The Investment Industry Regulatory Organization of Canada (IIROC) must make changes to its enforcement processes, according to the latest oversight review by the Canadian Securities Administrators (CSA). The CSA also reports that IIROC may be facing a new class action lawsuit in connection with the loss of a laptop computer containing clients’ personal information in 2013.

The CSA released a report today detailing the results of its latest oversight review of IIROC. The review, which was conducted jointly by eight of the provincial securities regulators, focuses on three areas: enforcement, information technology and business conduct compliance (BCC).

The CSA flags in its report a couple of ongoing enforcement issues at IIROC, which the CSA deems to be “high” priorities for the self-regulatory organization (SRO) to address. The report also indicates that, while courts in Quebec have refused to certify a potential class action lawsuit in connection with the loss of client data in 2013, “IIROC was recently served with a motion to authorize a new class action lawsuit.”

IIROC says that, based upon the advice of counsel, it believes “the action is without merit” and it “will be defending the action vigorously.”

High-priority

As for the oversight review, the CSA says that regulators have identified two high-priority findings in IIROC’s enforcement department, both of which were flagged in a previous review in 2014. They include concerns that the SRO isn’t adequately restricting access to the enforcement department’s case management database and that management oversight of enforcement cases is not being fully documented.

The report indicates that IIROC intended to deal with the database issue in its 2016 budget, but no such action was taken. The CSA says that this situation “continues to enable users with a perceived or actual conflict of interest to have the opportunity to access information on [the database] to their benefit.”

In response, IIROC indicates that it has budgeted for the required changes and that a capital expenditure request will be sent to its board for approval in fiscal 2017 (which starts April 1, 2016). In the meantime, IIROC says, it has implemented controls intended to mitigate the perceived risks. “Until the long term IT solution is in place, we will also remind staff that IIROC has the ability to track and report on historical access to files and to take action as necessary,” IIROC states in the CSA report.

Concerns over documentation

The report also indicates that the CSA continues to have concerns about the consistent documentation of management’s review and approval of case assessment and investigation files. In response, IIROC notes that the necessary reviews and approvals are taking place, and that the problem involves the consistent documentation of those reviews. The SRO also says that a staff working group was formed in July 2015 to address the issue of document management standards, and that it aims to finalize new protocols this year.

The CSA review also notes a handful of “medium” priority issues in the IT and BCC departments. In particular, it says, certain compliance review procedures may be insufficient to uncover client-managed accounts that are unduly concentrated or to identify advisors who recommend high-risk products across client-managed accounts, among other concerns related to ensuring suitability.

In response, IIROC reports that its business conduct compliance team “has made a number of changes in examination procedures to more thoroughly test the suitability of investment recommendations … We continue to enhance our compliance program to reflect changes in markets, risks, investment products and demographics to focus on priorities such as suitability.”

Information security plan

IIROC also stresses that its board is actively overseeing the implementation of its information security plan. “IIROC remains committed to strong information security,” it says.

The review does not cover other aspects of IIROC’s operations, such as financial compliance, market surveillance or regulatory policy. The CSA says that, apart from the issues cited in its review, the regulators did not identify any other concerns with IIROC meeting the terms and conditions of its recognition orders.

IIROC notes that it is “pleased” that the CSA found that it is in overall compliance with the terms of its recognition orders and that it has “made sufficient progress in resolving most of the findings in the 2014 report.”

“We intend to fully address any outstanding findings in order to enhance our regulatory effectiveness,” IIROC says in a statement responding to the CSA report. “We will continue to strengthen our capabilities to deliver on IIROC’s regulatory priorities, which remain focused on protecting investors, promoting compliance and fostering fair and efficient markets across Canada.”