Notice on CIRO’s Digital Asset Custody Framework

1. Background and context

There is currently no permanent framework under the CIRO Rules that governs the custody of digital assets (which covers crypto assets, and tokenized assets including stablecoins) by investment dealers. While existing CIRO rules address custody, segregation, and capital requirements for securities and derivatives, those frameworks were not designed to address the technological, operational, and legal risks unique to digital assets which include, among others:

• irreversible loss arising from compromise or mismanagement of cryptographic keys,
• heightened exposure to cyber-attacks,
• operational dependencies on complex technology stacks and third-party service providers,
• legal uncertainty across jurisdictions particularly in insolvency scenarios, and
• concentration risk arising from reliance on a small number of crypto custodians.

Historical failures in the crypto sector, including losses due to hacking, fraud, inadequate governance, and insolvency, have demonstrated that custody arrangements are a critical point of investor vulnerability.

In the absence of formal rules specifically tailored to crypto asset custody, we have imposed custody requirements on Dealer Members operating CTPs through terms and conditions of membership. This approach allows us to respond more quickly to emerging risks, tailor requirements to specific business models and risk profiles, and provide regulatory clarity and investor protection while broader policy work continues.

These terms and conditions are intended to operate as an interim regulatory framework and do not represent a final or exhaustive set of requirements. We expect that, over time, elements of this framework may inform the development of permanent rules or harmonized regulatory instruments as crypto asset markets mature.

2. Development and approval of the framework

The digital asset custody framework was developed through an iterative and consultative process that included:

• engagement with Dealer Members and restricted dealers operating CTPs,
• consultations with their crypto custodians and liquidity providers, and
• consideration of international regulatory developments and market practices.

The framework reflects a risk-based and proportionate approach designed to balance investor protection with market innovation and competition.

The framework, including the associated terms and conditions, has been approved by CIRO’s Board of Directors.

3. Overview of the framework

Under applicable terms and conditions, Dealer Members must ensure that digital assets are held, subject to specified limits and conditions, either:

• with one or more approved digital asset custodians; or
• under internal custody, with the use of satisfactory custody technology.

Approval of a digital asset custodian by CIRO is a separate and distinct determination from the recognition of an Acceptable Securities Location (ASL) under the CIRO Rules. While some custodians may qualify under both regimes, approval for securities custody does not, on its own, establish suitability for digital asset custody.

3.1 Traditional securities custody requirements remain unchanged

Traditional securities custody operates within a mature legal framework where statutory trust, nominee or client-name relationships, and segregation rights are well-established and tested through case law. This provides courts and investors with a reliable basis for protecting client assets in insolvency. Crypto custody does not yet benefit from the same settled legal certainty, so the framework must compensate through technological, operational, and governance safeguards.

Traditional securities custodians also operate within a well-established market infrastructure in which client securities are ultimately recorded, cleared, and settled through regulated corporate issuers or central depositories that are directly subject to banking, payments and securities regulatory oversight. Because traditional securities custody intermediaries operate within this highly regulated ecosystem, risks relating to asset segregation, loss of control, and recovery in insolvency are substantially mitigated by robust settlement finality and segregation rules, and established creditor-protection principles.

For these reasons, we are not amending the requirements for traditional securities custody, which continue to provide an appropriate level of investor protection and systemic resilience and remain fully in force.

3.2 Crypto Assets and Tokenized Assets

The framework seeks to differentiate the custody of crypto assets from that of tokenized versions of traditional financial instruments in order to reflect their distinct legal, operational, and risk characteristics. This distinction is not a universal definition, but a custodial classification necessary to ensure that Dealer Members apply the appropriate safeguards depending on the nature of the asset.

Crypto assets refer to all Digital Assets that do not represent traditional financial assets or confer equivalent legal rights. This includes cryptocurrencies, protocol-based tokens, and any digital tokens linked to non-financial assets.

Tokenized financial assets, in contrast, refer only to Digital Assets that represent traditional financial instruments and confer rights equivalent to the underlying assets, like equities, debt, deposits, and other financial assets and instruments. Their legal and economic characteristics continue to be governed by existing legislation and rules, including securities law, banking law, and payments law. The digital wrapper does not change the underlying ownership structure, rights to cash flows, priority in insolvency, or treatment under existing custody legislation.

For this reason, we have determined that tokenized assets must be held with entities that qualify as ASLs in the traditional custody framework. However, because custody is performed through digital asset infrastructure, tokenized asset custodians must also meet certain specified digital custody safeguards applicable to crypto asset custodians.

This dual application of requirements ensures that tokenized instruments that retain the legal protections of their traditional form gain the operational protections required for digital custody. It also eliminates potential arbitrage whereby existing custody rules for securities and cash could be circumvented simply by issuing them in tokenized form.

This approach preserves continuity of custody treatment for traditional assets in tokenized form, avoids regulatory arbitrage between tokenized and non-tokenized instruments, and supports market innovation by enabling existing regulated issuers and intermediaries, including broker-dealers and investment fund managers, to participate meaningfully in tokenized markets without impairing established protections for investors.

3.3 Alignment with the Canadian Securities Administrators (CSA) work on tokenization

The custodial classifications and requirements set out in these Terms and Conditions are limited to addressing current operational and supervisory needs for CIRO Dealer Members and are not intended to pre-judge or pre-determine CSA policy direction.

CIRO will review and amend these Terms and Conditions, as necessary, once the CSA advances its work on Project Tokenization to maintain full regulatory alignment and avoid any inconsistent or duplicative requirements.

4. What we mean by digital custody

Digital custody involves the safekeeping and control of crypto assets and tokenized assets. In practice, this includes:

• the creation, storage, and governance of private cryptographic keys,
• controls over transaction authorization and execution,
• reconciliation and address governance processes, and
• cybersecurity, monitoring, incident response, and recovery.

Unlike traditional securities, loss of private keys or unauthorized transactions can result in permanent loss of assets. These characteristics inform our emphasis on technology controls, assurance reporting, segregation, and governance.

5. Acceptable crypto custodians and tiered requirements

5.1 Why we used a tiered model

We considered whether a single, uniform set of custody requirements would be appropriate for crypto assets. We determined that such an approach could unnecessarily exclude capable crypto custodians, exacerbate concentration risk, and reduce competition including among Canadian service providers. At the same time, we determined that reliance on capital thresholds alone is insufficient to address crypto custody risks.

The tiered framework therefore:

• establishes baseline requirements applicable to all acceptable crypto custodians,
• applies enhanced requirements to crypto custodians permitted to hold a greater proportion of client assets, and
• links custody limits directly to crypto custodian capability and risk profile.

Where a crypto custodian is permitted to hold a large percentage of Dealer Members’ crypto assets, the impact of a failure is correspondingly greater. We therefore determined that asset-holding limits should scale with the crypto custodian’s demonstrated capacity to manage custody risks.

Under the framework:

• Tier 1 Crypto Custodians meet the highest standards for capital, and enhanced controls for regulatory oversight, technology assurance, fidelity insurance over custodied assets, and operational resilience. They may hold up to 100% of a Dealer Member’s crypto assets.
• Tier 2 Crypto Custodians have lower capital requirements but meet the highest standards for regulatory oversight, insurance, and operational resilience. They may hold up to 100% of a Dealer Member’s crypto assets.
• Tier 3 Crypto Custodians meet robust but comparatively lower requirements as compared to Tier 2 custodians. They are not required to satisfy certain enhanced crypto-specific technology assurance standards or demonstrate external cybersecurity and operational resilience safeguards. They may hold up to 75% of a Dealer Member’s crypto assets.
• Tier 4 Crypto Custodians meet baseline requirements suitable for limited custody exposure. They may hold up to 40% of a Dealer Member’s crypto assets and also serve as the benchmark for Internal Custody equivalency.

This graduated approach allows Dealer Members to diversify custody arrangements while avoiding over-concentration at crypto custodians with lower risk capacity.

Refer to Appendix for a quick table that summarizes the requirements across all tiers.

6. Key custodian requirements explained

6.1 Minimum capital

Minimum capital requirements are intended to provide financial resilience against operational and market stress and support the custodian’s ability to invest in systems, controls, and personnel.

The minimum capital requirement for crypto custodians depends on whether they are established in Canada or outside Canada. For organizations established in Canada, the minimum capital requirements are lower than those established outside Canada1. The lower thresholds reflect a combination of regulatory oversight, enforcement proximity, and jurisdictional risk considerations. Foreign crypto custodians may be subject to differing insolvency regimes, uncertainty regarding the treatment of segregated crypto assets, and potential restrictions on CIRO’s ability to compel information or enforce remedies. Higher capital requirements for foreign crypto custodians serve as a risk buffer against these additional uncertainties. In addition, differentiated capital thresholds support competition and resilience in the Canadian crypto custody market while maintaining investor protection.

Accordingly, we expect that the crypto custodian’s capital, according to its latest audited financial statements, prepared under IFRS or US GAAP, must be at least the amount set out in the table below.

6.2 Institutional-grade infrastructure

We have imposed institutional-grade infrastructure and assurance requirements to address the technology-driven risks inherent in crypto asset custody. Unlike the custody of traditional securities, crypto custody depends almost entirely on the integrity of technology systems, including key generation and storage, transaction authorization controls, and cybersecurity defenses. Failures in these systems can result in irreversible loss of crypto assets, unauthorized transfers that cannot be unwound, and prolonged service disruptions, all of which could lead to material harm to investors and market confidence. We therefore determined that robust, independently verified technology controls are a foundational requirement for any custodian entrusted with crypto assets.

We place significant reliance on independent assurance to assess custody controls. SOC 2 and ISAE 3000 (Type 2) reports are widely recognized frameworks for evaluating internal controls over technology and operations. However, we recognize that not all SOC reports are equivalent in scope or depth, and traditional SOC reporting was not developed specifically for crypto-asset risks. Accordingly, the framework requires enhanced or crypto-specific assurance for certain tiers, as well as independent penetration testing.

In the following sections, the requirements related to institutional-grade infrastructure are listed.

a) SOC 2 Report – Security and Availability

All Acceptable Crypto Custodians are required to provide a SOC 2 or ISAE 3000 (Type 2) report based on the Trust Service Criteria relevant to Security and Availability2.

• The Security criterion focuses on protecting systems and data from unauthorized access, disclosure, or damage. This includes logical and physical access controls, authentication mechanisms, and monitoring to prevent and detect security incidents.
• The Availability criterion evaluates whether systems are available for operation and use as committed or agreed. This includes baseline resilience measures and disaster recovery capabilities, and system performance monitoring.

A SOC 2 Type 2 report is an independent auditor’s attestation that the custodian’s controls related to these criteria were designed appropriately and operated effectively over a period of time.

We consider Security and Availability assurance to be the minimum standard necessary for any custodian holding crypto assets.

b) SOC 2 Report – Confidentiality and Processing Integrity

Crypto custodians permitted to hold a larger proportion of client assets, specifically Tier 1 and Tier 2 Crypto Custodians, are required to provide assurance covering Confidentiality and Processing Integrity3.

• The Confidentiality criterion assesses whether information designated as confidential is protected as committed or agreed.
• The Processing Integrity criterion evaluates whether systems produce timely, accurate, complete, and authorized transactions and outputs as intended.

These additional trust service criteria address protection of sensitive information, accuracy, completeness, and authorization of transactions, and controls preventing unauthorized or erroneous processing.

We determined that these controls are particularly important where crypto custodians are permitted to hold a significant share of crypto assets, as failures could have widespread impact.

c) SOC 2 Report – Crypto asset specific assurance

We recognize that even enhanced SOC reporting may not fully capture risks unique to crypto custody. Accordingly, Tier 2 Crypto Custodians are also required to demonstrate assurance specifically tailored to crypto-asset risks which include, but are not limited to:

• lifecycle management of cryptographic keys
• quorum and role-based authorization structures
• governance over wallet address creation and usage
• safeguards around transaction signing and execution
• monitoring, incident response, and recovery for crypto-specific events.

We permit flexibility in how this assurance is provided, including:

• SOC 2 or ISAE 3000 reports incorporating these crypto-specific control objectives, or
• stand-alone reports prepared by qualified independent professionals.

d) Custody technology

Tier 3 Crypto Custodians using third-party custody technology must receive annually a SOC 2 or ISAE 3000 (Type 2) report relevant to at least the Trust Service Criteria of Security and Availability for each outsourced technology provider, and have established policies and procedures addressing the user entity controls described in that report as necessary to achieve the control objectives.

Tier 3 Crypto Custodians that use a proprietary solution to administer, store, and transfer crypto assets must meet the criteria described above under SOC 2 Report – Crypto asset specific assurance.

This ensures that Crypto Custodians that are permitted to hold increased percentages of Dealer Members’ crypto assets use technology tested independently for controls unique to the risks of crypto assets.

e) Independent penetration testing

Independent penetration testing is required across all tiers (except for Tier 1 Crypto Custodians) to assess real-world resilience against evolving threats.

We view penetration testing as a necessary complement to SOC-type assurance because it simulates actual attack scenarios and can identify vulnerabilities not captured by control-based assessments and provide insight into detection and response effectiveness.

We expect a recognized and qualified independent professional to perform penetration testing at least annually.

f) External assurance over cybersecurity controls

Tier 2 Crypto Custodians are required to provide additional external assurance over cybersecurity controls.

This reflects our expectation that crypto custodians who are permitted to hold a very large percentage of crypto assets, while not meeting the highest standard for capital requirements, must demonstrate additional security controls, including governance over cybersecurity risk and independent validation of cyber risk management practices.

6.3 Insurance and internal controls

We have imposed requirements for insurance and policies and procedures to ensure Crypto Custodians maintain strong preventive controls and mitigate the financial impact of custody failures that may occur despite those controls.

Insurance requirements are designed to complement, not replace, other custody safeguards and are intended to mitigate losses arising from theft or destruction of crypto assets, employee or insider misconduct, infrastructure failures, and exploitation of security vulnerabilities. Insurance provides an additional layer of protection by enabling recovery in circumstances where operational, technical, or legal safeguards fail. We therefore consider insurance to be a necessary component of a comprehensive custody risk framework.

Insurance requirements operate alongside expectations regarding third-party risk management and business continuity.

Many crypto custodians rely on third-party technology providers including custody solutions, cloud service providers, key management or signing services, or security and monitoring vendors.

We expect crypto custodians, particularly at higher tiers, to:

• identify and manage third-party risks,
• maintain documented business continuity and disaster recovery arrangements, and
• ensure that insurance coverage appropriately reflects outsourced dependencies.

At Tier 2 Crypto Custodians, we expect external assurance over these controls.

a) Procedures for crypto asset custody technology and security controls

This requirement applies to all crypto custodians. The crypto custodian needs to represent that it maintains policies and procedures describing its methods and practices for securing crypto assets including, but not limited to, controls over private keys, signing mechanisms, wallet management, storage practices, transactional authorization flows, and technical attack surfaces.

b) Procedures for third party risk management and business continuity

All crypto custodians must have policies and procedures that mitigate risks of reliance on third parties and significant business interruptions. SOC 2 Trust Service Criteria relevant to Security and Availability describe baseline controls, and so we are not imposing additional requirements on Tier 4 Crypto Custodians.

Tier 2 and 3 Crypto Custodians, permitted to custody more substantial percentages of crypto assets, are expected to maintain even stronger controls. While Tier 3 Crypto Custodians must represent that they adhere to recognized frameworks for third party risk management and business continuity, Tier 2 Crypto Custodians must evidence their adherence.

Tier 2 Crypto Custodians can achieve this by either:

• being supervised by a regulator that has specified and public minimum requirements regarding third party risk management and business continuity, or
• providing assurance reports prepared by qualified independent professionals assessing the custodian’s controls with reference to recognized frameworks for third party risk management and business continuity.

c) Insurance – Fidelity and Specie coverage

We expect all crypto custodians to carry property and fidelity insurance that matches the size and type of assets it manages.

Crime or Financial Institution Bond insurance is intended to protect against losses arising from theft, fraud, or dishonesty by employees or insiders, social engineering and other forms of deception, and certain external criminal acts.

Specie insurance is intended to protect against loss or damage to assets held in cold storage, including physical destruction, theft or misappropriation, and certain operational failures.

The insurance policies must:

• cover a broad range of risks and should protect against events such as:
  • destruction or loss of assets
  • misconduct by employees or insiders
  • accidents caused by infrastructure failures
  • exploitation of security or operational vulnerabilities
• avoid restrictive definitions or exclusions
• not include wording that unfairly limits coverage in a way that is not standard for the industry.

We require all crypto custodians to maintain fidelity insurance in the form of a Crime or Financial Institution Bond or equivalent policy tailored for entities active in crypto asset markets. Tiers 1 and 2 Crypto Custodians’ fidelity policies apply across all storage locations, regardless of where the assets are physically or logically stored, or whether assets are held in hot, warm, or cold storage. This requirement reflects our expectation that crypto custodians holding a significant proportion of client assets demonstrate comprehensive coverage and avoid structural gaps in insurance protection.

Tiers 3 and 4 Crypto Custodians may alternatively insure crypto assets in cold storage through Specie insurance. This limited relaxation reflects the state of the insurance markets where fidelity coverage may not be available to some crypto custodians, and in recognition that the risk of loss is substantially reduced when crypto assets are held in cold storage.

6.4 Legal and jurisdictional controls

We have imposed legal and jurisdictional requirements to address risks that arise where crypto assets are held:

• outside traditional custodial frameworks,
• in jurisdictions with differing insolvency, trust, and enforcement regimes, and
• under contractual arrangements that may not clearly protect client assets in adverse scenarios.

Unlike securities custody, where legal principles and statutory protections are well-established, crypto asset custody often depends heavily on contractual rights and local insolvency law. We therefore determined that clear legal enforceability, regulatory oversight, and jurisdictional safeguards are essential to protecting crypto assets.

We have observed several recurring risk factors in the crypto custody ecosystem:

• many crypto custodians are established outside Canada,
• some jurisdictions lack clear legal treatment of segregated digital assets,
• insolvency regimes may not recognize customer ownership or trust-like treatment of segregated crypto assets, and
• regulatory oversight of crypto custodians varies across jurisdictions.

These factors increase the risk that, in the event of custodian distress or failure, client crypto assets could be frozen by local authorities, treated as part of the custodian’s general estate, or subject to prolonged legal uncertainty.

The legal and jurisdictional requirements are therefore designed to mitigate these risks and establish the foundational safeguards needed to ensure that crypto custodians entrusted with crypto assets operate within a robust and trustworthy regulatory environment. These requirements set baseline expectations across five core areas.

a) Registration

We expect all Crypto Custodians to be properly regulated and in good standing. These requirements apply to all crypto custodians across all tiers:

1. The crypto custodian must be established in a Basel Accord jurisdiction and be regulated in its home country either as a bank or a trust company. Banks and trust companies are typically subject to strict rules covering capital, governance, risk management, cybersecurity, and safeguarding of client assets. Requiring all crypto custodians to fall into one of these categories ensures they operate within a strong, well-established legal and regulatory framework.
2. The crypto custodian must provide a letter or confirmation from its regulator showing that it is following the rules and operating within the terms of its license.
3. The crypto custodian must be independent from trading, exchange or marketplace operations. It must be legally and functionally separate from any crypto exchange or marketplace business. This separation is intended to eliminate exposure to losses caused by exchange operations, prevent conflicts of interest, reduce incentives to misuse or rehypothecate client assets, and align crypto custody practices with traditional fiduciary expectations.

b) Acceptable custody agreement

The custody agreement is a central investor-protection mechanism. We expect custody agreements to clearly establish that:

1. The crypto custodian acts as a fiduciary. The agreement must state that the crypto custodian is legally required to act in the best interests of the Dealer Member when holding its crypto assets. This protects client assets by legally obligating the crypto custodian to act with loyalty and care.
2. The crypto custodian is responsible if it causes losses through misconduct. The agreement must say that the crypto custodian is liable for losses caused by its negligence, fraud, or intentional wrongdoing. If the crypto custodian mishandles assets or behaves improperly, the Dealer Member (and ultimately investors) must have clear recourse for losses.
3. The crypto custodian cannot avoid responsibility for controllable technology failures. The crypto custodian’s liability cannot be limited if a technology problem occurs that the custodian could reasonably have prevented or managed. Crypto custody depends heavily on technology. This requirement acknowledges that crypto custodians have a responsibility to ensure baseline technology resiliency which underpins the custody of crypto assets.
4. The crypto custodian must provide annual audited financial statements and SOC 2 reports. These must be delivered at least once a year, and within 90 days of the end of the reporting period. These reports verify the crypto custodian’s ongoing financial stability, assess its internal controls, cybersecurity, and operational practices.
5. The crypto custodian must get the Dealer Member’s approval before sending the Dealer Member’s crypto assets to a sub‑custodian, and regularly disclose which assets are held by each sub‑custodian. This ensures the Dealer Member understands where assets are stored, who is responsible for them, and how exposure is distributed which reduces operational, legal, and concentration risks.

c) Trust status on insolvency

For crypto custodians established outside Canada, we focused on whether the applicable legal framework supports trust-like treatment of segregated client crypto assets.

We expect that:

• custody contracts are enforceable in the relevant jurisdiction; and
• segregated client assets are preserved from the custodian’s insolvency estate.

Where these questions are uncertain, we may require additional information, legal analysis, or jurisdiction-specific evidence to assess whether client assets would be protected in the event of the crypto custodian’s or the Dealer Member’s insolvency.

d) Regulatory supervision

For Tiers 1, 2, and 3 Crypto Custodians, permitted to custody a more substantial percentage of Dealer Members’ crypto assets, we require supervision by a regulator that licenses custodial activities, conducts prudential oversight, and has enforcement authority.

e) Memorandum of Understanding

In addition, we expect formal information-sharing arrangements, such as a memorandum of understanding (MOU), between CIRO (or a provincial securities regulator) and the crypto custodian’s primary regulator, or between a Canadian federal prudential regulator and the crypto custodian’s primary regulator where such regulator has a bilateral arrangement with either CIRO or a provincial securities regulator.

These arrangements allow us to obtain timely information regarding enforcement actions or financial distress and take appropriate steps to protect client assets held by CIRO Members.

This requirement applies to all crypto custodians except Tier 4 Crypto Custodians.

7. Acceptable Tokenized Asset Locations

The baseline custody expectations applicable to Tokenized Assets remain rooted in CIRO’s existing ASL requirements, with additional digital-custody expectations layered on top to address the technology-specific risks introduced when those assets are recorded and transferred using distributed-ledger or similar technologies.

The purpose of the requirements below is therefore not to recreate the crypto custody framework, but to preserve the traditional custody baseline that already applies to financial instruments while ensuring that entities holding Tokenized Assets for Dealer Members can appropriately manage the digital-custody risks associated with token formats, wallets, key management, digital transfer, and ledger finality.

Accordingly, Acceptable Tokenized Asset Custodians must meet all of the following requirements:

a) Qualify as an ASL under IDPC Rule 4342 and General Notes and Definitions to Form 1

The custodian must first satisfy the underlying statutory and regulatory requirements governing custody of those instruments and ensure that they qualify as ASL under IDPC Rule 4342 and General Notes and Definitions to Form 1. This ensures continuity of client-asset protection rules, segregation expectations, and insolvency treatment that pre-date tokenization. The ASL requirement avoids regulatory arbitrage between traditional and tokenized forms of the same asset and prevents tokenized custody from becoming a lower-standard alternative to traditional custody obligations.

b) Policies and procedures for securing digital assets

While ASL status preserves the traditional custody baseline, distributed-ledger-based representations introduce operational, security, and key-management risks not contemplated in the general ASL framework. Custodians must therefore represent that it maintains policies and procedures for securing tokenized assets.

c) SOC 2 or ISAE 3000 assurance covering security, availability, confidentiality, and processing integrity

Tokenization introduces digital intermediaries and technical infrastructures that may mediate ownership claims. SOC 2 or ISAE 3000 assurance covering security, availability, confidentiality, and processing integrity ensures that custodians have adequate controls to secure Tokenized Assets in digital form and to operate custody technology in a manner consistent with investor-protection expectations.

d) Custody agreement enforceable in the custodian’s jurisdiction with digital-asset specific protections

Although Tokenized Assets are backed by traditional legal frameworks, the custody agreement between the Dealer Member and the Tokenized Asset Custodian, serves as a necessary and enforceable link and must clearly define responsibilities, liability, and sub-custody expectations, as required for all acceptable crypto custodians.

e) Insurance coverage

Insurance expectations preserve alignment with traditional custody while acknowledging new vectors of operational and technological loss associated with Tokenized Assets held in digital environments. Accordingly, tokenized asset custodians must have insurance coverage applicable to a Tier 1 crypto custodian.

7.1 Discretion to require enhanced custody safeguards

Under CIRO Rules, entities may qualify as ASLs based on a range of criteria, including regulatory status, entity type, and capital thresholds. These criteria were developed for traditional custody arrangements, where assets are held through centralized systems, well-understood intermediaries, and long-established legal frameworks governing ownership, segregation, and insolvency treatment.

The tokenization of financial instruments introduces additional dimensions of risk that vary significantly depending on how the tokenized asset is structured, issued, transferred, and custodied. While many ASLs are well-resourced and subject to robust oversight, others may engage in tokenized asset activities that are novel, highly technical, or operationally complex, relative to their traditional business models. In such cases, the baseline requirements stipulated above may not provide sufficient assurance that tokenized assets are being safeguarded appropriately.

For this reason, CIRO will have discretion to require additional digital custody safeguards in cases where we determine that the nature, scale, complexity, or risk profile of a particular tokenized asset custody arrangement warrants enhanced controls.

Importantly, this discretion is bounded; any additional requirements imposed will not exceed the digital custody standards applicable to Tier 2 Crypto Custodians. This ensures that requirements remain proportionate, predictable, and aligned with existing benchmarks.

8. Segregation

Segregation is a core investor protection concept and ensures that client assets are identifiable and traceable, are not available to satisfy claims of general creditors, and can be recovered in an insolvency scenario.

We have not prescribed segregation mechanics for digital assets. Given the absence of an established legal and operational standard for crypto asset custody that would support prescriptive segregation rules across custody models, we have focused on required outcomes rather than specific mechanics. Accordingly, we expect Dealer Members and digital asset custodians to ensure that fully paid client assets are held in a manner that provides effective protection from claims of creditors and preserves client ownership rights in insolvency or similar proceedings. To this effect, we may require legal opinions or other assurances demonstrating that digital assets held at the custodian are not available to satisfy claims of the custodian’s creditors and would be excluded from the custodian’s estate in the event of insolvency, except for the purpose of satisfying client claims to those assets. The opinion should address the applicable insolvency regime in the custodian’s jurisdiction and confirm that the custody and segregation arrangements used by the custodian are legally effective in achieving this result.

8.1 Internal custody

A Dealer Member may self-custody up to 20% of the value of crypto assets it holds for clients and for its own account. Dealer Members may exclude from this total its proprietary positions for which they have provided for in their Risk Adjusted Capital.

Internal custody represents a substantial technology risk and we require Dealer Members’ internal custody solutions to meet the SOC Reporting and Tier specific requirements applicable to Type 4 Crypto Custodians. Dealer Members should document how those controls are satisfied.

8.1.1 Self-custody of tokenized assets

Because Dealer Members themselves are eligible to act as ASLs for traditional securities instruments under IDPC Rule 4342 and the General Notes and Definitions to IDPC Form 1, Dealer Members may self-custody tokenized assets, provided they have obtained approval as an Approved Tokenized Asset Custody Location.

We are also not imposing custody limits on tokenized assets held by such approved Dealer Members because imposing separate crypto-style custody limits for tokenized assets would create unnecessary regulatory asymmetry, given that the underlying financial instrument can already be custodied by ASLs without custodial limits under existing IDPC requirements.

8.2 Determining and resolving segregation deficiencies and commingling

We expect Dealer Members to perform segregation calculations daily and resolve deficiencies promptly. The Dealer Member must demonstrate timely segregation practices.

Operational models involving commingling of client and firm assets are sometimes unavoidable in activities transacted on blockchains but increase legal and operational risk. We therefore expect Dealer Members to minimize commingling and to justify any proprietary assets held in segregated locations based on documented operational necessity.

We also expect Dealer Members to designate segregated locations clearly and undertake to buy-in any deficiencies unresolved within 5 days.

9. Compliance, monitoring, and supervisory response

9.1 Policies and procedures

We have imposed policies and procedure requirements to ensure that crypto asset and tokenized asset custody obligations are implemented, customized to the Dealer Member’s unique operations, consistently applied, and embedded in governance and control frameworks. We consider documented policies and procedures to be a foundational control supporting compliance with all requirements.

9.2 Limits monitoring

We have imposed monitoring requirements to ensure that Dealer Members identify emerging custody risks promptly and take corrective action before issues result in investor harm.

Crypto asset values can fluctuate significantly and rapidly, and periodic, proactive monitoring is essential to effective custody risk management. Without regular monitoring, Dealer Members may unknowingly exceed permitted custody or Internal Custody limits.

We expect Dealer Members to monitor compliance with custody limits at least weekly, and take prompt action to cure breaches.

9.3 Reporting to CIRO and supervisory response

We have imposed reporting requirements to provide regulatory visibility into custody practices and support timely supervisory intervention where necessary.

Dealer Members are required to report,

• in the manner and frequency specified by CIRO - the quantity and value of digital assets held, and the custody locations at which those assets are held.
• a breach of the limits applicable to a crypto custodian or internal custody, and which includes a description of the breach, steps taken to remediate the breach, and a clear remediation plan when a breach cannot be cured within a day.

Repeated or unresolved breaches may result in supervisory or enforcement action, including restrictions on custody arrangements. We may, under IDPC Rule section 4134, also designate a Dealer Member in Early warning Level 2, that has breached the limit applicable to its internal wallet(s) or a third-party custodian more than once. In addition to the standard sanctions, we may, under IDPC Rule sections 4135 and 4136, impose a reduction to the percentage limit applicable to that location. This restriction is subject to the notice and review provisions of IDPC Rule subsections 4136(2) and (3).

10. Implementation

As noted in section 1, this framework is being imposed on Dealer Members operating CTPs as part of their approval to conduct crypto-asset activity. CIRO staff will consider appropriate transition arrangements for such Dealer Members operating CTPs on a case-by-case basis, having regard to proportionality, existing custody arrangements, and the nature, scale, and risk profile of the member’s crypto-asset activities.

It should be noted that the custody requirements for tokenized assets would apply to all Dealer Members that hold or offer tokenized assets to clients, regardless of whether the Dealer Member operates a CTP.

The offering of tokenized asset products, whether held for clients or for the Dealer Member’s own account, as outlined in this Notice, involves the deployment of new digital custody technology, reliance on third-party or internal distributed ledger infrastructure, and novel legal and operational risks that differ materially from traditional securities or fiat custody arrangements. Given this risk profile, the introduction or expansion of tokenized asset offerings may materially affect a Dealer Member’s risk exposure, technology footprint, and operational resilience. As a result, CIRO expects that Dealer Members will provide a Material Change Notification under IDPC Rule 2246 prior to initiating, or materially expanding, any activity involving tokenized assets4.

11. Conclusion

The crypto asset custody framework reflects CIRO’s risk-based approach to regulating crypto markets. By combining clear minimum standards, tiered requirements, and detailed expectations around custody agreements, segregation, and governance, CIRO seeks to protect investors while supporting innovation and competition.

We encourage Dealer Members and stakeholders to engage with CIRO Staff where questions arise regarding the application of these requirements

12. Appendix

Comparison Table - Criteria for Digital Asset Custodians

• 1The lower threshold for all crypto custodians mirrors the minimums stipulated under National Instrument 31-103.
• 2For more information, please refer to the AICPA documentation on the Trust Services Criteria.
• 3Ibid.
• 4Under IDPC Rule 2246(1), a Dealer Member must notify the Corporation of a material change to its business that may reasonably be expected to affect the nature, scope or risks of the Dealer Member’s business. In addition, Guidance Note GN-2200-21-001 clarifies that changes which introduce new technology-enabled products, systems, or risk exposures, and which require vendors, infrastructure, or arrangements not previously reviewed by CIRO, are to be treated as material business changes.