Outside Business Activity (OBA)

Test yourself

Two real CIRE-bank questions on this exact outcome. Click to reveal the answer and the rule citation.

1. 1

   A registered representative receives a phishing email appearing to come from CIRO requesting that she log in to a portal and verify her account credentials. She clicks the link, enters her username and password, and the next day discovers her access to firm systems has been used to view confidential client data. Under CIRO's cybersecurity and privacy framework, which obligation is most directly triggered?

   Outcome 9.1 · click for answer

   A.The representative must file a large cash transaction report because client data may have been used for financial gain.

   B.The dealer member must assess whether the incident constitutes a privacy breach requiring notification to affected clients and potentially to the Office of the Privacy Commissioner, in addition to notifying CIRO of the cybersecurity incident per applicable CIRO requirements.Correct

   C.No regulatory obligation arises unless the attacker actually transfers client funds.

   D.The obligation is limited to resetting the representative's password and documenting the incident internally.

   Under PIPEDA (and its provincial equivalents) and CIRO's cybersecurity and recordkeeping obligations, unauthorized access to client personal information constitutes a potential privacy breach that may require notification to affected individuals and the Office of the Privacy Commissioner if there is a real risk of significant harm. CIRO rules also require dealer members to have incident response procedures and to notify CIRO of material cybersecurity events. An attacker gaining access to confidential client data triggers these obligations well before any fund transfer occurs.

2. 2

   A registrant's dealer is subject to IDPC Rule 1406 ('most stringent prevails'). A provincial securities regulator publishes a rule requiring a shorter complaint resolution timeline than the timeline specified in IDPC Rule 3700. Which timeline applies?

   Outcome 9.1 · click for answer

   A.The IDPC Rule 3700 timeline applies because CIRO rules supersede provincial rules for its members.

   B.Both timelines apply simultaneously, requiring dual reporting to CIRO and the provincial regulator.

   C.The dealer may choose either timeline at its discretion.

   D.The provincial rule applies because it is more stringent, and IDPC Rule 1406 requires compliance with whichever requirement is most stringent.Correct

   IDPC Rule 1406 establishes that where a provincial or territorial requirement is more stringent than the corresponding CIRO requirement, the member must comply with the more stringent standard. CIRO rules set a floor, not a ceiling. If a provincial regulator mandates a shorter complaint resolution period, the dealer must meet that shorter deadline. There is no discretion to choose the less stringent standard, and the rule does not require dual reporting; it simply requires compliance with whichever standard is higher.

Related terms in Regulatory

• CIRO

  The Canadian Investment Regulatory Organization, formed January 1, 2023.

• CIRE

  Canadian Investment Regulatory Examination, the entry-level CIRO exam.

• CSA (Canadian Securities Administrators)

  Umbrella organisation of Canada's 13 provincial/territorial securities regulators.

• Canadian Investor Protection Fund (CIPF)

  Investor protection fund covering client assets at CIRO investment dealers up to $1 million per account category.

• NI 31-103

  National Instrument on Registration Requirements, Exemptions and Ongoing Registrant Obligations.

• Ontario Securities Commission (OSC)

  Ontario's provincial securities regulator and the largest CSA member by market participants.