ARTICLE
24 March 2026

Crypto Custody Compliance: CIRO’s New Framework

ML
McMillan LLP

Contributor

McMillan LLP logo
McMillan is a leading business law firm serving public, private and not-for-profit clients across key industries in Canada, the United States and internationally. With recognized expertise and acknowledged leadership in major business sectors, we provide solutions-oriented legal advice through our offices in Vancouver, Calgary, Toronto, Ottawa and Montréal. Our firm values – respect, teamwork, commitment, client service and professional excellence – are at the heart of McMillan’s commitment to serve our clients, our local communities and the legal profession.
Explore Firm Details
On February 3, 2026, the Canadian Investment Regulatory Organization (“CIRO”) published a Notice on CIRO’s Digital Asset Custody Framework (the “Notice”)...
Canada Technology
Jennie Baek,Matthew DeAmorim,Karan Lall (Articling Student)
+2 Authors
 Your Author LinkedIn Connections
McMillan LLP are most popular:
  • with Senior Company Executives, HR and Finance and Tax Executives
  • with readers working within the Accounting & Consultancy and Insurance industries

On February 3, 2026, the Canadian Investment Regulatory Organization (“CIRO”) published a Notice on CIRO’s Digital Asset Custody Framework (the “Notice”) setting out updated terms and conditions (the “New Framework”) for the custody of digital assets by Dealer Members (as defined by the Investment Dealer and Partially Consolidated Rules, the “CIRO Rules”), including those operating crypto-asset trading platforms (“CTPs”) in Canada.

Background

In Canada, a firm that facilitates the trading of either: (a) crypto assets that are securities and/or derivatives or (b) instruments or contracts, based on crypto assets, that are securities or derivatives, are required to seek registration as an investment dealer and membership as a Dealer Member with CIRO (such firms referred to by CIRO and the Canadian Securities Administrators (the “CSA”) as CTPs). However, the CIRO Rules, which govern the activities of investment dealers, were designed to govern traditional securities and derivatives, and not necessarily the legal and technological risks unique to digital assets.

The current rules on custody applicable to Dealer Members are set out under CIRO Rule 4300. Under the pre-existing framework provided under the CIRO Rules, CTPs who have obtained membership with CIRO were required to hold client securities and precious metals bullion (including digital assets) at an “Acceptable Securities Location”1 (“ASL”), subject to the terms and conditions of any applicable exemptive relief granted by CIRO.

In addition, CTPs registered in the category of investment dealer are required to comply with applicable securities legislation, and the terms and conditions imposed under any applicable exemptive relief granted to a CTP by the CSA on a case-by-case basis. Under the standard form of exemptive relief granted by the CSA, CTPs are, among other requirements, required to hold not less than 80% of the total value of Crypto Assets held on behalf their clients with an “Acceptable Third-party Custodian”2 and maintain appropriate insurance and policies and procedures to mitigate custodial risk.

Custody rules applicable to crypto assets held on behalf of reporting issuer investment funds are also set out in National Instrument 81-102 – Investment Funds.

The New Framework

The New Framework is intended to act as an interim regulatory framework, with the expectation that harmonized regulatory instruments or permanent rules will be developed in the future. Crypto assets, as defined by CIRO for the purposes of clarity but not as a universal definition, include cryptocurrencies, protocol-based tokens, and any digital tokens linked to non-financial assets (collectively, “Crypto Assets”). The New Framework provides different rules for Crypto Assets and tokenized versions of traditional financial instruments including stablecoins (“Tokenized Assets”) to reflect their unique characteristics.

The key provisions of the New Framework are set out below, including differences in application as between Crypto Assets and Tokenized Assets.

Subject to the applicable terms and conditions, the New Framework requires Dealer Members to hold digital assets either (1) with one or more approved digital asset custodians, or (2) under internal custody, with the use of satisfactory custody technology. Custody requirements governing traditional securities remains unchanged. The New Framework is implemented through terms and conditions imposed on Dealer Members operating CTPs. While custodians are not required to become CIRO members themselves, they must satisfy CIRO criteria to be approved as a custody location.

Custodial Rules for Crypto Assets and Tokenized Assets

The New Framework uses a tiered system for Crypto Assets that

  • establishes baseline requirements applicable to all acceptable crypto custodians,
  • applies enhanced requirements to crypto custodians permitted to hold a greater proportion of client assets, and
  • links custody limits directly to crypto custodian capability and risk profile.

Specifically, the New Framework establishes four tiers (the “Tiers”) applicable to custodians that hold Crypto Assets (“Crypto Asset Custodians”):

  • Tier 1 Crypto Asset Custodians meet the highest standards for capital, controls for regulatory oversight, technology, insurance, and operational resilience, and may hold up to 100% of a Dealer Member’s Crypto Assets.
  • Tier 2 Crypto Asset Custodians have lower capital requirements but must meet the highest standards for regulatory oversight, insurance, and operational resilience and may hold up to 100% of a Dealer Member’s Crypto Assets.
  • Tier 3 Crypto Asset Custodians are subject to the same capital requirements as Tier 2 Crypto Asset custodians, but are subject to reduced technology assurance, cybersecurity requirements and operational resilience standards. Tier 3 Crypto Asset Custodians but may only hold up to 75% of a Dealer Member’s Crypto Assets.
  • Tier 4 Crypto Asset Custodians meet only baseline requirements and are capped at a custody limit of 40% a Dealer Member’s Crypto Assets, serving as the benchmark for internal custody equivalency.

Tokenized Assets are differentiated from Crypto Assets on the grounds that they represent traditional financial instruments that confer rights equivalent to the underlying assets. The tokenization of these instruments does not affect the rights of Tokenized Assets or their treatment under existing custody legislation. As a result, instead of applying the New Framework to Tokenized Assets, CIRO provided that Tokenized Assets must continue to be held with an entity that qualifies as an ASL under the CIRO Rules with additional safeguards applicable to custody performed through digital asset infrastructure (“Tokenized Asset Custodians”).

The Notice provides a table summarizing the requirements with respect to Crypto Asset Custodians under each of the Tiers and to Tokenized Asset Custodians. The table has been reproduced below and supplemented with further information from the Notice.

qwe

Notes

  1. SOC 2 and ISAE 3000 (Type 2) Reports are attestations from an independent auditor that can include assurances with respect to, among others, the design and operation of the custodian’s controls, their confidentiality practices, the efficiency of their systems, and crypto-asset risks.
  2. Additional assurance is required for Tier 2 Crypto Asset Custodians as compared to Tier 1 Crypto Asset Custodians because they are permitted to hold a greater percentage of Crypto Assets while not meeting the highest capital requirement.
  3. Tier 3 Crypto Asset Custodians that use proprietary technologies to administer, store, or transfer Crypto Assets must meet the same criteria as Tier 2 Crypto Asset Custodians with respect to this requirement.
  4. Tier 2 and Tier 3 Crypto Asset Custodians are expected to maintain stronger controls than the other Tiers with respect to third-party risk management and business continuity. Tier 2 must evidence their adherence while Tier 3 can provide a representation with respect to their adherence to qualify as a Tier 3 Custodian.
  5. All custodians must maintain insurance in the prescribed form. Fidelity insurance for Tokenized Asset Custodians, Tier 1 Crypto Asset Custodians and Tier 2 Crypto Asset Custodians must apply across all storage locations regardless of method or physical location. External assurance is required with respect to insurance from Tier 2 Crypto Asset Custodians. Tier 3 and 4 Crypto Asset Custodians may use specie insurance for Crypto Assets held in cold storage.
  6. Tier 1, 2, and 3 Crypto Asset Custodians are expected to provide formal information-sharing arrangements between CIRO, a provincial securities regulator or a Canadian federal prudential regulator (as applicable) and the crypto-custodian’s primary regulator.
  7. A Dealer Member may self-custody up to 20% of the Crypto Assets that it holds for its clients and its own account. However, CIRO will require that the Dealer Member abide by the requirements applicable to Tier 4 Crypto Asset Custodians.

CIRO maintains the right to impose additional safeguards on Tokenized Assets custodians in their discretion, but provided that any additional requirements will not exceed the custody requirements applicable to Tier 2 Crypto Asset Custodians.

Practical Next Steps for CTP Dealer Members

Dealer Members operating CTPs and CTPs seeking to become a CIRO Dealer Member should begin assessing their custody arrangements against the New Framework. This includes inventorying all custody locations, assessing each engaged or proposed custodian against the Crypto Asset Custodian Tiers, confirming compliance with percentage concentration limits, and validating that required safeguards, such as SOC assurance reports, insurance coverage, segregation practices, and cybersecurity control, meet applicable standard. Dealer Members should also review and, where necessary, update custody agreements and implement internal monitoring and reporting processes to ensure ongoing compliance with tier thresholds and operational requirements.

Footnotes

1. “Acceptable Securities Location” is defined in the General Notes and Definitions of Form 1. Such entities include certain Canadian/foreign banks, trust companies, and certain depositories and clearing agencies like CDS Clearing and Depository Services Inc. and Depository Trust Company.

2. An “Acceptable Third-party Custodian” is referred to by the CSA as an entity that is a qualified Canadian or foreign custodian (or has obtained prior regulatory consent), is functionally independent of the CTP, and has current audited financial statements (with an unqualified opinion) and a SOC 2 report, both within the last 12 months. For further information and the full definition, please see CSA Staff Notice 21-332 Crypto Asset Trading Platforms: Pre-Registration Undertakings – Changes to Enhance Canadian Investor Protection.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2025

[View Source]
Authors
Photo of Jennie Baek
Jennie Baek
Photo of Matthew DeAmorim
Matthew DeAmorim
Photo of Jerry Z. Huang
Jerry Z. Huang
Photo of Karan Lall (Articling Student)
Karan Lall (Articling Student)
Photo of David Adjei
David Adjei
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More