IIROC Rule 3900: trade supervision for Canadian businesses
IIROC Rule 3900 focuses on trade supervision in Canada, aiming to ensure dealer compliance at a local and regional level. With Client Focused Reforms entering the regulatory sphere in 2021, advisors were given updated guidance on choosing suitable products and distinguishing between risk and financial capacity.
Written by a human
But after IIROC transitioned to CIRO in 2023, the regulatory body worked with the Canadian Securities Administration to investigate whether these reforms had the desired effect. The agencies’ joint sweep in 2025 found that some firms failed to actually implement the proper controls, meaning that reviews were found to be legally incomplete.
With a strong link to Universal Market Integrity Rules, the CIRO annual compliance report covered gatekeeper enforcements as a ‘hot zone’ for upcoming focus. Firms should therefore refresh themselves on the trade supervision rules to stay on the right side of the regulators.
What are the Rule 3900 review tiers?
As the fundamental supervision rule for the Canadian investment industry, Rule 3900 places the ultimate burden of proof on the dealer member to prove that they are actively watching over advisors. There are two levels of supervisory checks, ensuring that oversight isn’t just at a local level, but is also verified by a centralized authority.
Local supervision
The ‘front line’ defence is in-branch supervision, conducted by resident supervisors. They are physically located at the business where the trading occurs. One of their responsibilities is to review daily trade blotters, which involves:
- – approving new accounts
- – Verifying Know Your Customer (or Know Your Vendor) documentation
- – Identifying 3900 red flag examples in real situations, such as unsuitable high-risk trades within conservative accounts
The key advantage at this level is that resident supervisors often know their advisors personally, so they are best positioned to spot behavioral changes or local risks.
Regional supervision
Conducted as a sort of ‘oversight to the oversight’, a centralized compliance department must also supervise the trading activity.
The 3900 monthly suitability checks sit at this level, with a focus on systemic patterns, trends and the verification that local supervisors are doing their jobs correctly. For example, at this level, supervisors must analyze month-end statements for churning patterns, which may indicate that traders are excessively active to generate commission. It’s easier to spot these across a month, rather than in daily checks.
Supervisory procedures also include looking for cross-branch issues, and having to review any trade above a certain financial threshold, such as $5,000.
There are also quarterly gatekeeper duties, which are designed to catch structural failures. Under rule 3900 evidence retention requirements, every quarter, the CCO must provide a formal report to the firm’s Board of Directors. This means that the firm can’t claim plausible deniability over compliance issues.
Where are the potential control gaps?
Although the two-tier IIROC trading rules system is fairly robust, there is still opportunity for fraudsters to expose vulnerabilities.
For example:
- – Manual sampling misses: if local supervisors ‘rubber stamp’ the daily blotters without actually reviewing them due to time constraints, they may have unsuitable trades slip through
- – Stale watch lists: static watch lists are only as effective as their last update, leading to windows of opportunity for malicious trading
- – Siloed communications: when Head Office supervisors rely on software that’s different to branch-level, they can be vulnerable to visibility lags
Setting up fix kits
In the context of Rule 3900, fix kits are standardized remediation frameworks used to bridge the gap between detecting a violation and proving it has been resolved. In 2025, regulators no longer just want to see issues flagged, but that there is a documented path towards remediation.
7-day remediation
7-day remediation flows are the industry benchmark for supervisory exceptions (although some issues do take longer). It may look something like this:
- 1. Day 1: detection – the automated surveillance system flags an alert
- 2. Day 2: inquiry – the supervisor sends a clarification request to the advisor
- 3. Day 3: the advisor provides the missing document or explanation
- 4. Days 4 and 5: the supervisor reviews the fix and if it meets Rule 3900 standards, closes the ticket
- 5. Day 6: the fix is timestamped and moved into the remediated folder
- 6. Day 7: the regional supervisor audits the ticket
Attestations
Attestations are legal documents whereby individuals can ‘swear’ that statements are true. These have moved away from paper statements and into digital attestation models, which provide more comprehensive coverage with regards to the regulation. Such as:
- – Unique alert IDs, which link the attestation to specific trades
- – Rule references, which state which part of Rule 3900 was reviewed
- – The standard declaration
- – And a digital fingerprint, timestamping the documentation to prove it wasn’t backdated
These fix kits are helpful in overcoming the control gaps because they give supervisors a clear process to follow. When auditors arrive, it’s easy to provide them with the list of remediation certificates generated by the fix kits, and firms can handle a growing level of alerts, even as they scale.
How surveillance tech stacks can help with compliance?
Canadian investment dealers must rely on an integrated technology system to close their compliance gaps, such as:
| Tech capabilities | Compliance aid |
| Multi-channel communications capture | Tools like Global Relay capture communications across all channels to achieve oversight of trading activity across all potential mediums |
| Data ingestion | Direct-to-system feeds can transfer the right trading data using APIs in real-time |
| Data normalization engine | Processes that standardize data types into a single, comparative storage system aid set the foundation for spotting patterns |
| Violation detection | A combination of rules-based logic and machine-learning can surveil and flag potential violations using the right context, which prevents the majority of false alerts |
| Automated alerts | Automated alerts sit at the start of the escalation process to achieve reviews in real-time |
| Evidence vault | A large-scale, secure Archive will help users to easily search and store communications and documents alike. Solutions like Global Relay’s archive are immutable, following WORM (write once, read many) storage methods for full auditability. |
Proving compliance with Rule 3900
IIROC (and now CIRO) Rule 3900 is a helpful driver for both client protection and firm defence. But with recent findings of inadequate reviews, firms must approach trade supervision with more care and focus going forward.
With the ability to quickly gather and assemble related conversations across all channels, and in their full context, Global Relay enables firms to perform full-day reconstructions. Legal teams can identify, collect, and present the relevant data for investigations or litigation, including edits, deletions, and threads.
Because the archive and monitoring suite constantly scans data to verify that all information is present, they’re viable surveillance tools for IIROC dealers, providing reliable and auditable records.