CIRO announces tiered crypto custody rules for dealers
Canada's self-regulatory organisation for investment dealers has set out detailed expectations for how dealer members that run crypto-asset trading platforms should hold and safeguard clients' digital assets, with a tiered approach that links custody limits to a custodian's controls and financial resources.
The Canadian Investment Regulatory Organisation (CIRO) said there is no permanent rule framework in its rulebook designed for the custody of digital assets. Existing requirements for securities and derivatives custody focus on segregation and capital, but they do not address the technology, operational and legal risks that come with crypto assets and tokenised assets.
Those risks include irreversible loss due to compromised cryptographic keys, cyberattacks, dependence on complex systems and third-party service providers, and jurisdictional uncertainty.
Last September, the RCMP seized $56 million in cryptocurrency from the online platform TradeOgre, which authorities say was used by criminal organisations to launder money. The mounted police said the seizure was the largest in Canadian history.
CIRO also highlighted concentration risk, noting that a small number of specialist providers dominate crypto custody. The regulator pointed to past failures in the sector involving hacking, fraud and insolvency as evidence that custody structures can be a key point of investor vulnerability.
CIRO's approach uses membership terms and conditions for dealer members that operate crypto-asset trading platforms. The organisation said these terms and conditions apply while longer-term policy work continues, and that parts of the framework may inform future permanent rules.
Two asset types
The framework, known as the Digital Asset Custody Framework, separates crypto assets from tokenised financial assets. CIRO defined crypto assets as digital assets that do not represent traditional financial assets and do not confer equivalent legal rights. Tokenised financial assets represent instruments such as equities, debt or deposits and confer rights equivalent to the underlying instruments.
Under the framework, tokenised assets must be held with entities that qualify as acceptable securities locations under CIRO's existing custody rules. Those custodians must also meet additional digital custody safeguards. CIRO said this prevents a lower standard of custody from arising simply because existing instruments are issued in tokenised form.
CIRO also said it will review and amend the terms and conditions once the Canadian Securities Administrators advance their work on tokenisation. It said the classifications used for custody supervision are not intended to set broader policy direction.
Custodian tiers
For crypto assets, dealer members must hold client assets either with approved digital asset custodians or under internal custody using satisfactory custody technology. CIRO approval for digital asset custody is separate from acceptable securities location recognition for traditional securities, and the organisation said approval for one does not establish suitability for the other.
The framework uses four tiers of acceptable crypto custodians. Tier 1 and Tier 2 custodians can hold up to 100 per cent of a dealer member's crypto assets. Tier 3 custodians can hold up to 75 per cent. Tier 4 custodians can hold up to 40 per cent. The fourth tier also serves as the benchmark for internal custody equivalency.
The framework also sets minimum capital levels that differ depending on whether a custodian is established in Canada or abroad. Tier 1 capital minimums are $100,000,000 for Canadian custodians and $150,000,000 for foreign custodians. Tier 2, Tier 3 and Tier 4 minimums are $10,000,000 for Canadian custodians and $100,000,000 for foreign custodians. CIRO said foreign custodians bring additional jurisdictional and insolvency uncertainty, and higher thresholds provide a risk buffer.
Technology assurance
Across tiers, CIRO expects independent assurance over technology controls. All acceptable crypto custodians must provide a SOC 2 or ISAE 3000 (Type 2) report covering security and availability. Tier 1 and Tier 2 custodians must also cover confidentiality and processing integrity. Tier 2 custodians must provide additional assurance tailored to crypto-asset risks, which can be delivered through extended reports or separate independent reviews.
CIRO also included requirements for independent penetration testing across all tiers except Tier 1. Tier 2 custodians must provide external assurance over cybersecurity controls.
Insurance features prominently in the framework. CIRO expects property and fidelity insurance that matches the size and type of assets managed. Tier 1 and Tier 2 custodians must have fidelity policies that apply across all storage locations. Tier 3 and Tier 4 custodians can use specie insurance for cold storage in some cases, reflecting constraints in insurance markets.