Hot on the heels of a string of 2026 priority releases from U.S. financial regulators, the Canadian Investment Regulatory Organization (CIRO) is the latest to weigh in with its compliance focuses for the year ahead, with an overarching theme being the balance between evolving risks and innovation.
Within its Annual Compliance Report for 2026, CIRO illuminates the most pertinent compliance risks facing the financial industry and offers recommendations on how firms can best strengthen supervisory and risk management processes to manage them.
What is on CIRO’s 2026 compliance agenda?
While CIRO’s report lists a variety of industry-wide considerations applicable to registered dealers, including ongoing focuses from last year, several topics were of note in reflection of the fast-changing compliance climate.
Cybersecurity and third-party management
Carrying on from last year, CIRO placed cybersecurity high on its list of priorities. The regulator itself experienced a data breach due to a phishing cyberattack that targeted over 75,000 people, and cyber-threats are becoming increasingly common and complex.
The report highlighted an increase in cybersecurity disruptions involving third-party providers, although it also noted progress toward remediating cybersecurity-related activity. Over the course of 2025, various breaches have affected firms and providers – from Oracle Cloud to Capita – reinforcing the need for thorough security measures and monitoring practices, as well as due diligence when managing third parties, to remain protected.
Alongside implementing controls “to protect clients’ information and their own critical systems,” CIRO stated that firms should prioritize training to ensure that personnel are aware of and equipped to manage security-related vulnerabilities. As the risk environment becomes more complex, the regulator also stated that firms must “understand how AI shapes both offensive and defensive dynamics” to build resilient systems.
Risks associated with emerging technologies like AI
AI is increasingly implemented into firms’ workflows, with CIRO noting that it’s an important tool that “enables dealers to manage complexity, improve efficiency, and strengthen decision-making.”
From generative AI (GenAI) chatbots like ChatGPT to Large Language Models (LLMs), firms are more commonly utilizing AI to optimize workflows. As AI implementation increases, however, so do regulatory expectations around responsible use and output retention, as seen in a 3,000% increase in the number of firms capturing ChatGPT data, detailed in Global Relay’s Data Insights: Communications Capture Trends in 2025/2026 report.
Social media communications
Social media has become an invaluable tool for firms to promote products and services across wider audiences and communicate with clients. One of the ways that firms can do this is by working with financial influencers – or “finfluencers” – to expand reach. However, inaccurate promotions could easily cross the line into misleading marketing, landing firms in hot water.
CIRO’s report paid special attention to finfluencer activity, stating that firms have a responsibility to perform due diligence on finfluencers prior to engaging them, ensure finfluencers understand how to promote services compliantly, and monitor finfluencers’ statements to verify they are fair, balanced, and not misleading.
CIRO emphasizes compliance building blocks
A major component of CIRO’s compliance agenda was emphasizing the importance of strong compliance frameworks. In a series of recent examinations, the regulator identified that the most common failure across firms was a lack of comprehensive policies and procedures tailored to their risk profile. Specifically, it noted vulnerabilities in the supervisory practices used to flag instances of business communications on unapproved channels.
With off-channel communications having the potential to contain information indicative of risk, as stated by regulators like the Securities and Exchange Commission (SEC) in past enforcement cases, these recordkeeping and monitoring policies are fundamental to meet compliance standards and effectively address risk before it becomes a more serious issue.
CIRO advised firms to review their policies, procedures, and practices to maintain complete compliance with these expectations:
“[Firms] should enforce strict controls over approved communication channels and deploy monitoring tools to detect any use of non-approved platforms. In addition, dealers must provide regular training to employees on reporting requirements…and approved communication practices to ensure consistent compliance.”
Aligned focuses across regulatory agendas
Alongside CIRO, U.S. regulators like the SEC and Financial Industry Regulatory Authority have released similar priorities for the year ahead, with main crossovers including GenAI, cybersecurity, third-party oversight, and the effectiveness of compliance programs – painting a clear picture of aligning regulatory expectations and increased attention on firms’ proactivity to manage intensifying risk.
As the industry evolves and regulators across borders reassess their enforcement approaches and guidance to keep pace, firms that ensure their compliance standards are up to par will be in the best position moving forward.
CIRO’s 2026 agenda puts a particular emphasis on effective compliance frameworks. To remain ahead of evolving industry risk, firms should look to utilize a secure and protected third-party provider that can ensure complete compliance with increasing regulatory expectations.