What to Expect from a BCSC Compliance Review
1. Selection and Risk Assessment: How the Process Begins
Managing Uncertainty through Preparation Regulatory reviews of registrants are a part of participating in the capital markets, but they can inspire uncertainty and concern, especially before your firm’s initial review. Knowing what to expect can help you to prepare your firm and your team, focusing your energy in useful directions.
The Risk-Based Approach The BCSC uses a risk-based approach to determine the timing and scope of reviews of registered firms. Registered firms are required to submit detailed information about their operations, including business activities, financial condition, custody arrangements, fee structures, marketing practices, and compliance systems. This information is typically collected through a regular survey, which generates a risk score for the firm.
The BCSC uses these risk scores to rank firms and allocate resources to higher-risk registrants and activities, assigning risk ratings using detailed factors (e.g., business model, AUM, complaints, regulatory history) and targeting a roughly two- to five‑year exam cycle. Higher‑risk firms examined more frequently; for example, Mortgage Investment Corporations, or “MICs”, are rated higher risk. Firms with higher risk scores are more likely to be subject to earlier initial reviews as well as more frequent ones. The BCSC conducts on-site compliance reviews of firms with higher risk scores compared to their peers, focusing on higher-risk activities and requiring corrective action for identified deficiencies. BCSC auditors
Why Accurate Survey Responses Matter It should go without saying that you should be accurate in all your submissions to a regulator, and that accuracy should include your survey responses. Inaccurate information in your survey could lead to:
• A regulatory review being scheduled sooner than it otherwise would have been;
• Difficult questions about the survey responses during that review; and
• Potentially a review deficiency, if the BCSC concludes that your survey responses were incomplete or misleading.
Assuming your survey is accurate, regulators use the information provided to schedule your next review.
2. The Kick-Off: Timelines and Document Requests
Scheduling and Deadlines The regulators will contact you to set up an entrance meeting, which kicks off your firm’s review. In our experience, the entrance meeting typically takes place a few weeks after you first hear from the BCSC that you have been selected for a review. The “field examination” is described as the BCSC’s main monitoring tool; they emphasize on‑site review of books and records, interviews with key staff, as well as evidence of checks, balances, and internal controls.
Preparing the "Books and Records" Submission Before the entrance meeting you will receive an extensive books and records request, with several dozen items. You will be expected to provide the requested information and documentation on or before the entrance meeting date, via a secure portal. Note that you will often have approximately five business days to prepare and upload the requested books and records, so you must keep your documentation organized and up to date, and ensure client records are easily accessible and capable of being compiled and uploaded quickly. Documents buried in email are not easily accessible.
Your firm will receive an initial request list of documents to disclose, including the following:
• Compliance policies and procedures manual
• KYC forms and client onboarding documentation
• Sample client statements and reports
• Marketing materials
• Trade blotters and order records, as applicable
• Evidence of supervision (e.g., review logs, review reports)
• Agreements with relevant entities.
Many of the BCSC’s requests may be for data or information that may not be organised in a way that aligns with your firm’s practices or systems, meaning those requests will take more time to understand and address.
Do not underestimate how much time and work will be required to respond to the request list. In our experience, you can expect that your effort to respond to the initial request list will require an "all hands on deck" approach, with late hours and weekends to complete the work on time.
If there is no way to avoid submitting your books and records before the deadline, advise the auditors as soon as you make that determination, instead of just being late.
Organization and Sampling Regulators appreciate effort by registered firms to organise the documents and information according to the relevant request question, in proper folders. In that way the auditors can get to work easily instead of having to sort a dump of information and documents. Submitting documents on time and organised can demonstrate to regulators that your firm takes compliance seriously, which is a good first impression.
Ensure submitted documents are complete and accurate, or you may face questions later during the review. Inaccuracies can cause regulators to question your firm’s books and records, and related policies and procedures.
Regarding client files, in our experience auditors will sample certain client accounts, perhaps 20-40 accounts for each relevant area of focus, which is considered to be a statistically significant number. That approach allows regulators to extrapolate their results on a reasonable basis to the entire relevant population.
3. The Active Review: Meetings and Focus Areas
The Entrance Meeting The UDP and CCO, at a minimum, will be expected to attend an in-person entrance meeting with the auditors, and you can expect it to take around two hours. The entrance meeting allows auditors to learn about your firm at a high level, to consider on which areas their review should focus. If the entrance meeting identifies a clear lack of understanding of a particular area, or a weakness in execution, regulators may decide to add that element into your firm’s review menu.
Be prepared to respond to their questions accurately, or to ask for an additional and reasonable amount of time to review and respond accurately. Instead of bringing additional individuals to the entrance meeting, it can be helpful to note the auditors’ questions and take them back to those staff members, instead of everyone trying to respond on the spot.
You will have an opportunity to ask questions as well.
Common Areas of Focus There are areas of focus that will always be included, such as Know Your Client (KYC), Know Your Product (KYP), suitability, and conflicts of interest. Auditors may add new glosses on those areas, such as the current focus on Client Focused Reforms for KYC, KYP, and suitability. Regulators have been clear in their annual staff compliance notice that they intend to complete multiple rounds of Client Focused Reforms reviews for all firms, so you should expect this scrutiny.
Outside of Client Focused Reforms, regulators often have other areas of focus for all firms, or all firms of a particular registration category or business model, and those can change without much, if any, notice.
4. The Iterative Process: Managing Waves of Questions
The Follow-Up Process At the end of the entrance meeting, you will likely receive your first list of follow-up questions and requests, requiring your responses before another deadline. Subsequent to the initial books and records list, and the questions and requests you receive after the entrance meeting, they typically have many more questions and requests, asking for additional documentation or explanations in waves.
Be prepared for an iterative process that will take up at least some of your time and resources, which can increase or drag on if the regulators believe they have identified critical deficiencies requiring more of your input.
Managing Timelines and Resources Your firm will generally be expected to respond to each wave of questions before a specific deadline, but if you are unable to meet that deadline, ask for reasonable amount of additional time proactively instead of just being late. If you have special circumstances that require a reasonable delay or break from the review, make that request proactively as well.
Slow or late responses to information or document requests may be viewed poorly by the regulators. Recent regulatory reports and guidance have identified delays in responding to books and records requests as a concern and, in some cases, as a deficiency related to inadequate books and records or compliance systems.
Plan to respond to initial and subsequent document and information requests quickly, thoroughly, and accurately. It can take firm staff a significant amount of time and effort to do so, in addition to fulfilling their usual responsibilities, so prepare your team to budget their time accordingly. It can help in some situations to bring in an external service provider to augment your capacity and provide expertise dealing with BCSC reviews.
5. The Outcome: Reports and Deficiencies
Waiting for Results Once the questions and document requests have stopped, and BCSC staff have completed their review, you will have to wait for the resulting review report (often referred to as a “compliance report” or “deficiency report”). In our experience, this can take several weeks to a few months, depending on the complexity of the firm and the scope of issues identified. The BCSC will typically meet with the CCO and UDP for an in-person exit meeting to deliver the report.
Interpreting the Signals During the review, auditors will sometimes signal areas of concern through the nature and depth of their follow-up questions. However, you should not assume that the absence of probing questions means there are no issues; some concerns may only become clear to BCSC staff after they complete their file review and internal discussions.
Next Steps Once you have the review report, the next phase of work begins. Firms must respond, typically within about 30 days, with an action plan to address the identified deficiencies. It is highly unusual to receive an entirely clean review report, so you should expect to have at least some deficiencies to address and report to your management and board of directors.
How can North Star Compliance help? If you’ve been selected for a BCSC compliance review or want to get ahead of your next one, get in touch with our team to discuss how we can help you prepare, respond, and strengthen your compliance program.