The Canadian Securities Administrators (CSA) and the Canadian Investment Regulatory Organization (CIRO) recently released Joint Staff Notice 31-368, their review of how firms are implementing the client-focused reforms (CFRs) that deal specifically with know your client (KYC), know your product (KYP) and suitability.
If you’ve been reading the industry headlines, you might think these reforms triggered a revolution in investor protection when the enhanced rules took effect at the end of 2021. Spoiler alert — they didn’t.
CSA and CIRO staff reviewed 105 firms and found something remarkable. Three years after the enhanced rules came into force, regulators are still seeing basic, serious gaps in how firms collect information about clients, understand products and document how recommendations put the client’s interest first.
We are not talking about obscure technical violations — these are the core controls that stand between Canadians and unsuitable advice. When those controls are weak or ignored, it is ordinary investors — not firms or regulators — who absorb the losses.
Staff do acknowledge that some firms have invested real resources and made meaningful progress. But the examples of persistent non-compliance this far into the CFR regime are hard to reconcile with the story the industry has been telling investors about these reforms.
The risk profile problem
The reforms were explicit: assess both risk tolerance (willingness to take risk) and risk capacity (ability to absorb loss) and base the client’s risk profile on the lower of the two, unless there is a well-documented reason not to.
Yet regulators found firms still using pre-reform questionnaires that only captured risk tolerance. Others collected both factors but blended them into a single score with no clear logic. Some firms mapped seniors with modest savings to “aggressive growth” profiles with no explanation.
Three years in, that is not a learning curve issue — it is non-compliance.
On financial circumstances, many firms were still not collecting basic details needed to assess concentration and liquidity risk. Some used net-worth ranges so broad ($1–$5 million) that a $400,000 investment could represent anywhere from 8% to 40% of a client’s assets. If your KYC is shallow, outdated or internally inconsistent, expecting high-quality suitability is wishful thinking or worse.
Weak KYP
The KYP findings are particularly troubling in an industry that is working hard to push ever more complex and illiquid investments into the hands of retail clients.
Some firms collected issuer documents — financials, offering memoranda, analyst reports — but did not document any actual analysis of those documents or how they fed into product approval. Some firms treated securities of related or connected issuers as automatically understood simply because they were involved in manufacturing them and did not perform a separate KYP assessment for distribution to clients. In some cases, model portfolios were approved for use without any documented explanation of their purpose, risk level, fee impact or the kind of client they were appropriate for.
Worse, some exempt market dealers offering risky, illiquid, complex securities monitored them only annually for significant changes — a frequency staff explicitly describe as inadequate. They lacked meaningful concentration and liquidity controls, and they did not obtain enough information about clients’ external holdings to gauge overall exposure to sectors or exempt products.
This is precisely the part of the market where retail investors are least able to protect themselves. If KYP and monitoring are light exactly where products are illiquid, concentrated and opaque, “client’s interest first” stops being a standard and instead becomes a slogan. Clients holding those products discover that only when something goes badly wrong.
No real suitability process
Many firms appear to have simply relabelled pre-reform suitability frameworks without absorbing two key changes:
- the explicit “client’s interest first” standard; and
- the requirement to consider cost and a reasonable range of alternatives.
Staff found firms that could not demonstrate that a reasonable range of alternatives had been considered in higher-risk or higher-cost recommendations. They found firms with no real process for comparing costs across available options, even when multiple series of the same fund were offered. They also found firms that failed to monitor when clients became eligible for lower-fee series as their assets grew.
On documentation, too many files had little more than a “suitable” tick-box and a canned note. When there is no record of what risks, costs and alternatives were actually weighed, any later challenge to the advice becomes a one-sided exercise: the firm controls the file and the client is left guessing.
What the notice doesn’t tell us
For a 41-page document, Joint Staff Notice 31-368 tells us surprisingly little about how serious the situation is.
We are not told how many of the 105 firms were broadly compliant, how many had serious deficiencies or whether some business models were consistently worse than others. We are told that “corrective action was required” and that, “in some instances,” non-compliance was serious enough for further regulatory action. We’re not told how often that happened or what consequences followed.
We also learn nothing about outcomes. Are portfolios today less concentrated in illiquid or high-fee products than before the reforms? Are seniors and lower-wealth clients actually better off? The notice does not go there. It reports on process, not results.
After years of consultation, FAQs and “additional guidance,” it is fair to ask when the transition period ends and when persistent non-compliance with basic CFR requirements will lead to visible consequences. On that, the notice is silent.
From a consumer’s vantage point, this looks like a system that always finds room for one more round of guidance, but almost never tells the public which firms are repeatedly getting it wrong.
For regulators, the next step has to move beyond more guidance.
- Publish aggregated statistics by registration category so we know, at least in broad terms, where the problems are most concentrated.
- Set clear expectations for follow-up sweeps and timelines.
- Make it clear that prolonged non-compliance with core CFR obligations will have real, visible consequences — not just behind-the-scenes remediation plans.
For firms and advisors, the message is even simpler. If your processes hold up for simple, liquid, low-fee ETFs but fall apart when you sell proprietary, illiquid or complex products, you have concentrated your compliance risk — and your clients’ harm — in the very products that can do the most damage.
The reforms were marketed as a generational shift toward advice that looks like a profession rather than a sales channel. Three years in, investors are entitled to ask a blunt question. If basic KYC, KYP and suitability are still not reliably in place, who exactly has this shift benefited, other than firms that wanted the reputational gloss of “client-focused” without embracing the reform?
If firms cannot show, on the file and on the product shelf, that the client’s interest actually comes first, then client-focused reforms have failed. The next move belongs to regulators: they can treat this notice as the last warning shot, or they can start telling the public, in plain language, which parts of the industry are still not doing the job.
Harvey Naglie is a consumer advocate and policy analyst focused on financial regulation.