Overview
Four years after the Client Focused Reforms (CFRs) came into force, CIRO and the CSA jointly reviewed 277 firms across every major registration category — 172 in the Phase 1 sweep on conflicts of interest, and a further 105 in the Phase 2 sweep covering KYC, KYP and suitability. Phase 2 was published as Joint CSA/CIRO Staff Notice 31-368 on December 10, 2025; the OSC walked the industry through the consolidated findings at its Registrant Outreach session on April 15, 2026. Where the gaps were significant, regulatory action followed.
This article focuses on a single slice of those findings: product due diligence at the firm level (what goes on the shelf, how it gets there, how it stays there) and Know Your Product at the advisor level (what each registered individual has to understand about each security they recommend or hold). The recurring observation, narrowed to that slice, is the thesis: the dominant deficiency was documentation and process discipline. Firms had policies. Advisors had judgment. What was missing — repeatedly — was a defined, supervised, evidenceable process and a documentation trail that demonstrated the analysis behind each shelf decision and each advisor-level KYP.
This article answers two operational questions, walks through five myths that share a documentation-and-process root cause, and closes with three structural questions firms with several hundred advisors keep raising.
The two operational questions
- At the firm (enterprise) level, what does the organisation have to do to determine what goes on the shelf, and how is the product due diligence process managed?
- At the advisor level, what is the KYP process the registered individual has to implement, what specifically do they have to document, and is there flexibility to focus only on top holdings or active recommendations?
The three structural questions, revisited at the end
- If a firm has several hundred advisors, does every advisor have to conduct ongoing product due diligence?
- Does every advisor have to use a similar platform?
- Does the firm need to supervise the product due diligence process for every advisor?
The Heart of the Issue — Documentation and Process
Phase 2 produced a specific catalogue of where the documentation-and-process gap appeared in product due diligence. Five findings, drawn directly from the 105 reviews, recur:
- Firms relied on a related issuer's KYP, on an offering memorandum, or on third-party change notifications as if those discharged the firm's own KYP. The regulator rejected each as a substitute for the firm's own analysis. (Section B.1, B.2)
- "Approval" of a security on a list, without documented evidence of a meaningful KYP review and supporting rationale, was insufficient. The firm has to define the approval process, the criteria, the roles, and the documentation. (Section B.3)
- Most firms had defined no monitoring criteria — no written definition of what counts as a "significant change" — so monitoring triggers were unambiguous in name only. (Section B.4)
- Transfer-in securities and client-directed trades were excluded from KYP processes on the basis of small size or low frequency. The regulator rejected the carve-out. (Section B.5)
- Outdated and boilerplate policies, optional training on shelf products, no attendance evidence. (Section D)
The through-line is consistent. The work, in many cases, was being done. The regulator's finding was that the work could not be shown to have been done — and an obligation that cannot be evidenced cannot be supervised, audited, or defended. Documentation must demonstrate analysis, not merely record an outcome. That is the discipline this article is about.
Section 03: When Does Product Due Diligence Need to Happen? — Triggers and Timing
The CFR documentation expectation is contemporaneous: the file has to record the analysis at the moment the obligation arises. Triggers fall into two groups — scheduled reviews on a periodic cycle, and event-driven reviews when something changes about the product or the firm's awareness of it.
Scheduled cadence
- Initial shelf assessment — firm level. Created prior to shelf approval for any new security. The Product Assessment Report is the deliverable.
- Annual full-shelf review — firm level. Each approved product re-reviewed at least annually, plus on any material change.
- Initial advisor KYP — advisor level. Completed prior to each new recommendation of a security the advisor has not previously assessed.
- Periodic advisor KYP refresh — advisor level. Aligned with the firm's annual full-shelf review at minimum, more frequently where complexity warrants.
Event-driven triggers
The firm has to define, in writing, what counts as a "significant change." Without that definition, monitoring is structurally incapable of triggering anything. The events typically captured:
- Strategy or mandate change in the product. A change in the investment objective, asset mix, or operating mandate.
- Material change in the fee structure. An increase in management fee, a change in trailing commission, or a new layer of cost.
- Key-person departure or governance change. Departure of a portfolio manager, change in control of the issuer, or change in board oversight.
- Credit event or financial deterioration. Issuer downgrade, default, restructuring, or any event that changes the security's risk profile.
- Regulatory action against the issuer or product. A regulator's enforcement action, a halted distribution, or a restriction on availability.
- Change in the firm's internal risk rating. Any movement that changes the profile the product was originally approved for.
- Transfer-in or client-directed trade outside the shelf. Triggers an advisor-level KYP within a reasonable time, regardless of size or frequency.
The Firm (Enterprise) Level
Two parts: what the firm has to do to determine what goes on the shelf, and how the product due diligence process is managed once it is there.
Part A — Determining what goes on the shelf
1. Written approval policy and procedures
A version-controlled, current PDD policy that governs the full product due diligence lifecycle: approval criteria, tiering methodology, shelf removal standards, and the roles responsible for each step. Reviewed at least annually, or immediately upon a material regulatory change.
2. Structured product assessment for every new security
Each security proposed for the shelf is evaluated for structure, features, risks, costs, target client profile, disclosure adequacy, and any product-level conflicts of interest. The output is a Product Assessment Report — dated, with the analyst named, source documents listed (prospectus, Fund Facts, ETF Facts, offering memorandum, financial statements, third-party research), findings against each dimension, the decision, and the rationale.
3. Tiered review methodology
KYP depth is risk-based. Streamlined tier for listed securities with robust public disclosure; in-depth tier for complex, structured, or exempt-market products; independent-review tier for related or connected issuer products. The tier applied is recorded inside each Product Assessment Report, with the rationale.
4. Formal approval or rejection — recorded
The output is a formal approval, rejection, or conditional approval, captured in a Shelf Approval Record. The list itself is not the documentation; the file behind each entry is.
5. Model portfolios assessed as products
Each model portfolio is itself assessed as a product — composition, rebalancing methodology, cost profile, target client profile — at the portfolio level, in a Model Portfolio Assessment Report separate from the constituent assessments.
"Firms must establish approval processes for securities made available to clients."
Joint CSA/CIRO Staff Notice 31-368, B.3, p.15
Part B — Managing the product due diligence process
1. A defined "significant change" trigger framework
Written enumeration of the events that fire a product re-review, the responsible reviewer, and the documentation that follows. Without it, monitoring cannot trigger anything.
2. Continuous, risk-based monitoring
Monitoring is continuous, not annual. The Product Monitoring Log captures dated entries for each monitoring activity, the source reviewed, the findings, and the resulting shelf decision (continue, restrict, remove). Issuer-driven notifications are not monitoring.
3. Advisor notification when a product changes
When a significant change is identified, Approved Persons holding client positions in the product are notified promptly, in a form that supports their individual KYP refresh, with delivery date confirmed. The Advisor Notification Record sits alongside the trigger that fired it.
4. Mandated, evidenced training on shelf products
Training on every shelf product is mandatory; attendance is captured; competency standards are defined per product category; refresher training is delivered after a significant product change. Phase 2 treats absence of mandated, evidenced training as a standalone deficiency category.
5. Records that survive seven years
Every output above is subject to the seven-year retention minimum under NI 31-103 ss.11.5-11.6 and CIRO record retention rules. Records have to be reproducible in readable form on demand. Chat transcripts, ad-hoc spreadsheets, and email threads do not survive in a form an inspector can read.
Across several hundred advisors, none of this is producible by goodwill. A consistent, supervised, auditable PDD process at that scale requires a defined operating model, a shared system of record, and a supervisory layer that can see across the entire shelf and the entire registered population.
Section 05: The Advisor Level
Three parts: what KYP process the advisor has to implement, what specifically has to be documented, and whether the advisor has flexibility to do this their own way or to focus on top holdings only. Notice 31-368 Section B.2, the OSC seminar at slides 29–32, and NI 31-103 s.13.2.1(2) converge on a single answer: the registered individual's KYP obligation runs in parallel with the firm's, is not subsumed by it, and applies across the entire book.
Part A — The KYP process the advisor has to implement
The advisor's KYP is independent of the firm's. The firm's Product Assessment Report informs the advisor's analysis; it does not replace it. Four moving parts:
- Initial KYP assessment for each security before first recommending it. The advisor's own analysis, based on the source documents the advisor has reviewed, tiered to the complexity of the product.
- KYP refresh on material product change. When the firm's monitoring identifies a significant change, the advisor refreshes their KYP, working from the firm's notification and the underlying source documents. The refresh is the advisor's restated understanding, not a copy of the firm's update.
- KYP assessment for transfer-ins and client-directed trades. Inside the perimeter, assessed within a reasonable time after the position settles. Small size and low frequency are not exemptions.
- Periodic refresh for products the advisor continues to recommend or hold, aligned with the firm's annual full-shelf review at minimum.
Part B — What the advisor specifically has to document
Three recurring artifacts. Each maps to a specific obligation; each is what an inspection looks for.
1. The KYP Assessment Note
Created at the initial KYP for each security, refreshed on material change. Records the source documents reviewed, the date, and the advisor's findings on structure, risks, costs, and target client profile. Demonstrates that the advisor independently understood the product — not that the firm did.
2. The Triggered KYP Review Record
Created whenever an event-driven trigger fires — most commonly a product-change notification from the firm. Identifies the trigger, references the underlying change, records the updated KYP, and indicates the action taken (continue, recommend reposition, escalate) or the rationale for no action. "Reviewed, no changes" with no evidence of analysis behind it is not a Triggered Review Record.
3. The Transfer-In KYP Assessment Note
Created within a reasonable time after a transfer-in or a client-directed trade outside the shelf. Same depth of assessment as a security the advisor recommended outright.
Each is produced contemporaneously with the obligation it records and retained for seven years. The discipline is contemporaneity and retrievability — not the prose style of the note.
Part C — Flexibility, top holdings, and "my own way"
Format flexibility. The rule is principles-based; it does not specify a template. But Section B.3 requires the firm to define the approval process, criteria, and roles, and Section B.4 requires the firm to define what counts as a significant change. Those obligations cannot be discharged if every advisor produces KYP documentation in a different format, in a different system, with different fields, and at a different depth. Without a firm-defined standard, the firm cannot supervise, cannot demonstrate consistency, and cannot satisfy the retention requirement in a form that survives an inspection. The advisor's substantive judgment is theirs; the documentation format is the firm's.
Top holdings only. No. The KYP perimeter is every security the advisor recommends or holds across client accounts at the firm — including transfer-in positions, including small positions, including positions held by only one client. The substantive depth of an assessment is correctly tiered to product complexity (a simple listed equity produces a shorter Note than a private real-estate LP) — but every security in a client account at the firm has to have one. Concentrating the KYP process on top holdings is precisely the carve-out the regulator closed in Phase 2.
Section 06: Five Documentation-and-Process Myths
Five common myths in the field share a single root cause: each carves a documentation or process hole that Notice 31-368 closes explicitly.
The CFRs deliberately split KYP into two non-substitutable obligations: a firm-level KYP under NI 31-103 s.13.2.1(1), and an individual KYP for each registered representative under s.13.2.1(2). Notice 31-368 Section B.2 — and the OSC seminar at slides 29–32 — both stress that the registered individual must take their own reasonable steps to understand any security they recommend. The firm's analysis informs the advisor's; it does not replace it.
Notice 31-368 Section B.5 and the OSC deck at slide 60 confirm that unsolicited orders and transfer-in positions are inside the KYP perimeter, with the documentation obligation attaching within a reasonable time. The firm has accepted the position into a client account on its books; the file has to reflect that the advisor understands what is in the account, regardless of who put it there.
"Annual monitoring alone was not found to be sufficient."
Joint CSA/CIRO Staff Notice 31-368, B.4, p.17
Issuer-driven notifications do not count as monitoring. The firm has to define what constitutes a "significant change," monitor on a risk-based and proactive basis, and produce a documentation trail when a trigger fires.
Section B.3 contradicts this directly: firms must define the approval process, the criteria, and the roles, and produce documentation evidencing the analysis. Section B.4 imposes the same discipline on monitoring. The CFRs are principles-based, but the principle is that the firm is responsible for ensuring KYP happens consistently, evidenceably, and at the depth the product warrants. Phase 2's dominant deficiency category — documentation and process discipline — is the operational consequence of letting each advisor define the format for themselves.
The KYP perimeter is every security the advisor recommends or holds. Section B.5 rejects exclusion on the basis of small size or low frequency, and the OSC seminar at slide 60 reinforces it. Depth is tiered to complexity — a simple listed equity produces a shorter Note than a private LP — but every security in a client account at the firm has to have one.
Looping Back — The Three Structural Questions
If a firm has several hundred advisors, does every advisor have to conduct ongoing product due diligence?
Yes — and the documentation obligation runs at both levels in parallel. The individual KYP obligation under NI 31-103 s.13.2.1(2) attaches to each registered representative for every security they recommend or hold. There is no scaling exemption. Across several hundred advisors that is several hundred individual KYP obligations, plus one firm-level obligation governing how the activity is supervised and evidenced. Myths 1, 2 and 5 are all variations on the assumption that someone else's documentation, or a narrower perimeter, discharges the advisor's; the rule never permitted that substitution.
Does every advisor have to use a similar platform for this process?
The rule does not name a platform; it requires a consistent, defined, evidenceable process — and at scale, that is what a platform is. Section B.3 requires the firm to define the approval process, criteria, and roles. Section B.4 requires the firm to define what counts as a significant change. Myths 3 and 4 are the symptoms of letting each advisor define their own format and cadence. Across several hundred advisors, the only realistic way to satisfy the consistency and evidence requirement is a shared system of record. The platform itself is not the obligation; consistency, evidence, and supervisability are — and a shared platform is the practical answer to those.
Does the firm need to supervise the product due diligence process for every advisor?
Yes — supervision is a non-delegable firm-level obligation, and it has to be evidenced. Notice 31-368 Section D treats supervisory and training failures as a standalone deficiency category. Myth 4 ("each advisor their own way") makes supervision impossible by construction; without a defined process, the supervisor has no standard to supervise against. Where supervision exists in name only, the firm is exposed regardless of how diligent any individual advisor is.
Section 08: "Do I Really Have To Do This?"
This is the question the five myths are really attempting to answer. They are reasonable-sounding ways of arriving at "no," and they are wrong for the reasons set out above. The question is rarely about the regulation itself. NI 31-103 is clear; Notice 31-368 leaves no room for misreading; CIRO's supervisory framework is explicit. "Do I really have to do this?" is almost always shorthand for one of three other questions.
"Will anyone actually check?" Two CSA/CIRO sweeps across 277 firms in three years say yes. The OSC's 2025 Annual Report (Staff Notice 33-759) and the April 2026 outreach session confirm that the sweep findings are now driving inspection priorities. Where deficiencies were significant, regulators acted. The track record is the answer.
"What's the worst that happens if I get this wrong?" Two parallel exposures. For the registered individual, a defended client complaint or a CIRO investigation is materially harder when the file does not contain a KYP record that demonstrates analysis — and in a serious case, an individual's registration is on the line. For the firm, where supervisory failures around the PDD process are systemic, the regulator's response has been firm-level enforcement, public censure, and remediation orders. The asymmetry runs against the firm in both directions.
"Is there a way to satisfy this without changing how I work?" No. The CFR documentation expectation is that KYP and product due diligence are contemporaneous, traceable, evidenced, and supervised across the entire book. That cannot be retrofitted from memory at the point of an inspection, and it cannot be reconstructed by judgment alone. The operating model has to change — but the change is closer to routinising existing professional behaviour than to inventing new work. Most advisors are already forming KYP judgments; the gap is that the judgment is not being captured in a form the firm can supervise and the regulator can read.
"Do I really have to do this?" assumes the work is optional. The actual question is "What does the KYP evidence trail need to look like across my book, and what is the cheapest, most reliable way to produce it consistently across hundreds of advisors?" That question has answers. The first one does not.
Product due diligence is not the obstacle. Doing it in a way that the firm can supervise, that the regulator can read, and that survives an inspection — that is the discipline the CFRs were drafted to require, and that is the discipline the rest of the decade will be measured against.
Section 09: Sources
- Joint CSA/CIRO Staff Notice 31-368, Client Focused Reforms — KYC, KYP and Suitability, December 10, 2025.
- Joint CSA/CIRO Staff Notice 31-363, Client Focused Reforms — Conflicts of Interest (Phase 1), August 3, 2023.
- Ontario Securities Commission, Registrant Outreach — Client Focused Reforms (CFRs), April 15, 2026.
- OSC Staff Notice 33-759, Registration, Inspections and Examinations 2025 Annual Report.
- National Instrument 31-103 (Registration Requirements) and Companion Policy 31-103CP, ss.11.5–11.6, 13.2, 13.2.1.
- CIRO IDPC Rules and MFD Rules; legacy guidance MSN-0048 (KYP), GN-3300-21-001 (product due diligence).
- Buckler internal research: Enterprise Due Diligence, Point of Sale KYP, and Advisor Ongoing Due Diligence.