CIRO’s 2026 Compliance Report: Cyber, AI, Crypto, and CFR Under Shifting Scrutiny
Executive summary
CIRO’s 2026 Annual Compliance Report (“2026 Compliance Report”) is presented as a tool to help dealers comply with their regulatory requirements and support investor protection by highlighting emerging compliance challenges and common deficiencies. The 2026 Compliance Report reflects a subtle shift in tone on emerging topics, such as cybersecurity, technology (including AI) and digital assets, as well as on familiar ones such as Client Focused Reforms (CFR), registration and proficiency, with a heavier emphasis on specific deficiencies and regulatory exam considerations.
In emerging areas, CIRO points to increasing cybersecurity incidents involving third‑party service providers, identifies AI as a specific area of interest in Financial and Operations compliance reviews, and references its Digital Assets Custody Framework for CTPs in the context of operational resilience. At the same time, the report reiterates recurring issues—such as non‑tailored CFR policies, gaps in supervision and communication controls, and weaknesses around outside activities and referral arrangements—as common deficiencies.
In our view, compared to earlier CIRO publications, the 2026 Compliance Report places greater emphasis on common deficiencies and inadequate practices. Cybersecurity, AI, digital assets, CFR implementation and supervision, and registration remain familiar topics, but the 2026 Compliance Report more clearly identifies where firms are falling short (for example, non‑tailored CFR policies) and states that certain manuals are not sufficient (such as high‑level policies that simply restate principles‑based rules).
What’s new or newly emphasized in 2026
Cybersecurity and operational resilience
The 2026 Compliance Report notes that cybersecurity “remains a key business risk” and indicates concern around third‑party service providers, while noting that dealers have made “substantial progress” in remediating cybersecurity‑related findings. That said, CIRO highlights the importance of continuous staff training to strengthen cyber awareness.
While the CIRO report did not include any mention of other technology-driven fraud problems for dealers, such as romance scams and pig butchering of clients, which disproportionately impact senior and vulnerable clients, dealers would be well-advised to include such training for their staff members along with the other cybersecurity elements mentioned by CIRO.
CIRO has previously emphasized cybersecurity as a key business risk and focused heavily on firms understanding and complying with incident‑reporting requirements. In the 2026 Compliance Report, CIRO again calls cybersecurity a key business risk, but explicitly notes an increase in cases involving third‑party service providers affecting dealers, highlights that dealers have made “substantial progress” on cyber remediation, and stresses continuous staff training to reduce vulnerabilities. This emphasis is unsurprising, especially in the context of CIRO’s own recent cyber incident. CIRO’s discussion places more emphasis on practical vulnerabilities, particularly staff behaviour, in addition to policy and reporting frameworks.
Artificial intelligence as an examination topic
CIRO notes that AI is increasingly important in helping dealers manage complexity, improve efficiency and support decision‑making. CIRO will inquire about the use of AI in dealers’ operations and review related operational controls as part of its financial and operations compliance exams.
The 2026 Compliance Report moves AI from a largely conceptual emerging risk to an explicitly named examination topic, in our view, with a clear expectation that firms be ready to discuss and evidence controls around AI tools.
Digital assets and the Digital Assets Custody Framework
The 2026 Compliance Report refers to CIRO’s Digital Assets Custody Framework in connection with CIRO‑regulated crypto‑asset trading platforms (CTPs). This framework sets expectations for how CTPs safeguard and segregate client crypto‑assets. Crypto-asset custody is situated within firms’ broader operational resilience obligations; cyber and resilience exercises may be one avenue through which CIRO assesses firms’ capabilities.
Earlier CIRO publications focused on integrating CTPs into the regulatory framework and completing initial examinations, noting that CIRO and the CSA are tailoring the approach and that further CTP field exams are planned. In our view, CIRO’s focus on crypto‑asset custody within its broader operational‑risk and cyber messaging indicates that digital‑asset platforms are being integrated into mainstream oversight, rather than treated as purely novel entrants.
Reminders from CIRO on well-established topics
Common supervisory and conduct deficiencies
CIRO describes common issues it has identified in supervision—such as gaps in oversight of outside activities, unapproved communication channels, trade supervision and referral arrangements—and encourages firms to review these specific areas. Here, the 2026 Compliance Report includes specifics of where current practices are not meeting expectations. Because these are framed as recurring expectations, dealers can expect regulatory focus on the following issues, among others, during exams:
Gaps in supervisory practices, including oversight of outside activities.
Insufficient identification and control of client communications conducted through non‑approved channels.
Concerns with the adequacy of daily and monthly trade supervision.
Due diligence and disclosure issues involving conflicts of interest and referral arrangements.
Policies, procedures and implementation quality
CIRO links the report to the joint CSA–CIRO CFR Phase 2 sweep, which focused on KYC, KYP, and suitability enhancements. CIRO stresses that policies and procedures must be “tailored to the firm’s business model and are detailed and actionable,” and identifies lack of tailoring as the most common deficiency among CIRO dealers in the CFR context. The 2026 Compliance Report encourages firms to ensure that their written policies, training, and supervisory practices align and support effective compliance systems. This discussion continues a long‑standing theme criticizing generic “off‑the‑shelf” compliance policy manuals, and now ties that concern to the CFR sweep data.
How compliance teams can use the 2026 Compliance Report
CIRO describes the 2026 Compliance Report as providing “insight into emerging compliance challenges and how [dealers] can address them” and helping dealers “focus their supervision and risk‑management efforts” while reflecting their business models.
Within that framing, compliance teams can:
Use the cybersecurity, AI and digital‑asset sections to verify that their risk assessments, controls, and staff training programs address the types of incidents, technologies and frameworks CIRO highlights.
Review their CFR‑related policies and procedures to ensure they are tailored, detailed and actionable, in line with the deficiencies identified in the CSA–CIRO sweep.
Benchmark their supervisory practices, communication controls, conflict‑management, and referral‑arrangement oversight against the common issues set out in the report.
Confirm that their internal processes reflect CIRO’s delegated registration role, the new proficiency model, and the expectations around complete registration information and timely training reporting.
Next Steps
Choose the compliance team at North Star Consultants as your partner to help assess the quality and efficacy of your policies, procedures and training. North Star’s team of former compliance officers, regulators, educators, and private practice lawyers are ready to help you confirm that compliance and legal expectations are addressed, report to your stakeholders on the effectiveness of your compliance program, and, most importantly, ensure that clients’ trust in your firm is secure.
About the Authors
Kanchan Mehta is a global compliance leader with experience across Canada, the United States, Singapore, and India. She has held senior roles at SEC-registered investment firms, investment banks, and brokerage institutions, including serving as Director of Compliance for a U.S. robo-advisor and hedge fund. She brings over 15 years of experience in risk management and the development and implementation of compliance frameworks.
Martha Rafuse (B.A. Western University, LL.B. Osgoode, LL.M London School of Economics), Counsel at North Star Legal, brings more than two decades of securities regulatory experience across the financial industry, private practice, and government. Prior to joining North Star Legal, Martha led large compliance teams for both Canadian and U.S. firms, including RBC Phillips, Hager & North Investment Counsel Inc., RBC Dominion Securities Inc. (Retail), and Royal Mutual Funds Inc. As Legal Counsel at the Ontario Securities Commission, Martha developed legal solutions for novel regulatory issues and led significant policy initiatives.