What to expect from an OSC Compliance Review

1. Selection and Risk Assessment: How the Process Begins

Managing Uncertainty through Preparation

Regulatory reviews of registrants are a part of participating in the capital markets, but they can inspire uncertainty and concern, especially before your firm’s initial review. Knowing what to expect can help you to prepare your firm and your team, focusing your energy in a useful direction.

The Risk-Based Approach

The OSC uses a risk-based approach to determine the timing and scope of reviews of registered firms. As part of the registration process, applicant firms are required to submit detailed information about their operations, including business activities, financial condition, custody arrangements, fee structures, marketing practices, and compliance systems. This information is typically collected through a Risk Assessment Questionnaire (RAQ), which generates a risk score for the firm.

The OSC uses these risk scores to rank firms and allocate resources to higher-risk registrants and activities. Firms with higher risk scores are more likely to be subject to earlier initial reviews as well as more frequent ones. The OSC conducts on-site compliance reviews of firms with higher risk scores compared to their peers, focusing on higher-risk activities and requiring corrective action for identified deficiencies.

Why Accurate RAQ Responses Matter

It should go without saying that you should be accurate in all your submissions to a regulator, and that accuracy should include your RAQ responses. Inaccurate information in your RAQ can lead to:

• A regulatory review being scheduled sooner than it otherwise would have been;

• Difficult questions about the RAQ responses during that review; and

• Potentially a review deficiency, if the OSC concludes that your RAQ responses were incomplete or misleading.

Assuming your RAQ is accurate, regulators use the information provided to schedule your next review.

2. The Kick-Off: Timelines and Document Requests

Scheduling and Deadlines

The regulators will contact you to set up an entrance meeting, which kicks off your firm’s review. In our experience, the entrance meeting typically takes place approximately two weeks after you first hear from the OSC that you have been selected for a review.

About a week before the entrance meeting, you will receive an extensive books and records request. You will be expected to provide the requested information and documentation on or before the entrance meeting date, via a secure link. Note that you will often have approximately five business days to prepare and upload the requested books and records, so you must have your documentation organized and up to date, and ensure client records are easily accessible and capable of being compiled and uploaded quickly.

Preparing the "Books and Records" Submission

Your firm will receive an initial request list of documents to disclose, including the following:

• Compliance policies and procedures manual

• KYC forms and client onboarding documentation

• Sample client statements and reports

• Marketing materials

• Trade blotters and order records, as applicable

• Evidence of supervision (e.g., review logs, review reports)

• Agreements with relevant entities.

Many of the OSC’s requests will be for information that may not be organised in a way that aligns with your firm’s practices or systems, meaning those requests will take more time to understand and address. Do not underestimate how much time and work will be required to respond to the request list. In our experience, you can expect that your effort to respond to the initial request list will require an "all hands on deck" approach, with late hours and weekends to complete the work on time.

Organization and Sampling

Regulators appreciate effort by registered firms to organise the documents and information according to the relevant request question, in proper folders. In that way the regulators can get to work easily instead of having to sort a dump of information and documents. Submitting documents on time and organised can demonstrate to regulators that your firm takes compliance seriously, which is a good first impression.

Ensure submitted documents are complete and accurate, or you may face questions later on during the review. Inaccuracies can cause regulators to question your firm’s books and records, and related policies and procedures.

Regarding client files, in our experience auditors will sample certain client accounts, perhaps 20-40 accounts for each relevant area of focus, which is considered to be a statistically significant number. That approach allows regulators to extrapolate their results on a reasonable basis to the entire relevant population.

3. The Active Review: Meetings and Focus Areas

The Entrance Meeting

The UDP and CCO, at a minimum, will be expected to attend the entrance meeting with the auditors, and you can expect it to take around two hours. The entrance meeting allows regulators to learn about your firm at a high level, to consider on which areas their review should focus. If the entrance meeting identifies a clear lack of understanding of a particular area, or a weakness in execution, regulators may decide to add that element into your firm’s review menu.

Be prepared to respond to their questions accurately, or to ask for an additional and reasonable amount of time to review and respond accurately. You will have an opportunity to ask questions as well.

Duration and Location

OSC auditors may not be on-site for long, typically for two or three days, but potentially lasting two to three weeks, with some variation based on firm size and scope. If your firm is organized to be entirely virtual then of course there is no on-site element to the review.

Common Areas of Focus

There are areas of focus that will always be included, such as Know Your Client (KYC), Know Your Product (KYP), and suitability. Auditors may add new glosses on those areas, such as the current focus on Client Focused Reforms for KYC, KYP, and suitability. Regulators have been clear in their annual staff compliance notice that they intend to complete multiple rounds of Client Focused Reforms reviews for all firms, so you should expect this scrutiny.

Outside of Client Focused Reforms, regulators often have other areas of focus for all firms, or all firms of a particular registration category or business model, and those can change without much, if any, notice.

4. The Iterative Process: Managing Waves of Questions

The Follow-Up Process

At the end of the entrance meeting, you will likely receive your first list of questions, requiring your responses within another five business days. After the initial request list and the questions you receive following the entrance meeting, the auditors typically have many more questions, asking for additional documentation or explanations in waves.

Be prepared for an iterative process that will take up at least some of your time and resources, which can increase or drag on if the regulators believe they have identified critical deficiencies requiring more of your input.

Managing Timelines and Resources

Your firm will generally be expected to respond to each wave of questions within five business days, but if you are unable to meet that deadline, ask for a reasonable amount of additional time proactively instead of just being late. If you have special circumstances that require a reasonable delay or break from the review, make that request proactively as well.

Slow or late responses to information or document requests may be viewed poorly by the regulators. Recent OSC reports and guidance have identified delays in responding to books and records requests as a concern and, in some cases, as a deficiency related to inadequate books and records or compliance systems.

Plan to respond to initial and subsequent document and information requests quickly, thoroughly, and accurately. It can take firm staff a significant amount of time and effort to do so, in addition to fulfilling their usual responsibilities, so prepare your team to budget their time accordingly. It can help in some situations to bring in an external service provider to augment your capacity and provide expertise dealing with OSC reviews.

5. The Outcome: Reports and Deficiencies

Waiting for Results

Once the questions and document requests have stopped, and OSC staff have completed their review, you will have to wait for the resulting review report (often referred to as a “compliance report” or “deficiency report”). In our experience, this can take several weeks to a few months, depending on the complexity of the firm and the scope of issues identified.

Interpreting the Signals

During the review, auditors will sometimes signal areas of concern through the nature and depth of their follow-up questions. However, you should not assume that the absence of probing questions means there are no issues; some concerns may only become clear to OSC staff after they complete their file review and internal discussions.

Once you have the review report, the next phase of work begins. It is highly unusual to receive an entirely clean review report, so you should expect to have at least some deficiencies to address.


How can North Star Compliance help?

If you’ve been selected for an OSC compliance review or want to get ahead of your next one, get in touch with our team to discuss how we can help you prepare, respond, and strengthen your compliance program.


About the Authors

Kanchan Mehta is a global compliance leader with experience across Canada, the United States, Singapore, and India. She has held senior roles at SEC-registered investment firms, investment banks, and brokerage institutions, including serving as Director of Compliance for a U.S. robo-advisor and hedge fund. She brings over 15 years of experience in risk management and the development and implementation of compliance frameworks.


Martha Rafuse (B.A. Western University, LL.B. Osgoode, LL.M London School of Economics), Counsel at North Star Legal, brings more than two decades of securities regulatory experience across the financial industry, private practice, and government. Prior to joining North Star Legal, Martha led large compliance teams for both Canadian and U.S. firms, including RBC Phillips, Hager & North Investment Counsel Inc., RBC Dominion Securities Inc. (Retail), and Royal Mutual Funds Inc. As Legal Counsel at the Ontario Securities Commission, Martha developed legal solutions for novel regulatory issues and led significant policy initiatives.

