NI 31-103 Section 13.3 (Referral Arrangements)

Test yourself

Two real CIRE-bank questions on this exact outcome. Click to reveal the answer and the rule citation.

1. 1

   A client opens a margin account and immediately requests a leveraged position equal to three times her net liquid assets. The registrant processes the order because the client signed the margin agreement and insists she understands the risks. Which statement best reflects the registrant's obligation?

   Outcome 3.4 · click for answer

   A.The registrant has no further obligation once the client has signed the margin agreement and acknowledged the risks.

   B.The registrant must still assess whether the leveraged strategy is suitable for the client's KYC profile; client acknowledgment of risk does not discharge the suitability obligation.Correct

   C.The suitability obligation is suspended for margin accounts because clients self-certify their understanding.

   D.The obligation is fully discharged if the registrant provides a written risk disclosure document at account opening.

   Signing a margin agreement and acknowledging risks transfers some responsibility to the client but does not extinguish the registrant's suitability obligation under NI 31-103 and CIRO rules. The registrant must still assess whether the leveraged strategy is appropriate given the client's financial situation, risk tolerance, and investment objectives. Suitability analysis applies to each order or recommendation, not only at account opening.

2. 2

   A registered representative receives a phishing email appearing to come from CIRO requesting that she log in to a portal and verify her account credentials. She clicks the link, enters her username and password, and the next day discovers her access to firm systems has been used to view confidential client data. Under CIRO's cybersecurity and privacy framework, which obligation is most directly triggered?

   Outcome 9.1 · click for answer

   A.The representative must file a large cash transaction report because client data may have been used for financial gain.

   B.The dealer member must assess whether the incident constitutes a privacy breach requiring notification to affected clients and potentially to the Office of the Privacy Commissioner, in addition to notifying CIRO of the cybersecurity incident per applicable CIRO requirements.Correct

   C.No regulatory obligation arises unless the attacker actually transfers client funds.

   D.The obligation is limited to resetting the representative's password and documenting the incident internally.

   Under PIPEDA (and its provincial equivalents) and CIRO's cybersecurity and recordkeeping obligations, unauthorized access to client personal information constitutes a potential privacy breach that may require notification to affected individuals and the Office of the Privacy Commissioner if there is a real risk of significant harm. CIRO rules also require dealer members to have incident response procedures and to notify CIRO of material cybersecurity events. An attacker gaining access to confidential client data triggers these obligations well before any fund transfer occurs.

Related terms in Regulatory

• CIRO

  The Canadian Investment Regulatory Organization, formed January 1, 2023.

• CIRE

  Canadian Investment Regulatory Examination, the entry-level CIRO exam.

• CSA (Canadian Securities Administrators)

  Umbrella organisation of Canada's 13 provincial/territorial securities regulators.

• Canadian Investor Protection Fund (CIPF)

  Investor protection fund covering client assets at CIRO investment dealers up to $1 million per account category.

• NI 31-103

  National Instrument on Registration Requirements, Exemptions and Ongoing Registrant Obligations.

• Ontario Securities Commission (OSC)

  Ontario's provincial securities regulator and the largest CSA member by market participants.