This independent Quick Reference supports preparation for the Canadian Securities Institute (CSI) Chief Compliance Officers Qualifying Examination (exam code CCO). Use it as a compact review of CCO responsibilities, regulatory decision points, supervision expectations, and common exam traps.
Core CCO Exam Orientation
| Area | What to know for the exam | High-yield trap |
|---|---|---|
| CCO role | The CCO designs, maintains, monitors, and assesses the firm’s compliance system and reports significant issues. | The CCO does not “own” every business decision; business management remains accountable for compliant operations. |
| UDP role | The Ultimate Designated Person promotes a compliance culture and supervises the firm’s activities at the senior level. | Do not confuse strategic compliance culture responsibility with day-to-day testing and monitoring. |
| Registration | Know firm and individual registration categories, proficiency, conduct, permitted activities, and ongoing obligations. | Registration is activity-based; titles and compensation labels do not override what the person actually does. |
| Client-focused obligations | KYC, KYP, suitability, conflicts, relationship disclosure, misleading communications, and complaint handling. | Disclosure alone is not enough for a material conflict if the conflict must be avoided or controlled. |
| Supervision | Policies, procedures, surveillance, approvals, escalation, evidence, and remediation. | A policy that is not tested, evidenced, or enforced is weak control evidence. |
| Regulatory framework | Provincial/territorial securities regulators, Canadian Securities Administrators instruments, and applicable self-regulatory organization rules. | Securities regulation is not only one statute or one regulator; obligations can overlap. |
| AML/ATF and sanctions | Client identification, beneficial ownership, politically exposed persons, suspicious activity, recordkeeping, and reporting concepts. | AML compliance is separate from securities suitability, but both can affect account opening and monitoring. |
| Conflicts and ethics | Identify, assess, avoid/control/disclose, document, and supervise. | “Client consent” does not automatically cure an unmanageable conflict. |
Regulatory Framework Snapshot
| Source / body | Practical exam relevance | Typical CCO concern |
|---|---|---|
| Provincial and territorial securities regulators | Registration, prospectus requirements, enforcement, exemptions, market conduct. | Is the firm registered for the activity and complying in every jurisdiction where it acts? |
| Canadian Securities Administrators instruments and policies | Harmonized national instruments, companion policies, notices, and guidance. | Policies must reflect the current regulatory standard, not only internal custom. |
| CIRO, where applicable | Dealer member rules, supervision, proficiency, financial compliance, business conduct, complaints, and sales practices. | SRO rules may impose more detailed supervisory expectations than general securities law. |
| FINTRAC / AML regime | Anti-money laundering and anti-terrorist financing compliance obligations. | AML red flags must be escalated even when a trade appears suitable. |
| Privacy and cybersecurity expectations | Safeguarding client information, breach response, vendor oversight, access controls. | Outsourcing technology does not outsource accountability. |
| Corporate law / governance | Board oversight, officer responsibilities, minutes, resolutions, delegations. | Governance evidence matters: decisions should be documented. |
| Common law and civil liability | Negligence, misrepresentation, fiduciary-like obligations, damages. | Compliance with a rule may not eliminate civil risk. |
Key Roles and Accountability
| Role | Primary responsibility | Exam distinction |
|---|---|---|
| Board / equivalent governing body | Oversight of the firm, risk appetite, major policies, senior management accountability. | Oversees; does not normally perform daily compliance testing. |
| UDP | Promotes a culture of compliance and supervises firm activities at the highest executive level. | Senior leadership accountability; cannot be a passive figurehead. |
| CCO | Establishes and maintains compliance policies, monitors and assesses compliance, reports material issues and annually reports to governance. | Compliance control leader; needs authority, access, resources, and independence appropriate to the firm. |
| Branch manager / supervisor | Supervises representatives, accounts, trades, communications, and branch procedures. | Front-line supervisory role; CCO should test whether supervision works. |
| Dealing representative / advising representative | Client interaction, KYC, recommendations/advice, disclosure, documentation, ethical conduct. | Individual registrants remain personally responsible for compliant conduct. |
| Operations / finance | Books and records, custody, reconciliations, capital, trade processing, error handling. | Operational failures can become compliance breaches. |
| Legal counsel | Interprets law, advises on agreements, disputes, exemptions, regulatory responses. | Legal advice supports compliance but does not replace the CCO’s monitoring function. |
| Internal audit / independent reviewer | Independent assurance, where present. | Audit is not the same as the CCO function; use findings for remediation. |
CCO Responsibility Checklist
| Responsibility | Practical evidence to look for | Red flags |
|---|---|---|
| Compliance policies and procedures | Current manual, approval history, mapped rules, version control, staff attestations. | Outdated policies, no owner, no testing, no exception process. |
| Monitoring and testing | Annual plan, risk-based reviews, samples, surveillance reports, exception logs. | “No issues found” without workpapers or rationale. |
| Escalation | Written escalation matrix, issue severity ratings, UDP/board reporting. | Significant issues handled informally with no record. |
| Annual compliance reporting | Report to board or equivalent body, key findings, remediation status, resource needs. | Purely descriptive report with no risk assessment or action items. |
| Significant non-compliance reporting | Prompt escalation to UDP and governance as required by the firm’s obligations. | Waiting for the annual report when immediate escalation is appropriate. |
| Training | New hire and periodic training, completion tracking, role-specific modules. | Training not tied to rule changes, product risks, or prior deficiencies. |
| Registration oversight | Sponsorship, proficiency checks, outside activities, changes in information. | Representatives acting before approval, or continuing to act while a material change in their information is ignored. |
| Conflicts program | Inventory, assessment, controls, disclosures, monitoring. | Conflicts disclosed generically but not controlled. |
| Complaint handling | Intake, acknowledgment, investigation, response, root-cause analysis. | Treating all complaints as customer service issues without compliance review. |
| Regulatory interaction | Exam responses, notices, deficiency letters, enforcement inquiries, commitments. | Commitments to regulators not tracked to completion. |
Firm Registration and Business Model Decisions
| Question | If yes, consider | If no, consider |
|---|---|---|
| Is the firm in the business of trading securities? | Dealer registration category and applicable exemptions. | Is the activity incidental, exempt, or outside securities trading? |
| Is the firm giving securities advice? | Adviser registration and representative registration. | Are communications general education, factual information, or non-tailored commentary? |
| Is the firm managing an investment fund? | Investment fund manager obligations. | Is the firm only distributing or advising a fund? |
| Does the firm distribute under prospectus exemptions? | Exempt market dealer controls, accredited investor or other exemption due diligence, risk acknowledgments where applicable. | Prospectus-qualified distribution or no distribution activity. |
| Does the firm handle client assets? | Custody, segregation, insurance, reconciliation, books and records. | Still assess access to instructions, account data, and authority. |
| Does the firm operate in multiple jurisdictions? | Multi-jurisdiction registration, notice filings, local requirements. | Confirm no clients, solicitation, or activities trigger another jurisdiction. |
Individual Registration and Conduct
| Topic | CCO review point | Common exam trap |
|---|---|---|
| Proficiency | Confirm required courses, experience, and category-specific requirements. | A person’s seniority does not replace required proficiency. |
| Permitted activities | Activities must match registration category and firm approval. | A registered individual cannot simply operate in another category because a client requests it. |
| Outside activities | Identify, approve, disclose where required, supervise conflicts. | “Unpaid” activities can still create conflicts or reputational risk. |
| Referral arrangements | Written terms, disclosure, conflict assessment, supervision. | Calling compensation a “marketing fee” does not avoid referral rules. |
| Changes to registration information | Monitor and file changes when required. | Late updates can be a compliance issue even if the underlying conduct is acceptable. |
| Misleading titles | Titles must not imply unavailable registration, expertise, or independence. | “Senior wealth specialist” can be problematic if it misleads about qualifications or role. |
| Personal financial dealings | Restrict borrowing/lending, guarantees, private investments with clients. | Client consent does not eliminate power imbalance or conflict risk. |
Client-Focused Obligations
| Obligation | What the firm must operationalize | Control examples |
|---|---|---|
| Know your client | Collect and keep current client identity, financial circumstances, investment needs, objectives, risk profile, time horizon, and relevant constraints. | Account opening forms, periodic update prompts, material change triggers. |
| Know your product | Understand and approve products before making them available or recommending them. | Product due diligence committee, risk ratings, target market, restricted product list. |
| Suitability | Determine whether a recommendation or action is suitable and puts the client’s interest first, using KYC and KYP. | Suitability review at account opening, trade review, concentration reports. |
| Conflicts of interest | Identify material conflicts and address them in the client’s best interest. | Avoid, control, disclose, and test effectiveness. |
| Relationship disclosure | Explain nature of relationship, products/services, costs, charges, account restrictions, complaint process, and conflicts. | RDI documents, client acknowledgments, change notices. |
| Misleading communications | Ensure marketing, titles, reports, and statements are fair and not misleading. | Pre-approval of advertising, social media review, performance claim substantiation. |
KYC, KYP, and Suitability Decision Table
| Scenario | KYC issue | KYP issue | Suitability concern | Expected CCO lens |
|---|---|---|---|---|
| Client wants concentrated speculative position | Risk tolerance, risk capacity, objectives, concentration limits. | Volatility, liquidity, issuer/product risk. | May be unsuitable despite client enthusiasm. | Require documentation, warnings, approval or refusal if necessary. |
| New complex product added | Existing client data may be insufficient. | Product structure, fees, redemption limits, leverage, conflicts. | Representatives may not understand product enough to recommend it. | Product approval and training before distribution. |
| Senior client changes instructions suddenly | Capacity, vulnerability, undue influence, liquidity needs. | Product may be ordinary, but context changes risk. | Transaction may not align with client circumstances. | Escalate for senior/vulnerable client review. |
| Client refuses to provide information | Incomplete KYC. | Product knowledge still required. | Suitability determination may be impossible. | Limit account activity, document refusal, consider not opening or restricting account. |
| Existing client has stale profile | KYC not current. | Product may still be approved. | Suitability review unreliable. | Trigger update before recommendation or material action. |
Conflicts of Interest Framework
Use this order: identify → assess materiality → avoid/control/disclose → supervise → document → reassess.
| Conflict type | Examples | Preferred response | Trap |
|---|---|---|---|
| Compensation conflict | Higher commission product, embedded fee, sales contest, revenue sharing. | Avoid or control incentives; clear disclosure; compensation-neutral review where possible. | Disclosure buried in generic documents is weak. |
| Proprietary product conflict | Firm recommends affiliated or in-house products. | Product due diligence, shelf comparison, suitability, conflict disclosure. | Assuming proprietary products are automatically acceptable or automatically prohibited. |
| Outside activity conflict | Director role, private business, political or charitable fundraising. | Pre-approval, restrictions, monitoring, disclosure where needed. | Ignoring reputational risk because activity is outside securities business. |
| Referral conflict | Paid referral to mortgage broker, insurance agent, portfolio manager. | Written agreement, client disclosure, due diligence on referral party. | Treating referrals as outside the compliance perimeter. |
| Personal trading conflict | Front-running, trading ahead, restricted list securities. | Pre-clearance, blackout periods, restricted/watch lists, attestations. | Monitoring only representatives, not access persons or supervisors. |
| Gifts and entertainment | Excessive gifts from issuers, clients, vendors. | Limits, approvals, logs, escalation. | Small repeated benefits can aggregate into a conflict. |
| Allocation conflict | IPOs, limited offerings, block trades. | Fair allocation policy, documented rationale, exception review. | Favouring high-revenue clients without documented fair basis. |
Conflict Response Ladder
| Response | Use when | Not enough when |
|---|---|---|
| Avoid | Conflict is prohibited, too severe, or cannot be controlled in client’s best interest. | Business wants to keep revenue from a harmful practice. |
| Control | Conflict can be reduced with supervision, segregation, compensation changes, approvals, or restrictions. | Controls are not actually tested or enforceable. |
| Disclose | Client needs clear information about nature and impact of conflict. | Conflict remains harmful or unmanageable after disclosure. |
| Document | Always; evidence decision and rationale. | Documentation is used as a substitute for action. |
Supervision System Reference
| Control layer | Purpose | Examples |
|---|---|---|
| Preventive controls | Stop issues before client harm occurs. | Pre-trade approval, product restrictions, registration checks, training. |
| Detective controls | Find issues after or during activity. | Trade surveillance, exception reports, complaint reviews, email testing. |
| Corrective controls | Fix root cause and prevent recurrence. | Restitution, discipline, procedure change, system enhancement. |
| Governance controls | Ensure senior visibility and accountability. | Compliance committee, board reporting, issue dashboards. |
| Independent testing | Challenge whether controls work. | Thematic review, branch audit, sample testing, external review. |
Risk-Based Compliance Program
| Step | CCO action | Practical output |
|---|---|---|
| 1. Identify risks | Map business lines, products, clients, jurisdictions, vendors, and compensation. | Risk inventory. |
| 2. Assess risks | Rank by likelihood, impact, client harm, regulatory attention, and control strength. | Annual compliance risk assessment. |
| 3. Set monitoring plan | Allocate testing to highest-risk areas. | Compliance calendar and test plan. |
| 4. Test controls | Sample files, trades, communications, complaints, approvals, and reports. | Workpapers and findings. |
| 5. Remediate | Assign owner, due date, severity, and validation. | Issue log and remediation tracker. |
| 6. Report | Escalate significant matters and summarize trends. | UDP, board, committee, and regulatory reports. |
| 7. Reassess | Update for new products, rule changes, deficiencies, complaints, and business changes. | Revised risk rating and policy updates. |
Books and Records
| Record category | Why it matters | CCO testing examples |
|---|---|---|
| Client account records | Evidence KYC, suitability, disclosures, instructions. | Sample account files for completeness and currency. |
| Trade records | Reconstruct activity and supervision. | Compare order tickets, timestamps, approvals, and allocations. |
| Communications | Evidence recommendations, representations, complaints, and approvals. | Email/social media surveillance and retention testing. |
| Complaint files | Evidence fair handling, timelines, outcomes, root causes. | Review complaint log against emails and call notes. |
| Conflicts records | Evidence identification, controls, disclosures. | Test conflict inventory against compensation and referral arrangements. |
| Registration records | Evidence proficiency, approvals, outside activities, updates. | Match HR changes to registration filings. |
| Compliance testing records | Evidence CCO fulfilled monitoring obligations. | Review workpapers, samples, exceptions, and sign-offs. |
| Financial and operational records | Evidence solvency, custody, reconciliations, capital controls. | Coordinate with finance and operations reports. |
Complaints and Client Harm
| Stage | Compliance focus | Evidence |
|---|---|---|
| Intake | Identify whether the matter is a complaint, service issue, privacy issue, fraud concern, or regulatory matter. | Complaint log, intake notes, classification rationale. |
| Acknowledgment | Provide required process information and preserve records. | Acknowledgment letter or communication record. |
| Investigation | Review facts, documents, communications, suitability, supervision, and representative conduct. | Investigation memo, interview notes, file review. |
| Response | Provide clear outcome and reasons; address remediation where appropriate. | Final response, settlement approval, client communication. |
| Escalation | Report serious, systemic, or regulatory issues. | Escalation record to CCO, UDP, legal, insurer, regulator, or SRO as applicable. |
| Root cause | Determine whether issue is isolated or systemic. | Procedure change, training, surveillance enhancement. |
AML/ATF and Sanctions Quick Reference
| Topic | CCO-level concern | Common red flags |
|---|---|---|
| Client identification | Verify identity before or during account opening as required by the AML program. | Reluctance to provide ID, inconsistent information. |
| Beneficial ownership | Identify individuals who own or control an entity client. | Complex structures with no clear economic purpose. |
| Third-party determination | Determine whether someone else controls or benefits from the account. | Client acts on instructions from undisclosed person. |
| Politically exposed persons / heads of international organizations | Apply enhanced measures where required. | Source of funds unclear, high-risk jurisdiction links. |
| Suspicious activity | Escalate and assess unusual transactions or behaviour. | Rapid in/out transfers, no investment rationale, evasive answers. |
| Sanctions screening | Screen clients, counterparties, and relevant transactions. | Name match ignored or not resolved. |
| Ongoing monitoring | Update risk profiles and review activity. | Account activity inconsistent with KYC. |
| Training and independent review | Maintain AML training and program effectiveness review. | AML manual exists but staff cannot describe escalation steps. |
Market Conduct and Trading Abuses
| Conduct issue | Description | CCO controls |
|---|---|---|
| Insider trading | Trading with material non-public information. | Restricted lists, wall-crossing procedures, personal trading monitoring. |
| Tipping | Informing another person of material non-public information. | Confidentiality training, access controls, deal team restrictions. |
| Front-running | Trading ahead of client or firm orders. | Order monitoring, employee trade pre-clearance, timestamp review. |
| Manipulation | Artificial trading activity or misleading appearance of market interest. | Surveillance reports, order pattern review, escalation. |
| Misrepresentation | Untrue or misleading statement to clients, regulators, or market. | Marketing approval, client communication review. |
| Churning / excessive trading | Trading primarily to generate compensation or activity. | Turnover and cost-to-equity reviews, suitability testing. |
| Fair allocation failures | Preferential allocation of limited opportunities. | Allocation policy, exception report, supervisory approval. |
Product Due Diligence and Shelf Governance
| Review factor | Questions to ask | Evidence |
|---|---|---|
| Product structure | How does it generate return? What are the risks? | Due diligence memo, issuer documents, legal review. |
| Liquidity | Can clients exit? Are there redemption gates or lockups? | Liquidity classification, redemption terms summary. |
| Leverage / derivatives | Could losses exceed expectations? Are risks transparent? | Risk analysis, scenario testing. |
| Fees and compensation | What costs does the client bear? What does the firm earn? | Fee schedule, compensation comparison, conflict assessment. |
| Target market | Which clients is it designed for? Who should not buy it? | Approved investor profile, restrictions. |
| Valuation | How is the product priced? Is valuation independent? | Valuation policy, pricing source. |
| Disclosure | Are key risks plainly disclosed? | Offering documents, RDI updates, risk acknowledgments. |
| Ongoing monitoring | Are there changes in issuer, strategy, performance, liquidity, or complaints? | Product review calendar, watch list. |
Prospectus Exemptions and Private Placements
| Issue | CCO review point | Trap |
|---|---|---|
| Exemption availability | Confirm client qualifies for the exemption used. | Assuming wealth, sophistication, or occupation without evidence. |
| Documentation | Maintain forms, acknowledgments, subscription agreements, and suitability notes. | Missing exemption evidence after distribution. |
| KYC and suitability | Exemption eligibility is not the same as suitability. | Accredited investor status does not automatically make a product suitable. |
| Offering document review | Assess representations, risk factors, fees, related parties. | Treating issuer documents as unquestionable. |
| Compensation | Review commission, finder’s fee, referral, and conflict disclosure. | Undisclosed compensation can taint the recommendation. |
| Concentration | Monitor illiquid or high-risk concentration. | Suitability based on single trade rather than whole portfolio. |
Marketing and Client Communications
| Communication type | Review focus | Red flags |
|---|---|---|
| Performance claims | Fair calculation, period, benchmark, fees, assumptions, substantiation. | Cherry-picked results or hypothetical returns without context. |
| Testimonials / endorsements | Accuracy, disclosure, conflict, approval. | Paid promotion not disclosed. |
| Titles and credentials | Not misleading; supported by actual registration or credential. | Title implies portfolio management authority without registration. |
| Social media | Pre-use or post-use review depending on firm policy and risk; record retention. | Business content sent through unapproved channels. |
| Research / commentary | Distinguish general commentary from personalized advice. | “Educational” content that effectively recommends a trade to a client. |
| Fee descriptions | Clear, complete, not misleading. | Omitting embedded, trailing, referral, or transaction costs. |
Outsourcing and Vendor Oversight
| Vendor area | CCO concern | Control evidence |
|---|---|---|
| Portfolio/account systems | Data accuracy, access control, audit trails. | User access review, change logs, reconciliation. |
| Cloud/data storage | Confidentiality, privacy, cybersecurity, jurisdiction, incident response. | Contract terms, SOC reports or equivalent assurance, breach procedure. |
| Compliance technology | Surveillance parameters, false positives, missed alerts. | Model/rule validation, alert review evidence. |
| Back-office processing | Trade errors, reconciliations, custody, statements. | Service-level reporting, exception logs. |
| Referral partners | Client disclosure, conflicts, qualification, complaint flow. | Due diligence file, written agreement. |
| Third-party portfolio managers/sub-advisers | Registration, mandate limits, oversight, performance reporting. | Due diligence, monitoring reports, agreement review. |
Cybersecurity and Privacy Controls
| Control | Exam relevance |
|---|---|
| Access management | Restrict client data and trading systems to authorized users. |
| Multi-factor authentication | Reduces account takeover and remote access risk. |
| Encryption and secure transmission | Protects client information in storage and transit. |
| Incident response plan | Defines escalation, containment, notification assessment, and remediation. |
| Vendor due diligence | Assesses third-party data and system risk. |
| Phishing training | Addresses a common attack vector against financial firms. |
| Data retention and destruction | Keeps required records while reducing unnecessary exposure. |
| Breach documentation | Supports regulatory, client, insurer, and governance reporting decisions. |
Regulatory Examination and Deficiency Management
| Phase | CCO action | Good evidence |
|---|---|---|
| Notice / request | Coordinate response, preserve records, assign owners. | Request tracker, privilege review where applicable. |
| Document production | Provide complete, accurate, organized records. | Index, version control, sign-off. |
| Interviews | Prepare factual participants; avoid coaching improper answers. | Interview preparation notes and role clarity. |
| Preliminary findings | Validate facts, identify root causes, begin remediation. | Management response draft, evidence binder. |
| Deficiency letter | Respond with action plan, owners, and realistic timelines. | Remediation plan approved by UDP/governance. |
| Follow-up | Test completion and effectiveness. | Closure memo, validation testing. |
Escalation Decision Table
| Situation | Escalate to | Why |
|---|---|---|
| Potential significant non-compliance | CCO, UDP, board/equivalent as appropriate | Senior accountability and timely remediation. |
| Possible client harm | CCO, supervisor, legal, complaint team | Preserve evidence and assess restitution or reporting. |
| Suspected fraud or misappropriation | CCO, UDP, legal, regulator/SRO or law enforcement as appropriate | High severity and potential client asset risk. |
| AML suspicion | AML officer / designated compliance function | AML reporting and confidentiality concerns. |
| Cyber incident affecting client data | CCO, privacy lead, IT security, legal, senior management | Containment and notification assessment. |
| Representative outside activity not disclosed | Supervisor, registration/compliance, CCO | Registration update, conflict, and discipline review. |
| Misleading marketing already distributed | CCO, business owner, legal, communications | Correction, withdrawal, client impact assessment. |
| Regulatory inquiry | CCO, UDP, legal | Accuracy, privilege, consistency, and deadlines. |
Common Exam Distinctions
| Distinction | Correct exam logic |
|---|---|
| KYC vs KYP | KYC is client knowledge; KYP is product knowledge. Suitability needs both. |
| Suitability vs client instruction | A client instruction may still require warning, refusal, or restricted handling if unsuitable or prohibited. |
| Disclosure vs control | Disclosure informs; control reduces the conflict risk. Some conflicts must be avoided. |
| UDP vs CCO | UDP drives compliance culture and senior supervision; CCO builds and monitors the compliance system. |
| Policy vs procedure | Policy states requirement; procedure explains who does what, when, and with what evidence. |
| Registration vs proficiency | Registration is legal authorization; proficiency is a condition or requirement supporting that authorization. |
| Exemption vs suitability | A prospectus or registration exemption does not eliminate suitability, KYC, KYP, or conflict obligations. |
| Complaint vs inquiry | A complaint alleges dissatisfaction or potential wrongdoing; an inquiry may simply request information. Misclassification is risky. |
| Outsourcing vs delegation of accountability | Tasks may be outsourced; regulatory accountability remains with the registered firm and responsible individuals. |
| Material non-public information vs rumour | MNPI is specific and material; rumours still require caution, but the analysis differs. |
| Civil risk vs regulatory compliance | A firm can face civil liability even if it believes it met a technical rule. |
| Annual report vs immediate escalation | Annual reporting does not replace prompt escalation of serious issues. |
Scenario Patterns to Practice
| Scenario | Best answer direction |
|---|---|
| Representative recommends an illiquid exempt product to a retiree seeking income and liquidity. | Focus on KYC/KYP mismatch, suitability, concentration, disclosure, and supervisory approval. |
| Firm launches a new product before compliance signs off. | Product due diligence and KYP failure; restrict distribution until approved and trained. |
| CCO finds repeated branch deficiencies but no client complaints. | Escalate systemic control weakness; absence of complaints does not mean absence of risk. |
| High-producing representative has undisclosed outside business with clients. | Conflict, outside activity, registration update, supervision, client harm review. |
| Client qualifies as accredited investor but has low risk tolerance. | Exemption eligibility does not establish suitability. |
| Marketing piece advertises “guaranteed” returns for a market-linked product. | Misleading communication; product risk and disclosure review; withdraw/correct. |
| Vendor hosts client data and suffers breach. | Incident response, privacy/cyber review, vendor oversight, client/regulatory notification assessment. |
| AML alert shows frequent third-party transfers inconsistent with KYC. | Escalate to AML process; consider suspicious activity, account restrictions, and documentation. |
| CCO lacks access to business records needed for testing. | Governance issue; CCO must have adequate authority, access, and resources. |
| Board asks CCO to delay reporting serious deficiency until year-end. | Immediate escalation obligations and governance concern; document and seek appropriate action. |
Last-Week Review Checklist
- Rehearse the UDP vs CCO vs supervisor accountability split.
- Memorize the KYC + KYP = suitability decision logic.
- Practice conflict questions using avoid, control, disclose, document.
- Review when registration, prospectus exemptions, and individual approval are triggered.
- Know why exemption eligibility does not equal suitability.
- Review AML red flags separately from securities suitability red flags.
- Be ready to identify weak controls: no evidence, no owner, stale policy, no testing, no escalation.
- For scenario questions, answer as a CCO: identify risk, apply rule principle, escalate, document, remediate, and test.
Practical Next Step
Use this Quick Reference to build a one-page issue-spotting sheet, then drill mixed CCO scenarios until you can quickly identify the role, rule concept, client risk, conflict, escalation path, and control evidence for each fact pattern.