CSA Staff Notice 31-356 Guidance on Compliance Consultants Engaged by Firms Following a Regulatory Decision
August 22, 2019
Introduction
Canadian Securities Administrators staff (CSA staff or we) are issuing this Notice to provide guidance to registered firms that we directly oversee (Firms) when they are required by a securities regulatory authority or regulator (Regulator) to engage a compliance consultant{1} (Consultant) to assist them to address their compliance deficiencies and improve their compliance systems. Since this Notice focuses on Consultants engaged by Firms when required by a regulatory decision, this Notice is expected to apply to a small number of Firms in any given year.
A Firm may be required to hire a Consultant as a result of regulatory action by CSA staff, a decision of a director, or an order of a Regulator (collectively, Regulatory Decision) following a compliance review or an enforcement investigation of the Firm that identified significant non-compliance with securities law. The requirement that a Firm hire a Consultant is typically imposed as part of terms and conditions placed on a Firm's registration, an order that a Firm submit to a review of its practices and procedures, or as an order approving a settlement agreement with a Firm, all of which have the effect of creating a requirement under securities law. The Firm is usually required to engage, at its expense, a Consultant that has been approved or accepted by CSA staff{2} to address identified compliance deficiencies. These can include cases where the Firm has an inadequate compliance system, a chief compliance officer (CCO) and ultimate designated person (UDP) who are not adequately performing their responsibilities, or significant control and supervision inadequacies.
Purpose
The purpose of this Notice is to:
• help Firms identify, evaluate and engage appropriate Consultants to assist them to effectively address their compliance deficiencies on a timely basis, as CSA staff do not endorse or recommend any Consultants
• provide transparency on CSA staff's process and criteria for approving or accepting a Consultant proposed by a Firm
• inform Consultants and Firms about CSA staff's expectations for a Consultant's engagement, including their role, and the format and content for reporting
• improve the oversight and remediation processes of Firms subject to a Regulatory Decision by increasing their consistency, efficiency and effectiveness
Who is a Consultant?
A Consultant provides professional advice and services in respect of compliance with securities law, relevant industry rules, industry best practices, and development of systems regarding controls and supervision. A Consultant has in-depth knowledge and experience on compliance in the securities industry in these matters and is independent of the Firms they advise or service.
A Consultant may be a lawyer, public accountant, experienced compliance professional, former securities regulator, management or risk consultant, experienced industry person, or some combination of these roles.
Consultant's role and engagement
A Consultant advises and assists a Firm to take appropriate steps to rectify its identified compliance deficiencies and to develop controls to prevent future deficiencies. A Consultant does this by:
• understanding the Firm's business, applicable regulatory requirements, and its identified compliance deficiencies by meeting with the Firm's representatives and visiting its key business locations
• reviewing any compliance review deficiency reports, orders, terms and conditions, or settlement agreements issued by the Regulator or CSA staff
• reviewing the Firm's processes, records, policies and procedures, and system of controls and supervision
• having an open and continuing dialogue with both the Firm, especially the UDP and CCO, and CSA staff during the term of their engagement, such as by informing CSA staff of any concerns the Consultant has in completing its engagement
• making practical, tailored and effective recommendations to the Firm to address the deficiencies that comply not only with the legal requirements, but also with the spirit of the requirements and industry best practices
• proactively monitoring and assisting the Firm as it implements the recommendations
• training the Firm's representatives
A Consultant may also act as a monitor where they observe and review a Firm's activities over a period of time, such as by monitoring a Firm's trading activity or the opening of new accounts until regulatory concerns are addressed. They may also be required by a Regulatory Decision to identify if a deficiency has resulted in any investor harm (such as excessive fees), and if so (or where investor harm has already been identified), to develop and administer a remediation or compensation plan for investors.
The role of the Consultant will vary for each engagement as it will be determined by the Regulatory Decision. Typically, a Consultant will work with the Firm and CSA staff to advise, make recommendations, and assist the Firm to address its compliance deficiencies.
The Consultant's engagement will typically be to:
• create a comprehensive written compliance plan with detailed and specific recommendations and steps to address the Firm's deficiencies, along with the expected time frames for completing the steps
• provide ongoing written reports to CSA staff on the Firm's progress in implementing the recommendations in the compliance plan
• perform sufficient and appropriate testing to assess the effectiveness of the actions taken by the Firm to implement the Consultant's recommendations
• provide a final report to CSA staff assessing if the recommendations in the compliance plan have been implemented, or a written attestation to CSA staff verifying that the recommendations have been implemented, tested and are working effectively, and that the compliance deficiencies have been rectified
The Consultant's engagement is typically for an ongoing, indefinite period of time until the Firm's deficiencies have been addressed to the satisfaction of CSA staff and all other terms of the Regulatory Decision have been met (including reporting obligations to CSA staff). It is not uncommon for some engagements to last up to one year or longer.
CSA staff's typical criteria for approving or accepting a Consultant
In certain circumstances and depending on the jurisdiction, a Consultant proposed by a Firm must be approved by CSA staff. We typically apply the following criteria as part of our process for assessing if a proposed Consultant will be approved or accepted:
• Can the Consultant demonstrate it has sufficient knowledge, resources and staff to properly evaluate the Firm's compliance system and controls and supervision structure at all locations from which the Firm operates, and appropriately address any weaknesses or deficiencies?
• Can the Consultant demonstrate it has extensive experience with the type of Firm the engagement relates to, the key issues that are to be remediated, and the relevant laws and regulations?
• Is the Consultant independent of the Firm it will provide its services to? Can the Consultant demonstrate it has no conflicts of interest with respect to the engagement? For example, a lack of independence or a conflict may exist if the Consultant has an existing business, personal or family relationship with the Firm and/or its individuals, including if the Consultant previously acted in an advisory role for the Firm when the compliance deficiencies took place.
• Does the Consultant have the ability to act independently of the Firm, despite the fact that the Firm is paying for the Consultant's services? This means that the Consultant does not act as a paid advocate for the Firm's positions, but forms its own views as to what is an effective approach, recommendation or action to address the deficiencies.
• What is CSA staff's prior experience with the Consultant, including the Consultant's conduct, quality of work (recommendations, testing and reporting), and the effectiveness and efficiency of previous consulting engagements?
• Can the Consultant demonstrate it has the ability, through prior experience, to effectively persuade and influence the Firm to enhance its culture of compliance and mindset, and to improve its practices and procedures to address deficiencies?
• Can the Consultant demonstrate that it has the capacity and resources to complete the engagement on a timely basis, especially if the engagement is extensive, complicated, or is expected to take a number of months to complete?
In addition to the above, CSA staff may use other criteria as needed to assess the proposed Consultant. For some engagements, not all of the above criteria will apply.
Further, although a particular Consultant was approved by CSA staff as part of a past Regulatory Decision, it does not necessarily mean they will be approved for another engagement. Each engagement is unique and the Consultant must fit the needs of each engagement.
In most cases, one Consultant may be engaged to perform all services. But in some cases, more than one Consultant may be needed for a particular engagement as different skill sets may be required. For example, a lawyer may be needed to develop the recommendations due to his/her expertise in the area that is to be remediated, and a public accountant may be engaged to perform testing to assess if the recommendations have been fully implemented by the Firm and are working effectively.
An additional criterion may apply when the proposed Consultant is a lawyer or law firm. The terms of Regulatory Decisions often require the Firm to provide CSA staff with its written unrestricted permission for CSA staff and the Consultant to communicate with one another regarding the Firm's progress in implementing the Consultant's recommendations, or any other matter related to the Regulatory Decision. This may include CSA staff making inquiries into the substance of communications between the Consultant and the Firm. If the Consultant is a lawyer or law firm, solicitor-client privilege may apply to these communications, which may be inconsistent with the unrestricted communications required by the Regulatory Decision. As such, if the proposed Consultant is a lawyer or law firm, CSA staff in some jurisdictions may ask the Firm to waive its solicitor-client privilege as it relates to the Consultant and the engagement. Since solicitor-client privilege is a key protection in the Canadian legal system, Firms should fully understand the implications of waiving this privilege before consenting to it, such as by obtaining independent legal advice. Further, if other lawyers at the Consultant's law firm will continue to counsel the Firm on other matters, the Consultant may be asked to provide CSA staff with the controls it will put in place (such as information and ethical barriers) to ensure that the Consultant and the other lawyers do not discuss or share information about the Firm for the term of the Consultant's engagement.
As part of CSA staff's process to approve or accept a proposed Consultant, we may discuss the Consultant's credentials with the Firm, contact CSA staff in other jurisdictions who have previously dealt with the Consultant, interview the Consultant, and review the Consultant's resume and other available information.
Firm's due diligence on Consultants
The Firm is responsible for retaining and compensating the Consultant. CSA staff do not endorse or recommend any Consultants, nor do any jurisdictions maintain a list of approved Consultants. The Firm is to identify and propose one or more Consultants for CSA staff's consideration. Given the seriousness of a Regulatory Decision, it is critical for an appropriate Consultant to be engaged.
The Firm should perform sufficient due diligence on the proposed Consultant to assess if it has the knowledge, experience, independence, and resources for the engagement before the Firm proposes one or more Consultants to CSA staff. Firms should consider the criteria that CSA staff uses when approving a Consultant, and consider asking the following questions:
• What are the Consultant's education, designations and prior employment history?
• What types of past engagements has the Consultant worked on? What were the outcomes?
• Is the Consultant able to start soon after being engaged? If not, when are they available to start?
• Is there more than one person employed by the Consultant to provide back-up, support, expertise, and continuity?
Here are some ways for a Firm to identify a Consultant:
• in the context of a Regulatory Decision, discuss with CSA staff the Firm's options and potential choices
• obtain referrals from lawyers, public accountants, security industry contacts, service providers, and any industry or trade associations of which the Firm is a member
• check websites, online reviews and social media postings of compliance professionals and associations or societies of compliance professionals
A Firm is usually requested to propose one or more potential Consultants to CSA staff by a particular date, and should therefore perform its due diligence as soon as possible.
Other considerations for Consultant's engagement
Prior to the approval of the Consultant, CSA staff in some jurisdictions may ask the Firm to provide details of the engagement (such as a draft agreement) that have been preliminarily agreed upon with the Consultant. As necessary, we may request that changes be made to the scope of work to be performed, or other details of the engagement, so that it meets the requirements of the Regulatory Decision. For example, a Regulatory Decision typically specifies that the Firm:
• may not restrict the Consultant from providing CSA staff with copies of the Firm's books and records that were obtained from the engagement
• must provide the Consultant with reasonable access to all of the Firm's books and records necessary to complete the engagement, and require the Firm's officers, directors and employees to cooperate and meet privately with the Consultant with respect to the engagement
Once the Consultant is approved by CSA staff, the Firm should finalize a written agreement with the Consultant that outlines the roles and responsibilities of the Firm and the Consultant, the individuals involved, the scope and timing of work, fees, and the Consultant's confidentiality obligations.
Terminating a Consultant
In a small number of cases, we have required a Firm to terminate a Consultant that we had approved, and to engage another Consultant. We have done this when the Consultant was not adequately fulfilling its mandate. The terms of Regulatory Decisions typically do not permit the Firm to terminate the Consultant's engagement without CSA staff's prior approval.
Reporting and testing by the Consultant
Although the terms of each Regulatory Decision will be tailored, in most cases there will be prescribed written reporting to CSA staff at specified dates or when key milestones are reached. The Consultant is typically required to report to CSA staff on the results of the Consultant's testing and work, and on the Firm's progress in addressing the identified deficiencies.
There is no standard, required format for reporting by the Consultant to CSA staff. However, outlined below are some examples of the types and content of reports commonly required. It is prudent for the Consultant to discuss the format of its reporting with CSA staff before drafting the initial report.
Compliance plan
Many Regulatory Decisions require the Consultant to prepare a compliance plan for submission to and approval by CSA staff, within a specified period after the Consultant has been approved.
A compliance plan generally should:
• itemize in summary form each compliance deficiency that is to be addressed
• set out in sufficient detail the recommended steps to be taken by the Firm and the Consultant to address each deficiency, and, as appropriate, include how the Consultant will test the implementation and effectiveness of the recommended steps after they have been put in place by the Firm for a period of time
• state who is responsible for implementing each recommended step
• state the expected completion date for each step
• provide an end date for when the plan is expected to be completed
• include a schedule with dates the Consultant is to provide reporting to CSA staff, up until the date the plan is expected to be completed, or until the reporting required by the Regulatory Decision ends
Compliance plans typically come in the form of a letter or a letter accompanied by a detailed table. A table can break down large amounts of information into an easily readable form. See Exhibit A for a sample template of a compliance plan in a table format showing common headings used in many plans.
Once prepared, the compliance plan is signed by the Consultant, and the Firm's UDP and CCO as evidence of their knowledge of and commitment to the plan. The plan is then provided to CSA staff for review, which typically includes a call or meeting with the Consultant to discuss the plan, prior to CSA staff approving it. Among other things, we will assess the plan to ensure all deficiencies will be appropriately addressed on a timely basis, and that it provides sufficient detail for us to assess if the plan is likely to be effective.
Progress reports
Progress reports outline the Firm's progress in implementing each of the Consultant's recommendations in the compliance plan, and provide the Consultant's comments, such as on any new issues or ongoing difficulties in meeting the plan's steps. Progress reports are to be provided on an ongoing basis until the recommendations in the plan are fully implemented. The progress reports are to be signed by the Consultant and the Firm's UDP and CCO before they are provided to CSA staff for review.
We expect the Firm to make significant progress at each reporting interval. If a recommendation or step has not been completed by its expected date, the report should explain the reason for the delay, the steps to get back on track, and provide a revised completion date.
Progress reports also typically come in the form of a letter or a letter accompanied by a detailed table. A progress report in a letter form should recite summary details for each deficiency, and each deficiency's recommendation and steps from the compliance plan, for ease of reference. When a compliance plan has been prepared in a table format, it can be converted into a progress report by adding columns for the status of each step, and the Consultant's comments on each step's progress. See Exhibit B for a sample template of a progress report in a table format showing common headings used in many reports.
The progress reports may also outline the testing that has been performed by the Consultant. Performing this testing throughout the engagement may help make the engagement more efficient.
Final report
Upon the full implementation of the compliance plan, the Consultant submits a final report directly to CSA staff, with a copy to the Firm, which provides its assessment as to whether its recommendations have been fully implemented.
If required by the Regulatory Decision, the Consultant's final report will be an attestation letter which is to verify that the recommendations in the plan have been fully implemented, tested and are working effectively, and that the identified compliance deficiencies have been rectified.
The final report or attestation letter needs to substantiate in sufficient detail how the Consultant reached its assessment. For example, the attestation letter should state in summary form the actions taken by the Firm to address the deficiencies, and detail the testing that the Consultant performed and the testing outcomes.
For the testing to be effective, a sufficient period of time should elapse from the date of the implementation of a recommendation to the date that the Consultant is performing the testing. In some cases, the required period of time between the implementation and the testing will be mandated by the Regulatory Decision. A sufficient sample size should be selected for the testing, and disclosed in the reporting. The Consultant should be able to substantiate the sample size and sampling methodology to CSA staff. The Consultant should document the outcomes of its testing, and if issues were identified, provide details and support for what was done to address and prevent recurrence of the issues. If material issues are found during testing, CSA staff may request that the Consultant perform additional testing.
The final report or attestation letter typically needs to be approved by CSA staff, for the terms of the Regulatory Decision to be completed and for the Consultant's engagement to be considered complete.
CSA staff's review of the final report or attestation letter typically includes a call or meeting with the Consultant to discuss the assessment and any accompanying information or reports. The Consultant may be asked to provide further information, reports or its working papers to support its assessment or attestation. This may include, for example, copies of client files or other documents reviewed and tested by the Consultant.
Completion of the terms imposed by a Regulatory Decision
Once a Firm has demonstrated compliance with the terms of a Regulatory Decision to the satisfaction of CSA staff, the Consultant's engagement will end, and we typically will remove any applicable terms and conditions from the Firm's registration. In many cases, we will perform a subsequent compliance review of the Firm that includes assessing if the Firm has addressed its previous compliance deficiencies and is applying the Consultant's recommendations. Repeat compliance deficiencies, or evidence that the Firm is not applying the Consultant's recommendations, will be treated seriously.
Conclusion
We will apply the guidance in this Notice when a Firm is required to engage a Consultant as part of a Regulatory Decision. In many cases, Consultants engaged in these circumstances have been effective in helping Firms to address their compliance deficiencies and to significantly improve their compliance systems, or systems of control and supervision.
Questions
Please refer your questions to any of the following:
• Trevor Walz, Senior Accountant, Compliance and Registrant Regulation, Ontario Securities Commission, 416-593-3670
• Brian Murphy, Manager, Registration, Nova Scotia Securities Commission, 902-424-4592
• Brad Woods, Compliance Auditor, The Manitoba Securities Commission, 204-945-6913
• Curtis Brezinski, Compliance Auditor, Capital Markets, Securities Division, Financial and Consumer Affairs Authority of Saskatchewan, 306-787-5876
• Reid Hoglund, Regulatory Analyst, Alberta Securities Commission, 403-297-2991
• Craig Whalen, Manager of Licensing, Registration and Compliance, Office of the Superintendent of Securities, Government of Newfoundland and Labrador, 709-729-5661
• To-Linh Huynh, Deputy Director, Operations, Financial and Consumer Services Commission (New Brunswick), 506-643-7856
• Mark French, Manager, Registration & Dealer Compliance, British Columbia Securities Commission, 604-899-6856
• Éric Jacob, Directeur principal de l'inspection, Direction principale de l'inspection, Autorité des marchés financiers, 514.395.0337 ext 4741
{1} Some jurisdictions use the term "compliance monitor".
{2} Some jurisdictions accept or "non-object" to the engagement of the Consultant, rather than approve.
Exhibit A
Sample template for a compliance plan
Plan item # | Summary of deficiency | Recommended step(s) to address deficiency (and as appropriate, the testing to be performed) | Person(s) responsible for completing each step | Expected date of completion for each step
__________ | __________ | __________ | __________ | __________
Exhibit B
Sample template for a progress report
Plan item # | Summary of deficiency | Recommended step(s) to address deficiency (and as appropriate, the testing to be performed) | Person(s) responsible for completing each step | Expected date of completion for each step | Status of implementation of each step, and any testing performed | Consultant comments
__________ | __________ | __________ | __________ | __________ | __________ | __________