Under the bright lights: CSA & CIRO illuminate enhanced expectations in phase 2 client-focused reform sweep

Unveiled at last

On Dec. 10, 2025, the Canadian Securities Administrators (CSA) and Canadian Investment Regulatory Organization (CIRO) published their much-anticipated findings from recent regulatory compliance sweeps of 105 registered firms in Staff Notice 31-368 Client Focused Reforms: Review of Registrants’ Know Your Client, Know Your Product and Suitability Determination Practices and Additional Guidance (the Report).  

Casting a spotlight on compliance programs

The Report summarizes findings and provides guidance arising from the regulators’ reviews focused on assessing compliance with the Know Your Client (KYC), Know Your Product (KYP), and suitability determination requirements implemented as part of the so-called Client Focused Reforms, or CFRs. These were fundamental changes to registrant conduct requirements, implemented in two phases in 2021, through amendments to National Instrument 31-103 Registration Requirements, Exemptions and Ongoing Registrant Obligations (NI 31-103) and corresponding CIRO member rules.

The regulators view the guidance in the Report as an interpretation of the already-existing expectations under the CFRs. Understanding what the Report means for each firm is a critical component of meeting ongoing registrant obligations.

We anticipate that the Report will have varied implications for firms and have anticipated action items for firms in the section titled “Illuminating the path ahead.”

From the Report: “Our results highlight the fundamental importance of firms developing policies and procedures to ensure compliance with all aspects of the CFRs.”

1. KYC

The Report stresses the importance of collecting, updating and confirming sufficient KYC information to enable registrants to meet their suitability determination obligations. Firms are expected to require clients to confirm the accuracy of their KYC information upon initial collection, as well as when KYC is being verified or reassessed. The process for obtaining this confirmation should be codified in policies and can be achieved by various means, provided the confirmation is demonstrable to the regulators.

Reviews and updates

The regulators expect firms to review all elements of a client’s KYC information at the minimum required frequency¹, as well as within a reasonable time after becoming aware of a significant change to that information. Firms should determine what will be considered a material change to KYC information. They are also expected to engage in a “meaningful interaction” and to document that review in sufficient detail, regardless of whether there is a resultant change to existing KYC information. Of note, suitability reviews should take place alongside each KYC review, because the verification of KYC information and the analysis and application of that information are inextricably linked processes.

Risk profile

The concept of “risk profile” was introduced under the CFRs and represents the cumulative assessment of both a client’s risk capacity and risk tolerance. At the firm level, clear and consistent criteria should be established for determining clients’ overall risk profiles. Firms should obtain specific responses from clients, assess separately their risk tolerance and their risk capacity, and evaluate and document these two factors independently before forming and documenting the rationale for the client’s overall risk profile. According to the Report, the risk profile should be the lower of the two factors, with a detailed rationale if the firm deviates from this standard in a particular case.

Financial circumstances information

To support suitability determinations, firms are expected to collect, document and evidence information regarding a client’s financial circumstances. Firms are expected to have sufficient detail and proof of these factors that, for example, may require a breakdown of the client’s financial assets held at the firm and elsewhere, in order to properly assess concentration. We know that clients are often reluctant to share certain information, particularly with respect to outside holdings, but the regulators nonetheless expect to see sufficient detail, corroborating evidence, documentation of discrepancies, and resolution of any inconsistencies regarding financial circumstances.

2. KYP

KYP has several facets: it is a core registrant obligation for firms to assess, approve and monitor securities offered, and an equally important registrant obligation for individual registrants to take reasonable steps to understand the securities they recommend to clients. Similar to the guidance provided with respect to KYC, the Report repeatedly references the importance of sufficient documentation to evidence the assessments that have been performed.

When completing KYP assessments at the firm level, firms must gather documentation relating to an issuer — such as offering documents and financial statements — and have a meaningful, significant process for how to review that information. Firms should also set out who will conduct the review and specify the date(s) when the reviews are conducted. The approval should demonstrate an appropriate level of consideration, including the key elements that were assessed and why approval was granted.

The Report states that KYP analyses are, in fact, required for related or connected issuers, even if the firm is involved at the issuer level (such as with proprietary pooled fund products) and that the process should be similar to that used in respect of unrelated issuers.

Firms using model portfolios are expected to assess them, including their investment objectives and strategies, composition, costs, risks, and for whom they would be suitable, as well as document that assessment when completing an analysis. Relevant aspects of securities to be assessed that we were already aware of include their structure, features and risks. The Report expands on this, stating it is also important to review the parties involved in the security (for instance, management of the issuer, portfolio manager, product manufacturer, guarantors, or significant counterparties) and any conflicts inherent in the securities (such as arising from compensation structure and related party issues).

KYP documentation should include the relevant aspects of the securities that were considered, evidence of the specific approval of the securities, and proof that securities have been monitored for significant changes (which, in some cases, could trigger further actions, such as restricting sales to certain investors).

With respect to frequency, while likely factually dependent, the Report noted that annual monitoring of risky, illiquid and/or complex products by EMDs is inadequate and insufficient.

The Report contains scant information regarding the depth of review required, other than statements to the effect that the process may vary based on a security’s structure, complexity, risk level, and transparency.

Individual registrants have their own KYP obligations, and it is important to evidence that, even if they are selecting from a “pre-approved” list of firm securities, they must take sufficient steps to discharge their own individual obligations. For model portfolios, this would include understanding their composition, features and risks, and the type of clients for whom the securities may be suitable.

While flexibility is important given the variety of registrant business models and client base, we think that market participants were looking for additional, concrete guidance on how to delineate the reasonable range of alternative products to be assessed (see discussion on Suitability below), as well as more information on the depth of review required.

3. Suitability

As a practice note, we recommend that firms only consider the guidance impacting suitability once they have first assessed and made necessary modifications to KYC- and KYP-related processes.

The Report highlights that suitability is not a stand-alone concept. As such, making a suitability determination is multi-pronged and requires firms to:

• collect, update and document sufficient KYC information;
• engage in and document a robust KYP process;
• use both the KYC and KYP information to determine suitability based on the enhanced criteria introduced by the CFRs; and
• ensure that an investment action puts the client’s interests first (this analysis must be described in the firm’s policies and procedures, and documented in client records).

As always, firms should take note of the guidance relating to client-directed trades and unsolicited orders: these actions are not exempt from the suitability process, nor from the oversight of compliance with the suitability process.

Enhanced suitability factors to be considered

Registrants must make reasonable efforts to assess and address each of the specific factors required to be considered before taking an investment action for a client, including KYC, KYP, the impact on the client’s account, potential and actual impact of costs on the client’s returns, and a reasonable range of alternative investment actions available through the firm.

Policies and procedures that fail to demonstrate how a firm has considered and weighed each of the specifically enumerated factors in paragraph 13.3(1)(b) of NI 31-103, and how the firm puts the client’s interests first, may fall short of the regulators’ expectations. This is in spite of repeated statements that the CFRs are principles-based and that firms can tailor their application to their operations to achieve compliance.

Concentration and liquidity

Firms should consider the impact of an investment action across all of the client’s accounts held at the firm to determine if it will materially impact concentration and liquidity. Controls should be in place allowing firms to calculate, monitor, and manage concentration in client accounts and portfolios. The higher the concentration in a specific security/sector/industry, the higher the onus to document and demonstrate suitability. The same goes for holdings that exceed concentration or liquidity thresholds, but that are nonetheless considered suitable.

Reasonable range of alternatives

To ensure that a reasonable range of alternatives is considered in the course of making a suitability determination, firms should clearly outline who is responsible for identifying and assessing such alternatives, and at what point in time those comparisons should take place. Firms should also define the scope of products that will be considered as comparable alternatives within a reasonable range. An evaluation of alternatives requires assessing features such as cost structures and returns, tax costs, management fees, and transaction costs. Registered individuals are expected to consider lower cost alternatives available through the firm and to document their basis for choosing among suitable alternatives.

Model portfolios

Firms employing model portfolios are expected to undertake and document suitability determinations at different levels:

• At the model level: When constructing and managing the model portfolio, suitability determination is to be done for securities included in the models.
• At client-facing level: When a particular model portfolio is selected for a client from other model portfolios available at the firm, there must also be a suitability determination.

Additionally, if an individual registrant is allowed to substitute securities within a model portfolio — or deviate from the model at the client-facing level — a suitability determination is required in respect of the substituted securities or the deviation from the model. The firm must also evidence a reasonable basis for making suitability determinations at both the firm and individual registrant level.

Reassessments

Suitability reassessments are triggered each time a client’s KYC information is updated, as well as when the registrant becomes aware of a KYP change in a security that could impact suitability. Of note, suitability reassessments are also triggered when there is a change in the registrant responsible for an account. As with KYC updates, meaningful records of suitability reassessments must be maintained.

Additional guidance

Shedding light on training

We have always emphasized the importance of tailored training on the key components of KYC, KYP and suitability. The Report itemizes several specific components of these obligations that should be addressed in training sessions, which should be tailored to the audience and the firm’s activities. All registered employees should receive the training, and firms must be able to easily demonstrate attendance and completion. The Report suggests that employees be tested on the material: pop quiz, anyone?

Illuminating the path ahead

Clearly, the Report will require action from all firms. Although the order of priority will vary depending on each firm’s business model and current alignment with the guidance contained in the Report, the next steps will include some, or all, of the following:

1. Review written policies and procedures in light of the checklist that the regulators have included at the end of their Report. In particular, attention should be paid to:
   1. Outlining the roles, steps and controls for each KYC, KYP and suitability process (that is, who is responsible for what, when and why), and ensuring procedures are followed consistently.
   2. Providing clear definitions and expectations of what constitutes a “significant change” to a security being proactively monitored for KYP purposes, and when responses may be warranted, such as a reassessment of the security’s approval or client suitability.
   3. Outlining a clear monitoring process and a corresponding paper trail to show that the procedures were followed.
   4. Implementing a process for considering the impact of an investment action across all of the client’s accounts.
   5. Ensuring the firm establishes concentration and liquidity controls, such as EMDs distributing illiquid investments should have thresholds to assess overall client exposure to specific issuers and sectors, overall exempt product exposure, and concentration limits relative to a client’s net financial assets and internal firm thresholds.
2. Update client KYC forms to ensure the requisite information is captured, including information about each client’s financial circumstances, and in certain cases, investments held outside the firm, particularly if the registrant offers illiquid products. It is important to determine (and document) what the registrant considers a “significant change” in this information, and how the information will be updated within a reasonable timeframe after becoming aware of the change.
3. Review and update suitability procedures and records to include key assumptions, scope of data assessed, and analysis performed.
4. Consider supervisory processes, including with respect to the suitability procedures, which may include periodic testing of client files.
5. Review training materials to ensure they are tailored, include all the expected KYC, KYP and suitability aspects set out in the Report, and document attendance by all registered employees. Product-specific training should be considered for new or complex products to be distributed by the firm.

Of note, the Report indicates that CIRO will publish further guidance on KYC, KYP and suitability, in part to reflect its consolidated rules that are to be published for a 120-day comment period in February 2026.