CA Supervision Supervision Handbook for Financial Service Providers

Transcription

1 WHITE PAPER OCTOBER 2014 CA Supervision Supervision Handbook for Financial Service Providers Chris Boswell North American Security

2 2 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS ca.com Table of Contents Executive Summary 3 Section 1: 4 FINRA Regulated Compliance (Broker-Dealers) Section 2: 4 SEC Regulated Compliance (Investment Advisors, Hedge Funds and Private Equity) Section 3: 5 IIROC and MFDA Regulated (Canadian Financial Institutions) Section 4: 7 CA Supervision Controls and Features Section 5: 10 Detailed Breakdown of Supervision Requirements Section 6: 20 About the Author

3 3 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS ca.com Executive Summary Challenge Financial services organizations are subject to a variety of regulatory supervision requirements depending on the nature of the services they offer, the geographic locations in which they operate and the regulating bodies providing oversight of their operations. Managing these requirements is a complex and costly task and failure to comply can cost organizations millions of dollars resulting from fines and loss of business due to negative publicity. Opportunity CA Supervision provides a robust supervision platform that not only addresses primary regulatory objectives but also integrates with other corporate security platforms to help you better manage your broader risk management and compliance programs. Benefits Investment advisors, hedge funds and private equity firms regulated by the SEC; Canadian financial firms regulated by IIROC and MFDA and FINRA regulated Broker-Dealers are all subject to stringent supervision requirements. CA Technologies provides a comprehensive message supervision solution that is designed to seamlessly integrate with your in-house records and archiving provider to help monitor and enforce your organization s supervisory policies and procedures.

4 4 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS ca.com Section 1: FINRA Regulated Compliance (Broker-Dealers) NASD Conduct Rules 3010 and 3012 and FINRA Rule 3130 form the foundation of a regulatory scheme for the supervision of member FINRA Broker-Dealer firms. Additional FINRA Guidance Regarding the Review and Supervision of Electronic Communications outlines specific requirements to review all business electronic communications, including , instant messages, BlackBerry, Bloomberg, Thomson Reuters, social media messages, and mobile messaging. Electronic communication supervision requirements include, at a high level: Develop written supervision policies and procedures for the review of employees incoming and outgoing electronic communications (including which communication channels and platforms are permissible, which categories of correspondence will be reviewed and timing and method of review). Monitor electronic communications of each Registered Representative regarding financial or investment recommendations, product/service promotions and customer complaints. Conduct necessary and appropriate training regarding policies and procedures governing electronic communications. Maintain an audit trail of supervision activities that identifies the reviewer, communication that was reviewed, date of review and any issues identified and/or steps taken during the course of the review. Monitor compliance with policies and procedures and periodically re-evaluate the efficacy of any supervision systems in place. Section 2: SEC Regulated Compliance (Investment Advisors, Hedge Funds and Private Equity) Investment Advisors, including hedge funds and private equity funds, registered or required to be registered under section 203 of the Investment Advisors Act are required to establish, maintain and enforce written supervisory policies and procedures in order to detect and prevent compliance violations, including the misuse of non-public material information. Electronic communications supervision requirements outlined in 17 CFR (4)-7 and corresponding SEC Final Rule Release IA-2204 include, at a high level: Implement controls to detect, prevent and promptly correct any regulatory violations that may occur. Establish, maintain, and enforce written procedures reasonably designed to prevent the misuse of material nonpublic information (insider trading). Monitor the accuracy of disclosures made to investors, clients and regulators, including account statements and advertisements. Establish safeguards for the privacy protection of client records. Designate a Chief Compliance Officer who will be responsible for administering the organization s supervision program. Perform an annual review of the firm s written supervision policies and procedures.

5 5 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS ca.com Conduct that may lead to SEC investigation include: Misrepresentation or omission of important information about securities; Manipulating the market prices of securities; Stealing customers funds or securities; Violating broker-dealers responsibility to treat customers fairly; Insider trading (violating a trust relationship by trading while in possession of material, non-public information about a security); and Selling unregistered securities. Proper supervision of electronic communications can play a major role in detecting and/or preventing these activities. The Dodd-Frank Act On July 21, 2010, President Obama signed into law the Dodd-Frank Wall Street Reform and Consumer Protection Act, introducing sweeping changes to the way the American financial industry is regulated. Prior to the Dodd-Frank Act, many hedge fund and private equity fund investment advisers were exempt from registration with the SEC by virtue of the private adviser exemption under the Advisers Act, which provided that an investment adviser was exempt from registration if the adviser (i) had fewer than 15 clients during the course of the preceding 12 months and (ii) neither held itself out generally to the public as an investment adviser nor acted as an investment adviser to any registered investment company or business development company. Now that many private equity funds and hedge funds are no longer exempt, these advisers will be subject to the same registration requirements, regulatory oversight, and other requirements that apply to other SEC-registered investment advisers. This includes compliance with requirements for recordkeeping and supervision of electronic communications. Non-compliance may result in regulatory disciplinary action, costly penalties and a loss of goodwill and reputation. Section 3: Benefits IIROC and MFDA Regulated (Canadian Financial Services Institutions) The Investment Industry Regulatory Organization of Canada (IIROC) and Dealers Mutual Fund Association of Canada (MFDA) have established supervision guidelines for member organizations under IIROC Rule 29.7 (supplemented by IIROC Notice ), Universal Market Integrity Rule (UMIR) 7.1 and MFDA Rule 2 that require firms to create and maintain a supervisory system to ensure advertisements, sales literature and correspondence with clients comply with all applicable rules. In addition, the Ontario Securities Commission (OSC) has issued National Instrument , which requires registered firms to establish, maintain and apply policies and procedures that establish a system of controls and supervision.

6 6 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS ca.com In connection with electronic communications under IIROC Rule 29.7 and IIROC Notice , all methods used to communicate, including and social media sites like Facebook, Twitter, YouTube, blogs and chat rooms, are subject to the IIROC Dealer Member Rules. The type of the device used to transmit the communication or whether it is a firm-issued or personal device is irrelevant. At a high level, firms must: Establish policies and procedures that allow dealer members to comply with their supervisory obligations and protect clients from misleading or false statements. As it relates to social media sites specifically, static content, such as a profile, background or wall information, usually considered an original template advertisement, must be pre-approved pursuant to IIROC Dealer Member Rule 29.7(3) and is generally accessible to anyone. An interactive electronic forum, such as Facebook or Twitter, on the other hand, includes real time discussions and although it does require prior approval, must be supervised to ensure compliance. Establish controls that employ either pre-use approval, post-use review or post-use sampling of electronic communications Provide education and training on the organization s policies and procedures regarding proper use of advertisements, sales literature and customer correspondence Monitor and evaluate supervisory procedures to ensure compliance; In connection with electronic communications under MFDA Rule 2, firms must: Establish, implement and maintain policies and procedures to ensure business is conducted in compliance with all applicable rules and legislation (Rule 2.5.1); Provide evidence of supervision review and perform ongoing reviews of policies and procedures to evaluate program efficacy Pre-approve all advertisements and sales communications (Rule 2.7.3). In connection with electronic communications under UMIR Policy 7.1, firms must: Establish a compliance monitoring system that is reasonably designed to prevent and detect compliance violations; and Maintain an audit trail of supervision activities and actions taken by compliance department.

7 7 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS ca.com Section 4: CA Supervision Controls and Features Comprehensive coverage of electronic communication CA Supervision works with your existing archival and records management solution to help capture and control the flow of electronic communications within and without the organization. This coverage offers the ability to review all electronic communications across all channels including , instant messages, social websites, and specific market services provided by Bloomberg and Thomson Reuters. Figure A. Holistic strategy for monitoring electronic communications. While we understand that compliance policies and procedures will not prevent every violation of the securities laws, we believe that prevention should be a key objective of all firms compliance policies and procedures. SEC Final Rule: Compliance Programs of Investment Companies and Investment Advisers

8 8 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS ca.com Unlike many supervision solutions on the market, CA Supervision has the ability to actually control information in real time. Its flexible architecture includes agents that can be deployed on message servers, desktops, laptops and at the network boundary to intercept potential violations before they occur. The CA Supervision enforcement capabilities also provide a rich end-user experience that reinforces awareness of corporate policies and procedures. What is most important, however, is that its enforcement agents work together with your message server to help ensure that when messages are blocked they are not inadvertently processed and journaled for archiving. This unique capability is critical for maintaining the integrity of your organization s supervision and compliance processes and reducing the risk of legal and/or regulatory enforcement actions. Figure B. Robust deployment model provides maximum coverage of communications.

9 9 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS ca.com More than just keywords Industry driven policy capability and accuracy CA Supervision includes a comprehensive catalog of policies to address the major areas of concern for the regulated financial industries. These policies are able to combine identity awareness with content analysis to target very specific information for further review. Leveraging a unique, proprietary approach to searching text, as well as advanced fingerprinting capabilities, CA Supervision can achieve a very high level of accuracy and scale to organizations processing tens of millions of messages per day. Figure C. Content and contextual policy analysis in action. Powerful review and reporting tools CA Supervision provides a web-based portal to provide powerful review and reporting capabilities to compliance teams. The tool supports both a centralized review model with a single review team as well as a distributed model where each manager can function as a reviewer for their individual group. Reviewers have the ability to customize their review portal to provide quick access to the appropriate content to be reviewed. Security models enable each manager to only see the content relevant to their own group. The portal is designed to create an easy-to-use tool that allows the reviewer to efficiently review and report on the relevant events. Reports can be generated to produce an accurate picture of the current events and reviewers. Users can drill down from high level reports all the way to the relevant events behind the numbers. Comprehensive audit capabilities CA Supervision was designed for compliance professionals to address regulatory requirements. The solution includes a customizable audit workflow to track events as they are reviewed, escalated, and closed. Every action taken within the audit flow is recorded and can be reported on. The reports have been created for the purpose of providing compliance teams and auditors a clear view of the content as well as of the reviewers themselves.

10 10 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS ca.com Section 5: Detailed Breakdown of Supervision Requirements FINRA regulated broker-dealers Organizations subject to the National Association of Securities Dealers (NASD) Rule 3010, the corresponding Regulatory Notice (Supervision of Electronic Communications: Dec. 2007), NASD Notice to Members (SEC Approves Rules Regarding Supervision, Review and Record Retention of Correspondence: Jan. 1998), and NASD Notice to Members (SEC Approves Rules Amendments Requiring Review of Incoming, Written Correspondence: Jan. 1999) can leverage the CA Supervision s supervision capabilities to help monitor all incoming and outgoing messages related to a member firm s business. Requirement CA Supervision Solution Regulatory Reference Implement procedures Electronically supervise Member firms required to implement procedures for the review of incoming and outgoing electronic messages will find CA Supervision offers a comprehensive solution for regulatory supervision. Our nique architecture incorporates not only controls to detect potential violations AFTER they have already occurred, but can also PREVENT registered representatives from engaging in activity that puts the organization at risk in the first place. CA Supervision supports reasonable review of registered epresentative communications through our intuitive web-based console, which intelligently flags messages and routes potential violation activity to reviewers based on the nature of the activity the representative is engaged in. With over 200 policies provided out of the box, you will find that dozens of these policies have been co-developed with our current financial services customers specifically for correspondence challenges surrounding electronic supervision. This includes Bid Rigging, Investment Advice Prohibition, Securities Parking, Anti-Money Laundering, Solicitations, Whistleblower, Customer Complaints, Trading in Outside Accounts, Exclusivity, Guarantees and Assurances, Inside Information, and many more. NASD Supervision (d) (1) Supervision of Registered Representatives Each member shall establish procedures for the review and endorsement by a registered principal in writing, on an internal record, of all transactions and for the review by a registered principal of incoming and outgoing written and electronic correspondence of its registered representatives with the public relating to the investment banking or securities business of such member. Such procedures should be in writing and be designed to reasonably supervise each registered representative. Evidence that these supervisory procedures have been implemented and carried out must be maintained and made available to the Association upon request. Document the review process and provide evidence of review CA Supervision has a supervision console with features that capture all activity related to the violation, including who performed the supervision, who else may have been involved in the review and any disciplinary action taken. All of this information is captured in an unalterable audit trail.

11 11 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS ca.com Requirement CA Supervision Solution Regulatory Reference Completeness ofcorrespondence Training CA Supervision has flexible deployment architecture to enable your supervision controls to capture ALL electronic communications between your registered representatives and customers. Our agents can be deployed directly on your message servers to monitor all internal and external communications (including mobile messages originating from mobile devices and tablets). CA Supervision agents can also be deployed directly on your registered representatives desktop or laptop endpoints to monitor communications they may be having with customers from their own personal accounts. CA Supervision has policy capabilities that include a feedback mechanism that can provide interactive warnings when registered representatives are engaging in communications that may put your organization at risk. This provides an effective tool to educate users on policies and procedures that are in place and track whether users truly understand the role they play in ensuring compliance. NASD Supervision (d) (1) Supervision of Registered Representatives Each member shall establish procedures for the review and endorsement by a registered principal in writing, on an internal record, of all transactions and for the review by a registered principal of incoming and outgoing written and electronic correspondence of its registered representatives with the public relating to the investment banking or securities business of such member. Such procedures should be in writing and be designed to reasonably supervise each registered representative. Evidence that these supervisory procedures have been implemented and carried out must be maintained and made available to the Association upon request. Retention requirements CA Supervision integrates with many of the largest archival solutions on the market. Leveraging these integrations, we can inspect content as it is being archived and enable it to be categorized properly for disposition in accordance with regulatory requirements. The meta-data we apply during archival can then be leveraged by supervisors and legal ins subsequent search and discovery efforts. NASD 3010 (d)(3) Retention of Correspondence Each member shall retain correspondence of registered representatives relating to its investment banking or securities business in accordance with Rule The names of the persons who prepared outgoing correspondence and who reviewed the correspondence shall be ascertainable from the retained records and the retained records shall be readily available to the Association, upon request.

12 12 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS ca.com Requirement CA Supervision Solution Regulatory Reference Identifying correspondence for review Identifying reviewers Managing frequency of review Monitoring compliance Ongoing governance CA Supervision provides a powerful engine to detect the different types of correspondence which fall under regulatory review. Policies can be created at a granular level to determine which content should be monitored across different users or groups of users and CA Supervision can even prevent employees from corresponding with customers based on the nature of the content being discussed. CA Supervision provides a unique fingerprinting capability that can also be used to detect users making unauthorized changes to pre-approved marketing materials which may place the firm in violation with regulations. CA Supervision includes a powerful workflow engine which allows you to identify reviewers and the users and content they must review. Reviewers are able to escalate and route events to other administrators or super-reviewers to assist in investigations. Role- based security can enforce who has visibility to see events under review and CA Supervision can even throttle the level of detail captured for a particular violation. CA Supervision provides a number of dashboards and reports to track the latency of review and promote timely review of content. Sampling can be performed by policy or with the CA Supervision Review Queue to help ensure appropriate regulatory coverage is maintained. CA Supervision automatically flags potential compliance violations for review and provides an intuitive interface to allow members of your supervision team to interact with business users to determine whether the firm is in compliance with regulatory andates. CA Supervision provides flexible dashboards and reports which can help you monitor and track trends in your supervision activities over time. You can use our solution to easily identify areas for improvement and identity reviewers that may not be performing their duties. NASD Notice to Members 98-11: Supervision and Review Guidelines In adopting review procedures pursuant to Rule 3010, members must: Identify how supervisory reviews will be conducted and documented; Identify what types of correspondence will be pre- or post-reviewed; Identify the organizational position(s) responsible for conducting review of the different types of correspondence; Specify the minimum frequency of the reviews for each type of correspondence; Monitor the implementation of and compliance with the firm s procedures for reviewing public correspondence; and Periodically re-evaluate the effectiveness of the firm s procedures for reviewing public correspondence and consider any necessary

13 13 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS ca.com Requirement CA Supervision Solution Regulatory Reference Review customer recommendations Report customer complaints CA Supervision provides policies out of the box to monitor registered representatives public correspondence, including recommendations and advice. These policies can be easily tailored by our customers based on the specific products and services they offer. CA Supervision provides policies out of the box to monitor registered representatives public correspondence, including customer complaints. Our policy capabilities can also include enforcement mechanisms that can prohibit RR s from responding directly to complaints or detect when RR s are responding unprofessionally. NASD Notice to Members 98-11: Supervision and Review Guidelines In adopting review procedures pursuant to Rule 3010, members must also: Require supervisory review of some of each registered representative s public correspondence, including recommendations to customers; Provide that all customer complaints, whether received via or in written form from the customer, are reported to the NASD in compliance with FINRA 4530 (FINRA Rule 4530(d) requires firms to report quarterly statistical and summary information regarding written customer complaints). Control correspondence with customers regardless of medium used CA Supervision will monitor all corporate correspondence between a registered representative and customer on enterprise systems regardless of whether the correspondence occurs from the office, at home, on a personal or company-provided laptop, desktop, mobile device or tablet. CA Supervision can even be used to prevent registered representatives from corresponding with customers via their personal on company desktops and laptops (endpoint agent required). NASD Notice to Members 98-11: Supervision and Review Guidelines In adopting review procedures pursuant to Rule 3010, members must also: Prohibit registered representatives and other employees use of electronic correspondence to the public unless such communications are subject to supervisory and review procedures developed by the firm. For example, NASD Regulation would expect members to prohibit correspondence with customers from employees home computers or through third party systems unless the firm is capable of monitoring such communications.

14 14 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS ca.com SEC regulated compliance (investment advisors, hedge funds and private equity) Organizations subject to the Securities and Exchange Commission (SEC) Part 275 Rule 206(4)-7 Compliance procedures and practices under the Investment Advisors Act of 1940 and the corresponding Release No. IA-2204 Final Rule: Compliance Programs of Investment Companies and Investment Advisors can leverage the CA Supervision capabilities to help achieve and maintain costeffective compliance. Requirement CA Supervision Solution Regulatory Reference Implement policies and procedures Investment Advisors required to implement procedures for compliance with Rule 206(4)-7 will find CA Supervision offers a comprehensive solution for regulatory supervision. Our unique architecture incorporates not only controls to detect potential violations AFTER they have already occurred, but can also PREVENT registered representatives from engaging in activity that puts the organization at risk in the first place. 17 CFR (4)-7 Compliance procedures and practices. If you are an investment adviser registered or required to be registered under section 203 of the Investment Advisers Act of 1940 (15 U.S.C. 80b-3), it shall be unlawful within the meaning of section 206 of the Act (15 U.S.C. 80b-6) for you to provide investment advice to clients unless you: a. Policies and procedures. Adopt and implement written policies and procedures reasonably designed to prevent violation, by you and your supervised persons, of the Act and the rules that the Commission has adopted under the Act. Perform annual review CA Supervision provides a robust reporting platform that allows you to track, in realtime, the ongoing efficacy of supervision controls and practices in place within your organization. Capabilities include reports and dashboards to track trending of potential violation activity and the progress of ongoing investigations. This information can easily be summarized to provide a snapshot for executives performing annual (or more periodic) reviews. 17 CFR (4)-7 Compliance procedures and practices. b. Annual review. Review, no less frequently than annually, the adequacy of the policies and procedures established pursuant to this section and the effectiveness of their implementation. Secure records from unauthorized alteration or untimely destruction CA Supervision integrates with many of the largest archival solutions on the market. Leveraging these integrations, we automatically inspect content and apply the correct disposition policy as the records are being archived. As a result, records are secured from unauthorized alteration and protected from untimely destruction. SEC Release No. IA-2204 Final Rule: Compliance Programs of Investment Companies and Investment Advisers An adviser s policies and procedures, at a minimum, should address the following issues to the extent that they are relevant to that adviser: The accurate creation of required records and their maintenance in a manner that secures them from unauthorized alteration or use and protects them from untimely destruction.

15 15 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS ca.com Requirement CA Supervision Solution Regulatory Reference Review the accuracy of disclosures made to investors CA Supervision has powerful lexicon capabilities that enable your organization to quickly build accurate policies for the detection of disclosures made to investors, clients and regulators. Information such as account statements and advertisements can be captured and flagged for review to help ensure that proper policies and procedures are being followed. SEC Release No. IA-2204 Final Rule: Compliance Programs of Investment Companies and Investment Advisers An adviser s policies and procedures, at a minimum, should address the following issues to the extent that they are relevant to that adviser: The accuracy of disclosures made to investors, clients, and regulators, including account statements and advertisements; Controls in place for safeguarding client information CA Supervision provides a number of policies out of the box to detect a variety of sensitive personal information, including SSN s, credit card numbers, addresses, driver s license numbers, etc. Policies can be extended to include customer financial statements or any other documents generated that might include non-public personally identifiable information. When enabled, these policies can help ensure your advisers do not send sensitive customer records via without proper approval. SEC Release No. IA-2204 Final Rule: Compliance Programs of Investment Companies and Investment Advisers An adviser s policies and procedures, at a minimum, should address the following issues to the extent that they are relevant to that adviser: Safeguards for the privacy protection of client records and information Regulation S-P Privacy of Consumer Financial Information 17 CFR Part Regulation S-P Privacy of Consumer Financial Information 17 CFR Part Requires investment advisers to adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information Controls in place to prevent misuse of nonpublic information (insider trading) CA Supervision provides policies out of the box to monitor adviser correspondence for misuse of non-public information. These policies can not only be applied to external communications, but can also be tailored to enforce wall crossing within your organization. Advisers Act section 204A 15 U.S.C. 80b-4a Requires each adviser registered with the SEC to have written policies and procedures reasonably designed to prevent the misuse of material nonpublic information by the adviser or persons associated with the adviser.

16 16 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS ca.com IIROC and MFDA regulated canadian financial services institutions Organizations subject to the IIROC Rule 29.7 and the corresponding Guidelines for the Review, Supervision and Retention of Advertisements, Sales Literature and Correspondence under Notice can leverage the CA Supervision capabilities to help achieve and maintain costeffective compliance. Requirement CA Supervision Solution Regulatory Reference Untrue, misleading, detrimental and non-compliant correspondence CA Supervision provides policies out of the box to monitor dealer member public correspondence, including sales information, recommendations and advice. These policies can be easily tailored by our customers based on specific products and services they offer. CA Supervision can also fingerprint approved sales literature and be used to detect instances where a dealer alters or uses this literature in a manner which is misleading to customers. IIROC RULE 29.7(1) No Dealer Member shall issue to the public, participate in or knowingly allow its name to be used in respect of any advertisement, sales literature or correspondence, and no registered or Approved Persons shall issue or send any advertisement, sales literature or correspondence in connection with its or his or her business which: a. contains any untrue statement or omission of a material fact or is otherwise false or misleading; b. contains an unjustified promise of specific results; c. uses unrepresentative statistics to suggest unwarranted or exaggerated conclusions, or fails to identify the material assumptions made in arriving at these conclusions; d. contains any opinion or forecast of future events which is not clearly labeled as such; e. fails to fairly present the potential risks to the client; f. is detrimental to the interests of the public, the Corporation or its Dealer Members; or g. does not comply with any applicable legislation or the guidelines, policies or directives of any regulatory authority having jurisdiction.

17 17 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS ca.com Requirement CA Supervision Solution Regulatory Reference Preventive controls and ostuse review. CA Supervision provides both preventive pre-send and detective post-use supervision controls to help comply with regulatory guidance. The presend controls actively detect and block potential violation activity before it occurs, while the post-use capabilities flag potential violation activity for review by designated Supervision administrators. The robust CA Supervision workflow capabilities, including sampling, can be executed by policy or with the CA Supervision Review Queue to help ensure appropriate regulatory coverage is maintained. IIROC RULE 29.7(3) Policies and procedures provide that review and supervision will be done by pre-us approval, post-use review or postuse sampling, as appropriate to the type of material. IIROC Guidance Note Pursuant to IIROC Dealer Member Rule 29.7(2), Dealer Members must establish policies and procedures that allow them to comply with their supervisory obligations and protect clients from misleading or false statements. Subject to IIROC Dealer Member Rule 29.7(3), it is at the discretion of Dealer Members to determine whether to employ: pre-use approval, post-use review, or post-use sampling as the most effective means of monitoring communications. Training and education The CA Supervision policy capabilities include a feedback mechanism that can provide interactive warnings when dealers are engaging in communications that may put your organization at risk. This provides an effective tool to educate users on policies and procedures that are in place and track whether users truly understand the role they play in ensuring compliance. IIROC RULE 29.7(4) Where such policies and procedures do not require the approval of advertisements, sales literature or correspondence prior to being issued, the Dealer Member must include provisions for the education and training of registered and Approved Persons as to the Dealer Member s policies and procedures governing such materials as well as follow-ups to ensure that such procedures are implemented and adhered to. Retention CA Supervision integrates with many of the largest archival solutions on the market. Leveraging these integrations, CA Supervision can automatically capture all advertisements, sales literature and correspondence and categorize the information for archival in accordance with the information s regulatory IIROC RULE 29.7(5) Copies of all advertisements, sales literature and correspondence and all records of supervision under the policies and procedures required by subsection (2) shall be retained so as to be readily available for inspection by the Association. All advertisements, sales literature and related documents must be retained for a period of 2 years from the date of creation and all correspondence and related documents must be retained for a period of 5 years from the date of creation.

18 18 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS ca.com Requirement CA Supervision Solution Regulatory Reference Content inspection independent of device type CA Supervision has flexible deployment architecture help ensure that your supervision controls are capturing ALL electronic communications between your dealers and customers, regardless of device. Our agents can be deployed directly on your message servers to monitor all internal and external communications (including mobile messages originating from mobile devices and tablets). CA Supervision agents can also be deployed directly on your dealers desktop or laptop endpoints to monitor communications they may be having with customers from their own personal accounts. IIROC Guidance Note Pursuant to National Instrument , Registration Requirements, Exemptions and Ongoing Registrant Obligations ( NI ), firms must retain records of their business activities, financial affairs, client transactions and communication. Whether a communication is related to the business of the Dealer Member, and therefore captured by this requirement, depends on the content of the communication. The type of device used to transmit the communication or whether it is a firm-issued or personal device is irrelevant. Dealer Members must therefore design systems and programs with compliant record retention and retrieval functionalities for those methods of communication permitted at the firm. Social media websites Most financial services firms convert social media website correspondence to RFC 2822 compliant messages and archive these records alongside normal communications. CA Supervision integrates with many of the largest archival vendors on the market. Leveraging these integrations, we can inspect social media correspondence for potential violations as it is being archived and enable it to be categorized properly for disposition in accordance with regulatory requirements. For those social media websites that are not integrated into your organization s archival process, The CA Supervision for Endpoints agent can prevent this correspondence altogether or silently monitor activity for compliance with posted policies and procedures. IIROC Guidance Note When designing and implementing compliant retention and retrieval practices members should: consider the need to prohibit access to social media websites that do not allow for compliant retention practices. prohibit or restrict the use of these types of sites by Approved Persons who have a history of non-compliant behavior, and allow only those Approved Persons who have received appropriate training on the Dealer Member s policies and procedures regarding social media websites to utilize this technology to communicate with the investing public. Use of personal communication devices As long as correspondence is taking place on corporate messaging systems, CA Supervision can monitor correspondence for potential policy violations, even in the event the communication originated on a personal device. Note: While theca Supervision for Endpoints agent can monitor use of personal from corporate devices, CA Supervision cannot monitor use of personal/cloud services from personal devices such as personal desktops/laptops, smart phones or tablets on which endpoint agents are not installed. IIROC Guidance Note When designing and implementing compliant retention and retrieval ractices members should consider the use of personal communication devices for business communication as well as the ability to retain, supervise and retrieve all business related communication made on these devices.

19 19 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS ca.com Requirement CA Supervision Solution Regulatory Reference Suitability and recommendations CA Supervision provides policies out of the box to monitor registered representatives public correspondence, including recommendations and advice. These policies can be easily tailored by our customers based on specific products and services they offer. IIROC Guidance Note Dealer Members should implement measures to monitor and/or prohibit electronic communications that constitute a recommendation which must comply with IIROC s suitability rules. Supervision hierarchy CA Supervision includes a powerful workflow engine which allows you to identify reviewers and the users and content they must review. Reviewers are able to escalate and route events to other administrators or superreviewers to assist in investigations. Role- based security can enforce who has visibility to see events under review, and CA Supervision can even throttle the level of detail captured for a particular violation. This security model also prevents reviewers from reviewing activity that they themselves may have been actively involved in, promoting effective crosssupervision across the organization. IIROC Guidance Note Policies and procedures should also provide for cross-supervision; individuals should not be responsible for the supervision or approval of advertising or sales literature which they themselves have prepared, and where specific types of advertising, sales literature or correspondence are prohibited by the Dealer Member, the policies and procedures should explicitly state the prohibition. Where a Dealer Member is organized in two or more separate business units or divisions, the Dealer Member may assign a Supervisor for each business unit or division responsible for ensuring the business unit s or division s compliance with IIROC Dealer Member Rule Review the reviewer CA Supervision provides a number of dashboards and reports designed specifically to monitor and track reviewer activity within the system. These mechanisms can be used as a feedback loop to remind reviewers of their responsibilities, identify reviewers that may not be following up on issues in a timely fashion and help ensure that the organization is fulfilling its regulatory obligations. IIROC Guidance Note The designated Supervisor should also ensure that any individuals assigned specific responsibilities under the policies and procedures are aware of their duties and are properly fulfilling them.

20 20 WHITE PAPER: SUPERVISION HANDBOOK FOR FINANCIAL SERVICE PROVIDERS Section 6: About the Author Chris Boswell has over 13 years of experience developing and implementing security, risk and compliance solutions. During his tenure at CA Technologies, Chris has held a variety of technical and management positions across our security services, product management and sales organizations. His work in the governance, risk and compliance domain has led to several patent filings for CA Technologies. Chris currently coordinates sales activities for our information protection and control solutions, CA DataMinder and CA ControlMinder, and works closely with product and development teams on behalf of customers to address emerging security, risk and compliance challenges. Connect with CA Technologies at ca.com CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to seize the opportunities of the application economy. Software is at the heart of every business, in every industry. From planning to development to management and security, CA is working with companies worldwide to change the way we live, transact and communicate across mobile, private and public cloud, distributed and mainframe environments. Learn more at ca.com. Copyright 2014 CA. All rights reserved. IBM is a trademark of International Business Machines in the United States, other countries, or both. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document as is without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA does not provide legal advice. Neither this document nor any software product referenced herein serves as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, standard, policy, administrative order, executive order, and so on (collectively, Laws ), referenced herein or any contract obligations with any third parties. You should consult with competent legal counsel regarding any such Laws or contract obligations. CS _1014