The Canadian Investment Regulatory Organization (CIRO) has set out its priorities for fiscal year 2027 (April 1, 2026, to March 31, 2027), composing the final leg of a three-year strategic plan that began in 2024.
CIRO says the year ahead will focus on finishing the work of compiling and simplifying the rules systems it inherited from the IIROC-MFDA merger while tackling investor protection, market oversight, and bolstering cybersecurity.
Post-merger rule consolidation
CIRO’s current rule structure was created when Canada’s former investment dealer and mutual fund dealer self-regulators – the Investment Industry Regulatory Organization of Canada (IIROC) and the Mutual Fund Dealers Association of Canada (MFDA) – were combined into one organization, the New Self-Regulatory Organization of Canada (now called CIRO).
The self-regulatory organization (SRO) said it plans to publish a final harmonized rulebook for investment dealers and mutual fund dealers, revise continuing education requirements, and consult on rule amendments related to a compensation option that would allow advisers to be paid through a personal corporation.
It also plans to finalize changes that could help reduce the need for the current dual registration model used by some firms and advisors.
Investor protection
CIRO said it would continue working with its government agency counterpart, the Canadian Securities Administrators (CSA), to disrupt fraudulent investment websites as well as research whether behavioral “speed bumps” could stop investors from falling victim to mistakes or scams.
CIRO also said it would review how long it takes to resolve complaints. The rules currently require firms to provide a substantive response within 90 calendar days, or 60 days in Quebec.
The SRO also plans to continue work on account transfer reforms and issue guidance to help firms meet their obligations under Canada’s client-focused legal reforms, which include obligations involving account appropriateness, know-your-client, know-your-product, product due diligence, suitability, conflicts of interest, and relationship disclosure.
Cybersecurity
CIRO said it wants to expand the use of technology and automation in its own policy, compliance, and registration work. It will also develop its InnovateSafe regulatory sandbox, which lets firms test experimental products, services, technologies, and business models in a time-limited, CIRO-controlled environment.
The focus on cybersecurity is salient; in August 2025 CIRO suffered a massive cyberattack that compromised the data of over 750,000 investors.
CIRO’s efforts to improve cybersecurity will include implementing a new framework for collecting and managing cyber data, and the release of a cybersecurity tabletop exercise aimed at small and medium-sized firms: discussion-based workthroughs of simulated cyber incidents.
CIRO also plans to assess feedback on a framework for tailored online advice, continue rolling out delegated registration responsibilities across Canadian jurisdictions, and publish its first annual market regulation operations report.
Finally, it will review the Universal Market Integrity Rules (UMIR) to identify changes that could better support small dealers and junior issuers.