What to Expect from a Provincial Securities Regulator Compliance Review

1.Selection and Risk Assessment: How the Process Begins

Managing Uncertainty through Preparation Regulatory reviews of registrants are a part of participating in the capital markets, but they can inspire uncertainty and concern, especially before your firm's initial review. Knowing what to expect can help you to prepare your firm and your team, focusing your energy in useful directions.

The Risk-Based Approach Provincial securities regulators use a risk-based approach to determine the timing and scope of reviews of registered firms. Registered firms are required to submit detailed information about their operations, including business activities, financial condition, custody arrangements, fee structures, marketing practices, and compliance systems. This information is typically collected through regular surveys or risk assessment questionnaires. Regulators use this information to allocate resources to higher-risk registrants and activities. Firms with higher risk scores are more likely to be subject to earlier initial reviews as well as more frequent ones.

Provincial regulators conduct compliance reviews of firms based on various factors including the business model, assets under management, complaints, and the firm’s regulatory history. A firm may be selected for review as part of the normal review cycle, based on its risk profile, referrals from another department or regulator, or if complaints are received about the firm.

Why Accurate Survey Responses Matter It should go without saying that you should be accurate in all your submissions to a regulator, and that accuracy should include your survey responses. Inaccurate information in your survey could lead to:

• A regulatory review being scheduled sooner than it otherwise would have been;

• Difficult questions about the survey responses during that review; and

• Potentially a review deficiency, if the regulator concludes that your survey responses were incomplete or misleading.

Assuming your survey is accurate, regulators use the information provided to schedule your next review.

2. The Kick-Off: Timelines and Document Requests Scheduling and Deadlines The regulators will contact you to set up an entrance meeting or initial interview, which kicks off your firm's review. In our experience, the entrance meeting typically takes place a few weeks after you first hear from the regulator that you have been selected for a review. Reviews may be conducted on-site, which encompass the major functional areas of a firm's operations, or as targeted reviews, where a particular issue is the focus.

Preparing the "Books and Records" Submission If a registered firm is selected for a compliance review, it will typically receive advance notification and be provided with a list of books and records that auditors will need to examine during the review. You will be expected to provide the requested information and documentation on or before the entrance meeting date, often via a secure portal.

Note that you will often have a limited time to prepare and upload the requested books and records, so you must keep your documentation organized and up to date.  Ensure that client records are easily accessible and capable of being compiled and uploaded quickly. Documents buried in email are not easily accessible.

Your firm will receive an initial request list of documents to disclose, including the following:

• Compliance policies and procedures manual

• KYC forms and client onboarding documentation

• Sample client statements and reports

• Marketing materials

• Trade blotters and order records, as applicable

• Evidence of supervision (e.g., review logs, review reports)

• Agreements with relevant entities

Many of the regulators' requests may be for data or information that may not be organised in a way that aligns with your firm's practices or systems, meaning those requests will take more time to understand and address.

Do not underestimate how much time and work will be required to respond to the initial books and records request list. In our experience, you can expect that your effort to respond to the initial request list will require an "all hands on deck" approach, with late hours and weekends to complete the work on time. If there is no way to avoid submitting your books and records before the deadline, advise the auditors as soon as you make that determination, and work with them on a revised deadline, instead of just being late.

Organization and Sampling Regulators appreciate effort by registered firms to organise the documents and information according to the relevant request question, in proper folders. In that way auditors can get to work easily instead of having to sort a dump of information and documents. Submitting organized documents on time can demonstrate to regulators that your firm takes compliance seriously, which is a good first impression.

Ensure submitted documents are complete and accurate, or you may face questions later during the review. Inaccuracies can cause regulators to question your firm's books and records, and related policies and procedures.

Regarding client files, in our experience auditors will sample certain client accounts, perhaps 20-40 accounts for each relevant area of focus, which is considered to be a statistically significant number. That approach allows auditors to extrapolate their results on a reasonable basis to the entire relevant population.

3. The Active Review: Meetings and Focus Areas

The Entrance Meeting The Ultimate Designated Person (UDP) and Chief Compliance Officer (CCO), at a minimum, will be expected to attend an in-person entrance meeting or initial interview with the auditors, and you can expect it to take around two hours. The entrance meeting allows auditors to learn about your firm at a high level, to consider on which areas their review should focus. If the entrance meeting identifies a clear lack of understanding of a particular area, or weakness in execution, regulators may decide to add that element into your firm's review menu.

Be prepared to respond to their questions accurately, or to ask for an additional and reasonable amount of time to review and respond accurately. Instead of bringing additional colleagues to the entrance meeting, it can be helpful to note the auditors' questions and take them back to your staff members, instead of trying to respond on the spot.

You will have an opportunity to ask questions as well.

Common Areas of Focus Provincial regulators focus on several key areas during compliance reviews:

• Compliance systems and processes (policies and procedures manual)

• Know Your Client (KYC), Know Your Product (KYP), and suitability

• Conflicts of interest

• Marketing and sales practices

• Financial condition and capital requirements

• Client reporting and disclosure

• Oversight of dealing representatives and firm personnel

• Books and records

Regulators have been clear in their annual notices and compliance reports that they intend to complete multiple rounds of Client Focused Reforms reviews for all firms, so you should expect this scrutiny. Beyond Client Focused Reforms, regulators often have other areas of focus for all firms, or all firms of a particular registration category or business model, and those can change without much, if any, notice.

4. The Iterative Process: Managing Waves of Questions

The Follow-Up Process During the examination, regulatory auditors will review your books and records and may request additional documents as their field work progresses. At or after the entrance meeting, you will likely receive follow-up questions and requests, requiring your responses before another deadline.

Subsequent to the initial books and records list, and the questions and requests you receive after the entrance meeting, they typically have many more questions and requests, asking for additional documentation or explanations in waves. Be prepared for an iterative process that will take up at least some of your time and resources, which can increase or drag on if the regulators believe they have identified critical deficiencies requiring more of your input.

Managing Timelines and Resources Your firm will generally be expected to respond to each wave of questions before a specific deadline. If you have special circumstances that require a reasonable delay or break from the review, make that request proactively. Slow or late responses to information or document requests may be viewed poorly by the regulators. Delays in responding to books and records requests have been identified as a concern in regulatory reports and guidance and, in some cases, as a deficiency related to inadequate books and records or compliance systems.

Plan to respond to initial and subsequent document and information requests quickly, thoroughly, and accurately. It can take your firm’s staff a significant amount of time and effort to do so, in addition to fulfilling their usual responsibilities, so prepare your team to budget their time accordingly. It can help in some situations to bring in an external service provider to augment your capacity and provide expertise dealing with provincial securities regulator reviews.

5. The Outcome: Reports and Deficiencies

Waiting for Results Once the on-site work is complete, auditors will return to their office to complete the balance of their review. Once the questions and document requests have stopped, you will have to wait for the resulting review report. The length of time for this off-site work will depend on the complexity of the firm's operations and the nature of the findings. In our experience, this can take several weeks to a few months.

Auditors will typically meet with the CCO and UDP for an in-person exit meeting to deliver the report or findings.

Interpreting the Signals During the review, auditors will sometimes signal areas of concern through the nature and depth of their follow-up questions. However, you should not assume that the absence of probing questions means there are no issues; some concerns may only become clear to regulatory staff after they complete their file review and internal discussions.

Next Steps Once the review is complete, senior management is provided with a report or findings, which outlines the deficiencies found during the review. Firms are typically required to respond, explaining how they will address each deficiency and setting out their plan of action. Response timelines vary but approximately 30 days is a safe bet.

It is highly unusual to receive an entirely clean review report, so you should expect to have at least some deficiencies to address and report to your management and board of directors.

If the firm addresses all issues in a satisfactory manner, the file will be closed. If the firm does not adequately address the deficiencies, regulators may take further action. Possible regulatory responses include:

• Increased oversight of the firm

• Conducting a follow-up review

• Imposing terms and conditions on the firm's registration

• Referral to enforcement staff

• Recommendation for suspension of registration

How can North Star Compliance help? If you've been selected for a provincial securities regulator compliance review or want to get ahead of your next one, get in touch with our team to discuss how we can help you prepare, respond, and strengthen your compliance program.