Improvements needed at IIROC

The CSA report also notes that IIROC may have closed investigations into instances of possible unsuitable recommendations or unauthorized trading prematurely. This closure happened either because of the absence of a formal complaint or a lack of notes documenting conversations between the client and the advisor.

In addition, the CSA’s report states, IIROC does not restrict access to its case-management database within the organization, which may give employees with conflicts of interest – such as a relative that is facing an IIROC investigation – the ability to access information about the case.

On the business conduct compliance side, the CSA report says, the review found that IIROC examiners didn’t have a process for targeting reviews in certain high-risk areas, such as clients with high portfolio concentrations in a particular security or sector, or financial advisors who recommend high-risk products. The CSA report warns that without procedures for targeting these areas, IIROC compliance staff may not be equipped to test for emerging issues consistently.

The CSA report also cautions that compliance exams may be wrapped up without IIROC properly resolving the issues uncovered during an exam. Furthermore, the CSA review found that IIROC’s trading compliance function was understaffed and did not complete all of its required reviews with a three-year cycle. However, other critical areas, such as market surveillance and the trade review and analysis functions, did not raise any red flags with the CSA.

The CSA report includes IIROC’s response to each issue, setting out how IIROC has addressed the CSA’s concern or intends to address it, or why the CSA’s conclusions are wrong in the first place.

On the question of whether possible trading abuses are being given an easy ride, IIROC says that it doesn’t target any particular closure rate and doesn’t view a higher rate of these cases being put to bed without further activity to be indicative of any shortcoming in IIROC’s enforcement processes.

IIROC’s response also details changes the SRO has made to its practices and policies since the CSA’s initial review, such as updating the enforcement case selection process. IIROC also has adopted new policies in response to the CSA’s findings, such as expanding its exam procedures to help examiners root out advisors recommending high-risk products and to identify highly concentrated client accounts.

The SRO also has adopted benchmarks that will push examiners to wrap up compliance reviews within eight weeks of receiving a firm’s response to IIROC’s initial findings. As well, the SRO requires adequate documentation of any followup that is done to resolve any outstanding issues uncovered in those exams.

Paul Riccardi, IIROC’s senior vice president, member regulation, defends the SRO’s approach: “Enforcement is a key part of our mandate, and we continue to focus on market and member cases that have a serious impact on market integrity and result in significant harm to investors and the capital markets. Our investigative procedures are robust and comprehensive, and we continue to make improvements to strengthen the process.”

IIROC’s decisions on whether to close a file or not involve “a rigorous case selection process and the quality of the evidence obtained,” Riccardi stresses, adding that the SRO does not target a particular closure rate. As for IIROC’s compliance efforts, he says, the SRO continues to enhance them “to reflect changes in market structure, business risks, investment products, demographics and corporate priorities.”

IIROC also uses a risk-based approach to compliance that allows the SRO to “allocate regulatory resources to firms and issues that have a higher potential to cause risk to the public,” Riccardi notes. This approach also helps firms to identify areas in which they should be devoting more attention to supervision, compliance and risk management.

IIROC takes a top-down approach to compliance exams, Riccardi says, which involves a good deal of work upfront in evaluating firms’ policies, procedures and internal controls. This approach gives the SRO a good idea of where to focus on-site testing within a particular firm. “We’ve also found that the field work by senior examination staff encourages meaningful dialogue on potential compliance deficiency findings and helps to resolve issues as early as possible,” he adds.

One issue that has yet to be addressed is the lack of internal restriction on access to the case-management database. According to the CSA’s report, IIROC says that restricting access will require a significant change to its systems, which can’t be done easily because of how highly integrated the existing systems are. In the meantime, the SRO is relying on its prevailing policies to identify and manage conflicts; and IIROC’s enforcement and information technology units will be making a case for resolving this issue as part of the budgeting process for the SRO’s 2016 fiscal year.

Another notable issue flagged in the CSA review is the lack of written risk-management policies at IIROC. The CSA report indicates that comprehensive policies and procedures in this area are to be implemented by the end of IIROC’s current fiscal year (March 31, 2015).

Despite these issues, the CSA report concludes that IIROC is meeting its regulatory responsibilities overall. As well, the report says, the CSA will continue to monitor IIROC’s progress in resolving those issues as part of the CSA’s oversight efforts.

One of the bright spots for IIROC in the CSA report is that the SRO appears to have overcome the effects of losing a laptop containing the personal data of thousands of brokerage clients. The CSA report is the first since IIROC revealed that an employee had lost a mobile device containing the unencrypted personal data of more than 50,000 investors in February 2013 – and IIROC comes through the CSA’s scrutiny on this topic relatively unscathed.

In fact, the report indicates, IIROC “is taking steps to address issues identified by the data loss incident,” such as adopting new policies on data security.

The CSA report also notes that IIROC had the financial flexibility to deal with the added costs generated by the incident, which involved not just the cost of investigating the loss and mitigating the impact on clients, but also defending a resulting class-action lawsuit. (Although a motion to certify that lawsuit was dismissed, that ruling is under appeal).

© 2015 Investment Executive. All rights reserved.