The New Architecture of Trust: Considering CIRO’s New Digital Asset Custody Framework in a Global Context

Executive Summary

On February 3, 2026, the Canadian Investment Regulatory Organization (“CIRO”) issued a Notice on CIRO’s Digital Asset Custody Framework, establishing interim guidelines for a tiered custody framework for crypto assets held by CIRO Dealer Members. This approach moves beyond the ad-hoc terms and conditions previously applied to Crypto Asset Trading Platforms (“CTPs”), offering a structured, risk-based approach to digital asset safekeeping.

CIRO’s interim framework represents a significant progression of the domestic regulatory environment. It introduces a prescriptive tiered model based on capital and assurance, a hard cap on self-custody, and a critical bifurcation between "crypto assets" and "tokenized financial assets".

For a Canadian platform or dealer, the practical question is how to structure its operations so day‑to‑day operations remain compliant and scalable across borders.​

For those operating only in Canada, CIRO’s interim framework is relatively clear: internal self‑custody must remain within the 20% cap on the value of crypto assets held for clients and the dealer’s own account, while the remaining exposure must be placed with third‑party custodians that satisfy CIRO’s expectations. For dealers with non-Canadian operating affiliates, the ability to use the same global custodian across jurisdictions creates greater architectural flexibility.

When viewed against the backdrop of the EU’s Markets in Crypto-Assets Regulation (“MiCA”), the UK’s emerging Client Asset Sourcebook (“CASS”) regime, and the US qualified custodian rules, CIRO’s approach appears uniquely pragmatic yet operationally demanding, specifically regarding foreign custodians and self-custody limits.

1. The Core Framework: A Tiered, Risk-Based Model

CIRO has rejected a "one-size-fits-all" approach, noting that in its view, a uniform standard could exclude capable custodians and concentrate systemic risk. Instead, the regulator has introduced four tiers of Acceptable Crypto Custodians, distinguishing them by capital adequacy, residency, and assurance levels.

The Capital Disconnect A standout feature for counsel structuring cross-border arrangements is the sharp capital differential between domestic and foreign custodians. CIRO posits that foreign custodians present higher jurisdictional and insolvency risks.

• Tier 1 Requires significant capital ($100M CAD / $150M Foreign) and enhanced controls. These entities may hold 100% of a Dealer Member’s crypto assets.

• Tier 2 A critical category for domestic innovators. It allows for lower capital ($10M CAD / $100M Foreign) but demands the highest standards of regulatory oversight, insurance, and operational resilience. Like Tier 1, they may hold 100% of client assets.

• Tiers 3 and 4 Subject to custody caps of 75% and 40% respectively, reflecting lower assurance or capital requirements.

The "Hard" Self-Custody Cap Perhaps the most significant operational constraint is the limit on internal custody. Dealer Members may self-custody no more than 20% of the value of crypto assets held for clients and their own account. CIRO’s 20% cap may discourage heavy reliance on in‑house custody and to push firms toward stronger third‑party custodians.  This is a distinct departure from other peer jurisdictions where self-custody is not quantitatively capped at a specific threshold. 

2. The Tokenization Distinction: Preventing Regulatory Arbitrage

The industry will appreciate CIRO’s handling of "tokenized financial assets" versus "crypto assets." CIRO explicitly states that the digital wrapper does not alter the underlying legal rights of traditional financial instruments.

• Crypto Assets: (e.g., Bitcoin, protocol tokens) fall under the new tiered custody framework.

• Tokenized Assets: (e.g., tokenized equity or debt) must be held at an Acceptable Securities Location (ASL) under existing IDPC Rule 4342.

However, to prevent regulatory arbitrage where a firm might tokenize an asset to avoid digital safety checks, CIRO applies a dual application of rules. A custodian of tokenized assets must qualify as an ASL and meet certain digital custody safeguards applicable to crypto asset custodians. This ensures that the settled legal certainty of traditional custody is preserved while addressing the relevant technological risks.

3. Operational Mandates: Assurance and Insurance.

Technological Assurance Reliance on a simple SOC 2 Type 2 report may no longer be sufficient for CIRO’s higher tiers, and additional assurances and penetration testing are required depending on the tier level.

Insurance Realities CIRO mandates fidelity insurance (Crime or Financial Institution Bond) for all custodians. Recognizing the hard market for crypto insurance, CIRO offers a pragmatic concession: some tiers have an option to use Specie insurance (physical damage/theft coverage) for assets in cold storage. This nuance acknowledges that Specie coverage is often the only viable option for smaller custodians holding assets offline.

4. Global Comparative Analysis

Crypto Trading Platforms can use the same custodians across multiple jurisdictions.  Compatible requirements are desirable in jurisdictions where operations and clients are located.

CIRO’s framework places Canada in a unique position relative to some of its global peers in the US, EU, and UK. While broadly aligned on principles of segregation and capital, the approach does not copy any particular crypto custodial regime, as none of those regimes use CIRO‑style, tiered custodian categories with binding percentage caps and a 20% self‑custody cap for dealer platforms.

The EU’s MiCA creates a passportable license across the bloc with harmonized capital rules and service‑based requirements, whereas CIRO uses custodian‑tier exposure caps.

The UK is adapting its comprehensive CASS regime to crypto, which focuses on client assets.  By contrast, CIRO’s current framework focuses operational‑risk‑driven tiering plus numeric exposure limits by custodian (and internal custody), along with prudential safeguards for capital and insurance. 

In the US, there is still no single, comprehensive, crypto‑specific US custody statute although the US position has become increasingly prescriptive. US rules focus on who qualifies as a custodian under existing securities laws, as well as how those custodians operate, while CIRO’s framework dictates how much each type of custodian, or the dealer itself, can hold.  Both jurisdictions allow the use of crypto‑native custodians, but structured differently.

5. Strategic Implications

The CIRO framework allows for flexibility, but may cause the centralization of the Canadian market for firms with cross-border business. The capital requirements for foreign custodians ($100M) to achieve Tier 2 status may may have the effect of steering many dealers toward a relatively small number of well‑capitalized custodians, given the higher capital thresholds for foreign providers and differentiated caps by tier.  For crypto dealers in Canada, the CIRO custody guidelines offer several options, including the use of “made in Canada solutions, or well capitalized internationally accepted foreign custodians.

By implementing an interim framework that is "SRO-driven," CIRO retains the agility to come up with tailored solutions as well as a framework that new and existing platforms can rely upon. 

North Star Group is here to help you build, register, staff and launch your firm.

North Star Group is a specialized legal, compliance consulting, education, and recruitment platform focused on Canadian financial services and other regulated businesses. North Star Legal provides business-focused corporate and governance advice, as well as transactional and regulatory support. North Star Consultants helps firms navigate complex regulatory issues, design and run compliance programs, and support during regulatory reviews.  North Star Recruitment sources specialized compliance and legal talent for regulated firms. 

About the Authors

Michael Holder (B.A. Western, LL.B. Windsor, MBA, Western) is the Managing Partner of North Star Legal, bringing more than 20 years of wealth management, legal, and compliance experience in Canada’s financial services sector. Having acted as Associate General Counsel and Chief Compliance Officer of Wealthsimple, Senior Legal Counsel at BMO Financial Group and a partner of one of Canada’s largest firms, Michael combines his practice and advisory work with teaching Fintech and Disruption of Banking at Ivey Business School.

Read Michael’s full bio here.

Martha Rafuse (B.A. Western University, LL.B. Osgoode, LL.M London School of Economics), Counsel at North Star Legal, brings more than two decades of securities regulatory experience across the financial industry, private practice, and government. Prior to joining North Star Legal, Martha led large compliance teams for both Canadian and U.S. firms, including RBC Phillips, Hager & North Investment Counsel Inc., RBC Dominion Securities Inc. (Retail), and Royal Mutual Funds Inc. As Legal Counsel at the Ontario Securities Commission, Martha developed legal solutions for novel regulatory issues and led significant policy initiatives.

Read Martha’s full bio here.