Regulators cite CIRO's Québec intake gaps and CERTS oversight in annual compliance review
About 15 percent of CIRO’s data was still transiting through a US-based cloud service provider despite its policy requiring all data to be hosted in Canada, the Canadian Securities Administrators (CSA) found in its latest oversight report.
The report stated that while the data in question was non-sensitive and fully encrypted, its routing through servers outside Canada remained inconsistent with CIRO’s internal procurement policy.
CIRO said it would switch the service region to Canada by July 2025 and confirmed that no data was currently being stored on the US servers.
The CSA also flagged an inadequate independent assessment of internal controls for CIRO’s Continuing Education Reporting and Tracking System (CERTS).
While two penetration test reports had been submitted during the first mutual fund dealer continuing education cycle, the CSA concluded they did not fully meet recognition order requirements for a comprehensive review.
CIRO stated that CERTS had undergone a successful disaster recovery test in 2024 and that an independent audit of internal controls would be completed in fiscal year 2026 following discussions with the CSA.
A third compliance gap was identified in CIRO’s Québec Regional Office, which lacked defined responsibilities and staff dedicated to processing membership applications from Québec-based firms.
While senior Québec leadership had decision-making authority, the CSA noted that the intake review process remained centralized with no direct involvement from Québec staff.
CIRO said it would amend intake procedures to include mandatory review and sign-off from Québec Relationship Managers or Directors before applications proceed to decision-maker review.
The CSA completed its risk-based review by focusing on three functions: information technology, membership intake, and trading conduct compliance.
While identifying these three medium-priority findings, it did not raise additional concerns about CIRO’s compliance with recognition orders in these areas.
CIRO has also addressed findings from the previous oversight cycle and updated relevant policies and documentation following this latest review.
