
Canada Unveils Tougher Crypto Custody Rules to Curb Hacking and Investor Losses

Canada’s top investment industry regulator has introduced a new framework governing the custody of digital assets, aiming to reduce the risk of losses stemming from hacking, fraud, and weak governance practices.

The Canadian Investment Regulatory Organization (CIRO) on Tuesday published its Digital Asset Custody Framework, setting out clear standards for how dealer members operating crypto asset trading platforms must safeguard client assets.

CIRO said the framework will be enforced through membership terms and conditions as an interim step, allowing regulators to respond more quickly to emerging risks while more comprehensive and permanent rules are developed.

The self-regulatory body said the measures are designed to address the “technological, operational, and legal risks unique to digital assets,” drawing on lessons from past failures such as the 2019 collapse of QuadrigaCX, which left thousands of Canadians unable to access their crypto holdings.

Tiered, risk-based custody model

At the core of the new framework is a tiered, risk-based approach to crypto custody. Custodians are classified into four tiers based on factors including capital strength, regulatory supervision, insurance coverage, and operational resilience.

Under the rules, top-tier custodians with the strongest safeguards may hold up to 100% of client assets, while lower-tier custodians face stricter limits — with Tier 4 custodians capped at 40%. Dealer members that choose to self-custody client crypto are limited to holding no more than 20% of the total value of client digital assets.

Beyond custody limits, the framework imposes a range of additional requirements. These include robust governance policies covering key management, cybersecurity controls, incident response planning, and third-party risk oversight. Firms must also carry mandatory insurance, undergo independent audits, provide security compliance reports, and conduct regular penetration testing.

Custody agreements must clearly define liability for losses caused by negligence or preventable failures, CIRO said.

“The framework reflects a risk-based and proportionate approach designed to balance investor protection with market innovation and competition,” the regulator said, noting that it was developed in consultation with crypto trading platforms, custodians, and other industry stakeholders, as well as with reference to international regulatory practices.

Stronger oversight amid past enforcement actions

The move forms part of Canada’s broader push to strengthen investor protections as the domestic crypto market evolves. Regulatory scrutiny has intensified following a series of high-profile enforcement actions.

In October, Canada’s financial intelligence unit FINTRAC fined local crypto exchange Cryptomus roughly C$126 million for failing to report more than 1,000 suspicious transactions linked to darknet markets, fraud, ransomware payments, and sanctions evasion. Earlier in the year, offshore exchanges KuCoin and Binance were also fined for similar compliance failures.

CIRO, which has enforcement authority over its member firms and registered individuals, is empowered to investigate misconduct and impose penalties ranging from fines to suspensions. The regulator said the new custody framework is intended to support responsible innovation while ensuring stronger safeguards for Canadian crypto investors.
