CIRO report highlights cybersecurity, crypto risks, and compliance updates for dealers

The Canadian Investment Regulatory Organization (CIRO) has released its Annual Compliance Report, outlining key compliance risks and regulatory priorities for investment and mutual fund dealers.  

The report provides guidance on emerging challenges, helping dealers align their risk-management and supervisory efforts with regulatory expectations.   

Andrew Kriegler, CEO of CIRO, stated, “The Compliance Report serves to communicate emerging issues to all dealers for awareness, preparedness, and to take the best approach to adjusting policies and procedures.” 

He emphasized that by alerting dealers to potential industry risks, CIRO aims to strengthen investor protection and support industry-wide compliance.   

The report highlights several areas of concern, particularly the role of technology in investment operations and the associated risks.   

Cybersecurity risks 

CIRO notes that cybersecurity remains a major threat regardless of a dealer’s size or complexity. Dealers must report incidents that meet certain criteria and ensure proper controls are in place.  

The report identifies an increase in cybersecurity incidents involving third-party service providers and urges firms to review their security measures. 

Crypto Asset Trading Platforms (CTPs) 

The onboarding of CTPs into CIRO membership continues, with a risk-based compliance approach recognizing the higher inherent risks of these platforms. As regulatory frameworks evolve, CIRO advises dealers offering crypto-assets to stay updated on compliance requirements. 

Algorithmic trading 

Given the widespread use of automated trading in capital markets, CIRO stresses the importance of implementing strong controls to validate data inputs and trading decisions. The report recommends periodic reviews of trading algorithms to maintain market integrity. 

Social media compliance 

As financial firms increasingly use social media for marketing and education, CIRO reminds dealers to establish policies governing its use for business purposes. Dealers must maintain proper records of client communications to meet regulatory obligations. 

CIRO continues to focus on integration efforts following its formation in 2023 through the merger of the Investment Industry Regulatory Organization of Canada and the Mutual Fund Dealers Association of Canada.  

As part of its Strategic Plan, CIRO has streamlined compliance programs and internal structures to improve regulatory efficiency.   

Key developments in compliance integration include:   

Compliance team restructuring 

The organization has integrated investment and mutual fund dealer compliance teams into Business Conduct Compliance (BCC), Financial & Operations Compliance (FinOps), and Trading Conduct Compliance (TCC). These teams are supported by the Compliance Modernization Group. 

Mutual fund dealer oversight in Quebec 

Since September 2024, CIRO’s Montreal office has taken over responsibility for compliance examinations of Quebec-based mutual fund dealers, under delegated authority from the Autorité des marchés financiers (AMF). 

Risk assessment models 

CIRO has introduced harmonized risk models for assessing Business Conduct, Financial & Operations, and Trading Conduct Compliance risks. These models will be used in member risk assessments starting December 2024. 

Examination cycles 

Compliance examinations now follow a one- to four-year cycle based on risk assessments, replacing previous models with different timelines for investment and mutual fund dealers. The changes aim to allocate resources efficiently while maintaining oversight. 

The report also details updates on regulatory priorities, including:   

• T+1 settlement transition: Canada transitioned from a T+2 to a T+1 trade settlement cycle in May 2024, aligning with the US. CIRO monitored the transition and reported a smooth process with minimal market disruption. 

• Short selling and extended failed trades: Amendments to Universal Market Integrity Rules (UMIR) related to short selling, approved in November 2024, will take effect in April 2025. These changes introduce new requirements for dealers to demonstrate a reasonable expectation to settle short sales. 

• Derivatives regulation: CIRO has updated its derivatives rules to align with National Instrument 93-101, ensuring consistency in regulatory oversight across securities, listed derivatives, and over-the-counter derivatives. 

• Client Focused Reforms (CFR): A review of how firms are complying with CFR rules related to Know Your Client (KYC) and Know Your Product (KYP) requirements is underway. CIRO expects to release a joint report with the Canadian Securities Administrators (CSA) in 2025.