Canada’s top investment industry watchdog has rolled out a new set of rules aimed at strengthening how crypto assets are held and protected, as regulators work to limit losses from hacks, fraud and poor governance.
Key points to remember:
- Canada has introduced new interim cryptocurrency custody rules to reduce losses from hacking and fraud.
- Custodians now face tiered limits based on capital strength, oversight and resilience.
- The framework adds stricter requirements for governance, assurance and audit while supporting innovation.
The Canadian Investment Regulatory Organization (OCRI) released its digital asset custody framework on Tuesday, outlining detailed expectations for broker-dealer members that operate crypto asset trading platforms.
The framework is intended as an interim measure and will be applied through the terms of membership, allowing the CIRO to respond more quickly to emerging risks while longer-term rules are developed.
Canada introduces tiered custody rules
CIRO said the framework directly addresses the “technological, operational and legal risks unique to digital assets”, drawing lessons from past failures, including the collapse of QuadrigaCX in 2019, which left thousands of customers unable to recover their funds.
At the heart of the new regime is a risk-based, tiered structure for cryptocurrency custodians. Under this model, depositories are allocated into one of four tiers based on factors such as capital strength, regulatory oversight, insurance coverage and operational resilience.
Higher-tier custodians can hold up to 100% of clients’ crypto assets, while lower-tier providers face increasingly strict limits, with Tier 4 custodians capped at 40%.
Dealer Members who choose to keep assets in-house are limited to holding more than 20% of the total value of the client’s cryptocurrencies.
The framework also imposes a wide range of operational requirements. These include formal governance policies covering private key management, cybersecurity controls, incident response procedures and third-party risk management.
Custodians must carry insurance, undergo independent audits, provide security compliance reports, and conduct regular penetration testing.
Custody agreements are required to specify liability in cases where losses result from negligence or avoidable failures.
CIRO said the approach was intended to be proportionate, balancing enhanced investor protection with room for innovation and competition.
The rules were developed in consultation with cryptocurrency trading platforms, custodians and other industry stakeholders, and were benchmarked against international practices.
Canada Steps Up Crypto Enforcement After Major FINTRAC Fines
The move comes amid increased scrutiny of crypto compliance in Canada. In October, the country’s financial intelligence agency, FINTRAC, fined local exchange Cryptomus approximately $126 million for failing to report suspicious transactions linked to darknet markets and fraud.
Earlier this year, FINTRAC also imposed sanctions on offshore platforms KuCoin and Binance for similar violations.
As a self-regulatory organization, the CIRO has the authority to investigate professional misconduct by its members and impose sanctions, including fines and suspensions.
As reported, Canada is preparing to roll out its first comprehensive framework for fiat-backed stablecoins as part of the 2025 federal budget, closely mirroring the regulatory path followed by the United States earlier this year.
The Bank of Canada is expected to spend $10 million over two years, starting in the 2026-2027 fiscal year, to oversee the rollout.
The move comes just months after the United States passed its GENIUS Act in July, a landmark stablecoin bill that ramped up global regulatory momentum.
The post Canadian Regulator Sets Tighter Crypto Custody Standards to Reduce Losses appeared first on Cryptonews.
