2019-04-18

Draft Regulation to amend Regulation 21-101 respecting Marketplace Operation

The securities regulator amends Regulation 21-101 to streamline reporting requirements and enhance operational standards for marketplaces and information processors. The changes extend filing deadlines for certain forms, mandate annual vulnerability assessments and independent systems reviews, and impose stricter notification and record-keeping obligations for material system failures and security incidents. Additionally, the amendment updates ownership disclosure exhibits and clarifies definitions to ensure consistent application across recognized exchanges, quotation and trade reporting systems, and alternative trading systems.

Canada

Autorite des marches financiers Quebec

REGULATION TO AMEND REGULATION 21-101 RESPECTING MARKETPLACE OPERATION

Securities Act (chapter V-1.1, s. 274, s. 331.1, par. (1), (2), (3), (8), (19) and (32.0.1), and s. 331.2)

  1. Section 3.2 of Regulation 21-101 respecting Marketplace Operation (chapter V-1.1, r. 5) is amended: (1) by replacing, in paragraph (2), “7 business days” with “15 business days”; (2) by replacing, in subparagraph (a) of paragraph (3), the word “month” with the words “calendar quarter”; (3) by adding, after paragraph (5), the following: “(6) For purposes of subsection (5), where information in a marketplace’s Form 21-101F1 or Form 21-101F2, as applicable, has not changed since the marketplace previously filed Form 21-101F1 or Form 21-101F2 under subsection (5), the marketplace may incorporate that information by reference into its updated and consolidated Form 21-101F1 or Form 21-101F2.”.
  2. Section 4.2 of the Regulation is amended by deleting, in paragraph (1), the words “the requirements outlined in”.
  3. The Regulation is amended by adding, after section 4.2, the following: “4.3. Filing of Interim Financial Reports A recognized exchange and a recognized quotation and trade reporting system must file interim financial reports within 45 days after the end of each interim period in accordance with paragraphs 4.1(1)(a) and (b).”.
  4. Section 12.1 of the Regulation is amended: (1) in paragraph (a): (a) by replacing subparagraph (i) with the following: “(i) adequate internal controls over those systems, and”; (b) by inserting, in subparagraph (ii) and after “information security,”, “cyber resilience,”; (2) by replacing subparagraph (ii) of paragraph (b) with the following: “(ii) conduct capacity stress tests to determine the processing capability of those systems to perform in an accurate, timely and efficient manner,”; (3) by replacing paragraph (c) with the following: “(c) promptly notify the regulator or, in Québec, the securities regulatory authority and, if applicable, its regulation services provider, of any systems failure, malfunction, delay or security incident that is material and provide timely updates on the status of the failure, malfunction, delay or security incident, the resumption of service and the results of the marketplace’s internal review of the failure, malfunction, delay or security incident, and “(d) keep a record of any systems failure, malfunction, delay or security incident and, if applicable, document the reasons why the marketplace considered the systems failure, malfunction, delay or security incident not to be material.”.
  5. Section 12.1.1 of the Regulation is amended: (1) by replacing, in paragraph (a), the words “an adequate system of information security controls” with the words “adequate information security controls”; (2) by replacing paragraph (b) with the following: “(b) promptly notify the regulator, or in Québec, the securities regulatory authority and, if applicable, its regulation services provider, of any security incident that is material and provide timely updates on the status of the incident, the resumption of service, and the results of the marketplace’s internal review of the security incident, and “(c) keep a record of any such security incident and, if applicable, document the reasons why the marketplace considered that such security incident was not material.”.
  6. The Regulation is amended by adding, after section 12.1.1, the following: “12.1.2. Vulnerability Assessments On a reasonably frequent basis and, in any event, at least annually, a marketplace must engage one or more qualified parties to perform appropriate assessments and testing to identify security vulnerabilities and measure the effectiveness of information security controls that assess the marketplace’s compliance with paragraphs 12.1(a) and 12.1.1(a).”.
  7. Section 12.2 of the Regulation is amended by replacing paragraph (1) with the following: “(1) On a reasonably frequent basis and, in any event, at least annually, a marketplace must engage one or more qualified external auditors to conduct an independent systems review and prepare a report in accordance with established audit standards and best industry practices that assesses the marketplace’s compliance with (a) paragraph 12.1(a), (b) section 12.1.1, and (c) section 12.4.”.
  8. Section 12.3 of the Regulation is amended: (1) by replacing, in subparagraph (a) of paragraphs (1) and (2), the word “and” with the word “or”; (2) by replacing, in subparagraph (a) of paragraph (3.1), “(2)(a)” with “(2)(b)”.
  9. Section 12.4 of the Regulation is amended by replacing, in paragraph (3), “, that” with the word “that”, “, must” with the word “must” and the word “marketplace” with the words “recognized exchange or quotation and trade reporting system”.
  10. Section 14.5 of the Regulation is replaced with the following: “14.5. System Requirements (1) An information processor must (a) develop and maintain (i) adequate internal controls over its critical systems, and (ii) adequate information technology general controls, including, without limitation, controls relating to information systems operations, information security, cyber resilience, change management, problem management, network support, and system software support, (b) in accordance with prudent business practice, on a reasonably frequent basis and in any event, at least annually, (i) make reasonable current and future capacity estimates for each of its systems, and (ii) conduct capacity stress tests of its critical systems to determine the processing capability of those systems to perform in an accurate, timely and efficient manner, (iii) (paragraph revoked), (c) on a reasonably frequent basis and, in any event, at least annually engage one or more qualified external auditors to conduct an independent systems review and prepare a report in accordance with established audit standards and best industry practices that assesses the information processor’s compliance with paragraph (a) and section 14.6, (d) provide the report resulting from the review conducted under paragraph (c) to (i) its board of directors or the audit committee promptly upon the report’s completion, and (ii) the regulator or, in Québec, the securities regulatory authority, by the earlier of the 30th day after providing the report to its board of directors or the audit committee or the 60th day after the calendar year end, (e) promptly notify the following of any systems failure, malfunction, delay or security incident that is material and provide timely updates on the status of the failure, malfunction, delay or security incident, the resumption of service and the results of the information processor’s internal review of the failure, malfunction, delay or security incident: (i) the regulator or, in Québec, the securities regulatory authority, and (ii) any regulation services provider, recognized exchange or recognized quotation and trade reporting system monitoring trading of the securities about which information is provided to the information processor, and (f) keep a record of any systems failure, malfunction, delay or security incident and, if applicable, document the reasons why the information processor considered the systems failure, malfunction, delay or security incident not to be material. (2) An information processor must provide the regulator or, in Québec, the securities regulatory authority with a report by the 30th day after the end of the calendar quarter, containing a log and summary description of each systems failure, malfunction, delay or security incident referred to in paragraph (1)(f).”.

  11. The Regulation is amended by inserting, after section 14.5, the following: “14.5.1. Vulnerability Assessments On a reasonably frequent basis and, in any event, at least annually, an information processor must engage one or more qualified parties to perform appropriate assessments and testing to identify security vulnerabilities and measure the effectiveness of information security controls that assess the information processor’s compliance with paragraph 14.5(1)(a).”.
  12. Form 21-101F1 of the Regulation is amended: (1) by replacing Exhibit B with the following: “Exhibit B – Ownership For an exchange or quotation and trade reporting system that is a corporation, provide a list of the beneficial holders of 5% or more of any class of securities of the exchange or quotation and trade reporting system. For each listed security holder, please provide the following:

  1. Name.
  2. Principal business or occupation and title.
  3. Ownership interest, including the total number of securities held, the percentage of the exchange or quotation and trade reporting system’s issued and outstanding securities held, and the class or type of security held.
  4. Whether the security holder has control (as interpreted in subsection 1.3(2) of Regulation 21-101 respecting Marketplace Operation).

In the case of an exchange or quotation and trade reporting system that is a partnership, sole proprietorship, or other form of organization, please provide a list of the registered or beneficial holders of the partnership interests or other ownership interests in the exchange or quotation and trade reporting system. For each person listed, please provide the following:

  1. Name.
  2. Principal business or occupation and title.
  3. Nature of the ownership interest, including a description of the type of partnership interest or other ownership interest.
  4. Whether the person has control (as interpreted in subsection 1.3(2) of Regulation 21-101 respecting Marketplace Operation).”;

(2) by deleting paragraph 5 of item 1 of Exhibit C; (3) by deleting paragraphs 2, 5 and 6 of item 2 of Exhibit D; (4) by replacing, in paragraph 2 of Exhibit G, under the title “IT Risk Assessment”, the word “are” with the word “is”.

  13. Form 21-101F2 of the Regulation is amended: (1) by replacing Exhibit B with the following: “Exhibit B – Ownership For an ATS that is a corporation, provide a list of the beneficial holders of 5% or more of any class of securities of the ATS. For each listed security holder, please provide the following:

  1. Name.
  2. Principal business or occupation and title.
  3. Ownership interest, including the total number of securities held, the percentage of the ATS’s issued and outstanding securities held, and the class or type of security held.
  4. Whether the security holder has control (as interpreted in subsection 1.3(2) of Regulation 21-101 respecting Marketplace Operation).

In the case of an ATS that is a partnership, sole proprietorship, or other form of organization, please provide a list of the registered or beneficial holders of the partnership interests or other ownership interests in the ATS. For each person listed, please provide the following:

  1. Name.
  2. Principal business or occupation and title.
  3. Nature of the ownership interest, including a description of the type of partnership interest or other ownership interest.
  4. Whether the person has control (as interpreted in subsection 1.3(2) of Regulation 21-101 respecting Marketplace Operation).”;

(2) by deleting paragraph 5 of item 1 of Exhibit C; (3) by deleting paragraphs 2 and 5 of item 2 of Exhibit D; (4) by replacing, in paragraph 2 of Exhibit G, under the title “IT Risk Assessment”, the word “are” with the word “is”.
  14. Form 21-101F3 of the Regulation is amended: (1) by replacing item 6 of Part A with the following: “6. Systems – A log and summary description of systems failures, malfunctions, delays or security incidents during the quarter in respect of any systems, operated by or on behalf of the marketplace, that support order entry, order routing, execution, trade reporting, trade comparison, data feeds, market surveillance and trade clearing and a log and summary description of each security incident during the quarter for any system that shares network resources with one or more of the systems, operated by or on behalf of the marketplace, that supports order entry, order routing, execution, trade reporting, trade comparison, data feeds, market surveillance and trade clearing that, if breached, would pose a security threat to one or more of the previously mentioned systems.”; (2) in section 1 of Part B: (a) by deleting, in Chart 1, under “Exchange-Traded Securities”, rows 1 and 2; (b) by deleting, in Chart 3, rows 2 and 7; (c) by deleting item 5.
  15. Form 21-101F5 of the Regulation is amended by repealing paragraph 5 of item 1 of Exhibit C.
  16. This Regulation comes into force on (indicate here the date of coming into force of this Regulation).