In a bid to banish the ghosts of the QuadrigaCX collapse, Canada’s top investment regulator has introduced a tiered custody framework for digital assets, setting unified rules that contrast to the fragmented approach in the US.
Canada Sets Unified Crypto Custody Rules as US Struggles with Regulatory Patchwork
4 February 2026 - 22:26 CET
By Ana Pereira
According to the new arrangements, the Canadian Investment Regulatory Organization (CIRO) will link custody limits directly to a custodian's capability and risk profile. Dealer members must either use approved third-party custodians or meet stringent conditions to self-custody a limited share of client crypto assets.
Three-tier model
At the core of the framework is a three-tier custody model that calibrates regulatory requirements based on who holds the crypto assets and how they are safeguarded, rather than treating all custody arrangements equally.
"We considered whether a single, uniform set of custody requirements would be appropriate for crypto assets," CIRO said in a 3 Feb notice. "We determined that such an approach could unnecessarily exclude capable crypto custodians, exacerbate concentration risk, and reduce competition including among Canadian service providers."
The framework imposes a strict 20% limit on internal custody, effectively barring dealers from holding the bulk of client assets in-house. To exceed this cap, firms must implement enhanced security technology and obtain legal opinions demonstrating that client funds are shielded from creditors if the dealer fails.
CIRO’s custody overhaul comes against the backdrop of the 2019 collapse of QuadrigaCX, once Canada’s largest cryptocurrency exchange.
Following the reported death of founder Gerald Cotten, investigators saw that QuadrigaCX had no meaningful separation between client assets and company funds and relied on a single individual to control private keys. The collapse left more than $169 million in client assets missing.
"The crypto custodian must be established in a Basel Accord jurisdiction and be regulated in its home country either as a bank or a trust company," CIRO said in the notice, adding that banks and trust companies are “typically subject to strict rules covering capital, governance, risk management, cybersecurity, and safeguarding of client assets."
US rules
South of the border, custody rules for digital assets remain fragmented across regulatory regimes, despite recent clarifications by the Securities and Exchange Commission.
The SEC has recently outlined staff-level guidance for broker-dealers seeking to custody “crypto asset securities” under existing customer protection rules, while also expanding the use of state-chartered trust companies as qualified custodians for investment advisers. The watchdog has also rescinded accounting guidance that many banks said discouraged them from offering crypto custody services.
Still, US custody standards continue to depend heavily on the type of regulated entity, broker-dealer, investment adviser, fund or bank, rather than a unified crypto custody framework.
Much of the guidance remains interpretive or staff-issued, rather than codified in binding rulemaking, though lawmakers have renewed efforts in 2025 to establish clearer statutory frameworks for digital asset market structure and custody.
Custody under the EU's MiCA
In the European Union, digital asset custody is governed primarily under the Markets in Crypto-Assets Regulation (MiCA), overseen by national regulators and coordinated by the European Securities and Markets Authority.
Unlike Canada’s CIRO framework, MiCA places emphasis on safeguarding client assets and segregation, with custody obligations assigned directly to specialized crypto-asset service providers. While MiCA offers a bloc-wide regime, it is principles-based in several areas, leaving significant implementation of discretion to national authorities.
