CIRO’s digital asset custody framework: institutionalizing crypto custody in Canada CIRO’s digital asset custody framework: institutionalizing crypto custody in Canada

Introduction

On February 3, 2026, the Canadian Investment Regulatory Organization (CIRO) released a notice (the notice) outlining requirements for the custody of digital assets by CIRO dealer members (dealer members) operating crypto-asset trading platforms (CTPs) in Canada. This framework was developed through an iterative and consultative process involving key stakeholders, with the objective of protecting investors while continuing to foster innovation and competition in the sector.

Previously, there was no framework under CIRO’s rules specifically governing the custody of digital assets by investment dealers. CIRO, appreciating the unique risks surrounding custody of digital assets, has imposed custody requirements on dealer members operating CTPs through its terms and conditions of membership (described as an interim approach capable of expansion and development).

Appendix A of the notice contains a chart outlining “Custodian Requirements for Tokenized Asset Custodians and Crypto Custodians” (Tiers 1–4), which can be accessed here [PDF].

The framework

Under this framework, dealer members are required to ensure that digital assets are held by either one or more approved custodians or under internal custody (with appropriate technology). Custodians must be approved digital asset custodians, as approval to custody securities in general on its own is insufficient (the requirements for traditional securities custody remains unchanged).

This framework differentiates crypto assets and tokenized versions of traditional financial instruments (equities, debt, etc.). Tokenized financial assets (which are not exclusively crypto assets) must continue to be held by custodians under the traditional securities custody framework (Acceptable Securities Location), as well as by custodians who meet requirements for holding digital assets. This approach is intended to ensure that existing custody requirements for securities and cash cannot be circumvented merely by issuing those instruments in tokenized form.

Meaning of “digital custody”

CIRO outlines that “digital custody” involves safekeeping and control of both crypto assets and tokenized assets, and in practice, typically includes:

• creation, storage and governance of private cryptographic keys
• controls over transaction authorization and execution
• reconciliation and address governance processes and
• cybersecurity, monitoring, incident response and recovery

Tiered model

Regarding custody of crypto assets, CIRO provides that asset-holding limits should scale with the crypto custodian’s capacity to manage risks. CIRO introduces a tiered framework which establishes baseline requirements for custodians, applies enhanced requirements for custodians who are permitted to hold a greater proportion of client assets and links custody limits to the custodian’s ability to manage custody risks (with Tier 1 custodians permitted to hold 100% of dealer member’s assets and Tier 4 custodians permitted to hold 40% of dealer member’s assets). This approach allows dealer members to diversify their custody arrangements and mitigate concentration risk among custodians with limited risk capacity. Of note, this tiered model does not apply to “Acceptable Tokenized Asset Custodians” as defined in the notice.

Custodian requirements

The notice outlines several key requirements for custodians, including:

• minimum capital requirements
  • These requirements are intended to provide financial resilience against operational and market stress.
• requirement of institutional grade infrastructure
  • Addresses technology-driven risks inherent in crypto-asset custody.
• insurance and internal controls
  • Ensures maintenance of strong preventative controls and mitigation of financial impact upon custody failure.
• legal and jurisdictional controls
  • Addresses risks that arise when assets are held outside of traditional custodial frameworks, in jurisdictions with differing insolvency, trust, and enforcement regimes, and contractual arrangements that may not protect client assets in adverse scenarios.

Acceptable Tokenized Asset Locations

Acceptable Tokenized Asset Custodians must meet the following requirements:

• qualify as an ASL under IDPC Rule 4342 and General Notes and Definitions in Form 1
• have policies and procedures specific to securing tokenized assets
• SOC 2 or ISAE 3000 assurance covering security, availability, confidentiality and processing integrity and
• insurance coverage

CIRO reserves the right to impose additional safeguards in cases that warrant enhanced controls/safeguards (based on the nature, scale, complexity or risk profile of an arrangement).

Segregation

CIRO does not prescribe specific segregation mechanics for digital assets. Rather, dealer member and digital asset custodians must ensure fully paid client assets are protected from the claims of creditors and preserves client ownership rights in insolvency (or similar proceedings). CIRO may require a legal opinion, or other assurances, confirming such safeguards are in place.

Self-custody

Dealer members are permitted to self-custody up to 20% of the value of crypto assets it holds for clients or on its own account. With internal custody representing a substantial technology risk, Dealer members’ internal custody solutions must meet the SOC reporting and tier-specific requirements applicable to Type 4 Crypto Custodians.

Dealer members may self-custody tokenized assets (with no prescribed limit) provided they have obtained approval as an Approved Tokenized Asset Custody Location.

Compliance and monitoring

Dealer members are expected to monitor compliance with custody limits weekly and take prompt action in cases of breach. Additionally, dealer members are to report to CIRO:

• in the manner and frequency specified by CIRO — including on the quantity and value of digital assets held, and the custody locations at which those assets are held
• a breach of the limits applicable to a crypto custodian or internal custody, including a description of the breach, steps taken to remediate the breach, and a clear remediation plan when a breach cannot be cured within one business day

Repeated or unresolved breaches can result in supervisory or enforcement action.

Final observations

One of the most notable features of the framework is its insistence on regulatory continuity. CIRO has not created a standalone digital asset custody regime detached from existing securities infrastructure. Instead, tokenized financial assets remain subject to the Acceptable Securities Location framework, supplemented by digital custody safeguards. CIRO’s message is clear: tokenization does not alter the legal character of an underlying asset.

Additional clarification on stablecoins would be helpful. To the extent certain stablecoins are characterized as tokenized financial assets, they may be required to be held at Acceptable Securities Locations in addition to meeting digital asset safeguards. This could narrow the pool of eligible custodians relative to other crypto assets and potentially require CTPs to bifurcate custody arrangements.  

Finally, the framework reflects the fact that the Canadian digital asset industry continues to inch further into traditional finance or “TradFi” territory. CIRO’s approach neither treats crypto custody as exceptionally unique, nor permits it to operate outside prudential norms. Instead, it blends traditional safeguards such as capital adequacy, contractual liability and insolvency protection with crypto-specific controls addressing private key management, cyber resilience and technological integrity.

In practical terms, digital asset custody in Canada is no longer operating at the regulatory margins; it has been absorbed into the mainstream supervisory architecture.