TL;DR
- Canada’s latest move shifts regulatory focus away from trading activity toward custody, with crypto custody rules now structured around how and where platforms hold client assets rather than what they list or trade.
- CIRO’s interim framework introduces tiered limits for custodians and caps platform self-custody, reshaping market structure by favoring stronger governance, diversification, and institutional-grade custody arrangements.
Canada’s latest move on digital assets does not target trading activity or token listings. Instead, the focus is on custody. With new crypto custody rules now in effect, Canada’s regulators are tightening standards around where regulated platforms hold client crypto assets and how they manage custody risks.
The framework was issued by the Canadian Investment Regulatory Organization (CIRO) and applies to its dealer members that operate crypto asset trading platforms. The rules take effect immediately and introduce a tiered approach to crypto custody that links allowable exposure to the quality and risk profile of custodians.
The shift reflects a regulatory judgment shaped by past failures. In Canada, those failures are inseparable from the collapse of QuadrigaCX, which exposed how custody breakdowns can erase client assets even when trading activity itself appears orderly.
Why custody, not trading, is where regulators now intervene
Regulators have learned that trading rules offer limited protection if custody fails. Market conduct requirements do not prevent losses when private keys are lost, assets are commingled, or insolvency law is unclear.
For Canadian crypto regulation, custody has emerged as the critical control point. Weak custody arrangements concentrate operational and legal risk in a way that trading oversight cannot offset. When assets are poorly segregated or controlled by a single entity, failures can propagate quickly.
CIRO’s approach reflects a broader push toward clearer crypto custody standards. The goal is to reduce single-point-of-failure risk while maintaining continuity for platforms that already operate within the regulated perimeter.
How CIRO’s tiered custody framework actually works
CIRO’s interim Digital Asset Custody Framework introduces a risk-based structure built around four custodian tiers. Each tier carries a specific cap on how much client crypto a dealer member may place with custodians in that category.
Under the framework, Tier 1 and Tier 2 custodians may hold up to 100% of client assets, Tier 3 custodians are capped at up to 75%, and Tier 4 custodians are limited to up to 40%.
Higher-tier custodians are subject to stronger requirements around governance, audits, and financial resilience. These include capital or insurance expectations, with Tier 1 Canadian custodians required to maintain at least CAD $100 million. Lower-tier custodians face tighter percentage caps and reduced allowable exposure. The framework also addresses crypto custody rules Canada has previously applied on an interim basis, formalizing them into a single supervisory model.
The structure does not prohibit custody arrangements outright. Instead, it constrains exposure based on assessed risk. CIRO positions the framework as flexible, but enforceable, with custody decisions tied directly to measurable controls rather than broad policy judgments.
Market structure impact: who benefits, who feels pressure
While neutral in design, regulated crypto custody requirements tend to favor platforms with access to large, well-capitalized custodians. Firms that already rely on institutional custodians with established audit and governance practices can adapt more easily.
Smaller platforms may face higher costs or reduced flexibility. For some, meeting crypto custody standards will require restructuring existing arrangements or limiting client asset exposure. The framework therefore introduces indirect consolidation pressure without explicitly excluding participants.
This effect is structural rather than punitive. CIRO’s rules do not dictate business models, but they do reward scale, compliance infrastructure, and access to high-quality custody providers.
Why self-custody caps apply — even for regulated firms
One of the most notable features of the framework is the introduction of crypto self-custody limits for dealer members. Under the framework, CIRO permits dealer members to self-custody client crypto assets, but limits self-custody to 20% of total client and proprietary crypto assets under management, subject to internal control requirements.
The rationale is historical rather than ideological. Past failures showed that internal custody without strong governance can amplify risk. Concentrating key control inside a single operating entity exposes clients to operational errors and insolvency complications.
By capping self-custody, CIRO aims to balance operational flexibility with crypto investor protection that Canada’s regulators have emphasized since earlier enforcement actions. The focus is not on banning internal custody, but on preventing unchecked concentration.
>>> Read more: Canada Stablecoin Regulation Links to Open Banking
“Interim” rules with permanent consequences
CIRO has described the framework as interim, signaling that supervisory expectations may evolve. That designation matters because it allows the regulator to refine limits and requirements as data from supervision and audits accumulates.
For Canadian crypto regulation, custody has become a durable enforcement lever. Future adjustments are likely to focus on assurance standards, cross-border custodians, and the treatment of client assets during insolvency.
The framework does not eliminate failure risk. It reshapes how that risk is distributed and managed. In doing so, it marks a decisive step in formalizing custody as the cornerstone of Canada’s approach to regulated crypto markets.
