When your regulator or head office comes calling to perform a compliance audit, you must be prepared. If you’re not, the consequences can range from a warning, to terms and conditions being placed on your registration, to your being deregistered altogether.

Typically, financial advisors are subject to an audit every two to three years. But you could be audited more frequently if you are deemed high-risk.

Everyone makes mistakes. Your goal should be to minimize or mitigate any compliance risks by maintaining a rigorous compliance regime, says Manny DaSilva, president of Canfin Magellan Investments Inc. in Toronto and chair of the Canadian Association of Compliance Professionals: “It is part and parcel of being in business.”

Making sure your practice is compliant is an ongoing responsibility and not simply a one-off event. All staff must be trained in proper procedures and you should turn to your compliance department for guidance.

To ensure you are meeting your compliance obligations, DaSilva says, you should refer to your compliance manual or standard operating policies and procedures.

Maintaining a compliant practice requires well-documented processes, says Vipool Desai, president of Ara Compliance Support in Toronto. He adds that you should understand the concepts behind the rules and document how you apply those concepts.

“Advisors must be able to provide evidence that they do what their documented policies state,” Desai says. Regulators audit what you are doing based on your documentation, he adds.

As part of the documentation process, DaSilva says, you must maintain well-organized client files, which should detail all interactions with clients, sorted by date, with the most recent at the top.

Your files should contain notes on all client reviews, discussions, questions and correspondence, including copies of email communications. Auditors pay particular attention to evidence showing that an advisor understands each client’s needs. Know-your-client (KYC) issues, risk tolerance and risk capacity “must be reflected in client files,” DaSilva says.

For example, if your client decides to invest in a product that is of higher risk than the client’s risk profile normally would call for, you should document that you discussed the risks with the client, and include the client’s response.

DaSilva points out that advisors generally are not good note-takers. He recommends using a formatted questionnaire, which will help you ensure that you ask all the necessary questions and ascertain that the client understands a product’s level of risk, for example. Without a completed questionnaire signed by the client, he says, the client can say that he or she didn’t understand the product if contacted during your audit.

Many advisors use the KYC questionnaire as evidence that they understand clients’ objectives and risk profile. However, KYC is simply a regulatory requirement that uses a check-the-box system to ensure that advisor recommendations align with client needs. Client files must contain more detailed information, which is usually acquired during the discovery process and through subsequent client reviews and meetings.

Desai says that one of the most common findings from compliance audits is that KYC forms are not updated frequently enough. These forms must be updated at least every three years — more often if a client’s circumstances change during that period.

DaSilva says a key goal among compliance auditors is to find evidence of investment suitability. That is especially true for leveraged accounts, through which clients borrow to invest. Auditors also look for evidence of suitability in cases in which clients invest in higher-risk investments, such as mortgage-based products.

“[Auditors will] zero in on the higher-risk portion of the book,” DaSilva says.

Another red flag for auditors is many clients having similar KYC forms, with the same risk profiles and the same objectives, DaSilva says. Such a situation raises questions about whether the advisor performed adequate due diligence.

During an audit, DaSilva says, the auditor may take a sample of several aspects of your operation, such as the demographic composition of your book or trade types. Regulators pay special attention to senior clients, who are widely regarded as vulnerable to financial abuse.

Desai adds that auditors also emphasize areas such as client relationship disclosure documentation. These documents, which detail the nature of your relationship with the client, identify the services provided, disclose all costs to operate an account and describe the types of risks that a client should consider when making an investment decision, including conflicts of interest.

As well, Desai says, auditors scrutinize the process for approving trades above a certain threshold, the custody of client assets, the valuation method for illiquid securities and your record-keeping protocol.

You should never have blank forms signed by clients in your possession, DaSilva advises. And, he says, be sure to report any known infractions to the regulator before the regulator finds out about them.

“The consequences of not reporting a known infraction,” says DaSilva, “are worse than [those of] the infraction itself.”