CIRO Director and Executive Exam Quick Reference

Last revised: June 29, 2026

Compact exam-prep reference for the CIRO Director and Executive Exam covering governance, supervision, risk, capital, conduct, conflicts, and compliance.

Exam identity and study lens

Item	Reference
Official provider	Canadian Investment Regulatory Organization
Official exam title	CIRO Director and Executive Exam
Official exam code	Director & Executive Exam
Candidate lens	Director, executive, senior officer, or control-function candidate at a CIRO-regulated dealer
Best study approach	Think like an accountable executive: governance, supervision, escalation, controls, client protection, financial soundness, and regulatory cooperation

This independent Quick Reference is designed for final review. Use it to organize rules and concepts around decisions a director or executive must make, not around isolated definitions.

High-yield exam themes

Theme	What to know	Common trap
Governance accountability	Board and senior management must ensure effective oversight, risk management, compliance culture, and adequate resources.	Delegating work to management, compliance, or vendors does not eliminate accountability.
Regulatory structure	CIRO rules operate alongside securities legislation, CSA instruments, provincial/territorial regulators, AML law, privacy law, tax rules, and marketplace rules.	Treating CIRO as the only authority. Dealer activity can trigger multiple regimes.
Registration and approval	Titles, functions, authority, ownership, and client-facing activity can trigger registration, approval, proficiency, or disclosure requirements.	Assuming a corporate title alone determines regulatory status. Function matters.
Supervision	Supervision must be risk-based, documented, tested, escalated, and responsive to red flags.	Relying on policies without evidence of implementation.
Client-focused conduct	KYC, KYP, suitability, conflicts, costs, relationship disclosure, complaint handling, and vulnerable-client controls are central.	Believing disclosure cures every conflict or suitability issue.
Financial soundness	Capital, liquidity, segregation, margin, reconciliations, books and records, insurance, and operational resilience protect clients and markets.	Viewing finance as only the CFO’s issue. Directors need oversight evidence.
Enforcement exposure	Individuals and firms can face reviews, terms and conditions, fines, suspensions, bans, settlements, or hearings.	Assuming only the firm is exposed when management ignored red flags.

Regulatory map

Body / regime	Main role for exam purposes	Director/executive focus
Canadian Investment Regulatory Organization	National self-regulatory organization for investment dealers, mutual fund dealers, and marketplace regulation functions.	Dealer compliance with CIRO rules, approved person conduct, supervision, market conduct, financial compliance, enforcement cooperation.
Provincial and territorial securities regulators	Securities legislation, registration framework, prospectus/exemptions, market integrity, investor protection, enforcement.	Ensure firm activities satisfy both CIRO requirements and applicable securities laws.
Canadian Securities Administrators instruments	National and multilateral rules such as registration, registrant conduct, conflicts, disclosure, and derivatives-related obligations where applicable.	Know when CSA rules set baseline registrant obligations beyond CIRO rules.
Canadian Investor Protection Fund	Investor protection fund for eligible client property held by member firms, subject to its rules.	Ensure client asset segregation, custody controls, records, and communication accuracy.
FINTRAC / AML regime	Anti-money laundering, terrorist financing, sanctions-related controls, reporting, records, risk assessment, training.	Board and executive oversight of AML compliance program and escalation.
Marketplaces and clearing entities	Trading venues, clearing, settlement, margin, operational processes.	Understand execution, settlement, clearing, custody, and counterparty risk.
Privacy and cybersecurity regimes	Protection of personal information, breach response, data governance.	Ensure incident response, vendor controls, access controls, and board reporting.

Rulebook orientation

Rule area	Candidate must be able to recognize
CIRO Investment Dealer and Partially Consolidated Rules	Core investment dealer obligations: business conduct, supervision, capital, margin, financial reporting, books and records, approved persons, complaints, client accounts, trading-related controls.
CIRO Mutual Fund Dealer Rules	Mutual fund dealer conduct, supervision, client account, sales practice, and dealer responsibility requirements where applicable.
Harmonized CIRO rule development	CIRO continues to harmonize legacy rule frameworks. Confirm which rule set applies to the firm, line of business, and exam scenario.
Securities legislation and CSA instruments	Registration, conflicts, client-focused reforms, prospectus/exempt market rules, continuous disclosure, market abuse prohibitions, and enforcement powers.
Firm policies and procedures	Internal policies cannot be weaker than regulatory requirements; they must be implemented, monitored, and updated.

Governance roles and accountability

Role	Core responsibility	What good oversight evidence looks like
Board of directors	Set tone, approve strategy/risk appetite, oversee senior management, capital, compliance, client protection, conflicts, and major risks.	Minutes showing challenge, reports reviewed, decisions, follow-up items, and escalation tracking.
Individual director	Exercise care, diligence, independent judgment, and informed oversight.	Questions asked, dissent or challenge recorded where appropriate, evidence of preparation.
Chief executive / senior executive	Execute strategy, maintain control environment, allocate resources, supervise management, ensure regulatory cooperation.	Management dashboards, accountability mapping, remediation ownership, escalation records.
Ultimate Designated Person	Promotes and oversees compliance culture and firm-wide compliance system.	Compliance priorities, board reporting, unresolved issues escalated, resource gaps addressed.
Chief Compliance Officer	Establishes and monitors compliance system, reports issues, advises management and board.	Compliance testing, exception reports, issue logs, annual/periodic reports where required.
Chief Financial Officer / finance leader	Financial records, capital, liquidity, reconciliations, regulatory financial reporting, accounting controls.	Capital dashboards, reconciliation sign-offs, audit findings, variance explanations.
Supervisors / branch managers	Day-to-day supervision of approved persons, accounts, trades, complaints, outside activities, and red flags.	Reviews documented, exception reports cleared, escalations timely.
Approved persons / registrants	Client-facing and regulated activity within authority, competence, and dealer policies.	Registration status, training records, supervision outcomes, complaint history.
Internal audit / risk / control functions	Independent testing, risk assessment, control validation, governance assurance.	Audit plans, findings, management responses, repeat-issue tracking.

Governance checklist for directors and executives

Confirm the firm has a current regulatory obligation inventory.
Review risk appetite and ensure it matches products, clients, leverage, geography, and technology.
Require dashboards for capital, liquidity, complaints, supervision exceptions, cybersecurity, AML, and high-risk products.
Ask whether compliance and supervision teams have enough authority, independence, staffing, and technology.
Track repeat findings from CIRO exams, internal audit, external audit, client complaints, and branch reviews.
Ensure conflicts are identified before products, compensation grids, referrals, or acquisitions are implemented.
Require documented escalation criteria for material breaches, client harm, financial deterioration, and regulatory inquiries.
Verify board minutes reflect challenge, not passive receipt of reports.

Registration, approval, and proficiency decision points

Scenario	Exam-relevant issue	Better answer
New executive joins with authority over dealer operations	May require approval, registration, disclosure, or proficiency depending on function.	Analyze actual authority and regulated activities, not only job title.
Director is not client-facing	Still may be subject to CIRO approval and conduct expectations.	Director oversight role can create regulatory obligations even without sales activity.
Employee gives investment recommendations	Registration category and proficiency may be required.	Do not permit advice activity through an unregistered or improperly supervised person.
Approved person starts side business	Outside activity, conflict, reputation, time commitment, and client confusion concerns.	Require prior disclosure, firm review, approval where required, and ongoing monitoring.
Executive controls another entity doing business with dealer	Related-party, referral, conflict, outsourcing, and financial exposure concerns.	Escalate to conflict review, board oversight, documentation, and client disclosure where appropriate.
Individual changes role or authority	Registration/approval records may need updates.	Use change-management controls for role, ownership, discipline, outside activity, and location changes.

Three-lines-of-defence view

Line	Function	Director/executive exam focus
First line	Business units and supervisors own risks in client activity, trading, operations, and products.	Business cannot outsource compliance thinking to the compliance department.
Second line	Compliance, risk, AML, privacy, finance controls, and other oversight functions.	Must have authority, independence, reporting access, and resources.
Third line	Internal audit or independent assurance.	Tests whether controls work; repeat findings are major governance red flags.
Board / committees	Oversight above all lines.	Must challenge, approve appetite, monitor remediation, and ensure accountability.

Client account and conduct reference

Area	Required exam thinking
KYC	Know the client’s identity, financial circumstances, investment knowledge, objectives, risk profile, time horizon, liquidity needs, constraints, and relevant personal circumstances.
KYP	Understand each product’s structure, costs, risks, liquidity, complexity, conflicts, target client, restrictions, and ongoing monitoring needs.
Suitability	Assess recommendations and accepted orders using KYC and KYP, with the client’s interest placed first where required.
Relationship disclosure	Clients must understand account type, services, fees, conflicts, reporting, complaint process, and firm/client responsibilities.
Conflicts	Identify, avoid or address material conflicts in the client’s interest, and disclose clearly when disclosure is part of the control set.
Costs and compensation	Consider embedded fees, commissions, spreads, referral fees, trailing commissions, performance fees, borrowing costs, and switching costs.
Leverage and margin	Requires special attention to risk tolerance, ability to absorb loss, liquidity, suitability, and supervision.
Discretionary authority	Higher control standard; authority must be permitted, documented, supervised, and limited to approved arrangements.
Vulnerable clients	Watch for diminished capacity, financial exploitation, trusted contact issues, power of attorney concerns, and temporary hold escalation where applicable.
Complaints	Treat possible misconduct, client loss, or unsuitable advice seriously; investigate impartially and document resolution.

KYC, KYP, and suitability traps

Trap	Why it is wrong	Exam-safe correction
“The client signed the form, so suitability is satisfied.”	Signature is evidence, not analysis.	Confirm information is reasonable, current, and applied to the recommendation/order.
“High net worth means high risk tolerance.”	Capacity for loss is not the same as willingness to accept risk.	Assess risk tolerance and risk capacity separately.
“The product is approved, so it is suitable for everyone.”	KYP approval is product-level; suitability is client-specific.	Match product attributes to the client profile and account context.
“OEO account means no controls.”	Order-execution-only reduces advice obligations but not all conduct, disclosure, conflict, or market integrity obligations.	Maintain appropriate account, disclosure, trading, and complaint controls.
“Disclosure fixes the conflict.”	Some conflicts must be avoided or controlled; disclosure alone may be inadequate.	Identify, assess materiality, control or avoid, disclose clearly when appropriate.
“Institutional client means no oversight.”	Some obligations may differ, but fair dealing, conflicts, market integrity, and documentation still matter.	Apply the correct standard for the client category and activity.

Conflict of interest quick reference

Conflict source	Risk	Strong control
Proprietary products	Biased shelf, compensation incentive, limited comparison.	Product due diligence, suitability controls, clear disclosure, compensation review.
Referral arrangements	Client confusion, undisclosed compensation, unsuitable referral.	Written agreement, due diligence, disclosure, supervision, conflict review.
Sales contests / grids	Incentive to recommend higher-paying or inappropriate products.	Pre-approval, monitoring, balanced scorecards, prohibition of harmful incentives.
Outside activities	Time conflict, client confusion, undisclosed compensation, reputational risk.	Prior approval, periodic attestations, client disclosure where needed, monitoring.
Personal financial dealings	Borrowing/lending, guarantees, private investments with clients.	Prohibit or tightly control; escalate exceptions.
Gifts and entertainment	Influence over product selection, execution, allocation, or research.	Limits, pre-clearance, registers, review for patterns.
Allocation of limited opportunities	Favouritism among clients, staff, or related accounts.	Fair allocation policy, timestamps, allocation rationale, surveillance.
Research/investment banking conflict	Biased recommendations or disclosure.	Information barriers, disclosure, supervision, restricted lists.
Insider information	Illegal trading, tipping, reputation damage.	Watch/restricted lists, barriers, training, escalation.

Conflict decision path

    flowchart TD
	A[Potential conflict identified] --> B{Is it material?}
	B -- No --> C[Document assessment and monitor]
	B -- Yes --> D{Can it be avoided?}
	D -- Yes --> E[Avoid or prohibit activity]
	D -- No --> F[Design controls in client's interest]
	F --> G{Is disclosure also needed?}
	G -- Yes --> H[Clear, timely, specific disclosure]
	G -- No --> I[Document why disclosure not required]
	H --> J[Supervise, test, and escalate breaches]
	I --> J
	E --> J

Supervision framework

Supervision area	What directors/executives should expect
Account opening	Risk-based approval, KYC completeness, account type appropriateness, vulnerable-client flags, leverage/margin approvals.
Trade review	Pre-trade or post-trade review based on risk, product, representative history, client profile, concentration, and exception triggers.
Branch supervision	Periodic reviews, supervisor independence, complaint review, outside activities, marketing, books and records, client communications.
Electronic communications	Approved channels, retention, surveillance, lexicon alerts, personal device controls.
Marketing and social media	Fair, balanced, not misleading, approved before use where required, records retained.
High-risk representatives	Enhanced supervision for complaints, disciplinary history, sales patterns, high concentration, outside activities, or leverage use.
Product shelf	New product approval, ongoing due diligence, concentration monitoring, training, and client disclosure.
Delegation	Duties may be delegated, but oversight, reporting, and accountability remain.

New product approval matrix

Gate	Key questions
Product purpose	What client need does it serve? Is it investment, speculation, hedging, income, liquidity, tax, or protection?
Complexity	Can representatives, supervisors, and clients reasonably understand the structure and risk?
Market and liquidity risk	Can clients exit? Are values observable? What happens in stressed markets?
Credit/counterparty risk	Who owes performance? What is the exposure if issuer, guarantor, or counterparty fails?
Cost and compensation	Are fees, embedded costs, spreads, commissions, and incentives transparent and reasonable?
Target market	Which clients may be appropriate? Which clients should be excluded?
Tax/accounting issues	Are representations supportable? Are tax assumptions uncertain or client-specific?
Operations	Can systems book, price, settle, custody, report, and supervise the product?
Legal/regulatory	Are offering documents, exemptions, registration, disclosure, and advertising controls adequate?
Training	Are representatives and supervisors trained before launch?
Post-launch monitoring	Are complaints, concentrations, performance, liquidity, and exceptions reviewed?

Trading and market conduct

Concept	Exam meaning	Red flags
Best execution	Policies and processes to obtain advantageous execution terms for client orders, considering relevant factors.	Routing based mainly on payment, convenience, or affiliate benefit without controls.
Client priority	Client orders generally must not be disadvantaged by firm or employee trading.	Principal or employee trades ahead of client interest.
Manipulative/deceptive trading	Conduct creating false or misleading appearance of trading activity or price.	Wash trades, spoofing, layering, marking the close, artificial volume.
Insider trading / tipping	Trading or informing others while in possession of material non-public information.	Unusual trading before announcements, weak information barriers.
Front-running	Trading ahead of known client or market-moving orders.	Proprietary or employee trades before large client orders.
Short sale controls	Proper order marking, locate/settlement controls where applicable, and supervision.	Persistent fails, mismarked orders, abusive short activity.
Fair allocation	Equitable allocation among client accounts and proprietary accounts.	Favouring high-fee clients, related accounts, or employees.
Trade errors	Prompt identification, correction, client fairness, root-cause remediation.	Hiding errors, allocating losses to clients, inconsistent correction.

Financial, capital, and operations reference

Area	Director/executive focus
Capital adequacy	Dealer must maintain required capital and monitor deterioration. Board should receive trend reporting and early-warning indicators.
Liquidity	Ability to meet obligations during normal and stressed conditions, including settlement, margin calls, client withdrawals, and funding disruptions.
Books and records	Accurate, complete, timely records support supervision, financial reporting, tax, audit, and regulatory examination.
Client asset segregation	Client property must be identified, safeguarded, reconciled, and separated from firm misuse.
Margin	Margin rules reduce credit exposure but do not eliminate market, liquidity, or suitability risk.
Reconciliations	Bank, custodian, security position, client ledger, suspense, and control-account breaks must be investigated.
Pricing and valuation	Hard-to-value securities require independent review, documentation, and escalation.
Insurance	Fidelity, fraud, and operational coverage should align with business risks and regulatory expectations.
Introducing/carrying arrangements	Responsibilities for accounts, custody, statements, margin, supervision, and client communications must be clear.
Outsourcing	Outsourced functions require due diligence, contracts, monitoring, access to records, BCP, privacy, and regulatory access.
Business continuity	Plans must cover people, premises, technology, vendors, cyber incidents, market disruption, and communications.

Core finance formulas worth remembering

\[ \text{Working Capital} = \text{Current Assets} - \text{Current Liabilities} \]\[ \text{Equity in a Margin Account} = \text{Market Value of Securities} + \text{Credit Balance} - \text{Debit Balance} \]\[ \text{Loan Value} = \text{Market Value} \times \text{Permitted Loan Rate} \]\[ \text{Concentration Percentage} = \frac{\text{Exposure to Issuer, Sector, Client, or Counterparty}}{\text{Relevant Portfolio, Capital, or Exposure Base}} \times 100 \]

Use these as conceptual tools. For the real exam, apply any CIRO-specific capital, margin, or reporting rule stated in the question.

Risk taxonomy for directors and executives

Risk	Meaning	Board-level question
Conduct risk	Clients or markets harmed by behaviour, incentives, weak supervision, or culture.	What behaviours are rewarded, tolerated, and escalated?
Compliance risk	Breach of CIRO rules, securities law, AML, privacy, tax, or internal policy.	Are obligations mapped to controls and tested?
Credit risk	Counterparty, issuer, client margin, or settlement failure.	What exposures are concentrated and how are they collateralized?
Market risk	Loss from price, rate, FX, volatility, or spread movement.	What stress scenarios could exceed appetite?
Liquidity risk	Inability to meet obligations or unwind positions without unacceptable loss.	What funding sources and contingency plans exist?
Operational risk	People, process, system, fraud, error, or vendor failure.	Which key controls are manual, fragile, or untested?
Cyber risk	Unauthorized access, ransomware, data loss, service disruption.	Are incident plans tested and reported to the board?
Model risk	Incorrect models for margin, valuation, surveillance, credit, or advice tools.	Who validates assumptions and overrides?
Legal risk	Contracts, litigation, enforceability, disclosure, fiduciary or agency issues.	Are legal risks escalated before launch or transaction approval?
Reputational risk	Loss of trust from client harm, enforcement, media, or control failure.	Are issues addressed early or minimized until they become public?
Strategic risk	Business model, acquisition, expansion, or technology risk.	Does the firm’s control environment match its growth plan?
Third-party risk	Vendor, affiliate, cloud, custodian, or carrying broker failure.	Can the firm continue and access records if the vendor fails?

AML, sanctions, and financial crime controls

Control	Exam focus
Client identification	Verify identity and understand the nature of the client relationship.
Beneficial ownership	Identify individuals who own or control entities where required.
Politically exposed persons / high-risk clients	Apply enhanced review and senior approval where required.
Ongoing monitoring	Review activity against expected account behaviour.
Suspicious activity	Escalate and report according to AML procedures and legal requirements.
Sanctions screening	Screen clients, counterparties, and transactions against applicable sanctions controls.
Training	Tailor training to roles: front office, operations, compliance, executives, and board.
Independent effectiveness review	Test whether AML controls work, not just whether policies exist.
Recordkeeping	Maintain records that support regulatory review and investigations.

Complaints, investigations, and enforcement

Item	Practical distinction
Service issue	Administrative or service concern without misconduct, loss, or rule breach indicators; still track for patterns.
Regulatory complaint	Allegation of unsuitable advice, misrepresentation, unauthorized trading, fraud, fee issue, conflict, or other misconduct.
Internal investigation	Must be impartial, documented, timely, and independent of conflicted personnel.
Client remediation	Consider financial harm, account correction, fee reversal, interest, tax consequences, and communication clarity.
External dispute resolution	Clients may have access to independent dispute resolution processes where applicable.
CIRO examination	Regulatory review of books, records, supervision, capital, and conduct; cooperation is expected.
Enforcement matter	Can involve document requests, interviews, allegations, settlements, hearings, and sanctions.
Individual exposure	Directors, executives, supervisors, and approved persons can face consequences for personal misconduct or failure to supervise.

Escalation workflow for material issues

    flowchart TD
	A[Issue or red flag discovered] --> B[Stabilize client, market, capital, or data risk]
	B --> C[Preserve records and facts]
	C --> D{Potential rule breach, client harm, AML, privacy, or capital issue?}
	D -- No --> E[Resolve, document, monitor trend]
	D -- Yes --> F[Escalate to responsible executive, compliance, legal, and risk]
	F --> G{Regulatory/client reporting required?}
	G -- Yes --> H[Report through approved process]
	G -- No --> I[Document rationale]
	H --> J[Remediate root cause]
	I --> J
	J --> K[Test fix and report closure to management/board]

Records and evidence that exam scenarios often imply

Area	Evidence candidates should expect
Board oversight	Agendas, minutes, reports, challenge, approvals, follow-up logs.
Registration	NRD records, approvals, proficiency evidence, role descriptions, change notices.
Supervision	Exception reports, account reviews, trade reviews, branch reviews, escalation notes.
KYC/KYP/suitability	Client forms, updates, product due diligence, suitability rationale, concentration reviews.
Conflicts	Conflict inventory, assessments, approvals, disclosures, monitoring results.
Complaints	Complaint log, investigation file, correspondence, resolution, trend analysis.
Financial compliance	Capital calculations, reconciliations, financial statements, audit files, variance explanations.
AML	Risk assessment, client ID, beneficial ownership, monitoring alerts, reports, training.
Cyber/privacy	Access logs, incident reports, breach assessment, vendor reviews, recovery testing.
Outsourcing	Due diligence, contracts, service levels, audit rights, BCP, termination plan.

Scenario shortcuts

If the question says…	Think first about…
“Senior management knew but did not act”	Failure to supervise, weak escalation, governance accountability.
“Compliance identified repeat exceptions”	Root-cause remediation, resources, escalation to executives/board.
“High commissions from one product”	Conflict, KYP, suitability, compensation incentives, concentration.
“Client is elderly and suddenly changes instructions”	Vulnerable client, trusted contact, exploitation red flags, documentation.
“Representative uses personal email/text”	Books and records, supervision, privacy, cybersecurity, off-channel communications.
“New fintech platform or robo-advice tool”	Algorithm governance, KYC, suitability logic, disclosure, cyber, model risk.
“Affiliate provides services”	Related-party conflict, outsourcing, referral, fair pricing, client disclosure.
“Dealer expands into complex products”	Product approval, training, supervision, capital, liquidity, operational readiness.
“Unreconciled positions or suspense accounts”	Books and records, client asset risk, financial control weakness.
“Market disruption or cyberattack”	BCP, incident response, client communication, regulatory escalation.

Common exam traps to avoid

Confusing board oversight with day-to-day management execution.
Treating compliance as advisory only when issues require executive action.
Assuming a client’s sophistication eliminates all dealer obligations.
Ignoring conflicts because the client made money.
Treating KYC as a static onboarding form rather than an ongoing obligation.
Approving products before operations, supervision, and training are ready.
Focusing only on sales compliance while missing capital, custody, cyber, AML, or privacy risk.
Assuming regulatory reporting is optional until every fact is known.
Letting business growth outpace compliance staff, systems, and supervisory capacity.
Failing to document why decisions were reasonable at the time.

Final review checklist

Before sitting for the CIRO Director and Executive Exam, make sure you can:

Explain how the Canadian Investment Regulatory Organization fits with securities regulators and other legal regimes.
Distinguish board, executive, CCO, CFO, supervisor, and approved-person responsibilities.
Apply KYC, KYP, suitability, conflicts, and complaint rules to short scenarios.
Identify when escalation, remediation, board reporting, or regulatory reporting may be required.
Recognize financial control red flags involving capital, margin, segregation, reconciliation, and liquidity.
Evaluate outsourcing, new products, cyber incidents, AML alerts, and related-party arrangements.
Choose the governance answer that documents challenge, assigns accountability, fixes root causes, and protects clients.

Practical next step

Use this Quick Reference as a checklist while working scenario-based practice questions. For each missed question, write the issue, the accountable role, the required control, and the likely escalation path.

Scenario Guide

Element 1 — General Regulatory Framework