Chapter 2 - Formal Compliance Structure PDF
Summary
This document outlines the formal compliance structure of a financial institution, specifically a dealer member of CIRO in Canada. It details learning objectives concerning the mandate and responsibilities of a compliance department, the roles of key personnel, including a chief compliance officer and the board of directors.
Full Transcript
Formal Compliance Structure 2
CONTENT AREAS
Overview of a Formal Compliance Structure
Roles and Responsibilities
Creating a Senior-Level Compliance Structure
Relationships with Regulators and Other Parties
Introducing Broker/Carrying Broker Arrangements
Compliance Governance Document
LEARNING OBJECTIVES
1 | Discuss the mandate and responsibilities of a compliance department, and distinguish between supervision and compliance.
2 | Describe the role and responsibilities of a chief compliance officer, a board of directors, and other designated persons.
3 | Discuss and differentiate between the components of a senior-level compliance structure.
4 | Describe the chief compliance officer’s role in maintaining relationships with regulators and with internal and external parties.
5 | Describe the four types of introducing broker/carrying broker arrangements under the Canadian Investment Regulatory Organization Rules, and list the responsibilities of the introducing broker and the carrying broker for each type.
6 | Develop a compliance governance document.
© CANADIAN SECURITIES INSTITUTE CHAPTER 2 FORMAL COMPLIANCE STRUCTURE 2 3
INTRODUCTION
In the previous chapter, we discussed the importance of having a properly working compliance function and department at an investment dealer member of CIRO. We focused particularly on the need for a culture of compliance. We also examined how the nature of compliance and the roles of key internal players at a dealer member have evolved to meet the current expectations of regulators in the securities industry.
In this chapter, we discuss the formal compliance structures mandated by securities regulation and those that are less formal but dictated by good business practices. The second type may exceed, but not fall short of, regulatory expectations. They are put in place to reflect the acceptable risk profile mandated by the dealer member.
In general, this chapter treats the compliance department as a dedicated resource separate from business operations, with full-time staff under the direction and authority of a full-time chief compliance officer. In some dealer members, particularly smaller firms, compliance is carried out by one or more persons who also have business line responsibilities and possibly other operational responsibilities.
OVERVIEW OF A FORMAL COMPLIANCE STRUCTURE
1 | Discuss the mandate and responsibilities of a compliance department, and distinguish between supervision and compliance.
A formal compliance structure at a dealer member is made up of a compliance function and a compliance department. As discussed in Chapter 1, the compliance function refers to the various staff members who carry out compliance responsibilities at a dealer member. The compliance department is a business unit whose role is to identify, assess, advise on, act on, communicate, monitor, escalate, and report on the dealer member’s compliance with regulatory requirements.
General compliance concepts and certain specific requirements apply equally to all dealer members, but the manner in which they are applied depends on the characteristics of the individual firm. For example, a large, integrated, full-service dealer member typically would have an extensive and complex supervisory and compliance control environment because of the many services and products it offers through various channels. A boutique dealer member specializing in a limited range of product and service offerings would have a considerably different structure, as would an introducing broker that relies on its carrying broker to carry out specified activities.
Surveillance and monitoring are seen as the primary functions of the compliance department. However, it is also the department’s role to interpret rules and to address and explain compliance issues.
Furthermore, the CCO and the compliance department are only part of an effective compliance risk management structure. The department should operate within formal and informal relationships both inside and outside the firm.
DID YOU KNOW?
The compliance department, and in particular the CCO, is typically the lead relationship contact with all regulators with authority over the dealer member.
When designing a formal compliance structure, CCOs should consider the dealer member’s business, corporate structure, and governance framework, which are designed to meet business objectives. They should then define and document the department’s mandate in the context of the total environment. Ultimately, the most effective compliance structure complies with regulatory and risk management requirements in a way that aligns with business objectives.
It is important for firms to design a compliance mandate based on business that is actually carried out. The same holds true for supporting documents such as the policy and procedure manual. A pre-ordained compliance structure that is not based on the business actually carried on by the firm will not support the firm in meeting regulatory and compliance expectations.
© CANADIAN SECURITIES INSTITUTE 2 4 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION SECTION 1
The terms used and roles played by various departments of a dealer member are not always clear because they vary in the way functional responsibilities are allocated. The term risk management, for example, is used by insurance underwriters, lenders, derivative traders, and compliance officers to mean different things. Similarly, the role of an internal audit department is often confused with the role of the compliance department. Regardless of the differences, however, all departments must be clear about their responsibilities.
Dealer members are subject to numerous compliance requirements beyond those imposed by securities regulations.
Not all requirements are necessarily the responsibility of the CCO or the compliance department. Non-securities-related requirements include legal and regulatory requirements imposed by employment and corporate statutes, anti-money laundering and terrorist financing regulations, and privacy laws. A firm’s structure and business may impose further obligations.
EXAMPLE
Client accounts must be handled in accordance with relevant tax regulations overseen by the Canada Revenue Agency. If a dealer member has an agreement with the United States Internal Revenue Service, it must comply with these obligations as a Qualified Intermediary. A dealer member or its parent may also have issued securities to the public and be subject to the obligations of a reporting issuer.
The CCO and the compliance department are unlikely to have the necessary expertise or authority to address such issues. A dealer member and its CCO should agree on the CCO’s legal and regulatory responsibilities across the firm. A less-than-explicit statement of a CCO’s mandate can lead to compliance gaps when unanticipated problems arise. A regulator may hold the compliance department or CCO responsible for a compliance failure if responsibility has not been assigned elsewhere. Typically, the CCO’s mandate is stated in his or her job description but it should also be specified in public or firm-facing documentation so that other departments and business units understand the mandate of the compliance department.
Each dealer member must assign specific responsibilities to the CCO, and either the board of directors or the UDP should see to it that all other compliance responsibilities are assigned elsewhere. All requirements should be documented, including expectations as well as responsibilities. For example, it should be made clear that the CCO is expected to provide advice when requested and to identify control vulnerabilities within the firm, even those that are not his or her direct responsibility.
CONTROL FUNCTIONS AT A DEALER MEMBER
Certain securities regulatory functions may be performed by the compliance department or may be assigned to other areas. Typical compliance department functions include the following activities:
- Developing and maintaining compliance policies and procedures, which typically are published and updated in the dealer member’s policy and procedure manual
- Monitoring and surveillance (including supervision of Tier 2 trading and onsite business location reviews)
- Conducting certain pre-clearance and approval activities
- Providing compliance training, education, awareness, and support
- Dealing with regulatory examinations, inquiries, and issues
- Monitoring, participating in, and providing advice on regulatory developments
- Handling complaints
- Conducting internal reviews and investigations
- Maintaining regulatory relationships
- Reporting internally on compliance matters to management and the board of directors
- Reporting externally on compliance matters to regulatory authorities
- Managing registration-related issues
Other control functions mandated by securities regulations or other authorities are described below.
FINANCE AND ACCOUNTING
CIRO requires that dealer members appoint a chief financial officer (CFO) who is typically responsible for managing the firm’s financial and accounting functions. Responsibilities include the maintenance and monitoring of the firm’s capital position as required by regulations. The CFO also oversees activities that are integral to the firm’s business activities, such as budgeting, expenditure controls, and cash management. The regulatory framework does not explicitly distinguish the CFO’s area of accountability from the CCO’s, although accepted industry practice usually draws a distinction between financial compliance and business conduct compliance.
However, some operational areas fit equally well under the compliance monitoring of either the CCO or the CFO. Therefore, it is important that the dealer member delineates between the responsibilities of the two positions.
CREDIT
The credit area of a dealer member typically establishes margin policies and rates to the extent that the firm uses rates lower than those mandated by regulation. It also monitors and enforces firm and client adherence to credit policies and related matters, such as those related to sell-outs and the issuance of margin calls, accounts that are under-margined, and accounts that are in a debit position.
AUDIT
Dealer members must have periodic external audits of their financial statements and specific financial, operational and control procedures. Larger dealer members may also have an internal audit function that reviews the firm’s risk management, reporting, and control environment. Typically, internal audit departments are aligned with finance departments with a direct reporting link to the audit committee of the board of directors. An audit department might also audit a compliance department, conduct its own business locations audits, or participate in sales compliance audits led by a compliance department.
REGISTRATION
Most dealer members have a specialist group that handles various firm and individual registration applications, changes, renewals, terminations, and related filings required under securities regulations. This function may exist under the compliance department or the legal department, or it may be a stand-alone department, depending on the complexity of the dealer member’s business model.
LEGAL
The need for specialist legal resources varies significantly between dealer members, depending on the nature of their business and size. In addition, the CCO may sometimes have a legal background.
Legal services are usually required when drafting standard-form client documents and agreements, providing advice on the legal aspects of new products, services and business initiatives, and during litigation and other legal processes. Firms may rely on external counsel or hire internal counsel, either within the compliance department or through a separate general counsel or legal department.
If a lawyer within a compliance department (including a CCO who is also a lawyer) provides legal advice to the dealer member, such services must be clearly distinguished from compliance activities. This distinction is necessary to avoid confusion as to whether the advice is being provided by a lawyer or by the CCO. The distinction also preserves the legal privilege of materials, which protects a client’s dealings with a legal advisor from being disclosed without the client’s permission.
Although not required, the legal department is often set up as a separate function from the compliance department for this reason. In such cases, the compliance department operates as a client department, similar to all other departments. In this manner, when required, the compliance department can seek legal advice from the law department and be afforded similar privilege and confidentiality protections that clients typically enjoy.
CORPORATE SECRETARY
The corporate secretary is responsible for official documents, such as the official seal, records of shares issued, the dealer member’s corporate minute book, and minutes of all board or committee meetings. The secretary usually supports the firm’s governance by organizing meetings, compiling and distributing meeting materials, making sure that certain required resolutions are submitted to the board of directors, and similar administrative functions. This person may also be responsible for filings required by corporate law.
RISK MANAGEMENT AND INSURANCE
The risk management function is noteworthy because securities regulations impose specific fidelity bond and mail coverage requirements. Risk management is also a key element of the dealer member’s control environment as it relates to trading and credit exposure.
Some or all of these responsibilities may be integrated within the compliance department, or the compliance department may form part of these functional areas. Regardless of the structure adopted, the dealer member’s overall compliance framework should delineate the relevant responsibilities. The CCO should act to ensure that internal reporting and communication lines are coordinated so that information is shared between compliance and other departments.
The cyclical nature of the investment industry often leads to reductions or increases in staff as the market shifts. CIRO expects its dealer members to maintain effective compliance programs in all market conditions. The firm may have some flexibility in determining the compliance structure, but it must always have adequate staff and resources to meet compliance and control functions. This consideration is particularly important in the context of restructuring.
EXAMPLE
In many dealer members, various other departments are aligned with the compliance function and share compliance responsibilities. For example, the following three departments share some degree of responsibility:
- The finance department is generally responsible for ensuring adherence to regulatory capital rules. Interaction with compliance on issues relating to capital is inevitable.
- The credit department is responsible for the timely settlement of securities trades and for monitoring the use of margin. Many private client compliance problems are complicated by credit issues.
- Larger dealer members have internal audit departments that conduct audits of head office departments and business locations to assist in ensuring compliance with the internal control standards of the industry. These audits often overlap with sales compliance audits conducted by the compliance department.
ROLES AND RESPONSIBILITIES
2 | Describe the role and responsibilities of a chief compliance officer, a board of directors, and other designated persons.
CIRO’s IDPC rules set out the dealer member’s obligation to supervise its business and operations and establish a system of controls designed to provide reasonable assurance that the dealer member and its employees are complying with CIRO requirements. Further obligations are imposed by the Universal Market Integrity Rules (UMIR) and by other securities regulatory authorities. These regulatory requirements provide a framework for a dealer member’s formal compliance structure that encompasses the roles, responsibilities, and relationships of the compliance department.
Within this framework, the dealer member must create, maintain, and apply written policies and procedures that establish a system of controls and supervision. As part of this system, it must also establish a mechanism to ensure that all registrants are capable of complying with applicable CIRO requirements. This mechanism will typically take the form of ongoing and current training for registrants to support their understanding and awareness of regulatory obligations.
DIVE DEEPER
IDPC Rule section 3901 (2) states: Appropriate supervision of all aspects of a Dealer Member’s business and operations is a fundamental responsibility of the Dealer Member. The Dealer Member’s policies and procedures that specifically address its supervision system must remain up to date at all times, based on current CIRO requirements and applicable laws.
Complete requirements in this regard can be found on CIRO’s website.
DISTINCTION BETWEEN SUPERVISORY AND COMPLIANCE FUNCTIONS
The supervisory function is very similar, but not identical, to the compliance function. CIRO distinguishes between supervision and compliance as follows:
- Compliance staff identifies issues and typically refers them to the appropriate supervisor for resolution.
- Supervisors resolve issues after they have been identified.
The supervisor is generally part of the business unit in which the compliance issue occurred. The logic of this arrangement is that the business unit is best able to supervise its own activities. Compliance operates at arm’s length from the business unit and relies on sampling and other techniques to identify compliance issues. It does not normally review every transaction.
DIVE DEEPER
CIRO guidance further articulates the nuances that distinguish the two functions. See Guidance Note 1400-21-002, The Role of Compliance and Supervision. This Guidance Note relates to Rule 3900, Supervision, and to Rule 1400, Standards of Conduct. For complete requirements see www.CIRO.ca.
CIRO permits dealer members to combine compliance and supervision. For example, compliance officers may be assigned responsibility for approving new accounts, which is a supervisory responsibility that requires registration. In determining whether a person has supervisory responsibility, CIRO looks at the person’s responsibilities, authority, and functions, and any documentation describing the person’s responsibilities and authority. We examine these roles and responsibilities below.
THE DEALER MEMBER
Each dealer member must establish, implement, communicate, and maintain effective programs to ensure compliance with applicable rules and regulations. It must also appoint as many supervisors as necessary to properly supervise the business of the firm.
Finally, the compliance and supervisory regime must take into account the scope and complexity of the firm’s business.
BOARD OF DIRECTORS
Under IDPC Rule section 3915, the CCO must report to the board of directors (or its equivalent) about the status of compliance at the dealer member. Reporting must occur as often as necessary, typically on a quarterly basis, but at least annually. The very detailed reports should provide a status report on the state of compliance matters within the firm. The board is required to review the reports and, if any compliance deficiencies are noted, it must decide what actions are necessary to rectify them. It must then make sure that the actions deemed necessary are carried out.
The responsibilities of the board in relation to trading are detailed in UMIR under Part 1 Responsibility for Supervision and Compliance of Policy 7.1 Trading Supervision Obligations. This provision restates the dealer member’s obligation to supervise the actions of its employees, directors, and officers to ensure that trading is carried out in accordance with regulatory requirements. The applicable sections of Policy 7.1 read as follows:
An effective supervision system requires a strong overall commitment on the part of the Participant, through its Board of Directors, to develop and implement a clearly defined set of policies and procedures that are reasonably designed to prevent and detect violations of Requirements.
The Board of Directors of a Participant is responsible for the overall stewardship of the firm with a specific responsibility to supervise the management of the firm. On an ongoing basis, the Board of Directors must ensure that the principal risks for noncompliance with Requirements have been identified and that appropriate supervision and compliance procedures to manage those risks have been implemented.
Management and the Board of Directors must ensure that the compliance department is adequately funded, staffed and empowered to fulfill these responsibilities.
In performing the trading supervision obligations, the Participant will act as a “gatekeeper” to help prevent and detect violations of applicable Requirements.
MANAGEMENT
Each dealer member management team is responsible for supervising and directing the activities of the dealer member, as well as the individuals within the dealer member, to ensure compliance with the rules governing those activities within their management responsibility.
COMPLIANCE DESIGNATIONS
A number of formal compliance designations are required, some of which depend on the types of business conducted by the dealer member. Some designations may require specific registration approval by a regulatory authority; others are assigned by the firm. The firm must maintain particulars of the persons who have accountability. Key designated persons include the positions described below, among others.
ULTIMATE DESIGNATED PERSON
CIRO requires that each dealer member have only one person approved in the category of UDP. It also requires that the designated UDP be the chief executive officer (CEO) or a person who acts in a similar capacity. The CCO is permitted to also serve as the UDP, but this arrangement typically occurs only in smaller firms. It is more likely that investment in compliance will be treated as a high priority when the business head is appointed to the position of UDP.
The UDP is responsible for the conduct of the dealer member and the supervision of its employees. The UDP is also responsible for developing and implementing policies and procedures that adequately reflect the regulatory requirements of the firm.
CHIEF COMPLIANCE OFFICER
The dealer member must appoint a CCO, which is an integral position in the firm’s executive management team.
Certain functions and activities are assigned to the CCO by regulation, and responsibilities are further defined by the firm’s organizational structure. See Exhibit 2.1 below. The person in this role must implement compliance systems and establish and maintain policies and procedures for assessing compliance by the firm and by persons acting on its behalf. The CCO is also responsible for monitoring and assessing compliance with all of the firm’s requirements and applicable rules.
Regardless of the role of the CCO at any given dealer member, the function should interact with business areas across the organization. The CCO must have access to the UDP and the board of directors (or equivalent) when the CCO considers it necessary or advisable in view of his or her responsibilities.
Exhibit 2.1 | Excerpt from IDPC Rule section 3912, Responsibilities of the Chief Compliance Officer
The Chief Compliance Officer must:
1. Establish and maintain policies and procedures to assess compliance by the Dealer Member and individuals acting on its behalf with CIRO requirements and securities laws;
2. Monitor and assess compliance by the Dealer Member, and individuals acting on its behalf, with CIRO requirements and securities laws; and
3. Report to the Ultimate Designated Person as soon as possible if there is any indication that the Dealer Member or any individual acting on its behalf may be in noncompliance with CIRO requirements or securities laws and
(A) the noncompliance creates a reasonable risk of harm to a client;
(B) the noncompliance creates a reasonable risk of harm to the capital markets; or
(C) the noncompliance is part of a pattern of noncompliance.
DESIGNATED SUPERVISORS
CIRO requires that a dealer member appoint as many supervisors as necessary to properly supervise its various lines of business.
CIRO requires designated supervisors to be responsible for functions including:
- Opening new accounts and supervising account activity
- Supervising options and futures accounts
- Pre-approving advertising, sales and literature, and correspondence materials
An individual may be designated as a supervisor in more than one category. For example, a supervisor at a business location may be the designated supervisor for account openings, options accounts, and certain types of marketing and advertising.
ACCOUNTS SUPERVISOR
Dealer members must appoint one or more supervisors who are responsible for approving the opening of new accounts and for establishing and maintaining procedures relating to the supervision of accounts and account activity. CIRO rules permit a hierarchy for the approval of new accounts and supervision of ongoing account activity. These responsibilities are shared by a few persons in a small dealer member; larger firms with more locations may require a more elaborate supervisory structure.
The CCO typically assesses whether the adopted processes are operating as they should. In the case of larger firms with several business locations, the CCO’s assessment may involve periodic onsite reviews of business location supervision and recordkeeping as required. Alternatively, small firms may choose to assign supervisory responsibility for account opening and activity directly to a centralized compliance function.
RESIDENT SUPERVISORS
CIRO rules do not refer to branch managers as part of a formal compliance structure; however, the resident supervisor’s role is similar to that of a branch manager.
CIRO considers that a resident supervisor is in the best position to know the registrants (e.g., RRs and IRs) in the office, to know or meet many of the clients, to understand local conditions and needs, to facilitate business by quickly approving new accounts, and to respond immediately to questions or problems.
CIRO rules do not require a resident supervisor for a business location; however, they do contemplate certain factors that dealer members should consider in determining whether a resident supervisor is required. Once a formal business location and head office supervisory structure is in place, the firm and its registrants must verify that it works to ensure that business conduct across the entire firm is in compliance with CIRO rules.
EXAMPLE
To illustrate the flexibility of the rules with respect to implementing a system of supervision, some dealer members will have regional supervisors for each province who are based centrally, but who travel to the business locations within their supervision territory frequently. Each dealer member must make sure that such a system works effectively once it is put into place.
Alternatively, some dealer members take a more location-centric approach by maintaining enough supervisors in each business location to meet certain criteria. Criteria might relate to the number of registrants, the types of business carried out (e.g., options or commodities), and factors such as previous client complaints or registrants on heightened supervision.
The rules have been tailored to ensure flexibility in recognition of the differing business models that exist among dealer members of CIRO, so that each member may implement a system that is best suited to its business model.
OPTIONS SUPERVISORS
Dealer members that deal in options must appoint a qualified supervisor to monitor options trading, to approve customer accounts, and to establish and maintain appropriate supervisory procedures pertaining to options trading.
FUTURES SUPERVISORS
Dealer members that deal in futures must appoint a qualified supervisor to monitor trading in futures contracts, to approve customer accounts, and to establish and maintain appropriate supervisory procedures pertaining to futures trading.
TRADING SUPERVISOR
Section 7.1 of UMIR requires that each dealer member appoint a head of trading to oversee supervision of the firm’s trading activities in the marketplace. The head of trading must also make sure that all employees are supervised for compliance with UMIR.
SUPERVISOR OF ADVERTISING, SALES LITERATURE, AND CORRESPONDENCE
Dealer members must designate one or more supervisors to be responsible for supervising advertising, sales literature, and correspondence distributed by the firm and its employees. These supervisors must make sure that all materials, both hard copy and electronic, comply with applicable regulatory standards and the firm’s own policies and procedures. They must also approve specified materials prior to publication or use.
OTHER DESIGNATIONS
Other designations may be required, depending on a dealer member’s business. For example, dealer members must designate one or more supervisors to be responsible for reviewing and approving research reports, and dealers offering managed or discretionary accounts must assign responsibility to qualified supervisors for such activities. Appointment of a chief officer of anti-money laundering/anti-terrorist financing (AML/ATF), a chief privacy officer, and a designated complaints officer is also required.
Qualified staff must be appointed to each designated position, but overlap is permitted. For example, the chief privacy officer might also be the chief AML/ATF officer. However, it would not be appropriate for a credit clerk, for example, to serve as chief AML/ATF officer because such a person is unlikely to be qualified.
CHIEF ANTI-MONEY LAUNDERING/ANTI-TERRORIST FINANCING OFFICER
The chief AML/ATF officer is responsible for the dealer member’s compliance with the federal Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its regulations. This position is required pursuant to the PCMLTFA. The AML/ATF compliance officer should have the authority and the resources necessary for proper discharge of responsibilities. The appointed person should be a senior-level officer with direct access and must provide regular reporting to senior management and the board of directors.
CHIEF PRIVACY OFFICER
The chief privacy officer must implement and supervise the dealer member’s privacy policy. This officer must make sure that the privacy policy complies with both the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial privacy legislation. The regulations prescribe how private sector organizations may collect, use, or disclose personal information in the course of commercial activities. The firm’s privacy officer may also be responsible for ensuring the firm’s compliance with Canada’s anti-spam laws.
DESIGNATED COMPLAINTS OFFICER
Dealer members are required by CIRO rules to appoint an individual to act as a designated complaints officer for the firm. The person in this role may be a supervisor or other registrant in the compliance department. This position is discussed in greater detail further on in the course.
CREATING A SENIOR-LEVEL COMPLIANCE STRUCTURE
3 | Discuss and differentiate between the components of a senior-level compliance structure.
The UDP and the CCO roles at a dealer member form the senior-level components of a formal compliance structure. The UDP is in a position of accountability, whereas the CCO’s position is one of day-to-day responsibility. The CCO advises management on compliance issues and must report to the UDP and the board of directors regarding the status of compliance at the firm.
The UDP is ultimately responsible to the SROs for the conduct of the firm and the supervision of its employees. The dealer member must allow its UDP and CCO to directly access the firm’s board of directors whenever either person considers it necessary or advisable in view of their responsibilities. We will further explore the relationship between the CCO and UDP after looking at other components of a compliance structure, below.
REPORTING REQUIREMENTS
Because the CCO has access, and reports at least annually, to the board, he or she is able to establish a working relationship with the directors. The mandate of the CCO is to provide the board with reasonable assurance that all standards and requirements of applicable securities laws and regulations are met, along with the firm’s own requirements. CIRO expects that the CCO’s report to the board will identify and discuss material findings contained within the following articles:
• CIRO compliance reports
• Early warning designations
• Gatekeeper reports
• Disciplinary actions
• Compliance risk trend reports
• Any other relevant findings
When the CCO reports compliance deficiencies to the board, it is the board’s responsibility to determine what actions are necessary and make sure they are carried out. However, it usually looks to the CCO for guidance. Regardless of whether the board requests it, CIRO rules require a CCO to report on the sufficiency and effectiveness of actions taken.
The CCO works with management and other relevant parties to arrive at a mutually satisfactory approach to resolving compliance issues. If differences cannot be resolved through escalation to the UDP and other executive management, the CCO must advise the board of his or her concerns. Board reporting is discussed in greater detail further on in this course.
AUDIT COMMITTEE
The boards of directors of all public companies (and many private companies) have audit committees that consider the reports and recommendations of external auditors. This committee can also consider the reports of the internal audit department and the compliance department. However, because these procedures meet only the minimum requirements, they are not sufficient for a large firm. In such cases, as part of its corporate governance responsibilities, the board should request follow-up reports on major issues highlighted in the annual report. In other words, an annual report requirement does not mean that compliance issues are only discussed once a year. A compliance or business conduct committee of the board is another feasible means of board oversight that reinforces the importance of compliance.
DOCUMENT RETENTION
The CCO should maintain documentary evidence of compliance for the mandatory seven years from the date the record is created. Firms should also consider specific document retention policies, including those applicable to electronic records such as email. The ability to prove compliance with the applicable rules is as important as actual compliance with the rules. The documentation requirement applies particularly to the following activities:
• Client account openings
• Compliance with the Know Your Client (KYC) rule and suitability requirements
• Correspondence with clients
• Compliance and supervision activities of the firm
COMBINING THE UDP AND CCO ROLES
The regulatory framework permits a firm to designate the same person as both UDP and CCO. This combined role may be appropriate in small firms where the nature, extent, and complexity of business activities do not warrant retaining a full-time CCO. In those circumstances, it generally works best for the CEO to serve as both UDP and CCO because it sends a strong message about the importance of compliance.
It is also a more effective option than having a junior employee in the same position who may lack the seniority, authority, experience, and skills necessary to properly perform the CCO function.
There are significant disadvantages, however, to combining the UDP and CCO roles. UDPs have other obligations that may prevent them from devoting sufficient time to the CCO function. It also takes time for the UDP to become technically proficient in the CCO role and familiar with the applicable regulations. Before deciding to combine the two roles, it is important to consider the amount of time required to be an effective CCO.
In addition, segregation of functions is a key internal control principle. Combining the UDP and CCO roles eliminates the benefits of having a separate risk assurance function that can conduct independent assessments of the firm’s activities and supervisory processes. If the UDP has a potential conflict of interest in relation to compliance, such a structure can remove the balance that might otherwise exist—in extreme situations, it can result in issues being neglected or concealed.
A UDP who also acts as CCO assumes full responsibility for advising management about compliance issues and for allocating resources to address deficiencies. In other words, the person in the combined role assumes full regulatory liability for compliance failures that could have been prevented through the exercise of reasonable care.
IDENTIFYING POTENTIAL CONFLICTS OF THE UDP
In conjunction with their regulatory responsibilities, UDPs must balance the diverse interests of clients, employees, shareholders, creditors and other stakeholders. They must also focus on various business outcomes, including sales, profitability, and shareholder return. In setting regulatory compliance and risk management goals, the CCO must take all such objectives and stakeholders into consideration.
For example, a UDP who is also the CEO is directly responsible for the firm’s capital markets business. However, it may not be possible for that person to have an arm’s-length relationship between the business and compliance functions. Arguably, this conflict is acceptable because business decisions should always be made with full knowledge of, and appropriate regard for, compliance accountability. However, such is not always the case.
Particularly problematic are situations where the UDP or other senior management or board members have a business interest on the firm’s side and a personal interest on the other side of a transaction. The CCO should be aware of any situation where there is a strong financial incentive for a person in a position of authority to breach regulatory or fiduciary standards in pursuit of personal profit. The CCO should notify the UDP of the conflict of interest and report it to the board, if necessary. Such conflicts may come to light through the following means:
• Registrants’ declaration of conflicts under securities and corporate laws
• Ongoing compliance surveillance and monitoring
• Informed internal or external parties
• The CCO’s own knowledge of the firm’s business
The CCO cannot ignore a substantiated concern about illegal or improper activities by the UDP or by any other member of senior management or the board. Depending on the situation, the CCO should confront the relevant party or formally escalate the matter to executive management or the board (assuming there is no evidence of complicity). In some cases, the CCO’s only option is to resign and seek legal counsel. The resignation must be accompanied by a full, written description of reasons for doing so. The CCO must also notify the securities regulatory authorities and, if necessary, the police.
RELATIONSHIPS WITH REGULATORS AND OTHER PARTIES
4 | Describe the chief compliance officer’s role in maintaining relationships with regulators and with internal and external parties.
Maintaining relationships with federal and provincial regulators and with the SRO is a crucial function of the CCO. These relationships help the CCO to acquire and maintain industry knowledge, to shape industry regulation, and to ensure that effective lines of communication are open when issues arise at the firm. A first step in fostering such relationships is to identify the bodies that regulate the businesses of the dealer member, including the following organizations, among others:
• CIRO
• Provincial securities administrators
• Ombudsman for Banking Services and Investments (OBSI)
• Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)
CIRO supports a Compliance and Legal Section that has the following mandate:
• It advises on the development of rules and policies on business conduct, registration, and enforcement-related matters affecting dealer members.
• It provides a forum for the exchange of information related to complying with CIRO, as well as other requirements regarding business conduct, registration, and enforcement-related matters.
CIRO’s Conduct, Compliance and Legal Section (CCLS) is one of many CIRO Advisory Committees. CCLS may have subcommittees that focus on issues such as education; institutional, retail, and order-execution-only lines of business; money laundering; registration; and seniors’ issues. Dealer members have the opportunity to nominate representatives for these committees. The representatives, in turn, provide opportunities for input on industry-specific issues.
The CCO is often the primary interface between the regulatory bodies and the dealer member.
Managing these interfaces is an important and occasionally challenging task, especially in the context of regulatory enquiries, investigations, and disciplinary actions.
The CCO should develop policies to guide the firm’s interaction with regulators, especially for regulatory activities. For example, if a regulator begins an investigation into a business or activity of the firm, someone at the firm must be in a position to coordinate the regulatory enquiry. To maintain good relations with the regulators, the firm is obliged to readily cooperate with investigations and respond quickly to enquiries and requests for records. A policy dealing with regulatory interface should address the following items:
• The identity of a department or person at the dealer member who is the single point of contact with the regulators (typically the CCO for all regulators)
• A protocol regarding actions to be taken in the face of a regulatory audit or investigation
• Educational measures regarding these same actions
• Recordkeeping requirements to ensure that regulatory enquiries are addressed fully and on time, and that records of responses are maintained
When regulatory audits take place at the dealer member, additional direction must be provided to staff during the audit process regarding such things as communications and clean desk policy.
RELATIONSHIPS TO LINE MANAGEMENT, EXECUTIVE MANAGEMENT
Certain aspects of the relationship between compliance and business unit management should be reflected in the formal compliance structure adopted by the dealer member. The CCO should be involved in the firm’s strategic decisions about issues—both narrow and broad. A narrow issue, for example, might be the offer of a new product or service, whereas a merger with a competitor or the creation of a new business division has broader implications.
Ideally, the CCO should be perceived not only as the source for identifying regulatory issues and concerns about business decisions, but also as a constructive and creative problem solver. It is much easier to provide input at the early stages of a business decision than to address concerns that arise after the fact.
CCOs must establish a free flow of information between the compliance department and business line managers. Because of its monitoring and surveillance activities, the compliance department is often in the best position to identify actual or potential problems. Such risk situations should be reported to the appropriate management supervisory personnel. The compliance department often provides support in any further investigation and offers advice about remedial actions. If the business unit cannot resolve an issue, it should be escalated.
The compliance department must understand the structure and activities of the business in order to design appropriate oversight mechanisms and identify problems and issues. Through involvement in new business activities, the department can assess relevant risks and requirements and report them to management. Likewise, business unit managers, supervisors, and other personnel should be encouraged to contact the compliance department when any compliance questions arise.
However, the compliance department’s role is to advise rather than dictate. Final decision-making authority should reside with the business unit manager or supervisor, or with someone further up the line of accountability. The compliance department should maintain its independence in the process. However, should a business unit manager choose to ignore the advice of the compliance department, the dialogue that has taken place surrounding the issue itself should be clearly documented. Documentation should include the recommendation of the compliance department and the ensuing decision of the business unit to ignore that advice.
In such instances, the escalation of such issues to the UDP and other senior management may be warranted.
REPORTING TO MANAGEMENT
A key responsibility of the CCO is to ensure effective and prompt reporting of compliance-related matters and to properly escalate problems and issues when necessary. The CCO is also expected to act professionally and in a manner appropriate to the seniority of the role when giving recommendations and advice on how such matters can be resolved.
PROMOTING THE BENEFITS OF COMPLIANCE
A properly designed compliance system minimizes regulatory problems, litigation, and client complaints. However, it is difficult to measure the value of effective compliance in precise terms. The significant costs associated with compliance failures usually become apparent only when they occur. Therefore, the CCO should promote the benefits of compliance across the organization. As much as possible, the CCO should provide measurements using trend analysis, peer group comparisons, and other techniques. Advocacy of compliance can also be premised on regulatory necessity and ethical imperatives; however, advocates are most effective when they define and quantify the benefits of good compliance.
RELATIONSHIPS WITH EXTERNAL PARTIES
As indicated earlier, it will be important for the compliance department—and the CCO in particular—to manage several internal relationships within a dealer member as part of effective introduction and maintenance of a culture of compliance within the firm. In addition to internal relationships, dealer members also have external relationships with service providers. These service providers form part of the dealer member’s compliance infrastructure.
Examples of external relationships that require management, and that are also subject to CIRO rules, are the introducing and carrying broker relationships that a dealer member maintains.
In addition to this specific relationship, CIRO also provides guidance on its expectations when a dealer member chooses to outsource certain functions (i.e., retain an external party to provide operational services). Both of these subjects are discussed below.
INTRODUCING BROKER/CARRYING BROKER ARRANGEMENTS
5 | Describe the four types of introducing broker/carrying broker arrangements under the Canadian Investment Regulatory Organization Rules, and list the responsibilities of the introducing broker and the carrying broker for each type.
In order to manage back office expenses, dealer members may enter into arrangements that involve back office service sharing with another organization. This includes an arrangement between an introducing broker (introducer) and a carrying broker (carrier), which raises important compliance considerations.
Introducing broker/carrying broker (IB/CB) relationships are regulated under CIRO rules. In this context, an introducer is an investment dealer who contracts out its recordkeeping, clearing, settlement, and custody functions to another dealer member—the carrier. An introducer can also contract out other services to the carrier, such as the provision of margin on client purchases. The combination of services and the assignment of responsibilities determine the type of IB/CB arrangement that is in place. Simply put, the services provided by the carrier include both maintenance of the introducer’s books and records and custody of its clients’ assets.
IDPC Rule 2400, Acceptable Back Office Arrangements, delineates four types of IB/CB arrangements and describes the responsibilities of each party for each type, as well as the requirements for documentation and disclosure to clients. CIRO provides a standard agreement for each type of arrangement. The commercial terms agreed to, such as fees and comfort deposits by the introducer, are included as appendices to the agreements.
Some variable and critical items, such as the reports to be provided to the introducer, are also listed in the appendices and present an important issue for CCOs, given that these reports may be used to carry out critical compliance and supervision functions. Some carriers also provide back-up compliance services to their introducers, even when they carry no formal compliance responsibility. The CCOs of both parties must be aware of the services being provided and the extent of the responsibility undertaken by the carrier.
To the extent that an introducer does not take responsibility for the capital required by clients’ accounts, and because it does not handle client assets, it may be subject to lower capital and insurance requirements.
TYPES OF INTRODUCING BROKER/CARRYING BROKER ARRANGEMENTS
There are four major types of IB/CB arrangements. Each type is described in detail below.
TYPE 1 ARRANGEMENT
In a Type 1 arrangement, the introducer conducts business under its own name at a location similar to the carrier’s. The carrier provides for margin requirements, funding of client accounts, security, and free-credit segregation. It also handles all cash and security transactions on behalf of the introducer, including both trading and settlement. The introducer and carrier are jointly responsible for supervision and compliance.
The arrangement is initially disclosed to the client when an account is opened and it appears on all statements, trade confirmations, and correspondence. Because the carrier is responsible for all matters affecting capital and has joint and several responsibility for supervision and compliance, the minimum risk-adjusted capital (RAC) for a Type 1 introducer is $75,000, instead of the usual $250,000. Type 1 introducers can have only one carrier and must do all business through that dealer member.
An exception is allowed for commodity futures, if the carrier does not provide that service.
TYPE 2 ARRANGEMENT
In a Type 2 arrangement, the introducer is solely responsible for supervision and compliance requirements. Disclosure of the arrangement can be made either when the account is opened and annually thereafter, or on a continuous basis, as with Type 1 arrangements. The minimum RAC for a Type 2 introducer is $250,000; however, the introducer does not have to provide capital for client margins. A Type 2 introducer must also do all its business through one carrier only, with the same exception for commodity futures that applies to Type 1 relationships.
TYPE 3 ARRANGEMENT
In a Type 3 arrangement, the introducer is responsible for reporting client account balances and providing for client margin. The introducer is also responsible for reporting concentrated security positions contained in the serviced client accounts. In this type of arrangement, the introducer is solely responsible for supervision and compliance. The arrangement is disclosed either when an account is opened and annually thereafter, or on a continuous basis. A Type 3 introducer can have more than one carrier. It can also carry some types of accounts solely on its own books, if it can show a business need to do so, and it can consolidate the various books and records for capital supervision and reporting purposes.
TYPE 4 ARRANGEMENT
In a Type 4 arrangement, the introducer has all the responsibilities of a Type 3 introducer and is also responsible for segregation of client free-credit balances. It can provide its own financing directly through the use of margined and inventory securities, although this is usually done through the carrier. A Type 4 introducer can also have more than one carrier or carry some types of accounts solely on its own books, subject to the same conditions that apply in a Type 3 relationship.
Table 2.1 summarizes the current rules relating to IB/CB requirements, as codified in the various sections of Rule 2400.
Table 2.1 | Introducing Broker/Carrying Broker Requirements Under IDPC Rule 2400
| Standards and Responsibilities | Type 1 | Type 2 | Type 3 | Type 4 |
|---|---|---|---|---|
| Minimum capital | $75,000 | $250,000 | $250,000 | $250,000 |
| Client account reporting | The carrier reports client account balances for introduced accounts. | The carrier reports client account balances for introduced accounts. | Introducers must report client account balances of their own introduced accounts. | Introducers must report client account balances of their own introduced accounts. |
| Client margining | The carrier is responsible. | The carrier is responsible. | The introducer is responsible. | The introducer is responsible. |
| Compliance supervision | Introducers and carriers have joint responsibility. | The introducer is responsible. | The introducer is responsible. | The introducer is responsible. |
| Introducers entering into multiple IB/CB arrangements | Multiple IB/CB arrangements are not allowed, with the exception of an additional arrangement entered into exclusively for trading in futures and options. | Multiple IB/CB arrangements are not allowed, with the exception of an additional arrangement entered into exclusively for trading in futures and options. | Multiple IB/CB arrangements are allowed when the introducer can show that it meets the following three requirements: (1) It has a separate product line. (2) It has appropriate systems in place to monitor the KYC rule. (3) It can report customer cash balances and securities positions on a combined basis. These rules include the arrangement for trading in futures and options. | Multiple IB/CB arrangements are allowed when the introducer can show that it meets the following three requirements: (1) It has a separate product line. (2) It has appropriate systems in place to monitor the KYC rule. (3) It can report customer cash balances and securities positions on a combined basis. These rules include the arrangement for trading in futures and options. |
| Introducer fully servicing a line of business | Same as above | Same as above | Same as above | Same as above |
| Client acknowledgement at the opening of client accounts | Required | Required | Not required | Not required |
Appendix A, at the end of this chapter, provides a more detailed chart that summarizes the current IB/CB rules.
CHARACTERISTICS OF A CARRYING BROKER
To qualify as a carrying broker, a dealer member must meet the following conditions:
• It must be a CIRO dealer member.
• It must be approved in the province in which the carrier’s head office is located.
• It must otherwise be in compliance with applicable CIRO rules and any requirements of the regulatory authority in the jurisdiction of the introducing broker.
A carrier can carry the accounts of clients introduced to it by another CIRO dealer member. Because of the unique fiduciary responsibilities inherent in the financial services industry, when choosing a carrier, an introducer should consider factors such as the carrier’s industry reputation, financial strength, knowledge, experience, service assurances, and commitment to business.
Chief compliance officers should be aware of the levels of service and technology that carriers can provide to help them maintain compliance and supervision at all levels.
The following characteristics of the carrier are important considerations:
• Credit policies
• Procedures manuals
• Forms (which should be compatible with the introducer’s approach to client documentation and supervision)
• Internal control policy statements
• Registration
• Business continuity plan
• Daily trade and month-end statement review reporting
• Exception reports
• Back-up compliance reviews and advice (which is often an added service, without carriers being responsible for correcting problems, unless they raise a credit issue or other issues of concern to the carrier)
• Anti-money laundering and privacy guidelines
REPORTING REQUIREMENTS
Carriers are considered the gatekeepers in an IB/CB relationship. Their responsibility lies in ensuring that introducers abide by CIRO rules. This responsibility varies depending on the requirements and the nature of the activity. The only introducers that share equal responsibility for client supervision regarding KYC rules are Type 1 introducers. Both parties in a Type 1 arrangement must understand the day-to-day division of functions and maintain clear lines of communication.
Carriers are obliged under CIRO rules to ensure that introducers have the necessary system requirements, forms, and other reports required to abide by the regulations. This obligation is one of the benefits for the introducer of entering into an IB/CB relationship: it is the carrier’s responsibility to ensure that any affected internal control systems are aligned with new or amended rules.
The carrier in a Type 1 relationship conducts daily trade and month-end client statement reviews at the head office level under CIRO rules. It might also perform these reviews in other types of arrangements as a service to the introducer, but it would generally do so without dealing with identified problems because it is not required to under CIRO rules.
PRIVACY REQUIREMENTS
Canada’s federal privacy law, PIPEDA, imposes certain obligations on both introducers and carriers. Under PIPEDA, each dealer member must appoint an individual who is responsible for ensuring that the dealer member is in compliance with PIPEDA. A carrier cannot dictate who the introducer appoints; however, as a service, it might prepare a memorandum highlighting important aspects of PIPEDA, to help the introducer deal with the impending changes. The carrier can also provide examples of documents or training that it intends to use to ensure compliance with PIPEDA.
FOREIGN AFFILIATES
An exemption in the CIRO rules allows carrying brokers to enter into an IB/CB relationship with a foreign affiliate. This exemption exists only for foreign affiliates of the carrier, with the following conditions:
• The foreign affiliate must disclose the relationship to its clients.
• It must obtain approval from the requisite authority in its jurisdiction.
• The carrier must apply for this exemption, documenting the services provided and the completion of the necessary conditions.
Some jurisdictions, including the United States, permit this arrangement, but only for the purpose of institutional delivery-against-payment business (in which payment for securities is due at the time of delivery). For retail business, the foreign affiliate must have a U.S. carrier operating under U.S. requirements.
OUTSOURCING ARRANGEMENTS
Generally, arrangements in which recordkeeping services and custodial services are not provided are not subject to the IB/CB rules. They are, however, subject to CIRO’s guidance on outsourcing arrangements. CIRO Guidance Note 2300-21-003 notes that although outsourcing arrangements have existed for many years, business cost pressures are leading dealer members to outsource non-traditional functions.
CIRO expresses concerns that without adequate safeguards, this trend could lead to incremental investor protection risk, market reputation risk, credit risk, and systemic risk.
In general, regulators use the distinction between core and non-core functions in their discussions about outsourcing. The International Organization of Securities Commissions describes a core function as one that is “critical to the ongoing viability of an entity as well as meeting its regulatory obligations to customers”. Regardless of this distinction, the industry acknowledges that some core functions can be outsourced, provided that adequate controls are in place.
In the past, outsourcing has included the following arrangements:
• Back office sharing with an affiliated Canadian financial institution
• IB/CB arrangements
• Security custody arrangements
• External portfolio management arrangements
The Canadian Securities Administrators introduced general principles about the internal controls that should accompany outsourced functions. These principles are included in Part 11 of the Companion Policy to National Instrument 31-103. It states that registered firms (including dealer members) continue to be responsible and accountable for outsourced functions. Outsourcing arrangements should be set out in a written, legally binding contract that includes mutual expectations. Due diligence should be conducted of prospective third-party service providers, including their affiliates. This diligence should include an assessment of the service provider’s reputation, financial stability, relevant internal controls, and ability to deliver the services.
The registered firm should also have the following cautionary measures:
• Assurance that the service provider has a business disruption recovery plan and safeguards to protect the privacy of client information
• Ongoing quality reviews of the outsourced functions
• A tested business continuity plan in case the service provider fails to deliver the contracted services
• Proper acknowledgement of privacy and other laws when entering into the arrangement
The registered firm, its regulators, and auditors should have access to the work product of the service provider. Also, a control list of all outsourcing arrangements, including effective dates, must be maintained by the registered firm.
OUTSOURCING OF CORE VERSUS NON-CORE FUNCTIONS
CIRO states that the following core functions may not be outsourced:
• The account opening process
• Suitability assessments
• The handling of client complaints
However, the following core activities may be outsourced:
• Investment decisions for managed accounts
• Certain client account-related functions, such as the clearing and settlement of trades
• Administration of margin and other account loans
• Management and maintenance of information systems
• Preparation of client account statements, regulatory financial reports, non-financial regulatory reports, registration filings and database maintenance activities, treasury functions, corporate finance activities, research reports and marketing, and professional services such as accounting and internal audit services
The following non-core functions may also be outsourced:
• Office service management
• The procurement of external consultant services
• Human resources management
DUE DILIGENCE EXPECTATIONS
CIRO notes that detailed requirements exist for specific outsourcing arrangements, including IB/CB arrangements, security custody arrangements, and external portfolio management arrangements.
In considering whether other functions may be outsourced, CIRO proposes the following due diligence expectations of dealer members, when making a decision about outsourcing a service or function:
• A dealer member should have a comprehensive outsourcing policy that guides its due diligence process in making an outsourcing decision.
• A dealer member should not outsource a function if it diminishes its ability to meet its obligations to its clients and regulators, impedes its effective supervision by regulators, or unduly concentrates outsourced functions with one service provider.
• A dealer member should report new outsourced functions to CIRO in accordance with IDPC Rule section 2246. See Guidance Note 2200-21-001, Reporting of Material Changes to Business Activities for more details.
A dealer member that has outsourced functions should perform the following measures:
• Enter into comprehensive, written outsourcing contracts.
• Maintain a centralized list of core activities that have been outsourced.
• Establish a comprehensive risk management program that addresses the risks associated with the outsourced functions and the service provider.
EXAMPLE
Outsourcing risks to be managed include reputation risk, compliance risk, exit strategy risk, data and information access risk, and the concentration risk of the industry as a whole to the service provider.
Dealer members should have a robust procurement system relating to critical services such as information technology to ensure that appropriate due diligence is conducted on all service providers, and due diligence in this regard should be updated frequently. This is particularly important given the recent increase in cybersecurity risks in the investment industry.
COMPLIANCE GOVERNANCE DOCUMENT
6 | Develop a compliance governance document.
Dealer members must establish and maintain a written compliance governance document setting out the organizational structure and reporting relationships that support required compliance arrangements. These requirements encompass more than the UDP and CCO. As discussed previously, CIRO rules require that supervisors be designated to perform or oversee specific compliance activities. Dealer members must take steps to ensure that they have appropriately defined the relevant responsibilities of the designated persons and have assigned them within the organization.

CIRO requires that dealer members maintain records of supervisory review for seven years. These important records must include the following information: who conducted the review, when it was conducted, what enquiries were made, what replies were received, and what actions were taken.

CONTENT OF THE COMPLIANCE GOVERNANCE DOCUMENT

The compliance governance document of a dealer member must be in writing and must set out the organizational structure and the reporting relationships that support the compliance function, as required. Because no mandatory form or content applies to the document, dealer members have a great deal of flexibility when creating it. At a minimum, the following information should be included:
- A list of all roles required by regulation (UDP, CCO, and supervisor)
- A clear description of what each role requires
- The identity and role of the person to whom each required role reports
- A list of the procedures and responsibilities used to designate persons to fill the required roles
- The identity and role of the person responsible for approving the compliance governance document and reviewing it periodically for necessary amendments
- The reporting relationship of the CCO to the board of directors of the firm

The dealer member should consider incorporating policy statements of any business unit positions for which the incumbent will be designated to fulfill a regulatory role.
Such a statement might read as follows: “The person occupying the office of the CEO shall be designated as, and assume the responsibilities of, the firm’s Ultimate Designated Person.”

A more general statement may be appropriate where it is not possible to identify everyone who may, from time to time, be required to assume a specific designated role.

The firm must maintain accessible records of all designated supervisors to ensure compliance with CIRO rules. The firm should also maintain accessible records of compliance governance documents and related items. Such records must include changes to designated supervisors, delegations of functional responsibility, and similar material. These records must be maintained for seven years.

The board of directors should approve the corporate governance document, and the document must be filed with CIRO. A copy of the document should be given to specific people with designated roles. Only the people’s designated roles should be named, so that the document does not have to be amended when other staff changes. Each current designated role must be documented, as well as records of historical assignments and any changes to these assignments. The document may also address how often the CCO must report to the board and any board structures related to compliance (i.e., the role of the executive committee acting on behalf of the board when dealing with compliance issues).

REVIEWS AND UPDATES

The compliance governance document should be reviewed and updated when necessary. For example, a change in a dealer member’s management structure or in the organization of its business units may necessitate revisions. An approval process should be defined for such changes, and notice of any material changes must be filed with CIRO.
RELATIONSHIP TO POLICIES AND PROCEDURES MANUAL

The compliance governance document should refer to and be consistent with a dealer member’s written policies and procedures manual. The same holds true for other documented descriptions of roles and responsibilities, such as board of directors’ mandates and descriptions of individual positions.

The primary role of the governance document is to identify the people who have regulatory roles in a dealer member and provide an overview of their responsibilities. On the other hand, the policies and procedures manual identifies the people responsible for specific activities and supervisory functions, describes in detail all requirements for the roles, and explains how they are conducted.

SUMMARY

In this chapter, we discussed the formal compliance structure of a dealer member, beginning with the compliance department’s mandate that forms the basis of such a structure. We described the control functions and the assignment of compliance responsibilities to different areas of the dealer member. These functions and responsibilities are mandated by CIRO or other securities regulatory authorities. Additionally, CIRO distinguishes between the supervisory and compliance functions of a dealer member.

We explored the various regulated roles that make up the framework of a dealer member’s formal compliance structure and the basic duties required of the appointees. Specifically, we explained the obligations of the firm itself, the board of directors, the CCO, the UDP, management, and the various designated persons in compliance and supervisory roles. Some designations require specific registration approval by a regulatory authority, whereas others are assigned by the firm to suit its particular business model.

This chapter also provided a detailed description of the CCO’s role and responsibilities from a hiring perspective.
This information should help you explain the experience, skills, and industry knowledge a CCO should bring to the dealer member. It is important to remember, however, that no one job description or candidate profile can be uniformly applied to the CCO role, because no two dealer members are exactly alike.

Just as no single job description applies to the CCO’s role, no single organizational structure fits all compliance departments. Nevertheless, although dealer members vary in their management structure, business lines, and strategies, the different units of a firm share typical features in their organizational charts.

CIRO requires dealer members to establish and maintain a written compliance governance document setting out the organizational structure and reporting relationships.

This chapter brings us to the end of Section 1: The Role of Compliance and Formal Compliance Structure. By now, you should have a good understanding of the compliance mechanisms of a dealer member and how they are influenced by securities regulation. With this knowledge, you are ready to begin the first chapter of Section 2, in which you will learn more about Canada’s regulatory environment and basic securities law.

APPENDIX A

The following chart summarizes the current rules relating to IB/CB requirements, as codified in the various sections of IDPC Rule 2400.

| Standards and Responsibilities | Type 1 | Type 2 | Type 3 | Type 4 |
| --- | --- | --- | --- | --- |
| Minimum capital | $75,000 | $250,000 | $250,000 | $250,000 |
| Client account reporting | The carrier reports client account balances for introduced accounts. | The carrier reports client account balances for introduced accounts. | Introducers must report client account balances of their own introduced accounts. | Introducers must report client account balances of their own introduced accounts. |
| Client margining | The carrier is responsible. | The carrier is responsible. | The introducer is responsible. | The introducer is responsible. |
| Segregation of comfort deposits and securities | The carrier is responsible. | The carrier is responsible. | The carrier is responsible. | The carrier is responsible. |
| Segregation of client-free credit | The carrier is responsible. | The carrier is responsible. | The carrier is responsible. | The introducer is responsible. |
| Insurance coverage | Both introducers and carriers must provide the necessary insurance coverage. Introducers must include client net equity in calculating their insurance coverage. | Both introducers and carriers must provide the necessary insurance coverage. Introducers must include client net equity in calculating their insurance coverage. | Both introducers and carriers must provide the necessary insurance coverage. Introducers must include client net equity in calculating their insurance coverage. | Both introducers and carriers must provide the necessary insurance coverage. Introducers must include client net equity in calculating their insurance coverage. |
| Disclosure of IB/CB arrangement | Ongoing disclosure is required, as well as when the account is first opened. | Annual disclosure is required, as well as when the account is first opened. | Annual disclosure is required, as well as when the account is first opened. | Annual disclosure is required, as well as when the account is first opened. |
| Compliance supervision | Introducers and carriers have joint responsibility. | The introducer is responsible. | The introducer is responsible. | The introducer is responsible. |
| CIRO membership | With the exception of foreign subsidiaries and foreign affiliates, both the introducers and carriers must be CIRO dealer members. | With the exception of foreign subsidiaries and foreign affiliates, both the introducers and carriers must be CIRO dealer members. | With the exception of foreign subsidiaries and foreign affiliates, both the introducers and carriers must be CIRO dealer members. | With the exception of foreign subsidiaries and foreign affiliates, both the introducers and carriers must be CIRO dealer members. |
| CIRO approval | The firms must have a written contract, and CIRO approval must be obtained to enter into an IB/CB arrangement. | The firms must have a written contract, and CIRO approval must be obtained to enter into an IB/CB arrangement. | The firms must have a written contract, and CIRO approval must be obtained to enter into an IB/CB arrangement. | The firms must have a written contract, and CIRO approval must be obtained to enter into an IB/CB arrangement. |
| Introducers entering into multiple IB/CB arrangements | Multiple IB/CB arrangements are not allowed, with the exception of an additional arrangement entered into exclusively for trading in futures and options. | Multiple IB/CB arrangements are not allowed, with the exception of an additional arrangement entered into exclusively for trading in futures and options. | Multiple IB/CB arrangements are allowed when the introducer can show the following three requirements: it has a separate product line; it has appropriate systems in place to monitor the KYC rule; it can report customer cash balances and securities positions on a combined basis. These rules include the arrangement for trading in futures and options. | Multiple IB/CB arrangements are allowed when the introducer can show the following three requirements: it has a separate product line; it has appropriate systems in place to monitor the KYC rule; it can report customer cash balances and securities positions on a combined basis. These rules include the arrangement for trading in futures and options. |
| Introducer fully servicing a line of business | Same as above | Same as above | Same as above | Same as above |
| Introducers clearing trade settlements on its own | Not allowed | Not allowed | Allowed | Allowed |
| Exemption from Rule 2400 | Exemption is allowed at the discretion of the CIRO. | Exemption is allowed at the discretion of the CIRO. | Exemption is allowed at the discretion of the CIRO. | Exemption is allowed at the discretion of the CIRO. |
| Client acknowledgement at the opening of client accounts | Required | Required | Not required | Not required |