CSA Oversight 2025 – CIRO And CIPF – Key Highlights

The Canadian Securities Administrators (“CSA”) have published CSA Staff Notice 25-315 – 2025 Annual Activities Report on the Oversight of the Canadian Investment Regulatory Organization and the Canadian Investor Protection Fund (the “Report”).¹ The Report summarizes the key activities through which the CSA conducts its oversight of the Canadian Investment Regulatory Organization (“CIRO”) and the Canadian Investor Protection Fund (“CIPF”) for the period of January 1 to December 31, 2025.

This bulletin focuses on:

1. the CIRO cybersecurity breach;
2. the expansion of CIRO’s enforcement authority and disgorgement framework;
3. the status of post-amalgamation integration initiatives; and
4. developments relating to CIPF’s fund resources and investment policies.

CIRO Cybersecurity Breach

A central issue in 2025 was a significant cybersecurity incident identified by CIRO on August 11, 2025, with notifications made to the CSA, law enforcement, and applicable privacy commissioners.

CIRO implemented containment measures and engaged external cybersecurity experts. While initial findings suggested that only registration-related data had been compromised, a subsequent forensic review expanded the scope of the breach. By January 2026, approximately 750,000 current and former clients of member firms were confirmed to be affected.

CIRO is notifying impacted individuals, offering credit monitoring and identity protection, and is advancing enhancements to its cybersecurity framework. The CSA has maintained active oversight throughout and continues to assess whether further regulatory action is warranted.

The incident highlights the growing importance of cybersecurity resilience in capital markets infrastructure.

Expanded Enforcement Powers and the Disgorgement Distribution Program

The Report highlights a material strengthening of CIRO’s enforcement capabilities. In 2025, Ontario joined six other provinces² in granting CIRO full enforcement powers, including the ability to collect fines directly, compel and present evidence, and benefit from statutory immunity in carrying out its regulatory functions. This development further positions CIRO as a national frontline enforcement body.

Additionally, CIRO’s Disgorgement Distribution Program represents a notable development for investor protection. Following consultations in 2023 and 2024, CIRO applied to use its Restricted Fund to support the program, which launched on April 1, 2026. The Restricted Fund is composed of monetary sanctions collected from fines or other amounts ordered in or arising from CIRO enforcement proceedings. These funds are used to support specific initiatives, including the disgorgement program.³

Previously, investors harmed by registrant misconduct could not recover losses through CIRO even where disgorgement was ordered. The new framework addresses this gap by enabling funds collected in disciplinary proceedings to be returned directly to affected investors.

Post-Close Initiatives and the Self-Regulatory Organization (“SRO”) Framework Integration

The Report highlights the ongoing implementation of solutions outlined in CSA’s Position Paper 25-404 (New Self-Regulatory Organization Framework), with several initiatives relating to the amalgamation of the Investment Industry Regulatory Organization of Canada (“IIROC”) and the Mutual Fund Dealers Association of Canada (“MFDA”).⁴

1. CIRO Rulebook Consolidation: A multi-phase consolidation of the investment dealer and mutual fund dealer rulebooks into a unified framework (the DC Rules). The project aims to harmonize regulatory requirements across dealer categories with the DC Rules replacing the current Investment Dealer and Partially Consolidated Rules and Mutual Fund Dealer (“MFD”) Rules.
2. Cooperative Operating Agreement: The CSA is overseeing the development of a new Cooperative Operating Agreement between CIRO and CIPF. This agreement will govern their ongoing relationship and will replace the current Transitional Agreement, which came into effect on January 1, 2023. The Transitional Agreement had been designed to ensure that existing arrangements between the predecessor SROs and investor protection funds would continue to govern the relationship between CIRO and CIPF.⁵
3. Enforcement Practices and Systems Integration: As of February 24, 2025, mutual fund dealers began using the Complaints and Settlement Reporting System (ComSet) to report all events required under MFD Rule 600, which sets out reporting requirements. Investment dealers were already using the system, which was originally developed for them.
4. Proficiency Model: CSA members approved and implemented CIRO’s new proficiency model for investment dealer representatives, effective January 1, 2026. To support this model, CIRO has released syllabi, practice exams, and study guides. This effort to strengthen proficiency is supported by Fitch Learning, which is assisting with the design of the syllabus and the exams for investment dealer approved persons.⁶
5. Additional Initiatives: Other ongoing areas of focus include dual registration frameworks for investment dealers and mutual fund dealers and incorporated advisor compensation options between investment fund dealing representatives and mutual fund dealing representatives.

Collectively, the initiatives described herein and more fulsomely in the Report reflect continued progress along the path toward a unified regime with enhanced regulatory consistency.

Alongside these initiatives, the CSA reviewed the CIPF’s three-year strategic plan for 2025-2027.⁷ The CIPF continues to provide protection, within prescribed limits, to eligible clients of CIRO dealer member firms who suffer losses if their property held by a member firm becomes unavailable due to the insolvency of that firm. CIPF maintains two funds for this purpose: the Investment Dealer Fund (“IDF”) and the Mutual Fund Dealer Fund (“MFDF”).

As part of its integration efforts, the CIPF aligned the investment policies and strategies of the IDF and MFDF while maintaining separate funds, insurance and lines of credit. The IDF continues to use a credit-risk based fund model (“IDF Model”) to estimate its liquidity resource requirement and determine its fund size. The CIPF is assessing if it is appropriate to extend the IDF Model to the mutual dealer universe and is in the process of developing a credit-risk model for the MFDF. Crypto assets remain excluded from coverage.

Key Takeaways

The Report reflects a continued path toward a more centralized, integrated, and accountability-driven regulatory environment, with heightened focus on cybersecurity, strengthened enforcement and investor restitution mechanisms, and ongoing harmonization of the SRO framework.

Footnotes

1. Canadian Securities Administrators, Canadian securities regulators report on key oversight activities of CIRO and CIPF (April 2, 2026).

2. Alberta, Québec, Newfoundland and Labrador, Prince Edward Island, Nova Scotia and New Brunswick.

3. The Restricted Fund is used to cover appropriate expenses related to running CIRO’s investor office, investor advisory panel, and hearing panels. CIRO may also use the funds for emerging regulatory issues, education and research initiatives, a whistleblower program, supporting non-profit organizations that focus on protecting investors, or other uses authorized by the CSA.

4. IIROC and the MFDA, the predecessor SROs, amalgamated to continue as the New Self-Regulatory Organization of Canada on January 1, 2023, which subsequently changed its name to CIRO on June 1, 2023.

5. CIPF is the currently approved/accepted IPF, which formed through the amalgamation of two protection funds, the former Canadian Investor Protection Fund and the MFDA Investor Protection Corporation, on January 1, 2023.

6. Fitch Learning markets itself as a global leader in financial education and professional certification solutions.

7. CIPF’s 2025-2027 Strategic Plan is structured around five key pillars: enhance operational strength and insolvency preparedness; optimize liquidity resources; being responsive and evolve coverage strategies; deepen stakeholder relationships and communications; evolve people strategy and culture.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.