CIRO Third-Party-Risk Evidence Template (Free Download for Canadian Wealth Firms)
A line-by-line template Canadian wealth firms and CIRO-registered dealers can use to evidence third-party service provider risk per Guidance Note GN-2300-21-0 before a Financial and Operations compliance examination.
Built by Fusion Computing’s CISSP-led team. Mapped to the CIRO 2026 Annual Compliance Report priorities, OSFI Guideline B-13 expectations for federally regulated trust companies, and the cyber-insurance baseline. Field-tested with Canadian wealth firms before publication.
Why this template exists
The Canadian Investment Regulatory Organization (CIRO, the 2023 merger of IIROC and the MFDA) named third-party service provider risk as a top supervisory priority in its 2026 Annual Compliance Report. The report references CIRO Guidance Note GN-2300-21-0 as the framework dealers are expected to operate within. The same year, CIRO disclosed a cybersecurity incident affecting roughly 750,000 Canadian investor records sourced from its own systems, sharpening the expectation that CIRO-registered firms now demonstrate documented vendor due-diligence, not assumed vendor competence.
This template is the documented evidence packet a compliance officer can present in a CIRO Financial and Operations examination. Each row captures the inventory data the examiner asks for: vendor name, the data classes shared, the contract review date, the SOC 2 (or equivalent) attestation status, the residual risk decision, and the next review date.
CIRO’s 2026 third-party-risk expectations, in practice: The 2026 CIRO Annual Compliance Report names four cybersecurity priorities for dealers: third-party service provider risk management per Guidance Note GN-2300-21-0, continuous cybersecurity training for all personnel, an annual cybersecurity table-top exercise (CIRO itself will conduct one in 2026), and operational controls around AI tooling reviewed during Financial and Operations compliance examinations. The same report notes a steady increase in incident reports involving third-party vendors that have affected CIRO-registered dealers. Sources: ciro.ca, blg.com, investmentexecutive.com.
The template (six vendor-inventory columns)
Replicate the row structure below for each third-party service provider that touches your firm’s client data, advisor identity, or operational systems. Sort by data-sensitivity descending; review quarterly.
| Column | What to capture | Why CIRO cares |
|---|---|---|
| 1. Vendor name & service | Legal name, product line, primary URL, your firm’s account ID | Establishes the inventory baseline. CIRO asks “which vendors touch client data” first. |
| 2. Data classes shared | KYC, trade execution, statement generation, identity, advisor productivity, marketing only | Determines the risk tier and the regulator scope. |
| 3. Contract review date | Last full contract review (not just renewal); next scheduled review | Demonstrates active oversight, not auto-renew complacency. |
| 4. SOC 2 / attestation status | Report type and period end date (e.g. SOC 2 Type II, period ended YYYY-MM-DD) plus the scope actually covered (trust services criteria, systems, subservice carve-outs); ISO 27001 certificate number and expiry; or equivalent (note “none” if so). Record whether a bridge letter covers the gap since period end. | Establishes the vendor’s independently-verified control posture, and whether that verification covers the service your firm actually uses. |
| 5. Residual risk decision | Accepted / mitigated / blocked, with the named partner who made the decision | Shows the firm’s governance posture, not a default acceptance. |
| 6. Next review date & trigger | Date OR triggering event (vendor breach, contract change, data-class change) | Demonstrates an ongoing monitoring discipline, not a one-time exercise. |
Vendor categories most Canadian wealth firms miss
1. Custodial & trade-execution
- Primary custodian (Fidelity Clearing Canada, NBIN, RBC IS, etc.) — SOC 2 Type II on file
- Trade-execution and back-office platform (Croesus, Dataphile) — vendor SOC report
- Statement-generation provider — data-flow diagram to client mailbox
2. Practice-management & CRM
- Wealth-stack CRM (Salesforce FSC, Wealthbox, Redtail) — data-residency confirmation
- Financial planning software (NaviPlan, Conquest, RazorPlan) — client-data scope inventory
- eSignature platform (DocuSign, OneSpan, Adobe Acrobat Sign) — identity binding
3. Productivity & identity
- Microsoft 365 tenant (typically Business Premium or E5) — tenant region attestation
- Microsoft Copilot — tenant-scoped deployment with sensitivity-label-aware retrieval
- Identity provider (Entra ID, Okta if used) — conditional-access policy review
- Endpoint Detection & Response — coverage matrix per device class
4. Marketing & client-communication
- Email marketing platform (Mailchimp, Constant Contact, HubSpot) — data classes shared
- Website CMS & hosting — if any client-facing forms collect KYC or identity data
- CRM-to-marketing integrations — what flows where
5. The vendor everyone forgets
- Your IT vendor. Your MSP is the largest single third-party service provider in your firm. CIRO will ask for the MSP’s SOC 2 status, the data-flow diagram covering MSP-administrative access, and the contractual breach-notification clause. Fusion Computing maintains this evidence for every wealth-firm client.
How to use this template
Two passes. First pass: spend two hours with your operations lead and write down every vendor you can think of, then reconcile that list against accounts payable and the enterprise-application list in your identity provider (Entra ID or Okta); the SSO-integrated apps nobody remembered are the usual misses. Sort by data sensitivity. Most firms get to between 12 and 25 vendors. Second pass: ask each vendor for their SOC 2 Type II report (or equivalent). Most vendors release it only under NDA, so expect to sign one. When the report arrives, check that the period and the systems in scope cover the service your firm uses, and read the exceptions section: a report on file is not the same as a clean report. The vendors who can’t produce one within five business days are the ones with the residual-risk decision to make.
Once the inventory exists, the maintenance discipline is twenty minutes per quarter: walk the list, refresh dates, flag any vendor whose risk profile has changed. The compliance officer can produce the documented packet on a CIRO examiner’s request in five minutes. Without it, the same request becomes a two-week reconstruction project under time pressure.
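As an added example (not part of the template and not Fusion Computing’s tooling), here is a small Python checker that reads the six template columns from CSV, tiers each vendor by its most sensitive data class, orders the packet by tier and next review date, and flags the gaps an examiner asks about: no attestation on file, a stale attestation, an overdue review, a residual-risk decision with no named owner, and a tier-1 vendor accepted without any attestation. The column names, the tier mapping, the 15-month attestation staleness limit and the four sample vendors are assumptions constructed for illustration.

```python
"""Checker for the six-column vendor inventory described above.

Added example; not part of the template or any vendor's tooling. Column
names, tier mapping, staleness limit and sample rows are assumptions.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Risk tier by data class; a vendor's tier is its most sensitive class.
# Unknown classes map to tier 1 so an unclassified vendor is never buried.
TIER_BY_CLASS = {
    "kyc": 1, "identity": 1, "trade execution": 1,
    "statement generation": 2, "advisor productivity": 3,
    "marketing only": 4,
}
# A SOC 2 Type II report covers up to 12 months and is issued a few months
# after period end, so ~15 months since period end is treated as stale (assumption).
ATTESTATION_MAX_AGE = timedelta(days=455)
VALID_DECISIONS = {"accepted", "mitigated", "blocked"}

# Constructed sample inventory (hypothetical vendors), one row per column set.
SAMPLE_INVENTORY = """vendor,data_classes,contract_review,attestation,attestation_date,decision,decision_owner,next_review,trigger
Example Custodian,KYC;trade execution;statement generation,2025-09-15,SOC 2 Type II,2025-06-30,accepted,J. Partner,2026-03-31,annual SOC 2 refresh
Example CRM,KYC;identity;advisor productivity,2024-11-02,SOC 2 Type II,2024-08-31,accepted,J. Partner,2026-02-01,contract renewal
Example Mailer,marketing only,2025-01-20,none,,mitigated,,2026-04-30,data-class change
Example MSP,identity;advisor productivity;KYC,2025-10-01,SOC 2 Type II,2025-05-31,accepted,J. Partner,2025-12-31,vendor breach
"""


@dataclass
class VendorRow:
    vendor: str
    data_classes: Tuple[str, ...]
    contract_review: date
    attestation: str                 # e.g. "SOC 2 Type II" or "none"
    attestation_date: Optional[date]  # report period end date
    decision: str                    # accepted / mitigated / blocked
    decision_owner: str
    next_review: date
    trigger: str

    @property
    def tier(self) -> int:
        if not self.data_classes:
            return 1
        return min(TIER_BY_CLASS.get(c, 1) for c in self.data_classes)


def parse_inventory(csv_text: str) -> List[VendorRow]:
    """Parse template columns from CSV; data classes are ';'-separated."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        att_date = r["attestation_date"].strip()
        rows.append(VendorRow(
            vendor=r["vendor"].strip(),
            data_classes=tuple(c.strip().lower() for c in r["data_classes"].split(";") if c.strip()),
            contract_review=date.fromisoformat(r["contract_review"].strip()),
            attestation=r["attestation"].strip(),
            attestation_date=date.fromisoformat(att_date) if att_date else None,
            decision=r["decision"].strip().lower(),
            decision_owner=r["decision_owner"].strip(),
            next_review=date.fromisoformat(r["next_review"].strip()),
            trigger=r["trigger"].strip(),
        ))
    return rows


def findings(row: VendorRow, as_of: date) -> List[str]:
    """Gaps an examiner would ask about for one row, as of a given date."""
    out = []
    no_attestation = row.attestation.lower() == "none" or row.attestation_date is None
    if no_attestation:
        out.append("no dated independent attestation on file")
    elif as_of - row.attestation_date > ATTESTATION_MAX_AGE:
        out.append(f"attestation period ended {row.attestation_date} is stale")
    if row.decision not in VALID_DECISIONS or not row.decision_owner:
        out.append("residual-risk decision missing or has no named owner")
    if row.next_review < as_of:
        out.append(f"review overdue since {row.next_review}")
    if row.tier == 1 and row.decision == "accepted" and no_attestation:
        out.append("tier-1 vendor accepted without attestation; document the mitigation")
    return out


def examiner_packet(rows: List[VendorRow], as_of: date) -> List[Tuple[VendorRow, List[str]]]:
    """Rows ordered by data sensitivity (tier 1 first) then next review date,
    each paired with its findings; this is the order the template asks for."""
    ordered = sorted(rows, key=lambda r: (r.tier, r.next_review))
    return [(r, findings(r, as_of)) for r in ordered]


def run_example(as_of_iso: str = "2026-01-15") -> List[Tuple[VendorRow, List[str]]]:
    """Build the packet for the constructed sample inventory."""
    return examiner_packet(parse_inventory(SAMPLE_INVENTORY), date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for row, gaps in run_example():
        print(f"tier {row.tier}  {row.vendor:<18} next review {row.next_review}  "
              f"{'; '.join(gaps) or 'no findings'}")
```

Run it as-is to see the sample packet; point `parse_inventory` at your own CSV export to produce the real one. The tier map is deliberately conservative: any data class you have not classified lands in tier 1 so it gets reviewed rather than ignored.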
For the full operating scope of how Fusion Computing manages this for Canadian wealth firms, see our IT for wealth management firms hub or our financial-services IT umbrella.
Frequently asked questions
Is this template a substitute for CIRO Guidance Note GN-2300-21-0?
No. It is a practitioner-built consolidation that helps a wealth firm produce the evidence CIRO examiners reference under GN-2300-21-0. For the underlying authoritative text, see the Canadian Investment Regulatory Organization’s published Guidance Note GN-2300-21-0 and the 2026 Annual Compliance Report. Fusion does not provide regulatory or legal advice. Your compliance officer and external counsel remain responsible for interpretation.
How is this different from the SOC 2 vendor questionnaire?
A SOC 2 vendor questionnaire is what your firm asks each vendor. The CIRO third-party-risk evidence template is the inventory and disposition record your firm produces from the answers, organized so a CIRO examiner can read it in five minutes. The questionnaire is an input; the template is the output. Both should exist.
Does this apply to portfolio managers registered with provincial securities commissions but not CIRO?
Yes, with framing changes. Provincial securities regulators (the OSC in Ontario, the BCSC in British Columbia, the AMF in Quebec) operate under separate registration regimes, but the same third-party-risk concept applies under National Instrument 31-103 outsourcing-of-functions guidance. The IT controls and the inventory discipline are identical; the regulator name and the citation change. A registrant operating in multiple jurisdictions typically uses the same evidence packet for all of them.
What does the OSFI Guideline B-13 expectation add on top of CIRO?
OSFI Guideline B-13 on Technology and Cyber Risk Management applies to federally regulated financial institutions, including some trust companies and bank-owned wealth platforms. The B-13 expectations on third-party-risk are aligned in concept to CIRO GN-2300-21-0 but use the OSFI terminology (technology risk profile, cyber resilience, third-party risk management framework). Wealth firms that fall under both regimes use a unified inventory and tag each row with the applicable regulator(s).
Does Fusion supply this evidence packet for wealth-firm clients?
Yes. For Fusion-managed wealth-firm clients, we maintain the vendor inventory, the dated SOC 2 attestation status, and the residual-risk decision log. We refresh it at each quarterly business review and on-demand for CIRO examinations or sophisticated-client due-diligence requests. The packet includes Fusion’s own SOC 2 status and a documented data-flow diagram covering our administrative access to client systems.
Get the PDF version
Want the printable PDF of this template for your compliance officer’s evidence packet? Book a 30-minute walk-through and we’ll send it after the call along with a gap analysis on your current vendor inventory.