CIRO Annual Compliance Report 2025 focuses on crypto, cyber, tech risk

Report summarizes issues and challenges dealers regulated by CIRO should focus on to improve investor protection.

The Canadian Investment Regulatory Organization (CIRO) just published its Annual Compliance Report, offering what the agency calls “insight for dealers into emerging compliance challenges,” and it outlines what the agency recommends in addressing them.

Its stated goal is to help dealers focus their supervision and risk-management efforts to comply with CIRO’s regulatory requirements effectively, by being prepared to take the best approach to adjusting their policies and procedures.

“By alerting dealers to potential issues faced by their industry peers, CIRO advises all members about risks and emerging compliance matters, to strengthen investor protection while responding to changes in the industry,” said Andrew Kriegler, CEO of CIRO.

The central theme of the report is the interplay between technologies used in the investment ecosystem and managing their risks to protect investors.

Key risk areas

The key risk areas covered in the report include:

Cybersecurity

The report says this area remains a key business risk, irrespective of the size and complexity of the dealer member. CIRO reminds dealers that they are required to report cybersecurity incidents that meet certain criteria and to implement necessary controls to protect their clients. The report warns of an increase in incident reports involving third-party service providers that have impacted their clients.

Dealers are encouraged to review whether they have the necessary controls in place to protect clients, client information and assets, as well as their own critical operating systems, and whether they are training personnel to support their cybersecurity.

Crypto Asset Trading Platforms (CTPs)

These platforms continue to be onboarded into CIRO membership, the report notes. CIRO tells its members that compliance requires a top-down, risk-based approach to recognizing the higher inherent risk associated with CTPs. “As CIRO and the CSA continue to evolve and adapt to the changing crypto ecosystem, members planning to offer crypto-assets to clients should stay informed about regulatory developments,” the report advises.

Algorithmic trading

CIRO says algorithmic trading is a significant tool in today’s capital markets, but firms must implement robust controls to validate data inputs and operations; this is essential to ensure the accuracy and reliability of trading decisions and the integrity of the capital markets. The report recommends regular reviews of algorithms to ensure their ongoing effectiveness.

Social media

Social media tools are increasingly being used as a marketing and educational tool in the finance industry, the report observes. It reminds dealers they are required to establish and maintain policies and procedures on the use of social media for business purposes by their Approved Persons. It also encourages dealers to establish clear guidelines for interacting with clients, and to maintain proper books and records of communications in compliance with regulatory obligations.

Deeper dive

The report reminds firms that Investment Dealer and Partially Consolidated Rule 3703 (IDPC Rule 3703) mandates that investment dealers report any cybersecurity incidents that meet specific criteria.

“While we have observed a consistent flow of incident reports, there has been an increase in cases involving third-party service providers affecting our dealers,” the report notes.

The report adds: “When engaging with third-party service providers, it is crucial for dealers to assess risks at all stages: before, during, and after the engagement. To assist in this, we issued Guidance Note GN-2300-21-003: Outsourcing Arrangements, outlining what functions can be outsourced and our expectations for managing risks associated with the use of third-party services.”

CIRO notes in its report that it completed its first examination of a CTP in fiscal 2024, and it will be completing two field examinations in the current fiscal year.

“CIRO-regulated CTPs operate with proprietary books and records systems developed to meet the specific needs for the trade, settlement, and custody of crypto assets. Annually, we review independently prepared system control reports on these books and records systems,” the report stated.

With regard to social media, CIRO said it has identified cases where dealers’ controls over employees’ social media accounts used for business purposes were inadequate. Specifically, dealers lacked adequate policies and procedures to identify relevant employee social media use, there were no controls in place to detect, approve, or monitor such use, and there was no evidence of ongoing review and supervision of these accounts.

“Establishing clear policies and implementing effective controls are essential to mitigating the risks associated with social media communications and ensuring compliance with regulatory requirements,” the report noted.