Amanda Ramkissoon

Senior Regulatory Adviser, OSC LaunchPad

Ontario Securities Commission

aramkissoon@osc.gov.on.ca

Ruxandra Smith

Senior Accountant, Market Regulation

Ontario Securities Commission

ruxsmith@osc.gov.on.ca

Gloria Tsang

Senior Legal Counsel, Compliance and Registrant Regulation

Ontario Securities Commission

gtsang@osc.gov.on.ca

Timothy Baikie

Senior Legal Counsel, Market Regulation

Ontario Securities Commission

tbaikie@osc.gov.on.ca

Lise Estelle Brault

Senior Director, Data Value Creation, Fintech and Innovation

Autorité des marchés financiers

Lise-estelle.brault@lautorite.qc.ca

Serge Boisvert

Senior Policy Advisor

Autorité des marchés financiers Serge.boisvert@lautorite.qc.ca

Nataly Carrillo

Senior Policy Advisor

Autorité des marchés financiers

nataly.carrillo@lautorite.qc.ca

Sophie Jean

Executive Advisor, Supervision of Intermediaries

Autorité des marchés financiers

Sophie.Jean@lautorite.qc.ca

Denise Weeres

Director, New Economy

Alberta Securities Commission

Denise.weeres@asc.ca

Katrina Prokopy

Senior Legal Counsel, Market Regulation

Alberta Securities Commission

Katrina.prokopy@lautorite.qc.ca

Cathy Tearoe

Senior Legal & Policy Counsel

New Economy

Alberta Securities Commission

Cathy.tearoe@asc.ca

Dean Murrison

Executive Director, Securities Division

Financial and Consumer Affairs Authority of Saskatchewan

Dean.murrison@gov.sk.ca

Michael Brady

Manager, Derivatives

British Columbia Securities Commission

mbrady@bcsc.bc.ca

Rina Jaswal

Senior Legal Counsel, Capital Markets Regulation

British Columbia Securities Commission

jaswal@bcsc.bc.ca

Peter Lamey

Legal Analyst, Corporate Finance Nova Scotia Securities Commission peter.lamey@novascotia.ca

Chris Besko

Director, General Counsel

The Manitoba Securities Commission chris.besko@gov.mb.ca

David Shore           

Legal Counsel, Securities Division

Financial and Consumer Services Commission (New Brunswick)

david.shore@fcnb.ca

Sonali GuptaBhaya

Director, Market Regulation Policy

IIROC

sguptabhaya@iiroc.ca

Victoria Pinnington

Senior Vice President, Market Regulation IIROC

vpinnington@iiroc.ca

Commenter

1.         

Allan C. Hutchinson

2.         

Dr. Stephen Castell (Castell Consulting)

3.         

Eric Swildens

4.         

Atlantic Blockchain Company

5.         

Piotr Piasecki

6.         

Canadian Foundation for Advancement of Investor Rights

7.         

Investor Advisory Panel (Neil Gross)

8.         

Leede Jones Gable Inc.

9.         

Crowdmatrix Inc.

10.      

Brane Inc.

11.      

Omega Securities Inc. and 4C Clearing Corporation

12.      

Wall Street Blockchain Alliance

13.      

Raymond Chabot Grant Thornton LLP

14.      

Bull Bitcoin Inc. and Satoshi Portal et al.

15.      

Durand Morisseau LLP and IJW & Co.

16.      

Paradiso Ventures Inc.

17.      

Aquanow

18.      

Jonathan Hamel

19.      

Coinsquare Capital Markets

20.      

Dominion Mining Company and Bitcanuck

21.      

Chamber of Digital Commerce Canada

22.      

Fidelity Clearing Canada ULC

23.      

Fern Karsh

24.      

Roger Miller

25.      

Tritum Inc. (John Willcock)

26.      

DV Chain, LLC (Dino Verbrugge)

27.      

Payward Canada Inc. and Affiliates (Kraken)

28.      

State Street Corporation (James J. Biancamano)

29.      

Octonomics (Elisabeth Prefontaine)

30.      

The Canadian Bankers Association

31.      

Vakeesan Mahalingam

32.      

Global Digital Finance

33.      

SoapBox Network Inc.

34.      

Investment Industry Association of Canada (Annie Sinigagliese)

35.      

Chartered Professional Accountants of Canada (Gordon Beal)

36.      

Catalx Exchange Inc.

37.      

KNOX Industries

38.      

TD Securities

39.      

The Jersey Company (Robert Young)

40.      

ViewFin Canada (Adnan Tahir)

41.      

ComplyChain Solutions (Adnan Tahir)

42.      

Canadian Digital Asset Coalition

43.      

TMX Group Limited (Deanna Dobrowsky)

44.      

Alloy Blockchain Solutions

45.      

Blockchain Technology Coalition of Canada

46.      

National Digital Asset Exchange

47.      

Bitvo

48.      

National Crowdfunding & Fintech Association of Canada

49.      

CC Corporate Counsel Professional Corporation

50.      

Anonymous

51.      

Fiach_Dubh (Reddit)

52.      

Market Data Company (Alexander Izak Levesque)

Topic

Summarized Comment

Response

General comments

Support for the proposed regulatory framework described in CP 21-402 (Proposed Framework)

Several commenters indicated support for the Proposed Framework. A few commenters agreed that the existing regulatory framework for dealers and marketplaces, with some modifications, could be extended to CTPs and noted that a different regime could create arbitrage opportunities.

We thank the commenters for their support.

Principles to consider in developing regulation for CTPs

Several commenters noted principles that the CSA and IIROC should consider in developing the regulatory framework for CTPs. These include:

•         regulation should be principles based, outcome focused, flexible and technology neutral to ensure that it is the least intrusive on innovation as possible;

•         regulation should be proportionate to allow innovative firms in the development stages to succeed while protecting investors or businesses may leave to other jurisdictions; a regulatory “light touch” approach should be taken to avoid stifling the development of new technologies;

•         regulation should consider the entire crypto-asset ecosystem, the different entities in the space (centralized and decentralized CTPs, custodial and non-custodial CTPs, custodial and non-custodial wallets, payment processors, etc.) and the multiple functions they perform;

•         requirements should mirror existing frameworks where appropriate;

•         to the extent possible, regulation should be harmonized across Canada and consistent with global regulation and international best practices; and

•         requirements should protect participants from counterparty risks and cover market integrity, surveillance, fair pricing, custody, clearing, disclosure of conflicts of interests, and systems and business continuity planning.

Many commenters suggested that further consultation and collaboration with the industry is required before developing a framework for CTPs that appropriately balances innovation and ecosystem growth with the objective of protecting participants and market integrity. A few commenters suggested the establishment of a task force of industry experts to work with policy makers and regulators (in the policy areas of finance, economic development, innovation, consumer protection and privacy), including the Department of Finance, FINTRAC and the CRA, to study and review each aspect of a CTP and the broader regulatory framework and objectives and to ensure that regulations are aligned, consistent and not overly burdensome.

We thank the commenters for these suggested principles. We have considered many of these principles and will continue to keep them at the forefront of any additional regulatory work. Securities legislation is principles based and may evolve as the industry evolves.

We have conducted extensive consultations with industry participants, both through the public comment process to CP 21-402 and through our ongoing discussions with industry participants, including CTP representatives. We will continue to consult with and work with CTPs to understand new business models and developments in the industry.

The approach applies existing regulatory requirements, to the extent these requirements are appropriate and relevant in light of the CTPs’ functions and the risks they introduce to the market. Although the scope of jurisdiction set out in CSA Staff Notice 21-327 in Canada may be broader than some international jurisdictions, our approach to regulating those platforms that fall within our jurisdiction, i.e. applying our existing regulatory framework, but tailoring it as appropriate, is consistent with that taken in foreign jurisdictions

We acknowledge the comment suggesting regulation should be harmonized across Canada and note that, given that the regulatory framework outlined in the Notice is based on existing regulatory requirements set out in various National Instruments. CSA members recognized the importance of harmonization and strive to develop a harmonized approach.

Concerns about the applicability of securities and/or derivatives regulation to CTPs

Concerns about the Proposed Framework included:

•         securities or derivatives regulation is not appropriate for CTPs that allow the trading of crypto assets that operate solely as a form of payment. The current regulatory framework for marketplaces may not be the appropriate starting point as it does not achieve the right balance for crypto assets that are not securities and have different inherent risks;

•         different crypto-assets have distinct classifications and purposes which need to be examined individually;

•         CTPs that facilitate the trading of non-securities, such as bitcoin, are MSBs and should be regulated as such;

•         the Proposed Framework is responsive to abusive businesses and risks alone, however addressing abuses in the crypto industry with rules designed for securities marketplaces could create additional risks;

•         there should be a focus on actual and material risks with a tiered approach used to establish the requirements that should apply as the risks increase or other requirements become more relevant;

•         the Proposed Framework creates barriers for new entrants and new business models and does not consider the potential impact of a stifling of innovation and the use of DLT;

•         a balance needs to be struck to ensure that Canadian CTPs are not at a competitive disadvantage as a result of the high costs of domestic compliance with requirements that may not be relevant; and

•         foreign CTPs may stop providing services to Canadians and, as a result, Canadian CTPs may be locked out of their ability to source liquidity from global markets; another comment was made, however, that foreign CTPs should be prohibited from doing business in Canada if they do not comply with the Proposed Framework.

Securities legislation applies to CTPs that trade products that are securities or derivatives, including in the situation described in CSA SN 21-327. A CTP, like other market participants, may be subject to various forms of regulation e.g., AML, MSB, deposit-taking regulations, privacy, in addition to being subject to securities legislation. 

We have reviewed the securities regulatory-related risks introduced by CTPs and how these risks can be addressed through existing principles-based securities regulatory requirements.

We contemplate that requirements will be tailored to address the unique risks.  We recognize the need to be flexible in order to foster innovation. We also recognize the need to have an appropriate level of regulatory oversight in order to provide investor protection and foster fair and efficient markets.

Many of the CTPs we have seen conduct activities that are similar to those of dealers or existing equity marketplaces.  Where CTPs trade Security Tokens or Crypto Contracts, we are of the view that the approach we describe in this Notice - based on the existing regulatory framework applicable to marketplaces and dealers with flexibility to take into account bespoke business models - is appropriate. Regulatory requirements will be tailored depending on the functions and operational model of a CTP, which may include providing exemptions from existing requirements circumstances justify it.

Alternatives to the Proposed Framework

Commenters suggested a number of approaches, including:

•         self-regulation combined with industry certifications; it was noted that number of leading CTPs in the U.S. have collaborated to create the Virtual Commodity Association with the goal of forming a self-regulatory organization specifically for virtual commodity exchanges and custodians to work with the CFTC;

•         establishment of a quasi-autonomous non-governmental organization (QUANGO) that is comprised of a full range of stakeholders, but is separate from the government, with some ties. The commenter noted that QUANGO could adopt best practices and voluntary registration as the first step; and

•         federal regulation - crypto assets that are not securities should be regulated at the federal level to limit regulatory burden and confusion.

A few commenters suggested that the focus of regulators should be on consumer education and the development of industry standards as an alternative approach to the Proposed Framework. One of the commenters suggested developing standards with bodies like the Canadian Standards Association or the Canadian Centre for Cybersecurity.

We note that industry participants may form, and some have already formed, associations that provide guidance and best practices for their members. Where the products traded on a CTP are securities or derivatives, the regulation of the CTP necessitates consistency in application with other types of marketplaces so that we can ensure that the risks are appropriately managed and a level playing field is maintained where appropriate. That being said, the applicable requirements will be considered based on the functions performed.

We agree with the importance of investor education. The CSA has already published, over time, various investor alerts regarding trading in crypto assets.

Question 1: The Consultation paper notes that the CSA is evaluating the specific facts and circumstances of how trading occurs on Platforms to assess whether or not a security or derivative may be involved and lists several factors we are considering. Are there factors in addition to those listed that should be considered?

Classification of crypto assets

Several commenters suggested that there needs to be a comprehensive taxonomy for different crypto assets.

Many commenters indicated that there needs to be further clarification on which crypto assets are securities, so that market participants are aware of the applicable requirements. It was suggested that the lack of clarity over when securities legislation applies may cause projects and businesses to move to jurisdictions that offer greater clarity. A few commenters highlighted factors to be considered in assessing whether a CTP is subject to securities legislation.

Some commenters provided comments on the meaning of “delivery” in the context of CTPs. A couple of commenters suggested the CSA should consider the approach of the CFTC and their proposed interpretation of “actual delivery”.

There are various ways of categorizing crypto assets for different purposes. Unfortunately, this will not necessarily assist with an assessment of the application of securities legislation.  The definition of “security” is broad and inclusive.  The definition of “derivative” is similarly broad.  Further, on January 16, 2020, we published CSA Staff Notice 21-327 that provides guidance on some of the factors to be considered for determining whether securities legislation applies even where the crypto asset is not itself a security or derivative.  This guidance is largely consistent with the CFTC’s interpretation of “actual delivery” with differences to account for the specific limitations on jurisdiction within the U.S. Commodity Exchange Act.

Question 2: What best practices exist for Platforms to mitigate the risks outlined in Part 3 of the Consultation Paper? Are there any substantial risks which we have not identified?

Comments on best practices

Best practices suggested by commenters to mitigate the risks outlined in CP 21-402 included:

Safeguarding of crypto assets

•         multi-signature wallets, segregation of accounts and segregation of duties;

•         custodial services should be separated from other services;

•         custody should only be provided by IIROC dealers, banks or trust companies;

•         third-party custodians should maintain a certain reserve ratio;

•         a majority of assets should be held in cold-storage;

•         CTPs should operate on a “full reserve basis” with segregated accounts;

•         CTP could set aside some of its profits (in fiat or crypto) in a segregated account intended to be an emergency re-capitalization fund which it could deploy to recoup losses in the event of a hack;

Policies and procedures

•         CTPs should have well documented policies and procedures and internal controls in place including, but not limited to, adequate disaster recovery and business continuity planning protocols;

Disclosure

•         CTPs should be required to provide disclosure to participants on the CTP, including in the following areas:

o   information about the crypto assets available for trading on the CTP;

o   the selection criteria for admitting a crypto asset for trading on the CTP;

o   policies for managing hard and soft forks;

o   CTP rules and practices including frequently asked questions;

o   ownership, possession and control parameters;

o   conflicts of interest including whether the CTP trades as principal;

o   fees;

o   trading limits;

o   how prices are determined;

o   crypto assets that have been stolen or were involved in a fraud, as reported by investors;  and

o   risks related to the CTP’s operations, safeguarding of crypto assets and trading;

Security and compliance

•         employees should go through extensive background checks;

•         CTP executives should be required to pass certain amended regulatory exams and should certify that the CTP is in compliance with applicable rules and regulations;

•         attestation by CTP participants that the controls required by the user are in place and working;

Conflicts of interest

•         CTP employees should be prohibited from trading on information that gives them an advantage over non-employees;

Cybersecurity and system resiliency

•         regular testing for adequacy of security controls and vulnerabilities;

•         mandatory implementation of processes and procedures like those that exist for traditional marketplaces, such as enterprise risk management, information security management systems and control frameworks (COSO and COBIT);

Order and trade transparency

•         requiring users and related parties to be identified so that CTPs can identify fake trading volume;

•         use of central information processors, like those used for marketplaces;

Reporting

•         CTPs should be required to provide third-party reports on volume and trade data;

Client confidentiality

•         access to participants’ confidential information should require two-factor identification and be limited to a small number of CTP employees that are required to have access to perform their duties;

•         “zero-knowledge proofs” or technologies such as RingCT could be used to ensure the confidentiality of participants’ trades;

•         CTPs should consider whether trades could be executed between parties without the CTP knowing the identity of the parties, but rather by trusting a third-party that has verified the identity of the parties so that sensitive information is not required to be sent to a CTP that may not have the proper security in place to store user data;

Prudential requirements

•         capitalization requirements should be imposed on business models where customer assets are held in omnibus or commingled accounts;

Insurance

•         appropriate and sufficient insurance coverage is important to mitigate the key risks associated with CTPs;

Independent reviews

•         regular financial and technology audits should be conducted on CTPs, both internally and by third-parties, as well as audits of underlying assets where the CTP permits the trading of crypto assets that are digital representations of a tangible asset; and

•         regular on-site field reviews by regulators.

We thank the commenters for providing suggestions for best practices that would help manage the risks outlined in CP 21-402. We will consider these best practices in assessing whether the CTP complies with applicable requirements. It is our intention to be flexible, so that the principles-based requirements can be met through different means, as long as the risks introduced by CTPs are addressed.

Other substantial risks

Commenters noted a number of risks:

Safeguarding crypto assets

•         there are risks related to multi-signature implementation, key management and asset verification;

•         risks related to the transfer of crypto assets including address verification and transaction approvals;

Insider fraud

•         greater risk of delay in detecting insider fraud given CTPs are often involved in all aspects of a trade;

Lack of policies and procedures

•         many CTPs lack policies and procedures to detect and monitor fraud and AML activities within and across CTPs;

Fake trading volume

•         the practice of creating inflated trading volumes, particularly for CTPs that issue their own tokens

Lack of reliable banking services

•         risks related to the use of third-party payment processors and off-shore banks, including that funds may become frozen or lost when relationships are terminated or there is reliance on suppliers in risky jurisdictions outside of Canada;

•         the lack of a reliable banking partner may also create barriers to audits, insurance and efficient price discovery

Forked crypto assets

•         forks can come with different security and economic implications as they may be unsupported by the CTP’s infrastructure or the new wallets may introduce security vulnerabilities to the CTP;

Initial Coin Offerings (ICO) and Initial Token Offerings (ITO)

•         risk of pump and dump schemes for crypto assets that are created through ICOs and ITOs;

•         misappropriation by founders of funds raised through ICO/ITO; and

Decentralization

•         decentralization will result in heightened risks due to the diffusion of accountability; that tracking the risk will become more and more difficult unless guidelines are well developed now.

We thank the commenters for highlighting these risks. We believe that the approach outlined in the Notice will help mitigate the risks identified, to the extent that they are applicable to CTPs. For example:

•         risk of lack of policies and procedures – CTPs will be required to establish and maintain policies and procedures that ensure compliance with securities legislation and manage the risks associated with their business.

•         risk of artificially higher trading volume due to practices such as wash trading – CTPs will be required to comply with requirements in NI 21-101 to maintain fair and orderly markets; Platform participants will be required to comply with the UMIR (as amended as may be necessary to accommodate the unique features of CTPs and the crypto assets they trade) which, among others, prohibit manipulative and deceptive trading activities and the entering of orders with the goal of creating a false or misleading appearance of trading activity or interest in a particular security.

•         risks associated with security and vulnerability due to forks – CTPs will be required to have adequate systems and information technology controls, including controls over the security of their systems, and to provide disclosure of risks where the DLT has undergone a fork or other irreversible change.

Question 3: Are there any global approaches to regulating Platforms that would be appropriate to be considered in Canada?

General comments

A number of commenters have indicated that Toronto is quickly becoming a hub for innovation and investments in DLT. A few commenters have cautioned that firms will leave Canada to jurisdictions with lower barriers to entry if regulation is too costly, onerous or restrictive. It was noted that, without domestic access, Canadian investors will increase the use of foreign CTPs with potentially heightened risks. One commenter, however, cautioned against adopting approaches in jurisdictions with more accommodating policies.

Other comments raised included:

•         views that there are no leading global approaches yet;

•         it is mostly non-G20 countries that have adopted tailored frameworks that create more room for innovation.

As we indicated in CP 21-402, many jurisdictions globally are applying their existing regulatory requirements to regulate CTPs that trade products that fall within their regulatory jurisdictions. We are of the view that the approach described in the Notice, which leverages existing regulatory requirements, is consistent with the approaches taken in other jurisdictions.

We note that, to the extent that foreign CTPs are accessed by Canadian clients, we would consider a registration or exemption regime for those CTPs depending on the regulatory regime applicable and whether the risks are addressed.

Global approaches that should be considered

Commenters suggested the CSA and IIROC consider approaches taken in the following jurisdictions:

•         Asia Securities Industry and Financial Markets Association’s (ASIFMA) guidance;

•         Abu Dhabi;

•         Australia;

•         Bahamas;

•         Bahrain;

•         Barbados - it was noted that Barbados does not intend to regulate utility tokens (or protocol tokens) as securities and has also developed legislation that is focused on the security of CTPs;

•         Bermuda – Digital Asset Business Act (DABA) - it was noted that DABA is a comprehensive regulatory regime that provides regulatory certainty and consumer protection without sacrificing innovation;

•         Estonia;

•         France - it was noted that the AMF has adopted a draft bill (action plan for business growth and transformation) that establishes an optional visa regime for ICOs and an optional license regime for crypto asset service providers;

•         Germany;

•         Gibraltar – it was noted that the Gibraltar Financial Services Commission (GFSC) requires that any company “storing or transmitting value belonging to others” using DLT, including CTPs, be licensed by the GFSC. The GFSC regulations cover obligations of DLT providers to have adequate infrastructure in place for AML and CFT, solvency, corporate governance and cybersecurity;

•         Japan;

•         Mauritius – it was noted that Mauritius has developed a regulatory framework for custodial services by working with industry experts;

•         Malta - it was noted that Malta was implementing certification programs to facilitate the creation of a set of credentialed advisors that could serve as a second vetting layer for industry participants.

•         Singapore;

•         Switzerland; 

•         UK;

•         United States

o   a few commenters indicated that due to the close alignment between Canadian and U.S. markets, the approach of the SEC should be considered (whose position is that CTPs trading in crypto assets that are securities should be registered with FINRA as a broker dealer);

o   a few commenters also pointed to the approach by Wyoming state where a bill was enacted exempting utility tokens from being classified as securities;

o   a few commenters have also suggested the approach taken by the NYDFS;

o   one commenter suggested considering guidance issued by the US Financial Crimes Enforcement Network (FinCEN) regarding the application of regulation to certain business models involving crypto assets; and

o   a few commenters cited self-regulatory efforts in the United States including the creation of the virtual commodity association (VCA).

We thank the commenters for these suggestions.

We have and are continuing to monitor closely regulatory developments and approaches in other jurisdictions, including the countries that are part of the G20 and also those identified in the responses to CP 21-402.

Global approaches that should not be considered

Some commenters suggested that the following approaches should not be considered:

•         NYSDF’s BitLicense – it was noted that the BitLicense hampers investors and has caused CTPs to leave NY state and blacklist residents of NY state;

•         Malaysia - a few commenters cautioned against sweeping regulations, such as Order 2019 in Malaysia, which specifies that all digital currencies be classified as securities; and 

•         China and Vietnam – one commenter expressed that an outright ban on crypto assets should not be considered as it will result in the creation of an underground network and would not advance the goal of protecting Canadian investors. 

We thank commenters for their suggestions. We note that we are not considering an outright ban on crypto assets.

As indicated above, we have published CSA Staff Notice 21-327 that provides guidance on when entitlements to crypto assets that are not themselves securities or derivatives, may be considered securities or derivatives.

Question 4: What standards should a Platform adopt to mitigate the risks related to safeguarding investors’ assets? Please explain and provide examples both for Platforms that have their own custody systems and for Platforms that use third-party custodians to safeguard their participants’ assets.

General comments

A few commenters were of the view that CTPs should not be allowed to have their own custody systems and one commenter noted that custody of crypto assets should be limited to regulated entities, such as banks and trust companies. One commenter, however, indicated that using third-party custody services will increase costs for the CTP and its participants. Another commenter identified jurisdictional risk in using foreign third-party custodians.

The risk that investors’ assets are not appropriately safeguarded is one of the key risks identified in CP 21-402.

We expect that standards to mitigate risks associated to the safeguarding of assets will evolve as the industry evolves and we intend to continuously consider the appropriate tools and mechanisms to ensure the safety of client assets.

For example, where CTPs outsource custody services to third-party providers, they will also be subject to the requirements applicable to dealer or marketplaces that outsource key services or systems to a service provider set out in NI 31-103 or NI 21-101, respectively, which include ensuring that the securities regulator has access to all data, information and systems maintained by the third-party service provider. The purpose of these requirements is to ensure CTPs have policies and procedures to evaluate and approve outsourcing agreements and monitor the ongoing performance of the service provider.

Minimum standards that should be met by CTPs that offer custody services and for those using third-party custodians

One commenter suggested that CTPs should be provided the flexibility to choose the minimum standards they must maintain so long as they are able to demonstrate the adequacy of such standards.

Most commenters, however, provided suggestions on minimum standards that could be adopted both by CTPs that provide custody services and by those using third-party custodians. They included:

•         segregation of assets;

•         maintaining a majority of assets in cold storage;

•         ensuring privacy of data and cybersecurity;

•         verification of assets;

•         imposing special capital requirements or, if financially feasible, insurance to protect assets,

•         requiring ISO 27001 and ISO 27017 certification if cloud-based technology is used;

•         requiring National Institute of Standards and Technology (NIST) minimum level 3 certification; it was noted that NIST also has standards for generating public and private cryptographic keys that should be considered;

•         requiring standards similar to other financial market infrastructures, such as those outlined by the Committee on Payment and Settlement Systems of IOSCO;

•         requiring the Crypto Currency Security Standard published by the Crypto Currency Certification Consortium, which provides guidance for security best practices for crypto assets; and

•         imposing requirements similar to those of the SEC.

Since the requirements under securities legislation are principles based, CTPs will have the flexibility to implement different mechanisms as long as they can confirm that the risks associated with safekeeping of investors’ crypto assets are adequately managed. The suggestions provided will be helpful for the CSA when evaluating whether CTPs’ internal controls and policies and procedures regarding custody are adequate.

We would expect that, at a minimum, CTPs will seek to ensure the following as part of their custody solution:

•         control over access to investors’ assets;

•         segregation of investors’ assets from the CTP’s own assets;

•         verification of crypto assets;

•         use of cold storage for a majority of participants’ crypto assets; and

•         adequate levels of insurance or alternative risk management strategies.

Best practices for CTPs offering custody services

Commenters suggested a number of best practices for CTPs offering custody services, as follows:

System controls

•         maintaining and demonstrating robust system design, specifically intended to avoid “single points of failure”;

•         clearly documenting and following policies and procedures; and

•         enterprise risk management and financial and systems controls, regardless of whether CTPs self-custody or use a third-party custodian for their participants’ assets;

Internal controls

•         ensuring that a sufficient number of senior management has access to wallets;

•         restricting access to crypto assets to personnel that undergo background and criminal checks;

•         recording access to funds on tamper-proof logs residing outside of the CTP and making such records available to participants;

•         requiring multiple signatures in order for transactions to be completed;

•         a “Dead Man Switch”, where the former responsibilities of a deceased individual can get transferred safely to a trusted third party;

Segregation of client assets

•         segregating client assets from the assets of the CTP and, in the case of third-party custodians, from assets of other businesses stored by the custodians;

•         one commenter noted that client assets should be held separately for each client;

Storage of client assets

•         generating and managing digital wallet keys offline for the lifetime of the key, on dedicated hardware (such as HSMs) that have received a rating of FIPS 140-2 Level 3 or higher; it was noted, however that HSMs, while used pervasively in the industry, may be appropriate for lower value, high volume-high speed transactions in which the storage of information is ephemeral but not for long-term storage of high value crypto assets;

•         maintaining redundant sites to protect participants’ assets;

•         storing assets in multiple geographic locations;

•         a CTP’s corporate headquarters should not store or contain crypto assets of material value;

•         limiting the storage of crypto assets to Canada to manage potential jurisdiction risks;

•         ensuring no two keys for the same wallet are present on a single device;

•         maintaining a majority of crypto assets in cold storage; it was further suggested that the private keys should be maintained on a computer or hardware device that has never been on the internet and is physically secured in a vault;

•         giving participants a choice in whether to store their assets on the CTP or in their own wallets;

•         maintaining fiat currency with a regulated financial institution located in a trusted jurisdiction;

Other

•         establishing voting pools where multiple CTPs get together to secure one another’s funds; with this concept, a CTP on its own would not be able to move funds, even its own funds; CTPs would cross-audit one another and will be responsible for countersigning transactions;

•         requiring CTPs to have proof of reserves (proof that a CTP maintains a minimum amount of assets);

•         establishing limits for the level of assets that can be maintained in hot wallets; one commenter indicated that only amounts required to facilitate daily trading liquidity on the CTP and those needed to satisfy withdrawal requests made by customers should be held in the hot wallet;

•         limiting withdrawals to a specific, narrowly defined timeframe (for example, allowing withdrawals only once a day);

•         for CTPs that use third-party custodians, implementing a reconciliation process between its internal accounts and the assets custodied by the third parties;

•         custody of digital assets should be limited to regulated custodial entities (banks and trust companies). This is necessary because of risks in “hybrid” nature of platform operations; and

•         development of a standardized settlement cycle, reconciliation requirements and dispute adjudication procedures.

We thank commenters for the suggested best practices identified. As noted above, we are of the view that it is important to allow CTPs’ flexibility to implement their own processes, policies and procedures, as long as the risks introduced when they offer custody services are managed and adequately disclosed. Consequently, we will consider these suggestions when evaluating whether a CTP has implemented adequate custody arrangements, including adequate internal controls, policies and procedures over custody services.

CTPs that retain third-party custodians

Comments specific to CTPs that retain third-party custodians were as follows:

•         CTPs should be required to conduct thorough due diligence on third-party custodians before retaining them;

•         CTPs should conduct ongoing due diligence to ensure agreements with custodians are being fulfilled as expected;

•         CTPs should disclose to their participants the use of third-party custodians

•         there should be requirements that third-party custodians be insured for theft and subject to regular external security audits;

•         users should be enabled to verify their funds by using view keys or moving the funds to temporarily show that they are actually under their control; and

•         there is jurisdiction risk when using foreign third-party custodians.

A few commenters noted that third-party entities should:

•         provide verification of policies and procedures regarding conflicts of interest, fair access, segregation of participants’ assets and insider theft;

•         issue independent audit reports on internal controls;

•         verify assets and issue a report; and

•         verify that there is full segregation of crypto assets for each client.

As noted above, Dealer Platforms will be subject to the requirements applicable to custody in Division 3 of NI 31-103 or, if they are Marketplace Platforms, those applicable to marketplaces that outsource key services set out in section 5.12 of NI 21-101.

The suggestions regarding third-party entities may be helpful for CTPs in determining whether they have adequately assessed a third-party service provider.

Question 5: Other than issuance of Type I and Type II SOC 2 Reports, are there alternative ways in which auditors or other parties can provide assurance to regulators that a Platform has controls in place to ensure that investors’ assets exist and are appropriately segregated and protected, and that transactions with respect to those assets are verifiable?

Scope of SOC 2 reports

•         Some commenters noted it is important for regulators to understand the scope of SOC 2 reports, since not all cover the same scope of controls;

•         One commenter noted that the scope and baseline of controls be determined before options regarding how to provide assurance over the design and effectiveness of these controls can be considered; the same commenter indicated that, once this is done, the CTP can decide whether to obtain a SOC 1 or SOC 2 report;

•         It was also suggested that regulators could review the scope proposed by a CTP on a case by case basis;

•         It was noted that, currently, SOC 2 reports are based on the Trust Service Criteria, but regulators should require that a SOC 2 report cover certain controls such as those related to system availability, processing integrity, confidentiality and privacy, as well as regulatory controls such as those related to client acceptance, transaction processing and custody;

•         One commenter indicated that the Trust Service Criteria should be supplemented by other frameworks dealing with a specific subject matter, for example, the NIST 800-53 Cloud Controls Matrix when reporting on cloud solutions; and

•         One commenter noted that the issuance of SOC2 Type I and Type II reports is not an adequate measure of safety for this industry.

A number of commenters indicated that it is not possible that CTPs provide an unqualified opinion in a SOC 2 Type I or Type II report until it has been in operation for a reasonable period of time and suggested that a SOC 2 Type I report should be accepted for a period covering the initial operations (for example, six months), and a SOC 2 Type II report thereafter.

We thank commenters for their suggestions. It is our intention to focus the SOC 2 reports on critical systems for example, custody, order entry, and order execution systems. The determination of critical systems for a particular CTP will be dependent on the functions provided by the CTP.

The scope of the SOC 2 reports will be discussed with each CTP at the time that the independent systems review is being planned.

We acknowledge that CTPs may not be able to provide an unqualified opinion for a SOC 2 report at the time of launch.

We will consider other possible mechanisms to obtain the necessary assurance.

Alternatives to SOC 2 reports

Commenters suggested a variety of ways for CTPs to provide assurance to regulators that a CTP has controls in place to ensure that investors’ crypto assets exist and are properly protected, and that transactions are verifiable. These include:

•         regulators having special teams dedicated to emerging technology, including blockchain, that would, among other things, conduct reviews to ensure that investors’ assets exist and are properly segregated and protected;

•         establishing an SRO with a division that specifically deals with this issue;

•         regulators engaging a third party that offers security evaluation services to the government and industry;

•         accepting reports from qualified experts which are not necessarily auditors, as long as relevant qualifications concerning independence and expertise can be established (similar to mining experts);

•         accepting SOC 1 reports with the appropriate scope and control objectives; it was noted, however, that a SOC 1 report should be required in addition to a SOC 2 report, because it focuses on a service organization’s controls likely to be relevant to an audit of financial statements, which may include controls over custody systems if they are relevant to financial reporting;

•         requiring frameworks such as COSO, COBIT or CSAE 3000;

•         accepting a SOC 2 Type I report alone;

•         accepting SOC 3 Type I and Type II reports, as these are easier for investors to understand;

•         performing audits of specified procedures that are designed to target key areas of risk and security concerns; and

•         requiring CTPs to provide ‘Proof of Reserve’.

We thank commenters for their suggestions. It is our intention to generally require third-party systems reviews to be conducted on an annual basis once operations begin to provide assurance to regulators that a CTP has appropriate internal controls in place, similar to the existing requirements for marketplaces.

If it is not possible to provide a SOC 2 report, CTPs may propose alternatives to provide regulators with this assurance. Such alternatives may be acceptable if the appropriate or a similar level of comfort is provided.

In our view, from an investor protection perspective and given the high risk associated with safekeeping of investors’ assets, it is especially important for CTPs that offer custody services to provide a third-party report on relevant controls. CTPs outsourcing such services would have to ensure that the service entity to which the custody functions were outsourced can provide such a report.

That said, as indicated above, there will be flexibility on the types of entities qualified to provide custody and the scope of the reviews, as long as the risks are addressed and required assurance is provided.    

Question 6: Are there challenges associated with a Platform being structured so as to make actual delivery of crypto assets to a participant’s wallet? What are the benefits to participants, if any, of the Platforms holding or storing crypto assets on their behalf?

Benefits associated with CTPs maintaining participants’ assets

Commenters noted the following benefits associated with CTPs maintaining participants’ assets:

•         CTPs have security and technology resources that individuals do not have;

•         there is no risk of participants losing their own private keys as a result of participant error;

•         investors may not be interested in maintaining wallet technology;

•         lower fees (for example, there are no on-chain transaction fees, no mining verification costs);

•         higher speed of trading (because there is no on-chain transaction verification

•         participants are able to sell crypto assets quickly in response to market developments, which better allows them to manage market risk;

•         holding multiple participants’ assets allows a CTP to aggregate multiple trades easier and ensure that large orders can be cleared in a simple fashion, without triggering a lot of small, on-chain transactions;

•         requiring CTPs to hold participants’ assets in individual segregated wallets could publicly reveal confidential information about the participants’ holdings, trades and counter-parties;

•         holding participants’ crypto assets would mitigate the risk that a participant selling crypto assets will fail to complete a sale; and

•         for crypto asset to fiat trading, a centralized party is needed to store and distribute the fiat to investors.

We thank the commenters for these responses. While it is not our intention to mandate how crypto assets are held, these considerations will help us better understand the risks associated with CTPs’ operations and whether they have the proper processes to manage these risks.

Challenges and concerns associated with CTPs holding crypto assets for their customers

A few commenters indicated challenges and concerns associated with CTPs holding crypto assets for their customers, including:

•         the fact that facilitating the transfer of crypto assets in and out of a CTP is viewed by many third parties (insurance providers, banks etc.) as a high-risk activity from both a money laundering and fraud perspective;

•         there is an expectation for CTPs holding private keys to keep up with events such as “hard forks”, “airdrops” and “dividends”, which would require additional programming and technical modifications by the CTP;

•         CTPs may not be qualified custodians or use the services of a qualified custodian and may not utilize acceptable controls,

•         CTPs may not segregate participants assets from the CTP’s assets;

•         CTPs may become target for attacks by hackers when they hold a large quantity of crypto assets; and

•         the creation of difficulties for legal ownership determination.

We thank the commenters for these responses. They raise important considerations that will help regulators understand the risks associated with CTPs holding crypto assets for their investors, and whether they have adequate processes to ensure that the investors’ assets are safe.

Question 7: What factors should be considered in determining a fair price for crypto assets?

Comments on factors to consider in determining a fair price

A number of commenters noted that pricing should be determined by supply and demand in the market, and that market forces will ensure that CTPs have an economic incentive to maintain fair prices.

Commenters listed factors that should be considered in determining a fair price for crypto assets. They included:

•         for ICO tokens, the progress made on the underlying technology and the type and purpose of the utility underlying a crypto asset;

•         whether the founding members or representatives of the crypto asset are active participants on social media and respond quickly and appropriately to questions and critiques;

•         the bid and the ask, for crypto assets that do not derive their value from underlying products;

•         for tokens backed by an asset, such as gold or a fiat currency, the asset and liquidity of the token;

•         whether the underlying asset produces dividends;

•         mining costs and difficulty of mining;

•         the number of tokens issued / that will be issued and whether there is a small group that has possession or control of a large portion of the issued tokens;

•         volume of crypto assets that cannot be traded (e.g., lost, locked up in a smart contract, hack or ICO);

•         transaction speed and cost;

•         price of other / related crypto assets;

•         legitimate level of trading volume / liquidity, and the mix of types of order flow;

•         jurisdiction and regulatory oversight for a particular CTP or crypto asset;

•         use of liquidity pools and arbitrage bots;

•         shorting and / or margin trading can have benefits in preventing market manipulation (and thus efficient pricing that is in line with other CTPs and creates a more consistent global price for digital assets); and

•         third party reference data (reliable and vetted).

We thank commenters for describing the factors that should be considered in determining a fair price for crypto assets.

Where the CTP or an affiliate is trading on the CTP as principal, the CTP will be required to provide participants a fair price. In addition, a CTP will be expected to not do anything that interferes with a fair and orderly market, which would include offering unfair prices.

IIROC’s fair pricing requirements allow dealers flexibility in determining what policies and procedures are needed, as long as they meet the requirement to provide a fair price. In the context of their oversight, regulators review their policies and procedures to assess whether they are adequate.

Question 8: Are there reliable pricing sources that could be used by Platforms to determine a fair price, and for regulators to assess whether Platforms have complied with fair pricing requirements? What factors should be used to determine whether a pricing source is reliable?

Pricing sources that may be used by CTPs to determine a fair price

While one commenter indicated that they were not aware of any pricing sources that were reliable, many commenters suggested a number of pricing sources that could be considered, including:

•         Coinmarketcap.com (it was noted, however, that this source can simply add or remove data from specific CTPs only);

•         Poloniex (for less liquid crypto assets);

•         Bloomberg (which encompasses data from large CTPs such as Coinbase, Kraken and Bitstamp);

•         a weighted average of prices on the large CTPs (examples given were Coinbase, Bitfinex, Binance) or CTPs with high depth of the market. It was noted, however, that an approach where prices are aggregated across CTPs may not be adequate because there may be misleading trading activity;

•         MV Index Solutions GmbH (MVIS), an index provider based in Frankfurt and regulated as an index administrator by BaFin, as they administer the MVIS CryptoCompare Bitcoin Index

•         the CME CF Bitcoin Reference Rate published by the CME and the CME CF Bitcoin Real Time Index (BFTI);

•         the Ethereum Reference Rate and Real-Time Index; and

•         Brave New Coin has indices supported by NASDAQ.

We thank the commenters for the responses. We will be considering this information.

Factors that should be used in determining whether a pricing source is reliable

One commenter indicated that key signs that a pricing source is unreliable are: fake volume, increasing volume without an increasing number of users and consistent uniform volume that is not consistent with what is expected on a CTP.

One commenter noted that a pricing source is reliable if the price is established based on the most recent legitimate transaction completed. Another commenter stated that the onus is on a CTP to communicate their best execution strategy and provide sufficient data to substantiate based on own methodology. Another commenter noted that regulators should focus on global markets that afford same level of protection to arrive at a “consolidated national (global) best bid/offer”.

We thank commenters for the input on means of determining whether a pricing source is reliable.

Question 9: Is it appropriate for Platforms to set rules and monitor trading activities on their own marketplace? If so, under which circumstances should this be permitted?

Circumstances under which a CTP may be permitted to set their own rules and monitor trading activities on their CTP

A few commenters were of the view that CTPs should not monitor their own trading activities. One commenter suggested that a CTP be required to retain a regulation services provider (RSP), at least initially, and use its own surveillance system in parallel. If the two monitoring regimes produce the same results, then the CTP may be permitted to conduct its own surveillance. One commenter raised questions regarding IIROC’s capacity to surveil and supervise these CTPs if multiple applicants become registered.

Another small subset of commenters expressed that it is reasonable for CTPs to set and enforce their own rules and noted that CTPs have already started to monitor their own trading. It was noted that a number of CTPs are currently using Nasdaq’s proprietary monitoring software (SMARTS). Some thought that this should be allowed at least until such time as regulatory authorities are able to provide full market oversight.

Most commenters, however, supported an approach where the CTP (or a third party that is not a regulator) would monitor trading activities, subject to regulatory oversight. Commenters noted that this could be done in a few different ways, for example:

•         by allowing the CTP to monitor compliance with marketplace specific rules and activities but also requiring the CTP to engage an RSP such as IIROC to conduct market surveillance;

•         allowing CTPs to monitor for manipulative and deceptive trading, with regular reporting of transactions to the RSP; and

•         allowing CTPs to monitor their own trading, subject to regulatory access and oversight where the activities are relatively straightforward and the CTP presents a relatively low risk.

We thank commenters for their responses. We remain open to options regarding surveillance of trading activities under the interim approach to regulation described in the Notice, provided these are appropriate and adequate for the marketplaces operated. We expect IIROC to monitor trading of the Marketplace Platforms it regulates to ensure, among others, a consistent level of regulatory oversight across Marketplace Platforms and, where appropriate and trading activities are similar, to existing marketplaces.

Question 10: Which specific market integrity requirements should apply to trading on Platforms? Please provide specific examples.

Comments on the UMIR that should apply to CTPs

The responses varied. A small number of commenters thought that the UMIR in its current form should apply to trading on CTPs.

Some commenters thought that, while the entire UMIR may not apply, or may need to be modified to account for specific nuanced elements of CTPs (such as the fact that they operate outside of regular market hours), at least some of the provisions of the UMIR should apply, such as:

•         Part 2 – Abusive Trading

•         Part 3 – Short Selling

•         Part 4 – Front Running

•         Part 5 – Best Execution

•         Part 6 – Order Entry and Exposure

•         Part 7 – Trading on a Marketplace

•         Part 8 – Client Principal Trading

•         Part 10 – Compliance

We contemplate that, generally, the trading activity on a Marketplace Platform will be subject to the UMIR or requirements consistent with those in the UMIR, although tailoring of such requirements may be appropriate to accommodate the novel aspects of CTPs.

Prohibition of dark trading and short selling activities

Three commenters cautioned against prohibiting short selling and margin trading without doing further analysis on their prevalence and significance. It was noted that short-selling activities may help crypto assets become legitimate assets in the mainstream financial markets, provide a means of stability and risk management, and prevent market manipulation.

As noted in CP 21-402, CTPs will not be allowed to permit dark trading or short selling activities, or to extend margin to their participants in the near term. We will revisit this once we have a better understanding of the risks introduced by CTPs to the market and how these risks are managed.

Question 11: Are there best practices or effective surveillance tools for conducting crypto asset market surveillance? Specifically, are there any skills, tools or special regulatory powers needed to effectively conduct surveillance of crypto asset trading?

Comments on crypto-asset market surveillance tools

While one commenter noted that there are no reliable third-party surveillance tools currently in the market, others gave the following examples:

•         Blockchain.com;

•         Etherscan.io;

•         Nasdaq’s SMARTS market surveillance technology;

•         the Irisium Surveillance platform from Cinnober;

•         specialized blockchain analysis such as Elliptic, CipherTrace or Chainalysis, which can trace transactions;

•         surveillance software that can monitor “Know Your Transaction”; and

•         FinCEN.

We thank the commenters for these responses. As we noted above and in the Notice, we have proposed an interim approach to regulation for CTPs that need more time before IIROC membership can be obtained. We will consider these surveillance tools in assessing whether the CTP is adequately managing their risks.

Question 12: Are there other risks specific to trading of crypto assets that require different forms of surveillance than those used for marketplaces trading traditional securities?

Commenters noted the following risks:

•         where transactions are conducted wallet-to-wallet, investors may not be dealing with a trusted counterparty;

•         trading occurring outside of displayed venues;

•         inflated transaction volumes on CTPs;

•         the global nature of the business;

•         the highly technical nature of the business;

•         security risks;

•         anonymity of wallets;

•         money laundering / terrorism financing; and

•         not all cryptocurrencies have surveillance software.

We thank commenters for identifying these risks. We will take them into consideration in determining the appropriate surveillance for CTP trading.

Question 13: Under which circumstances should an exemption from the requirement to provide an ISR by the Platform be appropriate? What services should be included/excluded from the scope of the ISR? Please explain.

Circumstances under which an exemption from the ISR requirement may be appropriate

While two commenters indicated that there are no circumstances where an exemption to provide an ISR by a CTP would be appropriate, most commenters supported some flexibility in applying the requirement. Other commenters indicated that ISRs can be prohibitively expensive for small firms, and that there should be flexibility depending on the level of complexity and risk of the CTP.

Commenters noted the following circumstances in which such an exemption may be appropriate:

•         where the CTP is decentralized and matches and settles the transactions without holding private keys and its participants use a multi signature wallet;

•         if there is regular and independent self-assessment of internal controls conducted by the CTP, the CTP provides reports of its monitoring of controls, no significant issues are identified, and exposure is limited; and

•         for CTPs that leverage well established third-party systems (such as cloud-based infrastructure, trade matching engines and surveillance tools developed by traditional equity market providers).

Other comments included:

•         marketplaces should voluntarily submit ISRs for the next five years until patterns can be observed and a generalized approach conceived; and

•         There should be a transitional period to determine whether an ISR is needed.

While there should be some flexibility in applying the requirement for an ISR, the reliance on critical systems for trading and management of client assets is a key risk for CTPs. For this reason, we are of the view that the right balance needs to be struck to ensure the reliability, resilience and security of these systems.

We may consider exemptions from the requirement to conduct third party systems reviews on critical systems where assurance is provided that the risks are appropriately being managed and that systems and controls used are assured to be reliable, resilient and secure.

Services that should be included or excluded from the scope of an ISR

One commenter noted that the scope of an ISR should be determined by insurance providers, as policies are priced partly on the basis of independent system reviews.

Other commenters noted the following services that should be included in the scope of an ISR:

•         custodial services;

•         system capacity to handle changing market conditions;

•         robustness of BCP and DRP; and

•         effectiveness of incident reporting and remediation.

The purpose of ISRs is to provide regulators with independent assurance that CTPs have adequate internal and information technology controls for its critical systems. While insurance providers may price their policies partly based on independent system reviews, the scope of any independent reviews they require may not be similar and not transparent to regulators. For these reasons, we are of the view that it would be inappropriate to rely on ISRs whose scope is dictated by insurance providers.

As indicated above, we agree that custodial services should always be included in the scope of an ISR. We may consider exemptions for other non-critical functions, in certain circumstances.

Other comments

One commenter noted that the existing requirement in subsection 12.4(2) of NI 21-101 regarding the resumption of operations following the declaration of a disaster by a marketplace should not apply to CTPs trading digital securities, as they trade a few unique securities.

We note that the requirement in subsection 12.4(2) of NI 21-101 requires that a marketplace have policies and procedures for resumption of operations of their systems. The requirement allows for flexibility in circumstances where this is not possible.

Question 14: Is there disclosure specific to trades between a Platform and its participants that Platforms should make to their participants?

Disclosure specific to trades between a CTP and its participants

Commenters indicated that CTPs should disclose that the CTP acted as principal and any discrepancies between the trade and the terms of an equivalent trade, if that trade were to be made on the market.

It was also suggested that designated market makers on a CTP should have unique identifiers, so that participants can identify trades executed against a market maker.

CTPs should disclose all conflicts of interest, including those that would arise when a CTP trades as principal.

We will consider the suggestion that designated market makers should have unique identifiers to allow participants to identify trades against a market maker. We note that currently, designated market makers trading on equity exchanges do not have unique identifiers to the public but IIROC is able to identify them in its surveillance system.

Question 15: Are there any particular conflicts of interest that Platforms may not be able to manage appropriately given current business models? If so, how can business models be changed to manage such conflicts appropriately?

Conflicts of interest related to the multiple functions performed by CTPs

Multiple commenters noted that the combination of the multiple functions that may be performed by CTPs, specifically, acting as a marketplace, clearing agency, dealer and custodian, presents conflicts of interest. Commenters indicated that these conflicts could be managed in a number of ways, including:

•         by bifurcating a CTP’s role as a dealer and marketplace;

•         by providing transparency of these functions, risks and mitigating controls;

•         by separating the functions of order matching, market making and deposit taking;

•         by limiting access by proprietary trading desk to customer information; and

•         careful consideration of the market making function.

Some commenters believed that CTPs should not be permitted to provide custody of participants assets to avoid operational conflicts.

Other conflicts of interest identified included:

•         participants’ funds may not be segregated from the funds of the CTP;

•         the CTPs may trade as principal (although one commenter thought this could have benefits, such as increased liquidity);

•         CTPs have more information than their participants (for example, they hold information of previous participants) and may develop derivative information;

•         CTPs may have information about their participants’ upcoming trades, which could lead to front running;

•         CTPs and their employees may have access to non-public information, including information related to which crypto assets will be listed on the CTP and could trade on that knowledge;

•         CTPs may issue their own security tokens that are also traded on the CTP;

•         CTPs may receive payments in exchange for listing certain crypto assets;

•         Potential use or sale of investor information (including data on specific holdings); and

•         payment for order flow.

We thank the commenters for the responses.

It is not our intention to mandate how a CTP will structure its operations, as this would be inconsistent with our goal of facilitating innovation that benefits investors and our capital markets. Rather, CTPs are required to comply with the applicable requirements, and we will assess the risks introduced by the CTPs and whether they have the internal controls and processes in place to address them.

As noted in the Notice, CTPs will be required to identify and manage potential conflicts of interest. Their policies and procedures, including those dealing with conflicts of interest, will be examined by regulators both in the context of reviewing their initial application for registration and/or IIROC membership and on an ongoing basis, as part of our regulatory oversight. These comments will help us better understand the full range of potential conflicts of interest that may arise at a CTP and whether they have appropriate policies and procedures to manage them.

Question 16: What type of insurance coverage (e.g. theft, hot-wallet, cold-wallet) should a Platform be required to maintain? Please explain.

Types of insurance coverage a CTP should be required to maintain

Approximately a quarter of the commenters that responded to this question thought CTPs should be required to maintain full insurance. A few commenters thought CTPs should not be required to have insurance and noted that requiring insurance would be prohibitive to small start-up CTPs. 

Other comments included:

•         there should be insurance for hot and warm wallets, but it is debatable whether insurance is needed for assets held in cold wallets, especially if appropriate controls and policies are put in place, as evidenced by a SOC 2 report;

•         the appropriate nature and extent of the insurance will vary with the circumstances, considering the nature of the risks, other forms of risk transfer and risk mitigation processes in place at the CTP;

•         insurance should be optional, and the market should decide the right mix of insurance and security; and

•         a cautious approach to insurance requirements should be taken.

Most commenters provided feedback on the types of insurance that should be required. This included:

•         the same insurance required for traditional dealers and custodians;

•         crime and theft insurance coverage for all fiat funds and crypto assets, regardless of the method of storage;

•         crime and theft insurance if CTPs are holding material amounts of crypto assets in hot wallets;

•         errors and omissions and cybersecurity insurance;

•         insurance in case of death or incapacity of a key holder;

•         financial Institution Bonds to cover employee dishonesty, forgery, vendor-related fraud and theft;

•         cyber insurance to protect impact of damages to computer systems (outages & failures); and

•         director and officer insurance.

We thank the commenters for the responses. We will consider the need for insurance and the type in the context of the functions performed by a particular CTP. However, we are of the view that CTPs will likely require insurance where they have custody or control over client assets unless they can demonstrate an adequate alternative risk mitigation strategy.  Such insurance should cover specific risks including, but not limited to, the risk of theft and cyber-attacks.

Question 17: Are there specific difficulties associated with obtaining insurance coverage? Please explain.

Many commenters noted a number of difficulties associated with obtaining insurance coverage. The main concern identified was that it is difficult and expensive for CTPs to obtain any type of insurance (hot wallet, cold storage, theft and other). It was noted that few insurance providers are willing to cover CTPs, and those that do charge high premiums (one commenter noted that premiums can be 1-2% of the insurable assets). Commenters also noted that:

•         the market for underwriting the risks associated with crypto assets is limited and the underwriters’ understanding of the technology and industry remains limited;

•         insurance companies are hesitant to work with CTPs, largely because the money laundering risks;

•         there is no historical and actuarial data in the crypto markets to determine appropriate premiums;

•         CTPs are not able to have the stringent controls expected by insurance providers;

•         coverage for cyber theft is expensive and does not provide a significant degree of protection to customers; and

•         cold wallets are not insured by all insurers.

One commenter noted, however, that CTPs are becoming increasingly able to obtain insurance for the assets they custody and gave the examples of Coinbase, Bakkt and BitGo.

We acknowledge the concerns raised regarding the ability to obtain insurance coverage. We will continue to monitor this over time.

Acknowledging the current possible difficulties in obtaining insurance, there will be flexibility regarding the type and level of insurance required, as long as the risks associated with the custody of client crypto-assets are addressed.

Question 18: Are there alternative measures that address investor protection that could be considered that are equivalent to insurance coverage?

Member-funded insurance

A large number of commenters that responded to this question indicated that there should be member funded insurance such as CIPF or CDIC. Commenters noted their expectation that, if required to register as an IIROC dealer, CTPs will be CIPF members.

One commenter suggested a form of self-insurance where CTPs contribute premiums to compensate participants in cases of loss, and such premiums are based on trading volume, history of losses, quality of audit reports, use of RSPs, or whether the CTPs provides custody.

CTPs that will be IIROC dealer members will be CIPF members. CIPF will assess the coverage it offers on a case by case basis.

While we do not intend to mandate how CTPs compensate participants in cases of loss, we will consider their processes in our assessment of the type and level of insurance they will be required to maintain. 

Alternatives to insurance coverage

Commenters listed a number of alternative measures that could be considered equivalent to insurance coverage. These included:

•         robust practices, policies and procedures with respect to handling participants’ assets;

•         an adequate level of capitalization, so that a loss of assets can be absorbed by the CTP;

•         segregation of participants’ assets from a CTP’s assets (although it was noted that this constitutes an inherent safeguard that offers investor protection in the event of bankruptcy, but not theft);

•         a fund maintained by the CTP that is funded using a percentage of the trading fees or the CTP’s profit (many commenters suggested a fund similar to the Secure Asset Fund for Users established by Binance);

•         maintaining fiat balances in amounts equivalent to the crypto assets held on behalf of participants in hot wallets;

•         maintenance of participants’ and CTPs’ crypto asset across multiple wallets, to distribute the risk and responsibility of security, reducing the amount of insurance required;

•         proof of distributed authority, key management systems, Dead Man’s Switch;

•         decentralized CTPs with multi signature wallets for participants;

•         maintaining 95-100% of the balances in cold wallets, to mitigate the risk of hot wallet theft;

•         insurance intermediation platforms, which involve the use of crypto assets as a form of premium that participants can exchange with the CTP in return for an insurance policy being placed with an insurer; the CTP acts as a digital provider of insurance intermediation services and still relies on the traditional insurance market;

•         evidence of funding, such as bonds, letters of credit or sufficient working capital,

•         the investors’ own insurance; and

•         a card with security features, which could be printed by Canadian Mint, which would be loaded with crypto assets; the investor is the only one that can store and access the assets.

We thank the commenters for the responses. We will consider these measures in assessing the level and type of insurance that should be maintained by CTPs.

Question 19: Are there other models of clearing and settling crypto assets that are traded on Platforms? What risks are introduced as a result of these models?

Models of clearing and settlement for CTPs

Commenters identified the following models for matching trades and clearing and settling transactions:

•         CTPs maintain an internal ledger that maintains a record of all transactions; once matched, transactions are settled on the blockchain;

•         the decentralized model, where users’ orders are matched with each other on a CTP, but the CTP does not, at any point in the transaction, hold users’ funds;

•         a central counterparty clearing system with net settlement similar to CDS or CDCC; and

•         new technology is being developed that will allow holders of one crypto asset to swap or trade with a holder of another crypto asset on the blockchain, without the involvement of any third party.

We thank the commenters for providing information on other models for matching trades and clearing and settling transactions.

Risks and concerns introduced by the models of clearing and settlement for CTPs

Commenters noted that:

•         where CTPs perform both clearing and custody functions, there is counterparty risk and credit risk (for example, if participants are permitted to trade on margin, with settlement at a later date); it was noted that counterparty risk could be mitigated, for example, by the imposition of a requirement for participants to pre-fund trading accounts with fiat currency before completing a trade;

•         with respect to the new technology that permits holders of one crypto asset to swap with a holder of another crypto asset on the blockchain, there is the risk that the technology could be flawed and funds lost through a technical error; at the same time, there is reduced risk of a third-party losing funds;

•         the use of currently available clearing houses or establishing identical requirements for new CTPs ignores the value and reasons for using distributed ledger; and

•         all models of clearing and settling crypto assets presently utilized by CTPs introduce a centralized point of failure.

One commenter stated that decentralized models have less cyber-security risk.

We thank the commenters for these responses. We will consider these risks in assessing the requirements that should apply to CTPs performing clearing and custody functions.

Question 20: What, if any, significant differences in risks exist between the traditional model of clearing and settlement and the decentralized model? Please explain how these risks could be mitigated.

Commenters identified the following differences between the traditional model of clearing and settlement and the decentralized model:

•         all transactions that take place on the distributed ledger are permanent and irreversible;

•         there is a higher possibility of human error in the traditional model, where settlement occurs days after the trade, with trade matching and payments occurring in a more manual and costly model;

•         there is significant systemic risk in the traditional model, due to concentration of this risk in one entity;

•         counterparty risk is eliminated on decentralized CTPs, however participants have no way of knowing who they are trading against, which makes it difficult to manage compliance risks;

•         the key risk for transactions settled on a decentralized model is ensuring delivery versus payment; the payment is made when the client deposits fiat or crypto assets as the means to purchase a crypto asset. The delivery and settlement are confirmed by receipt of the crypto asset at the custodian, verifiable “on-chain” by anyone running a node, including a custodian;

•         when transactions are executed on a distributed ledger, the assets may become lost if there is a software bug in the smart contract development or deployment;

•         identity fraud is easier in a digital ecosystem; complete decentralization may not provide sufficient KYC/AML protection, and has not evolved to the point where it provides frictionless AML controls; and

•         with the decentralized model trades are cleared in real time, where in a traditional model it is subsequent to the trade day.

One commenter indicated that the risk associated with not having third-party clearing and settlement could be mitigated by having a hybrid model where CTPs maintain an internal ledger and transactions are also executed on the blockchain.

We thank the commenters for these responses. We will consider these differences, and the specifics of the decentralized model of clearing and settlement, in determining the appropriate clearing and settlement requirements that should apply to CTPs.

Question 21: What other risks could be associated with clearing and settlement models that are not identified here?

One commenter noted risks specific to stable coins, which may be backed by complex systems of collateral. The commenter noted that, if the underlying asset crashes, there is a risk that a cascade of smart-contracts are triggered, and a large volume of clearing and settlement is executed.

Additional comments on other risks associated with clearing and settlement included:

•         faster asset and payment movement create higher turnover on networks;

•         reputational risk;

•         inter-organizational settlement (complexity) risk in using CTPs like Ripple or Ethereum to settle interbank transfers;

•         regulatory risks (no designated regulatory body monitoring transactions); and

•         liquidity and timing risk with decentralized exchanges.

We thank the commenters for the responses and note that we will consider these specific risks in determining the appropriate clearing and settlement requirements that should apply to CTPs.

Question 22: What regulatory requirements (summarized at Appendices B, C and D), both at the CSA and IIROC level, should apply to Platforms or should be modified for Platforms? Please provide specific examples and rationale.

Regulatory requirements that should apply to CTPs

One commenter stated that its it more productive to start with the risks and then identify the relevant requirements.

Commenters indicated that the following regulatory requirements, should also apply to CTPs:

•         transparency of a CTP’s operations, including how orders are entered and executed;

•         daily reconciliations between CTP and third-party data;

•         disclosure of a CTP’s governance structure;

•         disclosure of the CTP’s rules;

•         disclosure of the CTP’s fees;

•         disclosure of conflicts of interest;

•         transparency of crypto assets traded, including its features, attributes, use, value, risk factors and the method of valuation;

•         daily reporting of funds, transactions and volumes;

•         the requirement to send account statements to participants on a regular basis, and at least quarterly;

•         trading information should be confidentially maintained;

•         recordkeeping; and

•         the principle of fair and orderly markets but interpreted in the context of CTPs.

We agree and note that this is the approach we have taken in developing the regulatory framework applicable to CTPs. We will continue to evaluate the risks and the appropriate regulatory requirements as the industry evolves.

We thank commenters for the suggestions. We are of the view that the approach, which is based on the Marketplace Rules and NI 23-103, will cover these requirements.

Regulatory requirements that should not apply or should be modified – suitability requirements

One commenter indicated that all the requirements applicable to dealers may be relevant, with the exception of suitability if no advice or recommendations regarding the buying and selling of specific crypto assets are made by the CTP. Another commenter suggested that new categories of qualified investors be introduced, in the spirit of democratizing investments.

The suitability requirements will apply to Dealer Platforms, but where a Dealer Platform only offers Crypto Asset Rights and is not providing recommendations or advice, we may consider whether, similar to order-execution-only platforms, an assessment at onboarding may be more appropriate compared to trade-by-trade suitability.

Regulatory requirements that should not apply or should be modified

Comments included:

•         capital requirements should only be imposed on CTPs where the participants’ assets are held in omnibus or commingled accounts;

•         capital adequacy requirements for CTPs should be modest where the CTP does not custody participants’ assets; and

•         there should be exemptions from the requirement to clear and settle trades through a recognized entity.

The CSA and IIROC will consider each CTP’s operational model, risks introduced and how these risks are managed by the CTP to determine what regulatory requirements should apply or be modified. Flexibility in the application of regulatory requirements would be achieved through exemptions from existing requirements where justified.