CSA Staff Notice 31-350 Guidance on Small Firms Compliance and Regulatory Obligations

CSA Staff Notice 31-350 Guidance on Small Firms Compliance and Regulatory Obligations

CSA Notice





CSA Staff Notice 31-350
Guidance on Small Firms Compliance and Regulatory Obligations



May 18, 2017

Introduction

Canadian Securities Administrators staff (CSA staff or we) conducted compliance reviews of small firms registered with the CSA (small firms, or reviewed firms) in one or more of the following categories: investment fund manager (IFM), portfolio manager (PM) and exempt market dealer (EMD). The firms selected were primarily sole proprietorships or firms with one registered individual (i.e., one individual who was registered in a category that authorizes the individual to act as a dealer or an adviser on behalf of the registered firm, or in the case of an IFM, one individual registered as the chief compliance officer (CCO)).

Substance and Purpose

A registered firm must establish, maintain and apply policies and procedures that establish a system of controls and supervision that provides reasonable assurance the firm and individuals acting for it prudently manage the risks associated with its business. The CSA identifies opportunities to reduce the regulatory burden associated with compliance whenever possible, while balancing the regulatory outcomes it requires. As a result of the compliance reviews, CSA staff have concluded that additional guidance will assist small firms in meeting their compliance and regulatory obligations. Although we intend this notice to provide guidance to small firms, it may be useful to other registrants too. We strongly encourage firms to use this notice as a self-assessment tool to strengthen their compliance with securities legislation. Going forward, CSA staff will continue to monitor firms' compliance in this area.

Scope and Methodology

From October 1, 2014 to June 30, 2016, we conducted compliance reviews of 65 small firms. We assessed the firms' compliance against the requirements in applicable securities legislation, including National Instrument 31-103 Registration Requirements, Exemptions and Ongoing Registrant Obligations (NI 31-103) and its Companion Policy (31-103CP).

Summary of Results

The following table sets out common deficiencies identified across all three registration categories and the percentage of small firms with the noted deficiencies we observed during our compliance reviews.

1.

Significant business interruptions plan and succession planning -- inadequate or missing (35%)

 

2.

Monitoring systems (i.e., inadequate written policies and procedures (71%), incomplete books and records (25%), inadequate marketing materials (15%))

 

3.

CCO annual report -- inadequate or missing (29%)

 

4.

Interim financial statements and accounting principles -- incorrect accounting method and insufficient procedures (15%)

 

5.

Inadequate excess working capital (9%)

 

6.

Inadequate relationship disclosure information (63%)

 

7.

Inadequate collection/documentation of know-your-client information (54%)

 

8.

Non-delivery of or inadequate client statements (45%)

 

9.

Inadequate or outstanding filings to regulators (34%)

Specific Issues and Guidance

This notice provides details and guidance with respect to some of the deficiencies noted during our reviews. Specifically, we identified that small firms can be at risk of failing to meet requirements of applicable securities legislation if they do not have: (i) a comprehensive plan to address significant business interruptions and succession issues; (ii) monitoring systems that are reasonably likely to identify non-compliance at an early stage; and (iii) supervisory systems that allow the firm to correct non-compliant conduct in a timely manner. Additional findings noted during our reviews are presented below.

1. Significant Business Interruptions and Succession Planning

Small firms often have only one registered individual to operate the business and service clients. This raises concerns regarding the impact on the firm's clients in the event of the death, incapacitation or prolonged temporary absence of the sole registered individual. For example, if the sole advising representative at a PM is no longer capable of performing his or her registerable duties, client portfolios can no longer be managed by the firm unless the firm is able to register another advising representative. Alternatively, the client will have to engage another PM firm to manage his or her portfolio.

In most cases of business interruption, there is a period where the client's portfolio is not being managed, which could be a significant issue for clients who need to generate income to meet their cash flow needs (e.g., by selling securities). Client portfolios are also at higher risk especially in periods of volatile markets. As a result, business continuity planning is particularly important for small firms that manage client portfolios. It is advisable that a small firm's plan specifically address issues of significant business interruptions, with an emphasis on the loss of key personnel and succession.

Including steps to deal with succession planning when developing a written business continuity plan (BCP) allows firms to mitigate, respond to and recover from significant business interruptions that could impact their ability to provide services to clients. Pursuant to section 11.1 of NI 31-103, firms are required to establish, maintain and apply policies and procedures that establish a system of controls and supervision to ensure compliance with securities legislation and manage the risks associated with their business in accordance with prudent business practices. Section 11.1 of 31-103CP states that an acceptable compliance system includes internal controls to manage business risks, including risks that may relate to business interruption.

In order to manage risks related to business interruption, small firms should consider: (i) developing a BCP that is appropriate for their size and business model, (ii) designating an individual to execute the BCP (BCP executor), and (iii) reviewing the BCP annually.

When developing a BCP, firms should consider, as applicable to their business models, the following:

• procedures to mitigate, respond to, and recover from business interruptions and other types of disturbances that may disrupt the firm's day-to-day operations;

• how the firm will communicate with clients, key personnel, third-party service providers, and regulators (e.g., provide an alternate means of communication);

• procedures to protect, backup and recover the firm's books and records (e.g., as a result of a cyber-security incident or natural disaster);

• details about the relocation of the firm's office in the event of a temporary or permanent loss of the firm's head office or principal place of business;

• the firm's business succession or wind-down procedures (e.g., assignment of duties to key persons) in the event of death, incapacitation or prolonged temporary absence of the sole registered individual;

• who is responsible for notifying the regulators in the event of death, incapacitation or prolonged temporary absence of the sole registered individual;

• what information clients need to know about the BCP to ensure that it can be properly executed (e.g., by providing clients with the name and contact details of the BCP executor, and explaining to clients how they can access their assets in the event of loss of the firm's key personnel, or by providing the client with the name and contact details of the relationship manager at the custodian where the clients' assets are held);

• training of firm employees, including training about their specific duties if the BCP needs to be implemented;

• how often the BCP needs to be updated and its effectiveness assessed; and

• how the firm will assess the adequacy of the BCPs of outside service providers.

Small firms with only one individual that have no other support or administrative staff may need to designate a BCP executor external to the firm, such as a spouse, relative, legal counsel, or another registrant. When selecting an external BCP executor, firms should consider the capability of the designated individual to carry out this responsibility in the potentially stressful circumstances that would trigger the BCP (e.g., a spouse or relative may not be able to fulfill his or her non-registrable duties under the BCP). Small firms may also consider designating an additional alternate BCP executor, for example, in the event that the spouse of the sole registered individual has also passed away or is incapacitated where he/she was the designated BCP executor.

There are circumstances where exemptive relief may be granted to assist in implementing a BCP. For example, while there is a restriction on acting for another registered firm set out in section 4.1 of NI 31-103, we are prepared to consider on a case-by-case basis applications for exemptive relief from the section 4.1 restriction on an expedited basis. In light of the potentially immediate adverse impact to clients, a significant business interruption such as death, incapacitation or prolonged temporary absence of the sole registered individual would likely be a valid business reason for a BCP executor to be registered with more than one registered firm.

When working with an external BCP executor, it would be prudent, depending on a small firm's business model, to ensure that:

• a written agreement is in place so that the BCP executor understands his or her responsibilities;

• the BCP executor is familiar with the firm's BCP;

• the BCP executor is familiar with the firm's business to properly wind down or temporarily manage the small firm or facilitate the transfer of the firm's client accounts;

• a confidentiality agreement is in place if the BCP executor would have access to confidential client information; and that the firm has properly pre-arranged client authorization to share this confidential information (e.g., in the relationship disclosure information documentation);

• if the BCP executor is another registrant, conflicts of interest between both firms have been considered (e.g., an external BCP executor could be managing clients of two firms in a scenario of temporary absence); and

• the BCP executor understands securities legislation and is aware of costs (e.g., costs related to filing an application for exemptive relief).

2. Monitoring systems

Small firms may have resource constraints that make segregation of duties difficult or impossible. These challenges make ensuring good documentation practices and controls especially important for small firms in order to demonstrate good compliance. All firms must maintain records to accurately record business activities, financial affairs, and client transactions, and demonstrate the extent of a firm's compliance with applicable requirements of securities legislation. In addition to maintaining books and records, firms must establish, maintain and apply policies and procedures that establish a system of controls and supervision sufficient to:

(i) provide reasonable assurance that the firm and each individual acting on its behalf comply with securities legislation; and

(ii) manage the risks associated with its business in accordance with prudent business practices.

Some reviewed firms that employ other non-registered staff (e.g., research analysts, relationship managers, administrative or support staff) did not establish, maintain and apply policies and procedures to establish such a system of controls and supervision.

Small firms are encouraged to consider employing non-registered staff or using technology to perform additional verification procedures. For example, non-registered staff can proofread documents, double-check calculations, and verify that the registered advising or dealing representative has completed the know-your-client and other client forms. In some cases, firms may also find it helpful to use software or other tools to ensure the accuracy of their data (e.g., when calculating net asset values, return of capital, etc.).

We remind small firms that as the size and scope of their business operations expand, they should be mindful of each individual's duties and responsibilities and apply to register those individuals that are required to be registered under securities legislation (e.g., as an associate advising representative or dealing representative).

Books and Records

CSA staff found that the reviewed firms often did not maintain internal books and records to evidence the due diligence conducted to support their business activities. For example, they did not:

• record the investment decisions made;

• prepare and maintain trade orders and trade blotters;

• record the review and approval of marketing materials;

• retain signed agreements with service providers;

• retain signed subscription agreements between the firm's clients and issuers; or

• maintain records to evidence the reconciliation of client portfolio positions to custodian records.

The reviewed firms often did not maintain adequate books and records to evidence compliance with securities legislation and with the firm's own policies and procedures.

While firms may use the books and records of other parties (e.g., custodian) to reconcile their books and records, the registrant is ultimately responsible for maintaining their own separate set of books and records.

Written Policies and Procedures

CSA staff found that the reviewed firms often did not have adequate policies and procedures. For example, firms that are registered in multiple registration categories should develop policies and procedures governing all of the key functions relating to each registration category and a firm that is registered as an IFM should have specific policies and procedures related to core IFM business operations (i.e., fund accounting, transfer agent and trust accounting functions). If these functions are performed by third-party service providers, the firm should develop written oversight procedures and document how adequately the service providers are performing these outsourced functions.

CSA staff found that the reviewed firms often did not have policies and procedures with respect to personal trading. Specifically, there was no documentation or evidence of a review/process in place to ensure that clients were treated fairly. All registrants must have policies and procedures to respond to conflicts of interest, such as those arising from personal trading.

3. CCO Annual Report

The CCO must assess the overall compliance structure and internal controls at the firm at least annually. Questions about the adequacy of the firm's compliance system, and whether the CCO is adequately performing his or her responsibilities may arise when the CCO has not drafted an annual compliance report, or submits a perfunctory report that concludes that the firm has complied with securities legislation without support for how this assessment was made.

We would suggest that the CCO should describe in the report the steps that were taken to perform the assessment, the results of the assessment (including any significant instances of non-compliance such as those that create a risk of harm to a client or the capital markets), and what has been done or will be done to address the non-compliance. The CCO of a small firm can meet the annual report requirement by documenting this assessment in the firm's board of directors' minutes.

4. Interim Financial Statements and Accounting Principles

All firms, including small firms, may have deficiencies with respect to their financial statements, use of accounting principles, or excess working capital calculations. We believe that the guidance set out in below will assist all firms in strengthening their policies and procedures in this area and their overall compliance with securities legislation.

Firms should have detailed written financial policies and procedures clearly outlining who is expected to do what, when and how. For instance, firms that outsource to third parties or rely on staff to perform accounting functions should establish procedures that indicate who prepares and calculates the financial records, how they are calculated, who reviews and approves calculations and results, and when each of these activities occurs. Firms with only one individual should at a minimum develop procedures to state when and what financial records will be prepared.

CSA staff found that some reviewed firms applied the cash basis accounting method instead of the accrual basis accounting method. For instance, firms were not accruing revenues as they were earned; instead, they were waiting for when cash was received to recognize revenues. Similarly, expenses were not being accrued as they were incurred; instead, they were expensed when paid. For example, if you are aware of an expense incurred for legal costs, but have not received the invoice, the expected amount of the legal expense should be accrued during the month it was incurred and not when the invoice is received.

A firm's financial statements must comply with required accounting principles (as defined in National Instrument 52-107 Acceptable Accounting Principles and Auditing Standards) in order to ensure that the firm's resulting working capital calculation accurately reflects the firm's actual capital position.

Firms should review the guidance provided in:

• sections 12.10 to 12.11 of 31-103CP, and

• section 2.7 of the Companion Policy to National Instrument 52-107 Acceptable Accounting Principles and Auditing Standards.

5. Inadequate Excess Working Capital

Firms must properly complete Form 31-103F1 Calculation of Excess Working Capital (the Form) to ensure that all working capital calculations are accurate at all times. Some reviewed firms had inadequate excess working capital during the period covered by our compliance reviews. These firms often did not perform their working capital calculations with sufficient frequency and, accordingly, were not aware of their working capital position at all times. While these firms often maintained a nominal amount of excess working capital, as expenses were incurred it caused a working capital deficiency. In this scenario, a firm might need to calculate its excess working capital position on a more frequent basis, such as daily or weekly.

When some firms failed to maintain accounting records, this resulted in a failure to monitor the firm's working capital position except during the annual audit. Since there were no accounting records available for review, CSA staff were not able to determine if the firm applied proper accounting treatment.

CSA Staff also found that some firms did not follow the instructions set out in the Form. For example, a firm held investments but did not make the appropriate deduction for market risk under Line 9 of the Form. In other instances, firms did not deliver in a timely manner to the principal regulator the subordination agreements relating to related party debt that was excluded from the calculation of excess working capital. Guidance on how to properly complete the Form is provided in sections 12.1 and 12.2 of 31-103CP.

Lastly, firms should include procedures for when and if a working capital deficiency should occur, indicating who is responsible for rectifying the deficiency and how the deficiency would be reported to the applicable regulator as soon as possible.

Additional Guidance

This notice provides guidance with respect to deficiencies which in our view may present particular challenges for small firms. We also refer firms to the following guidance with respect to other common deficiencies identified in our compliance reviews:

• CSA Staff Notice 31-336 Guidance for Portfolio Managers, Exempt Market Dealers and Other Registrants on the Know-Your-Client, Know-Your-Product and Suitability Obligations;

• CSA Staff Notice 31-334 CSA Review of Relationship Disclosure Practices;

• section 14.14 of 31-103CP;

• CSA Staff Notice 31-347 Guidance for Portfolio Managers for Service Arrangements with IIROC Dealer Members;

• National Instrument 33-109 Registration Information;

• section 11.9 or 11.10 of NI 31-103;

• section 13.4 of 31-103CP under the heading Individuals who have outside business activities; and

• CSA Staff Notice 31-325 Marketing Practices of Portfolio Managers.

Conclusion

All firms, including small firms, are encouraged to meet or exceed industry best practices in complying with regulatory requirements and to have policies, procedures and systems that are appropriate to their size and business model. The CSA will continue to review and evaluate firms' compliance with securities legislation. Firms can keep up-to-date on regulatory developments by actively reviewing staff notices and publications, participating in information outreach sessions organized by various CSA members, and signing up for mailings from the various CSA members.

Questions

Please refer your questions to any of the following:

Curtis Brezinski
Compliance Auditor, Capital Markets, Securities Division
Financial and Consumer Affairs Authority of Saskatchewan
306-787-5876
 
Angela Duong
Compliance Auditor
Manitoba Securities Commission
204-945-8973
 
Reid Hoglund
Regulatory Analyst
Alberta Securities Commission
403-297-2991
 
To-Linh Huynh
Senior Analyst
Financial and Consumer Services Commission (New Brunswick)
506-643-7856
 
Éric Jacob
Directeur principal de l'inspection
Autorité des marchés financiers
514-395-0337, extension 4741
 
Jonathan Lee
Senior Compliance Analyst
British Columbia Securities Commission
604-899-6670
 
Janice Leung
Manager, Adviser/IFM Compliance
British Columbia Securities Commission
604-899-6752
 
Susan Pawelek
Accountant
Compliance and Registrant Regulation
Ontario Securities Commission
416-593-3680
 
Chris Pottie
Manager, Compliance and SRO Oversight
Policy and Market Regulation Branch
Nova Scotia Securities Commission
902-424-5393
 
Kat Szybiak
Senior Legal Counsel
Compliance and Registrant Regulation
Ontario Securities Commission
416-593-3686
 
Craig Whalen
Manager of Licensing, Registration and Compliance
Office of the Superintendent of Securities
Newfoundland and Labrador
709-729-5661