From red flags to repercussions: What CCOs and UDPs need to know about the new landscape of gatekeeper obligations

The longstanding obligation for securities registrants to uphold the integrity of capital markets by acting as “gatekeepers” is undergoing a quiet transformation. The gatekeeping obligation has long been understood as a requirement to guard the market against illegal, abusive and unfair practices, set out in the Universal Market Integrity Rules (UMIR)’s detailed requirements for trading supervision and market access. However, recent enforcement decisions have increasingly emphasized the broader, principles-based standards under Rule 1400 of the Investment Dealer and Partially Consolidated Rules (IDPC). In recent CIRO decisions, Rule 1400 is being applied more expansively, with an increased emphasis on ethical behavior and the duty to question “red flags”, even absent a concrete violation of UMIR.

What you need to know

• Most recent gatekeeper enforcement is driven by the broader, catch-all Rule 1400 under the IDPC Rules.
• What constitutes a “red flag” is not always clear – these are context-dependent indicators that may signal a breach of securities laws or regulations. Registrants are expected to remain vigilant, engage compliance and use professional judgment to determine when inquiry is necessary.
• Regulators are signaling stricter “hindsight” scrutiny of gatekeeping behavior.
• UDPs and CCOs should ensure that supervisors are equipped to recognize red flags, avoid assuming a reasonable explanation, and proactively inquire of advisors and clients. This kind of oversight is essential to effective risk management.

The rules governing gatekeeper obligations

UMIR Rules 7.1 and 7.13 are specific, prescriptive gatekeeper obligations focused on trading supervision and market access that apply to dealers in CIRO-regulated marketplaces.

• UMIR 7.1: Requires registered dealers with marketplace access to supervise trading activity on marketplaces to detect and prevent manipulative or deceptive practices; typically seen when there is a systemic issue of failed monitoring.
• UMIR 7.13: Applies to firms that offer Direct Electronic Access (DEA) or routing arrangements, requiring them to manage those specific market access risks through onboarding, monitoring, and control frameworks.

Most gatekeeper enforcement decisions are guided by IDPC Rule 1400, which sets out fundamental standards of conduct for individuals and firms.

The key components of Rule 1400 are focused on ethical and specific misconduct:

• Ethical conduct: Regulated persons must “observe high standards of ethics and conduct and act openly and fairly and in accordance with just and equitable principles of trade.” The purpose is to ensure that participants in the investment industry refrain from conduct that could harm the public interest or undermine confidence in the markets.
• Specific misconduct: The Rule identifies negligent conduct, failure to comply with legal or regulatory obligations, unreasonable departures from expected standards, and actions likely to diminish investor confidence as contraventions.

The state of gatekeeper obligations was unsettled in late 2024

In July 2024, the scope of gatekeeper obligations was somewhat unsettled. In Re Englesby and Nishimura, (the CIRO Decision) the CIRO Hearing Panel, an independent tribunal that decides disciplinary and regulatory cases, adopted a fact-specific, restrained approach to Rule 1400. This decision dealt with allegations that the registrants, who worked at a large investment dealer, acted contrary to Rule 1400 by facilitating client activity that raised red flags. The registrants did not ask the clients any further questions about this activity, which enforcement staff alleged was a breach of their gatekeeping obligations.

Although the trading activity in this instance raised several red flags, the Hearing Panel found that there were plausible, non-suspicious explanations.¹ As a result, the respondents were not required to inquire further, and the Hearing Panel concluded that the registrants gatekeeper obligations had not been breached and dismissed the disciplinary action against them. The key finding of the Hearing Panel was that registrants generally do not need to inquire if there are reasonable possible explanations for the suspicious activity.

In making its decision, the Hearing Panel adopted a three-step approach to determine compliance, asking (1) if the activities at issue raise a red flag that should have prompted the registrant to make inquiries, (2) if the registrant made the inquiries, and (3) if the registrant acted reasonably based on the information uncovered by these inquiries.²

BCSC steps in, rejects the speculative approach at CIRO

Following the decision, CIRO Staff applied to the British Columbia Securities Commission (BCSC) for a hearing and review of the CIRO Decision, which the respondents applied to strike. In Re CIRO and Englesby, the BCSC disagreed with the CIRO Hearing Panel’s approach of accepting "possible reasonable explanations" for suspicious activity as a basis for inaction.³ It emphasized that Rule 1400 is broad and principles-based, and sent the case back to a CIRO Hearing Panel to decide on an approach consistent with the principles set out in the BCSC’s decision.

The legal error, according to the BCSC, was the Hearing Panel’s focus on whether the red flags might have resulted from something innocent, such as a change in occupation, or whether there were other plausible explanations.

The BCSC clarified that the proper question is whether a reasonable registrant would have inquired further. On the facts of this case, the Commission found that further inquiry was clearly warranted.⁴

The BCSC did not reject CIRO’s three-step framework for evaluating gatekeeper conduct, but it cautioned against treating that framework as exhaustive, noting the difficulty of defining gatekeeper obligations in a single, universal test and acknowledging the existence of other valid ways to analyze an issue.⁵

Recent decisions follow a similar trend toward stricter gatekeeper enforcement

A 2025 CIRO settlement decision, Re Hildebrandt, offers greater clarity on the current direction of CIRO’s gatekeeper enforcement. In Hildebrandt, the registrant ignored a series of red flags that should have prompted diligent inquiries and greater caution before facilitating any further trades.⁶ In its reasons, the Hearing Panel engaged in a lengthy discussion of gatekeeper obligations, making it clear that gatekeepers must do more than just obtain assurances from their clients: if there is any possibility of abusive trading, the registrant must put genuine effort into investigating the situation.⁷ This requires registrants to maintain an “alert, curious attitude” and uphold their duty to assess whether the actions their client ask them to take are consistent with the public interest.⁸

The essence of Rule 1400 is the ethical obligation to question not only the trades themselves, but who is placing them and why.

In a recent settlement between Canaccord and CIRO, Canaccord admitted that it failed its gatekeeping obligations, including by not questioning a client’s rationale and the risk implications of a unique structure,⁹ and failing to coordinate trader reports of red flags.¹⁰

Another recent settlement between CIRO and Echelon reinforces CIRO’s increasingly firm stance on gatekeeper obligations. Over a 4-year period, Echelon admitted that its managing director facilitated nearly $180 million in over-the-counter (OTC) trades, which are direct transactions involving securities that are not listed on a national stock exchange.¹¹ These trades were executed for foreign broker-dealers without adequate supervision, identity verification, or inquiry into red flags.¹² Despite indicators of abusive trading, Echelon admitted that it failed to escalate concerns or comply with internal trading limits, resulting in a clear failure of gatekeeping obligations.¹³ In the settlement agreement, CIRO warned that when dealing in high-risk OTC securities—known for their volatility and frequent use in fraudulent schemes—registrants must exercise heightened vigilance through adequate due diligence, supervision, and prompt inquiry into suspicious activity.¹⁴

UMIR 7.1 and 7.13 still in play

While many cases of gatekeeper enforcement are guided by IDPC Rule 1400, the specific gatekeeper obligations in UMIR Rules 7.1 and 7.13 remain binding on registrants.¹⁵ When firms breach these rules, particularly through systemic monitoring failures, CIRO will take enforcement action.

Conclusion

The evolving gatekeeper landscape demands more scrutiny from registrants, as regulators increasingly emphasize the duty to question suspicious activity, even in the absence of clear violations. As recent CIRO decisions illustrate, the restrained approach has given way to a broader, more assertive interpretation of gatekeeper obligations. While the prescriptive requirements of UMIR remain relevant, Rule 1400 has emerged as the primary enforcement tool, obligating registrants not only to detect red flags but to actively investigate and document them.