Trading Supervision Obligations Presentation for CCLS Annual Conference 2017

Agenda Three lines of defense OSFI E-13 Enterprise Compliance Program Large Firm Supervision Structures UMIR 7.1 Trading Supervision Obligations Past, present and future Monitoring, testing and issues tracking Questions

Three lines of defense model – OSFI Guideline E-13 *E-13 communicates OSFI’s key expectations for Federally Regulated Financial Institutions to establish and maintain an enterprise-wide framework of regulatory risk management controls.

Enterprise Compliance Framework

Large Firm Supervision Structures – parallel structures Regulatory Structure UDP & CCO Governance IIROC Policy 38 All registrants must report to a Registered Supervisor Registered Supervisors NRD filing current employment item 10 description of duties Categories of registration and/or proficiency requirements Delegation letters Evidence of Supervision Employment Structure Global Titles and Operating Groups span multiple jurisdictions Trading business split between Bank and Dealer depending on registration requirements Many registrants report to non registrants on org chart Issues tracking system maintains evidence of reviews and outstanding regulatory issues Outsourced centralized services

Process for Supervision (the 6 W’s) Identify Regulation (Rules or Policy) – new or existing Interpret the regulation – the WHY and WHAT Map the Regulation to a Business Unit This identifies the WHERE This allows for Issue tracking and documentation of the regulation Risk Assessment (nature and size of the business, risk and impact) Monitor Regulatory Developments for new or changing regulations Comment process Complete coverage Effective challenge & Advisory High/Med/Low Regulatory Risk Risk sets priorities for audit and reviews

Second Line - Compliance (cont.) First Line - Supervision Second Line - Compliance Delegation WHO does the supervision Implement a control WHEN and HOW you supervise Document the frequency, sample size, procedures etc. Monitoring and Testing plans (M&T) Recording of the exceptions and results of M&T Submit to Compliance for review and approval Is registration required to perform supervision tasks Document delegation of functions and tasks Document the control (P&P) Is the control effective Does the control mitigate Regulatory Risk Preventative or Detective Control Compliance implements their own independent M&T plans (i.e. Trade Desk Review)

UMIR 7.1 what is new and what does that mean to dealers You can stay the same but that won’t make sense very quickly! Adjust to principle based rules and guidance Pro, Introduces flexibility in policies and procedures Con, Increases risk that firms don’t do enough or do too much Document risk based analysis and any changes to existing P&Ps Very subjective to determine if Supervision and/or Compliance is adequately funded Increased reliance on technology solutions (i.e. surveillance tools) Vendor solutions bring their own risk – reliant on vendor’s interpretation (group think) Making changes to vendor solution may be misguided In house solutions can be expensive, lengthy development and do not get the benefit of leveraging other firms ideas and experiences More meetings and committees to discuss changes More focus on documentation and reporting

Monitoring, Testing and Issues Tracking Monitoring controls – risk based approach assessing compliance with regulatory requirements using information from daily business activities Testing to determine if controls are operating effectively at a specific point in time Risk base approach Issues Tracking Recording deficiencies (which line of defense identified the issue, who remediates and what is the plan) Reporting Issues to Management (division and legal entity) Compliance Department - effective challenge on the above CCO assess’ the adequacy of, adherence to and effectiveness of the controls and the compliance program.

Questions?