The Canadian Investment Regulatory Organization’s (CIRO) decision to abandon its retail client-data project is indefensible. Canada’s investment regulator just walked away from the foundational evidence it needs to do its job — and did so at the worst possible moment.
The facts are straightforward. CIRO announced in April that it would collect year-end 2026 data from dealers in 2027, giving the industry a clear timeline after multiple delays. This week, the regulator shelved the project indefinitely. No new timeline. No commitment to restart. Just an open-ended pause that transforms essential regulatory infrastructure into a dead letter.
This matters because supervisors cannot regulate what they cannot see. CIRO’s predecessor, the Mutual Fund Dealers Association (MFDA), collected this data regularly — in 2017, 2020 and 2022. Those reports gave regulators actual evidence about retail holdings, concentration risks and investor behaviour. Now that evidence stream has been cut off precisely when it matters most.
Markets are changing, oversight is not
Consider what is happening in Canadian retail markets right now. Digital distribution channels are proliferating. Hybrid advice models are expanding. Product shelves keep growing. Household balance sheets are under strain. Fee structures are fragmenting. All of this demands better data, not less.
Instead, CIRO has chosen to supervise a rapidly evolving market with tools designed for a static one. The regulator will continue to rely on complaint data, episodic examinations and anecdotal evidence. That approach catches what breaks loudly. It misses what fails quietly.
Without systematic data collection, CIRO cannot identify structural risks before they metastasize. It cannot distinguish between isolated problems and industry-wide patterns. It cannot benchmark firm practices against market norms. And it cannot provide the evidence needed to justify proportionate, risk-based rules.
The cybersecurity excuse
CIRO has pointed to its August 2025 cybersecurity breach as justification for the pause. That is the wrong lesson from the wrong problem.
Yes, the breach was serious. Registration data for all CIRO member firms and individuals was compromised — names, addresses, dates of birth, bank account numbers and more. The organization is now offering two years of credit monitoring to affected registrants.
But a data breach is not a reason to stop collecting data. It is a reason to fix security architecture, harden systems and improve protocols. Every organization that handles sensitive information faces cyber risks. The solution is better defences, not abandoning the mission.
By treating the breach as justification for shelving the data project, CIRO conflates two separate issues. The result is that Canada’s investment regulator has allowed an operational failure to become a policy retreat. That helps no one.
What Canada loses
The pause breaks continuity. Past MFDA reports provided comparable snapshots over time, allowing regulators to track trends and measure change. Stop collecting data now, and that timeline fractures. When — or if — CIRO eventually restarts the project, it will be starting from scratch with no basis for comparison.
Canada also falls further behind international peers. The U.K.’s Financial Conduct Authority runs its Financial Lives survey on a regular cadence, publishing transparent, public-facing data that informs both regulation and debate. The FINRA Foundation in the United States does the same with its National Financial Capability Study. These programs are not perfect, but they provide something Canada now lacks: a shared evidence base.
The alternative is policy by anecdote. Regulators respond to whatever makes headlines. Industry pushback becomes more effective because supervisors cannot cite hard data to justify their decisions. And when the next crisis arrives — and it will — Canada will be importing foreign research to understand domestic problems.
This decision hurts everyone. Investors lose because their regulator is operating partly blind. Structural problems — inappropriate leverage, dangerous concentrations, fee drag among vulnerable populations — become harder to detect and address.
Firms lose because they get less intelligent regulation. Without data to support targeted interventions, CIRO will default to broad, one-size-fits-all rules. Good actors will face the same compliance burden as bad ones. The regulator will struggle to provide relief where risks are low because it cannot prove what the evidence shows.
And the industry loses credibility. After pushing back repeatedly on the data project — securing delays from 2024 to 2025 to 2026 — firms have now seen it delayed indefinitely. That creates a troubling precedent: complain long enough and regulators will back down, even on foundational issues.
What should happen
CIRO should immediately recommit to this project with a clear, public timeline. Strip the data request to the essential minimum. Focus on what is absolutely necessary to understand retail holdings and behaviour. Set a realistic deadline — not 2027, but sooner — and meet it.
Publish aggregated, anonymized findings so the industry and public can see what the data reveals. Make this an ongoing exercise, not a one-time event. And stop treating data collection as optional.
Other jurisdictions have proven that regular, bounded data collection works. Canada does not need to reinvent this wheel. It needs to get back on the path.
Shelving this project signals that CIRO is comfortable supervising a changing market with incomplete information. That is a choice, not a necessity. And it is the wrong choice.
Investors deserve better. The industry deserves better. And Canada’s capital markets deserve a regulator that treats evidence as the foundation of its work, not an inconvenience to be deferred indefinitely.