CSA Notice of Publication: Regulation to amend Regulation 21-101 respecting Marketplace Operation

CSA Notice of Publication Regulation to amend Regulation 21-101 respecting Marketplace Operation Changes to Policy Statement to Regulation 21-101 respecting Marketplace Operation June 18, 2020 Introduction The Canadian Securities Administrators (the CSA or we) are adopting amendments to: • Regulation 21-101 respecting Marketplace Operation (the Regulation), including the following forms: o Form 21-101F1 Information Statement - Exchange or Quotation and Trade Reporting System (Form 21-101F1); o Form 21-101F2 Information Statement – Alternative Trading System (Form 21-101F2); o Form 21-101F3 Quarterly Report of Marketplace Activities (Form 21-101F3) o Form 21-101F5 Information Statement – Information Processor (Form 21-101F5). In connection with the above, the CSA is also making changes to Policy Statement to Regulation 21-101 respecting Marketplace Operation (the Policy Statement). The amendments to the Regulation, including Form 21-101F1, Form 21-101F2, Form 21-101F3, Form 21-101F5, and the changes to the Policy Statement are together referred to as the Amendments. Form 21-101F1, Form 21-101F2, Form 21-101F3, and Form 21-101F5 are collectively referred to as the Forms. The Regulation, the Forms and the Policy Statement are collectively referred to as Regulation 21-101. The purposes of the Amendments are described in the “Substance and Purpose” section below. The Amendments are published with this Notice, which includes the following annexes:

• Annex A – Summary of Changes to Regulation 21-101 (against version currently-in￾effect) • Annex B – List of commenters • Annex C – Summary of comments and CSA responses. Provided all necessary ministerial approvals are obtained, the Amendments will come into force on September 14, 2020. This Notice, including its annexes, is available on the websites of the CSA jurisdictions, including: www.albertasecurities.com www.bcsc.bc.ca www.fcaa.gov.sk.ca www.fcnb.ca www.lautorite.qc.ca www.mbsecurities.ca nssc.novascotia.ca www.osc.gov.on.ca Background The Regulation establishes the regulatory framework for marketplaces and information processors (IPs) that carry on business in the CSA jurisdictions. Together with the Forms, the Regulation requires, among other things, marketplaces and IPs to provide the CSA with comprehensive reporting of all aspects of their operations, both at the time the marketplace and the IP commence operations and anytime the marketplace and IP make changes to that information. The Regulation also requires marketplaces to report, on a quarterly basis, information about the trading activity on the marketplace during the previous quarter. The Regulation also establishes requirements regarding the information technology systems used by marketplaces and IPs to support their operations, including developing and maintaining adequate internal controls and information technology general controls over critical systems, conducting capacity stress tests on such systems, developing and maintaining reasonable business continuity and disaster recovery plans, and conducting an independent review of these systems (ISR). On April 18, 2019, the CSA published proposed amendments to Regulation 21-101 for public comment. Substance and Purpose The primary purpose of the Amendments is to reduce the regulatory burden associated with the reporting requirements for marketplaces and IPs in Regulation 21-101. The Amendments will, in our view, streamline these requirements by eliminating duplicative reporting as well as reporting that does not materially contribute to the CSA’s oversight of marketplaces and IPs while

maintaining a robust reporting framework that supports the objectives of the CSA’s oversight, including providing protection to investors and fostering fair and efficient capital markets and investor confidence. The Amendments are also intended to enhance the requirements in relation to the IT systems maintained by marketplaces and IPs. The Amendments clarify testing and reporting requirements and introduce an appropriate focus on cyber resilience. Specific purposes of the Proposed Amendments include: • Streamlining reporting requirements in the Regulation and Forms by eliminating the need to report superfluous information and eliminating duplicative reporting requirements; • Enhancing the systems-related requirements in Part 12 and Part 14 of the Regulation and related guidance in the Policy Statement by optimizing the reporting of material systems incidents by marketplaces and IPs, establishing requirements to promote the cyber resilience of marketplaces and IPs, and providing for consistency with recent changes to the systems requirements for clearing agencies in Regulation 24-102 respecting Clearing Agency Requirements; • Making other non-substantive changes, corrections and clarifications to Regulation 21-101. Summary of Comments Received by the CSA In response to the publication of the proposed amendments, we received submissions from five commenters. We have considered the comments received and thank all commenters for their thoughtful input on the proposed amendments. A list of commenters who submitted comment letters together with a summary of their comments and the CSA’s responses to those comments is attached to this Notice at Annexes B and C respectively. Copies of the comment letters are available at www.osc.gov.on.ca Summary of Changes to the Regulation, Forms and Policy Statement Annex A to the Notice includes a summary of notable changes to the Regulation, Forms and Policy Statement, including changes made to the versions published for comment on April 18, 2019.

Questions Please direct any questions regarding this Notice or the Amendments to: Serge Boisvert Senior Policy Advisor Exchanges and SRO Oversight Autorité des marchés financiers Tel: 514 395-0337, poste 4358 Email: serge.boisvert@lautorite.qc.ca Maxime Lévesque Senior SRO Analyst Exchanges and SRO Oversight Autorité des marchés financiers Tel: 514 395-0337, poste 4324 Email: maxime.levesque@lautorite.qc.ca Christopher Byers Senior Legal Counsel, Market Regulation Ontario Securities Commission Tel: 416 593-2350 Email: cbyers@osc.gov.on.ca Ruxandra Smith Senior Accountant, Market Regulation Ontario Securities Commission Tel: 416 593-8322 Email: ruxsmith@osc.gov.on.ca Kortney Shapiro Legal Counsel, Market Regulation Ontario Securities Commission Tel: 416 593-2328 Email: kshapiro@osc.gov.on.ca Rina Jaswal Senior Legal Counsel Capital Markets Regulation Division British Columbia Securities Commission Tel: 604 899-6683 Email: RJaswal@bcsc.bc.ca

Lenworth Haye Senior Oversight Analyst, Market and SRO Oversight Capital Markets Regulation Division British Columbia Securities Commission Tel: 604 899-6668 Email: lhaye@bcsc.bc.ca Katrina Prokopy Senior Legal Counsel Alberta Securities Commission Tel: 403 297-7239 Email: Katrina.Prokopy@asc.ca Jesse Ahlan Regulatory Analyst, Market Structure Alberta Securities Commission Tel: 403 297-2098 Email: Jesse.Ahlan@asc.ca

ANNEX A SUMMARY OF CHANGES The following briefly describes the changes and policy rationales for the key Amendments. Streamlining reporting requirements The requirement in paragraph 3.2(3)(a) of the Regulation for a marketplace to file non￾significant amendments to the information set out in Form 21-101F1 or Form 21-101F2 has been changed to provide that the marketplace must file any such amendments on a quarterly basis rather than monthly. We expect that quarterly filings of non-significant changes to the information in Form 21-101F1 or Form 21-101F2 will alleviate a significant regulatory burden on marketplaces without compromising the effective oversight of marketplaces by the CSA. Exhibits C, D and E to Form 21-101F1 and Form 21-101F2 have been streamlined to eliminate the requirements to report certain information in respect of a marketplace’s organization, affiliates, and operations. We have eliminated the requirement to report historical employment information for partners, directors and officers of a marketplace, eliminated the requirement to file constating documents for affiliated entities of a marketplace, and consolidated the information a marketplace reports regarding its operations. We expect that the streamlining of these exhibits will materially reduce regulatory burden without compromising the CSA’s oversight of marketplaces. We have also streamlined the information required to be reported quarterly by marketplaces in Form 21-101F3 by eliminating duplicative and burdensome requirements for marketplaces to report systems-related information, including a summary of outages during the previous quarter, as well as requirements to report information on the implementation status of previously filed changes to operations. We have also eliminated all reporting requirements for equity marketplaces trading exchange-listed securities, as the Investment Industry Regulatory Organization of Canada (IIROC) presently collects this information from marketplaces. We have lengthened the time period associated with the filing by marketplaces of amendments to the information in Exhibit L (Fees) to each of Form 21-101F1 and Form 21-101F2 to at least 15 business days before the marketplace implements a change to its fees. We expect that this change will result in a more reasonable opportunity for the CSA to review marketplace fee filings without imposing any undue burden on marketplaces proposing fee changes. Financial reporting New section 4.3 has been added to the Regulation to require recognized exchanges to file interim financial reports within 60 days of the end of the interim period. Currently, in certain CSA jurisdictions, specific financial reporting requirements for exchanges are included in the terms and conditions of the exchanges’ recognition orders.

Systems requirements The concept of ‘cyber resilience’ has been added to subparagraph 12.1(a)(ii) and subparagraph 14.5(1)(a)(ii) of the Regulation as one of the information technology general controls that a marketplace or IP must develop and maintain. While cyber resilience should already be covered by an entity’s controls, the explicit addition of the concept in the Regulation is intended to be reflective of the increasing importance of ensuring that an entity has taken adequate steps to address cyber resilience. The concept of “security breach” in relation to the notifications that must be provided by a marketplace and IP under paragraph 12.1(c), paragraph 12.1.1(b) and paragraph 14.5(e) has been broadened to “security incident”. The change extends the concept beyond actual breaches, as we are of the view that a material event may include one where a breach has not necessarily occurred. We have changed the Policy Statement to provide guidance on what constitutes a “security incident”, referencing guidance provided by the National Institute of Standards and Technology (U.S. Department of Commerce) (NIST) 1 . We have added requirements in the Regulation under section 12.1 and section 12.1.1 that marketplaces keep records of any systems failures, malfunctions, delays or security incidents and identify whether they are material. In response to concerns raised by commenters and to avoid placing undue burden on marketplaces, we have not proceeded with additional related reporting requirements that were included in the proposed amendments to Regulation 21-101 published for comment. However, guidance included in the Policy Statement provides that the CSA may request additional information from marketplaces regarding systems failures, malfunctions, delays or security incidents. We have also clarified the requirement at section 12.1.2 that marketplaces must annually engage a qualified party to perform appropriate assessments and testing to identify security vulnerabilities and measure the effectiveness of information security controls that assess the marketplace’s compliance with paragraphs 12.1(a) and 12.1.1(a) of the Regulation. Section 12.1.2 replaces guidance previously set out in the Policy Statement on vulnerability assessments and is consistent with similar requirements being proposed for recognized clearing agencies in Regulation 24-102 respecting Clearing Agency Requirements. Other changes Lastly, several non-substantive changes, corrections and clarifications have been made. By their nature, none of the non-substantive changes will have any impact on the application of Regulation 21-101 to marketplaces and IPs. 1 The NIST definition of “security incident” is available at https://csrc.nist.gov/Glossary.

The following table presents the changes to Regulation 21-101 as a result of the Amendments. Provision Subject Description of Change Regulation 21-101 Sub. 3.2(2) Fee changes Changes to Exhibit L must be filed 15 business days before implementing the change Para. 3.2(3)(a) Housekeeping changes Housekeeping changes to Form 21-101F1 and Form 21-101F2 filed quarterly rather than monthly Sub. 3.2(6) Annual consolidated F1/F2 Unchanged information may be incorporated by reference into annual filing S. 4.3 Financial reporting Exchanges to file interim financial reports within 60 days of the end of each interim period Para. 12.1(a) IT controls IT general controls must include controls relating to cyber resilience Para. 12.1(b) Capacity stress tests Clarified requirement that stress testing must determine the processing capability of IT systems Para. 12.1(c) Notification of systems incidents Marketplaces must provide prompt notification of material security incidents (for critical and auxiliary systems) Para. 12.1(d) Record-keeping for systems incidents Marketplaces must keep records of any systems failure, malfunction, delay or security incident and identify whether it is material S. 12.1.2 Vulnerability assessments Marketplaces must engage a qualified party to perform a vulnerability assessment at least annually Sub. 12.2(1) Independent Systems Review (ISR) Marketplace must engage a qualified external auditor to conduct an independent systems review Para. 12.2(2)(b) Reporting of ISR Delivery of report to the CSA within 60 days of report completion (rather than calendar year end) Ss. 14.5 and 14.5.1 System requirements for Information Processors (IPs) Changes to systems requirements for IPs to conform to changes to requirements for marketplaces Form 21-101F1, Form 21-101F2 and Form 21-101F5 Exhibits (general) Date of implementation of change Date of implementation to reflect the actual or expected date of implementation Exhibit B Ownership of marketplace  Threshold for disclosure raised from 5% to 10%  Carve out for marketplaces that are reporting issuers Exhibit C Organization of marketplace and IP Streamlining of information to be provided to reduce burden and eliminate duplication Exhibit D Affiliates of marketplace Streamlining of information to be provided to reduce burden and eliminate duplication Exhibit E Operations of marketplace Streamlining of information to be provided to reduce burden and eliminate duplication

Form 21-101F3 Part A General marketplace information Removal of requirements to report on previously filed amendments to F1 and F2 Part A Systems-related reporting Removal of requirements to report systems outages and changes Part B (Section 1) Equity marketplaces trading exchange-listed securities All reporting requirements have been removed to alleviate regulatory burden, as IIROC currently collects much of this information Part B (Section 2) Fixed Income marketplaces Reporting requirements for concentration of trading by marketplace participant (Chart 9) removed Policy Statement 21-101 S. 6.2 Financial reporting Guidance on the form of financial reporting for marketplaces, including guidance on interim periods and accounting principles Sub. 7.8(1) Conflicts of interest Clarification of guidance that the conflict of interest policies and procedures marketplaces are required to maintain should address actual, potential or perceived conflicts in respect of any involvement of partners, directors, officers, or employees of a marketplace’s owners in the marketplace’s operations Sub. 14.1(1) IT controls Revised guidance on sources of guidance as to what may constitute adequate IT controls Sub. 14.1(2.1) Materiality of systems incidents Additional guidance on what constitutes a material systems incident Sub. 14.1(2.2) Security incidents Additional guidance on what constitutes a material security incident and the public disclosure of a security incident Sub. 14.1(2.3) Prompt notification of material systems incidents Additional guidance on the requirement to promptly report material systems incidents Sub. 14.1(2.4) Record-keeping for systems incidents Guidance on the CSA’s expectations for record-keeping in relation to systems incidents Sub. 14.1(3) Independent Systems Reviews Additional guidance regarding qualified external auditors and expectations regarding the form and substance of the ISR Sub. 14.1(3.1) Vulnerability assessments Guidance regarding qualified parties performing the required assessments and testing

1 ANNEX B List of Commenters on draft Regulation to amend Regulation 21-101 respecting Marketplace Operation and draft amendments to Policy Statement to Regulation 21-101 respecting Marketplace Operation (as published for comment on April 18, 2019) Commenters: CNSX Markets Inc. (Canadian Securities Exchange) Nasdaq CXC Limited (Nasdaq Canada) Neo Exchange Inc. TMX Group Limited TriAct Canada Marketplace LP (MATCHNow)

1 ANNEX C Summary of Comments on draft Regulation to amend Regulation 21-101 respecting Marketplace Operation and draft amendments to Policy Statement to Regulation 21-101 respecting Marketplace Operation and CSA Responses Topic/Reference Summary of Comments CSA Response General Comments Exemption framework for foreign ATSs One commenter recommended introducing an exemption framework for foreign ATSs that trade foreign listed securities and/or foreign traded securities. The commenter indicated that the requirements for foreign fixed income ATSs considered to be carrying on business in Canada are burdensome and duplicative and that the CSA should place greater reliance on the foreign marketplace’s home jurisdiction for regulatory oversight. We acknowledge the comment and note that CSA Staff is separately considering an exemption framework for foreign-based ATSs trading fixed￾income securities. Streamlining Reporting Requirements Annual consolidated Form 21-101F1 and Form 21-101F2 Several commenters indicated that the requirement to file an annual consolidated Form F1 or F2 is burdensome and does not provide any information that is not already provided during the periodic filings. The commenters suggested that this requirement should be removed from the Regulation. In the event that the requirement at subsection 3.2(5) of the Regulation is removed, one commenter indicated that it would no longer be necessary to include proposed new subsection 3.2(6) in the Regulation. We have retained the requirement for marketplaces to file an annual consolidated F1 or F2. In our view, the requirement to prepare and file an annual consolidation assists both marketplaces and CSA staff in keeping the information in the forms accurate and up-to-date. The inclusion of subsection 3.2(6) in the Regulation will allow marketplaces to streamline their annual consolidation and avoid the burden associated with

2 Topic/Reference Summary of Comments CSA Response duplicating information already filed with the CSA. Housekeeping changes to Form 21-101F1 and Form 21-101F2 Commenters generally supported the proposed revision of subsection 3.2(3) of the Regulation to provide for the quarterly filing of housekeeping changes to the F1 and F2. However, one commenter indicated that changing the reporting timeframe for non-significant changes to quarterly may result in unintended duplication with the contents of the F3, as both reports will cover the same filing period. We have removed the requirements in the F3 for marketplaces to provide information on the implementation status of changes previously filed. We think this will address the risk of unintended duplication raised by the commenter. Form 21-101F1 and Form 21-101F2 - Exhibits Commenters generally supported the proposed revisions to the information in the Exhibits to the F1 and F2. However, commenters identified numerous other data points in the Exhibits that, in their view, represented burdensome or duplicative information requirements that should be streamlined or eliminated. Specific examples identified by the commenters include:  The current 5% threshold in Exhibit B for identifying significant shareholders of a marketplace is too low and, for a marketplace that is a reporting issuer, may be impractical in any event. The CSA should consider raising the disclosure threshold to 10%, which is already an established securities law threshold.  Exhibits C and D may be streamlined to eliminate duplicative information about directors’ occupations and principal business activities.  Exhibit E may be streamlined to eliminate overlapping and duplicative information about a marketplace’s operations.  The CSA should reconsider the need to require the updating of Exhibits J and L where the rules and fees of We have streamlined the data points in the Exhibits to the F1 and F2 to address many of the comments raised. In particular, the threshold for reporting significant shareholders in Exhibit B has been raised from 5% to 10% and marketplaces that are also reporting issuers have been carved out of this requirement. Exhibits C, D, and E have also been streamlined as suggested in the comments received. We have also removed the requirement in the F1 and F2 to file a clean version of the revised form.

3 Topic/Reference Summary of Comments CSA Response an exchange are publicly available on the exchange’s website. One commenter also recommended that for amended F1s and F2s, only the blacklined versions of the forms should be filed, as simultaneous filing of clean versions of the forms causes burden and continuity issues. Form 21-101F3 – Part A Several commenters indicated that the information in Items 4-7 of Part A of the F3 duplicates information marketplaces already file with the CSA or does not materially contribute to the CSA’s oversight of marketplaces. Commenters indicated that Items 4-7 of Part A should be eliminated from the F3. We have removed Items 4-7 of Part A of the F3. Form 21-101F3 – Part B Several commenters also indicated that much of the information required by the charts in Section 1 of Part B of the F3 is already provided to IIROC or, in certain instances, is no longer relevant and is consequently burdensome to produce. One commenter noted specifically that the information in Chart 6 in respect of routing of marketplace orders is no longer relevant as marketplaces no longer route orders for purposes of order protection requirements. Commenters generally suggested that the information in the F3 relating to the activities of marketplaces trading exchange-listed securities should be eliminated from the form. We have removed the reporting requirements in Section 1 of Part B relating to equity marketplaces trading exchange-listed securities. Fee changes Several commenters indicated that the proposed change to subsection 3.2(2) of the Regulation, increasing the filing timeline for fee changes from seven business days to 15 business days before implementation, would result in unnecessary delays, and associated burden, for We have left the timing for the filing of changes to Exhibit L as proposed (15 business days). In our view, changes to fees and fee models represent an area of increasing complexity in marketplace operations

4 Topic/Reference Summary of Comments CSA Response marketplaces needing to make fee changes on tight timing for competitive reasons. Commenters indicated that for non-controversial fee changes that replicated existing models or resulted in simple fee decreases, marketplaces should have a mechanism for an accelerated implementation timeline. One commenter recommended a review framework for proposed fee changes whereby, within 15 business days of filing, there would be a decision to approve the change for immediate implementation, put the fee change out for public comment, or require the marketplace to resubmit a revised fee change proposal for a further 15-business day review. that warrants a reasonable period of time for the CSA to consider new and complex proposals. We do not think that the extra time allowed for considering fee changes unfairly disadvantages marketplaces in making changes quickly in a competitive environment. Financial reporting Several commenters indicated that the proposed requirement for recognized exchanges to file interim financial reports within 45 days of the end of the interim period is too short a time period and presents difficulties in efficiently scheduling board meetings to review financial reporting. The commenters indicated that for recognized exchanges that are not reporting issuers, the filing deadline should be extended to 60 days. One commenter also indicated that for recognized exchanges that are not reporting issuers, the time period for filing annual audited financial statements at subsection 4.2(1) should be extended from 90 days to 120 days. Finally, one commenter indicated that the disclosure of accounting principles and statement of compliance with IFRS will result in considerable work for recognized exchanges that are not reporting issuers and may not be We have changed new section 4.3 of the Regulation to require recognized exchanges to file interim financial reports within 60 days after the end of each interim period. However, we do not think it is appropriate to extend the timeline to file annual audited financial statements to 120 days for recognized exchanges that are not reporting issuers. In our view, it is important that recognized exchanges submit annual financial statements on a timely basis in order for Staff to review the exchanges’ financial condition. Consequently, we have not changed the timeframe for annual

5 Topic/Reference Summary of Comments CSA Response consistent with similar requirements in the terms and conditions of the exchange recognition orders. financial reporting for recognized exchanges. CEO certification One commenter indicated that the form of certification required at subsection 3.2(4) of the Regulation duplicates the form of certification already required by the F1 and F2 and should be eliminated. We acknowledge the comment but have not made any changes to the form of certification at subsection 3.2(4) and in the Forms. We note that the subsection 3.2(4) requires certification regarding the completeness of the form and that the marketplace is operating as designed. We think that the additional components of this certification are important to retain as part of an annual certification requirement. Systems-related Requirements Cyber resilience While commenters generally supported the inclusion of the concept of cyber resilience in the systems requirements for marketplaces in Part 12 of the Regulation, one commenter noted that the term “cyber resilience” is not clearly defined in the Regulation and does not otherwise have an accepted or commonly understood definition. The commenter suggested that a clear and measurable definition of cyber resilience be included in the Regulation. We note that the additional guidance in subsection 14.1(1) of the Policy Statement refers to sources of guidance for marketplaces as to what constitutes adequate IT controls, including controls in relation to cyber resilience. We felt that it was more appropriate to rely on industry guidance for the design of an optimal control environment rather than attempt to precisely define the concept of cyber resilience. Security incidents – record-keeping and reporting Commenters expressed concerns with the proposed revisions to Part 12 of the Regulation that would require marketplaces to keep records of and report to regulators in We have addressed the concerns with the over-reporting of systems-related

6 Topic/Reference Summary of Comments CSA Response respect of “security incidents” as opposed to “security breaches”. Commenters indicated that the proposed guidance on what may constitute a security incident, together with the guidance on the materiality of such incidents for reporting purposes, would result in a significant over-reporting of security incidents to the CSA, which would be burdensome and out of proportion to the value of the reporting. Commenters indicated that the proposed requirement at Item A6 of the F3 would create a reporting obligation for all security incidents regardless of materiality or impact on the marketplace or participants and operationalizing such reporting would be very costly. Commenters also indicated that the materiality standard for reporting security incidents should be based on an assessment of the impact of the incident on participants and on a marketplace’s key business processes rather than on a framework of reporting up to senior marketplace personnel. One commenter indicated that the CSA should consider relying on the requirement for independent systems reviews (ISRs) at section 12.2 of the Regulation for assurance that non-material security incidents are being managed appropriately by marketplaces. information raised in the comments in two respects:

1. We have removed the requirement in Item A6 of the F3 requiring marketplaces to make quarterly reporting of outages or other system events, material or otherwise.
2. We have revised the record￾keeping requirement at para. 12.1(d) of the Regulation to remove the requirement that marketplaces document their materiality assessments in relation to system events. We also note that the guidance in subsection 14.1(2.1) of the Policy Statement on materiality indicates that marketplaces may consider the impact of the systems event on participants in determining whether or not the incident is material for purposes of paragraph 12.1(c) of the Regulation. Vulnerability assessments (VAs) Several commenters indicated that VAs, as proposed at section 12.1.2 of the Regulation, are expensive and not necessarily undertaken absent risks or changes to technology. Several commenters suggested that the CSA consider making vulnerability assessments a bi-annual requirement or triggered by other circumstances, including at the request of the CSA. One commenter also requested We acknowledge the comments but have not made changes to the requirement at section 12.1.2 of the Regulation. In our view, the requirement for annual vulnerability assessments is consistent with the need for marketplaces to design a

7 Topic/Reference Summary of Comments CSA Response clarity as to what constitutes a qualified party for purposes of the assessment. control environment that appropriately accounts for cyber resilience. As with the requirement for annual ISRs, the CSA would be prepared to consider exemptions from this requirement in appropriate circumstances. Independent Systems Review One commenter indicated that the requirement for a marketplace to engage a qualified external auditor to undertake the ISR prevents highly qualified and appropriately independent Internal Audit departments from undertaking the ISR. The commenter noted that applying for exemptions from the requirement to engage a qualified external auditor is also costly. Once commenter also questioned the necessity of the guidance at subsection 14.1(3) of the Policy Statement that the marketplace must discuss its choice of auditor with the CSA if the auditor engaged is required by the Regulation to be qualified. The commenter suggested that if the purpose of the guidance is for the CSA to pre-approve the marketplace’s engagement, this requirement should be in the Regulation itself. One commenter also indicated that the new requirement at subsection 12.2(1) that the ISR be conducted in accordance with “best industry practices” is subjective, notwithstanding the proposed guidance in the Policy Statement, and is not necessary, as the ISR must also be conducted in accordance with established audit standards. Several commenters also indicated that the ISR requirement should be changed to a bi-annual requirement, given its associated expense. Commenters We acknowledge the comments but have not made any changes to the requirements regarding ISRs as proposed. In our view, the ISR is a critical tool for managing the risks associated with marketplaces’ systems in a deeply interconnected market structure. While we recognize the professional objectivity required of internal auditors, we are of the view that requiring ISRs to be conducted by a qualified external auditor both enhances and promotes confidence in the process. Consequently, we believe it remains essential for marketplaces to engage a qualified external auditor to conduct an ISR on an annual basis. We note, however, that the CSA may consider exemptions from the annual ISR requirement where appropriate. In reviewing the appropriateness of such exemptions, we would consider the circumstances applicable to the

8 Topic/Reference Summary of Comments CSA Response suggested that the ISR could be triggered more frequently if a marketplace experiences material systems issues. Lastly, one commenter suggested that the CSA consider building some flexibility into to the date for delivery of the ISR report to the CSA. The deadline of no later than 60 days following the end of the calendar year means that certain reports from sub-service organizations are not received in time to incorporate into the report. marketplaces, which would include the existence of an appropriately qualified an independent Internal Audit department and the functions it performs. Also, we note that paragraph 12.2(2)(b) has been revised to provide for delivery of the ISR report 60 days following completion of the report. Implementation of material systems changes One commenter felt that the OSC must take a more flexible approach in its interpretation of OSC Staff Notice 21-706, which provides guidance regarding the timing for a marketplace implementing a material change to its systems. The commenter suggested that 90 days following notification of regulatory approval of a material systems change would be appropriate for “mandatory” changes that all participants must implement but that 30 days would be an appropriate implementation period for functionality that is optional. OSC Staff intends to revoke OSC Staff Notice 21-706 when the amendments to Regulation 21-101 take effect. Going forward, the Exchange and ATS Protocols will prohibit marketplaces carrying on business in Ontario from implementing material systems changes earlier than a “reasonable period of time” following notification that the change has been approved.