CIRO rolls out tiered custody framework for crypto platform dealers

Canada's investment watchdog has set new custody standards for crypto-trading platform operators. 

On February 3, 2026, CIRO published interim custody requirements for dealers operating crypto-asset trading platforms. No permanent rules govern how digital assets, a term that covers crypto assets and tokenized assets including stablecoins, must be held.

Existing rules were not designed for the technological, operational and legal risks unique to digital assets, which include irreversible loss arising from compromise or mismanagement of cryptographic keys, heightened exposure to cyber-attacks, operational dependencies on complex technology stacks and third-party service providers, legal uncertainty across jurisdictions particularly in insolvency scenarios, and concentration risk arising from reliance on a small number of crypto custodians. Failures involving hacking, fraud, inadequate governance and insolvency demonstrated that custody arrangements are a critical point of investor vulnerability. 

Digital assets must be held, subject to specified limits and conditions, with approved custodians or in-house using satisfactory custody technology. CIRO grouped custodians into four tiers scaling with demonstrated capacity to manage custody risks. 

Tier 1 meets the highest standards for capital and enhanced controls for regulatory oversight, technology assurance, fidelity insurance over custodied assets and operational resilience, and may hold up to 100 per cent, with minimum capital of $100 million Canadian and $150 million foreign. Tier 2 meets the highest standards for regulatory oversight, insurance and operational resilience, and may hold up to 100 per cent. Tier 3 need not satisfy certain enhanced crypto-specific technology assurance standards or demonstrate external cybersecurity and operational resilience safeguards, and may hold up to 75 per cent. Tier 4 meets baseline requirements suitable for limited custody exposure, may hold up to 40 per cent, and also serves as the benchmark for Internal Custody equivalency. Tiers 2, 3 and 4 share the same capital thresholds of $10 million Canadian and $100 million foreign.

Dealers may self-custody up to 20 per cent of the value of crypto assets held for clients and their own account, excluding proprietary positions provided for in Risk Adjusted Capital, if solutions meet Tier 4 standards. 

All custodians must provide a SOC 2 or ISAE 3000 Type 2 report on security and availability, with Tiers 1 and 2 additionally covering confidentiality and processing integrity. Tier 2 must provide crypto-specific assurance on lifecycle management of cryptographic keys, quorum and role-based authorization structures, governance over wallet address creation and usage, safeguards around transaction signing and execution, and monitoring, incident response and recovery for crypto-specific events. Tier 3 custodians using proprietary solutions must meet the same crypto-specific assurance criteria.

Independent penetration testing is required annually for all tiers except Tier 1, and Tier 2 must provide additional external assurance over cybersecurity controls. 

Custodians must carry property and fidelity insurance matching the size and type of assets managed, with Tiers 1 and 2 applying it across all storage locations and Tiers 3 and 4 permitted to use Specie insurance for cold storage. All must be established in a Basel Accord jurisdiction as a regulated bank or trust company, legally and functionally separate from any crypto exchange or marketplace business.

Custody agreements must establish fiduciary duties and liability for negligence, fraud or intentional wrongdoing, and cannot limit liability for technology failures the custodian could reasonably have prevented or managed. Audited financials and SOC 2 reports are due within 90 days of the end of the reporting period, and dealer approval is required before engaging sub-custodians, with regular asset disclosure.

Tiers 1 through 3 require a regulator that licenses custodial activities, conducts prudential oversight, and has enforcement authority. All except Tier 4 need a memorandum of understanding between CIRO or a provincial securities regulator and the custodian's primary regulator, or between a Canadian federal prudential regulator and the custodian's primary regulator where such regulator has a bilateral arrangement with either CIRO or a provincial securities regulator. 

Fully paid client assets must preserve ownership rights and be protected from creditor claims in insolvency or similar proceedings, with daily segregation calculations and deficiencies bought in within five days. Dealers monitor limits weekly; repeated or unresolved breaches may trigger supervisory or enforcement action, including restrictions on custody arrangements. 

Tokenized assets must be held at Acceptable Securities Locations under IDPC Rule 4342 and the General Notes and Definitions to Form 1, with SOC 2 or ISAE 3000 assurance on security, availability, confidentiality and processing integrity, an enforceable custody agreement, and Tier 1 equivalent insurance. Dealer Members qualifying as Acceptable Securities Locations may self-custody tokenized assets without custodial limits, provided they have obtained approval as an Approved Tokenized Asset Custody Location. 

Dealers must provide a Material Change Notification under IDPC Rule 2246 prior to initiating, or materially expanding, such activity. CIRO stated this is not a final or exhaustive set of requirements and will be reviewed once the CSA advances its work on Project Tokenization to maintain full regulatory alignment and avoid inconsistent or duplicative requirements. 
