CIRO InnovateSafe: Application Guidance for Firms

I. Background and objectives

InnovateSafe facilitates responsible testing for activities that may not fit neatly within existing regulatory requirements due to their novelty, technological complexity, or lack of precedent. The sandbox provides a structured, time-limited environment that allows firms to operate within defined parameters, enabling CIRO to evaluate risks, gather data, and assess the implications of emerging market practices.

InnovateSafe is designed to:

• Provide a controlled environment to test new or novel financial products, services, technologies, or operating models where regulatory uncertainty exists.
• Support firms in developing compliant, investor-focused solutions that may be suitable for broader market deployment.
• Enable CIRO to collect data, assess risks, and identify whether new rules, guidance, or supervisory approaches may be needed.
• Facilitate safe experimentation while maintaining strong investor protection safeguards, including mandatory reporting, risk controls, and predefined exit criteria.

Importantly, participation in InnovateSafe does not constitute CIRO endorsement, approval, or certification of any product or service. Firms must not represent participation as regulatory approval or use it for promotional or commercial purposes. Sandbox approval is time-limited and may be withdrawn if risks evolve or conditions or undertakings are breached.

II. Eligibility

To be eligible for consideration, applications must satisfy all of the following criteria.

1. Entity Type and Regulatory Status

An applicant must be:

• a CIRO-regulated firm; or
• a firm willing to submit to CIRO oversight through an agreement or undertaking.

Applicants must identify who is accountable for the initiative and demonstrate that they have appropriate governance, staffing, and controls in place, including oversight of any third-party service providers.

2. Benefit to Investors and/or Capital Markets

Applicants must demonstrate that their proposal provides clear, tangible benefits for investors and/or capital markets. These benefits should include improvements to investor outcomes, access, transparency, or protections, or enhancements to market efficiency, resiliency, or infrastructure. Secondary benefits such as competitiveness or productivity may be relevant but will not substitute for direct investor or market benefits. Accordingly, applications aimed solely at commercial expansion, user growth, branding, or signaling regulatory approval will not be considered.

3. Need for a Sandbox Approach

A proposal must further demonstrate a clear need for sandbox treatment. This includes establishing that the activity either cannot proceed or will result in significant delays under existing rules due to regulatory uncertainty, interpretive ambiguity, or the absence of a suitable framework, and that traditional exemptive relief is not feasible without further testing and evidence. The proposal should reflect meaningful innovation in technology, business model, or process rather than minor modifications of existing services.

4. Readiness to Test

Finally, applicants must be ready to test safely. This includes having a minimally viable product that has undergone pre-testing, clear test objectives and hypotheses, an understanding of known risks, and sufficient operational readiness to monitor activity and respond to incidents. Early-stage concepts or untested prototypes are not suitable for InnovateSafe.

III. CIRO Review Process

Applications are evaluated through an internal two-stage process.

In Stage 1, CIRO conducts a strategic assessment of eligibility, potential benefits, alignment with regulatory priorities, novelty, complexity, and anticipated resource requirements. Applications that pass this stage proceed to Stage 2, where CIRO conducts a deeper, cross-functional review of the proposed testing framework, including risk mitigation, investor safeguards, reporting expectations, and any temporary exemptive relief required.

If an application is approved, CIRO will set out the applicable approval framework in writing, which may include firm-provided undertakings and, where appropriate, terms and conditions describing the scope of the test, reporting obligations, risk controls, permitted activities, and exit and wind-down requirements 1.

IV. Application Process

Firms must submit a single comprehensive application that describes the innovation, the regulatory uncertainty, the expected benefits, and the preliminary testing plan, and demonstrates operational readiness. CIRO will review the application and may request additional information where necessary. Refer to the last section for the application intake form that includes a checklist.

The sections below explain why each part of the application form is required and how CIRO uses the information during its assessment.

1. Section A – Firm Information

This section allows CIRO to confirm eligibility and understand the applicant’s regulatory status, business model, intended client base, and current stage of product development. Firms not currently regulated must explicitly acknowledge their willingness to enter into an agreement with CIRO for the duration of the test.

Information on target users (e.g., retail or institutional clients) informs the level of investor protection required, while the stage of development helps CIRO verify that the initiative is mature enough for safe testing.

2. Section B – Description of Innovation

This section requires firms to describe the innovation, its intended purpose, and the rationale for seeking sandbox treatment. CIRO expects applicants to clearly explain:

• what is genuinely novel about the proposed initiative,
• how it will provide meaningful benefits to investors or capital markets
• why existing regulatory frameworks or exemptive relief channels are insufficient, and
• how the initiative aligns with the firm’s strategy and operational capabilities.

This section distinguishes legitimate regulatory testing needs from initiatives that are primarily commercial, promotional, incremental, or insufficiently developed.

3. Section C – Readiness and Team

This section outlines the firm’s operational and technological preparedness to conduct supervised testing, including the qualifications of the personnel responsible for the initiative and the role of any third-party service providers. Applicants must demonstrate that they have the governance structure, technical stability, and staffing necessary to conduct testing safely and effectively.

4. Section D – Overview of Test Plan

This section requires applicants to outline the scope, duration, design, and expected outcomes of the proposed test. This includes key hypotheses, scenarios, KPIs, user or asset limits, and reporting frequency. Applicants must also outline the technical environment in which testing will occur, including access requirements, the isolation of testing from production systems, if applicable, and proposed test scenarios. Test scenarios must be realistic, data-driven, and designed to evaluate the stated objectives and hypotheses.

CIRO uses this information to evaluate whether the proposal is appropriately structured, whether the test parameters are proportionate to the risks, and whether the initiative aligns with InnovateSafe’s testing mandate.

5. Section E – Investor Protection Measures

Applicants must describe the safeguards they will apply to participants during the test, including disclosures, consent processes, complaint handling mechanisms, and any financial protections such as insurance or asset segregation.

This section helps CIRO ensure that investor protection obligations remain central to testing activities and that risks to clients are mitigated.

6. Section F – Data, Reporting and Incident Management

This section addresses how applicants will collect data during the test, the types of metrics they will track, and how incidents will be escalated. Applicants must demonstrate that they will maintain appropriate transparency throughout the test period and that they have the capacity to identify and report issues to CIRO promptly. CIRO may impose additional reporting obligations based on the complexity or risk profile of the initiative.

7. Section G – Risk Assessment and Governance

This section requires applicants to identify their top risks and describe mitigation strategies, as well as outline the internal controls and governance mechanisms supporting the supervised test.

CIRO uses this information to determine whether the firm has adequately assessed key operational, technological, investor-related, and compliance risks, and whether governance structures are sufficient to support sandbox testing.

8. Section H – Complexity Assessment

Applicants are expected to evaluate the proposed initiative across several dimensions, including regulatory novelty, investor risk, market impact, technology maturity, business model complexity, operational readiness, and oversight needs, and assign each a rating of High, Moderate, or Low, supported by a clear rationale.

The complexity assessment allows CIRO to understand the scale and nature of the proposal, determine the level of oversight required, and help prioritize initiatives and assess internal resourcing requirements, if necessary.

CIRO may reevaluate or adjust these ratings as part of its internal review.

9. Section I – Exit and Wind-down Plan

This section outlines the applicant’s plans for both successful completion of the test and early termination if necessary. A clear exit strategy, including communication protocols, wind-down procedures, and client protections, is required before testing can begin.

CIRO uses this information to ensure that the initiative can be transitioned, concluded, or dismantled without adverse impact on clients or markets.

V. Monitoring and oversight

Testing conducted under InnovateSafe is subject to ongoing oversight. Firms will be expected to report regularly on key metrics, incidents, complaints, deviations from the approved plan, and any emerging issues. Material incidents must be escalated to CIRO in real time. CIRO may use automated tools or dashboards where appropriate and will conduct periodic supervisory reviews throughout the test. CIRO may amend, pause, or terminate a test if conditions or undertakings are breached or risks become unacceptable.

VI. End-of-test assessment

At the conclusion of the test, firms will be expected to provide a final report outlining:

• results relative to objectives and hypotheses;
• data and insights;
• incidents and how they were addressed;
• investor and market impacts;
• recommended next steps.

CIRO will assess whether the initiative can move toward broader deployment, which may require a formal change in business application pursuant to CIRO rules, requires modification, or must conclude without continuation.

It should be noted that successful completion of an InnovateSafe does not guarantee future approval or exemptive relief.

VII. Transparency and public reporting

To support transparency, CIRO will publish information about InnovateSafe initiatives on its website, including a description of the test and the approval framework under which it was approved.

CIRO will not publish proprietary or commercially sensitive information.

VIII. Contact information

Applicants may submit their completed applications or questions to the Member Services and Innovation team at InnovateSafe@ciro.ca.

Appendix: InnovateSafe Application Intake Form and Requirements (Checklist for Applicant)

• 1CIRO applies a risk-based and proportionate approach when determining the appropriate approval mechanism for InnovateSafe experiments. Depending on the risk, scope, and nature of the proposed activity, CIRO may rely on firm-provided undertakings rather than Board-imposed terms and conditions.