Investment Firm Justified in its Collection of "Know Your Client" Information

PIPEDA Report of Findings #2014-012

December 5, 2014


A customer alleged that his investment firm's Know Your Client (KYC) Form required him to provide an unreasonable amount of personal information. As part of having the firm handle his Tax Free Savings Account (TFSA) and Registered Retirement savings Plan (RRSP), he was asked to fill out a form requiring information such as number of years' investment experience, annual income, spouse's or partner's annual income, number of dependents, liquid assets, fixed assets, liabilities, and estimated net worth.

The firm's Branch Manager informed the complainant that the information was required in order for the firm to comply with the Investment Industry Regulatory Organization of Canada ("IIROC") KYC and Suitability requirements. Pursuant to these requirements, investment firms are required to collect sufficient information regarding a client and determine the suitability of each proposed transaction. By understanding details regarding risk tolerance, assets, liabilities and household sources of income, a firm can better assess the suitability of proposed transactions for clients.

Our Office assessed whether the investment firm was in contravention of Principle 4.3.3 of Schedule 1 of PIPEDA by requiring the complainant, as a condition of service, to consent to the collection, use or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.

With respect to whether the purposes had been explicitly specified, our Office found that the firm informed the complainant that the disputed information was indeed requested for the purpose of compliance with IIROC's requirements-a fact made explicit in a brochure provided to him. Our Office also found that a reasonable person would consider the collection of information for these purposes as being legitimate in the circumstances. IIROC's Dealer Member Rules require Dealer Members to conduct reasonable due diligence and collect sufficient information, as well as remain informed of essential facts relating to each of their customers.

Finally, our Office looked at whether the investment firm was requiring more information than necessary to achieve the purposes as a condition of service. Some personal information requested from the complainant by the firm tracks the information identified in a standard form provided by IIROC and which IIROC requires that Dealer Members, at a minimum, collect -namely: annual income, number of dependents and net worth. In light of this, our Office found that the investment firm appropriately required this information. Our Office also accepted that the investment firm was justified in requiring other knowledge about a client's current financial situation in the circumstances, namely, spousal income, assets and liabilities, and number of years of investment experience in order to comply with IIROC's requirements.

All told, our Office found that the allegation that the investment firm requires more personal information than necessary as a condition of service was not well-founded.

Lessons Learned

  • Investment firms should identify the purposes for which the personal information is collected at or before the time the information is collected.
  • Investment firms may be entitled to require an individual to consent, as a condition of service, to the collection of certain personal information where it can be demonstrated that the information is required in order to comply with regulatory obligations related to compliance with IIROC's KYC and suitability requirements and the purpose has been explicitly specified.

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

  1. The complainant alleges that his investment firm ("the respondent") required an unreasonable amount of personal information on its Know Your Client Form in order to maintain a Tax Free Savings Account ("TFSA") and Registered Retirement Savings Plan ("RRSP") account.
  2. The respondent argued that the information was required in order for its organization to comply with the Investment Industry Regulatory Organization of Canada ("IIROC")'s Know Your Client ("KYC") and suitability requirements.
  3. In light of the analysis that follows, we find that the allegation that the respondent requires more personal information than necessary as a condition of service is not well-founded.

Summary of Investigation

Information from the complainant

  1. On January 10, 2013, the complainant was asked by the respondent to complete a "Know Your Client Update Form" for his RRSP and TFSA accounts. The form states "please review the information about you, below. If any of the information needs to be updated, please insert the correct information and initial where required in the space provided". In the complainant's view, certain requested information should be considered optional. He indicated that the respondent did not need to know his or his spouse's income and that the respondent should only require name, contact information, social insurance number, investment objectives, and whether he or his spouse are a director, senior officer, or insider of a publicly traded company.
  2. The complainant provided our Office with a copy of the KYC Update Form and highlighted certain information that was indicated by the respondent as being mandatory: number of years' investment experience with: stocks, bonds, mutual funds, options, and short selling; annual income; spouse's or partner's annual income; number of dependents; liquid assets; fixed assets, liabilities and estimated net worth.
  3. On February 6, 2013, the complainant contacted the respondent's Ombudsman office; his request was forwarded to the Branch Manager. The Branch Manager informed the complainant that the information was required by IIROC and provided him with a brochure from IIROC entitled "Opening Your Retail Account - what your investment dealer needs from you - and why."
  4. The brochure explainedIIROC's role and why certain information is required. The following is an excerpt from the brochure:

    The Investment Industry Regulatory Organization of Canada (IIROC) regulates all investment dealers in Canada. […] Your advisor's firm is required by IIROC rules and other laws to gather certain information about you. It may be unable to open an account for you if you are unwilling to provide this information. This brochure sets out the basic information requirements for the initial application and ongoing maintenance of your account. […] Most investment firms are required to determine the suitability of each proposed transaction in your account. This applies whether or not the trades are the result of recommendations by the firm's staff. To determine suitability, your firm and advisor need to fully understand your financial situation, investment needs, objectives, investing experience and tolerance for risk. These can only be assessed by collecting from you accurate information about your personal and financial circumstances. This requirement, part of the Know-Your-Client rule, is one of the cornerstones of securities regulation.

    In order for your firm and advisor to comply with the Know-Your-Client rule, you will be asked to provide and keep up to date the following information:

    • marital status
    • age
    • occupation
    • income and net worth
    • number of dependents
    • risk tolerance
    • investment objectives
    • investment knowledge and experience
  5. On February 22, 2013, the complainant contacted IIROC to seek further information. The complainant alleged that the representative was unable to explain why certain personal information was required, and simply stated that the requirements were "written by IIROC's policy department". Not satisfied with the responses received from the respondent and IIROC, the complainant filed the current complaint with our Office, which was accepted on March 27, 2013.
  6. On May 15, 2013, the respondent sent a letter to the complainant indicating that KYC is essential in providing the investment advisor with up to date material information on his financial and investment information, risk tolerance and investment objectives. It further notified the complainant that, given his refusal to update his KYC information, he was required to "transfer-out" his accounts.

Information from IIROC

  1. According to IIROC's websiteFootnote 1:

    IIROC carries out its regulatory responsibilities under Recognition Orders from the provincial securities commissions that make up the Canadian Securities Administrators (CSA). IIROC is subject to oversight and regular operational reviews by CSA members.[…] In Canada, each province or territory has government bodies - securities commissions, authorities, administrators- that rely on an SRO [Self Regulatory Organization] such as IIROC to carry out certain regulatory responsibilities. […] Securities legislation requires investment dealers to apply and be accepted for membership with an SRO if they wish to operate in Canada. Securities legislation also requires that individual employees who are carrying out certain functions within investment dealers be registered.

  2. The Recognition Orders applicable to IIROC require it to, among other things: (i) regulate investment dealers; (ii) establish, administer and monitor its rules, policies and other similar instruments (Rules); and (iii) enforce compliance with its Rules by Dealer Members.
  3. Dealer Member Rules, enacted by IIROC, set out detailed requirements with which its Dealer Members are required to comply. According to IIROC, the Dealer Member Rules are long standing and were approved by the provincial Securities CommissionsFootnote 2. Further, IIROC indicated that there is both a recognition and reliance by the provincial Securities Commissions on IIROC for regulation of Dealer Members.
  4. IIROC Dealer Member Rule 1300.1 establishes the principle that 'Each Dealer Member shall use due diligence to learn and remain informed of the essential facts relative to every customer and to every order or account accepted'. Rule 1300.1 also requires Dealer Members to use due diligence to assess the suitability of proposed transactions for clients based on a number of factors "including the client's current financial situation, investment knowledge, investment objectives and time horizon, risk tolerance and the account or accounts' current investment portfolio composition and risk level."
  5. Dealer Member Rule 1300.2 establishes the principle that a Dealer Member must designate a supervisor to be responsible for the opening of new accounts and for establishing and maintaining procedures acceptable to IIROC for account supervision to ensure that the handling of client business is within the bounds of ethical conduct, consistent with just and equitable principles of trade and not detrimental to the interests of the securities industry. Dealer Member Rule 1300.2 further provides that, as part of this supervision, each new account must be opened pursuant to a new account form which includes the applicable information required by IIROC's New Client Application Form ("Form 2") for retail customer accounts.
  6. Form 2 is not a mandatory form that Dealer Members are required to use, as presented, under Dealer Member Rule 1300.2, but rather sets out the categories of information that Dealer Members are required to collect, consistent with the IIROC investor brochure, referenced above. Information requested on Form 2 includes: spouse's name, spouse's occupation, number of dependents, investment knowledge, net worth broken down by net liquid and fixed assets, and annual income from all sources.
  7. IIROC Dealer Member Rule 2500 Part II sets out further requirements for opening new retail accounts, including the principle that KYC procedures must also be directed at meeting a Dealer Member's gatekeeper obligations by identifying clients that present a high risk of conducting improper activities in the securities markets by, among other things, making a reasonable effort to determine the nature of the client's business. Dealer Member Rule 2500 Part II further provides KYC procedures must also meet the requirements of anti-money laundering and terrorist financial legislation and regulations. Through a memorandum of understanding with the Financial Transactions and Reports Analysis Centre of Canada ("FINTRAC"), IIROC monitors compliance with anti-money laundering legislation and reports to FINTRAC, as appropriate.
  8. IIROC further indicated that Dealer Member Rules 1300 and 2500 are based on principles and so the categories of information set out in the rules and in Form 2 are not exhaustive. IIROC has published a Guidance Note setting out IIROC's interpretation, expectations and suggested best practices relating to these KYC and account opening requirements [IIROC Notice 12-0109 - Know your client and suitability - Guidance (March 26, 2012)]. The document states in part:

    IIROC Dealer Member Rule 1300.2 requires that each account be opened pursuant to a new account application which includes, at a minimum, the collection of applicable information required by Form 2, also referred to as the New Account Application Form. […] The information collected regarding risk tolerance and investment objectives should be sufficiently precise to enable the Dealer Member and the Registered Representative to meet their suitability assessment obligations.

Information from the Respondent

  1. As part of this investigation our Office sought further explanation from the respondent regarding the collection of personal information on its KYC form. The Investment Industry Association of Canada (IIAC) responded on behalf of the respondent. IIAC indicated that the issues underlying the complaint are industry-wide as the respondent was complying with the IIROC's requirements when requesting the disputed information.
  2. The submissions received by our Office from IIAC were consistent with the information received from IIROC (outlined above). IIAC expanded upon the regulatory requirements, stating that the National Instrument 31-103 Registration Requirements and Exemptions, and in particular Part 13, which has force of law across the country, requires Dealer Members to do reasonable due diligence and collect sufficient information to satisfy IIROC's KYC and suitability requirements.
  3. Part 13 describes the KYC and suitability requirements. KYC relates to collecting sufficient information regarding a client; this includes the client's investment needs, financial circumstances, risk tolerance and credit worthiness. Suitability requirements relate to ensuring, based on the information collected pursuant to KYC requirements, that the purchase or sale of a security is suitable for the client.
  4. IIAC clarified that when the respondent asked the complainant to update his client information after 3 years (as per the respondent's practice), it did so to ensure it was satisfying its regulatory obligations to IIROC, namely having procedures in place to ensure that client information is accurate to comply with KYC and suitability requirements.
  5. Our Office requested additional information from the respondent with regard to three categories of information that appeared to go beyond that explicitly identified in Form 2, namely, number of years of investment experience, spouse's or partner's annual income, and assets and liabilities. IIAC responded on behalf of the respondent, and the response is summarized in the following paragraphs.
  6. In the request for additional information our Office indicated that the respondent appeared to be seeking a more detailed level of personal information than that required by Form 2, which only categorizes a client's investment knowledge (e.g. sophisticated, poor). IIAC responded that investment experience as requested by the respondent is vital to assist the Dealer Member to validate the client's stated investment knowledge. More specifically, IIAC explained that asking the client about his or her investment experience in dealing with various products (e.g. stocks, mutual funds) establishes the client's understanding of different investment products, and contributes to establishing the client's risk tolerance. For example, there are high-risk products that require a higher level of sophistication to understand the risk involved. IIAC further explained that collecting KYC information solely by asking clients to tick a box that best describes their investment objectives or risk tolerance would limit the Dealer Member's ability to provide clients with suitable advice which in turn may expose them to financial losses and the Dealer to unnecessary risk by failing to sufficiently satisfy his or her KYC obligations.
  7. According to IIAC by understanding the details with respect to all assets, liabilities and sources of income in a household, the firm can better assess suitability. The income of a spouse still fits into the client's overall financial position and ability to invest and incur losses. IIAC further indicated that even if a client were to act independently of a spouse in terms of the opening and operation of an investment account, the income of the spouse is still a factor to consider.
  8. Finally, our Office requested additional information relating to the respondent's seemingly more detailed request for assets and liabilities (as compared to Form 2 which requests net liquid and fixed assets, not requiring clients to explicitly disclose their total assets and liabilities). IIAC responded that the information required is not materially more detailed; the information enables the Dealer Member to establish a meaningful net worth figure for a client and therefore a more complete understanding of the client. A clear picture of the client's financial situation will help the firm identify situations where there may be unreasonable exposure or risk being incurred by a client, relative to his or her true financial position. IIAC further indicated that failure to understand the client's liabilities could affect proper protection of the client's interests and impact the Dealer Member's ability to properly assess a client's eligibility for products and services.

Application

  1. In making our determinations, we applied Principles 4.2, 4.3.3 and 4.4 of Schedule 1 of the Act and Subsection 5(3) of the Act.
  2. Subsection 5(3) stipulates that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate under the circumstances.
  3. Principle 4.2 stipulates that the purposes for which the personal information is collected shall be identified by the organization at or before the time the information is collected.
  4. Principle 4.3.3 states that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
  5. Principle 4.4 stipulates that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization.

Findings

Requiring Consent for the Collection of Information Beyond What is Required

Specifying Purposes

  1. In determining whether there has been a contravention of Principle 4.3.3, we must first determine whether the purposes for which the respondent collected the personal information were explicitly specified. The respondent informed both the complainant and our Office that the disputed information was requested for the purpose of compliance with IIROC's KYC requirements. The brochure provided to the complainant also described the information a Dealer Member is required to collect and why that information is necessary. As a result, in our view, the respondent did identify its purposes for the collection of the information.

Legitimate Purposes

  1. Next, we must consider whether the stated purposes are appropriate. As cited in paragraph 19 above, National Instrument 31-103 Registration Requirements and Exemptions requires Dealer Members to conduct reasonable due diligence and collect sufficient information to satisfy IIROC's KYC and suitability requirements. National Instrument 31-103 has force of law across the country.
  2. IIROC has been recognized as an SRO and is required to regulate investment dealers. IIROC enacted Dealer Member Rules that were approved by the provincial Securities Commissions. Included in those rules are requirements that Dealer Members learn and remain informed of essential facts relative to each of their customers.
  3. We are of the view that a reasonable person would consider the collection of information for the purpose of complying with the KYC and suitability requirements as being appropriate in the circumstances.

More Information than Necessary to Achieve the Purpose

  1. We must therefore consider whether the respondent is requiring more information than necessary to achieve the legitimate purpose (i.e. compliance with KYC and suitability requirements) as a condition of service.
  2. The information the respondent was requesting from the complainant, and which it maintains was required in order to maintain his accounts, does not appear to have been collected initially by the respondent. It is not clear why this is the case. Nevertheless the issue is whether the respondent did, in the circumstances, require the information in order to continue operating the accounts.
  3. Upon refusing to provide the information requested on the respondent's KYC Update Form, the complainant was required to "transfer-out" his accounts. It follows that the information was required as a condition of service.
  4. At issue, is whether the required information was more information than necessary to achieve the purpose. The disputed information is:
    • the number of years' investment experience with: stocks, bonds, mutual funds, options, and short selling;
    • annual income;
    • spouse's or partner's annual income;
    • number of dependents;
    • liquid assets, fixed assets and liabilities; and
    • estimated net worth.
  5. The non-exhaustive categories of information set out in the Dealer Member Rules and Form 2 include:
    • spouse's name,
    • spouse's occupation,
    • number of dependents,
    • investment knowledge,
    • net worth (net liquid and fixed assets), and
    • annual income from all sources.
  6. The guidance note for Dealer Members also indicates that IIROC Dealer Member Rule 1300.2 requires that each account be opened pursuant to a new account application which includes, at a minimum, the collection of applicable information required by Form 2.
  7. The following personal information, requested from the complainant by the respondent, tracks the information identified in Form 2: annual income, number of dependents and net worth. In light of IIROC's responsibilities to regulate investment dealers, and given the approval of the Dealer Member Rules by the provincial Security Commissions, our Office accepts that the respondent appropriately required these pieces of personal information.
  8. The remaining personal information requested from the complainant is not explicitly identified in Form 2. However, we accept that Form 2 was not intended to exhaustively set out the information that Dealer Members may be required to collect in order to satisfy their KYC and suitability requirements. We will therefore assess the additional categories of information requested by the respondent individually.

i. Number of years' investment experience

  1. IIAC represented that investment experience as requested by the respondent is vital to assist the Dealer Member to validate the client's stated investment knowledge. More specifically, IIAC explained that asking the client about his or her investment experience in dealing with various products (e.g. stocks, mutual funds) establishes the client's understanding of different investment products, and contributes to establishing the client's risk tolerance. In addition, the IIROC guidance notice 12-0109 states that the information collected regarding risk tolerance should be sufficiently precise to enable the Dealer Member and the Registered Representative to meet their suitability assessment obligations.
  2. Compliance with IIROC's Dealer Member Rule 1300.1 requires, in part, that Dealer Members use due diligence to assess the suitability of proposed transactions for clients based on a number of factors including the client's current investment knowledge. Our Office accepts that the respondent will gain a clearer understanding of a client's investment knowledge by requiring the number of years' investment experience with various investment products.

ii. Spouse's or partner's annual income

  1. According to IIAC, a spouse's income contributes to the client's overall financial position and ability to invest and incur losses. By understanding the details with respect to all assets, liabilities and sources of income in a household, the firm can better assess suitability. We accept the respondent's position that a spouse's income impacts a client's suitability assessment.
  2. Dealer Member Rule 1300.1 requires that Dealer Members use due diligence to assess the suitability of proposed transactions for clients based on a number of factors including the client's current financial situation. In our view, by requiring the complainant to provide his spouse's income, the respondent did not require more information than necessary to achieve the purpose of compliance with KYC.

iii. Assets and Liabilities

  1. On behalf of the respondent, IIAC explained that failure to understand the client's liabilities could affect proper protection of the client's interests and impact the Dealer Member's ability to properly assess a client's eligibility for products and services.
  2. We accept the respondent's position that a client's liabilities can impact the suitability assessment. Therefore, we are of the view that the respondent was justified in its requirement for asset and liability information, in order to comply with Dealer Member Rule 1300.1.

Conclusion

  1. Accordingly, we conclude that the allegation that the respondent requires more information than necessary as a condition of service is not well-founded.
Date modified: