When the QuadrigaCX crypto exchange collapsed in 2019, thousands of Canadians were left helpless as their life savings vanished overnight. Regulators have now introduced a detailed framework to stop these kinds of catastrophic losses from happening again.
The Canadian Investment Regulatory Organization (CIRO) published its Digital Asset Custody Framework this week, laying out tough new requirements for companies that hold cryptocurrency assets. The rules aim to plug the technological weak spots and stop operational breakdowns that have plagued the digital asset industry.
Risk-Based Approach to Better Protection
To streamline its tasks, the framework will divide crypto custodians into four tiers based on their capital reserves, regulatory oversight, insurance protection, and their ability to handle operations well. Custodians at the top tier with the best security can hold all of a client’s assets, but those at the bottom—Tier 4—can only hold 40 percent.
CIRO requires detailed governance rules covering everything from key management and cybersecurity to how firms respond to incidents and handle outside vendors. Custodians have to carry insurance, get independent audits, file security reports, and also run “penetration tests” on a regular schedule. The custody contracts themselves need clear language about who pays when losses happen because of negligence or mistakes that could have been avoided.
Enforcement and Industry Impact
The regulator wants to use membership plans to enforce these standards for now, which lets it move quickly while longer-term rules get written. CIRO built the framework after speaking with people in the industry—trading platforms and custodians—and looking at what other countries do.
The move bolsters Canada’s crypto regulation efforts. The country is already ensuring that crypto exchanges adhere to better compliance standards. For instance, in 2025, KuCoin and Binance faced similar penalties, sending a clear message that regulators are serious about holding the crypto industry accountable.
