Compliance roundup – March

Best practices

The first step is drawing up a list of what to contract out, says Thiele. “Then you need to come up with a robust process for due diligence. It’s important to send out a detailed questionnaire to the provider, but that’s not enough. You need to kick the tires: go meet them and check out their facilities.”

Adds Susan Silma, a Toronto-based industry consultant and former OSC director: “Think about the impact the third-party firm can have on your reputation and client experience.” For instance, does the company have a record of improper handling of confidential information? Once you’ve made your picks, be sure to draw up contracts. Not everyone does this, and IIROC won’t be happy if you don’t have a formal agreement on the books.

It’s critical, says Thiele, that you’ve documented policies and procedures on all aspects of outsourcing: selection process, assessment procedures, records of actual assessments, etc. When IIROC does its review, for instance, it will want to see you’ve assessed a sample of the trade confirmations your third-party firm has processed. This is the main sticking point, notes Thiele. Most dealer members do solid due diligence and reviews, but at times their records aren’t thorough enough. “If you can’t demonstrate to the regulator you’re doing those reviews, it becomes a case of ‘he says, she says.’ ”

She suggests creating a matrix or chart indicating whom outsourcing arrangements are with, what’s been done and when. For instance, the chart would show when a due diligence questionnaire was sent out; when the completed form was returned; who reviewed it and when; when a face-to-face meeting was held; and where to find back-up materials.

From IIROC’s point of view, outsourcing doesn’t mean transferring responsibility, Silma says. “In fact, when you outsource, you take on new responsibilities. You have to assess the appropriateness of the arrangement on an ongoing basis, not just at the outset.”

DOs and DON’Ts

The guidance itemizes key core and non-core activities that can be outsourced (see “Core activities,” this page).

Silma notes the guidance allows certain activities to be outsourced, including those related to suitability assessments, account opening and the client complaint process. But since virtually all elements of these activities are client-facing and therefore must be performed by a registered representative, she suggests only administrative aspects could be outsourced.

For instance, she says, once the KYC information is collected or a complaint is received by the dealer member, inputting that information into a database could be appropriately outsourced.

Outsourcing a core activity may be considered a change in business model, adds Silma. That means you need to inform IIROC. Non-core activities that can be out-
sourced include:

• office service management activities;
• procurement of external consultant services; and
• human resources management activities.

Outsourcing risks

The guidance’s appendix lists key risks. For instance, it warns of client harm risk, which means “inadequate third-party outsource service provider controls to ensure adequate protection and timely client access to…account assets and related account records.”

Thiele singles out firm concentration risk. This is when a dealer uses one provider for most or all of its outsourcing needs. IIROC’s worry, Thiele says, is that if the third-party firm goes under, the dealer could be paralyzed.

“There’s been a lot of discussion within industry groups on this one,” she says. If a dealer has determined Company X is the best, can the regulator require part of the outsourcing load be directed elsewhere? In other words, is it IIROC’s business to tell firms with whom they can or cannot
do business?

“For the most part IIROC’s been true to its statement that it’s a principles-based guidance,” says Thiele, “but we’ll have to see how this one plays out.”

Susan Han, a lawyer at Miller Thomson in Toronto, suggests the fact that Penson Financial Services Canada, a major back office service provider, went out of business likely contributed to IIROC’s flagging of concentration risk.

“When Penson went under, it caused a real kerfuffle at IIROC. It served more than 100 firms when it closed shop. All of a sudden all these broker-dealers and portfolio managers had to find new providers.” Han adds IIROC was actively involved in these transitions.

Thiele also highlights what IIROC calls access risk. This refers to cases where the service provider is unable to give timely access to information regulators ask dealers for during audits and reviews.

“There’s the potential for regulator frustration if you can’t get [that information] to them,” says Thiele, adding they’ll also wonder, “How can you be doing effective oversight if you can’t even get timely information?”

Han notes access risk is a problem when dealers switch service providers. Dealer members have to maintain records, even on closed accounts, for seven years. “Sometimes data for [those] accounts gets lost because it’s not converted over at the same time.”