Regulator flags cyber, crypto and capital gaps while urging stronger supervisory controls nationwide
The Canadian Investment Regulatory Organization has released its 2026 Compliance Report, offering dealers a detailed snapshot of where it sees regulatory weaknesses, operational vulnerabilities and rising risk trends across the industry.
The annual publication is designed to give firms practical insight into recurring deficiencies and emerging threats, while clarifying supervisory expectations.
A central theme this year is modernization, both within CIRO and across the dealer community. Following the rollout of its strategic plan, the regulator has been aligning internal compliance teams and harmonizing examination processes. The goal is to deliver more consistent oversight while minimizing disruption to firms.
CIRO is also refining its Annual Risk Questionnaire upgrading the digital interface so dealers can submit responses, upload supporting documentation and provide feedback more seamlessly. Enhancements made after the 2025 cycle are intended to improve usability and data quality, giving the regulator sharper risk insight.
The report makes clear that cybersecurity remains one of the most pressing concerns. After experiencing a significant cyber incident in 2025, CIRO is urging dealers to stress-test their controls, bolster vendor due diligence and improve employee training.
The organization notes a rise in attacks linked to third-party providers and encourages firms to strengthen layered defenses to “reduce vulnerability to these attacks.” It also reminds dealers that early engagement with the regulator is critical when implementing operational shifts: “We also encourage dealers to reach out when considering operational changes so we can offer guidance and support throughout the process.”
Digital assets continue to command regulatory attention. CIRO says it is advancing oversight of crypto asset trading platforms as they move further into the regulatory fold, with a focus on custody standards, risk disclosure and supervisory frameworks. As firms integrate crypto offerings into broader business lines, the regulator expects robust controls that mirror those applied to traditional products.
Artificial intelligence is another evolving area. Dealers deploying AI-driven tools, whether for client servicing, compliance monitoring or trading, are advised to assess whether those changes constitute material business shifts requiring regulatory notification.
Financial resilience also features prominently. For mutual fund dealers, the report flags recurring shortcomings in capital calculations and asset reconciliation practices. CIRO reiterates that firms must reconcile client and firm assets monthly, maintain sufficient capital buffers and ensure documentation supports internal controls.
On the conduct front, the regulator highlights findings from joint sweeps examining Client Focused Reforms, where deficiencies were identified in suitability determinations and know-your-client processes. Trading supervision — including oversight of short selling and extended failed trades — is another area where policies must align with current expectations.
“CIRO's Compliance Report helps dealers understand industry-wide trends in compliance matters so they can adapt their policies and procedures to meet emerging challenges and better protect investors from potential harm,” said Andrew J. Kriegler, President and CEO of CIRO. “As dealers continue to adopt innovative technologies and evolve their operations to meet the changing needs of Canadian investors, mitigating new risks is crucial to maintain the integrity and health of Canadian capital markets.”
