CSA Notice and Request for Comment: Draft Regulation to Amend Regulation 21-101 Respecting Marketplace Operation

CSA Notice and Request for Comment Draft Regulation to amend Regulation 21-101 respecting Marketplace Operation Draft amendments to Policy Statement to Regulation 21-101 respecting Marketplace Operation April 18, 2019 Introduction The Canadian Securities Administrators (the CSA or we) are publishing the following materials for a 90-day comment period: • draft Regulation to amend Regulation 21-101 respecting Marketplace Operation (Regulation), including the following forms: o Form 21-101F1 Information Statement - Exchange or Quotation and Trade Reporting System (Form 21-101F1); o Form 21-101F2 Information Statement – Alternative Trading System (Form 21-101F2); o Form 21-101F3 Quarterly Report of Marketplace Activities (Form 21-101F3); o Form 21-101F5 Information Statement – Information Processor (Form 21-101F5); • draft amendments to Policy Statement to Regulation 21-101 respecting Marketplace Operation (Policy Statement). The draft amendments to the Regulation, Form 21-101F1, Form 21-101F2, Form 21-101F3, Form 21-101F5 and the proposed changes to the Policy Statement are together referred to as the Draft Amendments. Form 21-101F1, Form 21-101F2, Form 21-101F3, and Form 21-101F5 are collectively referred to as the Forms. The Regulation, Forms and Policy Statement are collectively referred to as Regulation 21-101. The purposes of the Draft Amendments are described in the “Substance and Purpose” section below. The Draft Amendments are published with this Notice. An Annex to this Notice is being published in any local jurisdiction where any additional information is relevant to that jurisdiction only. This Notice is available on the websites of the CSA jurisdictions, including:

2 www.albertasecurities.com www.bcsc.bc.ca www.fcaa.gov.sk.ca www.fcnb.ca www.lautorite.qc.ca www.mbsecurities.ca nssc.novascotia.ca www.osc.gov.on.ca The 90-day comment period will expire on July 17, 2019. For further details, see the “Request for Comments” section below. Background The Regulation establishes the regulatory framework for marketplaces and information processors (IPs) that carry on business in the CSA jurisdictions. Together with the Forms, the Regulation requires, among other things, marketplaces and IPs to provide the CSA with comprehensive reporting of all aspects of their operations, both at the time the marketplace and the IP commence operations and anytime the marketplace and IP make changes to that information. The Regulation also requires marketplaces to report, on a quarterly basis, detailed information about the trading activity on the marketplace during the previous quarter. The Regulation also establishes detailed requirements in relation to the information technology systems used by marketplaces and IPs to support their operations. These requirements include developing and maintaining adequate internal controls and information technology general controls over critical systems, conducting capacity stress tests on such systems, developing and maintaining reasonable business continuity and disaster recovery plans, and promptly notifying the CSA of any material failures, malfunctions, delays or security breaches in respect of these systems. Marketplaces and IPs are further required to conduct an independent review of these systems (ISR) on an annual basis. Exhibit G to each of Form 21-101F1, Form 21-101F2, and Form 21-101F5 establishes a detailed framework for the reporting by marketplaces and IPs of systems-related information. Over time, the volume and breadth of reporting requirements for marketplaces and IPs has grown, in part reflecting the increased complexity and risks to fair and efficient capital markets associated with marketplaces’ and IPs’ systems and the need for the CSA to have adequate information to effectively oversee all aspects of the operations of marketplaces and IPs. At the same time, the extent and quality of the information needed to support the CSA’s oversight of marketplaces and IPs is continually changing and some information historically reported by marketplaces and IPs is now less useful and relevant to effective oversight. In addition, exchanges are subject to additional and specific reporting requirements in the terms and conditions of their recognition orders, which, in certain instances, may duplicate reporting requirements in Regulation 21-101. Given the growth and evolution of the information reported to the CSA by marketplaces and IPs, we have evaluated the reporting requirements in Regulation 21-101 and have identified

3 opportunities to streamline these requirements and reduce regulatory burden by eliminating duplicative reporting and ensuring consistency of reporting across marketplaces and IPs. At the same time, we have identified opportunities to enhance the systems-related requirements in Regulation 21-101. Substance and Purpose

1. Purposes of Draft Amendments The primary purpose of the Draft Amendments is to reduce the regulatory burden associated with the reporting requirements for marketplaces and IPs. The Draft Amendments will, in our view, streamline these reporting requirements by eliminating duplicative reporting and reporting that does not materially contribute to the CSA’s oversight of marketplaces and IPs while maintaining a robust reporting framework that supports the objectives of the CSA’s oversight, including providing protection to investors and fostering fair and efficient capital markets and investor confidence. The purposes of the Draft Amendments also include enhancing the systems requirements for marketplaces and IPs by clarifying testing and reporting expectations and establishing an appropriate focus on cyber resilience. In formulating the Draft Amendments, in addition to striving to reduce regulatory burden, we have also focussed on ensuring that the systems and reporting requirements in the Regulation continue to support innovation by marketplaces and IPs. Specific purposes of the Draft Amendments include: • Streamlining reporting requirements in the Regulation and Forms by eliminating the need to report superfluous information and eliminating duplicative reporting requirements; • Enhancing the systems-related requirements in Part 12 and Part 14 of the Regulation and related guidance in the Policy Statement by optimizing the reporting of material systems incidents by marketplaces and IPs, establishing requirements to promote the cyber resilience of marketplaces and IPs, and providing for consistency with recent proposed changes to the systems requirements for clearing agencies in Regulation 24-102 respecting Clearing Agency Requirements (Regulation 24-102); • Making other non-substantive changes, corrections and clarifications to Regulation 21-101.
2. Summary of Draft Amendments We discuss briefly the changes and policy rationales for the key Draft Amendments below. a. Streamlining reporting requirements (i) The requirement in paragraph 3.2(3)(a) of the Regulation for a marketplace to file an amendment to the information in Form 21-101F1 or Form 21-101F2 for changes not considered significant changes has been changed to provide that the marketplace must file any such amendments on a quarterly basis rather than monthly. We expect that quarterly filings of non￾significant changes to the information in Form 21-101F1 or Form 21-101F2 will alleviate a

4 significant regulatory burden on marketplaces without comprising the effective oversight of marketplaces by the CSA. (ii) Exhibits C and D to Form 21-101F1 and Form 21-101F2 have been amended to eliminate the requirements to report certain information in respect of a marketplace’s organization and any affiliated entities. In particular, we have eliminated the requirement to report historical employment information for partners, directors and officers of a marketplace and eliminated the requirement to file constating documents for affiliated entities of a marketplace. Filing this information has been burdensome for marketplaces and has not materially contributed to or enhanced the CSA’s oversight of marketplaces. (iii) We have streamlined the information required to be reported by marketplaces in Form 21-101F3 on its trading activities during the previous quarter. In particular, we have eliminated the requirements for marketplaces to report details of the trading activity for exchange￾listed equity securities and ETFs trading on equity marketplaces, to report details of the types of orders for exchange-traded securities executed on the marketplace, and to report details of the trading activity of the marketplace’s top-10 marketplace participants (based on the volume of securities traded). The Investment Industry Regulatory Organization of Canada (IIROC) presently collects this information from marketplaces; the proposed changes to Form 21-101F3 will eliminate these duplicative reporting requirements. (iv) We have lengthened the time period associated with the filing by marketplaces of amendments to the information in Exhibit L (Fees) to each of Form 21-101F1 and Form 21-101F2 to at least 15 business days before the marketplace implements a change to its fees. We expect that this change will result in a more reasonable opportunity for the CSA to review marketplace fee filings without imposing any undue burden on marketplaces proposing fee changes. b. Financial reporting New section 4.3 has been added to require recognized exchanges to file interim financial statements within 45 days of the end of the interim period. Currently, specific financial reporting requirements for exchanges are included in the terms and conditions of the exchanges’ recognition orders. c. Systems requirements (i) The concept of ‘cyber resilience’ has been added to subparagraph 12.1(a)(ii) and subparagraph 14.5(1)(a)(ii) of the Regulation as one of the information technology general controls that a marketplace or IP must develop and maintain. While cyber resilience should already be covered by an entity’s controls, the explicit addition of the concept in the Regulation is intended to be reflective of the increasing importance of ensuring that an entity has taken adequate steps to address cyber resilience. (ii) The concept of “security breach” in relation to the notifications that must be provided by a marketplace and IP under paragraph 12.1(c), paragraph 12.1.1(b) and paragraph 14.5(1)(e) has been broadened to “security incident”. The change extends the concept beyond actual breaches, as

5 we are of the view that a material event may include one where a breach has not necessarily occurred. We describe “security incidents” in the Policy Statement with reference to general definition of the concept used by the National Institute of Standards and Technology (U.S. Department of Commerce) (NIST) 1 . (iii) We have added requirements in the Regulation under section 12.1 and section 12.1.1 that marketplaces keep records of any systems failures, malfunctions, delays or security incidents and, if applicable, document reasons with respect to the materiality of the event. We have also added a requirement at section 12.1.2 that marketplaces must annually engage one or more qualified parties to perform appropriate assessments and testing to identify security vulnerabilities and measure the effectiveness of information security controls that assess the marketplace’s compliance with paragraphs 12.1(a) and 12.1.1(a) of the Regulation. Section 12.1.2 replaces guidance previously set out in the Policy Statement on vulnerability assessments and is consistent with similar requirements being proposed for recognized clearing agencies in Regulation 24-102. (iv) Under subsection 12.2(1) and paragraph 14.5(1)(c) of the Regulation, we clarify the CSA’s expectation that marketplaces and IPs engage one or more “qualified external auditors” to conduct and report on its independent systems reviews. We consider a qualified external auditor to be a person, or a group of persons, with relevant experience in both information technology and in the evaluation of related internal systems or controls in a complex information technology environment. Before engaging a qualified external auditor, we also expect the marketplaces and IPs to discuss with the CSA their choice for qualified external auditor and the scope of the systems review mandate. d. Non-substantive changes Lastly, several non-substantive changes, corrections and clarifications are proposed. By their nature, none of the non-substantive changes should have any significant impact on the application of Regulation 21-101 to marketplaces and IPs. Request for Comments We welcome your comments on the Draft Amendments. Please submit your comments in writing on or before July 17, 2019. If you are not sending your comments by email, please send a CD containing the submissions (in Microsoft Word format). Address your submission to the following CSA member commissions: Alberta Securities Commission Autorité des marchés financiers British Columbia Securities Commission Financial and Consumer Services Commission (New Brunswick) Financial and Consumer Affairs Authority of Saskatchewan Manitoba Securities Commission 1 The NIST definition of “security incident” is available at https://csrc.nist.gov/Glossary.

6 Nova Scotia Securities Commission Nunavut Securities Office Ontario Securities Commission Office of the Superintendent of Securities, Newfoundland and Labrador Office of the Superintendent of Securities, Northwest Territories Office of the Yukon Superintendent of Securities Superintendent of Securities, Department of Justice and Public Safety, Prince Edward Island Please deliver your comments only to the addresses that follow. Your comments will be forwarded to the remaining CSA member jurisdictions. Me Anne-Marie Beaudoin Corporate Secretary Autorité des marchés financiers 800, rue du Square-Victoria, 4e étage C.P. 246, tour de la Bourse Montréal (Québec) H4Z 1G3 Fax: 514 864-6381 E-mail: consultation-en-cours@lautorite.qc.ca The Secretary Ontario Securities Commission 20 Queen Street West, 22nd Floor Toronto, Ontario M5H 3S8 Fax: 416 595-2318 E-mail: comments@osc.gov.on.ca Please note that comments received will be made publicly available and posted on the Websites of certain CSA jurisdictions. We cannot keep submissions confidential because securities legislation in certain provinces requires publication of the written comments received during the comment period. Therefore, you should not include personal information directly in comments to be published. It is important that you state on whose behalf you are making the submission. Questions with respect to this Notice or the Draft Amendments may be referred to: Serge Boisvert Senior Policy Advisor Exchanges and SRO Oversight Autorité des marchés financiers Tel: 514 395-0337, poste 4358 Email: serge.boisvert@lautorite.qc.ca

7 Maxime Lévesque Senior SRO Analyst Exchanges and SRO Oversight Autorité des marchés financiers Tel: 514 395 -0337, poste 4324 Email: maxime.levesque@lautorite.qc.ca Christopher Byers Senior Legal Counsel, Market Regulation Ontario Securities Commission Tel: 416 593 -2350 Email: cbyers@osc.gov.on.ca Kortney Shapiro Legal Counsel, Market Regulation Ontario Securities Commission Tel: 416 593 -2328 Email: kshapiro@osc.gov.on.ca Heather Cohen Legal Counsel, Market Regulation Ontario Securities Commission Tel: 416 204 -8955 Email: hcohen@osc.gov.on.ca Bruce Sinclair Securities Market Specialist Legal Services, Capital Markets Regulation British Columbia Securities Commission Tel: 604 899 -6547 Email: bsinclair@bcsc.bc.ca Katrina Prokopy Senior Legal Counsel Alberta Securities Commission Tel: 403 297 -7239 Email: katrina. prokopy@asc.ca Sasha Cekerevac Regulatory Analyst, Equity Markets Alberta Securities Commission Tel: 403 297 -4219 Email: sasha. cekerevac@asc.ca