Regulatory

IDPC Rule 3300 Series

Supervision obligations for registered persons under CIRO.

Definition

The IDPC Rule 3300 series imposes supervision obligations on investment dealers and their supervisors. Dealers must establish written supervisory procedures, designate Ultimate Designated Persons (UDPs) and Chief Compliance Officers (CCOs), and conduct ongoing supervision of registered persons. The 3300 series also contains the firm-level Know-Your-Product obligation: before a product is made available to clients, the dealer must conduct product due diligence and formally approve it for the firm's shelf. Failure to supervise is itself a regulatory offence under these rules.

Source

CIRO IDPC Rule 3300 series

Where this shows up on the CIRE

  • Outcome 3.5
  • Outcome 9.1

Test yourself

Two real CIRE-bank questions on this exact outcome.

  1. A registered representative receives a phishing email appearing to come from CIRO requesting that she log in to a portal and verify her account credentials. She clicks the link, enters her username and password, and the next day discovers her access to firm systems has been used to view confidential client data. Under CIRO's cybersecurity and privacy framework, which obligation is most directly triggered?

    Outcome 9.1

    A. The representative must file a large cash transaction report because client data may have been used for financial gain.
    B. The dealer member must assess whether the incident constitutes a privacy breach requiring notification to affected clients and potentially to the Office of the Privacy Commissioner, in addition to notifying CIRO of the cybersecurity incident per applicable CIRO requirements. (Correct)
    C. No regulatory obligation arises unless the attacker actually transfers client funds.
    D. The obligation is limited to resetting the representative's password and documenting the incident internally.

    Under PIPEDA (and its provincial equivalents) and CIRO's cybersecurity and recordkeeping obligations, unauthorized access to client personal information constitutes a potential privacy breach that may require notification to affected individuals and the Office of the Privacy Commissioner if there is a real risk of significant harm. CIRO rules also require dealer members to have incident response procedures and to notify CIRO of material cybersecurity events. An attacker gaining access to confidential client data triggers these obligations well before any fund transfer occurs.

  2. A client wants to open an account where they can make their own investment decisions without advice and without the dealer assessing suitability on each trade. Which account type best fits this description, and what must occur before it is opened?

    Outcome 3.5

    A. A managed account; the dealer must provide a written investment management agreement.
    B. A discretionary account; the client and portfolio manager sign a letter of direction.
    C. An advisory account with a suitability waiver; the client signs a one-time exemption form.
    D. An order execution only (OEO) account; the dealer must provide three pre-opening disclosures: that no advice will be given, that ongoing suitability assessments will not be conducted, and that the client is responsible for their own decisions. (Correct)

    An order execution only account is the account type where the dealer executes client-directed orders without providing advice or conducting ongoing per-trade suitability assessments. Before opening an OEO account, IDPC Rule 3219 requires three specific written disclosures: (1) no advice will be provided, (2) suitability will not be assessed on an ongoing basis, and (3) the client is responsible for their own investment decisions. These disclosures ensure the client understands the self-directed nature of the account before the first trade.
