This commentary is of interest to IIROC and MFDA members.
IIROC notice on best practices for head office supervision of branch offices
The notice was largely based on the findings in a thematic review between January and March 2009 of the branch officer supervision at selected dealer members.
IIROC Rule 38.1(vi) requires periodic on-site reviews of branch offices where supervision is conducted and supervisory records are maintained.
MFDA Policy 5
sets minimum standards for branch reviews so any findings in the IIROC review is unlikely to be lost on MFDA staff.
The B.C., Alberta, Saskatchewan, Ontario and Quebec Securities Commissions co-operate on conducting reviews of IIROC's and the MFDA's regulatory programs, usually every three years. One repeated theme in the findings of the IIROC reviews has been disappointment at the number of branch office reviews conducted by IIROC. IIROC's position has been that it is responsibility of the dealers to ensure that branch office supervision is done well and IIROC's program has only to ensure that the dealers have effective branch review programs.
Effective supervision at branch offices is a high priority for both the CSA and the self-regulators. Some CSA members have conducted their own reviews of branches of SRO members from time to time, which adds to the number of reviews and reviewers to which a dealer may be subject. The SROs know that they have insufficient resources to review all the branch offices in the country on anything like a reasonable schedule, so have made it clear that branch reviews are a dealer's responsibility.
While not suggesting that IIROC does not place its own priority over dealer branch reviews, because of the CSA's interest this is a theme that will not lose its priority over time!
2. Risk Assessment and Scheduling
The guidelines set out the elements of a branch review program succinctly: objectives, comprehensive scope, use of a standard up-to-date program, planning, risk assessment, reporting and follow-up.
MFDA Policy 5 covers the same ground in much more detail and goes into a detailed description of the expected review process that is not included in the IIROC guidance.
The section on risk assessment lists risk factors to be considered in conducting a branch review. It does not explain what risks.
Dealers have a natural tendency to think about risks to clients, credit risk, risk to capital or profitability, reputational risks and regulatory risk. Their assessments are based on actual or foreseeable harm.
IIROC looks at the risk of violations of regulations or deficiencies in compliance systems. Violations and deficiencies count even when to the dealer the risk of any real harm to anyone is remote. Inadequate paperwork can be mentally dismissed because the firm really knows its clients or processes. Cutting corners on client identity verification poses no great risk because the rules are over the top and the firm's money laundering risk is low. These are readily and frequently used rationalizations but they cut no ice with IIROC.
There are always circumstances, however unlikely, in which the deficiency can result in something important being overlooked and some real harm. Even if no direct harm ever occurs, short-circuiting the rules can undercut the compliance culture that IIROC wants to see and dealers should want to foster.
Dealers are therefore well advised to adopt at least in part the IIROC approach to risk by looking at the risk of mundane failures to adhere to the letter of every regulation, policy and procedure.
The factors noted in the IIROC bulletin include whether the branch manager has his or her own accounts, mix of business conducted at the branch, experience of the staff and branch manager, number of accounts, complaint and disciplinary experience and findings of past reviews. It does not mention other risk factors such as size, number of staff involved in supervision, technology, asset turnover rate or commission to asset ratio and whether the branch salespeople are employees or agents.
these risk indicators are common sense, but here is a general description of
what IIROC is suggesting you should be looking at:
- How experienced are the people? It
is commonplace to think that those with greater experience are less liable
to have problems. In fact, a study several years ago found that
after a certain point the opposite was true, that there tended to be more
complaints against more experienced representatives. This finding
supported introduction of the continuing education program, which may have
reversed the trend, although as far as we are aware there has been no follow-up
study. So is the staff experienced enough to avoid or identify
problems? Could they be set in ways that are inconsistent with
changing industry standards and public expectations?
much work does the supervisory staff have to do? It isn't just a matter
of how many RRs and accounts there are, how many are active? How
active is the trading? Think again about indicators like commission
to assets under management or turnover ratios. What is the asset
mix? Is it weighted more towards lower or higher risk securities?
Does the branch manager have his or her own accounts and if so, how many
and how active? How much technological, on-site human and head
office support does the branch manager have? How often does head office
have to question accounts or trades that the local supervisors have
there anything - client complaints, regulatory investigations, frequent
Compliance Department intervention, slow response to questions raised,
unusual demands for Compliance Department support, high staff turnover -
the suggests a higher than average level of risk at a particular office?
is the relationship between the firm and the branch and its personnel?
There is disagreement on whether the principal/agent relationship is
inherently more risky than the employer/employee model. IIROC staff
generally belief that there is a higher degree of risk in the
principal/agent model and they get support in that belief from some
The theory is that there is
a looser relationship between the firm and its agents, who are therefore less
likely to take direction from the dealer. The agent can often move to
another firm taking his or her clients without competition from the firm, may
own the office and equipment and may be the direct employer of support staff, making
them less tied to the dealer. Clearly the strength of dealer control in
principal/agent relationships will vary from firm to firm and even within
firms, but a dealer who uses them should not overlook an assessment of whether
they entail a higher risk than the traditional employer/employee relationship.
Of course the various factors will interact. For example, there is a risk that a new supervisor will miss problems until he or she gains experience; that risk is exacerbated or reduced depending on whether the type of business and products he or she is supervising is high or low risk, whether he or she continues to have a lot of clients or devotes full time to supervision, the number of representatives and active accounts under his or her supervision and the available support of technology or experienced support staff.
There are no specific requirements in the IIROC rules as to how frequently branch reviews need to be done or how extensive they need to be. MFDA Policy 5 states a general expectation of a three year review cycle, with more frequent reviews of higher risk branches and a reasonable explanation for a lower frequency.
A dealer with a well designed and documented branch risk assessment program can review low risk branches less frequently or support a decision to conduct only specific parts of its program during a particular review. A dealer can justify a lengthy period between reviews of a well-run branchy if there has been no change in its risk factors. Even if it does an annual branch review, the dealer can justify forgoing looking at a part of the operation that was found to be well-run the last time through.
A risk assessment process can therefore help optimize the use of time and resources.
3. Who does the reviews?
One of the issues not dealt with in the IIROC notice that is included in MFDA Policy 5 is the qualifications of those conducting the reviews. It notes:
"The individuals must possess sufficient knowledge not only to be able to follow prescribed procedures, but to be able to know where follow up review should be pursued." It suggests that the reviewers have the same qualifications as branch managers or equivalent industry education or experience.
That those assigned to do branch reviews must have sufficient time, i.e. the reviews should not simply be piled onto the work load of an already overtaxed Compliance Department, and
That the reviewer(s) must be independent of the branch and branch manager.
Some larger dealers have separate departments or groups conducting branch reviews on a full-time basis. Others have made use of group internal audit departments. The latter practice warrants careful consideration because most of the significant issues to be dealt with in branch reviews relate to business conduct, not financial compliance. Reviews of financial controls may be necessary, but staff qualified to do both them financial control and business conduct reviews well are few and far between.
A dealer may be in the unfortunate position of not having enough branches to review to support the employment of full time branch review staff, nor sufficient capacity that they can detach one or two people for a period of branch review detail. Even larger firms may find that after several rounds of branch reviews the need to maintain the same schedule and same extent is reduced.
Staffing to conduct reviews can be a problem, either in finding qualified staff or scheduling when there is insufficient work for full-time, year-round branch reviewers.
However, there are no rules requiring branch reviews to be done internally. They can be done by knowledgeable external consultants or auditors, who can be brought in to do at least the on-the-spot reviews in a concentrated time on contract. Planning or follow-up and oversight of corrective action can remain with the dealer's Compliance Department.
4. Findings of the IIROC sweep
The IIROC notice lists seven findings. It is notable that only one of them is exclusively related to a frequent deficiency in the branch review process: a lack of effective follow-up. The notice suggests best practices including formal responses, time-lines for responses and corrective actions and follow-up reviews.
The other common deficiencies found during
the sweep are many of the same common deficiencies found during head office
- Inadequate procedures to supervise fee-based
- Inadequate records
of supervision. Sometimes a review will conclude that it is being
done but just not properly recorded; sometimes it is hard to tell whether
it is being done at all. Either way, if there is ever a regulatory
investigation that finds some kind of violation, the lack of supervisory
records is likely to lead to the conclusion that there was no supervision
- Lack of controls
over customized portfolio reports, i.e. those issued by registered
representatives where the reports aren't drawn directly from dealer
records and/or can be altered by the representative
reassignment of accounts of terminated registered representative
- Poor controls over
client address changes, and
- Inadequate controls over and review of
advertising and sales literature.
Failing to follow up to rectify deficiencies found in reviews has worse effects than just wasting time. A deficiency left uncorrected is a ticking time bomb. If there is ever an investigation that finds a violation that might conceivably have been prevented or detected earlier if the supervision problem had been fixed, the branch supervisor and firm are almost certain to face a charge of lack of supervision. Reports may also be discoverable in civil actions.
Dealers should pay attention to every report issued by its regulators outlining common deficiency findings. Those are the things that the regulators are sure to concentrate on during the next review - branch or head office - and they are likely to be less tolerant of those firms that haven't paid attention to the messages they have been sending.
5. Registration Reform Rule Changes
The IIROC review was conducted prior to the Registration Reform Project rule changes. Those changes give IIROC dealer members more flexibility in how they structure supervision and compliance at the branch level. The MFDA decided not to change it requirements that branch offices have branch managers performing specific supervisory duties.
As IIROC dealers restructure their branch supervision they will have to be very careful to ensure that they maintain a robust process for reviewing any supervisory activity conducted outside of head office, whether at a branch, regionally or a head office. The results will have to be convincing to IIROC that the new structure is at least as effective as the old, and preferably more effective.
Even where there is no on-site supervision, current IIROC and CSA expectations include cyclical visits to all business locations. Among the requirements that should be addressed in those visits are:
Signage and IIROC membership and CIPF disclosures on premises
Compliance with shared premises policies and procedures
Controls on on-site advertising, sales literature and research in publicly accessible areas
Maintenance up up-to-date hard copy forms, agreements and disclosure documents
Maintenance of necessary activity records
Maintenance of controls to ensure confidentiality of client personal information.
Sutton Boyce Gilkes can help you design your branch risk assessment process and branch review program, or review them to ensure they are both comprehensive and efficient. We can also help train reviewers or audit your process to ensure that it is effective.
March 16, 2010
Comments are due on IIROC proposed changes to its arbitration program, including a proposed increase in the award limit from $100,000 to $350,000.
See: IIROC Rules Notice 09-0359
March 28, 2010
All firms registered as of 28/Sep/09 are required to satisfy the bonding or insurance requirements of NI 31-103 and notify the principal regulator of a change, claim or cancellation to an insurance policy. The requirements are in sections 12.3 to 12.7 of NI 31-103.
All firms registered as of 29/Sep/09 are required to satisfy the referral arrangement requirements of NI 31-103, founds in sections 13.7 to 13.11
See: CSA Staff Notice 31-311
For other important dates and deadlines, see our Regulatory Calendar.
Click Here >>