ARTICLE
1 April 2026

Preparing For The OSC's 2026 Risk Assessment Questionnaire: What Registrants Need To Know

GR
Gardiner Roberts LLP

Contributor

Gardiner Roberts LLP logo
Gardiner Roberts LLP is a full-service law firm representing a bespoke client base, including major banks, municipalities, government entities, entrepreneurs, tech and growth companies, real estate developers, lenders, investors, innovative and community leading businesses and organizations.
Explore Firm Details
The Ontario Securities Commission ("OSC") has issued an advance notice regarding the 2026 Risk Assessment Questionnaire ("RAQ") for registrants in Ontario.
Canada Ontario Corporate/Commercial Law
Eliane Leal da Silva,Tara Dewan, and Michael DeCosimo
Your Author LinkedIn Connections
Eliane Leal da Silva’s articles from Gardiner Roberts LLP are most popular:
  • within Corporate/Commercial Law topic(s)
  • in Canada
  • with readers working within the Law Firm industries
Gardiner Roberts LLP are most popular:
  • within Consumer Protection, Intellectual Property and Law Department Performance topic(s)
  • with Senior Company Executives, HR and Finance and Tax Executives

The Ontario Securities Commission (“OSC”) has issued an advance notice regarding the 2026 Risk Assessment Questionnaire (“RAQ”) for registrants in Ontario. The advance notice provides firms with early visibility into the information that will be requested and is intended to assist registrants in preparing ahead of the formal distribution of the questionnaire on May 6, 2026.

In parallel, the OSC has distributed its Investment Fund Survey (the “Survey”) to investment fund managers, which must be completed by April 30, 2026. Recognizing the time and resources required to complete both the Survey and the RAQ, the OSC has issued this advance notice to support firms in planning and allocating compliance resources effectively.

The RAQ remains a key component of the OSC’s risk-based oversight framework. Information provided by registrants enables the OSC’s Registration, Inspections and Examinations Division to assess firms’ relative risk profiles and determine where regulatory resources should be focused, including identifying firms for potential compliance reviews.

For many registrants, the RAQ also serves as an important reminder of the OSC’s expectations regarding well-documented compliance programs, effective governance structures, and accurate operational reporting.

The Role of the Risk Assessment Questionnaire

The OSC uses the RAQ to collect detailed information about registrants’ business activities, operations and compliance frameworks. Responses support the OSC’s risk-ranking methodology and assist in identifying areas that may warrant further regulatory scrutiny.

Information collected through the RAQ may inform: (i) risk-based compliance examinations; (ii) targeted regulatory sweeps; (iii) thematic reviews across registrant categories; and (iv) ongoing monitoring of registrant business models.

Firms identified as presenting higher regulatory risk may be more likely to be selected for detailed compliance reviews.

Key Areas of Regulatory Interest

While the precise scope of the questionnaire may evolve, the RAQ typically focuses on several core aspects of registrant operations including:

1. Firm structure and business activities

Registrants are generally required to provide detailed information regarding ownership and organizational structure, types of registrable activities conducted, revenue sources and business lines, client types and concentrations, and assets under management or administration. This information assists the OSC to assess the scale and complexity of a firm’s operations.

2. Compliance systems and governance

The RAQ also requests information regarding the design and operation of a firm’s compliance program, including: (i) the role and reporting structure of the Chief Compliance Officer; (ii) internal supervision and oversight frameworks; (iii) policies and procedures governing registrant obligations; and (iv) internal escalation processes for compliance issues. These questions allow the OSC to assess whether registrants maintain compliance systems that are reasonably designed to ensure adherence to securities law requirements.

3. Operational risk and outsourcing

Regulators have increasingly focused on operational resilience and vendor oversight. Registrants may therefore be requested to provide information regarding: (i) reliance on third-party service providers; (ii) technology systems and trading platforms; (iii) cybersecurity policies and incident response procedures; and (iv) oversight of outsourced operational functions. These areas are particularly relevant given the growing reliance on technology and external service providers.

4. Client-related processes

The RAQ may also include questions relating to client servicing and product distribution practices, including: (i) client onboarding and account opening processes; (ii) know-your-client (KYC) practices; (iii) know-your-product (KYP) processes; and (iv) marketing and distribution activities. These areas remain central to the regulatory framework governing registrants.

Implications for Registrants

While the RAQ is not itself a compliance review, it plays an important role in informing the OSC’s supervisory activities. As a result, firms should approach the questionnaire with the same level of diligence applied to other regulatory reporting obligations.

In particular, registrants should ensure that:

  • responses accurately reflect actual operations and compliance practices;
  • information provided is consistent with other regulatory filings and disclosures; and
  • internal compliance documentation supports the responses provided.

Given the level of detail required, completing the RAQ typically requires coordination across compliance, operations, finance and senior management functions.

Practical Steps for Firms

Registrants may wish to begin preparing for the RAQ by taking several practical steps:

  • Reviewing compliance frameworks: to confirm that policies, procedures and supervisory structures remain current and effective;
  • Verifying operational data: to ensure information relating to clients, assets under management and business activities is accurate and in order;
  • Assessing outsourcing arrangements: to confirm that third-party providers are appropriately monitored and documented; and
  • Conducting an internal self-assessment: ideally, firms align RAQ preparation with their internal compliance review, which is often done far enough in advance of the RAQ so they are better prepared.

Key Takeaways

The OSC’s advance notice of the 2026 Risk Assessment Questionnaire reflects the regulator’s continued reliance on risk-based supervision of registrants.

For registrants, the RAQ is not only a regulatory reporting obligation but also as a valuable opportunity to review internal compliance systems and operational practices.

Registrants that prepare early by reviewing governance structures, compliance documentation and operational data will be better positioned to provide accurate responses and demonstrate that their compliance programs remain aligned with regulatory expectations. A PDF version is available for download  here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Eliane Leal da Silva
Eliane Leal da Silva
Photo of Tara Dewan
Tara Dewan
Photo of Michael DeCosimo
Michael DeCosimo
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More