compliance solutions - messaging & archiving solutions for ......securely captures and preserves...



Post on 24-May-2020


Page 1: Compliance Solutions - Messaging & Archiving Solutions for ......Securely captures and preserves email, instant messaging (AOL, MSN, Yahoo!, GoogleTalk), BlackBerry, Bloomberg, Thomson

Compliance Solutions

Archiving the financial services world

IIROC Rule 29.7, IIROC Notice 11-0349, IIROC Rule 17.16, MFDA Rule 2, MFDA Rule 5, MFDA Notice MR-0056, National Instrument 31-103, UMIR Policy 7.1

IIROC and MFDA Requirements and Global Relay Solutions for Electronic Communications Recordkeeping & Supervision

CANADIAN FINANCIAL FIRMS

IIROC DEALER MEMBERS

MUTUAL FUND DEALERS

WELCOME AND THANK YOU for your interest in the electronic messaging compliance services of Global Relay for Canadian firms subject to IIROC and MFDA requirements. We are confident that you will find that our compliance solutions exceed your expectations.

COMPLIANCE is more than just the preservation of records to ensure that your firm can survive regulatory, audit and evidentiary scrutiny. It’s a matter of Reputation, Integrity and Control. The stakes are high and they are tied to the prosperity of your firm. The compliance and legal eDiscovery burden should involve pro-active decision-making on the part of senior management to choose a high quality compliance solution to efficiently retain, protect, manage and ensure authenticity of records and to implement safeguards and internal supervisory controls against inadequate data management practices. Selecting a message archiving solution should be thought of as an investment in your firm’s future, both in terms of risk reduction and overall firm image.

GLOBAL RELAY’S TECHNOLOGY SOLUTIONS reflect “best practices” standards that have become the benchmark for message management. Global Relay Archive, Global Relay Search and the Compliance Reviewer are specifically engineered to provide a total regulatory compliance and eDiscovery solution for firms subject to the regulatory compliance requirements of IIROC and the MFDA as well as the SEC, FINRA, FSA, and international data protection and privacy laws, including PIPEDA. Our cloud-based services provide reliable, cost-effective and scalable message management and compliance solutions that:

are implemented within hours, with no software or hardware requirements or other capital outlays

are continuously and seamlessly updated to meet current technological, legal and regulatory needs

provide end-user tools such as mobile access to all data via iPhone, iPad, Blackberry and Android

GLOBAL RELAY IS 100% CANADIAN. All of your firm’s data is stored in our two East/West coast mirrored SSAE16/SOC I Type II certified Canadian data centres. As the developer, owner and operator of our technology, we have provided message archiving solutions since 1999 without a single incident of data loss. Each year, Global Relay engages KPMG to perform independent testing upon its security, business and operational controls and report upon findings. This comprehensive third party validation is unique in the hosted messaging industry.

YOUR COMPLIANCE SOLUTION will be tailored, without extra cost, according to the existing and evolving needs of your firm. Global Relay solutions are scalable to meet the needs of customers ranging in size from small businesses to enterprise-level, large-scale multi-national deployments. We are a dedicated team of professionals with the highest synergy of business, technical and legal expertise. With 24x7x365 IT support and our full-time, in-house compliance lawyers, we help our customers on a daily basis troubleshoot and resolve key IT and business issues, as well as play a mission critical role in your equation to achieving corporate excellence. Global Relay Archive seamlessly integrates with virtually any technology environment, allowing your firm to leverage Global Relay’s fully redundant systems and multi-layered security without the cost and staff time required to run and maintain equivalent systems on-premise and providing your firm with a superior balance of technology, service, support, training and affordability to efficiently meet regulatory, audit, corporate governance, eDiscovery requests and other business needs.

Call Global Relay at +1.866.484.6630 or visit us at www.globalrelay.com, and let us demonstrate how our best-of-class solutions will make the difference in winning you as a customer.

Yours truly,

Shannon Rogers President & General Counsel

Assisting IIROC and MFDA Regulated Firms in Meeting Requirements for Electronic Recordkeeping, Supervision, and Data Protection

Services at a Glance

Recordkeeping Requirements

Supervision Requirements

Business Continuity/Disaster Recovery Requirements

Global Relay Technical Solutions for

IIROC Rule 29.7

IIROC Notice 11-0349 Guidelines

National Instrument 31-103

MFDA Rules 2 & 5

Global Relay Archive: Controls and Features

Compliance Reviewer: Controls and Features

Global Relay Archive TABLE OF CONTENTS


For More Information

Please refer to the following Global Relay publications:

Global Relay Services Guide: a complete overview of all Global Relay compliance, message archiving, support, and professional services

Global Relay Compliance Solutions Guidebooks: additional publications detailing how Global Relay addresses the message archiving and compliance needs of:

SEC Regulated Firms (Investment Advisors, Hedge Funds & Private Equity)

FINRA Regulated Broker-Dealers

Available upon request

KPMG Report on Global Relay’s Business, Operational and Security Controls: provides assurances and transparency into the high standards of Global Relay’s internal controls, and how these truly differentiate Global Relay

SSAE16/SOC I Type II Reports on Global Relay’s two mirrored East/West coast Canadian data centres

Also refer to the following IIROC, MFDA, and Related Documents, which can be found online:

IIROC Member Regulatory Resources: http://iiroc.knotia.ca/Knowledge/Browse/BrowseToc.cfm?kType=445

IIROC Notice 11-0349 – Guidelines for the Review, Supervision and Retention of Advertisements, Sales Literature and Correspondence: http://docs.iiroc.ca/DisplayDocument.aspx?DocumentID=DBED7D6AED1C4A8BB3D9BEF60412AA27&Language=en

MFDA Rules: http://www.mfda.ca/regulation/rules.html

National Instrument 31-103 – Registration Requirements and Exemptions: http://www.osc.gov.on.ca/documents/en/Securities-Category3/rule_20090717_31-103_national-instrument.pdf

SERVICES At-A-Glance

Global Relay Archive

Securely captures and preserves email, instant messaging (AOL, MSN, Yahoo!, GoogleTalk), BlackBerry, Bloomberg, Thomson Reuters, CME/Pivot, ICE/YellowJacket, social media (LinkedIn, Twitter, Facebook), Web pages and more. Check with Global Relay if you need to archive a message type that is not listed here.

Compliance Reviewer

Complete message supervisory system that is configured to enforce and monitor your supervisory policies and procedures.

Audit and eDiscovery

Solutions are readily accessible within Global Relay Archive, providing efficient online tools for collaboration, case management and responses to legal data requests.

Global Relay Search

Provides users with 24/7 “anywhere access” to their messages via BlackBerry, iPhone, iPad, Android, Outlook and the Web.

Global Relay Message

Global Relay’s flagship messaging and unified collaboration communications service, designed to address the messaging, federation, compliance, privacy and security needs of firms in regulated industries. Global Relay Message is currently in Beta.

Global Relay services are presented in three “pillars”:

search, archive, message

Global Relay Message: Secure, fully compliant messaging platform

Email Services: Secure email with spam and virus filtering, shared calendars and contacts

Continuity Email

Message Hub: Federate your Microsoft OCS/Lync with Thomson Reuters Messaging

In-house, Hosted Exchange, Zimbra, Notes, Google Apps and more

Access messages anytime, anywhere

Search across all message types

Easily Reply, Reply All, Forward and Recover messages

SAML enabled

Significance of Rules

Regulators are no longer tolerating inadequate recordkeeping and supervision of a firm’s electronic communications. IIROC Rule 29.7 (supplemented by IIROC Notice 11-0349) requires firms to archive, monitor and review electronic advertisements, sales literature and correspondence for clients. Of note, IIROC has recently clarified that “all methods used to communicate, including, but not limited to, Facebook, Twitter, YouTube, blogs, and chat rooms, are subject to the IIROC Rules.” It is the content of a communication that determines whether it is related to a firm’s business, not the method by which the communication takes place. The MFDA has also adopted recordkeeping rules, which can be found in MFDA Rule 5. In addition to the IIROC and MFDA Rules, National Instrument 31-103 requires firms to document correspondence with clients.

Who Must Comply

Generally, these rules are applicable to all persons engaged in trading or acting as a dealer under the jurisdiction of IIROC, the Canadian Securities Administrators (CSA) and/or the MFDA. Canadian companies registered in the U.S. will also be subject to SEC and FINRA requirements.

Requirements

In connection with electronic communications under IIROC Rule 29.7 and IIROC Notice 11-0349, firms must:

retain all advertisements and sales literature for 2 years, and correspondence with the public for 5 years;

create and store indexes for all electronic records;

design and implement retention systems and programs that can reliably capture all types of electronic messages used for business purposes, including, if permitted, those sent via personal mobile devices;

retain records of reviews and approvals related to electronic communications; and

have readily accessible for inspection by IIROC all stored business-related electronic communications prepared for clients, and all records of supervisory reviews of the same.

In connection with MFDA Rule 5, firms must:

retain all “books, records and other documents” necessary for the “proper recording of [their] business transactions and financial affairs and the transactions that [they] execute on behalf of others” (Rule 5.1);

store electronic records such that: the method of storage guards against the risk of falsification, records can be provided promptly to regulators, and suitable back-up and disaster recovery programs are in place (Rule 5.2); and

retain records for 7 years from the date of creation or such other terms as required by the MFDA (Rule 5.6).

In connection with electronic communications under NI 31-103, firms must:

retain records of business activities, financial affairs and transactions, including client correspondence;

retain such records for seven years from their date of creation;

store records in a durable form in a safe location; and

provide records to regulators in a “reasonable period of time.”

Note: Section 7.1 of the Universal Market Integrity Rules (UMIR) Rule 10.11 requires firms to verify that electronic order information is “stored, retrievable and accurate.”

Global Relay’s Solution

Global Relay Archive provides a highly scalable cloud-based message archive system designed to address IIROC, FINRA, SEC and MFDA rules. Global Relay Archive captures and archives all electronic communications of a firm, including email, instant messages, BlackBerry, Bloomberg, Thomson Reuters, text messages, social media messages and more, in a single unified and accessible system. All data is stored in Global Relay’s two mirrored SSAE16/SOC I Type II Canadian data centres.

RECORDKEEPING SUMMARY OF REQUIREMENTS

SUPERVISION SUMMARY OF REQUIREMENTS

Significance of Rules

In addition to the recordkeeping requirements previously outlined, IIROC Rule 29.7 requires firms to develop, establish and maintain a supervisory system to ensure advertisements, sales literature and correspondence with clients complies with all applicable rules. MFDA Rule 2 also includes supervisory responsibilities. In addition, UMIR Policy 7.1 and NI 31-103 require a compliance supervision and preservation system to be put in place.

Who Must Comply

Generally, these rules are applicable to all persons engaged in trading or acting as a dealer, including Investment Dealer firms and registered representatives that fall under the jurisdiction of IIROC, MFDA, and the CSA. Canadian companies registered in the U.S. will also be subject to SEC and FINRA requirements.

Requirements

In connection with electronic communications under IIROC Rule 29.7 and IIROC Notice 11-0349, firms must:

establish written supervisory policies and procedures for all business-related communications for clients (including methods of detecting and addressing prohibited communications, methods and frequency for reviewing business-related email and distinguishing types of records, supervisory hierarchy for conducting reviews and cross-supervision, and notice requirements), to be approved by IIROC;

establish written policies to conduct supervision via pre-use approval, post-use review or post use sampling depending on the type of material and the nature and business of the individual firm (Note: Rule 29.7(3) requires 6 specific types of materials to be reviewed prior to use);

educate and train employees on procedures governing electronic correspondence with the public;

monitor and evaluate supervisory procedures to ensure compliance; and

in relation to supervision of social media: static content, such as a profile, background or wall information, is usually considered an ‘original template advertisement’ and must be pre-approved pursuant to IIROC Rule 29.7(3). Conversely, interactive electronic forums such as Tweets, which involve real time discussion, do not require prior approval but must be supervised.

In connection with electronic communications under MFDA Rule 2, firms must:

establish, implement and maintain policies and procedures to ensure business is conducted in compliance with all applicable rules and legislation (Rule 2.5.1); and

pre-approve all advertisements and sales communications (Rule 2.7.3).

In connection with electronic communications under UMIR Policy 7.1, firms must:

implement a compliance monitoring system designed to detect compliance violations; and

maintain an audit trail and record of supervisory reviews for 5 years (Note: 7 years under NI 31-103).

Global Relay’s Solution

Global Relay engineered the Compliance Reviewer technology as part of Global Relay Archive in order to provide Members with a turn-key, unified electronic record supervisory control system with advanced monitoring and filtering (including keyword/lexicon flagging and exclusions, random sampling, and scheduled searches) as well as advanced reporting, audit and eDiscovery tools. To enforce and monitor your firm’s policies for proper messaging usage, corporate governance and compliance, Global Relay’s Compliance Reviewer provides a flexible, easy-to-use, multi-tier supervisory system and Compliance Dashboard that can mirror the reporting structure of any size firm, no matter how complex. Using Global Relay Search, the Compliance Reviewer is able to retrieve, filter, review and monitor all archived email, instant messages, BlackBerry, Bloomberg, Thomson Reuters, text messages, social media messages and more in a single unified platform.

BUSINESS CONTINUITY SUMMARY OF REQUIREMENTS

Significance of Rules

Regulators have mandated high levels of business protection and contingency measures in Canada and globally. In the event of a market-wide disruption, the resilience of the financial sector is contingent upon the rapid recovery and resumption of critical activities. IIROC Rule 17.16 requires a business continuity plan (BCP) to deal with significant business interruptions and efficiently resume operations. Under MFDA Rule 2.9, members are required to establish and maintain the prescribed internal controls. MFDA Notice MR-0056 sets out the prescribed business continuity planning requirements.

Who Must Comply

All IIROC and MFDA members must make adequate BCP preparations relative to their size, business and structure.

Requirements

Under IIROC Rule 17.16, firms must:

establish a customized BCP that is based on a business impact analysis of a serious or prolonged disruption or emergency and the mitigating solutions. Relevant Rule 17.16 Guidelines include:

duplication of critical technology, and strong vital records and other data critical to resuming business in a secure, geographically removed location, that is available for use during an emergency;

pre-designated alternate sites, located a prudent distance from primary sites;

organizational strategies for IT and business functions (such as access to client data);

processes for the storage, protection and recovery of data (electronic records);

back-up procedures for all applications and hardware;

processes for handling lost work in progress and/or backlog processing as well as alternative methods of communication during a disruption;

ability to resume effective operation within an acceptable period of time;

continued compliance with all relevant regulations and legal obligations and duties to clients;

review, test and audit regularly for BCP capabilities and quality;

update the BCP in the event of any material change to operations, structure, business or location; and

all the firm’s operations in each region where the firm has a presence must be incorporated into BCP.

Under MFDA Notice MR-0056, firms must:

develop a BCP that is appropriate for their “size and business model” that should define critical operations and services, triggers for invoking the BCP and management and staff obligations, as well as establish the procedures for maintaining core business functions;

allocate “adequate resources” to the BCP;

have back-up systems for the preservation and recovery of all records (including electronic records);

establish procedures to ensure communication of all necessary information between all relevant parties and stakeholders in the case of a disaster or crisis situation; and

ensure mission critical third party suppliers have adequate business continuity plans in place.

Global Relay’s Business Continuity/Disaster Recovery Solution

Global Relay’s business operations, technologies and its own BCP have been designed with a goal of providing 100% availability of Mission Critical services to customers. Our fully redundant core systems operate from two mirrored SSAE16/SOC I Type II data centres that are designed to provide seamless uninterrupted service in the event of a hardware failure, multiple system failure or service disruption. In the case of a catastrophic event, Global Relay systems are designed specifically to ensure the preservation and security of customer data. Annually, KPMG conducts testing on Global Relay’s core systems, networks and internal controls to validate the redundancy and security of the systems. Global Relay Archive allows all employees to access their messages anytime, anywhere - even when your firm’s mail server is down. Additionally, Global Relay offers an email continuity solution through an ‘always on’ secondary mail system in the event your primary mail server(s) suffer an outage.

IIROC Rule 29.7 Solution

ADVERTISEMENTS, SALES LITERATURE & CORRESPONDENCE

Global Relay Archive, Global Relay Search and Compliance Reviewer are engineered to meet the regulatory compliance requirements for supervision and record retention of electronic correspondence under IIROC Rule 29.7 and the corresponding Guidelines for the Review, Supervision and Retention of Advertisements, Sales Literature and Correspondence under Notice 11-0349 (the “Guidelines”).

IIROC Rule 29.7 requires Members to implement policies and procedures for the supervision and post-review of advertisements, sales literature and correspondence as an alternative to the requirement to obtain prior approval of such materials. Electronic communications, including communications over social media, are subject to the requirements of IIROC Rule 29.7. Global Relay Archive meets the requirements as follows:

Rule 29.7 Compliance Requirement Global Relay’s Compliance Solutions

(1)

Untrue, Misleading, Detrimental or Non-Compliant E-Records

No Member shall issue to the public, participate in or knowingly allow its name to be used in respect of any advertisement, sales literature or correspondence, and no registered or approved persons shall issue or send any advertisement, sales literature or correspondence in connection with its or his or her business which:

(a) contains any untrue statement or omission of a material fact or is otherwise false or misleading;

(b) contains an unjustified promise of specific results;

(c) uses unrepresentative statistics to suggest unwarranted or exaggerated conclusions, or fails to identify the material assumptions made in arriving at these conclusions;

(d) contains any opinion or forecast of future events which is not clearly labeled as such;

(e) fails to fairly present the potential risks to the client;

(f) is detrimental to the interests of the public, the Association or its Members; or

(g) does not comply with any applicable legislation or the guidelines, policies or directives of any regulatory authority having jurisdiction.

In response to the explosive growth of electronic messages as principal business communication tools, a major focus of implementing internal supervisory compliance controls is for Members to establish procedures designed to protect investors from misrepresentation and fraud via electronic communications. Once the Member’s written policies have been established, the Compliance Reviewer’s rule-based system can be employed to monitor all of a firm’s electronic communications in order to enforce adherence to such prohibitions by the firm’s employees.

As part of Global Relay Archive, Global Relay’s Compliance Reviewer incorporates monitoring technology developed to meet current best practices standards for message supervision. The technology is updated as required to ensure that compliance requirements are met for new and amended rules as they are introduced. Global Relay’s legal and IT departments are tightly integrated to ensure that actual deployment strategies for a firm of any nature, size, structure and customer base meet the mandated compliance requirements.

See Section 3(a) of Compliance Reviewer for a description of the lexicon flagging rules, manual real-time search, and random sampling functionalities available to flag archived messages for review. See also Sections 3(b)-(e) of Compliance Reviewer for descriptions of the Compliance Dashboard, supervisory workflow, and review functionality.

(2)

Supervisory Policies

Each Member shall develop written policies and procedures that are appropriate for its size, structure, business and clients for the review and supervision of advertisements, sales literature and correspondence relating to its business. All such policies and procedures shall be approved by the Association.

In general, IIROC examiners will periodically review each Member’s policies and procedures and systems to ensure that they are reasonable in view of each firm’s structure and the nature and size of its business and client base. Global Relay Archive and Compliance Reviewer have been developed to meet current “best practices” standards for electronic recordkeeping and supervision. Global Relay’s technology standards more than meet the IIROC requirements, as they were originally based on the more stringent compliance requirements mandated for U.S. Broker-Dealers under the Financial Industry Regulatory Authority (FINRA) and SEC Rule 17a-4.

Given that IIROC Rule 29.7 requires that electronic business correspondence to clients be monitored, at the least, all outgoing messages deemed to be official business records should be subject to the provisions of the Member firm’s electronic communications records management and supervisory review policies and procedures. Global Relay Archive has the capability of capturing all such incoming, internal and outgoing messages and attachments of a firm, and the Compliance Reviewer may be used either to flag for review all such incoming, internal and outgoing messages and attachments or to selectively flag only outgoing messages, including social media and mobile.

See Section 1 of Compliance Reviewer for a complete description of the Compliance Reviewer’s features related to: implementing compliance procedures, electronically supervising employees, documenting activity within Global Relay Archive (including evidence of the review process), setting review schedules, reporting on compliance decisions and activity, and training employees.

(3)

Supervision of Post-Review Process

The policies and procedures referred to in subsection (2) may provide that such review and supervision will be done by pre-use approval, post use review or post use sampling, as appropriate to the type of material. … [see By-law for pre-approval list of material]

Pre-Use Approval – To assist in detecting distribution process breaches, once a firm has determined what material must be pre-approved the Administrator has the ability to create customized flagging rules to notify the compliance department if such materials are distributed before completing the pre-approval process (e.g. keywords detecting particular research reports, market letters, telemarketing scripts, promotional seminar texts, original template advertisements, etc.). For more details on flagging methods, refer to Section 3(a) of Compliance Reviewer.

Post-Use Review or Post-Use Sampling – all outgoing (and incoming, if desired) messages of any User may be flagged for post-delivery review by any combination of methods described in Section 3(a) of Compliance Reviewer, including customized flagging lexicons, manual real-time search, and random sampling.

Specific examples of material to be reviewed include:

i. Electronic Correspondence - Reviewers and Super Reviewers are able to specifically review samples of all email, IM and social media messages, including attachments, from each individual Registered Rep (RR). Such sampling may specify each RR’s Username in order to ensure capturing some of their RR’s public correspondence. Messages of an RR that include recommendations to a customer may also be flagged for review by customer name, keywords or phrases.

ii. Customer Complaints – A value added ability of the Compliance Reviewer is that through keyword flagging, notification of customer complaints delivered to the Dealer Member electronically, whether by email, Tweet or other message type, may be flagged and brought to the attention of the firm.

(4) Training

Where such policies and procedures do not require the approval of advertisements, sales literature or correspondence prior to being issued, the Member must include provisions for the education and training of registered and approved persons as to the Member’s policies and procedures governing such materials as well as follow-ups to ensure that such procedures are implemented and adhered to.

Where a firm does not conduct a pre-approval review of electronic materials, IIROC Rule 29.7(4) requires the firm to:

Train Employees – once a firm has established appropriate written supervisory procedures, it is then required to educate and train appropriate employees on these procedures regarding the governance of all outgoing public electronic advertisements, sales literature and correspondence relating to its business. Although Global Relay Archive and Compliance Reviewer operate via an intuitive user interface, virtually eliminating any learning curve, Global Relay will assist in this process by providing support for employee education and training where required. An audit trail of all Reviewer actions, whether the employee is having a training session or is carrying out an actual review, is automatically logged and available as required for proof of training.

Monitor and Evaluate Procedures - Global Relay’s Compliance Reviewer has a reporting module with the ability to monitor, track and provide statistics on a firm’s monitoring and surveillance activities in order to ensure proper implementation and compliance, as well as for audits and periodic re-evaluation by the firm. Administrators (or others with designated access rights) may view the results of the Reviewer’s actions and the auditing of actions to ensure the executed reviews comply with the policy goals of the Member firm.

(5) Archiving

Copies of all advertisements, sales literature and correspondence and all records of supervision under the policies and procedures required by subsection (2) shall be retained so as to be readily available for inspection by the Association. All advertisements, sales literature and related documents must be retained for a period of 2 years from the date of creation and all correspondence and related documents must be retained for a period of 5 years from the date of creation.

Archiving - Global Relay Archive supports all major electronic message types used in finance – see Section 1 of Global Relay Archive for a complete list – allowing your firm to leverage social media (LinkedIn, Twitter and Facebook), blogs and other message types while remaining compliant with recordkeeping rules. See Section 2 of Global Relay Archive for an overview of the archiving process and the controls Global Relay implements to ensure the quality, accuracy and completeness of all archived messages. See also Section 3 of Global Relay Archive for an overview of Global Relay Archive’s security controls, including end-to-end encryption and unalterable audit trails. See Section 1(e) of Compliance Reviewer for details on how the review and supervision process is documented by Global Relay Archive’s Compliance Reviewer.

Readily Available – All messages in Global Relay Archive can be accessed online 24x7x365 via web browser, Outlook plug-in, and mobile apps for iPhone, iPad, BlackBerry and Android. All messages and indexes can be made readily available to regulators via export to standards-based formats (e.g. PST) or online. See Section 2(e) of Global Relay Archive for details on these options.

Retention Term – Retention terms within Global Relay Archive are determined by each firm’s policies and retention schedules and can accommodate the 2 and 5 year retention terms mandated by IIROC. See Section 2(d) of Global Relay Archive for complete details on retention terms. Note that NI 31-103 requires records that must be preserved under securities legislation to be retained for 7 years. See 11.6 (1)(a) of the Technical Solution for National Instrument 31-103 for details.


IIROC Notice 11-0349 Solution

GUIDELINES FOR THE REVIEW, SUPERVISION AND RETENTION OF ADVERTISEMENTS, SALES LITERATURE AND CORRESPONDENCE

In correspondence with IIROC Rule 29.7, IIROC has issued Guidelines for the Review, Supervision and Retention of Advertisements, Sales Literature and Correspondence in IIROC Notice 11-0349. This notice provides further guidance and information regarding the development and implementation of the policies and procedures required under Rule 29.7. The Guidelines are a valuable resource when implementing an electronic message archiving and surveillance system, such as Global Relay’s Global Relay Archive and Compliance Reviewer.

Notice 11-0349 Compliance Requirement Global Relay’s Compliance Solutions

Guideline Part II

Recordkeeping Responsibilities: Pursuant to National Instrument 31-103, Registration Requirements, Exemptions and Ongoing Registrant Obligations (“NI 31-103”), firms must retain records of their business activities, financial affairs, client transactions and communication. Whether a communication is related to the business of the Dealer Member, and therefore captured by this requirement, depends on the content of the communication. The type of device used to transmit the communication or whether it is a firm-issued or personal device is irrelevant. Dealer Members must therefore design systems and programs with compliant record retention and retrieval functionalities for those methods of communication permitted at the firm.

Global Relay recognizes that social media, IM and email have had an unprecedented effect on the business world. Global Relay Archive is designed to allow financial firms to leverage all major types of electronic messages in order to become true social enterprises. Global Relay Archive supports the preservation and retrieval of all major message types used in finance – see Section 1 of Global Relay Archive for a complete list of archived message types.

Global Relay captures email via envelope journaling, social media via API, and other message types via proprietary converter and SMTP/IMAP. This direct, automatic capture ensures that all business messages of a firm are captured regardless of the type of device used to transmit them or the location of the individual sending the message and allows a firm’s employees to use personal devices for business communications when permitted by the firm’s policies. The Global Relay approach avoids a critical compliance gap that can occur when social media archiving solutions (such as middleware) work only when users access social networks from behind a proxy server on company premises. See Section 2 of Global Relay Archive for a complete description of the archiving process and quality controls.

Access Controls: When designing and implementing compliant retention and retrieval practices, [Members should consider]…the need to prohibit access to social media websites that do not allow for compliant retention practices.

Global Relay Archive enables your firm to leverage social media, blogs and other electronic distribution channels as a business development tool. Global Relay recognizes that social media services like LinkedIn, Twitter, and Facebook have become indispensable for marketing, networking and more, and has developed Global Relay Archive to give your firm the tools it needs to easily leverage social media while remaining in control of your business, respecting employees’ personal privacy rights, and remaining compliant with IIROC regulations.

Global Relay captures social media at its source for a more compliant, more complete archive, making a direct connection to social networks to ensure complete, timely and accurate capture of your firm’s social media activity. This takes place automatically, regardless of employees’ location or device. Users’ experience on social media sites is unaffected by the archiving process, which runs automatically in the background. See Section 2 of Global Relay Archive for a complete description of the archiving process and quality controls.

Personal Devices: When designing and implementing compliant retention and retrieval practices, [Members should consider]…the use of personal communication devices for business communication as well as the ability to retain, supervise and retrieve all business related communication made on these devices.

As stated above, Global Relay Archive captures messages at their source, regardless of the device used to transmit them, allowing a firm’s employees to use personal devices for business communications when permitted by the firm’s policies. See Section 2 of Global Relay Archive for a complete description of the archiving process and quality controls.


Guideline Part III

Suitability & Recommendations: Dealer Members must be mindful of the additional regulatory obligations that may be triggered as a result of the content of a communication delivered to clients. For instance, a “recommendation”, whether delivered via a social media website or by way of written correspondence, must take into consideration the suitability requirements set out in IIROC Dealer Member Rule 1300.1…At the very least, Dealer Members should implement measures to monitor and/or prohibit electronic communications that constitute a recommendation which must comply with IIROC’s suitability rules.

Once the Member firm’s written policies on the use of recommendations in communications with clients have been established, the Compliance Reviewer’s rule-based system can be employed to monitor email activity to enforce adherence to such rules by the firm’s employees and to ensure that recommendations comply with suitability guidelines. The Compliance Reviewer enables the review, monitoring and retrieval of a firm’s messages stored in Global Relay Archive and therefore has the ability to monitor and flag for review messages that may violate firm or regulatory policies.

Reviewers and Super Reviewers are able to specifically review samples of all email, IM and social media messages from each individual user. Such sampling may specify each user’s username in order to ensure capturing some of their public correspondence. Messages that include recommendations to a client may also be flagged for review by customer name, keywords or phrases.

Guideline Part IV

Supervisory Responsibilities: Pursuant to IIROC Dealer Member Rule 29.7(2), Members must establish policies and procedures that allow them to comply with their supervisory obligations and protect clients from misleading or false statements. Subject to IIROC Dealer Member Rule 29.7(3), it is at the discretion of Members to determine whether to employ:

pre-use approval, post-use review, or post-use sampling

as the most effective means of monitoring communications.

See Section 1 of Compliance Reviewer for a complete description of the Compliance Reviewer’s features related to: implementing compliance procedures, electronically supervising employees, documenting activity within Global Relay Archive (including evidence of the review process), setting review schedules, reporting on compliance decisions and activity, and training employees. See Section 3 of Compliance Reviewer on the features available to prevent and detect compliance violations, including lexicon-based flagging rules, manual real-time search and/or random sampling, and a customizable supervisory structure and hierarchy.

Supervision Systems: It is the Dealer Member’s responsibility to evaluate the adequacy of their systems to review all forms of communication: incoming, outgoing, printed or electronic. This can be done by providing secure remote access to the Dealer Member’s systems to employees and agents, by prohibiting the sending of business-related communication through sites and devices that are not supervised, or by requiring that copies of all business-related communication be sent to the Dealer Member on a pre/post approval basis. There is also software available that will enable Dealer Members to review outgoing and incoming emails for keywords which highlight communications that require review.

Global Relay Archive and Compliance Reviewer provide your firm with the ability to review all incoming, outgoing and internal electronic communications. See 2(c) of Global Relay Archive for details on the processes used to capture a complete, accurate record of all of a firm’s messages. Note that all messages that may be deemed “correspondence” under IIROC Rule 29.7, defined as “electronic business related communication prepared for delivery to a single current or prospective client” (broadly interpreted to encompass not only registered representatives, but all associated persons to the business), will be captured and made potentially subject to a supervisory review facilitated by the Compliance Reviewer.

See Section 3 of Compliance Reviewer for details on the features available to facilitate post-review of all messages.

Supervisory Hierarchy: The designated Supervisor should… ensure that any individuals assigned specific responsibilities under the policies and procedures are aware of their duties and are properly fulfilling them.

Within a small firm, one Reviewer can monitor all User messages. The Reviewer in this case is often the business owner, the partner or director specifically charged with overseeing compliance. For growing, complex, or large firms, the Administrator may establish multiple User Groups (Group 1, 2, 3 etc.) to organize Users into appropriate departments, divisions, business units, management teams or offices. A multi-tiered supervisory review system may be adopted consisting of multiple Reviewers and Super Reviewers. In this case, the Super Reviewer has all access and review capabilities of the Reviewer, as well as firm-wide access to all User email (unless specifically restricted) to carry out the second level review.


Policies & Procedures: A Dealer Member’s policies and procedures should describe:

the type of review required, including who is responsible for conducting reviews and taking remedial action if necessary;
sampling frequency or techniques; and
record retention requirement for each type of material used by the Dealer Member.

Policies and procedures should also provide for cross-supervision; individuals should not be responsible for the supervision or approval of advertising or sales literature which they themselves have prepared, and where specific types of advertising, sales literature or correspondence are prohibited by the Dealer Member, the policies and procedures should explicitly state the prohibition.

See Section 1 of Compliance Reviewer for a complete description of the Compliance Reviewer’s features related to: implementing compliance procedures, electronically supervising employees, documenting activity within the Global Relay Archive (including evidence of the review process), setting review schedules, reporting on compliance decisions and activity, and training employees.

Social Media: With regard to social media websites used for business purposes, such as blogs, LinkedIn, Twitter, YouTube, chat rooms and Facebook… Static content, such as a profile, background or wall information, usually considered an ‘original template advertisement’, must be pre-approved pursuant to IIROC Dealer Member Rule 29.7(3) and is generally accessible to anyone. An interactive electronic forum, such as Facebook or Twitter, on the other hand, includes real-time discussions and although it does not require prior approval, must be supervised to ensure compliance with IIROC Dealer Member Rules and securities legislation. In the event that interactive content becomes static, for example by posting the real-time interactive content in a static forum such as a blog, this static content must be pre-approved if it is captured under IIROC Dealer Member Rule 29.7(3).

Global Relay Archive captures content generated on social media sites, both static and interactive. Global Relay Archive complies with recordkeeping and supervision requirements for social media as follows:

i. Archiving - secure and compliant capture of your firm’s public social media activity (e.g. LinkedIn, Twitter and Facebook) through APIs. Enterprise social media (e.g. Chatter and Yammer) are captured via SMTP. Features of note include:

Anywhere, any device – Data capture takes place regardless of users’ device, location or network — including smartphones and home computers.

Transparency – Users’ experience on social media sites is unaffected by the archiving process, which runs automatically in the background.

ii. Supervision - compliance review and monitoring of social media:

Rich interface display – When viewing social media communications inside Global Relay Archive, they appear in their original format – preserving all photos, formatting and links (as opposed to plain text without context).

Redline view – Compliance Officers love this: When changes are made to a social media page, such as changes in Profile information, Global Relay Archive shows a unique “redline” view that pinpoints exactly what text was altered, added or removed on social media pages (as opposed to static screenshots without tracked changes).

Compliance tools – As with email and all other message types, compliance officers and managers reviewing social media with Global Relay Archive have access to the most sophisticated array of built-in supervision & monitoring tools, including customizable keyword flagging and exclusions, legal holds and random message sampling.

Global Relay Archive for Web – provides an easy to use solution to archive websites and blogs. It creates digital snapshots of your firm’s website — proving exactly what the site showed to the public at a given point in time. Each web page is time/date stamped along with a 256-bit digital signature, providing an irrefutable source of evidence in the event of legal action or other situations that require your firm to demonstrate what appeared on its website at a given point in time. Global Relay Archive for Web will capture the content just as it appeared to the public on a specified date — including Flash and JavaScript content. An online dashboard enables your firm to view archived website content dynamically, just as it originally appeared online rather than through screenshots.


Assigning Supervisory Responsibilities: Where a Dealer Member is organized in two or more separate business units or divisions, the Dealer Member may assign a Supervisor for each business unit or division responsible for ensuring the business unit’s or division’s compliance with IIROC Dealer Member Rule 29.7.

The Compliance Reviewer technology is highly scalable. A firm may establish a multi-tier surveillance and monitoring structure for one or more domains, which may include one or more administrators, Reviewers and Super Reviewers, each with defined access privileges depending on review level. The Administrator has the ability to set up the firm’s Users and assign them to User Groups. A User Group may be set up for each separate business unit or division. The Administrator can then appoint Reviewers to monitor specific User Groups, and one or more partners, directors or officers may be appointed as Super Reviewers to assist Reviewers and be charged with overall responsibility for ensuring compliance with IIROC Rule 29.7.

The names of persons who prepared, reviewed and approved correspondence are readily ascertainable from the retained records, as well as an Audit Trail of all other actions and reports. A Reviewer has access to the messages of his or her assigned User Group(s) in order to carry out the first level review. Reviewer actions also include the ability to annotate and escalate a reviewed message to a superior or Super Reviewer. Because each Reviewer is assigned specific Users to monitor, confidentiality is ensured within the firm by preventing inappropriate viewing of messages.


Global Relay Archive and Compliance Reviewer are engineered to meet the regulatory compliance requirements for record retention and supervision of electronic correspondence under National Instrument 31-103 (NI 31-103), which requires firms to retain records of their business activities, including correspondence with clients, as well as records documenting supervision and review activities conducted as part of a firm’s compliance program. Global Relay meets the requirements of NI 31-103 as follows:

NI 31-103 Compliance Requirement Global Relay’s Compliance Solutions

11.1(a) Compliance System

A registered firm must establish, maintain and apply policies and procedures that establish a system of controls and supervision sufficient to provide reasonable assurance that the firm and each individual acting on its behalf complies with securities legislation.

Global Relay Archive and Compliance Reviewer have been developed to meet current “best practices” standards for electronic recordkeeping and supervision. Global Relay’s technology standards more than meet NI 31-103 requirements, as they were originally based on the more stringent compliance requirements mandated for U.S. Broker-Dealers under the Financial Industry Regulatory Authority (FINRA) and SEC Rule 17a-4.

11.5(1) Required Records

A registered firm must maintain records to… accurately record its business activities, financial affairs, and client transactions, and demonstrate the extent of the firm’s compliance with applicable requirements of securities legislation.

Global Relay Archive supports all major electronic message types used in finance – see Section 1 of Global Relay Archive for a complete list – allowing your firm to leverage email, IM, social media (LinkedIn, Twitter and Facebook), blogs and other message types while remaining compliant with recordkeeping rules. See Section 2 of Global Relay Archive for an overview of the archiving process and the controls Global Relay implements to ensure the quality, accuracy and completeness of all archived messages. See Section 1(e) of Compliance Reviewer for details on how the review and supervision process is documented by Global Relay Archive’s Compliance Reviewer.

11.5(2)(n) and (o) Required Records

[Required records] include, but are not limited to, records that…: document correspondence with clients [and] document compliance and supervision actions taken by the firm.

See Section 1(e) of Compliance Reviewer for details on how the review and supervision process is documented by Global Relay Archive’s Compliance Reviewer.

11.6 (1)(a) Retention

A registered firm must keep a record that it is required to keep under securities legislation for 7 years from the date the record is created.

Retention terms within Global Relay Archive are determined by each firm’s policies and retention schedules and can accommodate the 7 year retention term mandated by NI 31-103. See Section 2(d) of Global Relay Archive for complete details on retention terms.

11.6 (1)(b) Form of Records

A registered firm must keep a record that it is required to keep under securities legislation in a safe location and in a durable form.

All messages within Global Relay Archive are mirrored between Global Relay’s two SSAE16/SOC I Type II certified Canadian data centres. All messages are captured and preserved with write-verification on tamperproof storage. See Sections 2(a)-(c) of Global Relay Archive for complete details on the archiving process. See Section 3 of Global Relay Archive for information on the Archive’s security controls, including end-to-end encryption and unalterable audit trails that document all activity within Global Relay Archive.

11.6 (1)(c) Accessibility

A registered firm must keep a record that it is required to keep under securities legislation in a manner that permits it to be provided to the regulator or the securities regulatory authority in a reasonable period of time.

Global Relay Archive maintains a real-time database which contains accurate information pertaining to the messages stored in the system. See 2(e) of Global Relay Archive for details on the methods available to promptly provide data to regulators, including message export to CD/DVD, hard drive or secure FTP, as well as 24x7x365 online access via a special User Role for audit purposes called the “Ghost Reviewer.”

11.6 (2) Production of Records

A record required to be provided to the regulator or the securities regulatory authority must be provided in a format that is capable of being read by the regulator or the securities regulatory authority.

As stated above, your firm can export messages to standards-based formats (including PST, EML, etc.) as well as provide online access to regulators as necessary.

NI 31-103 Solution

COMPLIANCE RECORDKEEPING


MFDA Rules 2 & 5 Solution BUSINESS CONDUCT & BOOKS, RECORDS AND REPORTING

The MFDA has issued regulations similar to those of IIROC requiring its members to keep records “necessary for the proper recording of its business transactions and financial affairs and the transactions that it executes on behalf of others.” Members are also required to meet certain minimum standards of supervision in relation to the handling of their business and the conduct of their employees. Global Relay meets these requirements as follows:

Rule 2 Compliance Requirement Global Relay’s Compliance Solutions

2.5.1 Supervisory Responsibilities

Each Member is responsible for establishing, implementing and maintaining policies and procedures to ensure the handling of its business is in accordance with the By-laws, Rules and Policies and with applicable securities legislation.

Global Relay Archive and Compliance Reviewer have been developed to meet current “best practices” standards for electronic recordkeeping and supervision. Global Relay’s technology standards more than meet the MFDA requirements, as they were originally based on the more stringent compliance requirements mandated for U.S. Broker-Dealers under the Financial Industry Regulatory Authority (FINRA) and SEC Rule 17a-4.

2.5.3 CCO

Each Member must designate an individual registered under applicable securities legislation as a chief compliance officer…The CCO must establish and maintain policies and procedures for assessing and monitoring compliance by the Member and its Approved Persons with the By-laws, Rules and Policies and with applicable securities legislation.

MFDA Rule 2.8 requires that all client communications from Members comply with strict conduct standards. Among these standards, Rule 2.8 states that no client communication may: contain untrue or misleading information, make “unwarranted or exaggerated claims,” or be detrimental to the interests of the client, the public, or the MFDA and its members. As stated in Rule 2.5.1, Global Relay Archive was designed to meet best practice standards to allow your firm to monitor electronic communications in order to ensure that they comply with conduct standards and other applicable regulations.

Global Relay Compliance Reviewer’s rule-based system can be employed to monitor email activity to enforce adherence to such rules by the firm’s employees and to ensure that recommendations comply with suitability guidelines. The Compliance Reviewer enables the review, monitoring and retrieval of a firm’s messages stored in Global Relay Archive and therefore has the ability to monitor and flag for review messages that may violate firm or regulatory policies.

Reviewers and Super Reviewers are able to specifically review samples of all email, IM, social media and other electronic messages from each individual user. Such sampling may specify each user’s username in order to ensure capturing some of their public correspondence. Messages that include recommendations to a client may also be flagged for review by customer name, key words or phrases. See Section 1 of Compliance Reviewer for a complete description of the Compliance Reviewer’s features related to: implementing compliance procedures, electronically supervising employees, documenting activity within Global Relay Archive (including evidence of the review process), setting review schedules, reporting on compliance decisions and activity, and training employees.

2.5.7 Documentation of Supervisory Review

The Member must maintain records of all compliance and supervisory activities undertaken by it and its partners, directors, officers, compliance officers and branch managers pursuant to the By-laws and Rules.

During the lifecycle of every message, all actions (viewing, replying, forwarding, downloading, flagging, notation, review) by any User, Reviewer, Super Reviewer, Administrator or the system itself associated with the message are logged. The Archive’s detailed logs provide a full Audit Trail verifying the integrity of the message and providing proof of supervisory review. These logs are automatically appended to the messages and are viewable and made available to authorized Administrative Users. See 1(e) of Compliance Reviewer for a description of the Compliance Reviewer’s icon-based review system. See also 1(h) for a description of the on-demand reports available to provide evidence of supervisory review.

5.1 Recordkeeping Responsibilities

Every Member shall keep such books, records and other documents as are necessary for the proper recording of its business transactions and financial affairs and the transactions that it executes on behalf of others and shall keep such other books, records and documents as may be otherwise required by the Corporation.

Global Relay recognizes that social media, IM and email have had an unprecedented effect on the business world. Global Relay Archive is designed to allow financial firms to leverage all major types of electronic messages – see Section 1 of Global Relay Archive for a complete list – allowing your firm to leverage email, IM, social media (LinkedIn, Twitter and Facebook), blogs and other message types while remaining compliant with recordkeeping rules.

5.2 Storage Medium

All records and documents required to be maintained by a Member in writing or otherwise may be kept by means of mechanical, electrical, electronic or other devices provided:

(a) such method of record keeping is not prohibited under any applicable legislation;

(b) there are appropriate internal controls in place, to guard against the risk of falsification of the information recorded;

(c) such method provides a means to furnish promptly to the Corporation upon request legible, true and complete copies of those records of the Member which are required to be preserved; and

(d) the Member has suitable back-up and disaster recovery programs.

Archiving Process - Global Relay Archive is a message archiving system for long-term preservation, access and retrieval of electronic communications. It employs retention scheduling to manage the lifecycle of messages, ensuring compliance preservation periods are met. See Section 2 of Global Relay Archive for an overview of the archiving process and the controls Global Relay implements to ensure the quality, accuracy and completeness of all archived messages. See also Section 3 of Global Relay Archive for an overview of Global Relay Archive’s security controls, including end-to-end encryption and unalterable audit trails.

Internal Controls – Global Relay captures all messages automatically, preserving them on tamperproof storage with write-verification to ensure accuracy and completeness. Messages cannot be altered within Global Relay Archive. See Section 2(a)-(c) for a complete description of Global Relay’s controls to guard against the risk of falsification.

Furnish Promptly - Global Relay Archive maintains a real-time database which contains accurate information pertaining to the messages stored in the system. See 2(e) of Global Relay Archive for details on the methods available to promptly provide messages to regulators, including message export and online access.

Back-Up and Disaster Recovery – Global Relay mirrors all data between two SSAE16/SOC I Type II certified Canadian data centres. There are always at least 4 copies of every message preserved within Global Relay Archive. In the case of a catastrophic event, Global Relay systems are designed specifically to ensure the preservation and security of customer data. KPMG has conducted systems and controls testing on Global Relay’s core systems, networks and internal controls to demonstrate the redundancy and security of the systems.

5.5 Access To Books & Records

All books, records, documentation and other information required to be kept and maintained by a Member or Approved Person shall be available for review by the Corporation and the Corporation shall be entitled to make copies thereof and retain them for the purposes of carrying out its objects and responsibilities under the applicable securities legislation, the By-laws or the Rules.

All data preserved in Global Relay Archive can be made promptly available to approved persons such as Reviewers and/or regulators online or via CD/DVD, hard drive, and secure FTP. 24x7x365 online access can also be provided to regulators via the “Ghost Reviewer” User Role. See 2(e) of Global Relay Archive for complete descriptions of these options.

5.6 Record Retention

Each Member shall retain copies of the records and documentation referred to in this Rule 5 for seven years from the date the record is created or such other time as may be prescribed by the Corporation.

Retention terms within Global Relay Archive are determined by each firm’s policies and retention schedules and can accommodate the 7 year retention term mandated by the MFDA. See Section 2(d) of Global Relay Archive for complete details on retention terms.

Rule 5 Compliance Requirement Global Relay’s Compliance Solutions

Global Relay Archive

CONTROLS AND FEATURES

Global Relay Archive is an enterprise-class cloud-hosted electronic message archiving solution that addresses the demands of regulatory compliance, eDiscovery, and internal and external audits as well as business continuity, data management, storage and security. Global Relay Archive is developed, owned and operated in-house by Global Relay. It securely captures and archives all major types of electronic messages and stores them in a unified archive with federated search capabilities.

1. Message Types

Global Relay Archive securely captures and archives all of a firm’s incoming, internal and outgoing electronic communications, including all major message types used in business:

Email; Public Instant Messaging (AIM, MSN, Yahoo!, GoogleTalk); Social Media (LinkedIn, Twitter, Facebook); BlackBerry and Android Messaging (Text/SMS, PIN, Call logs); Bloomberg Messaging (Instant Bloomberg, Bloomberg Mail); Thomson Reuters Messaging (Eikon, Thomson Reuters Messenger); CME (Pivot); ICE (YellowJacket); Jabber/XMPP; Cisco WebEx; Microsoft OCS/LYNC; LivePerson; OpenFire; Web; Chatter (Salesforce); Yammer; Global Relay Message

Global Relay Archive may support message types not listed here. Please contact Global Relay to determine whether a specific message type is supported.

a. Global Relay Archive for Email – captures email and attachments from virtually all email platforms, including Exchange, Lotus Notes/Domino, Office 365, Google Apps, and more. Email is envelope journaled and delivered to Global Relay Archive via IMAP or SMTP, and includes metadata such as BCC and Distribution Lists.

b. Global Relay Archive for Instant Messaging (IM) – supports all major public instant messaging platforms, including AIM, MSN, GoogleTalk, and Yahoo!, as well as enterprise platforms such as ICE (YellowJacket), CME (Pivot) and more, as well as Global Relay Messenger, a secure, closed network instant messaging system.

c. Global Relay Archive for Social Media – supports LinkedIn, Twitter and Facebook and is designed for compliance, automatically capturing and archiving social media communications in long-term tamperproof storage. Features of note include:

i. Rich interface display – When viewing social media communications inside Global Relay Archive, messages appear in their original format – preserving all photos, formatting and links (as opposed to plain text without context).

ii. Redline view – Compliance Officers love this: When changes are made to a social media page, such as changes in Profile information, Global Relay Archive shows a unique “redline” view that pinpoints exactly what text was altered, added or removed on social media pages (as opposed to static screenshots without tracked changes).

Note that Global Relay also offers plug-ins for archiving of enterprise social media platforms such as Yammer and Chatter (Salesforce).

d. Global Relay Archive for Mobile – is essential to manage, protect, and retain all types of mobile messaging. Global Relay Archive for BlackBerry and Global Relay Archive for Android capture email, text messages (SMS), PIN messages, and call logs. Messages are automatically captured, indexed, and archived in the cloud. Global Relay Archive’s technology supports the capture of iPhone and iPad messaging. Global Relay will offer this service when Apple permits vendors to do so.

e. Global Relay Archive for Bloomberg – enables Bloomberg® Messages to be automatically downloaded from the Bloomberg® FTP site and consolidated in Global Relay Archive.

f. Global Relay Archive for Thomson Reuters – enables the compliant use of Eikon and Thomson Reuters Messenger by logging user-generated content such as instant messages, chat room conversations and more. Global Relay is the exclusive integrated archive partner for Thomson Reuters worldwide.

g. Global Relay Archive for Web – preserves websites, social media and forums while accurately replicating complex interactive elements like Flash, Javascript/AJAX, video and audio, ensuring that Members can capture these important elements of their business.

2. Archiving Process and Controls

a. Preservation & Access – Global Relay Archive is a message archiving system for long-term preservation, access and retrieval of electronic communications. It employs retention scheduling to manage the lifecycle of messages, ensuring compliance preservation periods are met. Following best practice standards, Global Relay Archive is able to provide “readily available” real-time access to messages through Global Relay’s two mirrored East/West coast SSAE 16/Type II certified Canadian data centres for the entire time of the Member’s required retention term. Messages are preserved on tamperproof storage with write-verification.

b. Write-verification – All messages stored within Global Relay Archive are forwarded directly from a firm’s email server, messaging platform or social media site with no User intervention. All such records are stored in their original format. Global Relay Archive automatically verifies the quality and accuracy of the storage media recording process as electronic communications and attachments are delivered to Global Relay’s two mirrored East/West Coast SSAE16/SOC I Type II certified Canadian data centres.

The accuracy and completeness of the write-verification recording process is ensured through data comparison. As messages are processed, Global Relay Archive automatically compares the post-processed message with the original message before the original message is deleted. Global Relay Archive also provides automated seven day external storage as an added level of redundancy in the write-verification process.

c. Message Capture – Global Relay Archive uses envelope journaling to capture and archive all incoming, internal, outgoing email, including attachments, on a domain-wide basis. Your firm may also set up selective journaling rules if necessary. Global Relay uses proprietary convertors, APIs, and SMTP/IMAP to capture other message types, including IM, social media, and more.

d. Message Unification – Global Relay Archive securely and automatically captures a wide variety of message types, converts them into EML using Global Relay developed proprietary converters, and integrates them into a unified, searchable Archive. An overview of the technologies used to process specific message types is shown below:

e. Message Retention – Global Relay Archive employs retention scheduling to manage the lifecycle of electronic messages, audit trails and indices, ensuring compliance requirements are met. Following best practice standards, Global Relay Archive provides readily available real-time access to messages through Global Relay’s two mirrored East/West coast SSAE16/SOC I Type II certified Canadian data centres during the Member’s required retention term. Typically, any message can be accessed in 2 seconds. Retention terms in Global Relay Archive are defined by each firm’s Records Retention Schedule (ranging from 3, 5, 7, or 10+ years). The system supports disposition of messages and attachments by time and event-based destruction. Message destruction can be executed by message age, message date, message date range, folder, user, group, message size, to, from, subject, event, and priorities.

f. Message Availability – Global Relay Archive maintains a real-time database which contains accurate information pertaining to the messages stored in the system. All messages in Global Relay Archive are full text indexed and preserved with complete metadata (including Date, From, To, Cc, Bcc, Distribution List, Subject, X-Header, alias, attachment name and more). Global Relay Search technology leverages this extensive metadata to provide advanced search capabilities.

Global Relay Archive’s easy and efficient search and retrieval capabilities provide prompt and effective record access of electronic communications and attachments. Exact copies of all electronic communications, indexes and metadata are readily available to authorized Users (including reviewers, regulators and lawyers). Online access, viewing, forwarding as email, downloading as files and printing of indexes and messages is done through a secure web browser using advanced search tools. Features of note include:

i. Message Export – Your firm may request to have existing data exported by Global Relay in standards-based formats (e.g. PST, GWI, EML, NSF, PDF, HTML, etc.). All data held can be made available via FTP transfer, DVD and/or hard drive. Global Relay assists with approximately 20 ongoing data demands on a daily basis and 10 IIROC/MFDA/SEC/FINRA audits per week and has a 24-hour turnaround time for message export. Messages can be extracted by type, custodian and/or date. Note that all exports include complete Bcc and Distribution Data. Note also that data export is subject to the fee in your firm’s Fee Agreement.

ii. Online Access – Global Relay Archive has a special user role for audit purposes called the “Ghost Reviewer.” Upon the direction of your firm, Global Relay can set up an account for a third party auditor or regulator which only gives that party access to a customer defined subset of messages (e.g. a folder set up for the audit). The auditor or regulator can then review all of the messages online without his or her actions showing up in the audit trail. Use of the Ghost Reviewer is dependent on the discretion of the individual regulator or examiner.

iii. Personal Archive – Global Relay Search provides anytime, anywhere access to archived messages via web browser, Outlook plug-in, and mobile apps for iPhone, iPad, BlackBerry and Android. All users in a firm can have real-time access to a personal Archive of their own historical messages that includes every message type in the firm’s Archive. Powerful search functionality enables users to retrieve and restore any message in seconds.

3. Security Controls

a. Encryption – Global Relay Archive has end-to-end encryption to protect the privacy and confidentiality of customer data. TLS/SSL encryption is employed to ensure the privacy and security of data in transit. Data at rest is protected using a dual military level AES and RSA encryption system. Each incoming message is AES encrypted with a unique, randomly generated encryption key. Each message’s AES encryption key is then encrypted with a 2048 bit RSA public key. The RSA public key is then encrypted with a passphrase-encrypted private key. All three keys are kept in separate stores. The encryption (and decryption) process is transparent to Users.

b. Audit Trails – During the lifecycle of a message, all actions by any User, Reviewer, auditor, or the system itself associated with the message are logged, including all reviews of the same. Global Relay Archive’s detailed logs provide a full audit trail verifying the integrity of the message. These logs are available to any authorized administrative User.

c. Back-Up and Disaster Recovery – Global Relay mirrors all data between two SSAE16/SOC I Type II certified Canadian data centres. There are always at least 4 copies of every message preserved within Global Relay Archive. In the case of a catastrophic event, Global Relay systems are designed specifically to ensure the preservation and security of customer data. KPMG has conducted systems and controls testing on Global Relay’s core systems, networks and internal controls to demonstrate the redundancy and security of the systems.

Compliance Reviewer

CONTROLS AND FEATURES

All electronic messages deemed to be official business records should be subject to the provisions of an IIROC or MFDA Member’s electronic records management and supervisory review policies and procedures. As discussed in Global Relay’s Technical Solutions to IIROC Rule 29.7 and MFDA Rule 2, Global Relay Archive has the capability to capture all such incoming, internal and outgoing messages and attachments, and the Compliance Reviewer tools may be used to flag for review all such messages and attachments.

1. Overview of Compliance System Controls and Features

Once written supervisory compliance policies and procedures for electronic messaging have been established, Global Relay Archive and Compliance Reviewer make the enforcement of a Member’s compliance and supervisory policies simple by enabling a Member to:

a. Implement Procedures – cost effectively implement procedures to detect and prevent compliance violations through a rules-based system in accordance with the Member’s written supervisory policies. This may include multi-tier Reviewers and Super Reviewers, if applicable, and customized surveillance and monitoring privileges and capabilities to match each firm’s policies regarding review and use of electronic messaging.

b. Archive Messages – The Compliance Reviewer tools are incorporated into Global Relay Archive, where all messages, attachments and associated indexes are serialized, time-date stamped and preserved on tamperproof storage using write-verification. All messages are stored in their original format in Global Relay’s two mirrored East/West Coast SSAE16/SOC I Type II certified Canadian data centres. Messages are easily searchable and retrievable through a secure web browser, Outlook, and mobile apps for BlackBerry, iPad, iPhone and Android. The easy-to-use interface allows authorized Users to conduct searches using structured queries based on various search parameters.

c. Set Record Retention Schedules – Global Relay Archive employs retention scheduling to manage the lifecycle of messages, audit trails and indexes, ensuring compliance preservation requirements and supervisory policies are met. Following best practice standards, Global Relay Archive is able to provide “readily available” real-time access to messages for the entire length of the retention term. Note that retention terms can be extended for data that is part of one or more Legal Holds.

d. Electronically Supervise – enable Reviewers, Super Reviewers and Administrators to supervise employees by using various review configurations to review any User’s messages via any secure web browser. For details, refer to Section 2 - Compliance Monitoring System.

e. Review & Document – Reviewers and Super Reviewers, via an intuitive user interface, can instantaneously retrieve for review any flagged message. Using a simple color-coded icon indicator based system, a Reviewer is then able to evaluate and select the appropriate action icon to log the status of the message (e.g. “Flagged for Review”, “Reviewed”, “Non-compliant”, “Escalated”, “Closed”, etc.). A comment field will automatically appear for non-compliant or escalated messages to add a predefined or issue specific comment. Also, the date of the Reviewer’s action and their User name are recorded. If monitoring large numbers of users, a first level Reviewer may escalate any non-compliant message to a Super Reviewer for further evaluation.

f. Schedule Review Time Frames – For review purposes, a rules-based schedule for automatic message flagging and review may be implemented and customized to enforce policy time deadlines for review. If a Reviewer fails to review within the set time frame, an icon indicator will automatically mark the flagged message accordingly. Reviewers also have the ability to flag and review on demand.

Global Relay Archive’s supervision and review functionality is incorporated into an icon-based review system and Compliance Dashboard to provide a summary of the status of all messages. This includes:

i. list of messages to be reviewed,

ii. status of messages to be reviewed,

iii. labels to indicate which business policy(ies) caused message to be flagged for review, icon-based codes to assign (e.g., Flagged for Review, Viewed, Action Required, Reviewed, Non-Compliant, Closed, Escalated, etc.), and

iv. a calculation of messages with Action Required/overdue.

g. Document Activity – During the lifecycle of a message, all actions (viewing, replying, forwarding, downloading, flagging, notation, review) by any User, Reviewer, Super Reviewer, Administrator or the system itself, associated with the message are logged in an unalterable audit trail that is available online with the associated message. Global Relay Archive’s detailed logs provide a full audit trail verifying the integrity of the message. They may be forwarded, downloaded or printed, for internal or IIROC/MFDA inspection purposes. Compliance-related messages may also be organized into Reviewer or Administrator defined folders. The Compliance Reviewer also includes advanced on-demand and scheduled reporting features - allowing compliance officers to gain clear insight into message compliance within the firm and provide reports to the regulators, where required.

h. Reports - Report Manager, part of Global Relay Archive, enables in-depth reporting on compliance monitoring activity and can also be automated with daily, weekly, or monthly email delivery. The Supervisor Review Report provides a table view of reviewer activity that includes number of messages viewed, flagged and reviewed/not reviewed by selected reviewers. This report is a valuable tool during proof of review audits. The report can be generated on-demand to be printed and/or emailed. It can also be scheduled to automatically run and be emailed to specific recipients.

Authorized users can run reports to determine user access rights as well as to determine which users have not been assigned to groups. Authorized users can run a compliance activity report with detailed information on flagged messages as well as a keyword flagging report to see how many messages have been flagged based on each word/phrase in the customized flagging lexicon.

There are also activity reports available on a per-reviewer basis. They include: number of incoming, internal and outgoing messages (of each message type) of the users and/or user groups assigned to a particular reviewer; number of incoming, internal and outgoing messages (of each message type) to be reviewed by a particular reviewer; and number of messages that have been reviewed and are overdue for a selected date range. These reports also include quota percentages met/not met and the number of messages pending action, escalated, marked with a priority or as non-compliant, etc. In addition, ad hoc reports can be run off of specific searches.

i. Train Employees – Members’ compliance programs include training of registered and approved persons as to the Member’s policies and procedures governing the compliance procedures and reviews, as well as follow-ups to ensure that such procedures are implemented and adhered to. Global Relay will assist in this process by providing support for employee education and training with respect to Global Relay Archive and Compliance Reviewer. The intuitive user interface is simple, virtually eliminating any learning curve. An audit trail of all Reviewer actions, whether the employee is having a training session or is carrying out an actual review, is automatically logged and available, if required for proof of training.

2. Compliance Monitoring System

A Member may establish a highly scalable, multi-tier surveillance and monitoring structure for one or more domains, which may include one or more administrators, Reviewers and Super Reviewers, each with defined access privileges depending on review level. The Administrator has the ability to set up the Member’s Users and assign them to User Groups or Folders. A User Group may be set up for each separate business unit or division. The Administrator appoints Reviewers to monitor specific User Groups, and one or more partners, directors or officers may be appointed as Super Reviewers to assist Reviewers and be charged with overall responsibility for ensuring compliance with the By-law. The names of persons who wrote, reviewed and approved correspondence are readily ascertainable from message metadata and audit trails. A Reviewer has access to the electronic messages of his/her assigned User Group(s) in order to carry out the first level review. By assigning a Reviewer Users to monitor, a Member can ensure that only those employees with a business need to access specific messages have the ability to do so. Reviewer actions include the ability to annotate and escalate a reviewed message to a superior or Super Reviewer.

3. Preventing and Detecting Compliance Violations

Once the Member’s written supervisory compliance policies and procedures have been established, the Compliance Reviewer’s rule-based system can be employed to monitor message activity to enforce adherence to such policies and procedures. The Compliance Reviewer enables the review, monitoring and retrieval of a Member’s electronic messages stored in Global Relay Archive, and therefore has the ability to monitor, detect and flag for review messages that may contain prohibitions set forth in the Member’s policies.

a. Flagging for Review – Messages of any User may be flagged for review by any combination of the following methods:

i. Customizable Flagging Rules – Global Relay Archive includes robust lexicon filters that flag and queue messages for review. Global Relay provides pre-populated lexicons of keywords and phrases that are likely to be suspicious as well as detailed compilations of alternatives for each industry. Authorized Users can easily create or modify flagging lexicons based on keywords, keyword proximity, exclusions, domain addresses and phrase proximity analysis. Global Relay Archive can also calculate the number of hits by each keyword/phrase to ensure effective lexicon use. Keywords/phrases that are generating too many hits can then be reviewed and adjusted as needed.

ii. Manual Real-Time Search – Immediate access and retrieval of exact copies of all messages, indexes and metadata preserved in Global Relay Archive is conducted via an easy-to-use interface. Proprietary search technology allows authorized Users to conduct searches using structured queries based on any combination of various search parameters (all, date, date range, To, From, Cc, Bcc, Distribution List, Subject, keywords contained within a message or attachment, X-Header, alias, attachment file name, events, etc.).

Global Relay Archive supports Boolean (AND, OR, NOT), wildcard, word stemming, relational/proximity searching, conceptual searches through combination keywords, events and exclusion filtering, tags, labels, priorities, and compound queries. Searching can be done across the entire Archive or across specific folders, groups and/or users as well as across all message types or a specified subset of types.

iii. Random Sampling – Random sampling rules can be set by User, User group, or the Member as a whole. Different random sampling percentages can also be set for incoming, outgoing and internal messages.

b. Supervisory Review & Evaluation – A Member may establish a multi-tier surveillance and monitoring structure for one or more domains, which may include one or more Administrators, Reviewers and Super Reviewers, each with defined access privileges depending on review level. Reviewer actions include the ability to annotate and escalate a reviewed email to a superior or Super Reviewer. Each Reviewer will be assigned specific Users to monitor in order to ensure confidentiality within the member firm, by preventing inappropriate viewing of messages.

Global Relay Archive’s supervision and review functionality is incorporated into an icon-based review system and Compliance Dashboard to provide a summary of the status of all messages. Reviewers and Super Reviewers, via an intuitive user interface, can instantaneously retrieve for review any flagged message. See Section 1(e) - Document Review Process, above for a complete description of the Compliance Review’s simple color-coded icon indicator based system.

c. Explanatory Evaluation Comments – In addition to marking the message status, a predefined or issue specific comment may accompany all non-compliant and/or escalated messages. For IIROC and MFDA compliance purposes, a firm is able to create a predefined comment list that may include the prohibitions set out in IIROC Rule 29.7(1)(a)-(g) (e.g. “False or Misleading Information”; “Unjustified Promise of Results”; “Unwarranted Conclusions”; “Future Forecast”; “Inadequate Description of Risks”; “Abusive Content”; or “Detrimental to Public Interest”).

d. Examples – Specific examples of messages that may be flagged for review include:

i. Electronic correspondence – Reviewers and Super Reviewers are able to specifically review samples of all email, IM and social media messages from each individual Member. Such sampling may specify each Member’s username in order to ensure capturing some of their Member’s public correspondence. Messages of a Member that include recommendations to a customer may also be flagged for review by customer name, keywords or phrases.

ii. Customer Complaints – A value added ability of the Compliance Reviewer is that through keyword flagging, notification of customer complaints delivered to the Member by email may be flagged and brought to the attention of the Member.

e. Transparency – Note that a Member’s supervisory policies and procedures should maintain transparency and disclose to its employees and representatives that all electronic messages are being archived. Proper notice and updates should be given to employees to ensure that such employees are fully informed of electronic message retention, monitoring, supervisory review, usage and archive policies being undertaken and upheld within the Member.

globalrelay.com +1.866.484.6630 [email protected]

Copyright ©1999 - 2012 Global Relay Communications Inc. All Rights Reserved. Not to be reproduced without permission. Products or brand names are trademarks or registered trademarks of their respective owners.

new york chicago vancouver singapore london