Canada’s top investment industry regulator has unveiled a new framework designed to strengthen how crypto assets are held and safeguarded, marking a significant step in the country’s effort to curb losses linked to fraud, hacks, and operational failures. The Canadian Investment Regulatory Organization, or CIRO, published its Digital Asset Custody Framework on February 3, setting out interim standards for dealer members that operate crypto trading platforms.
The framework will be enforced through CIRO membership terms and conditions rather than formal rulemaking, allowing regulators to respond more quickly to emerging risks in fast-moving digital asset markets. CIRO said the measures draw on lessons from past failures, including the 2019 collapse of QuadrigaCX, which exposed gaps in custody practices and left thousands of customers unable to recover funds.
Tiered Custody and Risk Limits
At the center of the new regime is a tiered, risk-based approach to crypto custody. Custodians are classified into four tiers based on factors such as capital strength, regulatory oversight, insurance coverage, and operational resilience. Under the framework, top-tier custodians may hold up to 100% of client crypto assets, while lower-tier providers face progressively tighter limits, with Tier 4 custodians capped at 40%.
Dealer members that choose to self-custody assets are subject to even stricter constraints, limited to holding no more than 20% of the total value of client crypto. CIRO said these limits are intended to reduce concentration risk and ensure that weaker or less regulated custodians do not hold disproportionate amounts of client funds.
The framework also introduces enhanced governance and operational requirements. Custodians must establish formal policies for private key management, cybersecurity, incident response, and third-party risk oversight. Insurance coverage, independent audits, security compliance reports, and regular penetration testing are now mandatory components of custody operations.
Enforcement and Global Context
Custody agreements must clearly define liability in cases where losses result from negligence or preventable failures, reinforcing accountability across the custody chain. CIRO emphasized that the rules are designed to be proportionate, aiming to improve investor protection without unduly restricting innovation or competition in Canada’s crypto sector. The regulator said the framework was developed in consultation with industry participants and benchmarked against international standards.
The move comes amid heightened enforcement activity across Canada’s digital asset market. In recent months, the country’s financial intelligence agency, FINTRAC, has issued substantial penalties against both domestic and offshore crypto platforms for compliance failures related to anti-money laundering controls. As a self-regulatory organization, CIRO has the authority to investigate member misconduct and impose sanctions, including fines and suspensions.
Canada’s tighter custody standards also align with broader regulatory momentum globally, as jurisdictions seek to reinforce market infrastructure following high-profile crypto failures. Alongside custody reforms, Canadian authorities are preparing a comprehensive framework for fiat-backed stablecoins under the 2025 federal budget, signaling a more structured and institutionally focused approach to digital asset regulation.
