Chapter 8 - Monitoring PDF
Summary
This document provides a detailed overview of monitoring and surveillance in a financial firm's context. It highlights the importance of compliance monitoring strategies, supervisory systems, and regulatory requirements, especially for dealer members in the financial industry.
Full Transcript
CHAPTER 8: MONITORING

CONTENT AREAS
- Overview of Monitoring and Surveillance
- Establishing Monitoring and Surveillance Systems
- Formal Monitoring Techniques
- Monitoring a System’s Effectiveness
- Key Control Points

LEARNING OBJECTIVES
1 | Describe compliance monitoring strategies and supervisory systems.
2 | Explain the concepts associated with a control environment in a monitoring program.
3 | Discuss the primary issues and monitoring requirements that apply to a dealer member and its staff.
4 | Identify core regulatory requirements and best practices for monitoring.
5 | Discuss the distinctions between the monitoring requirements for key control points, including account opening and activity.

© CANADIAN SECURITIES INSTITUTE

INTRODUCTION

In the previous chapter, we discussed the fact that policies and procedures help reduce risk for dealer members and the industry as a whole. We explored the key principles underlying written policies and procedures, and we discussed the way they must be communicated to and understood by everyone in the firm.

In this chapter, we explore the monitoring and surveillance function and explain why it is necessary to facilitate ongoing compliance with dealer member policies and procedures and regulatory requirements. This chapter provides a comprehensive overview of monitoring and monitoring issues, as well as the basic regulatory and operational requirements of a macro-level compliance monitoring system for a full-service, self-clearing investment dealer. In particular, it addresses regulatory requirements, organizational development, systems requirements and resources, evidence of supervision, and best practices.

OVERVIEW OF MONITORING AND SURVEILLANCE

1 | Describe compliance monitoring strategies and supervisory systems.

Surveillance and monitoring of business activities at a dealer member are core functions that facilitate ongoing compliance with dealer member policies and regulatory requirements.
These compliance department functions support the identification of early-stage patterns of improper behaviour, activities, or trends, as well as material or systemic weaknesses in a dealer member’s compliance practices. They are also meant to support the dealer member in meeting its regularly scheduled supervisory requirements as dictated by CIRO and other regulators.

It is the role of the CCO to develop, implement, and supervise monitoring systems to help the compliance department oversee all of a firm’s business activities. Usually, both the compliance department and business line supervisors monitor adherence to internal and external standards. In addition, most firms implement operational policies and procedures as part of an overall control environment.

Aside from its day-to-day surveillance activities, the compliance department usually does more specific monitoring through reviews and audits to test the effectiveness of supervisory procedures and adherence to policies and procedures. The procedures established by the compliance department aim to either prevent violations from occurring or detect them through surveillance mechanisms.

Regulatory expectations extend beyond the firm and its employees to the conduct of its clients (regarding, for example, insider trading). An objective of any monitoring or surveillance process, whether conducted by compliance or business line staff, is to ensure the proper escalation and resolution of both actual and potential violations. A failure to identify and take action against any indication of potential violations arising from client activity can result in regulatory discipline.

Chief compliance officers must establish a framework for their firm’s compliance monitoring system to ensure that it is aligned with the business conducted by the firm, and to ensure that the system is effectively implemented and periodically audited. Any exceptions to compliance are appropriately escalated.
However, compliance monitoring is inherently imperfect because it is impossible to review every event, transaction, client, product, and trade in a manner that eliminates risk. The challenge of an effective monitoring regime is to develop tools that quickly and accurately produce the information needed and facilitate an effective response. Firms must also be able to demonstrate to the regulators that effective supervision has taken place during this process.

Effective supervision is not simply an evaluation of statutory or regulatory mandated testing; it should also reflect the dealer member’s analysis of the risks it perceives in relation to its business model. Therefore, the dealer member should recognize that an effective supervisory system goes beyond mandatory regulatory testing; it should also be designed to mitigate other risks to the dealer member, such as the risk of litigation.

CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION, SECTION 3

ESTABLISHING MONITORING AND SURVEILLANCE SYSTEMS

2 | Explain the concepts associated with a control environment in a monitoring program.

A monitoring system is a dynamic system that takes into account the types of business conducted along with the resources available. It is, by definition, an imperfect system because some surveillance must take place after an event has occurred. By analyzing the issues raised in the context of their dealer member, CCOs should be able to conceive the monitoring system that is required for their firm.

At a minimum, firms must have qualified individuals supervising transactions in accounts and must provide evidence of this supervision. However, minimum standards do not cover many situations relevant to CCOs. A successful compliance regime and monitoring system must go beyond those standards to reflect a substantive approach to compliance, rather than a routine checklist exercise.
The CCO should assess the level of risk inherent in the business model of the dealer member to ensure that the firm’s compliance system accounts for it.

Supervisory and compliance systems at both the head office and the business locations are basic operational functions integral to the decision-making and responsibilities assigned to various people. Generally, CIRO mandates the implementation of these systems in their rules. However, the rules are not prescriptive; considerable flexibility is provided so that firms can develop controls appropriate to their size, organization, product mix, and expertise. CIRO rules are intended to assist CCOs in asking relevant questions about what controls and supervision are appropriate to their firm’s monitoring system.

DID YOU KNOW?
IDPC Rule 3900, Supervision, sets out the dealer member’s obligation to supervise its business and operations. The rule is divided into seven parts:
- Part A – General supervision requirements
- Part B – Supervision of all accounts
- Part C – Supervision of retail client accounts
- Part D – Supervision of institutional client accounts
- Part E – Supervision of order execution only accounts
- Part F – Supervision of options, futures contracts and futures contract options trading accounts
- Part G – Supervision of discretionary accounts and managed accounts
Go to CIRO’s website for the complete requirements.

REGULATORY STANDARDS

Regulatory standards are fundamental to the design and operation of compliance monitoring processes. Dealer members must make sure that relevant requirements are identified and incorporated and that they are operating as intended. They must also continually monitor and assess new and revised regulations so that systems can be modified in response to regulatory developments.

CIRO’s minimum standards do not preclude firms from establishing a higher standard of supervision. In fact, in many situations, it is appropriate and desirable to implement a higher standard to ensure proper supervision.
Monitoring processes must also address other legislative regulatory requirements, such as anti-money laundering, anti-terrorist financing, and privacy regulations. Processes may also be required to address standards or obligations imposed by a firm’s insurance policies or other contractual arrangements.

Some dealer members use a legislative compliance matrix, which is a comprehensive listing of regulatory requirements and related control or supervisory processes. Such a system can help to ensure that all regulatory requirements have been identified and are being fulfilled, thus achieving what has customarily been done by business line supervisors and compliance staff. The matrix also validates the dealer member’s written policies and procedures and ensures that they are complete.

However, because of the volume of regulations, creating a compliance matrix is a highly resource-intensive exercise, both in preparation and ongoing updating. The initiative requires a dedicated team drawing on compliance resources that would otherwise be allocated to day-to-day compliance monitoring and risk management. A common concern is that key resources may be allocated to a burdensome and onerous administrative process, without any meaningful results in terms of compliance risk management.

INTERNAL CONTROLS

The term internal controls usually refers to the policies and procedures established and maintained by a dealer member to ensure three results:
- The firm’s business is conducted in an orderly and efficient way.
- Management directives are carried out.
- Necessary actions are taken to address risks at all levels and in all functions throughout the firm.

CIRO requires all dealer members to establish and maintain adequate internal controls to support the firm’s “internal control environment” and sets out detailed requirements and guidance about a number of internal control matters.
The specific and functional activities and controls covered by these requirements are often considered financial or operational matters. In other words, the compliance department may not be responsible for some of the areas encompassed by the policy. Nevertheless, internal control concepts and techniques are relevant to compliance monitoring because they establish procedures that must be followed and that often support a robust compliance function.

There are two major types of internal controls:
- Preventive controls prevent or minimize the chance that fraud or error will occur. These controls are typically the more effective type of controls but may entail greater costs and impediments to business efficiency.
- Detective controls increase the chance that fraud or error will be detected, so that corrective action can be promptly taken. Although they do not directly prevent violations, they may have a deterrent effect and can be preventive in that sense.

Typically, an internal control environment comprises both types of controls. The extent to which preventive controls are used depends on management’s view of the risk and the cost-to-benefit relationship of controlling such risk. If the inherent risk is high, the cost of effective preventive controls is usually not only warranted but expected by industry regulators. Detective controls may be more appropriate where the inherent risk is lower or if a violation can be effectively remedied after the fact.

Monitoring as a form of detective control is most effective when a violation is detected immediately after it has occurred. For example, it is usually easier and less costly to cancel a trade that has just occurred than one that is not noticed for days or weeks.
In addition to monitoring, common internal control techniques include the following aspects:
- Defined, documented, and well-understood policies and procedures
- Accurate, timely, and useful reporting
- Segregation of duties
- Approval requirements
- Authorization limits
- Access controls
- Reconciliation

SUPERVISION VERSUS COMPLIANCE OVERSIGHT

As previously discussed, the management of a dealer member and its compliance department generally have different roles in the monitoring process. Management approves and supervises activities under its charge, whereas the CCO and the compliance department typically provide second-tier monitoring and review.

The compliance department does not have the decision-making power and authority of management. Management has the authority to direct the business, including making decisions about whether to accept a client or effect a given transaction. It can also hire, provide incentives for, discipline, and terminate business line employees.

The focus of management is mostly on revenue, but compliance is becoming an increasingly important consideration for them. Some high-profile compliance failures have shown that violations can cost the violating firm dearly. Management must be well aware of this fact. They must understand that, although their objectives for revenue are paramount, that revenue cannot be earned at the cost of noncompliance.

Employees typically look to management for guidance regarding their organization’s culture, and they respond accordingly. It is therefore critical that management stress to their staff the importance of being compliant while continuing to meet revenue objectives. Otherwise, they risk exposing themselves and the dealer member to regulatory action, litigation, and reputational harm.
At some dealer members, private client business is primarily responsible for supervising itself, with the compliance department assuming an advisory and oversight role. At other firms, the compliance department takes primary responsibility for virtually all compliance functions. Either model is effective, as long as the allocation of functions, responsibility, and accountability are clear and evident to all concerned. If compliance assumes supervisory functions, such as approving new accounts, the supervisors must be registered.

A proactive compliance department does not take the place of responsible business supervisors. With respect to issues related to business activities, business line personnel still have ultimate authority and are ultimately accountable when issues arise. Supervisors must make sure that business is carried out in compliance with applicable rules.

RISK-BASED MONITORING

When developing strategies to minimize risk, many compliance departments proactively review business activities in conjunction with business units. Under this model, the compliance department assesses and identifies regulatory, compliance, and reputational risks throughout the firm and addresses deficiencies before problems arise.

EXAMPLE
Regulators emphasize risk-based compliance. CIRO has an annual assessment process that results in a grading and a Risk Trend Report issued for each dealer member. Similarly, the Ontario Securities Commission (OSC) directs detailed questionnaires at the firms it regulates, including fund managers and portfolio managers, to determine their level of compliance risk.

Compliance departments use a similar risk-based approach to identify areas of specific concern and allocate resources accordingly. Under risk-based compliance, a dealer member’s most significant compliance risks are identified and ranked.
The following internal and external factors are considered during this process:
- The inherent risk associated with the activity, based on experience in both the firm and the industry
- Regulatory standards and expectations regarding emerging issues
- Previously identified compliance concerns, deficiencies, and control weaknesses
- The consequences of a compliance failure
- The size or significance of the activity in relation to the firm’s total business mix (keeping in mind that small business units often have disproportionate compliance incidents)

A high-risk area can be defined through the following means:
- By business unit, office location, or individual employee
- Through reference to a particular type of activity, product, transaction, or security
- In relation to defined client types or profiles

When designing a monitoring system, criteria and processes must be adequately identified and adequate resources applied to the risk. It is ineffective to use only the commission level as a basis for determining whether an account requires review because the commission level is not related to the size of the account. Other calculations or methods that focus supervisory attention on a small number of high-risk accounts may be more appropriate. For example, a commission-to-equity ratio can be used to eliminate high-value accounts for which the current commission level is low.

Regarding activities where there is discretion as to the timing and extent of commitment, dealer members should consider applying a risk-based methodology to resource allocation that incorporates specific parameters.

EXAMPLE
In scheduling business location reviews, dealer members may rank each business location based on its risk profile.
Factors to consider include size, type of business, experience of the business location’s supervisor, client complaint history, results of previous reviews, number of registrants, registrants under review, existence of an onsite supervisor, and other applicable considerations.

Resource allocation is not without challenges. For example, if the compliance costs of private client options trading are higher than those arising from retail mutual fund activities, resources should perhaps be focused on the options activities. However, a business that is perceived as having low overall compliance risk may have one significant problem, which can be very costly from many perspectives.

This fact was evident during the 2005 regulatory sanctions and settlements involving short-term trading in mutual funds. Mutual funds are generally considered a low level of risk in terms of product type. However, in this case, certain firms permitted certain clients to engage in short-term trading strategies, which took advantage of price discrepancies in the marketplace. This activity significantly increased compliance risk.

CCOs must deal with many demands simultaneously. Some of the major challenges include time management and effective allocation of resources, based on relative priorities. Thoroughly investigating every activity and each transaction that a dealer member undertakes is not feasible. Therefore, confirmed compliance violations or issues are generally assigned the highest priority.

THE CONCEPT OF REASONABLE ASSURANCE

As previously discussed, dealer members must establish a compliance system for monitoring compliance with CIRO requirements and securities laws. The monitoring system must specifically address preventing and detecting violations. However, no matter how well conceived and operated, no internal control system is infallible. Factors such as bad judgment and human error are inherent limitations on the effectiveness of any control environment.
In addition, controls can be circumvented through collusion by two or more people, even though management can override the system. Therefore, a supervisory system’s design must reflect the constraints of its resources and aim for the benefits to outweigh the costs.

Each dealer member has its own unique compliance environment influenced by factors such as its history, management, client mix, and business units. Size is another factor, given that smaller dealer members typically have fewer resources than larger firms.

When determining what resources are needed for effective monitoring, a dealer member must consider factors such as the technology available and the businesses it is involved in. Staff responsible for supervising specialized businesses must have the appropriate knowledge, experience, and regulatory proficiency. The following business and product categories might require specialized compliance resources:
- Private client brokerage (advisory)
- Discretionary portfolio management
- Options or commodities trading
- Discount brokerage
- Corporate finance, mergers and acquisitions, and syndication
- Mutual funds and hedge funds
- Research
- Derivatives trading
- Institutional sales and trading, and proprietary trading
- Stock borrowing and lending

In addition to the types of business that a dealer member conducts, compliance resources may also need to be deployed based on trends or specific activities undertaken (or permitted) by the dealer member or by specific investment advisors. For example, if a dealer member permits its registered employees (or PROs) to maintain trading accounts at other dealer members, additional resources will be required to ensure that the trading activity that takes place in these outside accounts is properly supervised. The dealer member’s approach to outside activities should also be considered.
To the extent that the dealer member allows registered employees to pursue activities outside the firm, additional resources are required to review and approve such activities.

In both of these examples, the activities in question are permitted under applicable CIRO rules. However, the dealer member must have additional resources, which are typically scarce at the best of times, to properly allow such conduct to occur. In such cases, the business leaders of the dealer member must weigh the cost of allowing outside accounts or activities against any benefit to the firm.

DIVE DEEPER
CIRO provides guidance relating to employees’ obligation to disclose and obtain approval for any outside activities. It also sets out the dealer member’s supervisory responsibilities regarding outside activities. To see the complete requirements, go to CIRO’s website.

At a full-service dealer member, staff and resources are usually allocated to broad business categories such as private clients, capital markets, and mutual funds. Depending on the breadth and size of the business, a further breakdown of requirements may be necessary. No allocation formula applies to this dynamic process other than good judgment and the understanding that inadequate or inappropriate staff and resources can have devastating consequences.

Resources must always be sufficient to ensure that regulatory standards are met and that key risks are appropriately mitigated. Resources must also be allocated so that their benefits are worth the costs.

FORMAL MONITORING TECHNIQUES

3 | Discuss the primary issues and monitoring requirements that apply to a dealer member and its staff.

After a dealer member has decided which activities and transactions to monitor, it should define how items are selected for review and to what extent they must be reviewed. Factors such as regulatory standards, risk, and the desired level of assurance should be considered.
SAMPLING

The cost of reviewing all relevant activities or transactions usually exceeds the benefits obtained. It is more efficient to select a representative sample of items for examination. This sampling method provides direct assurance regarding the reviewed items and allows extrapolation about issues or deficiencies that likely apply overall. Sample items are commonly selected either individually or as a group of all items in a defined time period.

The two basic types of sampling are judgmental sampling and random sampling:
- Judgmental sampling: With this method, items are selected from the total population based on subjective consideration of factors such as size, relative risk, and whether a representative sample has been obtained.
- Random sampling: This method eliminates selection bias by ensuring that every item in the population has an equal chance of selection. When used in conjunction with statistical methods, it is possible to generate mathematically calculated extrapolations and confidence factors around the population as a whole. Random sampling is a common technique in financial audits; however, it is not often used in compliance monitoring processes.

When using sampling to arrive at a general conclusion, the following factors should be considered:
- Is the sample size sufficiently large in relation to the population?
- Are the items selected for the sample truly representative of the total population?
- Has anything changed since the sampled items were identified (such as a new supervisor or new supervisory review procedures)?
- Should the population be subdivided or stratified to tighten the shared characteristics of the items within the population?

DID YOU KNOW?
Deficiencies identified through a review of a sample of accounts opened at a particular business location may lead to a conclusion about all accounts opened at that business location.
However, the same will not necessarily hold true for other business locations, unless the same deficiencies are identified.

ISSUE IDENTIFICATION AND REVIEW

The monitoring process should reveal any failures of policies and procedures, as well as any undesirable activity, so that exceptions to defined standards can be identified and addressed.

In some cases, the dealer member’s carrying broker can provide what is known as exception reporting capabilities. These reports dramatically reduce the compliance department’s time and efforts. Rather than looking for all exceptions, supervisors can focus their energies on evaluating only those exceptions flagged by the automated report.

Some dealer members can customize reports to focus on a specific product type (e.g., leveraged exchange traded funds) or a specific client type (e.g., clients over age 70). Customization also permits the dealer member to divert resources very quickly based on issues or concerns identified by the firm or as directed by the regulator.

The monitoring parameters must strike an appropriate balance between over- and under-scrutiny. For example, when everything is viewed as an exception, a disproportionate amount of resources is spent verifying that issues do not actually exist. Conversely, a monitoring regime that rarely or never identifies deficiencies should be carefully assessed to determine if it is being effective.

RED FLAGS

A dealer member’s monitoring process must be equipped to identify and deal with red flags indicating that a contravention of a specific rule, regulation, or policy may have occurred. A red flag can arise in virtually any context. It may be noted in the course of surveillance and assurance processes. A review concerning one issue may uncover a red flag related to another concern.
A red flag may also arise based on information from a client or from an external party not under supervision.

The CCO, or other compliance personnel, should not disregard an intuition that a violation may be occurring. Any activity that does not seem to make sense or does not feel right should be investigated. Experienced business and compliance staff members develop sensitivity to these issues. Even though they may not be able to articulate at the outset what is causing them concern, they can sense when an issue is present.

ROGUE EMPLOYEES

The issue of the rogue employee is a regular occurrence in the securities industry. An employee can appear to be highly successful before a reason for the apparent success is fully understood. The employee can be otherwise nondescript. For example, an operations staff member quietly appropriates assets from the dealer member or its clients.

No system of internal control can prevent all employee misconduct, intentional or otherwise. However, due diligence in hiring processes, well-designed internal controls, effective oversight mechanisms, and an understanding of the nature and legitimacy of results achieved can mitigate the impact of misconduct and help detect it at an early stage.
EXAMPLE
Some common red flags include the following indicators:
- Any indication that defined standards are being ignored
- Internal control gaps or attempts to circumvent existing controls
- Activities for which a legitimate purpose is not apparent or cannot be explained by those involved
- Contradictory or inconsistent information
- Previous compliance infractions or concerns involving persons connected with a current situation
- Evasive, illogical, contradictory, or counterintuitive responses to inquiries
- No knowledge or understanding of expected standards by the persons involved
- Requests for exceptions to approved policies and procedures
- Any situation that is otherwise out of the norm

MANUAL SURVEILLANCE

Along with automated monitoring systems, most dealer members continue to rely significantly on the judgment and expertise of staff who conduct reviews to identify and resolve issues. One of the key challenges in any manual process is ensuring completeness and consistency. Therefore, written policies and procedures must clearly define the issues that should be identified and specify how they should be addressed. These measures also ensure continuity when employees leave or their responsibilities change.

SYSTEMS-GENERATED EXCEPTION REPORTS

Automated monitoring systems identify exceptions and generate reports by comparing activity to defined parameters. These systems increase the efficiency of the monitoring process. They also ensure that all exceptions are identified and that none are overlooked.

EXAMPLE
Some retail dealer members have suitability monitoring systems that classify securities and automatically compare clients’ holdings against their recorded investment objectives.

For compliance purposes, automated processes should be functionally defined, and a cost-benefit analysis should be conducted. Applications or software may require significant initial development costs, ongoing operation, and support costs.
Costs might include specialist information technology staff, either within the compliance department or outsourced. Applications available through third-party vendors can be a cost-effective alternative.

Another consideration is a dealer member’s overall systems and data environment. To create a reliable exception report, all relevant data should be electronically captured, accessible, correct, and current. System-generated exception reports must also minimize false positives (i.e., indication of a violation when none is present) and false negatives (i.e., no indication of a violation when one is present). For this reason, reports are best applied to simple surveillance routines with a minimal number of variables and associated degrees.

INQUIRY, RESEARCH, AND INDEPENDENT VERIFICATION

If an actual or potential issue comes to light, the first step is to document the issue. This step creates evidence that supervision has taken place, which is a necessary part of the supervisory process of issue identification, documentation, review and analysis, and resolution.

Additional inquiry or research may be necessary to confirm or deny the presence of a risk or violation. Research may involve asking relevant business line personnel for information. Documentation of this information usually meets the test of adequate supervision if it is appropriate, reasonable, and consistent with other known information.

The CCO must follow up diligently. However, unnecessary inquiries that might undermine the credibility of the compliance department should be avoided. For example, an inquiry need not be sent if a compliance officer can address the issue by simply reviewing the transaction history of an account.

FOLLOW-UP AND RESOLUTION

Reviews that are conducted properly often fail in the follow-up stage. For example, follow-up inquiries at a busy dealer member are initiated by email, but responses go unnoticed, and no corrective action is taken, despite promises to do so.
A defined recording and tracking system can capture identified issues and ensure their timely resolution. If a matter is not satisfactorily resolved within a reasonable time, the issue should be escalated and reported to senior management. Additional procedures should verify that remedial actions have been appropriately implemented.

© CANADIAN SECURITIES INSTITUTE 8 12 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION SECTION 3

A formal escalation policy should specify how the dealer member and CCO should resolve identified issues for which requests for resolution have failed. In an effective supervision system, the dealer member demonstrates an ability to identify, analyze, resolve and finally document all specific queries or reviews.

Unresolved issues create a known and significant weakness in the firm’s general control environment. However, junior compliance officers should not be expected to devote significant resources to resolving those issues; they should simply be aware of the manner in which an unresolved issue should be escalated (and to whom).

CCOs need to do more than ensure that issues are identified; they should also audit the process to ensure that it is operating effectively, and that all issues are appropriately addressed and escalated.

EXAMPLE
A compliance officer identifies a speculative transaction that is inconsistent with a client’s investment objectives. He refers it to the appropriate supervisor, who responds that the client’s investment objectives are being updated to include speculation. The compliance officer lets the supervisor know that this resolution is inadequate, and that the issue should be re-addressed or escalated. He audits the process to make sure that the supervisor follows through with resolving or escalating the issue.

DOCUMENTING SUPERVISION
Each issue that arises must be documented, along with all actions taken to address the issue and their outcome.
Ideally, anyone reading the documents, such as a regulator or plaintiff’s counsel, should conclude that the issue was appropriately acted on and remedied.

It is often challenging for a CCO to demonstrate evidence of supervision at the business location and head office level. The best evidence is a log, either hard copy or electronic, setting out the inquiries that were made, the answers that were received, and all resolutions of the problem. Such evidence of supervision is preferred over notes and initials on daily or monthly reports. Although commonly done, adding notes or initials to regular reports is less effective than properly documenting the issue in a proper log because there is no evidence that the issue was followed up and analyzed for problems and patterns.

MONITORING A SYSTEM’S EFFECTIVENESS
4 | Identify core regulatory requirements and best practices for monitoring.

When allocating staffing resources, the CCO needs to consider certain caveats on the delegation of duties, as established by regulation. The key concept is that, unlike tasks and procedures, responsibility cannot be delegated. A CCO who delegates compliance functions must make sure they are performed properly. This duty may involve a periodic review of the delegated tasks and procedures. For example, the CCO might perform monthly reviews of a sample of approved option accounts to ensure that they are being properly scrutinized by a designated options supervisor.

Similarly, the effectiveness of monitoring and surveillance procedures should be reviewed in an ongoing or periodic assessment. Compliance results, and failures of internal and external reviews of the compliance function, should be considered. Any resulting changes that are implemented should also be monitored to ensure that they are being followed.

Regulatory discipline and court decisions against the dealer member should be seen as an opportunity to identify what went wrong and fix it.
Similarly, discipline and court decisions involving other dealer members may also prompt the firm to assess the effectiveness of its own controls.

INTERNAL AND EXTERNAL EXAMINATIONS
A supervisory and compliance monitoring system can be supplemented by other resources. The findings of functional groups such as internal audit or risk management can be a valuable source of information in relation to both day-to-day and broader systemic control assessments. A free flow of information and proper coordination between areas help to ensure that there are no overlaps or gaps.

A best practice is to periodically review the compliance department by way of an internal audit or another independent assessment process. Similarly, external auditors bring an independent and objective view to a dealer member’s control environment. Although directed at financial reporting, the external audit process may also identify compliance control deficiencies or issues. For example, the year-end audit procedures performed to confirm account balances have been known to identify compliance violations.

Regulatory reviews and examinations are another source of information. Specific issues, and a broader assessment of the control environment, are usually provided by such reviews. Failure to properly remedy deficiencies identified during a regulatory examination can lead to regulatory discipline against both a dealer member and its CCO, particularly if the regulator has been led to believe corrective action has been taken.

Audits may be performed both on the compliance department itself and other head office departments, such as corporate finance. Business location audits are also critical to the operation of the dealer member to ensure that remote locations are in compliance with dealer member policies and procedures.
KEY CONTROL POINTS
5 | Discuss the distinctions between the monitoring requirements for key control points, including account opening and activity.

Monitoring is necessary for several reasons. It detects acts of noncompliance that have bypassed a control point. It also identifies situations where the control point is not operating as it should.

Monitoring processes should be tailored to risks. Doing so helps the CCOs determine the key control points within their dealer member, whether they are reliable, and what their typical errors are. An insignificant control does not warrant significant resources, but key controls that are inherently weak should be actively monitored.

EXAMPLE
Given the importance of account opening at dealer members, a key control point is the account opening approval process, whether at the business location level or at head office. A lax control at this level may facilitate speedy account opening, but it can expose the dealer member to potentially poor documentation. An excessively strict control point, on the other hand, may prevent accounts from being opened on a timely basis.

CLIENT ACCEPTANCE AND ACCOUNT APPROVAL
Account opening requirements are found throughout CIRO’s rules. These rules require that new account documentation be completed prior to the commencement of trading and that they are approved prior to or within a day of the first trade.

Two critical functions follow the completion of new account documents: the approval of the account by a business location supervisor or designated director, partner, or officer; and the identification and tracking of missing or incomplete documentation.

REVIEW OF ACCOUNT APPROVAL
A review of account approvals is crucial in sales compliance audits.
After an account is approved, no further routine review of the documents typically occurs at either the business location or head office level, other than specific requirements that accounts be periodically re-documented in their entirety (generally every two years).

Because of the volume of accounts, larger dealer members use technology to assist in the account opening process. Computer software ensures that required data fields are completed, thus preventing incomplete applications from being submitted for review and approval. It also verifies that the information is valid. For example, if a client’s street address is inconsistent with the postal code given, an error message appears.

Large dealer members have also implemented exception reports to determine whether a client has shared an address or postal code with an advisor. These reports, and others like them, have become basic control and surveillance tools at most major dealer members. Smaller firms may use less formal means but must still diligently document recordkeeping and follow-up.

Objective criteria of this type result in better risk management because situations requiring a detailed review of new account information are more likely to come to light. Accounts with incorrect or incomplete information, and accounts identified as having a higher-risk profile, are then subject to a more intensive approval process.

TRACKING MISSING INFORMATION
Most dealer members can track missing information electronically, but there is some concern about the accuracy of such reports. Disputes may arise between advisors, business locations, and head office when documents are lost in transit. The most common of these disputes relates to documents that allegedly go astray between a business location and head office.

An efficient document-tracking report is important for addressing missing documents.
The department responsible for new accounts should maintain these reports, rather than a central facility or department where they are less likely to be kept up to date. This reporting can be integrated with the account-opening process so that advisors know what documents are expected. The advisor can check documents in and out, and head office can then follow up regarding missing documents.

Standards relating to missing documentation might be enforced by withholding commission payouts or issuing recurring financial penalties to advisors on the errant accounts. Another effective mechanism to eliminate deficient or missing account documentation is to restrict the account in question from trading until such time as all account documentation issues have been resolved.

BUSINESS LOCATION SUPERVISION
A dealer member’s supervisory system must include procedures for follow-up and review to ensure that supervisory personnel are properly executing their functions. Most firms have more than one business location – possibly hundreds, in the case of private client services. In some hybrid business models, supervision is handled by head office.

Guidance Note 3900-21-002, Best Practices for Head Office Supervision of Business Locations, sets out best practices for business location supervision. It notes that compliance audits should be designed effectively, with particular attention to the following aspects:
- Scope
- Audit planning
- Audit program and training
- Risk identification
- Audit report and follow-up

COMPLIANCE AUDITS
Virtually all dealer members with more than one business location perform some form of business conduct audit at the various locations. The scope of the audit depends on the size of the location and the functions it performs. Some dealer members also perform separate audits related to financial compliance.
The location’s business conduct audit program must be appropriately designed and must function effectively. An important part of the audit occurs before the actual visit to the specific location through a review of materials available at the head office level. Documents under review include monthly trade supervision reviews, registration files, outstanding client complaints, and correspondence with other departments, such as credit and marketing. Many dealer members also require that a pre-audit questionnaire be completed.

Business conduct audits should be standardized so that all business locations are subject to the same level of review and the same compliance standards. The audits should be collegial to some degree, so that the audit team and business locations’ staff can interact and learn from each other.

An audit report, which is usually produced after the audit, should be provided within a reasonable time. The report should request a written response addressing any deficiencies noted. The CCO, in conjunction with management, should determine the implications of the audit reports, particularly in respect of serious or repeated deficiencies.

Under certain circumstances, surprise examinations in retail business locations may be appropriate, especially where there is an indication of inappropriate behaviour or inadequate controls.
CIRO notes the following frequent concerns with the quality of business location reviews:
- Inadequate follow-up procedures
- Inadequate oversight procedures for fee-based accounts
- Lack of evidence of supervision
- Inadequate control over the issuance of customized portfolio summaries
- Improper reassignment of accounts of terminated registrants
- Poor control of client address changes
- Inadequate control and review of advertising and sales literature

RETAIL ACTIVITY MONITORING AND SURVEILLANCE
Dealer members that engage in the following retail activities must implement a supervisory framework that addresses the specific standards and risks associated with monitoring private client business:
- Establishing and maintaining appropriate supervisory responsibilities, resources, policies, and procedures
- The conduct of supervisory reviews, delegation, training, and education
- The opening of new accounts and account documentation requirements and controls
- Business location supervisory requirements
- The handling of legal actions and client complaints
- Applying for approval from a self-regulatory organization for another form of account supervision
- The use of margin in client accounts
- Implementing supervisory procedures in order to adequately supervise client account activity

DID YOU KNOW?
Under CIRO rules, the policies and procedures relating to the supervision of retail client accounts must specifically address the detection of the following activities and occurrences:
- Unsuitable trading
- Undue concentration of securities in a single account or across accounts
- Excessive trading
- Trading in restricted securities
- Conflicts of interest between a registered representative, investment representative, portfolio manager, or associate portfolio manager and client trading activity
- Excessive trade transfers and trade cancellations indicating possible unauthorized trading
- Inappropriate or high-risk trading strategies
- Deterioration of the quality of client holdings in an account
- Excessive or improper crosses of securities between clients
- Improper or excessive employee trading
- Front-running

Client contact by way of letter, phone call, or meeting is necessary in any retail account supervisory system. Regulators and the courts have criticized dealer members for not contacting clients to discuss or identify potential compliance concerns. Moreover, confirmation letters (or other forms of written communication with clients, such as concentration letters) are extraordinarily effective tools in supporting the compliance monitoring function. At the same time, they confirm client appetite for specific behaviour and also provide support for the dealer member regarding the potential of litigation in the future.

FULL SERVICE VERSUS ORDER EXECUTION ONLY
CIRO rules set out the required standard for dealer members that offer only order execution services, without assessing the suitability of a client’s investment decisions. From a regulatory perspective, the only significant difference in the monitoring requirements imposed on order execution only (OEO) firms (also known as discount brokers), compared with full-service firms, is that discount brokers are not subject to the same suitability rules.
In practice, the methods used by discount brokers tend to rely on information systems that screen for inappropriate clients and trading. A key structural difference between the two types of dealer members is that discount brokers have less reliance on advisors and business location supervisors to act as monitors. In most cases, these staff members do not even exist at discount brokers, at least not in the traditional sense.

Even though accounts are opened in a number of different ways, gatekeeper and anti-money laundering requirements must still be met. The OEO firms are also subject to CIRO’s rules concerning conflicts of interest, which include the requirement to address conflicts of interest considering the best interest of their clients.

At their most advanced level, discount brokers screen clients electronically against a variety of databases to identify inappropriate clients. Orders are also screened to ensure that sufficient margin exists, or that short sales are being made from approved accounts.

FEE-BASED ACCOUNTS
Fee-based accounts make up an increasingly significant component of the business mix of many retail dealer members. Under CIRO rules, dealer members offering fee-based accounts are required, in lieu of commission levels, to define procedures that determine which accounts require monthly review.

Dealer members offering fee-based accounts must ensure that recommendations are suitable, meaning that suitability extends not only to security selection but to account selection as well. The firms are also expected to monitor the accounts continuously to ensure that charges are reasonable in proportion to what they would be in a commission-based environment.

OTHER ACCOUNT TYPES
Retail monitoring activities must address the unique requirements associated with various types of accounts and activities.
Other account types include managed accounts, discretionary accounts, options accounts, futures accounts, and futures options accounts. Specific rules exist for these accounts from a supervisory perspective.

INSTITUTIONAL ACTIVITY MONITORING AND SURVEILLANCE
In addition to meeting general supervision obligations, a dealer member’s policies and procedures relating to the supervision of institutional client accounts must specifically address the need to detect improper or suspicious account activity including:
- Manipulative and deceptive activities
- Trading in securities on the dealer member’s restricted list
- Front-running in an employee or proprietary account

These topics are discussed in greater detail further on in the course.

SUMMARY
This chapter provided a comprehensive overview of monitoring and monitoring issues. In particular, it addressed regulatory requirements, organizational development, systems requirements and resources, evidence of supervision, and best practices.

We discussed the necessary internal controls to ensure that a firm’s business is conducted in an orderly and efficient way, that management directives are carried out, and that necessary actions are taken to address risks. We also discussed the different roles carried out by supervisory and compliance staff. A key point to remember is that the compliance department does not have the decision-making powers and authority of management.

By now, you should be able to describe two formal monitoring techniques: judgmental sampling (where items are selected from the total population based on subjective considerations) and random sampling (where every item in a population has an equal chance of selection). You should also be able to identify the red flags that call into question whether a contravention of a specific rule, regulation, or policy may have occurred.
In addition to automated monitoring systems, we discussed that most firms rely on the expertise of staff who conduct reviews to identify and resolve issues. Monitoring components include systems-generated exception reports, inquiry, research and independent verification, follow-up and resolution, and the always-necessary documentation.

Finally, we discussed the specific monitoring requirements relating to the many operational areas of a dealer member, including business location supervision and retail activity.

This chapter brings us to the end of Section 3, in which we covered a broad range of skills and responsibilities required of a CCO. In the next section, we explore how CCOs apply those skills in their various areas of responsibility at a dealer member. We begin by discussing the key issues and processes involved in the opening and maintaining of client accounts.