Register today for OSC Dialogue 2024: Inviting, thriving and secure capital markets
Email blast – Business Continuity Planning
You are receiving this email because you are a CCO and/or UDP of a registered firm in Ontario.
Dear Registrants,
This is a reminder that all registered firms are required to establish, maintain and apply a written business continuity plan (BCP) to adequately manage the impact of an event causing a significant business disruption. For small firms and firms with few registered individuals, it is particularly important for the BCP to reasonably address the impact to clients and business operations in the event of the death, incapacitation or prolonged absence of key individuals.
A BCP is part of the system of controls and supervision that registered firms must establish, maintain and apply to ensure compliance with securities legislation and manage the risks associated with their business in accordance with prudent business practices.
When developing a BCP, small firms should consider designating an individual to execute the BCP (BCP executor) and, as appropriate for their size and business model, the following:
- procedures to mitigate, respond to, and recover from business interruptions and other types of disturbances that may disrupt the firm’s day-to-day operations;
- how the firm will communicate with clients, key personnel, third-party service providers (e.g., banks, custodians, brokers, administrators), and regulators (e.g., provide an alternate means of communication);
- procedures to protect, backup and recover the firm’s books and records (e.g., as a result of a cyber-security incident or natural disaster);
- details about the relocation of the firm’s office in the event of a temporary or permanent loss of the firm’s head office or principal place of business;
- the firm’s business succession or wind-down procedures (e.g., assignment of duties to key persons) in the event of death, incapacitation or prolonged temporary absence of the sole registered individual;
- who is responsible for notifying the regulators in the event of death, incapacitation or prolonged temporary absence of the sole registered individual;
- what information clients need to know about the BCP to ensure that it can be properly executed (e.g., by providing clients with the name and contact details of the BCP executor, and explaining to clients how they can access their assets in the event of loss of the firm’s key personnel, or by providing the client with the name and contact details of the relationship manager at the custodian where the clients’ assets are held);
- training of firm employees, including training about their specific duties if the BCP needs to be implemented;
- how often the BCP needs to be updated and its effectiveness assessed; and
- how the firm will assess the adequacy of the BCPs of third-party service providers.
It is also important for registered firms to make all the necessary arrangements so that the designated BCP executor is adequately trained and able to execute the BCP effectively, ensuring that the BCP executor is authorized to provide instructions on behalf of the firm to third-party service providers (e.g., banks, custodians, brokers, administrators) and communicate with the regulators.
Small firms with only one registered individual and no other support or administrative staff may have to designate a BCP executor external to the firm (e.g., a spouse, relative, legal counsel, or another registrant), provided that such external BCP executor has the knowledge, authority, and qualification to carry out this responsibility in compliance with securities legislation in the event of a business interruption. Where prudent business practices require that the firm have an external BCP executor, the firm should ensure that:
- a written agreement is in place so that the BCP executor understands and acknowledges his or her responsibilities;
- the BCP executor is familiar with the firm’s BCP;
- the BCP executor is familiar with the firm’s business to properly wind down or temporarily manage the small firm or facilitate the transfer of the firm’s client accounts;
- a confidentiality agreement is in place if the BCP executor would have access to confidential client information; and that the firm has properly pre-arranged client authorization to share this confidential information (e.g., in the relationship disclosure information documentation);
- if the BCP executor is another registrant, conflicts of interest between both firms have been considered (e.g., an external BCP executor could be managing clients of two firms in a scenario of temporary absence); and
- the BCP executor understands securities legislation and is aware of costs (e.g., costs related to filing an application for exemptive relief).
Guidance for small firms on significant business interruptions and succession planning was also provided in CSA Staff Notice 31-350 Guidance on Small Firms Compliance and Regulatory Obligations.
Compliance and Registrant Regulation Staff
Ontario Securities Commission
For compliance inquiries, you may contact us via email at [email protected]