of items for examination. This sampling method provides direct assurance
regarding the reviewed items and allows extrapolation about issues or deficiencies that likely apply overall.
Sample items are commonly selected either individually or as a group of all items in a defined time period. The two
basic types of sampling are judgmental sampling and random sampling:

Judgmental sampling With this method, items are selected from the total population based on subjective
consideration of factors such as size, relative risk, and whether a representative sample
has been obtained.

Random sampling This method eliminates selection bias by ensuring that every item in the population has
an equal chance of selection. When used in conjunction with statistical methods, it is
possible to generate mathematically calculated extrapolations and confidence factors
around the population as a whole. Random sampling is a common technique in financial
audits; however, it is not often used in compliance monitoring processes.

When using sampling to arrive at a general conclusion, the following factors should be considered:

Is the sample size sufficiently large in relation to the population?
Are the items selected for the sample truly representative of the total population?
Has anything changed since the sampled items were identified (such as a new supervisor or new supervisory
review procedures)?
Should the population be subdivided or stratified to tighten the shared characteristics of the items within the
population?

DID YOU KNOW?

Deficiencies identified through a review of a sample of accounts opened at a particular business location
may lead to a conclusion about all accounts opened at that business location. However, the same will
not necessarily hold true for other business locations, unless the same deficiencies are identified.

ISSUE IDENTIFICATION AND REVIEW
The monitoring process should reveal any failures of policies and procedures, as well as any undesirable activity,
so that exceptions to defined standards can be identified and addressed. In some cases, the dealer member’s
carrying broker can provide what is known as exception reporting capabilities. These reports dramatically reduce
the compliance department’s time and efforts. Rather than looking for all exceptions, supervisors can focus their
energies on evaluating only those exceptions flagged by the automated report.

© CANADIAN SECURITIES INSTITUTE
8 10 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 3

Some dealer members can customize reports to focus on a specific product type (e.g., leveraged exchange traded
funds) or a specific client type (e.g., clients over age 70). Customization also permits the dealer member to divert
resources very quickly based on issues or concerns identified by the firm or as directed by the regulator. The
monitoring parameters must strike an appropriate balance between over- and under-scrutiny. For example, when
everything is viewed as an exception, a disproportionate amount of resources is spent verifying that issues do
not actually exist. Conversely, a monitoring regime that rarely or never identifies deficiencies should be carefully
assessed to determine if it is being effective.

RED FLAGS
A dealer member’s monitoring process must be equipped to identify and deal with red flags indicating that a
contravention of a specific rule, regulation, or policy may have occurred.
A red flag can arise in virtually any context. It may be noted in the course of surveillance and assurance processes. A
review concerning one issue may uncover a red flag related to another concern. A red flag may also arise based on
information from a client or from an external party not under supervision.
The CCO, or other compliance personnel, should not disregard an intuition that a violation may be occurring. Any
activity that does not seem to make sense or does not feel right should be investigated. Experienced business and
compliance staff members develop sensitivity to these issues. Even though they may not be able to articulate at the
outset what is causing them concern, they can sense when an issue is present.

ROGUE EMPLOYEES
The issue of the rogue employee is a regular occurrence in the securities industry. An employee can appear to be
highly successful before a reason for the apparent success is fully understood. The employee can be otherwise
nondescript. For example, an operations staff member quietly appropriates assets from the dealer member or its
clients.
No system of internal control can prevent all employee misconduct, intentional or otherwise. However, due
diligence in hiring processes, well-designed internal controls, effective oversight mechanisms, and an understanding
of the nature and legitimacy of results achieved can mitigate the impact of misconduct and help detect it at an
early stage.

EXAMPLE
Some common red flags include the following indicators:

Any indication that defined standards are being ignored
Internal control gaps or attempts to circumvent existing controls
Activities for which a legitimate purpose is not apparent or cannot be explained by those involved
Contradictory or inconsistent information
Previous compliance infractions or concerns involving persons connected with a current situation
Evasive, illogical, contradictory, or counterintuitive responses to inquiries
No knowledge or understanding of expected standards by the persons involved
Requests for exceptions to approved policies and procedures
Any situation that is otherwise out of the norm

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 8      MONITORING 8 11

MANUAL SURVEILLANCE
Along with automated monitoring systems, most dealer members continue to rely significantly on the judgment
and expertise of staff who conduct reviews to identify and resolve issues.
One of the key challenges in any manual process is ensuring completeness and consistency. Therefore, written
policies and procedures must clearly define the issues that should be identified and specify how they should be
addressed. These measures also ensure continuity when employees leave or their responsibilities change.

SYSTEMS-GENERATED EXCEPTION REPORTS
Automated monitoring systems identify exceptions and generate reports by comparing activity to defined
parameters. These systems increase the efficiency of the monitoring process. They also ensure that all exceptions
are identified and that none are overlooked.

EXAMPLE
Some retail dealer members have suitability monitoring systems that classify securities and automatically
compare clients’ holdings against their recorded investment objectives.

For compliance purposes, automated processes should be functionally defined, and a cost-benefit analysis should
be conducted. Applications or software may require significant initial development costs, ongoing operation, and
support costs. Costs might include specialist information technology staff, either within the compliance department
or outsourced. Applications available through third-party vendors can be a cost-effective alternative.
Another consideration is a dealer member’s overall systems and data environment. To create a reliable exception
report, all relevant data should be electronically captured, accessible, correct, and current.
System-generated exception reports must also minimize false positives (i.e., indication of a violation when none is
present) and false negatives (i.e., no indication of a violation when one is present). For this reason, reports are best
applied to simple surveillance routines with a minimal number of variables and associated degrees.

INQUIRY, RESEARCH, AND INDEPENDENT VERIFICATION
If an actual or potential issue comes to light, the first step is to document the issue. This step creates evidence
that supervision has taken place, which is a necessary part of the supervisory process of issue identification,
documentation, review and analysis, and resolution. Additional inquiry or research may be necessary to confirm or
deny the presence of a risk or violation.
Research may involve asking relevant business line personnel for information. Documentation of this information
usually meets the test of adequate supervision if it is appropriate, reasonable, and consistent with other known
information. The CCO must follow up diligently. However, unnecessary inquiries that might undermine the
credibility of the compliance department should be avoided. For example, an inquiry need not be sent if a
compliance officer can address the issue by simply reviewing the transaction history of an account.

FOLLOW-UP AND RESOLUTION
Reviews that are conducted properly often fail in the follow-up stage. For example, follow-up inquiries at a busy
dealer member are initiated by email, but responses go unnoticed, and no corrective action is taken, despite
promises to do so.
A defined recording and tracking system can capture identified issues and ensure their timely resolution. If a
matter is not satisfactorily resolved within a reasonable time, the issue should be escalated and reported to senior
management. Additional procedures should verify that remedial actions have been appropriately implemented.

© CANADIAN SECURITIES INSTITUTE
8 12 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 3

A formal escalation policy should specify how the dealer member and CCO should resolve identified issues for
which requests for resolution have failed. In an effective supervision system, the dealer member demonstrates an
ability to identify, analyze, resolve and finally document all specific queries or reviews. Unresolved issues create
a known and significant weakness in the firm’s general control environment. However, junior compliance officers
should not be expected to devote significant resources to resolving those issues; they should simply be aware of the
manner in which an unresolved issue should be escalated (and to whom).
CCOs need to do more than ensure that issues are identified; they should also audit the process to ensure that it is
operating effectively, and that all issues are appropriately addressed and escalated.

EXAMPLE
A compliance officer identifies a speculative transaction that is inconsistent with a client’s investment objectives.
He refers it to the appropriate supervisor, who responds that the client’s investment objectives are being updated
to include speculation. The compliance officer lets the supervisor know that this resolution is inadequate, and
that the issue should be re-addressed or escalated. He audits the process to make sure that the supervisor follows
through with resolving or escalating the issue.

DOCUMENTING SUPERVISION
Each issue that arises must be documented, along with all actions taken to address the issue and their outcome.
Ideally, anyone reading the documents, such as a regulator or plaintiff’s counsel, should conclude that the issue was
appropriately acted on and remedied.
It is often challenging for a CCO to demonstrate evidence of supervision at the business location and head office
level. The best evidence is a log, either hard copy or electronic, setting out the inquiries that were made, the answers
that were received, and all resolutions of the problem. Such evidence of supervision is preferred over notes and
initials on daily or monthly reports. Although commonly done, adding notes or initials to regular reports is less
effective than properly documenting the issue in a proper log because there is no evidence that the issue was
followed up and analyzed for problems and patterns.

MONITORING A SYSTEM’S EFFECTIVENESS

4 | Identify core regulatory requirements and best practices for monitoring.

When allocating staffing resources, the CCO needs to consider certain caveats on the delegation of duties, as
established by regulation. The key concept is that, unlike tasks and procedures, responsibility cannot be delegated.
A CCO who delegates compliance functions must make sure they are performed properly. This duty may involve
a periodic review of the delegated tasks and procedures. For example, the CCO might perform monthly reviews of
a sample of approved option accounts to ensure that they are being properly scrutinized by a designated options
supervisor.
Similarly, the effectiveness of monitoring and surveillance procedures should be reviewed in an ongoing or periodic
assessment. Compliance results, and failures of internal and external reviews of the compliance function, should
be considered. Any resulting changes that are implemented should also be monitored to ensure that they are being
followed.
Regulatory discipline and court decisions against the dealer member should be seen as an opportunity to identify
what went wrong and fix it. Similarly, discipline and court decisions involving other dealer members may also
prompt the firm to assess the effectiveness of its own controls.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 8      MONITORING 8 13

INTERNAL AND EXTERNAL EXAMINATIONS
A supervisory and compliance monitoring system can be supplemented by other resources. The findings of
functional groups such as internal audit or risk management can be a valuable source of information in relation to
both day-to-day and broader systemic control assessments. A free flow of information and proper coordination
between areas help to ensure that there is no overlap or gaps. A best practice is to periodically review the
compliance department by way of an internal audit or another independent assessment process.
Similarly, external auditors bring an independent and objective view to a dealer member’s control environment.
Although directed at financial reporting, the external audit process may also identify compliance control
deficiencies or issues. For example, the year-end audit procedures performed to confirm account balances have
been known to identify compliance violations.
Regulatory reviews and examinations are another source of information. Specific issues, and a broader assessment
of the control environment, are usually provided by such reviews. Failure to properly remedy deficiencies identified
during a regulatory examination can lead to regulatory discipline against both a dealer member and its CCO,
particularly if the regulator has been led to believe corrective action has been taken.
Audits may be performed both on the compliance department itself and other head office departments, such as
corporate finance. Business location audits are also critical to the operation of the dealer member to ensure that
remote locations are in compliance with dealer member policies and procedures.

KEY CONTROL POINTS

5 | Discuss the distinctions between the monitoring requirements for key control points, including
account opening and activity.

Monitoring is necessary for several reasons. It detects acts of noncompliance that have bypassed a control point.
It also identifies situations where the control point is not operating as it should. Monitoring processes should be
tailored to risks. Doing so helps the CCOs determine the key control points within their dealer member, whether
they are reliable, and what their typical errors are. An insignificant control does not warrant significant resources,
but key controls that are inherently weak should be actively monitored.

EXAMPLE
Given the importance of account opening at dealer members, a key control point is the account opening approval
process, whether at the business location level or at head office. A lax control at this level may facilitate speedy
account opening, but it can expose the dealer member to potentially poor documentation. An excessively strict
control point, on the other hand, may prevent accounts from being opened on a timely basis.

CLIENT ACCEPTANCE AND ACCOUNT APPROVAL
Account opening requirements are found throughout CIRO’s rules. These rules require that new account
documentation be completed prior to the commencement of trading and that they are approved prior to or within a
day of the first trade.
Two critical functions follow the completion of new account documents: the approval of the account by a business
location supervisor or designated director, partner, or officer; and the identification and tracking of missing or
incomplete documentation.

© CANADIAN SECURITIES INSTITUTE
8 14 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 3

REVIEW OF ACCOUNT APPROVAL
A review of account approvals is crucial in sales compliance audits. After an account is approved, no further routine
review of the documents typically occurs at either the business location or head office level, other than specific
requirements that accounts be periodically re-documented in their entirety (generally every two years).
Because of the volume of accounts, larger dealer members use technology to assist in the account opening process.
Computer software ensures that required data fields are completed, thus preventing incomplete applications from
being submitted for review and approval. It also verifies that the information is valid. For example, if a client’s street
address is inconsistent with the postal code given, an error message appears.
Large dealer members have also implemented exception reports to determine whether a client has shared
an address or postal code with an advisor. These reports, and similar others, have become basic control and
surveillance tools at most major dealer members. Smaller firms may use less formal means but must still diligently
document recordkeeping and follow-up.
This type of objective criteria results in better risk management because situations requiring a detailed review of
new account information are more likely to come to light. Accounts with incorrect or incomplete information, and
accounts identified as having a higher-risk profile, are then subject to a more intensive approval process.

TRACKING MISSING INFORMATION
Most dealer members can track missing information electronically, but there is some concern about the accuracy
of such reports. Disputes may arise between advisors, business locations, and head office when documents are lost
in transit. The most common of these disputes relates to documents that allegedly go astray between a business
location and head office. An efficient document-tracking report is important for addressing missing documents. The
department responsible for new accounts should maintain these reports, rather than a central facility or department
where they are less likely to be kept up to date. This reporting can be integrated with the account-opening process
so that advisors know what documents are expected. The advisor can check documents in and out, and head office
can then follow up regarding missing documents.
Standards relating to missing documentation might be enforced by withholding commission payouts or issuing
recurring financial penalties to advisors on the errant accounts. Another effective mechanism to eliminate deficient
or missing account documentation is to restrict the account in question from trading until such time as all account
documentation issues have been resolved.

BUSINESS LOCATION SUPERVISION
A dealer member’s supervisory system must include procedures for follow-up and review to ensure that supervisory
personnel are properly executing their functions. Most firms have more than one business location – possibly
hundreds, in the case of private client services. In some hybrid business models, supervision is handled by head
office.
Guidance Note 3900-21-002, Best Practices for Head Office Supervision of Business Locations, sets out best practices
for business location supervision. It notes that compliance audits should be designed effectively, with particular
attention to the following aspects:

Scope
Audit planning
Audit program and training
Risk identification
Audit report and follow-up

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 8      MONITORING 8 15

COMPLIANCE AUDITS
Virtually all dealer members with more than one business location perform some form of business conduct audit at
the various locations. The scope of the audit depends on the size of the location and the functions it performs. Some
dealer members also perform separate audits related to financial compliance.
The location’s business conduct audit program must be appropriately designed and must function effectively. An
important part of the audit occurs before the actual visit to the specific location through a review of materials
available at the head office level. Documents under review include monthly trade supervision reviews, registration
files, outstanding client complaints, and correspondence with other departments, such as credit and marketing.
Many dealer members also require that a pre-audit questionnaire is completed.
Business conduct audits should be standardized so that all business locations are subject to the same level of review
and the same compliance standards. The audits should be collegial to some degree, so that the audit team and
business locations’ staff can interact and learn from each other.
An audit report, which is usually produced after the audit, should be provided within a reasonable time. The report
should request a written response addressing any deficiencies noted. The CCO, in conjunction with management,
should determine the implications of the audit reports, particularly in respect of serious or repeated deficiencies.
Under certain circumstances, surprise examinations in retail business locations may be appropriate, especially where
there is an indication of inappropriate behaviour or inadequate controls.
CIRO notes the following frequent concerns with the quality of business location reviews:

Inadequate follow-up procedures
Inadequate oversight procedures for fee-based accounts
Lack of evidence of supervision
Inadequate control over the issuance of customized portfolio summaries
Improper reassignment of accounts of terminated registrants
Poor control of client address changes
Inadequate control and review of advertising and sales literature

RETAIL ACTIVITY MONITORING AND SURVEILLANCE
Dealer members that engage in the following retail activities must implement a supervisory framework that
addresses the specific standards and risks associated with monitoring private client business:

Establishing and maintaining appropriate supervisory responsibilities, resources, policies, and procedures
The conduct of supervisory reviews, delegation, training, and education
The opening of new accounts and account documentation requirements and controls
Business location supervisory requirements
The handling of legal actions and client complaints
Applying for approval from a self-regulatory organization for another form of account supervision
The use of margin in client accounts
Implementing supervisory procedures in order to adequately supervise client account activity

© CANADIAN SECURITIES INSTITUTE
8 16 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 3

DID YOU KNOW?

Under CIRO rules, the policies and procedures relating to the supervision of retail client accounts must
specifically address the detection of the following activities and occurrences:

Unsuitable trading
Undue concentration of securities in a single account or across accounts
Excessive trading
Trading in restricted securities
Conflicts of interest between a registered representative, investment representative, portfolio
manager, or associate portfolio manager and client trading activity
Excessive trade transfers and trade cancellations indicating possible unauthorized trading
Inappropriate or high-risk trading strategies
Deterioration of the quality of client holdings in an account
Excessive or improper crosses of securities between clients
Improper or excessive employee trading
Front-running

Client contact by way of letter, phone call, or meeting is necessary in any retail account supervisory system.
Regulators and the courts have criticized dealer members for not contacting clients to discuss or identify potential
compliance concerns. Moreover, the use of confirmation letters (or other forms of written communication with
clients, such as concentration letters) are extraordinarily effective tools in supporting the compliance monitoring
function. At the same time, they confirm client appetite for specific behaviour and also provide support for the
dealer member regarding the potential of litigation in the future.

FULL SERVICE VERSUS ORDER EXECUTION ONLY
CIRO rules set out the required standard for dealer members that offer only order execution services, without
assessing the suitability of a client’s investment decisions. From a regulatory perspective, the only significant
difference in the monitoring requirements imposed on order execution only (OEO) firms (also known as discount
brokers), compared with full-service firms, is that discount brokers are not subject to the same suitability rules. In
practice, the methods used by discount brokers tend to rely on information systems that screen for inappropriate
clients and trading.
A key structural difference between the two types of dealer members is that discount brokers have less reliance
on advisors and business location supervisors to act as monitors. In most cases, these staff members do not even
exist at discount brokers, at least not in the traditional sense. Even though accounts are opened in a number of
different ways, gatekeeper and anti-money laundering requirements must still be met. The OEO firms are also
subject to CIRO’s rules concerning conflicts of interest, which include the requirement to address conflicts of
interest considering the best interest of their clients. At their most advanced level, discount brokers screen clients
electronically against a variety of databases to identify inappropriate clients. Orders are also screened to ensure that
sufficient margin exists, or that short sales are being made from approved accounts.

FEE-BASED ACCOUNTS
Fee-based accounts make up an increasingly significant component of the business mix of many retail dealer
members. Under CIRO rules, dealer members offering fee-based accounts are required, in lieu of commission levels,
to define procedures that determine which accounts require monthly review.

© CANADIAN SECURITIES INSTITUTE
 CHAPTER 8      MONITORING 8 17

Dealer members offering fee-based accounts must ensure that recommendations are suitable, meaning that
suitability extends not only to security selection but to account selection as well. The firms are also expected to
monitor the accounts continuously to ensure that charges are reasonable in proportion to what they would be in a
commission-based environment.

OTHER ACCOUNT TYPES
Retail monitoring activities must address the unique requirements associated with various types of accounts
and activities. Other account types include managed accounts, discretionary accounts, options accounts, futures
accounts, and futures options accounts. Specific rules exist for these accounts from a supervisory perspective.

INSTITUTIONAL ACTIVITY MONITORING AND SURVEILLANCE
In addition to meeting general supervision obligations, a dealer member’s policies and procedures relating to the
supervision of institutional client accounts must specifically address the need to detect improper or suspicious
account activity including:

Manipulative and deceptive activities
Trading in securities on the dealer member’s restricted list
Front-running in an employee or proprietary account

These topics are discussed in greater detail further on in the course.

© CANADIAN SECURITIES INSTITUTE
8 18 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 3

SUMMARY
This chapter provided a comprehensive overview of monitoring and monitoring issues. In particular, it addressed
regulatory requirements, organizational development, systems requirements and resources, evidence of supervision,
and best practices.
We discussed the necessary internal controls to ensure that a firm’s business is conducted in an orderly and efficient
way, that management directives are carried out, and that necessary actions are taken to address risks.
We also discussed the different roles carried out by supervisory and compliance staff. A key point to remember is
that the compliance department does not have the decision-making powers and authority of management.
By now, you should be able to describe two formal monitoring techniques: judgmental sampling (where items are
selected from the total population based on subjective considerations) and random sampling (where every item in a
population has an equal chance of selection).
You should also be able to identify the red flags that call into question whether a contravention of a specific rule,
regulation, or policy may have occurred.
In addition to automated monitoring systems, we discussed that most firms rely on the expertise of staff who
conduct reviews to identify and resolve issues. Monitoring components include systems-generated exception
reports, inquiry, research and independent verification, follow-up and resolution, and the always-necessary
documentation.
Finally, we discussed the specific monitoring requirements relating to the many operational areas of a dealer
member, including business location supervision and retail activity.
This chapter brings us to the end of Section 3, in which we covered a broad range of skills and responsibilities
required of a CCO. In the next section, we explore how CCOs apply those skills in their various areas of
responsibility at a dealer member. We begin by discussing the key issues and processes involved in the opening and
maintaining of client accounts.

© CANADIAN SECURITIES INSTITUTE