Compliance

Record Retention

The general 5-year retention rule for dealer records, extended to 7 years for client identification records under PCMLTFA.

Definition

CIRO IDPC Rules require investment dealers to retain records of client accounts, transactions, and communications for a minimum of 7 years, with some categories of records (such as account-opening documentation and KYC forms) retained for the life of the account plus 7 years. Under PCMLTFA separately, records related to client identity verification must be retained for 7 years from the date the account is closed or the transaction occurs. The longer of these periods applies when they overlap. Records must be retrievable within a reasonable time and may be stored electronically provided the dealer can produce them in readable form on request by CIRO or FINTRAC.

Source

CIRO IDPC Rules, recordkeeping provisions; PCMLTFA Regulations s.36

Where this shows up on the CIRE

  • Outcome 9.1

Test yourself

Two real CIRE-bank questions on this exact outcome.

  1. A registered representative receives a phishing email appearing to come from CIRO requesting that she log in to a portal and verify her account credentials. She clicks the link, enters her username and password, and the next day discovers her access to firm systems has been used to view confidential client data. Under CIRO's cybersecurity and privacy framework, which obligation is most directly triggered?

    Outcome 9.1

    A. The representative must file a large cash transaction report because client data may have been used for financial gain.
    B. The dealer member must assess whether the incident constitutes a privacy breach requiring notification to affected clients and potentially to the Office of the Privacy Commissioner, in addition to notifying CIRO of the cybersecurity incident per applicable CIRO requirements. (Correct)
    C. No regulatory obligation arises unless the attacker actually transfers client funds.
    D. The obligation is limited to resetting the representative's password and documenting the incident internally.

    Under PIPEDA (and its provincial equivalents) and CIRO's cybersecurity and recordkeeping obligations, unauthorized access to client personal information constitutes a potential privacy breach that may require notification to affected individuals and the Office of the Privacy Commissioner if there is a real risk of significant harm. CIRO rules also require dealer members to have incident response procedures and to notify CIRO of material cybersecurity events. An attacker gaining access to confidential client data triggers these obligations well before any fund transfer occurs.

  2. A registrant's dealer is subject to IDPC Rule 1406 ('most stringent prevails'). A provincial securities regulator publishes a rule requiring a shorter complaint resolution timeline than the timeline specified in IDPC Rule 3700. Which timeline applies?

    Outcome 9.1

    A. The IDPC Rule 3700 timeline applies because CIRO rules supersede provincial rules for its members.
    B. Both timelines apply simultaneously, requiring dual reporting to CIRO and the provincial regulator.
    C. The dealer may choose either timeline at its discretion.
    D. The provincial rule applies because it is more stringent, and IDPC Rule 1406 requires compliance with whichever requirement is most stringent. (Correct)

    IDPC Rule 1406 establishes that where a provincial or territorial requirement is more stringent than the corresponding CIRO requirement, the member must comply with the more stringent standard. CIRO rules set a floor, not a ceiling. If a provincial regulator mandates a shorter complaint resolution period, the dealer must meet that shorter deadline. There is no discretion to choose the less stringent standard, and the rule does not require dual reporting; it simply requires compliance with whichever standard is higher.
