IIROC unveils compliance priorities guidance

SRO cites cybersecurity risks, conflicts of interest, and misleading communications among concerns

IIROC unveils compliance priorities guidance

The Investment Industry Regulatory Organization of Canada (IIROC) has published a compliance priorities report to help registered firms focus their regulatory supervision and risk-management efforts.

"Together with our supplemental materials, regular contact with firms, annual compliance conferences and other forums, IIROC's Compliance Priorities Report helps firms focus their supervision and risk-management efforts to comply with IIROC's regulatory requirements in a way that is appropriate for their business models," Irene Winel, Senior Vice-President, Member Regulation and Strategy, IIROC, said in a statement.

Part of the key findings show that regardless of the size or complexity of a company, cybersecurity remains a major commercial risk. Each company requires sufficient procedures in place to protect customer and personal data, as well as assets as if it were its own set of key systems and applications. During regular FinOps inspections, IIROC said it looked at how companies show they've met the cybersecurity incident reporting requirements as well as the threat of cyber-attacks is mitigated.

Citing the success of its first two cybersecurity self-assessment surveys, as well as the importance of regular self-assessments in ensuring good cyber risk management, IIROC engaged Deloitte to develop cybersecurity self-assessment checklists for businesses. Although usage of the tool is optional, the self-regulatory organization strongly advised all businesses to do a cybersecurity audit and self-evaluation at least once every two years.

IIROC also referred to its Fundamentals of Risk Management guide published on March 31, 2021, which it released to orient businesses on the significant hazards associated with technology adoption, use, and change. It has also incorporated how businesses use technology and manage the risks that come with it into their FinOps risk model.

Furthermore, IIROC is beefing up on their inspection procedures to guarantee that businesses have conceived and developed products that are fit for purpose and developed measures to ensure that their systems and applications complied with the applicable regulations.

“As part of the review of technology risk, we intend to review supply chain risks and systemically important vendors to the industry with a view to considering ways in which to identify, assess and manage these risks,” IIROC said.

IIROC also said it, together with the CSA and the MFDA, is conducting a comprehensive review to determine the extent to which Dealers are adhering to new CFR conflict of interest provisions (COI) that came into effect on June 30, 2021. The review's goal is to see if companies have followed the essence of the new COI standards and put appropriate measures in place. Rather than continuing to default to disclosure, IIROC wants firms to address substantial conflicts in the best interests of clients.

The guidance also emphasized CFR amendments that took effect on December 31, including rules regarding misleading communications and titles.

Referring to provisions IIROC Rule 3640, the SRO emphasized that the common practice of awarding a corporate title without clearly defined and real corporate responsibilities is not acceptable.

“We believe appointments of this kind are inconsistent with the rule as the use of these titles could reasonably be expected to deceive or mislead the retail public as to the nature of the Approved Person’s relationship with the Dealer Member,” IIROC said.