Recordkeeping Requirements PDF
Document Details
Uploaded by Deleted User
Tags
Summary
This document details recordkeeping requirements for dealer members in Canada. It covers general procedures, regulatory requirements, and record retention and accessibility of dealer member's records. This is a guide on meeting recordkeeping obligations for dealer members, outlining essential procedures and their importance to ensuring regulatory compliance.
Full Transcript
Recordkeeping Requirements 10 CONTENT AREAS General Procedures Required for Recordkeeping Regulatory Recordkeeping Requirements Record Retention and Accessibility LEARNING OBJECTIVES 1 | Discuss a deale...
Recordkeeping Requirements 10 CONTENT AREAS General Procedures Required for Recordkeeping Regulatory Recordkeeping Requirements Record Retention and Accessibility LEARNING OBJECTIVES 1 | Discuss a dealer member’s non-financial recordkeeping obligations. 2 | Describe the records dealer members are required to maintain. 3 | Discuss recordkeeping accessibility. © CANADIAN SECURITIES INSTITUTE CHAPTER 10 RECORDKEEPING REQUIREMENTS 10 3 INTRODUCTION In the previous chapter, we discussed the key issues and processes involved in the opening and maintenance of client accounts, with emphasis on compliance risk. In the process, we briefly touched on the requirements by CIRO regarding recordkeeping. The focus of this chapter is a detailed view of the procedures that dealers must have in place to meet requirements for proper retention of records. Good recordkeeping is required by regulators. It is also critical to the dealer member in relation to investigations, disciplinary actions, litigation, and other business issues. The documentation maintained by a firm of its activities is essential to the firm’s ability to demonstrate its compliance with the law. This requirement applies, by extension, to every registered person at the firm, in particular with respect to dealings and communications with clients. In this chapter, we first discuss general good practices for recordkeeping, and then we explore in detail the individual requirements of the various regulators. We also discuss the types of records that are not mandated by regulation, but that should be maintained for internal purposes and made available to regulators upon request. Finally, we discuss the requirements for proper storage and maintenance of records so that they are easily accessible when the need arises. GENERAL PROCEDURES REQUIRED FOR RECORDKEEPING 1 | Discuss a dealer member’s non-financial recordkeeping obligations. Dealer members must have policies and procedures in place to meet requirements for proper retention of records. Their records are essential to regulators and government agencies, including the provincial securities administrators, CIRO, and non-securities-related government agencies such as the Canada Revenue Agency, FINTRAC, and the Office of the Privacy Commissioner (OPC). Recordkeeping requirements extend not only to day-to-day business records, but also to compliance, supervision, complaints, and investigative matters. The requirements are dynamic and may vary between laws and regulatory agencies. The compliance department should therefore maintain an up-to-date schedule of requirements applicable by regulator but also by the type of information that is being retained. In larger dealer members, compliance staff often relies on the legal department to keep them informed about changes to recordkeeping requirements, including changes to limitations periods. Registrants must maintain records for two reasons: to accurately record their business practices, financial affairs, and client transactions; and to demonstrate the extent of the dealer member’s compliance with applicable securities legislation. The manner in which the firm keeps its records is as important as the record itself. It must be stored in a safe location in “durable form”, and in such a way that it can be quickly and easily provided to a regulator upon request. DID YOU KNOW? Under CIRO Rules, a “record” is defined as books, records, client files and information and other documentation, including electronic documents, related to the Regulated Person’s business. GENERAL RECORDKEEPING FORMATS Dealer members’ records are increasingly maintained in electronic format only, although paper recordkeeping still exists at some firms. Regulators do not dictate the format of records; they only require that they be accessible. In some cases, they may ask for a copy of the original document; in others, information alone is enough. When © CANADIAN SECURITIES INSTITUTE 10 4 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION SECTION 4 implementing recordkeeping systems, the firm must consider the regulators’ expectations for each type of information. Some records are created and maintained offsite, such as records of supervision of a dealer member’s business locations. In such cases, the firm should implement a policy dictating the format and method of storage such that the record can be retrieved in a reasonable period of time. Similarly, if the firm permits business location staff to circulate preliminary prospectuses, it should also dictate the procedure and format for recording the names of the recipients. This requirement ensures that final prospectuses are also circulated. Every recordkeeping procedure should require identification of the record’s location and of the person or persons responsible for creating it. Recordkeeping procedures in general should be designed to eliminate ambiguity and assist in achieving consistency throughout all business locations. This consistency can subsequently be tested through business location compliance audits. DID YOU KNOW? The Canadian General Standards Board (CGSB) has prepared a national standard for electronic records with the goal of meeting legal evidence requirements. The CGSB standard can be accessed through the Government of Canada website. REGULATORY RECORDKEEPING REQUIREMENTS 2 | Describe the records dealer members are required to maintain. The various regulators have specific recordkeeping requirements that are suitable to their needs. The different sets of requirements are discussed below. REQUIREMENTS OF CIRO RULES Under CIRO’s general requirements to maintain records, a dealer member must maintain current records that: properly record its business activities, financial position, financial operating results and client transactions, and demonstrate the dealer member’s compliance with securities laws and CIRO requirements. The records required under CIRO rules include, but are not limited to, those that demonstrate compliance with the following requirements: The dealer member’s policies and procedures Know-your-client and suitability requirements Complaint handling requirements Records must document the following information: Opening of client accounts, including any agreements with clients Correspondence with clients Compliance and supervision actions taken by the dealer member Generally, these records must be retained for seven years. © CANADIAN SECURITIES INSTITUTE CHAPTER 10 RECORDKEEPING REQUIREMENTS 10 5 DIVE DEEPER IDPC Rule section 3803, General requirements for record retention periods, states: A Dealer Member must retain copies of all records in a safe location required under CIRO requirements, in durable and accessible form, for a minimum of seven years from the date the record is created unless CIRO requirements or securities laws relating to the specific type of record require a different retention period. For complete requirements, visit CIRO’s website. MATTERS REPORTED TO CIRO An Approved Person must report to the dealer member if he or she is the subject of a written client complaint. The dealer member is required to designate a person or department to whom these reports must be made, who must then notify CIRO within the prescribed timeframe. In most cases, reporting is made through ComSet. Failure to report on time may subject the dealer member to an administrative penalty. All reported information is used to assist CIRO in fulfilling its regulatory role by identifying areas for compliance review, matters that should be investigated, industry trends, and regional issues. For each client complaint file, a dealer member must maintain a copy for seven years in a location that is quickly and easily retrievable. Complaint handling is discussed in greater detail further on in the course. COMPLIANCE AND SUPERVISION RECORDKEEPING As discussed previously, CIRO rules require dealer members to establish and maintain a written compliance governance document setting out the organizational structure and reporting relationships that support required compliance arrangements. These requirements encompass more than the Ultimate Designated Person and CCO. CIRO rules also require that supervisors be designated to perform or oversee specific compliance activities. Dealer members must take steps to ensure that they have appropriately defined the responsibilities of the relevant designated person and have assigned them within the organization. CIRO requires that firms maintain records of supervisory review for seven years. These important records must include the following information: who conducted the review, when it was conducted, what enquiries were made, what replies were received, and what actions were taken. DIVE DEEPER Under IDPC Rule section 3916, Governance document, a dealer member must file with CIRO: i. a copy of a current governance document that sets out the organizational structure and reporting relationships required under Rule 3900, and ii. notice of any material changes to the organizational structure and reporting relationships set out in the governance document. For complete requirements see www.CIRO.ca On a routine supervisory audit, compliance staff must try to verify evidence of daily and monthly account activity supervision. Supervisors commonly report that they have reviewed the daily exception reports and applicable monthly statements, but they did not record any enquiries because it was clear there were no problems. In the past, business location supervisors may have evidenced supervision by making notes on daily and monthly commission runs or exception reports. Although this can be effective if done thoroughly and diligently, the method © CANADIAN SECURITIES INSTITUTE 10 6 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION SECTION 4 has several drawbacks. The notes often show that transactions have been reviewed, but they do not always show the type of enquiries made and, more importantly, any responses to enquiries. Furthermore, the volume of such reports makes it difficult to record all enquiries and responses because it means returning to the correct place in the report to record the note. Demonstrating evidence of supervision also involves reviewing up to thousands of pages of reports to determine when and where enquiries and reviews were conducted. This problem can be mitigated, though not eliminated, by introducing labour-saving templates, such as the pre- formatted supervision log shown in Table 10.1. Table 10.1 | Daily Trading Review DATE: BUSINESS LOCATION SUPERVISOR: REGISTERED REPRESENTATIVE TRANSACTION NATURE OF ENQUIRY RESPONSE/ACTION TAKEN Electronic access to such forms fosters efficient communication between head office and distant business locations. A requirement to complete the form daily and file it in an accessible location ensures an appropriate record of supervision which can also be easily retrieved upon a request from the compliance department or CIRO. Email can also maintain evidence of supervision and can be used in conjunction with a log; however, email volumes must be well managed for this system to be effective. EXAMPLE If a business location supervisor or compliance officer is communicating with an RR concerning trade or transaction reviews, a follow-up strategy is necessary to ensure that emails are not sent and promptly forgotten. Similarly, an email response to an enquiry should be maintained in an accessible file. Supervisors can keep an email folder for each RR they supervise as evidence of supervision, provided that enquiries and responses are appropriately filed. In this case, procedures should be implemented to ensure that emails are accessible. The departure of a business location supervisor or compliance staff should not compromise the firm’s ability to provide evidence of supervision. Procedures might involve periodically archiving email folders that contain supervisory correspondence. Third-party supervisory systems are now readily available in the marketplace which significantly automate the supervision process and, furthermore, the documentation of supervision. These types of systems also incorporate workflow processes to enable automatic follow-up to ensure queries regarding trading have been addressed in a timely manner. Staff should be cautioned that email has all the attributes of written correspondence, including longevity. Email communications are legally discoverable and have become key evidence in litigation. CIRO requires investment dealers to archive all business-related emails, including emails sent by mobile wireless devices. Retention of other internal emails may also warrant consideration. Although CIRO sets out the minimum standards regarding the creation of exception reports, a dealer member can prepare additional reports to assist in performing its supervision responsibilities. Minimum standards currently require that equity trades over $5,000 in stocks trading at under $5 per share be reviewed as part of daily supervision. A dealer member might decide that this report will be more helpful if sorted by exchange or currency, or between exchanges and over-the-counter markets. Other types of custom supervision might include a review of all third-party transactions or, alternatively, specific trades that meet particular criteria. For example, a report that discloses all trades for clients of a particular age (e.g., 65 and up) that have aggressive growth noted as an investment objective) might be worthwhile in the context of analyzing risk exposure for © CANADIAN SECURITIES INSTITUTE CHAPTER 10 RECORDKEEPING REQUIREMENTS 10 7 potential client complaints. If this type of report reveals a high number of these accounts with a particular RR, further investigation should continue to determine if the RR is engaging in a meaningful discovery process. It might also produce additional reports with different thresholds. In all cases, the minimums must be preserved. Maintaining business location client files can also help demonstrate supervision, and failure to maintain them can be viewed in an audit as poor supervision. These files contain client documentation and communications. In most instances, RRs’ client files contain information exchanged directly between the RR and the client. However, any client communication directed to the dealer member should be included in the business location client file. Effective recordkeeping requires clear and enforced policies. It is relatively easy to establish guidelines and policies. However, it is the evidence of supervision that is required in almost every sales compliance audit, both internal and external. It may be acceptable to miss issues during a supervisory review, but it is not acceptable to fail to conduct the review. Where there is no evidence of a review, the auditors will most likely conclude that a review did not take place. The CCO must ensure both that rules and policies are in place, and that evidence of compliance with the rules and policies exists. REQUIREMENTS OF THE UNIVERSAL MARKET INTEGRITY RULES CIRO’s Universal Market Integrity Rules set out audit trail and recordkeeping requirements with respect to orders and trades in Sections 10.11 and 10.12. UMIR requires that records be retained for seven years, and that be kept in a readily accessible location for the first two years. However, UMIR includes other requirements regarding markers to be added when specific types of orders are transmitted to a marketplace. UMIR Rule 10.16, Gatekeeper Obligations, requires that any Participant or Access Person who notes conduct that might involve a potential breach of UMIR or other SRO rules and by-laws immediately report the matter to their supervisor or compliance staff. If a supervisor or compliance employee receives a report, a review must be conducted in accordance with the dealer member’s Trade Desk Policies and Procedures, adopted under UMIR Rule 7.1. For more information regarding gatekeeper obligations, refer to Market Integrity Notice No. 2006-007, Gatekeeper Reporting Obligation. If the person doing the review concludes that a potential violation has occurred, he or she must take the following actions: Make a written record of the report and the review. Diligently investigate the activity. Make a written record of the findings of the investigation. If a violation is identified, report the findings to CIRO no later than the 15th day of the month following the month in which the findings were made. CIRO also encourages the reporting of instances where a violation may have occurred. Dealer members must retain the records of reports, reviews, and findings for at least seven years from the creation of the record. It must also allow CIRO to inspect and make copies of its records at any time during normal business hours. These review and reporting requirements are in addition to any others contained in securities legislation or SRO rules. REQUIREMENTS OF THE FINANCIAL TRANSACTIONS AND REPORTS ANALYSIS CENTRE OF CANADA Businesses and industries that must report to FINTRAC must also abide by regulations under PCMLTFA. This legislation imposes direct reporting, client identification and recordkeeping requirements on securities dealers. These requirements support the detection, investigation, and prosecution of money laundering and terrorist financing offences. © CANADIAN SECURITIES INSTITUTE 10 8 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION SECTION 4 All securities dealers in Canada are required to implement a compliance regime in accordance with FINTRAC guidelines. The first step in fulfilling the requirements is to appoint a compliance officer to oversee the development and implementation of a dealer member’s money laundering and terrorist financing prevention program. This person is sometimes referred to as the chief anti-money laundering officer and is usually the dealer member’s CCO. Under PCMLTFA, dealer members must retain records in such a way that they can be provided to FINTRAC within 30 days of a request to examine them. Under the regulations, signature cards, account operating agreements, and account application forms must be kept for five years from the day of closing of the account to which they relate. In the case of records to confirm the existence of an entity (including a corporation) and beneficial ownership records, they have to be kept for five years from the day that the last business transaction was conducted. Dealer members must comply with several reporting requirements with respect to money laundering and terrorist financing activities, some of which are described below. Firms should carefully review the PCMLTFA to ensure that all reporting requirements are being met. In addition, they should register with FINTRAC to ensure that electronic reports can be filed in a timely manner. SUSPICIOUS TRANSACTIONS Dealer members are required to submit reports to FINTRAC when there are reasonable grounds to suspect that a transaction or attempted transaction is related to money laundering or terrorist financing. The same requirement applies when a transaction or attempted transaction is related to property in the firm’s possession that appears to be owned or controlled by a suspected terrorist or a terrorist group. Dealer members are required to submit the report to FINTRAC as soon as practicable after reasonable grounds for suspicion have been determined. Reports are typically submitted electronically (but may be submitted in paper format if the reporting entity in question does not have the technical capability to submit electronically). TERRORIST PROPERTY HOLDINGS If property under a dealer member’s possession or control is known to be owned or controlled by a terrorist or a terrorist group, a terrorist property report must be submitted without delay to FINTRAC, the RCMP, Canadian Security Intelligence Service (CSIS), and CIRO. Furthermore, if it is known that a transaction is related to property owned or controlled by a terrorist or a terrorist group, the transaction should not be completed and the property in question must be frozen immediately. DID YOU KNOW? Dealer members are required to submit a monthly report to CIRO or the appropriate securities administrator disclosing any property owned or controlled by or on behalf of a “listed person” that the firm is in possession or control of. The report also requires dealer members to indicate whether the RCMP and CSIS have been notified about the person and their property, and whether the assets have been frozen. LARGE CASH TRANSACTIONS Anti-money laundering legislation requires dealer members to submit reports to FINTRAC when $10,000 or more in cash (or its equivalent in another currency) is received in a single transaction. In addition, a report must be submitted to FINTRAC when any two or more transactions of $10,000 or more in cash are received from the same beneficial owner within a 24-hour period. If the dealer member has policies against accepting large amounts of cash (as it should), these policies must be communicated to everyone involved in accepting client deposits. © CANADIAN SECURITIES INSTITUTE CHAPTER 10 RECORDKEEPING REQUIREMENTS 10 9 CROSS-BORDER CURRENCY AND MONETARY INSTRUMENTS If $10,000 or more in cash or monetary instruments is being imported or exported, whether by mail, courier, or physically, this fact must be reported to a customs officer. An exemption exists for securities being imported to Canadian dealer members by courier or mail. Securities cage staff should be aware of the reporting requirements. Items that are not properly recorded can be seized at the border, with recovery being subject to a fine. Chief financial officers should familiarize themselves with all issued guidelines from FINTRAC, which are readily accessible on the agency’s webpage. In particular, Guideline 4 requires dealer members to implement a compliance regime, and they must review this regime every two years to test its effectiveness. REQUIREMENTS OF PRIVACY LEGISLATION Part of the mandate of OPC is to oversee compliance with PIPEDA, which sets out rules regarding the collection, use, and disclosure of clients’ personal information. To be compliant with PIPEDA and with similar provincial privacy legislation in Quebec, British Columbia, and Alberta, dealer members must have policies and procedures in place to govern the management of personal information. A dealer member’s privacy policy should set specific limits for the amount and type of personal information that can be collected based on what is necessary for a specific purpose. Collecting only required information reduces the risk of inappropriate use and disclosure of the information. Dealer members must also have procedures in place to handle requests from clients for access to their personal information. When a request is made, a privacy officer appointed by the firm (typically the CCO) must ensure that all front-line employees have the resources available to handle such requests. After a dealer member has confirmed that it has personal information about a client, the firm must provide access to this data within 30 days of the request. Dealer members must also tell clients how personal information about them is being used and to whom it will be disclosed. Because of requirements to provide information, dealer members must advise clients that their personal information might be given to regulators upon request. The firm must decline to accept or administer the account of clients who do not consent to have their personal information collected, used, or disclosed as necessary by the firm to the regulators. The dealer member’s privacy officer must establish timelines for the retention and destruction of all personal information collected. In general, all information that is no longer required for its original purpose should be destroyed, deleted, or rendered anonymous. The firm should have specific procedures for the safe destruction of personal information. The privacy officer must also develop safeguards that protect the sensitivity and maintain the confidentiality of any personal information that the dealer member collects. This security can be achieved by limiting access to personal information, storing files and documentation in a secure manner, having in place appropriate security measures for personal information sent over the Internet or an intranet, and making sure that paper and electronic data are disposed of properly. Fines for violations of the privacy legislation are significant and criminal charges may proceed either by summary conviction or an indictable offence. It is also an offence under the privacy legislation to destroy personal information that a client has requested, to dismiss or harass an employee who has complained to the Privacy Commission, or to obstruct a complaint investigation or audit. © CANADIAN SECURITIES INSTITUTE 10 10 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION SECTION 4 OTHER RECORDKEEPING REQUIREMENTS The following types of records are not specifically mandated by regulation; however, they may be necessary for regulatory or other legal purposes, and can be beneficial to the conduct of the CCO: Records of changes to policies and procedures can be useful in resolving litigation and investigations, particularly those policies and procedures that were in place at the time of the incidents in question. This type of recordkeeping or tracking is similar to a table of concordance. It allows a dealer member to know with certainty what policies were in place at what time, as well as when the policy manual was updated. Statistical records of client complaints and settlements can be useful in determining the appropriateness of changes in supervisory requirements and in policies and procedures. Records of market research and recommendations, and their effective dates, can be useful and sometimes necessary in resolving litigation and client complaints. Records of approvals (or non-approvals) can be useful when compliance department approval is required for internal purposes. Less formal forms of recordkeeping should also be subject to policies and procedures for records retention. Due diligence should also be conducted on distributions of securities. Dealer member policies vary on the issue of due diligence records retention. Some firms maintain all records; others have detailed policies governing which records must be maintained. The CCO must ensure that the dealer member’s policy governing records retention can demonstrate due diligence during an audit and that the firm adheres to the policy. EXAMPLE Most RRs keep personal records such as day-timers and client books that can be useful in settling disputes. Similarly, written or electronic calendar entries and emails that are not otherwise required to be retained can prove useful. During an investigation or dispute, it may be necessary to show that the person who kept such a record did so as a matter of practice; otherwise, it may be construed that records shown as evidence were made up to serve the purpose. Regardless of the manner in which a record is kept, RRs should maintain consistent recordkeeping practices. To promote good recordkeeping and retention, they should be encouraged to maintain detailed notes about the client relationship in whatever manner is most convenient to them. The timing of the record’s creation is as important as the record itself. A record that is made during or immediately following an event in question is more likely to convince the investigator that it is accurate and that the RR’s system of recordkeeping is valid. RECORD RETENTION AND ACCESSIBILITY 3 | Discuss recordkeeping accessibility. Of critical importance to a dealer member is a master schedule showing what records exist, where they are, and who is responsible for their maintenance. If records cannot be easily located and easily produced upon request, regulators will assume that they do not exist. The recordkeeping responsibilities of individual employees should be included in the dealer member’s policies and procedures, as well as in their job descriptions or similar procedural directions. The schedule should be updated as required and should form the basis for internal audits to ensure that the procedures are being followed. The dealer member’s record retention policy should deal with records normally held by individuals, such as day- timers, journals, and electronic records of advisors. Many advisors take these records with them upon leaving the firm. In some cases, advisors own the computers that they use regularly. Retention of electronic records can be simplified by having network backups of whatever information is stored on personal devices. © CANADIAN SECURITIES INSTITUTE CHAPTER 10 RECORDKEEPING REQUIREMENTS 10 11 Handwritten records can be more difficult to deal with. If it is understood that the advisor can take such records upon leaving the dealer member, and if there is no regulatory obligation for the dealer member to retain the records, the dealer member should at the very least have a contractual right of access to the records for a reasonable period. Retention of records of compliance and supervision is also important, but it is sometimes overlooked, particularly at branch locations. There may be a practice of throwing out paper commission or exception reports, even those that contain notes or comments as the only record of issues raised, questions asked, and answers given. Even if retained, such records in paper form are bulky. A later search through numerous boxes of records for notes or comments that may or may not exist is time-consuming and costly. It is generally more effective to keep electronic records. Paper records on which notes are made should be stored separately by date, or all such notes and reports should be put into client files. © CANADIAN SECURITIES INSTITUTE 10 12 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION SECTION 4 SUMMARY In this chapter, we discussed the procedures that dealers must have in place to meet requirements for proper retention of records. We discussed that recordkeeping procedures should be designed to eliminate ambiguity and achieve consistency throughout all business locations, with the aim of assisting compliance audits. We also discussed that the various regulators have specific recordkeeping requirements. For example, CIRO’s requirements focus on a dealer member’s providing evidence of adequate supervision. This evidence becomes especially important when a client complaint leads to an investigation and possible disciplinary action. FINTRAC, on the other hand, focuses its recordkeeping requirements on the prevention and detection of money laundering and terrorist financing. A critical aspect of recordkeeping is the means of retention and the accessibility of records. We discussed the types of records that should be retained, the importance of having someone in charge of maintaining them, and the methods used to ensure that they can be made accessible when necessary. A key point to remember is that even the personal devices and handwritten records of employees should not be off-limits in an investigation, and contracts with employees should be written up with this fact in mind. The essential nature of a dealer member’s records becomes most apparent when a client is unhappy about some aspect of his or her dealings with a firm. Those records are an integral part of the processes and procedures that every dealer member must have for handling client complaints. In the next chapter, we discuss those processes and procedures in detail. © CANADIAN SECURITIES INSTITUTE