For the compliance officer

The operational map, end to end.

Every check the engine runs, every regulator the platform reports to, every gate that stops a non-compliant transfer. Built to OSFI, FINTRAC, CSA, BoC and CIRO expectations, structured against the CIRO Digital Asset Custody Framework.

PCMLTFA s.105 reliance ready ISO 20022 messaging Canadian data residency

Pre-transfer gates

eligibility checks before any move

Regulators mapped

FINTRAC / OSFI / CSA / BoC / CIRO / FCAC

Incident response window

< 72h

detection to disclosure target

Data residency

100%

Canadian, sovereign

The gate

AML, KYC & the eligibility gate.

Every participant is onboarded before they can transact. Eligibility is enforced at every step, never just at intake.

Visual: pass the gate, or no action moves

The compliance engine checks

If all five pass

✓ KYC, identity & beneficial owners
✓ AML exposure & sanctions screening
✓ PEP & adverse-media screening
✓ Accreditation, jurisdiction & policy eligibility
✓ FINTRAC reporting hooks (LCTR / EFTR / 24-hour)

→

If any one fails

No eligibility, no action

× No issuance
× No transfer
× No settlement
× No redemption
× Auditable rejection record written

Eligibility is continuously enforced, not a one-time check at onboarding. Walk it in the sandbox.

When something goes wrong

Incident response, four stages.

Detection to disclosure target inside 72 hours, structured against OSFI B-13, FINTRAC reporting timelines, and CSA market integrity.

Stage 01

< 15 min

Detect

Automated monitors flag the event. Canonical ledger pauses any in-flight transactions for the affected scope. Institution's CAMLO and CRO are paged.

Stage 02

< 4 h

Contain

Scope assessed. Affected accounts, custodian, and rail segment quarantined. Institution decides on customer notification posture; 4orm executes.

Stage 03

< 24 h

Disclose

Institution-led reporting begins to applicable regulators (OSFI B-13, FINTRAC, CSA). 4orm provides the technical record under the institution's instruction.

Stage 04

< 72 h

Resolve

Root-cause analysis, remediation, and lessons-learned circulated to the affected institutions. Audit trail of the entire incident kept on canonical ledger.

Who holds the assets

Custody & settlement finality.

Who holds the assets, and what "settled" actually means.

Qualified custody

Assets and cash are held with a licensed Canadian trust company under the CIRO Digital Asset Custody Framework. Segregated accounts, separation of duties. 4orm never self-custodies.

Atomic DvP finality

The asset leg and the cash leg move in the same instant, or not at all. No open settlement window. Treasury, custody, and canonical ledger commitment all complete together.

Who reports what

Regulatory obligation mapping.

Six Canadian regulators. The institution stays the entity of record; 4orm provides the technical surface.

Visual: who reports what, and how 4orm helps

FINTRAC ↗

AML / financial intelligence

PCMLTFA s.105 reliance framework

LCTR (C$10,000 cash threshold)
EFTR (international funds transfers)
STR (suspicious transaction reports)
24-hour aggregation rule
Records auto-generate; CAMLO files

OSFI ↗

Prudential supervision

FRFI capital & operational

Capital treatment per guideline B-12
Operational risk reporting
Crypto-asset exposure (in motion)
Read-only aggregate feed available

CSA ↗

Securities

Provincial / territorial harmonisation

Value-referenced crypto asset framework
NI 45-106 (prospectus exemptions)
NI 23-101 (order protection)
EMD registration for issuance

Bank of Canada ↗

Payments & settlement asset

Settlement-asset infrastructure

Lynx high-value rail interoperability
ACSS retail rail interoperability
Project Samara compatible (validating standard)
Future CBDC integration slot

CIRO ↗

Investment-dealer conduct

Digital Asset Custody Framework

Marketplace / exchange / custody separation
Member firm conduct obligations
4orm Trust Co. structured to Tier 2

FCAC ↗

Consumer protection

Retail-facing obligations

Access to Funds Regulations
Disclosure obligations
Cheque hold rules

Bank-grade controls

Security & data residency.

Targets for the pilot build; not yet independently certified. Canadian sovereign by design.

SOC 2

Type I in pilot phase; Type II targeted before scaled deployment.

Key protection

HSMs and multi-party computation for key material. No single-key custody.

Canadian data residency

Regulated workloads kept on Canadian infrastructure under Canadian governance.

Immutable audit logs

Append-only records for every transaction and administrative action.

Encryption

End-to-end encryption of data in transit and at rest.

Resilience

HA deployment, DR with defined RTO/RPO, continuous monitoring.

Integration philosophy: 4orm connects to your existing core banking, treasury, custody and reporting systems (ISO 20022, REST API, SFTP) rather than replacing them.

Once the controls land, the next question is your team

Train your treasury, risk and audit teams to work this way.

The 4orm Academy walks Canadian institutional teams through tokenization mechanics, supervisory posture, and operating procedures, using the same diagrams they read here. Live sessions and on-demand modules.

See how we teach you →

The operational map lands — now ready your people

Train your treasury, risk and audit teams.

The 4orm Academy walks Canadian institutional teams through the gates, regulators, and incident response procedures you just reviewed. Built for the operational reality your CAMLO works in.

See how we teach you → Step in the institutional walk · the waitlist sits at the end

Ready to walk this with your compliance team?

Bring the map to your CAMLO and CCO.

The next step is a walk-through of each gate and each regulator's obligation. For the strategic story, open Risk Approach. For the supervisory feed, open Supervision.

Join the institutional waitlist → Open Risk Approach