CIRE Examination Preparation · Final Element
Conflicts of Interest & Ethics
The capstone element. Covers how to identify, avoid, address and disclose conflicts of interest — with real ethical dilemmas and scenarios. CIRO ethical standards, prohibited personal financial dealings, positions of influence, outside activities, information barriers, grey lists, cybersecurity, and 45 scenario-based exam questions designed to test judgment, not just recall.
9.1 Why Managing Conflicts of Interest Matters
A conflict of interest (COI) arises whenever a registered person's or dealer's own interests — financial, personal, or professional — could compromise their ability to act in a client's best interests. The investment industry is structurally exposed to conflicts: advisors earn commissions, dealers earn spreads, analysts cover companies that pay banking fees. Left unmanaged, these conflicts undermine trust, harm clients, and damage the integrity of capital markets.
The fundamental principle under CIRO's rules is that client interests come first. When a conflict cannot be eliminated, it must be managed so that the client's interests are protected. When it cannot be managed, it must be avoided entirely.
⚖️ Why It Matters for Market Integrity
Conflicts of interest, when poorly managed, cause direct harm: clients receive unsuitable advice, insider information gets traded on, research becomes biased, and capital gets misallocated. Systemic failures — the 2003 global research analyst scandal, the 2008 structured product collapse — all had conflicts of interest at their root. CIRO's rules on COI management are not bureaucratic box-ticking — they are the structural safeguards that protect retail and institutional investors in Canadian capital markets.
Material Conflict
A conflict that could reasonably be expected to affect the recommendations or decisions an advisor makes for a client — or that a client would reasonably want to know about before making a decision. Not every conflict is material, but identifying whether it is requires judgment.
Potential vs Existing COI
Existing: A conflict that is present right now (e.g., the dealer earns a trailer commission from a fund it's recommending). Potential: A conflict that could arise in a foreseeable future situation (e.g., an advisor is being courted to join an issuer's board). Both must be managed — the potential must be assessed before it becomes existing.
Who Has the Obligation
Both the Investment Dealer (at the firm level — policies, procedures, training) and the Approved Person (at the individual level — personal conduct, judgment, escalation) bear obligations. Neither can delegate the responsibility entirely to the other.
9.2 The COI Management Process
CIRO's rules establish a structured three-step process for managing conflicts of interest. The sequence matters: avoid first, address second, disclose third — disclosure alone is never sufficient if a conflict can be avoided or controlled.
1. Identify: Find all existing and reasonably foreseeable material conflicts
2a. Avoid: If the conflict cannot be managed in the client's best interest — do not proceed
2b. Address: If the conflict can be managed — put controls in place to protect the client
3. Disclose: Tell the client clearly — what the conflict is, how it is managed, and its potential impact
Step 1 — Identification of Conflicts of Interest
Dealers must take reasonable steps to identify existing and reasonably foreseeable material conflicts between: (a) the dealer or its approved persons, and (b) clients. Under the 2025 CIRO Rule consolidation proposals, this obligation extends to all persons acting on the dealer's behalf — not just Approved Persons.
Structural Conflicts
Built into the business model: trailing commissions (advisor earns more if client stays in fund), principal trading (dealer profits at client's expense on spreads), underwriting relationships (research covers companies that pay the dealer banking fees). These must be systematically identified in policies and procedures.
Personal Conflicts
Individual-level: an advisor holds shares in a company they're recommending to clients, a registered person is offered a gift by an issuer, an advisor borrows money from a client, an approved person is named as beneficiary in a client's will. More unpredictable — requires individual reporting and escalation obligations.
Reasonably Foreseeable
Not just conflicts that exist today — but those that could arise from a proposed activity. E.g., an advisor considering joining a public company's board must flag this before it happens, because it creates a foreseeable future conflict with any client holding or considering that company's securities.
Steps 2a, 2b & 3 — Avoid, Address & Disclose
Avoid — When the Conflict Cannot Be Managed
Some conflicts are so fundamentally contrary to a client's interests that no amount of disclosure or controls can adequately protect the client. These must be avoided entirely. The Approved Person must not proceed with the activity or relationship.
🚫 Example — When to Avoid
An RR's brother is CEO of a small publicly traded company. The RR's book of business includes several clients who hold shares in the company, and new clients are asking the RR for coverage. The RR cannot provide objective, unbiased advice on this company's securities — the personal relationship creates a conflict that cannot be adequately managed or disclosed away.
Required action: The RR must avoid providing any investment advice or recommendations on this company's securities. The conflict must be escalated to compliance, and those clients should be referred to another advisor for this specific holding.
Address — Putting Controls in Place
When a conflict can be managed in the client's best interest, the firm must put controls in place. Controls can include: information barriers, supervision processes, referral to another advisor for the conflicted activity, enhanced compliance monitoring, or compensation changes.
✅ Example — Addressing a Structural Conflict
A dealer earns trailing commissions from mutual fund companies. This creates an incentive to recommend funds with the highest trailers rather than the most suitable funds.
Address mechanisms: the CFR (Client Focused Reforms) suitability requirement ensures recommendations must be in the client's best interest; supervisory review flags unusually high-commission recommendations; annual fee disclosure (CRM2/TCR) makes the cost visible to clients.
Result: The conflict still exists but is managed through structural controls. It does not need to be avoided — it needs to be disclosed and supervised.
Disclose — Telling the Client
When a material conflict exists and has been addressed through controls, it must be disclosed to the client in a meaningful, timely, and specific way. Disclosure must enable the client to make an informed decision.
◆ Meaningful: Plain language that the client actually understands — not buried in fine print or written in legal jargon that obscures the conflict's impact
◆ Timely: Before the client makes a decision affected by the conflict — not after. Retroactive disclosure is inadequate
◆ Specific: Must describe the nature of the conflict, how it might affect the client, and how it is being managed — generic statements like "we may have conflicts" are insufficient
◆ RDI (Relationship Disclosure Information): The primary vehicle for upfront structural conflict disclosure — delivered at account opening and updated when material changes occur
9.3 Ethical and Legal Responsibilities to Clients
Investment dealers and their registered persons have both legal duties (enforceable rules, statutes, regulations) and ethical duties (principles of conduct that apply even when not explicitly mandated by a rule). Both are binding — but ethical duties can extend beyond what any rulebook requires.
Fiduciary Duty
The highest legal duty of care — requires acting in the client's best interest, with loyalty and utmost good faith. In Canada, discretionary portfolio managers have a formal fiduciary duty to clients. For RRs in advisory accounts, the standard is the Client Focused Reforms (CFR) "best interest" standard — similar in practical effect, though not identical in law.
Best Interest Standard (CFR)
Under the Client Focused Reforms (fully effective since 2021), RRs must prioritize the client's interests in all recommendations and actions, including when managing conflicts of interest. A recommendation must reflect the client's best interest — not the advisor's financial interest. This is a higher standard than the previous "suitability" test.
Duty of Care
Act with the competence and diligence of a reasonable professional in the same role. Maintain required proficiency, stay current with regulations, understand the products recommended, and apply appropriate judgment. Ignorance of a product's risks is not a defence.
Duty of Loyalty
Act in the client's interest, not the dealer's or advisor's own financial interest. When client interest and advisor financial interest conflict, the client wins. This is the core principle underlying all COI management rules.
Confidentiality
Client information gathered in the course of the advisory relationship — financial position, investment goals, personal circumstances — belongs to the client and must be protected. Cannot be shared externally without consent (with limited legal exceptions) or used for personal benefit (would constitute a serious ethical and potentially criminal violation).
9.4 Ethics vs Rules — Why the Distinction Matters
Rules are specific, enforceable standards — if you violate a rule, there is a clear consequence. Ethics involves broader principles and values that guide conduct even in situations where no specific rule applies. The investment industry needs both.
The Relationship Between Ethics and Rules
Rules without ethics: An advisor who does only exactly what the rules require — never more — can still behave in ways that harm clients and erode trust. The rulebook cannot anticipate every situation.
Ethics without rules: Relying purely on individual judgment creates inconsistency and unpredictability. Without enforceable standards, bad actors exploit gaps.
The right relationship: Rules establish the minimum standard. Ethics demands going further — asking not "is this technically permitted?" but "is this the right thing to do for my client?" A truly professional advisor who finds themselves asking "can I get away with this?" has already answered the question: they should not do it.
Rules-Based Compliance
Following specific prescriptive requirements. Example: filing the required conflict disclosure document is rules-based compliance — you either file it or you don't, and the consequence of not filing is defined in the IDPC Rules.
Principles-Based Ethics
Applying broader values to novel situations the rules don't explicitly address. Example: a client confides distressing personal information while updating their KYC file — no rule specifically tells you how to handle this emotionally, but ethical principles of care, compassion, and confidentiality guide appropriate conduct.
The "Newspaper Test"
A practical heuristic: would you be comfortable if your actions were reported on the front page of a national newspaper? If yes, proceed. If not, reconsider. This captures the spirit of ethical conduct — acting in a way that would withstand full public scrutiny.
9.5 Ethical Principles & Standards of Conduct
CIRO and the broader investment industry have established core ethical principles that apply to all Approved Persons and investment dealers. These are not aspirational ideals — they are enforceable standards of conduct that can form the basis of disciplinary proceedings when violated.
🎯 Integrity
Acting with honesty and strong moral principles in all professional interactions. Not deceiving, manipulating, or misleading clients, colleagues, or regulators. Truthful in all representations and disclosures.
⚖️ Fairness
Treating all clients equitably — not favouring some clients at the expense of others, ensuring all clients have fair access to services, pricing, and information. Not front-running client orders.
📚 Competence
Maintaining the knowledge, skills, and judgment necessary to provide quality services. Pursuing continuing education. Not undertaking activities beyond one's competence without supervision.
🔒 Confidentiality
Protecting all client information from unauthorized disclosure or misuse. Only sharing client data as required by law or with client consent. Not using client information for personal gain.
🤝 Client Priority
Placing the client's interests ahead of personal financial gain. Under the CFR best interest standard, this is a legal requirement in advisory relationships — not merely aspirational.
📋 Accountability
Taking responsibility for one's actions and their consequences. Escalating concerns through proper channels. Cooperating fully with regulatory investigations and compliance reviews.
9.6 CIRO Ethical Standards of Conduct
CIRO's IDPC Rules and the proposed consolidated CIRO Rules establish specific, enforceable standards of conduct that translate ethical principles into concrete obligations. Key provisions:
IDPC Rule 3100 — Conflicts of Interest
Requires dealers and approved persons to take reasonable steps to identify existing and reasonably foreseeable material conflicts, and to address them in the best interest of the client. If the conflict cannot be addressed in the client's best interest, it must be avoided. Disclosure alone is insufficient if the conflict can be avoided or properly controlled.
IDPC Rule 3111 — Personal Financial Dealings
Prohibits approved persons from engaging in personal financial dealings with clients (borrowing from clients, lending to clients, settling accounts from personal funds without firm consent, acting as executor/POA, accepting beneficiary status). Under 2025 CIRO Rule consolidation proposals, this prohibition is being extended to all employees (not just APs) of CIRO dealer members.
Conduct and Practices Handbook Course
New registered representatives and investment representatives must complete the CPH Course as part of their proficiency requirements under the 2026 CIRO Proficiency Model. This course specifically addresses ethical standards, conflicts of interest, and professional conduct obligations.
CIRO Enforcement
CIRO has authority to discipline registered persons and dealers for violations of ethical standards under the IDPC Rules. Penalties range from fines and suspension to permanent bans. Enforcement decisions are published and accessible publicly — serving as both individual accountability and industry deterrence.
Whistleblower Protections
Firms must have written policies protecting employees who report potential violations in good faith. Retaliation against a good-faith whistleblower is itself a serious violation of CIRO rules. The OSC Whistleblower Program (5–15% financial award on sanctions over $1M) incentivizes reporting of securities law violations including ethical breaches.
9.7 Prohibited Personal Financial Dealings with Clients
These are specific, explicitly prohibited activities under CIRO's IDPC Rules. They represent the types of personal dealings where a conflict of interest is so severe that they cannot be managed through disclosure alone — they must simply not occur.
🚫 Prohibited — Borrowing from Clients
An approved person cannot borrow money from a client — except where the client is a related person under the Income Tax Act (e.g., a spouse, parent) AND the approved person has obtained prior written approval from the sponsoring dealer. Further exception: borrowing from a financial institution client where lending money is the institution's ordinary business (e.g., a bank client). Why prohibited: Creates dependency — the advisor may be inclined to recommend unsuitable investments to the client to maintain the relationship and ability to repay. The client may feel pressured not to complain.
🚫 Prohibited — Lending to Clients
Approved persons cannot lend personal funds to clients. Why prohibited: If the advisor has lent money, they have a personal financial interest in the client's account performance — creating an incentive to recommend higher-risk strategies that might generate returns sufficient to repay the loan. The relationship is fundamentally compromised.
🚫 Prohibited — Settling Losses from Personal Funds Without Firm Consent
An approved person cannot pay for a client's account losses out of personal funds without the dealer's prior written consent. Why prohibited: Unauthorized settlements circumvent the dealer's complaint management process, may undermine CIRO's oversight, and can be used to conceal errors or misconduct. All settlements must go through the firm's formal process.
🚫 Prohibited — Acting as Executor, Power of Attorney, or Trustee for Clients
Approved persons cannot act as executor of a client's estate, hold power of attorney over a client's affairs, or act as trustee for a client — except for immediate family members. Under 2025 CIRO Rule Consolidation (Phase 4): a new restriction is being proposed on approved persons accepting beneficiary status in a client's estate, with an exception for immediate family members. Why prohibited: These roles create enormous conflicts — the advisor has financial interests in the client's estate while still advising the client.
🚫 Prohibited — Accepting Gifts Above Minimal Value
Approved persons cannot accept gifts, hospitality, or other consideration from clients or third parties (e.g., fund companies, issuers) that exceeds a minimal, non-monetary, and infrequent threshold — i.e., a threshold where a reasonable person would question whether it created a conflict or improperly influenced conduct. Large gifts from fund companies to advisors recommending their products are a clear conflict. Some firms set explicit dollar thresholds (e.g., $100–$150 per gift).
🚫 Prohibited — Accepting Compensation from Third Parties for Client Activities
Approved persons cannot accept any consideration from any person other than the dealer for activities conducted on behalf of a client — unless the compensation is non-monetary, minimal, infrequent, and a reasonable person would not question whether it creates a conflict, OR unless it relates to an approved outside activity. All compensation for client-facing activities must flow through the dealer.
📌 Exam Scenario — Identifying the Violation
An RR has been working with a long-standing elderly client for 12 years. The client asks the RR to become executor of her estate and to accept a $2,000 gift as thanks for years of good service. The RR is also struggling financially and considers asking the client for a short-term personal loan.
ALL THREE are prohibited:
(1) Acting as executor for a non-family client — prohibited under IDPC Rules unless immediate family.
(2) Accepting a $2,000 gift — exceeds "minimal, non-monetary, infrequent" threshold — prohibited without dealer approval and likely prohibited regardless.
(3) Borrowing from a client — prohibited without dealer written approval and evidence of ITA related-person status.
9.8 Positions of Influence
A position of influence exists when an Approved Person has a relationship with a client — beyond the normal advisory relationship — that could create undue influence over the client's investment decisions or could allow the advisor to exploit the client's trust.
What Constitutes Position of Influence
Relationships that give the advisor authority or trust beyond normal advisory: acting as power of attorney, acting as trustee, managing a client's estate, holding a position at an employer of the client (e.g., company's financial officer), being a trusted family advisor, or having a relationship with a client who is elderly, cognitively impaired, or emotionally dependent on the advisor.
Client Restrictions
Where an approved person has (or is being offered) a position of influence over a client's financial affairs, there are strict restrictions on the types of transactions and recommendations permitted. The approved person may need to be removed from managing the affected client's account, or the specific conflicted activity must be referred to another registered person.
Existing & Foreseeable Material COI
Positions of influence must be proactively assessed for COI — both existing (the influence already exists) and foreseeable (the relationship is developing in a direction that will create influence). The assessment must happen before the conflict materializes, not after harm has occurred.
Written Disclosure
Where a position of influence creates a material conflict, the Approved Person must provide written disclosure to the dealer and, where applicable, to the client. The disclosure must be specific — what the position is, how it creates a conflict, and what steps are being taken to manage it.
Reporting Obligations
Approved Persons must report positions of influence to the dealer promptly — both when the position arises and when any material change occurs. The dealer must review whether the position is compatible with the Approved Person's registration obligations and determine appropriate controls or restrictions.
👴 Vulnerable Client Protection
Positions of influence are particularly concerning with elderly, widowed, or cognitively declining clients who may be isolated and highly trusting of their advisor. CIRO rules and the Trusted Contact Person (TCP) framework (covered in Element 2) are specifically designed to protect these clients. An advisor who exploits a position of influence over a vulnerable client faces the most severe regulatory and potentially criminal consequences.
9.9 Outside Activities of Approved Persons
An Approved Person's activities outside their investment dealer role — business activities, board positions, second jobs, community roles — can create real or perceived conflicts of interest and confusion for clients. CIRO's rules require disclosure, pre-approval, and ongoing supervision of all outside activities.
📋 The Four Key Requirements
CIRO Rule 2554 requires ALL Approved Persons to: (1) Disclose all outside activities to the dealer before engaging in them. (2) Obtain the dealer's pre-approval for outside activities. (3) Allow the dealer to assess potential conflicts and implement effective controls and supervision. (4) Maintain appropriate record-keeping of all approved outside activities.
Client Confusion Risk
If clients are unaware that their advisor holds another role — particularly one that creates financial interests — they cannot assess whether the advice they receive is objective. Example: an advisor who is also a real estate agent and recommends real estate investment trusts heavily may create client confusion about whether the advice is driven by investment merit or personal commercial interests. The outside activity approval process must consider whether it will confuse clients about the nature of the advisory relationship.
Conflict of Interest Risk
Outside activities that involve direct or indirect financial relationships with issuers, competitors, or products in the advisor's coverage universe create conflicts. An advisor who is also a director of a public company: (1) may have MNPI about that company; (2) may have a financial interest in recommendations about the company's securities. Both are serious conflicts requiring either avoidance or robust management.
Effective Controls
Approval for outside activities should only be granted where: the dealer can establish effective supervision over the activity, the activity does not use client information, the activity does not involve securities-related business without proper disclosure and registration, and the conflict can be managed in the client's best interest.
When to Deny
Some outside activities should not be permitted — specifically, positions with public issuers (board memberships) that would prevent the Approved Person from providing fully informed and unbiased advice to clients. If the dealer concludes it cannot properly control the conflict in the client's best interest, it should not permit the activity.
Record-Keeping
The dealer must maintain records of: the disclosure made by the Approved Person, the due diligence conducted in assessing the outside activity, the approval decision and conditions, any material changes to the activity, and the ongoing supervision applied. CIRO can inspect these records during compliance examinations.
📌 Real Scenario — Outside Activity Assessment
An RR with a major bank-owned dealer is offered a part-time teaching position at a local university's finance department. She is also offered a position on the advisory board of a cannabis company (public, listed on TSX Venture) that several of her clients currently hold.
University teaching position: Low risk. No conflict with client interests. No use of client information. No securities-related business. Likely approvable with standard disclosure. Record-keeping required.
Cannabis company advisory board: High risk. The RR would have: (1) a financial interest in the company's success while advising clients who hold its shares; (2) potential access to MNPI as an insider; (3) a reputational connection to a specific issuer that compromises objectivity. The dealer should either (a) refuse approval, or (b) if approved with extremely robust controls, require: the RR to be removed from managing positions in this company for all clients, placement on the restricted list, enhanced supervision, and full disclosure to affected clients.
9.10 Client Confidentiality — Policies & Procedures
Investment dealers are legally and ethically required to protect the confidentiality of all client information. The primary legislative frameworks are PIPEDA (Personal Information Protection and Electronic Documents Act) at the federal level, and corresponding provincial legislation in Quebec (Law 25) and Alberta.
What Must Be Protected
All personal and financial information provided by the client: name, address, SIN, date of birth, financial position, investment objectives, risk tolerance, account holdings, transaction history, personal circumstances disclosed in the advisory process. All of this information is provided in confidence and belongs to the client.
Required Policies & Procedures
Dealers must have written policies and procedures covering: who has access to client information (need-to-know basis), how client data is stored and transmitted securely, how data breaches are identified and reported, what disclosures are made to clients about data practices (privacy policy), and how client data is securely disposed of when no longer needed.
When Disclosure Is Permitted
Client information can be shared without consent only in limited circumstances: (1) required by law (court order, regulatory requirement, FINTRAC STR/LCTR filing); (2) necessary to complete the transaction the client authorized; (3) to a carrying broker in a normal course of business sharing arrangement. All other sharing requires client consent.
Prohibited Uses
Using client information for personal gain — the most serious violation. If an advisor uses knowledge of a client's large upcoming trade to personally trade ahead (front-running), this is simultaneously a confidentiality breach, a COI violation, potentially insider trading, and a UMIR violation. Multiple regulatory frameworks overlap here.
Data Breach Requirements
Under PIPEDA, organizations must report privacy breaches that create a real risk of significant harm to individuals to the Office of the Privacy Commissioner of Canada (OPC) and notify affected individuals. Investment dealers also have cybersecurity incident reporting obligations to CIRO. Quebec's Law 25 (effective 2023) imposes additional requirements including 72-hour notification timelines for high-risk incidents.
9.11 Information Barriers, Firewalls & Information Control
In a full-service investment dealer, different departments routinely have access to material non-public information (MNPI) about issuers, transactions, or market-moving events. Without active controls, this information could flow to trading desks, creating insider trading risk. Information barriers and firewalls are the structural solutions.
Information Barriers (Chinese Walls)
Physical and electronic barriers that prevent MNPI from flowing between departments. The investment banking / capital markets group (which routinely has MNPI about pending deals) is separated from trading desks, research analysts, and sales teams. No informal communication about deals in progress is permitted across the barrier. Access to sensitive deal documents is restricted on a strict need-to-know basis. Crossing the Chinese Wall — even accidentally — is a serious compliance event that must be reported.
Firewalls (Technology Controls)
Electronic information barriers implemented through technology: access controls limiting which employees can access certain database systems, email monitoring and filtering, system logging of access to sensitive documents, network segmentation preventing unauthorized data transmission. Technology firewalls reinforce and operationalize the human information barriers.
Grey List
A watch list of securities where the dealer may have MNPI. Trading in grey-listed securities is not prohibited but is subject to enhanced scrutiny and supervision. Compliance monitors all trades in grey-listed securities for patterns inconsistent with known client objectives or that could indicate MNPI-based trading. The list is maintained confidentially — employees are generally not told which specific securities are on the grey list (to avoid signalling MNPI).
Restricted List
A prohibited trading list for securities where the dealer definitely has MNPI — typically because the investment banking division is actively engaged on a transaction involving the issuer. Trading is PROHIBITED for firm employees and proprietary accounts in restricted securities until the restriction is lifted (deal announced or engagement terminated). Unlike the grey list, employees are told when a security is restricted so they know not to trade it.
Research Independence
Research analysts must be structurally separated from investment banking to maintain analytical independence. Rules prohibit investment bankers from pressuring analysts to issue favourable ratings, and analysts from participating in investment banking pitches. Research ratings must reflect genuine analytical views, not commercial relationships.
🔍 Grey vs Restricted — The Critical Distinction for the Exam
Grey list (watch list): Possible MNPI → enhanced scrutiny → trading PERMITTED but supervised. Restricted list: Definite MNPI → prohibition → trading PROHIBITED for employees and proprietary accounts. This distinction is tested consistently. A common exam scenario: an RR wants to recommend a security that's on the grey list — they can, but compliance will scrutinize the recommendation. If it's on the restricted list, they cannot recommend it to any client until the restriction is lifted.
9.12 Cybersecurity and Confidential Information
Cybersecurity is no longer only an IT concern — it is a regulatory obligation and an ethical imperative for investment dealers. The volume and sensitivity of financial data held by dealers makes them prime targets for cyberattacks. A breach can harm thousands of clients simultaneously.
CIRO Cybersecurity Obligations
CIRO requires dealers to have cybersecurity programs that address: risk assessment, access controls, data encryption, incident detection, response plans, and reporting protocols. While CIRO does not prescribe a specific technical framework, the obligation to maintain "adequate systems and controls" includes cybersecurity. Dealers must report material cybersecurity incidents to CIRO promptly.
Common Cyber Threats
Phishing: Fraudulent emails impersonating trusted entities to steal credentials. Ransomware: Malware that encrypts systems and demands payment. Account takeover: Using stolen credentials to access client accounts — particularly serious in the securities context, as unauthorized trades can be executed. Social engineering: Manipulating employees into disclosing information or providing system access. Third-party risk: Cyberattacks through vendors, custodians, or technology providers connected to the dealer's systems.
Data Encryption
All client data stored and transmitted must be encrypted. This applies to: data at rest (in databases and servers), data in transit (emails, file transfers, API connections), and portable devices (laptops, USB drives). Unencrypted data on lost or stolen devices is a significant breach risk and regulatory liability.
Access Controls & Least Privilege
Employees should have access only to the client data they need to perform their specific job function (the "least privilege" principle). Strong authentication, meaning multi-factor authentication (MFA), is required for all systems containing client data. Regular access reviews ensure that terminations and role changes are promptly reflected in system permissions.
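The access review described above, as an added example that is not part of the course material: system permission grants are reconciled against the HR roster and a per-role entitlement table, flagging terminated users who still hold access, accounts with no HR record, and permissions that exceed the role's least-privilege entitlement. Roles, permissions and users are constructed.

```python
# Added example, not from the course material: a periodic access review that
# checks system grants against the HR roster and role entitlements.
# Roles, permissions and users below are constructed.
from dataclasses import dataclass

# Minimum entitlements per role (least privilege): anything beyond is excess.
ROLE_ENTITLEMENTS = {
    "registered_rep": {"client_accounts:read", "orders:enter"},
    "compliance": {"client_accounts:read", "orders:read", "surveillance:read"},
    "it_support": {"system_logs:read"},
}


@dataclass
class HrRecord:
    user: str
    role: str
    terminated: bool = False


def access_review(hr_records, grants):
    """Return (user, finding, permissions) triples that need action.

    hr_records: iterable of HrRecord (authoritative roster and current role)
    grants: dict mapping user -> set of permissions actually held in the system
    """
    roster = {r.user: r for r in hr_records}
    findings = []
    for user, perms in sorted(grants.items()):
        rec = roster.get(user)
        if rec is None:
            findings.append((user, "orphan_account", frozenset(perms)))
        elif rec.terminated:
            findings.append((user, "terminated_with_access", frozenset(perms)))
        else:
            excess = perms - ROLE_ENTITLEMENTS.get(rec.role, set())
            if excess:
                findings.append((user, "excess_for_role", frozenset(excess)))
    return findings


if __name__ == "__main__":
    roster = [HrRecord("alice", "registered_rep"), HrRecord("bob", "compliance", terminated=True),
              HrRecord("carol", "it_support")]  # carol moved from compliance to IT
    grants = {"alice": {"client_accounts:read", "orders:enter"},
              "bob": {"client_accounts:read"},
              "carol": {"system_logs:read", "client_accounts:read"},
              "dave": {"orders:enter"}}
    for finding in access_review(roster, grants):
        print(finding)
```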
Incident Response
Dealers must have a written cybersecurity incident response plan that covers: detection, containment, assessment, notification (clients, CIRO, OPC/privacy regulators as required), remediation, and post-incident review. The plan must be tested regularly and updated to address evolving threats. Regulatory reporting timelines are specific — PIPEDA breach reporting must be prompt; Quebec Law 25 requires 72-hour notification for high-risk incidents.
Employee Training
Human error is the most common cybersecurity vulnerability. Dealers must provide regular cybersecurity training including: phishing awareness, password hygiene, social engineering recognition, mobile device security, and the regulatory obligations around data protection. Training is not a one-time event — the threat landscape evolves constantly.
⚠️
Cybersecurity & COI Intersection
A cybersecurity failure is also an ethical failure. An investment dealer that collects sensitive client financial information and then fails to protect it with adequate cybersecurity controls has violated the client's trust and their confidentiality obligations — regardless of whether the breach was caused by a sophisticated external attacker or by preventable employee negligence. The ethical duty to protect client information is as binding as the technical regulatory requirement.
Element 9 — Master Summary
14 exam-critical points
01 COI Management Process: Three steps: (1) Identify all existing and reasonably foreseeable material conflicts. (2a) Avoid — if the conflict cannot be managed in the client's best interest. (2b) Address — put controls in place if it can be managed. (3) Disclose — specific, meaningful, timely disclosure to the client. Disclosure alone is never enough if the conflict can be avoided or controlled.
02 Material vs Immaterial COI: A material conflict is one that could reasonably affect advice given or that a client would want to know before making a decision. Not every potential conflict is material; determining materiality requires judgment. Both existing and reasonably foreseeable conflicts must be managed.
03 Ethics vs Rules: Rules set the minimum standard. Ethics demands going further — asking "is this right for the client?" not "can I get away with this?" The newspaper test: would you be comfortable if this action was reported on the front page of a national newspaper?
04 Best Interest Standard (CFR): Under Client Focused Reforms, RRs must prioritize client interests in all recommendations — including when managing conflicts. This is a higher standard than the old suitability test. Discretionary portfolio managers have a fiduciary duty.
05 Six Ethical Principles: Integrity, Fairness, Competence, Confidentiality, Client Priority, Accountability. All are enforceable conduct standards, not merely aspirational ideals.
06 Prohibited Personal Financial Dealings (Key Six): (1) Borrowing from clients (except related persons with firm consent). (2) Lending to clients. (3) Settling losses from personal funds without firm consent. (4) Acting as executor/POA/trustee for non-family clients. (5) Accepting gifts above minimal threshold. (6) Accepting third-party compensation for client activities without approval. Under the 2025 CIRO consolidation, accepting beneficiary status from a client's estate is also being added.
07 Positions of Influence: Must be reported to dealer promptly. May require: removal from managing affected client's account, written disclosure to dealer and client, enhanced supervision. Particularly serious with vulnerable, elderly, or dependent clients.
08 Outside Activities — Four Requirements: (1) Disclose to dealer before engaging. (2) Obtain dealer pre-approval. (3) Effective controls and qualified supervision must be in place. (4) Appropriate records maintained. Some activities (board positions with public issuers creating unmanageable conflicts) should not be permitted. Outside activities must not use client information.
09 Client Confidentiality: Governed by PIPEDA (federal), Quebec Law 25, and CIRO rules. Client data may be shared only when required by law, to complete authorized transactions, or with client consent. Data breaches must be reported to OPC and affected clients. Quebec Law 25: 72-hour notification for high-risk incidents.
10 Grey List vs Restricted List: Grey (Watch) List = possible MNPI → enhanced scrutiny, trading PERMITTED but supervised. Restricted List = definite MNPI → trading PROHIBITED for employees and proprietary accounts. Employees are told about the restricted list; they are generally NOT told which securities are grey-listed.
11 Information Barriers (Chinese Walls): Structural separation between investment banking (MNPI) and trading/sales. No informal communication across the barrier. Electronic firewalls reinforce human barriers through access controls, system logging, and network segmentation.
12 Research Independence: Analysts must be structurally separated from investment banking. Ratings must reflect genuine analysis, not commercial relationships. Bankers cannot pressure analysts; analysts cannot participate in banking pitches. NI 31-103 and CIRO rules both address research independence.
13 Cybersecurity as Ethics: Failing to protect client data with adequate cybersecurity controls violates both regulatory obligations and ethical duties. Required: encryption, access controls (least privilege), MFA, incident response plans, regular employee training, prompt reporting to CIRO and privacy regulators on material breaches.
14 2025 CIRO Rule Consolidation (Phase 4): Key changes in proposal stage: (1) Personal financial dealings restrictions extended to ALL employees (not just Approved Persons). (2) New restriction on accepting beneficiary status from a client's estate (exception for immediate family). (3) Conflict identification obligation extended to all persons acting on the dealer's behalf, not just Approved Persons.