Coinsquare Capital Markets Ltd.
Headnote
National Policy 11-203 Process for Exemptive Relief Applications in Multiple Jurisdictions -- relief from the requirement to engage one or more qualified external auditors to conduct an independent systems review and prepare a report in accordance with established audit standards and best industry practices -- relief subject to systems reviews similar in scope to that which would have applied to an independent systems review -- National Instrument 21-101 Marketplace Operation.
Applicable Legislation
National Instrument 21-101 Marketplace Operation, ss. 12.2, 15.1.
IN THE MATTER OF
THE SECURITIES LEGISLATION OF ONTARIO,
ALBERTA
BRITISH COLUMBIA,
MANITOBA,
NEW BRUNSWICK,
NEWFOUNDLAND AND LABRADOR,
NORTHWEST TERRITORIES,
NOVA SCOTIA,
NUNAVUT,
PRINCE EDWARD ISLAND,
QUÉBEC,
SASKATCHEWAN,
AND YUKON
(the Jurisdictions)
AND
IN THE MATTER OF
THE PROCESS FOR EXEMPTIVE RELIEF APPLICATIONS
IN MULTIPLE JURISDICTIONS
AND
IN THE MATTER OF
COINSQUARE CAPITAL MARKETS LTD.
(the Filer)
DECISION
Background
The securities regulatory authority or regulator in each of the Jurisdictions (Decision Maker) has received an application from the Filer for a decision under the securities legislation of the Jurisdictions (the Legislation) for an exemption pursuant to section 15.1 of National Instrument 21-101 Marketplace Operation (NI 21-101) from section 12.2 of NI 21-101, which requires that the Filer, on a reasonably frequent basis and, in any event, at least annually, engage one or more qualified external auditors to conduct an independent systems review and prepare a report in accordance with established audit standards and best industry practices (collectively, an ISR) for 2023 (the Exemptive Relief Sought).
Under the Process for Exemptive Relief Applications in Multiple Jurisdictions (for a coordinated review application):
1. the Ontario Securities Commission (Commission) is the principal regulator for this application, and
2. the decision is the decision of the principal regulator and evidences the decision of each other Decision Maker.
Interpretation
Terms defined in National Instrument 14-101 Definitions have the same meaning if used in this decision, unless otherwise defined.
Representations
This decision is based on the following facts represented by the Filer:
1. Coinsquare Capital Markets Ltd. (CCML) is a corporation established under the federal laws of Canada and one component of its principal business is to operate an alternative trading system (ATS) as defined in NI 21-101.
2. The head office of the Filer is located in Toronto, Ontario.
3. The Filer is a member of the Canadian Investment Regulatory Organization and the Canadian Investor Protection Fund and is registered in each of the Jurisdictions in the category of investment dealer.
4. The CCML ATS (CCML System) is an alternative trading system that supports the trading of crypto assets using Limit Orders. Limit Orders are directions given to buy or sell crypto contracts at a specified or better price. The CCML ATS matches and executes orders. It is not a protected marketplace in Canada and does not provide for national best protected bids or best protected offers.
5. The CCML System's only client is an affiliated broker dealer. It is not connected to any other marketplace and cannot affect another marketplace or be affected by another marketplace.
6. For each of its systems that supports order entry, execution, trade reporting, data feeds, or market surveillance, the Filer has developed and maintains:
a. reasonable business continuity and disaster recovery plans;
b. adequate internal controls over those systems; and
c. adequate information technology general controls, including without limitation, controls relating to information systems operations, information security, cyber resilience, change management, problem management, network support and system software support.
7. In accordance with prudent business practice, on a reasonably frequent basis and, in any event, at least annually, the Filer:
a. makes reasonable current and future capacity estimates;
b. conducts capacity stress tests to determine the processing capability of those systems to perform in an accurate, timely and efficient manner;
c. tests its business continuity and disaster recovery plans; and
d. reviews the vulnerability of the CCML System and data centre operations to internal and external threats.
8. The Filer's current trading and order entry volumes in the CCML System represent less than 4 percent of peak historical market volumes of the CCML System, and the Filer has not experienced any failure of the CCML System.
9. The Filer's current trade volume is currently substantially less than 1 percent of total market activity of Canadian crypto assets marketplaces.
10. The Filer monitors the CCML System 24 hours a day, 7 days a week to ensure that all components continue to operate and remain secure.
11. The Filer shall promptly notify the Commission of any failure to comply with the representations set out herein.
12. Other than for the exemptive relief sought, the Filer is not in default of securities legislation in any jurisdiction.
Decision
Each of the Decision Makers is satisfied that the decision meets the test set out in the Legislation for the Decision Maker to make the decision.
The decision of the Decision Makers under the Legislation is that the Exemptive Relief Sought is granted provided that:
A. The Filer shall promptly notify the Commission of any material changes to the representations set out herein, including any material changes to the Filer's annual net income or to the market share or daily transaction volume of the CCML System.
B. The Filer shall, for 2023, complete a SOC 1 Type II review of the CCML System and of its controls (SOC Report).
C. The Filer shall, for 2023, complete an independent accountant's report on applying agreed-upon procedures (AUP Report).
D. The Filer shall, for 2023, complete an annual review of the CCML System and of its controls, similar in scope to that which would have applied had the Filer conducted an ISR and in a manner and form acceptable to the Commission.
1. The review for the AUP Report will include examining the following controls:
i. controls relating to information systems operations;
ii. controls relating to information security;
iii. controls relating to cyber resilience;
iv. controls relating to network support;
v. controls relating to business continuity planning; and
vi. controls relating to disaster recovery planning.
2. The review for the SOC Report will include examining the following controls:
i. controls relating to change management;
ii. controls relating to problem management; and
iii. controls relating to system software support.
E. The SOC 1 Type II review will cover the entirety of the business year for which they are being prepared or have accompanying documentation evidencing coverage for the remainder of the business year. The first report will cover the period from January 1, 2023 to September 30, 2023. The Filer will provide a bridge letter providing assertions from management for coverage of the remainder of the 2023 business year.
F. The reports described in conditions B and C and the bridge letter described in condition E shall be filed with staff of the Commission no later than (i) 30 days after they are provided to the Filer's board of directors or audit committee, or (ii) the 60th day after the end of the year being reviewed.
G. The independent accountant's report on applying agreed-upon procedures review will cover the entirety of the business year for which they are being prepared. The first report will cover the period from January 1, 2023 to December 31, 2023.
H. Should any material concern arise relating to its systems and controls, the Filer must notify the Commission which will consider whether the exemptive relief sought should be varied or revoked.
Dated this 6th day of May, 2024.