TLDR
- CIRO sets four-tier risk-based custody structure for crypto trading firms
-
Top custodians can hold 100% of assets; Tier 4 is limited to 40%
-
Internal custody by platforms capped at 20% to reduce central risk
-
CIRO can proactively update custody standards as risks evolve
The Canadian Investment Regulatory Organization (CIRO) has introduced a new Digital Asset Custody Framework to raise the standards for how crypto platforms manage user assets. The move comes in response to past crypto failures, most notably the 2019 collapse of QuadrigaCX, which left customers with over $123 million in unrecovered funds.
The framework will apply to crypto asset trading platforms (CTPs) that are members of CIRO. It sets mandatory rules on how these firms must safeguard digital assets, including how custody is handled both externally and internally. CIRO said the new rules will take effect immediately as part of each firm’s membership terms, giving the organization flexibility to update expectations without needing legislative delays.
Tiered Structure Will Limit How Much Custodians Can Hold
A key part of the framework is a four-tier structure for custodians. CIRO said custodians will be ranked based on capital, insurance coverage, oversight, and technical controls. Top-tier custodians can hold up to 100% of client crypto assets, while Tier 4 custodians are capped at 40%.
Crypto trading platforms using internal custody solutions will face an added cap. Under the new rules, internal storage is limited to 20% of client asset value, helping to minimize central risk in the event of failure or mismanagement.
The framework also sets expectations for governance practices. These include independent audits, mandatory insurance, key management procedures, cybersecurity planning, and routine penetration testing. All custody agreements must define liability clearly in the case of negligence or preventable loss.
CIRO Will Adjust Rules as Market Risks Evolve
CIRO said it will closely monitor custody practices and will proactively update the framework when early risk signs appear. These signs include repeated security issues, new custody models, or changes in how crypto is stored.
“If we see that expectations are no longer aligned with how custody risk is manifesting, CIRO would update the framework proactively,” the regulator said. The guidance was shaped with input from custodians and CTPs, as well as comparisons to global practices.
The goal, CIRO added, is to balance safety with innovation.
“The framework reflects a risk-based and proportionate approach designed to balance investor protection with market innovation and competition.”
Past Failures Inform Present Regulations
QuadrigaCX remains Canada’s most well-known crypto failure. Its CEO, Gerald Cotten, died in 2018, and it was later revealed that customer funds were missing. Co-founder Michael Patryn was allegedly involved in operations during key misappropriation periods. These failures led to stronger scrutiny on custody arrangements.
CIRO’s Alexandra Williams called custody “one of the most critical points of risk in the crypto ecosystem.” The new framework is part of broader national reforms. The Canadian government has also issued fines for exchanges like Cryptomus, KuCoin, and Binance for poor compliance.
With this new framework, Canada is working to improve crypto safety by requiring stricter controls on where and how digital assets are stored, limiting risks from fraud, poor governance, and inadequate cybersecurity.
