In 2021, I predicted that CIRO would begin auditing Canadian dealers to ensure proper supervision and controls over remote work. At the time, I hoped that due to the sudden and immediate shift to pandemic-induced industry-wide work-from-home mandates, regulators would cut dealers some slack, provide breathing room to adjust to the "new reality," and that after a reasonable adjustment period, CIRO might begin to crack down on home office inspections by enforcing tighter controls over remote work supervisory and auditing requirements. So far, we haven't seen any bulletins or notices from CIRO reporting results of such audits or related enforcement proceedings.

However, I'm not quite ready to admit I was wrong (I am not always this stubborn... but my wife might disagree). While CIRO has been quiet on this front, not so in the U.S. If we look to the Financial Industry Regulatory Authority (or FINRA, the U.S. equivalent to CIRO), under Rule 3110, dealers are required to maintain a system of supervising the activities of advisors, which includes routine home office audits.1 In fact, some of the recently proposed FINRA Rule amendments will require dealers to maintain, and update each quarter, a list of all advisors who maintain home offices. CIRO frequently takes policy cues from FINRA, so it would not surprise me if CIRO eventually adopts similar remote work rules. It may be that CIRO has been too busy with the IIROC and MFDA consolidation to fully implement these auditing requirements, so we're looking forward to learning whether CIRO has implemented any remote work rules in its new rulebook.

But even if home audits don't catch on in Canada (I find it difficult to see how they won't), advisors need to firmly safeguard their clients' confidential information, even from their own families. Consider the following real-world scenario (we've slightly changed the facts):

  • Advisor Smith built a sizeable practice, starting from friends, family, and close contacts. Smith set up her "home office" at the end of her kitchen table, which is where she conducted most of her business; this included telephone calls and video conferences. She kept her printer in the basement.
  • Smith's husband was retired and spent much of his time around the house. He was often in earshot of Smith's conversations with clients. Smith routinely asked him to retrieve documents from the basement printer.
  • One day, Smith's husband was on a walk with one of his friends, Johnson (who was also a client of Smith's), when Smith's husband mentioned in passing that Johnson must be so pleased with Smith's work, because his accounts were up significantly. Johnson obviously recognized that Smith's husband was aware of his private, confidential information, and immediately complained to the dealer, raising privacy breaches. Needless to say, the dealer was not pleased with Smith, registered the complaint with CIRO, and then conducted an audit and investigation into Smith's home office practices.

Some meaningful (and basic) ways that advisors can protect their clients' confidential information to avoid ending up like Smith include:

  1. Designated workspace: generally speaking, a room away from the rest of the family is important. This permits the advisor to freely speak with clients on calls or virtual meetings. If the advisor wears a headset, then even those trying to listen in will not hear more than the advisor's side of the conversation. This is good for client privacy, and is more comfortable for the advisor as they will not need to concern themselves with shielding their conversations from those within earshot.
  2. Physical document security: if advisors maintain physical documents, which is prohibited by some dealers, these must always be out of sight, and locked away in a filing cabinet when not in use. The advisor should never recycle confidential documents at home, opting instead to either shred these documents, or ideally, bring them into the office for shredding.
  3. Access controls: the computer must be password protected, and all work must be through the dealer's secure access login portal.
  4. Electronic document security: advisors should never e-mail client documents to their personal e-mail accounts (e.g., Gmail), or save confidential information outside of their designated work computer. This includes saving documents on a flash drive or unapproved external cloud-based storage system, such as iCloud, Dropbox, or OneDrive.
  5. Approved channels of communication: under no circumstances should advisors e-mail their clients from their personal e-mail accounts, or send their clients text messages or communicate using applications such as WhatsApp. The dealer cannot monitor these conversations, and this issue has attracted substantial fines in the U.S.2 (and the topic of another blog to come).

While it might be tempting to ignore these basic privacy measures because they are inconvenient, it will be even less convenient when dealing with the consequences of regulatory enforcement proceedings arising from a breach of client privacy.

Footnotes

1. See https://www.finra.org/rules-guidance/rulebooks/finra-rules/3110.

2. See https://www.investmentexecutive.com/news/from-the-regulators/bmo-wall-street-firms-sanctioned-for-app-violations/.
