The Canadian Investment Regulatory Organization (CIRO) released its latest annual compliance report (the Report), which details areas of focus for CIRO-regulated dealers in 2026 and beyond. As always, we encourage firms to use the Report as a checklist to conduct a gap analysis of regulatory and compliance priorities.
Where Dealer Members may wish to focus
In anticipation of CIRO’s enhanced focus on the following topics in upcoming CIRO dealer member (Dealer Member) examinations, firms may wish to revisit and, if necessary, enhance, their existing policies and procedures, documentation, and training in the following areas:
- AI use is a significant focus of the regulators. Dealer Members will want to ensure that they understand and have documented their AI use in all aspects of their business and operations. Dealer Members should implement appropriate policies and controls to address risks, including privacy. Based on our experience to date assisting firms registered with the Canadian Securities Administrators (CSA), legal and compliance staff should carefully consider how firms respond to use, disclosure and governance-related inquiries in connection with AI. Dealer Members should also consider when the use of AI might trigger a material business change with CIRO.
- Cybersecurity remains an ever-present focus during examinations. Dealer Members should ensure that their cybersecurity policies, procedures and processes remain in line with regulatory requirements and best practices, including with third-party providers.
- The joint CIRO/CSA Client Focused Reforms KYC, KYP and Suitability Sweep released in December 2025 (the CFR Sweep) sets the standards CIRO will use in upcoming compliance reviews. Dealer Members should ensure their KYC, KYP and suitability policies, procedures and processes align with this guidance.
- With the expected pending release of CIRO’s rule amendments on incorporated advisors for investment dealers, Dealer Members should expect increased CIRO focus on Dealer Member employment/agent arrangements with registered representatives.
- CIRO’s new proficiency model took effect on January 1, 2026, ushering in new rules, guidance, and exam requirements.
- On March 12, 2026, CIRO published Guidance Note GN-3200-26-001: Guidance on order execution only account services and activities (the New OEO Guidance). OEO Dealer Members should review this publication to confirm that their current OEO platforms remain compliant and to explore how their platforms may be modified or expanded under the New OEO Guidance. BLG will be publishing a client insight on the New OEO Guidance shortly, so please stay tuned.
Dealer operations and risk management
Cyber
Having experienced first-hand a cyber breach this year, CIRO stresses the importance of cybersecurity in the Report, highlighting the changing nature and increased sophistication of cyberattacks as well as the evolving ability to detect threats. The Report also notes that CIRO has received a steady flow of incident reports from dealers alongside an increase in threats involving third-party service providers. CIRO points firms to its expectations for managing risks related to the use of third-party service providers in Guidance Note GN-2300-21-003: Outsourcing Arrangements.
Crypto
CIRO continues to transition crypto asset trading platforms (CTPs) into membership, pairing due‑diligence reviews with early field exams to validate controls and ensure their systems meet regulatory expectations. On Feb. 3, 2026, CIRO published Guidance Note 26-0033: Notice on CIRO's Digital Asset Custody Framework, communicating expectations for custody of digital assets by dealers, standardizing segregation practices, and introducing a tiered crypto custodian model that includes limits on customer assets and minimum capital requirements for crypto custodians in a given tier. As CTPs evolve, CIRO’s regulatory sandbox initiative, “Innovate Safe”, offers opportunities for firms to test new product and service offerings. Crypto‑collateralized retail lending services and stablecoin‑based settlement models are both currently under consideration.
AI
Dealers should be prepared for scrutiny of their use of AI by CIRO’s Financial and Operations Compliance team. The regulators will want to understand the extent to which dealers are using AI as well as to review operational controls to ensure the AI is working as designed. As noted above, our experience suggests that legal and compliance staff should carefully consider how firms respond to use, disclosure and governance-related inquiries in connection with AI. Dealers should also consider whether any use of AI or automation is a material business change requiring advance written notification to CIRO and/or an update to firm registration information via Form 33-109F5 Change of Registration Information. Based on our experience, the scope of what may be considered a “change of business” has increased in recent years, which has resulted in extended review periods and a broadened scope of regulatory approval for activities contemplated by CIRO dealers.
Trading
Short selling remains a key area of focus for CIRO, particularly as amendments to Universal Market Integrity Rules (UMIR) 3.3 took effect in April 2025. The UMIR amendments require participants to have a reasonable expectation to settle on settlement date before placing any short‑sale order. The Report highlights the need for participants to update their policies and procedures to reflect these new UMIR requirements.
CIRO identified deficiencies regarding extended failed trades. Firms may wish to revisit CIRO’s 2024 guidance on UMIR Requirements Related to Short Selling and Failed Trades, in particular regarding reporting the required details and using the trade date as the start of the 10-day reporting timeline.
Client focused reforms KYC, KYP and suitability sweep findings
As noted above, CIRO and the CSA have published the results of their CFR Sweep. The Report highlights the need for Dealer Members to have policies and procedures tailored to their firm’s business model and which are detailed and actionable. CIRO expects these policies to contain firm-specific details on the processes implemented to address the CFR requirements.
We welcome the news that CIRO is currently developing guidance to assist firms in responding to the CFR Sweep. Concurrently, Business Conduct Compliance (BCC) examinations will continue to focus on assessing whether Dealer Members have taken steps to identify and remedy any gaps in CFR compliance. Firms who have yet to do so may wish to revisit our detailed analysis of the CFR Sweep and resulting actions they can take here.
Finfluencer arrangements
In December 2025, CIRO and the CSA published a joint Staff Notice containing guidance for dealers forming arrangements with finfluencers. The Report reminds CIRO dealers of their various responsibilities in connection with finfluencer arrangements, including the requirement to perform adequate due diligence, establish written agreements (including referral arrangements), and ensure finfluencers are well informed about the dealer, its products and/or services. Any claims or statements made by finfluencers must be fair, balanced, substantiated and not misleading. BCC examinations have been bolstered to include a review of controls with respect to arrangements with finfluencers.
Business conduct compliance (BCC) reviews
Drawing from the findings of recent BCC reviews, Dealer Members should be aware of the following deficiencies as discussed in the Report:
Conflicts of interest
- failures in the identification and management of conflicts of interest, including findings that certain firms do not maintain centralized conflict of interest repositories;
- findings of asymmetries between client disclosures and internal records on conflicts;
- failures to ensure conflict-related client disclosures are clear and timely;
- failures to keep updated, written procedures in support of the identification, management, and disclosure of conflicts;
- deficiencies with respect to due diligence in connection with referral arrangements, the assessment of referral-related conflicts of interest, and the corresponding disclosure required to be made to clients;
- gaps in supervisory practices, including inadequate reviews of outside activities and assessments for potential conflicts of interest;
Other
- incidents where client communications are made through non-approved channels; and
- inadequate daily and monthly trading supervision, including findings that certain systems produce incomplete reports.
Anti-money laundering (AML) compliance
Under the MOU between CIRO and FINTRAC, the two organizations cooperate and share information. During BCC examinations, CIRO uses a risk-based approach to evaluate AML compliance. The most common deficiency found by CIRO is a failure to conduct the required biennial AML Compliance Effectiveness Review. BLG conducts these AML effectiveness reviews and would be happy to assist. Please contact us should you require assistance.
Registration and proficiency
The national delegation to CIRO of CSA-registration functions for investment dealers, mutual fund dealers, and associated individuals is complete in all jurisdictions, except British Columbia and Manitoba. CIRO also received delegated authority in most jurisdictions to review acquisition notices under sections 11.9 and 11.10 of National Instrument 31-103 Registration Requirements, Exemptions and Ongoing Registrant Obligations where a CIRO Dealer Member is involved. Any such proposed transactions require notice to be provided to CIRO, and for CIRO to provide its non-objection, prior to closing.
Firms are required to provide notice in writing to CIRO before making any material changes to their business activities. CIRO’s Business Changes for Dealer Members webpage provides additional information that may assist firms in assessing when this is required. BLG recommends that Dealer Members take a well-documented and reasoned approach when evaluating whether a change is a material change to their activities or operations. We are happy to assist Dealer Members in providing guidance on what, in our experience, constitutes a “material change”.
The Report also reminds Dealer Members of the new assessment‑centric proficiency model that took effect on Jan. 1, 2026; information on the new IDPC rules, guidance, and exam requirements can be found on CIRO’s Proficiency page. Dealer Members are encouraged to communicate these new requirements to their personnel, maintain policies that ensure timely completion of Conduct Training for Approved Persons, and consult CIRO’s Guidance Notice on Proficiency Exemption Requests prior to applying for any proficiency exemption requests.
CIRO rules consolidation, dual registration & integration
We anticipate that CIRO-registered firms will also want to review and provide feedback on the future of CIRO rules. Concurrent with the publication of the Report, CIRO published its consolidated rules for final comment as well as proposed rules to amend CIRO’s dual registration model – stakeholder feedback on both proposals is due June 12. CIRO also finalized its new oversight of mutual fund dealers with a head office in Québec, which includes the oversight of financial filings.
What’s next
CIRO’s Report pinpoints areas of improvement and offers firms a clear roadmap to strengthen their compliance architecture. Proactively addressing these issues helps dealers navigate future regulatory examinations more smoothly while demonstrating a genuine commitment to regulatory best practices. Contact any of the authors below or your usual BLG lawyer if you have any questions about this update or should you require assistance, including in updating your policies and procedures, employee training, or on any privacy, cyber or AI-related matters.