Policy No. 4

MFDA INTERNAL CONTROL POLICY STATEMENT 1 – GENERAL MATTERS

This Policy Statement is one in a series that prescribes requirements for and provides guidance on compliance with MFDA Rule 2.9 that states “every Member shall establish and maintain adequate internal controls as prescribed by the Corporation from time to time.”

“Internal control” is defined as follows:

“Internal control consists of the policies and procedures established and maintained by management to assist in achieving its objective of ensuring, as far as practical, the orderly and efficient conduct of the entity’s business.  The responsibility for ensuring adequate internal control is part of management’s overall responsibility for the ongoing activities of the entity.” (CICA Handbook, 5200.03)

The effectiveness of specific policies and procedures is affected by many factors, such as management philosophy and operating style, the function of the board of directors (or equivalent) and its committees, organizational structure, methods of assigning authority and responsibility, management control methods, system development methodology, personnel policies and practices, management reaction to external influences, and internal audit.  These and other aspects of internal control affect all parts of the Member firm.

In addition to compliance with required policies and procedures set out in these Policy Statements, a Member must consider the following, to the extent that they suggest a higher standard than would otherwise be required:

1. Recommended provisions set out in these Policy Statements;
2. Authoritative literature such as publications of the Mutual Fund Dealers Association of Canada, the MFDA Investor Protection Corporation, the Internal Control Guidelines published by the Investment Dealers Association of Canada and publications of the Canadian Institute of Chartered Accountants;
3. Comments on internal control that may have been made by internal and external auditors and by industry regulators, and actions that the Member has taken as a result;
4. Industry practice; and
5. The balance struck between preventive and detective controls. Preventive controls are those which prevent, or minimize the chance of occurrence of, fraud or error.  Detective controls do not prevent fraud and error but rather detect them, or maximize the chance of their detection, so that corrective action may be promptly taken.  The known existence of detective controls may have a deterrent effect and be preventive in that sense.

The extent of preventive controls implemented by a Member will depend on management’s view of the risk of loss and the cost-benefit relationship of controlling such risk.  Where the inherent risk is high (e.g. cash) the cost of effective preventive controls will usually be warranted and expected by industry regulators.  On the other hand, where the inherent risk is very low (e.g. prepaid expenses), the cost of preventive controls would usually not be warranted nor expected by industry regulators.  Further, in a circumstance where a preventive control is warranted, a detective control should not be considered to be a suitable alternative unless it will result in prompt detection of fraud and error and provide near certainty of recovery of the property that is the subject of the fraud or error.

For example, the safeguarding of clients’ cash warrants the implementation of highly effective preventive controls.  Accordingly, Members safeguard clients’ cash by placing it in a trust account and performing monthly reconciliations.

Determining whether internal control is adequate is a matter of judgement.  However, internal control is not adequate if it does not reduce to a relatively low level the risk of failing to meet control objectives stated in this series of Policy Statements and, as a consequence, one or more of the following conditions has occurred or could reasonably be expected to occur:

1. A Member is inhibited from promptly completing transactions or promptly discharging the Member’s responsibilities to clients, to other members or to the industry;
2. Material financial loss is suffered by the Member, clients or the industry;
3. Material misstatements occur in the Member’s financial statements; and
4. Violations of the rules or standards occur to the extent that could reasonably be expected to result in the conditions described in (i) to (iii) above.

Other Policy Statements in this series set out control objectives, required and recommended firm policies and procedures and indications that internal control is not adequate.  While recommended firm policies and procedures will be appropriate in many cases to meet the stated objectives, they constitute merely one of a number of methods which a Member may utilize.  It is recognized that Members may conduct their business in compliance with legal and regulatory requirements although they may employ procedures which differ from the recommended firm policies and procedures contained in these Policy Statements.  The information is designed to provide guidance to member firms in the preparation of procedures tailored to the specific needs of their individual environment in meeting the stated control objectives.

Members must maintain a detailed written record which as a minimum should include the specific policies and procedures approved by senior management to comply with these  Policy Statements.  These policies and procedures must be reviewed and approved in writing by senior management at least annually, or more frequently as the situation arises, for their adequacy and suitability.  One method of documentation is to note on a copy of this Policy Statement the recommended policies and procedures which have been selected, and details of their performance such as who performs them, when, and how performance is evidenced.  Other forms of documentation, such as procedures manuals, flow charts and narrative descriptions are recommended.

MFDA INTERNAL CONTROL POLICY STATEMENT 2 – CAPITAL ADEQUACY

This Policy Statement is one in a series that prescribes requirements for and provides guidance on compliance with MFDA Rule 2.9 that states “every Member shall establish and maintain adequate internal controls as prescribed by the Corporation from time to time.”  It should be read in the context of Internal Control Policy Statement 1 dealing with General Matters.

This Policy Statement focuses on the monitoring of a Member’s capital position, principally through its system of management and financial reporting.  The effectiveness of such monitoring depends in large measure on the timeliness, completeness and accuracy of the accounting books and records from which those management reports are drawn.  Establishing and maintaining policies and procedures to ensure such timeliness, completeness and accuracy is part of a Member’s responsibility for internal control.  However, these matters are outside the scope of this Policy Statement 2.

Control Objective

To monitor and act upon information produced by the management reporting system so that Risk Adjusted Capital is maintained at all times in an amount at least equal to the minimum required by MFDA Rules.

Minimum Required Firm Policies and Procedures

1. A member of senior management (such as the Chief Financial Officer, Chief Operating Officer or Chief Executive Officer) is responsible for continuous monitoring of the capital position of the firm to ensure that at all times Risk Adjusted Capital is maintained as prescribed by the MFDA Rules.
2. The Member’s planning process recognizes the projected capital requirements resulting from current and planned business activities.
3. At least monthly, or more frequently if required (e.g. when the Member is operating close to early warning levels), the member of senior management assigned the task for monitoring the capital position documents that he/she has:
   1. Received management reports produced by the accounting system showing information relevant to the calculated capital position;
   2. Obtained other information concerning items that, while they may not yet be recorded in the accounting system, are likely to significantly affect the capital position (e.g. bad and doubtful debts, unreconciled positions);
   3. Calculated the capital position, compared it to planned capital limits and the prior period and reported adverse trends or variances to senior management.

4. Senior management takes prompt action to avert or remedy any projected or actual capital deficiency and reports any deficiencies, when required, immediately to the appropriate regulators.
5. The month-end estimate of required risk adjusted capital is reconciled to the Monthly Financial Report submitted for regulatory filing. Material discrepancies are investigated and steps are taken to preclude re-occurrence.
6. At least annually, the member of senior management assigned the task for monitoring the capital position documents a supervisory review of the Member’s management reporting system related to capital, to identify and implement changes required to reflect developments in the business or in the regulatory requirements.

Indications That Internal Control Is Not Adequate

• The accounting system produces information that is late or requires correction.
• Staff responsible for preparing risk adjusted capital reports lack an understanding of the regulatory requirements.
• The Chief Financial Officer or person designated with the supervisory tasks of monitoring the capital position of the firm lacks an understanding of the regulatory requirements.
• No steps are taken to establish the reliability of management reports utilized to monitor the capital position.
• Planning procedures fail to take into account the impact of planned activities on required capital.
• The Member is operating near its early warning levels.
• The Member experiences significant unexpected changes in its capital position.

MFDA INTERNAL CONTROL POLICY STATEMENT 3 – INSURANCE

This Policy Statement is one in a series that prescribes requirements for and provides guidance on compliance with MFDA Rule 2.9 that states “every Member shall establish and maintain adequate internal controls as prescribed by the Corporation from time to time.”  It should be read in the context of Internal Control Policy Statement 1 dealing with General Matters.

Control Objective

To ensure that:

1. The Member is in compliance with regulatory requirements for insurance;
2. Other insurance coverage is in accordance with business needs; and
3. Insurable losses are identified and claimed on a timely basis.

Minimum Firm Policies And Procedures

1. Insurance requirements and levels of coverage are reviewed and approved at least annually by the Member firm’s Executive Committee or Board of Directors.
2. A senior officer of the firm is designated by the Member’s Executive Committee or Board of Directors as responsible for insurance matters.
3. The senior officer or designated person assigned the task reviews the terms of the insurance policies regularly and ensures that the Member’s operating procedures are designed to result in compliance with policy terms and regulations.
4. The senior officer or designated person assigned the task monitors business changes to evaluate the need for changes in coverage or operating procedures.
5. The senior officer or designated person assigned the task monitors business operations to ensure that insured losses are identified, the insurer is notified and losses are claimed on a timely basis and their effect on aggregate limits are taken into account.
6. Senior management takes prompt action to avert or remedy any projected or actual insurance deficiency and reports any deficiencies, when required, immediately to the appropriate regulators.

Indications That Internal Control Is Not Adequate

• Staff responsible for insurance matters are ill-informed of their duties or insufficiently trained.
• Material breaches of insurance policies which could result in denial of coverage are not detected on a timely basis.
• No steps are taken to establish the reliability of reports utilized for the monitoring of variables that may affect insurance coverage.
• Failure to report claims or to recover claims thought to be covered.
• Deficiencies in coverage are indicated on regulatory capital filings.

MFDA INTERNAL CONTROL POLICY STATEMENT 4 – CASH AND SECURITIES

This Policy Statement is one in a series that prescribes requirements for and provides guidance on compliance with MFDA Rule 2.9 that states “every Member shall establish and maintain adequate internal controls as prescribed by the Corporation from time to time.”  It should be read in the context of Internal Control Policy Statement 1 dealing with General Matters.

Control Objective

To safeguard both firm and clients securities and cash so that:

1. Securities and cash are protected against material loss; and
2. Potential losses are detected and reported (for regulatory and insurance purposes) on a timely basis.

Minimum Required Firm Policies And Procedures

Trading-General

1. Trade confirmations or confirmation reports containing evidence of settlement activity (“confirmation records”) are reconciled with the Member’s trading blotters at least weekly.
2. The reconciliation should be performed by personnel who do not have the ability to enter transactional data.
3. Discrepancies between the Member’s trading blotters and confirmation records must be investigated and resolved immediately.

Trading-Nominee Name Accounts

1. The Member has a proper written agreement with each acceptable securities location used to hold securities.
2. At least monthly, the information system produces a report (e.g. client positions) of securities owned by clients but registered in the name of or held by the Member that require segregation and a reconciliation with third party information (e.g. monthly statements from the fund company) is performed to identify deficiencies.
3. Where a deficiency exists, the Member of senior management designated the task of monitoring the capital position of the firm should be advised of the deficiency in order to determine if it impacts the Member’s capital position.
4. There is supervisory review or other procedures in place to ensure the completeness and accuracy of the report of client holdings produced by the Member’s information system.
5. Journal entries made to the Member or clients’ securities holdings are properly reviewed and approved before processing.
6. The Member has a system in place to record and allocate the total amounts of dividends and interest payable and receivable at the due date.
7. Non-resident tax is withheld where applicable by law.
8. A system is in place to ensure appropriate reporting of client income for tax purposes, as required by law.

Cash-General

1. A senior official is responsible for reviewing and approving all bank reconciliations.
2. Bank accounts (including trust accounts) are reconciled, in writing, at least monthly with identification and dating of all reconciling items.
3. Journal entries to clear reconciling items are made on a timely basis and approved by management.
4. The reconciliation of bank accounts (including trust accounts), where practical, is not performed by someone with incompatible functions, including access to funds (both receipts and disbursements), access to record keeping responsibilities, including the authority to write or approve journal entries. At a minimum, the individual responsible for the reconciliation should be independent from the individual having access to funds.
5. Approval levels required to requisition a cheque are established by senior management.
6. Cheques are pre-numbered and numerical continuity is accounted for.
7. Blank cheques are properly safeguarded.
8. Cheques are signed by two authorized individuals.
9. Cheques are only signed when the appropriate supporting documentation is provided. The supporting documentation is cancelled after the cheque is signed.
10. Where facsimile signature is used, access to the machine is limited and supervised.
11. A limited number of authorized personnel are permitted to withdraw monies from bank accounts, including by way of electronic transfer.

Trust Accounts For Client Funds

1. All client cheques are recorded upon receipt by the Member and deposited to the trust account on the day of receipt. If a cheque is received after normal business hours, the cheque is deposited the following business day.
2. Deposits to the trust account are balanced daily against deposit records, receivable records, and mutual fund settlement records.
3. Members must segregate interest received that is payable to clients in respect of monies held in trust for clients in accordance with Rules 3.3.1 and 3.3.2.
4. Members that pay interest to clients in accordance with MFDA Rule 3.3.2(e) must maintain adequate records of amounts owing and paid to each individual client. 

Indication That Internal Controls Are Inadequate

• There is a significant number and dollar value of unreconciled positions and balances.
• Significant differences in reconciliations are not resolved on a timely basis.
• A large number of staff is involved in reconciling positions.
• Material losses have occurred.

MFDA INTERNAL CONTROL POLICY STATEMENT 5 – SEGREGATION OF CLIENTS’ SECURITIES

This Policy Statement is one in a series that prescribes requirements for and provides guidance on compliance with MFDA Rule 2.9 that states “every Member shall establish and maintain adequate internal controls as prescribed by the Corporation from time to time.”  It should be read in the context of Internal Control Policy Statement 1 dealing with General Matters.

This Policy Statement is applicable where client securities are held by or in the name of the Member for the benefit of the client.

Control Objective

To segregate clients’ securities so that:

1. The Member is in compliance with regulatory and legal requirements for segregation; and
2. Securities are not improperly used.

Minimum Required Firm Policies And Procedures

1. Securities requiring segregation are placed in “acceptable securities locations”, as defined by MFDA Rules, on a timely basis.
2. Written custodial agreements with applicable regulatory provisions exist for securities held at acceptable securities locations.
3. Securities are moved into or out of segregation only by authorized personnel.
4. A client is identified for each transaction.
5. At least monthly, the information system produces a report (e.g. client positions) of securities owned by clients but registered in the name of or held by the Member that require segregation and a reconciliation with third party information (e.g. monthly statements from the fund company) is performed to identify deficiencies.
6. Where a deficiency exists, the member of senior management assigned the task of monitoring the capital position of the firm should be advised of the deficiency in order to determine if it impacts the firm’s capital position.
7. There is a monthly supervisory review of compliance with segregation requirements for clients’ securities.

Indication That Internal Controls Are Inadequate

• Insufficient attention is paid to preventing violations of legal and regulatory provisions concerning securities held in segregation, including preventing the hypothecation of securities.
• Securities are held without a written custodial agreement.