Canada’s retail advice framework was built on a simple promise: the client’s interest must prevail in practice, not just on paper. Core expectations regarding know-your-client protocols, product due diligence and conflict management should, by now, be settled industry standards.
CIRO’s 2026 annual compliance report makes clear they are not. The regulator documents serious, recurring deficiencies, yet responds to each of them the same way it did last year — with guidance, reminders and recommendations. The approach reads more like coaching than enforcement.
When the industry’s repeated failure to meet core obligations is matched with patience rather than consequences, firms are encouraged to conclude that this level of non-compliance will continue to be tolerated.
The gap between policy and practice
The client-focused reforms were intended to fundamentally change the investor’s experience. Instead, the report reveals an ongoing tendency among firms to emphasize paperwork over protection.
The report found that many firms have still not provided their sales force with tailored compliance procedures, relying instead on generic policies that simply restate high-level regulatory principles without translating those principles into concrete steps advisors are expected to follow.
Firms were supposed to build systems ensuring a client’s advisor genuinely knows their situation, understands the products being recommended and can demonstrate that a recommendation suits them specifically. Instead, many copied the regulatory language into a policy manual and called it done. The rules changed. The experience of being an investor did not.
The findings are worse on conflicts of interest. CIRO documented examinations where firms identified conflicts in internal registries but failed to provide adequate disclosure to clients. A conflict that stays inside the firm is not managed — it is merely filed.
The entire purpose of the obligation is to ensure the investor knows what is influencing the advice before acting on it. When that information never reaches the client, it protects the firm’s compliance record, not the person across the desk.
The report also flags communications through non-approved channels — personal email, messaging apps, platforms the firm cannot monitor. If the firm cannot see the conversation, it cannot supervise what is being recommended, cannot detect pressure tactics, cannot preserve records if something goes wrong and cannot catch early signs of elder financial abuse. When the risk is invisible, the investor is on their own.
Weaknesses in trade supervision compound the problem. Incomplete reports and inadequate review of confirmations mean oversight is often a retrospective exercise. Without a verifiable audit trail, supervision becomes a story told after an investor has already been harmed.
On referral arrangements, CIRO cites instances where dealers failed to conduct due diligence on referral entities or provide disclosures until after services were delivered. Referral fees are a direct conflict of interest. Late disclosure means the client learns of that influence only after the fact — which is no disclosure at all.
The persistence of failure
The core issue is not the existence of these gaps but their repetition. Guidance is useful early in a reform cycle. It is a spent force when applied year after year to recurring deficiencies in areas as fundamental as conflict disclosure, supervisory coverage and audit trails.
CIRO’s stance on cybersecurity illustrates this inertia. Despite experiencing its own data breach in 2025 — caused by staff falling for a phishing email — the regulator continues to treat robust cyber-defences as “highly recommended” rather than a hard requirement. A regulator urging the industry to do what it has not yet managed to do itself is not setting the standard. It is hoping one emerges.
This tolerance points to a fundamental tension in CIRO’s identity as a self-regulatory organization. Funded by the very firms it must discipline, the regulator appears to struggle with moving past a member-service culture.
When “should” becomes a habitual substitute for “must,” it reflects a regulator more attentive to member comfort than investor protection. That is not an accusation of bad faith. It is a structural observation about what happens when the line between regulator and service provider is not clearly drawn.
CIRO does not need a new rulebook. It needs to make the escalation path predictable and unavoidable. That means drawing a bright line: first-time gaps justify remediation, but recurrence in core areas must trigger a non-negotiable response.
The standard of evidence also needs to shift — from reviewing policy manuals to demanding operational proof that controls work. If the consequences for recycling the same deficiencies year after year remain performative, the system is simply teaching the industry that non-compliance is a routine cost of doing business.
The 2026 compliance report provides a competent diagnosis of familiar weaknesses. The unresolved question is whether CIRO will close the gap between finding problems and making them matter. If repeat failures continue to be met with best-practice guidance, firms will behave accordingly — and investors will continue to absorb the cost of that tolerance.