KCS ResearchRegulatoryApril 202617 min read

The CIRO Digital Asset Custody Framework, Explained. Three entities, tiered capital, weekly proof.

February 2026 brought the formal CIRO framework. Three-entity separation, tiered capital, weekly custody monitoring, segregated client assets, and a structural model the entire Canadian institutional tokenization stack is now organizing around. This is the institutional implication map for any firm operating tokenized assets in Canada, and the reason "trust us" is no longer an acceptable answer.

0:00 / 0:00 All Research →

Executive summary

The Canadian Investment Regulatory Organization published its Digital Asset Custody Framework in February 2026. The framework specifies the structural conditions under which a Canadian firm may operate qualified digital custody for tokenized assets at institutional scale. Five elements define it: three-entity separation between holding, operating, and custody activities; tiered minimum capital requirements scaled to assets under custody; weekly reserves-to-liabilities monitoring with public attestation; segregated client assets enforced at the transaction layer rather than the policy layer; and a defined permission pathway operated under CIRO marketplace and dealer oversight.

The framework is not, in form or intent, a sandbox. It is a production rulebook. It tells any firm that wants to operate institutional tokenized custody in Canada exactly what the structural prerequisites are, exactly what the capital posture must look like, exactly what proof has to be public on what cadence, and exactly which CIRO permissions must be in place to operate. It is, in effect, the regulatory specification that converts the architectural validation Project Samara delivered into a permissioned production environment.

The reason this matters beyond compliance is that the framework decides what kind of firm can credibly operate the institutional tokenization layer in Canada. A firm that started as a retail crypto exchange and tried to retrofit institutional custody into the same legal entity cannot meet the structural separation. A firm that did not architect entity separation from inception faces a serious corporate reorganization to qualify. A firm that did design to the framework from day one is now operating with a regulatory tailwind. This is precisely the design choice KCS Capital made in structuring 4orm Finance as HoldCo / OpCo / CustodyCo, and this report is the institutional implication map for what the framework requires and why.

The companion brief When "Trust Us" Fails (November 2025) is the policy argument for why opacity is no longer an acceptable design choice. This report is the technical and operational map of what the CIRO framework now requires Canadian institutional firms to build instead.

1 · The five elements of the framework

The framework consists of five operative elements. None is novel in isolation, each maps to long-standing precedents in traditional financial regulation. The novelty is the package: applied to a digital-asset operator, in Canada, at the layer below institutional adoption, by the dealer-and-marketplace regulator.

Element one, three-entity separation. A firm operating institutional tokenized custody in Canada must structure across three distinct legal entities: a HoldCo (the parent holding entity that owns the platform and capitalizes the operating businesses), an OpCo (the operating entity that runs the technology platform and the marketplace functions), and a CustodyCo (the custody entity that holds client assets and is permissioned as a qualified Canadian digital custodian). The three must be separately capitalized, separately governed, and separately operated. Cross-entity loans, asset commingling, and shared operational accounts are prohibited. The structural intent is that the failure of any one entity, operational, financial, or governance, cannot cascade to the others, and specifically that operating-entity stress cannot reach client custody assets.

The precedent is the bank holding company structure that has been the foundation of Canadian banking regulation since the 1980s, and the broker-dealer custody-segregation rules that have governed Canadian securities firms since the early days of CDS. CIRO's framework applies the same logic to digital assets, with two adjustments: the custody entity must be specifically permissioned as a qualified Canadian digital custodian, and the technology-platform entity is separately scoped from the custody entity in a way that has no direct analogue in traditional finance.

Element two, tiered minimum capital. The CustodyCo entity must hold minimum capital scaled to assets under custody. The framework specifies tiers: a base tier for custody operations below C$500 million in client assets; an intermediate tier for operations between C$500 million and C$5 billion; and an advanced tier for operations above C$5 billion. Each tier has minimum cash-equivalent capital requirements, minimum liquid-asset coverage requirements, and minimum loss-absorbing capacity. The published structure is consistent with OSFI's risk-weighted approach to bank capital, scaled to the operational risk profile of digital custody rather than the credit risk profile of bank lending.

The capital tiers are the framework's primary tool for ensuring the custody operation can absorb operational losses without reaching client assets. They also create a meaningful barrier to entry that is structural and proportional: a firm operating at the base tier does not face the capital cost of the advanced tier; a firm growing into the advanced tier must capitalize accordingly. The model is not "qualifying" or "unqualifying", it is graduated, in a way that allows operations to scale up the framework rather than re-architect against it.

Element three, weekly proof of reserves. The custody entity must publish, on a weekly cadence, an attestation of reserves against client liabilities. The attestation must be performed by an independent third-party (a Canadian-licensed accounting firm or a qualified attestor under CIRO permissioning), must cover the full client asset base, and must be public. The framework specifies the cadence (weekly), the scope (full asset base), the standard (independent third-party), and the disclosure surface (public). It does not specify the technology, Merkle-tree attestations, full balance disclosure, or hybrid approaches are all permissible, but it specifies the outcome: a client, an auditor, a regulator, or a journalist can verify reserve coverage on a known cadence.

The precedent is the proof-of-reserves practice that emerged in the global crypto-custody sector after the FTX collapse in 2022 and the broader 2023 sector failures. CIRO's framework formalizes the practice into a regulatory requirement and raises the bar on the cadence (weekly, not quarterly), the scope (full base, not sample), and the verifier (independent, not internal). The intended effect is that the question "does the custodian actually hold the assets" is no longer a trust question. It is an answered question, on a public schedule, with an audit trail.

Element four, segregated client assets at the transaction layer. Client assets must be segregated from operating-entity funds, from the custody entity's own treasury, and from any other client's assets. The framework specifies that segregation must be enforced at the transaction layer, meaning that an attempted commingling is structurally blocked, not policed by exception report, and that the segregation must be auditable on-ledger.

This is the element of the framework most directly responsive to the failures that motivated it. The FTX collapse, the Cryptomus AML penalty referenced in When "Trust Us" Fails, and the broader pattern of opaque custody operations failing at scale all share the same operational mechanic: client assets were not, in fact, segregated from operating funds, and the absence of structural segregation allowed undisclosed commingling to develop and to remain undisclosed until insolvency. CIRO's framework treats segregation as a structural property of the system rather than a policy promise of the operator. The distinction is the most consequential single design choice in the framework.

Element five, CIRO marketplace and dealer permissioning. The operating entity that runs marketplace functions (matching, execution, listing) must be permissioned under CIRO marketplace rules. The firms that interact as dealers must be permissioned as CIRO members. The framework folds tokenized institutional marketplaces into the same dealer-and-marketplace regulatory perimeter that governs traditional Canadian securities marketplaces, with adjustments for the specific operational characteristics of digital assets.

The permissioning is not a one-time approval. It is a continuing supervisory relationship. The operating entity is subject to CIRO marketplace oversight, capital requirements, and operational reporting on the same continuing basis as a traditional Canadian alternative trading system or recognized marketplace. The framework, in this dimension, treats tokenization as a marketplace structure rather than as an asset class.

2 · Why the framework is structured this way

The CIRO three-entity separation. HoldCo, OpCo, CustodyCo.
The CIRO three-entity separation. HoldCo, OpCo, CustodyCo.

The framework's design is best understood by looking at the failure modes it is built to prevent.

Failure mode 1: operating-entity stress reaches client custody. The historical pattern in failed crypto-asset custodians is operating-entity losses that the operator covered by drawing on client assets, undisclosed. The three-entity separation breaks the operational pathway: the operating entity simply does not have access to custody-entity client assets. The legal and operational separation is the structural prevention.

Failure mode 2: undercapitalized custody operations. The pattern of crypto-custodian failures has consistently involved operations that were technically functional but materially undercapitalized for their scale, so that a single operational event (a hack, a counterparty default, a price dislocation) absorbed the full equity cushion. The tiered capital requirements ensure capital scales with custody assets, with a meaningful loss-absorbing cushion at every tier.

Failure mode 3: opaque reserves. Quarterly attestations that show reserve coverage at a single point in time, while operations may be running undercollateralized for the other 89 days of the quarter, are not sufficient supervision. The weekly cadence reduces the window in which undisclosed undercollateralization can develop. The independent third-party requirement removes the conflict of interest. The public disclosure surface removes the question of who has the right to verify.

Failure mode 4: commingling as a policy violation rather than a structural impossibility. Promising not to commingle is not the same as not being able to commingle. The transaction-layer enforcement converts the question from one of compliance posture to one of system architecture. The on-ledger auditability ensures that any attempted commingling produces a trail.

Failure mode 5: operations outside the existing regulatory perimeter. A tokenized marketplace that does not interact with CIRO supervision is, in the framework's logic, an open question on whether the marketplace is properly regulated at all. The marketplace and dealer permissioning closes that question: tokenized institutional marketplaces are CIRO-regulated marketplaces, the participants are CIRO-permissioned, and the supervisory relationship is continuous.

The framework is not the only possible response to the failure modes. It is, however, a coherent one, and it has the meaningful feature that it composes with the rest of the Canadian financial regulatory perimeter (OSFI capital treatment, FINTRAC AML supervision, RPAA payments supervision, OSC and AMF securities oversight) rather than asking the regulator to invent new authority. That is the design choice that distinguishes the CIRO approach from the more sandbox-oriented frameworks emerging in other jurisdictions.

3 · The implications for institutional firms

Every Canadian firm operating, or planning to operate, in the tokenized institutional layer faces a sequence of decisions the framework now structures. Six categories of implication matter.

Implication 1, for incumbent Canadian custodians. Tetra Trust, Balance Trust, and Brane Trust were named as qualified Canadian digital custodians in the framework. Each was already operating to broadly the structural requirements the framework codified, which is part of how the framework was able to be published in the form it took. The custodians' role in the production stack is well-defined and the operational implications of the framework on them are limited to ongoing compliance.

Implication 2, for firms operating outside the framework. Firms operating institutional tokenized custody in Canada without entity separation, without the capital tiers, without the weekly proof, or without the CIRO permissioning are now operating outside the framework. The framework does not retroactively prohibit prior operations, but it sets the structural test for forward operation. Firms in this position face a choice: restructure to the framework, narrow operations to a non-custodial layer, or operate outside Canada. The framework does not force a choice. It makes the choice explicit.

Implication 3, for firms designing new platforms. Firms designing institutional tokenization platforms in 2026 and forward face a strong structural incentive to design to the framework from inception. Retrofitting entity separation, capital tiers, weekly proof, and transaction-layer segregation onto a platform that was not architected for them is a serious corporate, technical, and operational exercise. Designing for them from inception is straightforward. KCS Capital's decision to structure 4orm Finance as HoldCo / OpCo / CustodyCo from the firm's inception is the canonical example of the latter pathway, and the structural rationale is the framework.

Implication 4, for the major Canadian banks. The Tier-1 banks that have been running tokenization pilots, RBC, TD, BMO, Scotiabank, CIBC, National Bank, now operate against a framework that defines what their counterparty institutional custody and marketplace operations look like. The framework does not require the banks to operate custody themselves. The framework allows the banks to interact with a separately operated, framework-compliant custody entity as a counterparty. This is the architectural reason the multi-institution model is the indicated structure: it allows the banks to participate without owning the operational stack and without accepting another bank as the systemic custodian.

Implication 5, for asset issuers. Pineapple Financial, AuCan Gold, T-RIZE, Ocree Capital, and the broader set of Canadian asset issuers operate in a structural environment where the institutional layer their assets must clear through is now defined. The relevant decision for issuers is not whether to interact with the framework, the framework is the operating environment, but which operating-rail custodian and marketplace they integrate with. The decision becomes a vendor-selection question.

Implication 6, for foreign operators. Foreign tokenization platforms operating in Canada, and the activity routing offshore as discussed in Capital Repatriation: $20B to $40B Leaking Offshore, face a framework that does not directly prohibit cross-border activity but does specify the conditions for institutional Canadian custody. Foreign operators wanting to serve Canadian institutional clients at scale must either operate a framework-compliant Canadian entity, partner with a framework-compliant Canadian operator, or remain in the cross-border / retail layer outside the institutional perimeter. The framework, in its export effect, structurally favours domestic infrastructure.

4 · The relationship to Project Samara, the CSA, and OSFI

The CIRO framework does not exist alone. It is the custody-layer element of a stack of Canadian regulatory developments that together define the institutional tokenization environment.

Project Samara (Bank of Canada, March 2026) validated the settlement and lifecycle architecture. The CIRO framework is the custody architecture that production-grade Samara successors must operate within.

CSA Project Tokenization (Q2 2026) elevated tokenization to a national regulatory initiative. The CIRO framework is one of the deliverables that fits within the CSA's coordinating mandate.

OSFI crypto-asset capital and liquidity guidance (2025) specified the bank capital treatment of digital asset exposures. The CIRO framework operates downstream of OSFI: a bank interacting with a framework-compliant custodian as a counterparty does so under OSFI's capital rules.

Retail Payment Activities Act (Bank of Canada, since 2024) supervises non-bank payment service providers. The CIRO framework's settlement-asset assumption (tokenized bank deposits, as Project Samara used and BMO has announced for production) sits inside the existing bank-payments regulatory perimeter and does not require RPAA's expansion.

Alberta Financial Innovation Act (2026) created the provincial regulatory sandbox. The CIRO framework operates federally and applies to firms operating across Canada. Alberta's sandbox provides a regulatory experimentation environment that is compatible with, but separate from, the CIRO production framework.

The composition is what matters. The Canadian regulatory environment, as of mid-2026, is not a patchwork of partial permissions. It is an aligned stack: payments supervision, capital treatment, sandbox testing, custody framework, settlement validation, and national coordinating initiative. Each layer was finalized within an eighteen-month window. The cumulative effect is that the operating environment for a Canadian institutional tokenization platform is now structurally complete.

5 · The structural test of the framework, and what 4orm Finance does about it

The framework is, in the deepest sense, a structural test. It asks every firm wanting to operate in the institutional layer: can you separate the entities, capitalize the custody business, prove the reserves on a weekly public cadence, enforce segregation at the transaction layer, and operate under continuous CIRO supervision?

If yes, the firm has a regulator-aligned pathway to operate at production scale.

If no, for any of the five elements, the firm faces either a serious corporate restructuring or a structural constraint on its addressable market. The framework does not block the no-answer firms from operating. It blocks them from operating in this layer. The retail-grade firms, the off-Canada-domiciled firms, the firms that emerged from non-institutional origins all retain their operating optionality outside the institutional perimeter. The framework's effect is to define what the institutional perimeter is, not to expand or contract the perimeter outside it.

4orm Finance is being built as a yes-answer firm. The HoldCo / OpCo / CustodyCo structure is the structural separation. The capital posture is being aligned to the published tier requirements from the firm's early build phase, with the explicit goal of operating in the tier-2 (intermediate) range at production launch and scaling to tier-3 (advanced) as assets under custody grow. The weekly proof-of-reserves attestation is built into the platform from day one rather than retrofitted onto it. Segregation is enforced at the smart-contract layer through asset-binding logic that makes commingling impossible without an explicit, audited governance action. CIRO marketplace and dealer permissioning is the pathway under preparation.

The structural design is not the source of the firm's competitive advantage on its own. It is the table-stakes that allow the firm to operate where the framework draws the institutional perimeter. The competitive advantage is the architecture above the framework, the multi-institution rail, the tokenized CAD deposit settlement asset, the marketplace design, the integration with the Canadian banking sector, the asset-class breadth from precious metals to mortgages to private credit. The framework does not produce the advantage. The framework allows the advantage to operate.

6 · The constructive read

The framework is a closing question, not an opening one. For most of the 2023 to 2025 period, the question Canadian institutional firms asked of tokenization was: under what regulatory framework can this operate at scale. The CIRO Custody Framework, the OSFI capital guidance, the RPAA supervision, Project Samara, and CSA Project Tokenization together close that question. The remaining questions are operational: which platform, which counterparties, which asset classes, which timeline.

The closing of the regulatory question is the moment institutional tokenization in Canada transitions from a thesis to a build. The build is led by firms that designed to the framework. The framework was published in February 2026. The build year is 2026 to 2027.

The companion KCS Brief When "Trust Us" Fails: Canada's Record Crypto Penalty (November 2025) is the policy argument for why opacity is no longer an acceptable design choice and why the framework is the constructive response. The companion research reports Project Samara & the Canadian Tokenization Pathway (March 2026) and Canada's $1.9B RWA Infrastructure TAM (March 2026) develop the settlement-architecture and economic-opportunity sides of what the framework now permits to be built.

Trust is no longer the question. Proof is. The framework is the specification of the proof.

Background & Sources

This report is original market intelligence produced by KCS Capital and is provided for informational purposes only. It does not constitute investment, financial, legal, or tax advice, or an offer or solicitation to buy or sell any security or financial product. Regulatory references describe publicly reported developments and are not legal analysis. KCS Capital Inc. is an independent technology and research firm; 4orm Finance operates as a separate regulated entity with independent governance, structured as HoldCo / OpCo / CustodyCo per the CIRO Digital Asset Custody Framework.

↑ Top All Research