CIRO’s Digital Asset Custody Framework: Beyond Crypto, But Still A Ways To Go

During Q1 2026, U.S. capital markets regulators released a deluge of guidance on digital assets, while the Canadian Securities Administrators (CSA) were comparatively silent. The one exception was Canadian Investment Regulatory Organization (CIRO)’s Digital Asset Custody Framework and related Terms and Conditions (the CIRO Framework) published in early February.

The CIRO Framework reflects years of consultation with crypto asset trading platforms (CTPs) and other stakeholders, and is consistent with the CSA’s long held view that custodial safeguards are fundamental to the effective regulation of digital asset intermediaries. CIRO also adopts IOSCO’s regulatory mantra of “same risk, same regulatory outcome” by applying technical requirements developed for crypto custody to CIRO members when safekeeping tokenized securities and other “tokenized financial assets”.

While the CIRO Framework should streamline regulatory approval for CTPs and other Dealer Members proposing to offer digital asset services, key questions recently addressed by the U.S. Securities and Exchange Commission (SEC) and Commodity Futures and Trading Commission (CFTC) remain unanswered in Canada. In particular, neither CIRO nor the CSA:

• Provide guidance on issuance and trading of tokenized securities, while the SEC sets out a taxonomy of issuer-sponsored and third-party sponsored tokenized securities (custodial and synthetic), including how securities laws are expected to apply to each model;¹
• Confirm that crypto assets and stablecoins are acceptable collateral for customer margin, while the CFTC empowers derivatives clearing organizations to establish haircuts for digital assets that will be accepted as customer collateral by participating futures commission merchants (FCMs)^[2
• Reduce the 100% capital charge that currently applies to digital assets held by CIRO members, while the SEC and CFTC both endorse capital charges of 20% on bitcoin and ether and 2% on payment stablecoins held in inventory by broker-dealers and FCMs;³
• Classify digital assets into categories for regulatory purposes other than custody, while the SEC and CFTC describe five distinct categories – digital commodities, digital collectibles, digital tools, stablecoins and digital securities – and explain that digital commodities, collectibles and tools initially sold under an investment contract are no longer subject to securities laws once they are separated from the issuer’s representations or promises.⁴

CSA Project Tokenization

We anticipate that the CSA will answer some of these questions following Project Tokenization, a Fall 2025 initiative launched in Alberta, British Columbia, Ontario and Québec which seeks to use stakeholder engagement, issue mapping, targeted research and live testing to “support regulatory learning and collaborative exploration”. Project Tokenization is the CSA’s first public consultation relating to digital assets since 2019, and has attracted significant interest from market participants. The outcome could allow Canada to keep pace with the accelerating adoption of distributed ledger technology in capital markets in the United States, Europe and beyond.  

CIRO confirms its intention to review and amend the CIRO Framework as needed to maintain regulatory alignment with the CSA following Project Tokenization.

Crypto Assets vs. Tokenized Assets

The CIRO Framework establishes two categories of digital assets, strictly for custodial purposes:

1. Crypto assets: all digital assets that do not represent traditional financial assets or confer equivalent legal rights, including cryptocurrencies, protocol-based tokens, and any digital tokens linked to non-financial assets; and
2. Tokenized [financial] assets: only digital assets that represent traditional financial instruments and confer rights equivalent to the underlying assets, like equities, debt, deposits, and other financial assets and instruments.

Notably, for the purposes of its custodial classification, CIRO focuses on whether the digital asset confers the same legal rights as a traditional financial asset. For a tokenized financial asset: “the digital wrapper does not change the underlying ownership structure, rights to cash flows, priority in insolvency, or treatment under existing custody legislation”.

In contrast, Joint CSA/CIRO Staff Notice 31-369 Guidance on the Application of Securities Legislation to Finfluencer Activity December 11, 2025 (Staff Notice 31-369) implies that most crypto assets promoted by finfluencers are likely securities, regardless of whether they confer any of the legal rights associated with financial assets. In explaining how crypto assets can “appear to meet the definition of securities”, Staff Notice 31-369 relies on outdated CSA guidance published in 2017 and 2018, several years before the U.S. decision in SEC vs. Ripple Labs, Inc., Bradley Garlinghouse and Christian A. Larsen 20 Civ. 10832 (AT) 13 Jul 2023 (Ripple), which recognized that digital tokens are not, in and of themselves, securities.

Ripple and subsequent U.S. cases helped shape the digital asset taxonomy set out in the SEC & CFTC 2026 Crypto Guidance, which draws bright lines around when U.S. securities law applies to crypto asset activities. This regulatory clarity provides a framework for responsible innovation and regulation in the United States across a range of digital asset activities, including issuance, trading, borrowing/lending and custody.

We encourage the CSA to adopt CIRO’s distinction between crypto assets and tokenized financial assets more broadly, including when applying securities legislation to non-custodial digital asset markets and decentralized protocols.

Digital Custody

The CIRO Framework uses the term “digital custody” to describe the safekeeping and control of crypto assets and tokenized assets, including:

• creation, storage and governance of private cryptographic keys,
• controls over transaction authorization and execution,
• reconciliation and [digital wallet] address governance processes, and
• cybersecurity, monitoring, incident response and recovery.

CIRO recognizes that “unlike traditional securities, loss of private keys or unauthorized transactions can result in permanent loss of [digital] assets”. As a result, the CIRO Framework emphasizes technology controls, assurance reporting, segregation and governance as effective mitigants for digital custody risks.

Acceptable Crypto Custodians and Tiered Requirements

Since CIRO commenced regulating CTPs in 2022, it has attempted to take a flexible approach toward the application of its traditional custody framework to crypto asset intermediaries. CIRO has granted several discretionary exemptions⁵ from the requirement for Dealer Members to hold all client assets at an Acceptable Securities Location (ASL). In practice, these exemptions have allowed certain CTPs to custody a portion of client assets with smaller custodians that do not meet the ASL minimum capital requirements (C$100 million for a Canadian ASL and C$150 million for a non‑Canadian ASL).

The CIRO Framework’s tiered approach builds upon these early exemptions by establishing baseline requirements applicable to all crypto custodians, applying enhanced requirements to custodians permitted to hold a greater proportion of client assets and linking custody limits directly to custodian capability and risk profile. CIRO’s approach is intended to boost competition, including among Canadian service providers, and reduce concentration risk while at the same time addressing the unique risks associated with digital custody.

Key requirements for crypto custodians include:

1. Minimum capital: generally C$10 million for Canadian and C$100 million for foreign;
2. Institutional-grade infrastructure: SOC 2 reports, penetration testing and cybersecurity controls; 
3. Internal controls: procedures for custody technology, third party risk management and business continuity;   
4. Insurance: property and fidelity insurance commensurate with size and operations; and
5. Legal and jurisdictional controls: regulatory supervision, enforceable custody agreement, trust-like treatment of segregated client assets on insolvency, Basel Accord jurisdiction.

Appendix A below summarizes how these requirements apply to all tiers of crypto custodian under the CIRO Framework.

Acceptable Tokenized Asset Locations

CIRO continues to apply the traditional ASL requirements to custodians of tokenized assets, with additional expectations “layered on top to address the technology-specific risks introduced when those assets are records and transferred using distributed-ledger or similar technologies”.  

Appendix A below depicts which digital custody requirements apply to ASLs when custodying tokenized assets. In addition, CIRO reserves the right to require additional digital custody safeguards for an Acceptable Tokenized Asset Location, up to the same standards that apply to Tier 2 Crypto Custodians.   

Self-Custody of Digital Assets

When the CSA exerted jurisdiction over CTPs in 2020, custody risk was its primary focus.⁶ Consequently, all CTPs have accepted as a condition of registration under securities legislation that crypto assets representing at least 80% of the value of all crypto assets held on behalf of clients (Client Crypto) must be held in cold storage with an “acceptable third-party custodian”, and a maximum of 20% of Client Crypto may be self-custodied by the CTP. This “80/20 Split” is now enshrined in the CSA’s regulatory framework for CTPs, regardless of the sophistication and scale of self-custodial solutions used by CTPs, the SEC’s acceptance of crypto self-custody solutions implemented by U.S. broker-dealers⁷ and other global regulatory frameworks.

The CIRO Framework reflects the CSA’s 80/20 Split by providing that a Dealer Member may self-custody up to 20% of Client Crypto. CIRO also allows Dealer Members to self-custody proprietary crypto assets, however, capital penalties will apply to self-custodied proprietary crypto assets that exceed the total 20% allotment in the 80/20 Split.

In March 2026, CIRO approved an InnovateSafe test involving inventory position of stablecoins, under which three CTPs will apply margin rates of 15% to 30% to inventory positions in “approved stablecoins”⁸, subject to Terms and Conditions for Stablecoin Margin including enhanced prudential controls, monitoring, reporting and concentration limits. While CIRO’s pilot is markedly more conservative than the 2% capital charge endorsed by the SEC and CTFC, it is a small but meaningful step in the right direction.

Notably, CIRO does not propose to apply the 80/20 Split to tokenized financial assets, acknowledging that “Dealer Members themselves are eligible to act as ASLs for traditional securities…[and] imposing separate crypto-style custody limits for tokenized assets would create unnecessary regulatory asymmetry”.

The CIRO Framework manages the substantial technology risk associated with internal custody of digital assets by imposing the same SOC 2 reporting and crypto storage procedure requirements as applicable to Tier 4 Crypto Custodians to Dealer Members when they self‑custody crypto assets. Although it is not entirely clear, we expect that the same requirements would apply to Dealer Members when they self‑custody tokenized financial assets.

Segregation

The CIRO Framework underscores segregation of client assets as a core investor protection concept. While CIRO does not prescribe specific segregation mechanics for digital assets given the absence of an established legal and operational standard, it focuses on the outcome of ensuring that client assets are identifiable, traceable and recoverable in an insolvency scenario. CIRO may require legal opinions or other assurances to this effect, including references to the insolvency regime in the custodian’s jurisdiction and the legal effectiveness of the custodian’s segregation arrangements.

CIRO expects that the digital custody practices of its Dealer Members (including CTPs) will include:

• Daily segregation calculations;
• Clear designation of segregated locations;
• Prompt resolution of deficiencies, including buy-in of any unresolved deficiencies within 5 days; and
• Minimal operational commingling, with all proprietary assets held in segregated locations justified based on documented operational necessity.

Compliance, Monitoring and Supervisory Response

Consistent with CIRO’s role as the self-regulatory organization for investment dealers in Canada, the CIRO Framework applies the following requirements on all Dealer Members when engaging in digital custody activities:

• New Applicants for CIRO membership (including CTPs) must demonstrate compliance with the CIRO Framework: CTPs will no longer be required to apply for exemptive relief from the ASL requirements in order to hold Client Crypto with a crypto custodian that meets the tiered criteria.
• Material Change Notification: must be submitted by Dealer Members prior to initiating, or materially expanding, any activity involving tokenized financial assets.
• Policies and procedures: for digital custody must be implemented by Dealer Members that are customized to their operations, consistently applied and embedded in governance and control frameworks.
• Limits monitoring: of the 80/20 Split for Client Crypto must be conducted proactively, with prompt corrective action to cure breaches having regard to the significant volatility in crypto asset values.
• Reporting to CIRO: in a manner and frequency specified by CIRO, the quantity and value of digital assets held, the custody locations where they are held, any breach of custody limits including a description of the breach and the remediation plan.
• Supervisory action: repeated or unresolved breaches may result in supervisory or enforcement action, including restrictions on custody arrangements, reductions to percentage limits at certain locations and/or designation of Early warning Level 2.   

APPENDIX A

SNAPSHOT OF REQUIREMENTS FOR ACCEPTABLE TOKENIZED ASSET LOCATIONS AND CRYPTO CUSTODIAN TIERS

Footnotes

1. SEC Division of Corporation Finance, Division of Investment Management, Division of Trading and Markets Statement on Tokenized Securities (28 Jan 2026).

2. CFTC Letter No. 26-05 No-Action Position Regarding Digital Assets Accepted as Margin Collateral (Feb 6) and related FAQ (20 Mar 2026) (together, CFTC Letter 26-05 and FAQ).

3. CFTC Letter 26-105 and FAQ; SEC’s Trading and Markets FAQ on crypto asset activities and distributed ledger technology (19 Feb 2026).

4. SEC RIN 3256-AN56 and CFTC RIN 3038-AF67, Interpretative Release - Application of Federal Securities Laws to Certain Types of Crypto Assets and Certain Transactions Involving Crypto Assets (17 Mar 2026) (together, SEC & CFTC 2026 Crypto Guidance), available at the SEC Rules and Regulations page and the Federal Register.

5.See, for example, CIRO Member Bulletins and Rules Bulletins granting discretionary exemptive relief to NDAX Canada Inc. (Dec. 30, 2024), Shakepay Inc. (Jan. 10, 2025), and Wealthsimple Investments Inc. (Feb. 14, 2024). See also In the Matter of Coinsquare Capital Markets Ltd. (Oct. 11, 2024).

6. CSA Staff Notice 21‑327, Guidance on the Application of Securities Legislation to Entities Facilitating the Trading of Crypto Assets (January 16, 2020).

7. See SEC Division of Trading and Markets: Frequently Asked Questions Relating to Crypto Asset Activities and Distributed Ledger Technology (19 Feb 2026), Q&A 8 and 9.

8. Currently, the only “Approved Stablecoin” is USDC based on the criteria in Section 4.1 of the terms and conditions.