Request for comments on draft guidance regarding outsourcing arrangements

Transcription

1 Rules Ntice Request fr Cmments Dealer Member Rules Please distribute internally t: Internal Audit Legal and Cmpliance Operatins Regulatry Accunting Senir Management Cntacts: Luis Piergeti Vice President, Financial and Operatins Cmpliance (416) Richard J. Crner Vice President, Member Regulatin Plicy (416) Octber 22, 2012 Request fr cmments n draft guidance regarding utsurcing arrangements This Ntice requests cmments n draft guidance with respect t utsurcing arrangements. The attached draft guidance: summarizes the existing requirements and guidance relating t entering int and maintaining utsurcing arrangements, identifies the Dealer Member business activities that may nt be utsurced and thse that may be utsurced, sets ut IIROC s expectatins as t the apprpriate due diligence prcedures that must be undertaken by IIROC Dealer Members befre utsurcing any business activity, and sets ut IIROC s plans t prpse rules relating t utsurcing. Dealer Members and ther interested parties are requested t prvide cmments n the attached draft Guidance Nte. Cmments shuld be made in writing and delivered by January 20, 2013 (90 days frm the publicatin date f this Ntice).

2 Rules Ntice Guidance Nte Dealer Member Rules Please distribute internally t: Internal Audit Legal and Cmpliance Operatins Regulatry Accunting Senir Management Cntacts: Luis Piergeti Vice President, Financial and Operatins Cmpliance (416) Richard J. Crner Vice President, Member Regulatin Plicy (416) XXXX Octber XX 2012 Outsurcing arrangements Guidance Nte bjectives The bjectives f this Guidance Nte are t: summarize the existing requirements and guidance relating t entering int and maintaining utsurcing arrangements, identify the Dealer Member business activities that may nt be utsurced and thse that may be utsurced, set ut IIROC s expectatins as t the apprpriate due diligence prcedures that must be undertaken by IIROC Dealer Members befre utsurcing any business activity, and set ut IIROC s plans t prpse rules relating t utsurcing. Backgrund infrmatin and cntext are als prvided n the develpment f regulatry principles gverning utsurcing arrangements by regulated entities and relevant financial sectr guidance published n this subject matter. The cncept f utsurcing is nt new in the securities industry. The IIROC Dealer Member Rules set ut the requirements fr many f the cmmn utsurcing arrangements that are entered int by Dealer Members, including: Back ffice sharing arrangements with an affiliated Canadian financial institutin, Intrducing brker/carrying brker arrangements,

3 Security custdy arrangements, and External prtfli management arrangements. Hwever, as firms face increasing cmpetitive pressures t cntain and reduce csts, there is a crrespnding trend t utsurce mre business functins, activities and prcesses t third-party service prviders thrugh arrangements that IIROC Dealer Member Rules d nt adequately address. In recent years, there has been an evlutin f utsurcing arrangements put in place between Dealer Members and regulated/unregulated entities that may r nt be affiliated, and that may be freign r dmestic. Fr example, Canadian bank parent emplyees f Dealer Members cnduct certain back-ffice peratinal functins n behalf f the Dealer Member and the bank parent charges fr thse csts pursuant t a service agreement. Similar arrangements exist fr US FINRA registered parent cmpanies f Dealer Member subsidiaries. These functins include accunting and back-ffice supprt that are utside the scpe f Rule 35 Intrducing brker/carrying brker arrangements. There is a grwing interest by self-clearing Dealer Members t utsurce the daily management f bks and recrds, including the recnciliatin f bank accunt balances, psitins held in custdy, dividend/interest incme received, and stck rerganizatins, t bth dmestic and freign unregulated, third-party service prviders. Withut adequate safeguards, this industry trend may give rise t incremental investr prtectin, market reputatin, credit and systemic risks. Dealer Members are reminded f their bligatin t prvide IIROC with advance ntificatin f material changes in their business mdel, including peratins pursuant t IIROC Rules Ntice Reprting f changes t business mdels dated March What is utsurcing? A reprt prepared in 2005 by the Internatinal Organizatin f Securities Cmmissins (IOSCO) sets ut the fllwing definitin fr utsurcing: utsurcing is defined as an event in which a regulated utsurcing firm cntracts with a service prvider fr the perfrmance f any aspect f the utsurcing firm s regulated r unregulated functins that culd therwise be undertaken by the firm itself. It is intended t include nly thse services that were r can be delivered by internal staff and management the service prvider may be a related party within a crprate grup, r an unrelated utside entity. The service prvider may itself be either regulated (whether r nt by the same regulatr with authrity ver the utsurcing firm), r may be an unregulated entity. utsurcing wuld nt cver purchasing cntracts, althugh as with utsurcing, firms shuld ensure that what they are buying is apprpriate fr the intended purpse. Purchasing is defined as the IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements - 2 -

4 acquisitin frm a vendr f services, gds r facilities withut the transfer f the purchasing firm s nn-public prprietary r custmer infrmatin 1. The IOSCO reprt makes an imprtant distinctin between material cre and nn-cre utsurcing functins f a firm. It describes a cre functin as ne that is critical t the nging viability f an entity as well as meeting its regulatry bligatins t custmers. Cre functins include recmmending, entering int and clearing and settling investment prduct transactins with clients, hlding client investment prduct psitins in custdy, reprting t clients n the accunt psitins and cash balances held (and the value f thse psitins and balances) and respnding t client cmplaints. Nn-cre activities wuld include ffice service management activities; cnsultant advisry services; and human resurces activities. The distinctin f cre versus nn-cre functins shuld be cnsidered by Dealer Members seeking t demnstrate that they are discharging their regulatry bligatins in the cntext f utsurcing cre functins. The IOSCO study prvided nine guiding principles in regards t utsurcing by financial intermediaries as listed belw: 1. Crprate gvernance - A regulated entity seeking t utsurce activities shuld have in place a cmprehensive plicy t guide the assessment f whether and hw thse activities can be apprpriately utsurced. The bard f directrs r equivalent bdy retains respnsibility fr the utsurcing plicy and related verall respnsibility fr activities undertaken under that plicy. 2. Risk management A regulated entity shuld establish a cmprehensive utsurcing risk management prgram t address the utsurced activities and the relatinship with the service prvider. 3. N subrgatin f regulatry respnsibility A regulated entity shuld ensure that utsurcing arrangements neither diminish its ability t fulfill its bligatins t custmers and regulatrs, nr impede effective supervisin by regulatrs. 4 Due diligence A regulated entity shuld cnduct apprpriate due diligence in selecting third-party service prviders. 5. Cntract - Outsurcing relatinships shuld be gverned by written cntracts that clearly describe all material aspects f the utsurcing arrangement, including the rights, respnsibilities and expectatins f all parties. The cntract shuld neither prevent nr impede the regulated entity frm meeting its respective regulatry bligatins, nr the regulatr frm exercising its regulatry pwers. 1 Surce: Principles n Outsurcing f Financial Services fr Market Intermediaries, Chapter 1 Technical Cmmittee f the Internatinal Organizatins f Securities Cmmissin (IOSCO), February IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements - 3 -

5 The regulated entity must ensure it has the ability t access all bks, recrds and infrmatin relevant t the utsurced activity being perfrmed at the service prvider. The cntract shuld prvide fr the cntinuus mnitring and assessment by the regulated entity f the service prvider s that any necessary crrective measures can be taken immediately. A terminatin clause and minimum perids t execute a terminatin prvisin, if deemed necessary, shuld be included. The latter wuld allw the utsurced services t be transferred t anther third-party service prvider r t be incrprated int the regulated entity. Such a clause shuld include prvisins relating t inslvency r ther material changes in the crprate frm, and clear delineatin f wnership f intellectual prperty fllwing terminatin, including transfers f infrmatin back t the regulated entity and ther duties that cntinue t have an effect after the terminatin f the cntract. The cntract shuld include, where apprpriate, cnditins f subcntracting by the third-party service prvider fr all r part f an utsurced activity. It shuld require apprval by the regulated entity f the use f subcntractrs by the third-party service prvider fr all r part f a serviced activity r activity being delivered. Mre generally, the cntract shuld prvide the regulated entity with the ability t maintain similar cntrl ver the risks that may arise when a service prvider utsurces t ther third parties as might arise under the riginal direct utsurcing arrangement. 6. Business Cntinuity A regulated entity and its service prviders shuld establish and maintain cntingency plans, including a plan fr business disruptin recvery and peridic testing f backup facilities. 7. Cnfidential Infrmatin A regulated entity shuld take apprpriate steps t require that service prviders prtect cnfidential infrmatin f bth the regulated entity and its clients frm intentinal r inadvertent disclsure t unauthrized persns. 8. Regulatry Assessment - Regulatrs shuld take int accunt utsurcing activities as an integral part f their nging assessment f the regulated entity. Regulatrs shuld assure themselves by apprpriate means that any utsurcing arrangements d nt hamper the ability f the regulated entity t meet its regulatry requirements. Regulatrs shuld cnsider utsurcing activities as part f their verall risk assessment f a regulated entity. In rder t be able t assess and mnitr the utsurcing plicy and utsurcing risk management prgram f a regulated entity, regulatrs shuld be able, upn request, t btain prmptly any relevant bks and recrds pertaining t the utsurced activity, irrespective f whether they are in the pssessin f the IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements - 4 -

6 utsurcing firm r the third-party service prvider, and t btain additinal infrmatin cncerning utsurced activities. A regulatr s access t such bks and recrds may be direct r indirect, thugh the regulated entity shuld always maintain direct access t such bks and recrds. This may include a requirement that the bks and recrds be maintained in the regulatr s jurisdictin, r that the service prvider agrees t send riginals r cpies f the bks and recrds t the regulatr s jurisdictin upn request. Regulatrs shuld cnsider implementatin f apprpriate regulatins and measures designed t supprt access t bks, recrds and infrmatin f the service prvider abut the perfrmance f utsurced activities. This may include the requirement that regulated entities incrprate in utsurcing arrangements cntractual prvisins that prvide the regulated entity with access t, and a right f inspectin f, the service prvider s bks and recrds dealing with utsurced activities, and similar access t the bks and recrds f any subcntractr, as well as cntractual prvisins by which the service prvider is required t make bks, recrds and ther infrmatin abut utsurced activities by the service prvider available t the regulatr upn request. 9. Cncentratin - Regulatrs shuld be aware f the ptential risks psed where the utsurced activities f multiple regulated entities are cncentrated within a limited number f service prviders. These guiding principles have been adpted internatinally by securities cmmissins, including the CSA jurisdictins. In additin, the Office f the Superintendent f Financial Institutins (OSFI) 2 has issued similar guidelines. 2. What are the CSA requirements fr utsurcing? When Natinal Instrument was implemented in September 2009, its Cmpanin Plicy intrduced general principles fr the establishment and maintenance f internal cntrl systems at registrants with specific reference t the need t fllw prudent business practices and t cnduct a due diligence analysis when cnsidering whether r nt t utsurce. Part 11 f the Cmpanin Plicy states that registered firms are respnsible and accuntable fr all functins that they utsurce t a service prvider. The functins utsurced shuld be set ut in a written, legally binding cntract that includes the expectatins f the parties t the utsurcing arrangement. It requires that registered firms cnduct a due diligence analysis f prspective third-party service prviders, including affiliates f the firm. Due 2 Dealer Members that are affiliated with a Canadian federally regulated financial entity (FRFE) shuld als be cgnizant f the Office f the Superintendent f Financial Institutins (OSFI) revised Guideline B-10 n Outsurcing f Business Activities, Functins and Prcesses dated March IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements - 5 -

7 diligence shuld include an assessment f the service prvider s reputatin, financial stability, relevant internal cntrls and ability t deliver the services. The registrant firm shuld: ensure that third-party service prviders have adequate safeguards fr keeping infrmatin cnfidential and, where apprpriate, fr recvering frm a business disruptin; cnduct nging reviews f the quality f utsurced services; develp and test a business cntinuity plan t minimize disruptin t the firm s business and its clients if the third-party service prvider des nt deliver its services satisfactrily; and, cnsider ther legal requirements, such as privacy laws, that may apply when entering int utsurcing arrangements. The registrant firm, its regulatr and auditrs shuld have the same access t the wrk prduct f a third-party service prvider as they wuld if the firm itself perfrmed the activities. Firms shuld ensure this access is prvided and shuld include a prvisin requiring it in any cntract entered int with a service prvider. A cntrl list f all utsurcing arrangements and effective dates f agreements executed must be maintained by Dealer Members. These arrangements which frm a critical element f a Dealer Member s peratins are subject t IIROC examinatin and must be available upn request. This may include inspectin f any recrds maintained by the service prvider and its peratins. 3. Other industry guidance n utsurcing Relevant industry guidance n utsurcing was develped by the Markets in Financial Instruments Directive (MiFID) Cnnect - a jint prject set up by 11 trade assciatins in the Eurpean Unin (EU) t supprt their members in implementing EU legislatin n utsurcing 3, including the Financial Securities Authrity (FSA) 4. The guidance prvides Dealer Members with a useful checklist in develping its wn written plicies and prcedures in respect t utsurcing and meeting the requirements set ut in the Cmpanin Plicy t Natinal Instrument A summary f the guidance is set ut in Appendix A. 3 4 The 11 members f MiFID Cnnect are The Assciatin f British Insurers (ABI), The Assciatin f Private Client Investment Managers and Stckbrkers (APCIMS), Assciatin f Freign Banks (AFB), The Bnd Market Assciatin, the British Bankers Assciatin (BBA), Building Scieties Assciatin (BSA), the Futures and Optins Assciatin (FOA), The Internatinal Capital Market Assciatin (ICMA), Investment Management Assciatin (IMA), The Internatinal Swaps and Derivatives Assciatin (ISDA) and the Lndn Investment Banking Assciatin (LIBA). FSA adpted MiFID Cnnect industry guidance int their Handbk (Chapter 8 - Senir Management Arrangements, Systems and Cntrls (SYSC) surcebk) in May IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements - 6 -

8 4. Which investment dealer activities may be utsurced? IIROC supprts the apprach taken in the IOSCO study f distinguishing between cre and nncre activities. As part f its analysis f Dealer Member activities, IIROC has made use f these same distinctins. In perfrming its analysis, and in establishing IIROC expectatins, IIROC has applied an apprach that is cnsistent with the principles set ut in the IOSCO study and with the guidance set ut in the Cmpanin Plicy t Natinal Instrument In rder t identify which investment dealer activities may be utsurced, the majr activities that are perfrmed at a Dealer Member have been analyzed and categrized as either: cre activities which may nt be utsurced; cre activities which may be utsurced; r nn-cre activities which may be utsurced. Fr further details f the activities analyzed and their eligibility fr utsurcing, please refer t Appendix B. Cre activities which may nt be utsurced IIROC Dealer Member Rules prhibit certain cre activities f the Dealer Member frm being utsurced. Fr the mst part, these prhibitins stem frm the requirement set ut in IIROC Dealer Member Rule 39.3, which limits individuals cnducting securities related business n behalf f a Dealer Member t either emplyees r agents f a Dealer Member. This requirement effectively prhibits the utsurcing f mst cre, client-facing, activities f the Dealer Member including: the accunt pening prcess (including cllectin f knw yur client infrmatin and prvisin f relatinship disclsure infrmatin); the perfrmance f suitability assessments (trade, rder, trade type, trade strategy, methd f financing, accunt type, etc.); and the handling f client cmplaints. An exceptin t the prhibitin f the utsurcing f cre client-facing activities is the utsurcing f the perfrmance f investment decisin making in managed accunts. IIROC Dealer Member Rules specifically allw fr the utsurcing f managed accunt investment decisin making t an external prtfli manager hired by the Dealer Member, as per the definitin f managed accunt set ut in Dealer Member Rule Cre activities which may be utsurced Other cre activities f a Dealer Member that are nt prhibited frm being utsurced are as fllws: the perfrmance f investment decisins in managed accunts (as previusly mentined); the perfrmance f certain client accunt-related peratins activities, such as the clearing and settlement f client trades the administratin f margin lans and ther client accunt lans IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements - 7 -

9 the preparatin f client accunt statements the preparatin f regulatry financial reprts the preparatin f nn-financial regulatry reprts the perfrmance f registratin-related filing and database maintenance activities the perfrmance f treasury activities the perfrmance f crprate finance activities the preparatin f research reprts and marketing newsletters the perfrmance f marketing activities the use f utside prfessinal services relating t the business activities f the Dealer Member, such as accunting and internal audit services the management and maintenance f Dealer Member infrmatin systems Where any f these activities are t be utsurced, including where activities are utsurced t anther Dealer Member: IIROC expects the Dealer Member t frmally assess the initial and nging apprpriateness f the utsurce service prvider (see sectin 5 f this ntice fr further details); and the Dealer Member that has utsurced specific activities retains respnsibility fr ensuring that the activities are perfrmed prperly and in cmpliance with relevant IIROC requirements. Nn-cre activities which may be utsurced There are nn-cre activities f the Dealer Member that are nt prhibited frm being utsurced under the applicable IIROC Dealer Member Rules and that wuld nt give rise t regulatry cncern if they were utsurced. These activities include: ffice service management activities; the prcurement f external cnsultant services; and human resurces management activities. Similar t the utsurcing f cre activities, where any f these activities are t be utsurced IIROC expects the Dealer Member t frmally assess the initial and nging apprpriateness f the utsurce service prvider (see sectin 5 f this ntice fr further details). 5. What shuld be assessed when determining whether r nt t utsurce a particular activity? As previusly stated, IIROC Dealer Member Rules set ut detailed requirements fr specific utsurcing arrangements (such as intrducing brker/carrying brker arrangements, security custdy arrangements and external prtfli management arrangements) but the Rules d nt set ut general requirements t be met when cnsidering whether r nt t enter int an utsurcing arrangement. The fllwing principles establish IIROC s expectatins f Dealer Members due diligence regarding utsurcing: IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements - 8 -

10 A Dealer Member shuld have a cmprehensive utsurcing plicy that guides the perfrmance f due diligence assessment(s) that will underlie decisins regarding whether, and hw, certain activities can be apprpriately utsurced A Dealer Member shuld never enter int an utsurcing arrangement that: diminishes its ability t fulfill its bligatins t clients and regulatrs, impedes effective supervisin by regulatrs, r unduly cncentrates its utsurced activities in ne r a few utsurce service prviders. A Dealer Member shuld infrm IIROC f any new utsurcing arrangements invlving cre Dealer Member activities that are being entered int by a Dealer Member, in accrdance with IIROC Rules Ntice , Reprting f Changes t Business Mdels. A Dealer Member that has utsurced certain activities shuld: enter int written utsurcing cntracts that clearly describe all material aspects f the utsurcing arrangements, including the rights, respnsibilities and expectatins f all parties maintain a centralized list, alng with cpies f related agreements, f the utsurce service prviders t which cre Dealer Member activities have been utsurced establish and carry-ut a cmprehensive utsurcing risk management prgram that mnitrs the risks assciated with: the utsurced activities; and the utsurcing relatinship entered int with the service prvider. The risks assciated with the utsurcing relatinship that need t be managed include: reputatin risk, the risk that pr service by the utsurce prvider will affect the reputatin f the Dealer Member; cmpliance risk, the risk that the utsurce prvider will nt cmply with regulatry r ther requirements that apply t the Dealer Member; exit strategy risk, the risk that due t ver-reliance n the utsurce prvider and a lack f relevant skills within the Dealer Member, the Dealer Member wn t be able t reassume perfrmance f the utsurced activities r cntract with anther utsurce prvider n a timely basis; access risk, the risk that the Dealer Member wn t have timely access t data, recrds r assets; and cncentratin risk, the risk that the industry as a whle, r a material prtin theref, has significant expsure t the utsurce prvider See Appendix C fr a mre cmplete list f the key risks assciated with utsurcing and the majr cncerns assciated with these risks. where applicable, btain and prvide t IIROC an audit reprt, such as the CICA 5970 (nw changed t CSAE 3416) reprt r the SAS 70 (nw changed t SSAE 16) reprt, fr each utsurce arrangement relating t a cre Dealer Member activity; and IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements - 9 -

11 include as part f its business cntinuity planning, plans that address the scenari where ne r mre majr utsurce service prviders underg a business disruptin. 6. Are utsurcing arrangements invlving affiliates subject t this guidance? The guidance set ut in this ntice cvers bth arm s length and nn-arm s length utsurcing arrangements. In the case f nn-arm s length utsurcing arrangements, such as arrangements invlving affiliates, the fllwing additinal access risk cnsideratin applies: the arrangement shuld include prcedures designed t limit affiliate emplyee and dual affiliate emplyee / Dealer Member emplyee access t and cntrl ver Dealer Member data, recrds and assets Withut such prcedures in place, emplyees acting in the best interests f their affiliate emplyer may be able t make material changes t Dealer Member data and recrds r mve Dealer Member and Dealer Member client assets withut cnsidering r acting in the best interests f the Dealer Member. 7. Will IIROC be intrducing utsurcing rules? In additin t the guidance set ut in this ntice, IIROC is currently wrking n prpsed rules relating t utsurcing that will cdify: the general due diligence bligatins f Dealer Members that must be met when: the utsurcing f particular activities is being cnsidered and an utsurcing arrangement has been entered int. It is intended that the bligatins set ut in this prpsed rule will be principle-based and similar in nature t thse set ut in sectin 5 f this ntice. the specific bligatins f Dealer Members t ensure nging access t and cntrl ver: its bks and recrds, including client accunt recrds; and Dealer Member and Dealer Member client accunt assets held by r under the cntrl f the Dealer Member. Bks and Recrds In rder fr a Dealer Member t meet its bligatins cncerning the maintenance f bks and recrds, the rule prpsals will require that: the Dealer Member maintain its bks and recrds at a central ffice lcatin; and access t bks and recrds be limited t: emplyees and agents f the Dealer Member, and emplyees and agents f an utsurcing service prvider, with which the Dealer Member has entered int an utsurcing arrangement. In the case f an emplyee r agent f the Dealer Member, if the individual is als an emplyee r agent f an affiliated rganizatin, the rule prpsals will specify that bks IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements

12 and recrds access shuld nly granted where it is necessary fr the individual t carry ut their respnsibilities as an emplyee r agent f the Dealer Member. Dealer Member and Dealer Member client accunt In rder t meet its asset safeguarding bligatins, the rule prpsals will similarly require that the Dealer Member restrict access t Dealer Member and client assets t: emplyees and agents f the Dealer Member, and emplyees and agents f an utsurcing service prvider with which the Dealer Member has entered int an utsurcing arrangement. Further, in the case f an emplyee r agent f the Dealer Member, if the individual is als an emplyee r agent f an affiliated rganizatin, the rule prpsals will specify that access t Dealer Member and Dealer Member client accunt assets shuld nly ccur where it is necessary fr the individual t carry ut their respnsibilities as an emplyee r agent f the Dealer Member. IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements

13 Appendix A Other industry guidance n utsurcing - MiFID The MiFID guidance encurages firms t take reasnable steps t avid undue additinal peratinal risk, such as the utsurcing f imprtant peratinal functins in such a way as t impair materially the quality f its internal cntrl and the ability f the firm t mnitr cmpliance with all bligatins under its regulatry system. Specifically, the MiFID guidance categrizes activities based n the likelihd as t whether they cnstitute utsurcing f ptentially critical and imprtant functins. Examples f such functins include: (a) Cmpliance, internal audit, accunting r risk management supprt; (b) Credit risk cntrl; (c) Prtfli administratin r prtfli management by a third-party; (d) Data strage (physical and electrnic); (e) Onging, day-t-day systems maintenance/supprt; and, (f) Onging, day-t-day sftware/systems management (such as, where third-party carries ut day-t-day functinality and/r runs sftware r prcesses n its wn systems). Fr activities that are highly likely t be critical t the firm, the MiFID guidance sets ut the fllwing cnditins t be satisfied: (i) the service prvider must have the ability, capacity, and any authrisatin required by law t perfrm the utsurced functins, services r activities reliably and prfessinally; (ii) the service prvider must carry ut the utsurced services effectively, and t this end the firm must establish methds fr assessing the standard f perfrmance f the service prvider; (iii) the service prvider must prperly supervise the carrying ut f the utsurced functins, and adequately manage the risks assciated with the utsurcing; (iv) apprpriate actin must be taken if it appears that the service prvider may nt be carrying ut the functins effectively and in cmpliance with applicable laws and regulatry requirements; (v) the firm must retain the necessary expertise t supervise the utsurced functins effectively and manage the risks assciated with the utsurcing and must manage thse risks and must supervise thse functins and manage thse risks; (vi) the service prvider must disclse t the firm any develpment that may have a material impact n its ability t carry ut the utsurced functins effectively and in cmpliance with applicable laws and regulatry requirements; (vii) the firm must be able t terminate the arrangement fr the utsurcing where necessary withut detriment t the cntinuity and quality f its prvisin f services t clients; (viii) the service prvider must c-perate with the relevant regulatry authrities in cnnectin with the utsurced activities; (ix) the firm, its auditrs, and relevant regulatry authrities must have effective access t data related t the utsurced activities, as well as t the business premises f the service prvider; and the regulatry authrities must be able t exercise thse rights f access; IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements

14 (x) (xi) Appendix A the service prvider must prtect any cnfidential infrmatin relating t the firm and its clients; and, the firm and the service prvider must establish, implement and maintain a cntingency plan fr disaster recvery and peridic testing f backup facilities, where necessary, having regard t the functin, service r activity that has been utsurced. In additin, the FSA has issued guidance that specifies that the fllwing critical issues shuld be addressed in any utsurce agreement: Specific functins t be utsurced - utline and clearly define the functins t be utsurced, the respnsibilities f the firm and the service prvider; Service and perfrmance level standards - specify the precise service and perfrmance levels in bth quantitative and quantitative terms and hw these will be mnitred; Regulatr/auditr access t infrmatin - impse an bligatin n the service prvider t prvide t the firm, its auditrs and/r its regulatrs with rights f inspectin and access t bks, recrds and infrmatin relevant t the utsurced activity (and bks, recrds and infrmatin f sub-cntractrs where relevant) where required; Terminatin prcess - utline the agreed terminatin and exit management prcess, including exit strategies t allw fr transfer f the service t anther service prvider r t the firm itself; Prperty wnership and cnfidentiality - the wnership f intellectual prperty and the prtectin f cnfidential infrmatin; Prir cnsent befre sub-cntracting - require prir cnsent f the firm t the pssibility and circumstances f any sub-utsurcing (that is, where a service prvider subcntracts elements f the service t ther third-party prviders) and ensure that any terms agreed between the service prvider and any third-party d nt cntradict the terms f the agreement between the firm and the service prvider; and, Material change ntificatin requirement - require the service prvider t immediately infrm the firm f any material change in circumstances which culd have a material impact n the prvisin f services by the service prvider. Other - In additin, cnsideratin shuld be given t including ther elements such as thse which: cnfirm the chice f law where the service prvider is lcated abrad; utline the respnsibilities f the service prvider with regard t IT security; require acceptance f liability by the service prvider fr unsatisfactry perfrmance r ther breach f the agreement; utline payment prcesses; require guarantees and indemnities frm the service prvider; utline agreed mechanisms t reslve disputes; and, utline agreed business cntinuity measures t be taken by the service prvider. IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements

15 Appendix B List f Outsurcing Functins CORE The fllwing are examples f utsurcing activities/functins that are cre and likely critical t the reputatin and nging viability f a securities firm: Activity Activity utsurcing eligibility 5 Client facing-related activities such as: Accunt pening prcess (including cllectin f knw yur Outsurcing f accunt pening prcess is prhibited - because client infrmatin and prvisin f relatinship disclsure the activity must be perfrmed and supervised by Apprved infrmatin); Persns wh must be emplyees r agents f the Dealer Member, it cannt be utsurced Investment decisins in managed accunts Outsurcing f investment decisins in managed accunts is permitted - Dealer Member Rules specifically allw fr the utsurcing f managed accunt investment decisins t an external prtfli manager hired by the Dealer Member, as per the definitin f managed accunt set ut in Dealer Member Rule Suitability assessments in advisry accunts (trade, rder, Outsurcing f suitability assessments in advisry accunts is trade type, trade strategy, methd f financing, accunt prhibited - because the activity must be perfrmed and type, etc.); and supervised by registered individuals wh must be emplyees r agents f the Dealer Member, it cannt be utsurced Client cmplaint handling. Outsurcing f client cmplaint handling is prhibited 5 Please nte: Nt all IIROC Dealer Member Rules applicable t a specific activity have been cited in this clumn. Rather, nly thse rules believed t be mst relevant t the issue f utsurcing have been cited. IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements

16 Appendix B Activity Activity utsurcing eligibility 5 Client accunt-related peratins activities, including: Operatins activities such as cash depsits/disbursements, security receipts and deliveries, security transfers, trade executin prcessing, clearing, settlement, security rerganizatins, dividends and interest, sharehlder prxies and slicitatins; Outsurcing f the perfrmance f peratins activities relating t security transactin, transfer, rerganizatin and entitlement events is permitted Activities relating t the safeguarding f client accunt psitins; Outsurcing f client accunt asset custdy is permitted, subject t cmplying with the fllwing requirements: Client psitins held utside f a Dealer Member must cmply with the requirements set ut in IIROC Dealer Member Rules 17.3 thrugh 17.3B, 2000 and 2600, Statements 4 thrugh 6 and Frm 1 In additin, there are als IIROC Dealer Member Rules that are specific t utsurcing arrangements invlving the external custdy f client accunt psitins as fllws: security custdy, prvided securities are held in an acceptable securities lcatin as defined in Frm 1 back ffice sharing arrangements, prvided the arrangements cmply with the requirements set ut in IIROC Dealer Member Rule 35.1(d) intrducing/carrying brker arrangements, prvided the arrangements cmply with the requirements set ut in IIROC Dealer Member Rule 35 On a related matter, IIROC has recently issued draft guidance n clearing arrangements, anther back ffice utsurcing arrangement. The draft guidance set ut in IIROC Rules Ntice indicates that while there are n IIROC rules specific t IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements

17 Appendix B Activity Activity utsurcing eligibility 5 clearing arrangements, there are practical issues and general utsurcing due diligence issues that must be assessed in rder t determine the apprpriateness f entering int a particular clearing arrangement Activities relating t the valuatin f client accunt psitins; Outsurcing f client accunt asset valuatin is permitted, subject t cmplying with the fllwing requirements: Valuatin must be dne in accrdance with the requirements set ut in IIROC Dealer Member Rule 2600, Statements 7 and Frm 1 Activities relating t the maintenance f client accunt recrds and reprting t clients n the accunt psitins and cash balances held; and Margin and verdue cash accunt administratin such as, credit limits, margin calls, cllectin f bad lans. Outsurcing f client accunt recrd maintenance and accunt statement preparatin is permitted, subject t cmplying with the fllwing requirements: Client accunt recrds must be maintained and accunt statements must be prvided t clients in accrdance with the requirements set ut in IIROC Dealer Member Rule 200 Outsurcing f accunt lan administratin is permitted Financial regulatry reprting (financial filings, etc.) Outsurcing f financial reprt preparatin is prhibited - under: Dealer Member Rule 17.1, the Dealer Member must maintain risk adjusted capital greater than zer at all times; and Dealer Member Rule 2600, Statement 2, the Dealer Member must have in place internal plicies and prcedures designed t ensure its capital adequacy bligatin is being met at all times These bligatins culd nt be met if the preparatin f regulatry financial reprts was utsurced. IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements

18 Appendix B Activity Activity utsurcing eligibility 5 Nn-financial regulatry reprting (nn-financial filings, gatekeeper filings, etc.) Registratin-related activities such as: Outsurcing f nn-financial reprt preparatin is prhibited Outsurcing f registratin-related activities is permitted Filing f firm and individual registratin applicatins; Filing f annual and nging infrmatin updates (utside business activities, claims filed, ffice lcatin); Filing f individual terminatin ntices; and Maintenance f central database tracking individual registratins and related prficiency requirements. Treasury activities (such as security brrwing and lending, cash management) Crprate finance activities Research reprts and market newsletters Outsurcing f treasury activities is permitted Outsurcing f crprate finance activities is permitted Outsurcing f the preparatin f research reprts and market newsletters is permitted, subject t cmplying with the fllwing requirements: Preparatin f research reprts - Requirement #4 and Guideline #2 f Rule 3400 specifically refer t and permit the distributin f third-party prduced research reprts subject t certain cnditins being met. Apprval f research reprts and market newsletters fr distributin - Rule 29.7(3) requires that research reprts and market newsletters be apprved by a Supervisr prir t publicatin IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements

19 Appendix B Activity Activity utsurcing eligibility 5 Marketing (advertising, call centres) Outsurcing f the preparatin f marketing materials is permitted, subject t cmplying with the fllwing requirement: Apprval f marketing materials and advertising - Rule 29.7(3) requires that telemarketing scripts, prmtinal seminar texts, riginal advertisements and any ther materials used t slicit clients that cntains perfrmance reprts r summaries be apprved by a Supervisr prir t publicatin r use Prfessinal services related t the business activities f the securities dealer (such as, accunting, internal audit) Outsurcing the cntracting f external prfessinal services is permitted, subject t cmplying with the fllwing requirement: Hiring f external auditrs - Rule 16.1 requires each Dealer Member t select its external auditr fr the purpses f the annual audit f IIROC Dealer Member Frm 1 frm a list f auditrs apprved by the applicable IIROC District Cuncil. Infrmatin system management and maintenance (such as, data entry and prcessing, data centers, server facilities management, end-user supprt, lcal area netwrks, help desks) Outsurcing f infrmatin system management and maintenance is permitted NON-CORE The fllwing wuld nt be cnsidered utsurcing activities/functins that are critical t the nging viability f the firm: Office service management activities such as: Market infrmatin services (e.g. Blmberg, Mdy's); Purchase f gds, wares, cmmercially available sftware and ther cmmdities; Repair and maintenance f fixed assets; and Curier services, regular mail, utilities, telephne. IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements

20 Cnsultant services such as: Independent audit reviews; Credit bureau checks; Discrete advisry services (e.g. legal and tax pinins); and Independent cnsulting; Appendix B Human resurce management activities such as: Staff recruitment assistance; Prcurement f specialized training r cntinuing educatin; and Payrll prcessing and benefits administratin. IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements

21 Appendix C Key Risks f Outsurcing While the utsurcing f certain activities can be beneficial t a financial services rganizatin, utsurcing can give rise t risks which need t be managed effectively. Risk Strategic risk Reputatin risk Cmpliance risk Operatinal risk Exit strategy risk Cunterparty risk Cuntry risk Cntractual risk Access risk Cncentratin and systemic risk Majr Cncerns The third-party utsurce service prvider may cnduct activities n its wn behalf which are incnsistent with the verall strategic gals f the regulated entity. Failure t implement apprpriate versight f the utsurce service prvider. Failure t maintain adequate in-huse expertise t versee the utsurce service prvider. Pr service frm third-party utsurce service prvider. Custmer interactin is nt cnsistent with verall standards f the regulated entity. Third-party utsurce service prvider practices are nt in line with stated practices (ethical r therwise) f regulated entity. Privacy laws are nt cmplied with. Cnsumer and prudential laws nt adequately cmplied with. Outsurce service prvider has inadequate cmpliance systems and cntrls. Technlgy failure. Inadequate financial capacity t fulfill bligatins and/r prvide remedies. Inadequate internal cntrls leading t undetected errrs r fraud. Difficult/cstly fr firm t undertake inspectins f the utsurce service prvider s peratins. The risk that apprpriate exit strategies are nt in place. This culd arise frm verreliance n ne firm, the lss f relevant skills in the institutin itself preventing it frm bringing the activity back in-huse, and cntracts which make a timely exit prhibitively expensive. Limited ability t return services t firm due t lack f staff r lss f institutinal knwledge. Inapprpriate underwriting r credit assessments. Quality f receivables may diminish. Plitical, scial and legal climate may create added risk. Business cntinuity planning is mre cmplex. Ability t enfrce cntract. Fr ff shre utsurcing arrangements, chice f law is imprtant. Outsurcing arrangement hinders ability f regulated entity t prvide timely data and ther infrmatin t regulatrs. Additinal layer f difficulty in regulatr understanding activities f the utsurce prvider. The industry, as a whle, has significant expsure t the utsurce prvider. This cncentratin risk has a number f facets, including: Lack f cntrl, by individual firms, ver prvider; and Systemic risk t industry as a whle. IIROC Ntice XX XXXX DRAFT Rules Ntice Guidance Nte - Outsurcing arrangements