Canada introduced a four-tiered crypto asset custody framework, limiting customer asset holdings to 40-100% depending on the level of protection, in order to prevent a repeat of the QuadrigaCX disaster.
The Canadian Investment Regulatory Organization (CIRO), a nationally self-regulated, non-profit organization, has just released its Cryptocurrency Custody Framework to mitigate risks from security incidents, fraud, and poor governance. This framework outlines how members operating cryptocurrency trading platforms must ensure robust protection for their clients' crypto assets.
According to a February 3rd press release, CIRO stated that the implementation of the regulatory framework will temporarily be managed through membership terms and conditions, allowing for rapid adjustments to new risks while long-term regulations are being developed. Sources familiar with the matter revealed that the regulator is seeking to avoid a repeat of the QuadrigaCX collapse in 2019, which caused significant losses to investors.
The core component of the regulatory framework is a risk-based, tiered approach to crypto asset custody institutions. Accordingly, custody entities are Chia into four tiers based on factors such as Capital level, level of legal supervision, coverage scope, and operational capacity. These tiers determine the maximum percentage of client assets a custody entity is permitted to hold.
Classification by level of protection
Specifically, top-tier custodians with the best protection can hold up to 100% of client assets, while the lowest tier, Tier 4, has a ceiling of only 40%. Additionally, brokerage members are permitted to directly hold up to 20% of the total crypto assets of their clients under management.
Beyond these limitations, the regulatory framework introduces numerous additional requirements, including corporate governance policies aimed at establishing governance structures, ensuring compliance in key management activities, cybersecurity, incident response, and third-party risk management. Mandatory requirements for insurance, independent audits, security compliance reporting, and regular penetration testing are also XEM essential.
The regulatory framework stipulates that custody agreements must clearly define liability for any losses arising from breaches of obligations or lack of reasonable care.
CIRO stated that the regulatory framework adopts a balanced, risk-based approach, aiming to protect investors while encouraging innovation and market competition. During its development, the regulator XEM contributions from industry partners, including crypto asset trading platforms and custodians, and referenced global standards.
Criminal activity in the cryptocurrency industry has increased dramatically as cryptocurrencies have become more popular. The Financial Transaction Reporting and Analysis Centre of Canada (FINTRAC) imposed a fine of approximately $12 million on the domestic cryptocurrency exchange Cryptomus last October for failing to report over 1,000 suspicious transactions related to darknet markets, fraud, ransomware payments, and sanctions evasion.
FINTRAC also imposed significant fines on Kucoin and Binance earlier this year for similar violations.
