
CIRO Audit: CSA Finds Crypto & Cloud Compliance Risks

Published: July 23, 2025 | Last updated: July 23, 2025

Membership scrutiny and stricter IT expectations hit crypto platforms: a CSA audit of CIRO finds crypto and cloud compliance risks. Specifically, the report highlights three medium-priority findings in CIRO’s operations and separately outlines expectations for improvements to certain policies and procedures.

CERTS: Lack of a Full Independent Assessment of Internal Controls

The first finding concerns the lack of a full independent assessment of the internal control system of the Continuing Education Reporting and Tracking System (CERTS).

According to T&C 19(2) of the appendices to the Recognition Orders, CIRO is required to submit, once every two years, a report prepared by a qualified party in accordance with established audit standards. The report must confirm the existence of adequate internal controls, including the integration of CERTS into business continuity and disaster recovery plans.

CIRO submitted two penetration test reports on the CERTS system, but they didn't cover the full scope of the requirements set out in T&C 19(2). This finding was classified as medium priority. CIRO also stated that in 2023–2024, it was consolidating the CERTS infrastructure and migrating it to a new data center, with the migration completed in April 2024. As a result, a full independent review will be conducted in the 2025 fiscal year (FY26) in accordance with the Recognition Orders.

Cloud Service Outside Canada: 15% of Data in Transit

The second finding concerns the use of a cloud provider located outside Canada, which contradicts CIRO's own Procurement Policy and was likewise classified as a medium-priority finding.

In 2021, IIROC, a predecessor organization of CIRO, entered into an agreement with a provider whose servers were located in the United States. Although no data is currently stored on those servers, CIRO confirmed that approximately 15% of the data continued to transit through them.

CIRO clarified that this concerns encrypted KPI data that does not contain personal or confidential information. The service region is scheduled to be switched to Canada in July 2025.

Québec: Lack of Defined Authority in Handling Crypto Applications

The third finding concerns partial non-compliance with T&C 21(1) of the Recognition Order issued by the Autorité des marchés financiers (AMF) and relates to the functions of CIRO's Québec Regional Office.

As part of the Membership Intake review, it was found that in processing applications from firms whose head offices are located in Québec (including crypto platforms), there is no defined responsibility or staff assigned to produce regulatory recommendations on behalf of the Québec office.

Although the final decision is made by the Senior Vice-President for Québec and Atlantic Canada, the analytical materials are prepared entirely by the cross-functional MI team without the involvement of Québec-based specialists.

CIRO proposed to update MI procedures by establishing mandatory verification of all Québec-based applications by the relevant Relationship Manager or their Director. If the regional representative disagrees with the assessment, they must instruct MI on how to revise the final recommendation.


Additional Expectations from CSA Regarding Process Improvements

In addition to the three recorded findings, the regulators also noted the following expectations for CIRO, not classified as findings:

  • clarification and documentation of the quarterly process for fulfilling the Recognition Order requirements related to CERTS (T&C 19)
  • updates to forms and policies for processing Independent System Reports (ISR) from IT providers
  • improvements to MI and TCC methodologies to reflect current legislative changes in review templates
  • consistent documentation of decisions and deviations from standard procedures during the review of membership applications

Conclusion

The identification by CSA of three medium-priority findings in CIRO's operations is not merely a technical audit of an internal regulatory organization. It sends unequivocal signals to the cryptocurrency industry, particularly to those operating or seeking recognition within the Canadian jurisdiction.

First, the involvement of crypto trading platforms in the Membership Intake process is explicitly cited as a risk factor that influenced the selection of areas for review. This indicates that all processes related to crypto are treated by the regulators not as a formality, but as a subject of focused scrutiny with operational and procedural consequences.

Second, the attention to CIRO's use of cloud services, even in cases of minor transit of non-sensitive data, indicates that the issue of data localization and routing remains under supervisory control regardless of the type of organization. This applies to custodial services, aggregators, and trading systems that rely on API integrations.

Finally, CSA's requirement for CIRO to conduct a full independent assessment of CERTS confirms that the oversight of IT stacks and their integration into BCP and DRP plans is regarded as a necessary condition for fulfilling the regulatory mandate, even in the context of technical upgrades and organizational restructuring.

As a result, we are presented with a clear precedent of heightened expectations for technological transparency, operational accountability, and territorial data governance across all segments of the crypto market seeking recognition in Canada.

The content provided in this article is for informational and educational purposes only and does not constitute financial, investment, or trading advice. Any actions you take based on the information provided are solely at your own risk. We are not responsible for any financial losses, damages, or consequences resulting from your use of this content. Always conduct your own research and consult a qualified financial advisor before making any investment decisions.


Alexandros

My name is Alexandros, and I am a staunch advocate of Web3 principles and technologies. I'm happy to contribute to educating people about what's happening in the crypto industry, especially the developments in blockchain technology that make it all possible, and how it affects global politics and regulation.

