Webull Canada Crypto Limited

Attachment 1 – Terms and Conditions relating to Custody of Digital Assets

Webull’s custodial arrangement with Coinbase Custody Trust Company, LLC (Coinbase Custody) are subject to the following terms and conditions:

1. Definitions and Interpretation

1.1 In these Terms and Conditions:

"Acceptable Crypto Custodian" means a custodian of crypto assets that satisfies the Common Crypto Custodian Requirements set out in Schedule A, Part I and the applicable tier-specific Requirements set out in Schedule A, Part II.

"Acceptable Tokenized Asset Custodian" means a custodian of tokenized assets that satisfies the Tokenized Asset Custodian Requirements set out in Schedule C

"Approved Crypto Custody Location" means an Acceptable Crypto Custodian that has been approved by the Corporation in accordance with section 5 for the purpose of holding Crypto Assets.

"Approved Tokenized Asset Custody Location" means an Acceptable Tokenized Asset Custodian that has been approved by the Corporation in accordance with section 5 for the purpose of holding Tokenized Assets.

"Crypto Asset" means a Digital Asset that is not a Tokenized Asset.

"Digital Asset" means an asset that is recorded, transferred, or represented using distributed ledger technology, cryptography, or similar digital systems, and includes both Crypto Assets and Tokenized Assets.

"Internal Custody" means the holding of digital assets directly by the Dealer Member, using wallets, blockchain addresses, systems or infrastructure that are owned, operated, and controlled by the Dealer Member and which provide the Dealer Member with exclusive access to and control of the private keys associated with the digital assets it holds.

"Segregated Location" means a location designated in accordance with section 8.1 for the holding of client digital assets that is under the exclusive control of an Approved Crypto Custody Location, Approved Tokenized Asset Custody Location, or the Dealer Member's approved internal custody function.

"Tokenized Asset" means a digital representation of a traditional financial asset that confers legal rights and obligations equivalent to an underlying traditional financial asset or instrument, and that is issued or recorded using distributed ledger or similar technology. Tokenized Assets may include digital representations of deposits, debt, equity, or other financial instruments as well as certain digital assets designed to maintain a stable value by reference to a fiat currency (also referred to as stablecoins).

1.2 For greater certainty, approval or recognition of a custodian as an Acceptable Securities Location under the CIRO Rules does not, on its own, constitute approval as an Approved Crypto Custody Location or an Approved Tokenized Asset Custody Location.

2. Custody of Crypto Assets

2.1 The Dealer Member shall ensure that all crypto assets are held either:

  1. with one or more Approved Crypto Custody Locations; and / or
  2. in accordance with the internal custody provisions set out in section 8.

3. Custody of Tokenized Assets

3.1 The Dealer Member shall ensure that all Tokenized Assets are held with one or more Approved Tokenized Asset Custody Locations.

4. Capital requirements

4.1 The Dealer Member shall provide out of its Risk Adjusted Capital an amount equal to

  1. the value of crypto assets held at any custodian that is not an Approved Crypto Custody Location, and
  2. the value of tokenized assets held at any custodian that is not an Approved Tokenized Asset Custody Location,

excluding proprietary positions fully provided for out of the Dealer Member's Risk Adjusted Capital.

5. Approval of Acceptable Crypto Custodians and Acceptable Tokenized Asset Custody Locations

5.1 Prior to holding digital assets with a custodian, the Dealer Member shall apply in writing to the Corporation for approval of the custodian as an Approved Crypto Custody Location or an Approved Tokenized Asset Custody Location, as applicable.

5.2 The Dealer Member's application shall be approved by the Dealer Member's Board of Directors and shall include documentation satisfactory to the Corporation, including

  • a crypto-asset custodian certificate;
  • audited financial statements of the custodian;
  • applicable SOC 2 or ISAE 3000 (Type 2) reports; and
  • a copy of the custody agreement between the Dealer Member and the custodian.

5.3 For greater certainty, the Dealer Member shall apply under this section for approval as an Approved Tokenized Asset Custody Location if they wish to hold Tokenized Assets whether for its own account or on behalf of its clients.

6. Custody Limits

6.1 The Dealer Member shall ensure that the value of crypto assets held at Approved Crypto Custody Locations does not exceed the applicable limits set out in Schedule B, calculated as a percentage of all crypto assets held by the Dealer Member, excluding proprietary positions fully provided for out of the Dealer Member's Risk Adjusted Capital.

6.2 For greater certainty, no custody limits apply to Tokenized Assets held at Approved Tokenized Asset Custody locations.

7. Internal Custody

7.1 The Dealer Member may hold under Internal Custody up to 20% of the value of crypto assets held for clients and for its own account, provided that the Dealer Member meets requirements equivalent to those applicable to Tier 4 Crypto Custodians, except to the extent that a requirement is expressly limited to third-party custodians or is inapplicable by its nature to internal custody.

7.2 Proprietary positions fully provided for out of the Dealer Member's Risk Adjusted Capital are excluded from the limit in section 7.1.

7.3 The Dealer Member may hold Tokenized Assets for its own account or on behalf of its clients without limits provided that the Dealer Member has been approved under section 5 as an Approved Tokenized Asset Custody Location.

8. Segregation

8.1 The Dealer Member shall arrange with Approved Crypto Asset Locations, and with Approved Tokenized Asset Custody Locations, and configure the custody technology it uses for Internal Custody, to designate specific addresses as Segregated Locations such that the digital assets held at Segregated Locations are not available to satisfy claims of the Dealer Member's creditors, including under the bankruptcy and insolvency act or a provincial or foreign law dealing with bankruptcy and insolvency, other than to satisfy claims of the Dealer Member's clients with respect to their digital assets.

8.2 The Dealer Member shall, at the discretion of the Corporation, provide additional evidence, including legal opinions, assurance reports, or attestations, in form and substance satisfactory to the Corporation, where necessary to confirm that the segregation outcomes required under section 8.1 is achieved and maintained.

8.3 The Dealer Member shall calculate segregation requirements and compare them to the quantities they hold in designated Segregated Locations at least once each business day, excluding weekends and statutory holidays.

8.4 The Dealer Member shall transfer digital assets necessary to meet segregation requirements into designated Segregated Locations without unreasonable delay following the calculation required under section 8.3.

8.5 The Dealer Member shall determine, based on an assessment of operational need, maximum levels of proprietary positions that Dealer Member will hold in Segregated Locations at any given time. The assessment shall:

  • identify the specific operational reasons requiring proprietary assets to be held in segregation; and
  • incorporate historical and reasonably projected requirements for each such reason.

8.6 The Dealer Member shall transfer out of designated Segregated Locations, without unreasonable delay, proprietary digital asset positions that exceed the maximum levels determined under section 8.5 following the calculation required under section 8.3.

8.7 The Dealer Member shall undertake to buy in any position it is required to segregate but which it has not received within 5 business days.

9. Policies and Procedures

9.1 The Dealer Member shall establish, maintain, and enforce policies and procedures reasonably designed to ensure ongoing compliance with all applicable requirements under these Terms and Conditions and any applicable law or regulation.

10. Monitoring limits

10.1 The Dealer Member shall monitor compliance with:

  1. the custody limits applicable to an Approved Crypto Asset Location as set out in section 6; and
  2. the internal custody limits as set out in section 7,
  3. at least once weekly and more frequently when holdings approach the applicable limits.

10.2 Where the Dealer Member identifies a breach of any limit referred to in section 10.1, the Dealer Member shall, within one business day, take all necessary steps to bring the value of crypto assets into compliance with the applicable limit.

11. Reporting to the Corporation

11.1 The Dealer Member shall promptly notify the Corporation of any material change that could reasonably be expected to affect the eligibility of an Approved Crypto Custody Location or an Approved Tokenized Asset Custody Location.

11.2 The Dealer Member shall report to the Corporation, in the manner and frequency specified by the Corporation, the quantity, value, and location of each digital asset traded on its platform.

11.3 The Dealer Member shall report to the Corporation any breaches described in section 10 within one business day:

  1. the details of the breach;
  2. the steps taken by the Dealer Member to remediate the breach and the results of those steps; and
  3. where compliance cannot be achieved within one business day due to extenuating circumstances, a description of those circumstances, the measures to be taken to achieve compliance, and the expected timeline.

12. Regulatory Consequences for Repeated Breaches

12.1 Where the Dealer Member experiences repeated breaches of:

  • the custody limits applicable to an Approved Crypto Asset Location, as set out in section 6; or
  • the internal custody limits, as set out in section 7,

the Corporation may designate the Dealer Member in Early Warning Level 2 in accordance with the applicable IDPC Rules.

12.2 Where the Dealer Member has been designated in Early Warning Level 2 pursuant to section 12.1, the Corporation may direct the Dealer Member to reduce its holdings at the Approved Crypto Asset Location or internal custody location in respect of which the applicable limit has been breached, in the manner and within the timeframe specified by the Corporation.

12.3 Any direction issued under section 12.2 are subject to the notice and review provisions of IDPC Rule subsection 4136(2) and (3).

12.4 For greater certainty, nothing in this section limits or restricts the Corporation's authority under applicable CIRO Rules, including its authority to designate a Dealer Member in Early Warning, impose additional terms and conditions, or take any other supervisory or enforcement action as the Corporation considers appropriate.

Schedule A - Crypto Custodian Eligibility Framework

Part I - Common Crypto Custodian Requirements (All Tiers)

All Acceptable Crypto Custodians shall:

A. Minimum Capital

Maintain capital in excess of the applicable minimum set out below, based on audited financial statements prepared under IFRS or U.S. GAAP.

TierCanadianForeign
Tier 1 Crypto Custodian$100,000,000$150,000,000
Tier 2 Crypto Custodian$10,000,000$100,000,000
Tier 3 Crypto Custodian$10,000,000$100,000,000
Tier 4 Crypto Custodian$10,000,000$100,000,000

B. Assurance Reports

Provide a SOC 2 or ISAE 3000 (Type 2) report covering all elements of the technology infrastructure and based on the Trust Service Criteria relevant to Security and Availability.

C. Establishment and Registration

Be regulated in a Basel Accord country as a bank or trust company, in good standing with its regulator, and legally and functionally independent of any exchange or marketplace.

D. Custody Agreement

Enter into a written custody agreement with the Dealer Member, that is enforceable in the crypto custodian's jurisdiction, that, at a minimum, establishes:

  1. the role of the crypto custodian as fiduciary for the Dealer Member;
  2. the standard of care, such that the crypto custodian shall be liable for losses arising from its negligence, fraud, or willful misconduct;
  3. the crypto custodian's liability for failures in technology that are reasonably within its control;
  4. the crypto custodian's obligation to provide the Dealer Member with audited financial statements at least annually and SOC 2 reports at least annually, each within 90 days of the applicable reporting period-end; and
  5. the crypto custodian's obligations with respect to sub-custodians, including:
    1. to identify proposed sub-custodians and obtain the Dealer Member's prior written consent before transferring crypto assets held for the Dealer Member to a sub-custodian; and
    2. to provide the Dealer Member with ongoing disclosure of the assets held by each sub-custodian.

E. Annual Approval

Be approved annually by the Dealer Member's Board of Directors, with certification filed with the Corporation.

F. Policies and Procedures

Represent that it maintains policies and procedures describing its methods and practices for securing crypto assets.

Part II - Tier-Specific Requirements

Tier 1 Crypto Custodians

In addition to Part I, a Tier 1 Crypto Custodian shall:

  • provide SOC 2 / ISAE 3000 assurance covering Confidentiality and Processing Integrity
  • be supervised by a regulator that (1) includes a department dedicated to the licensing of entities providing custody services and performs prudential oversight functions; and (2) has an acceptable bilateral regulatory information sharing arrangement with the Corporation, or with a Canadian provincial or territorial securities regulator, or with a Canadian federal prudential regulator provided that such federal prudential regulator maintains a bilateral regulatory information-sharing arrangement with the Corporation or with a Canadian provincial or territorial securities regulator
  • maintain insurance appropriate for its assets under administration, including a Fidelity or equivalent policy covering losses from all crypto asset storage locations.

Tier 2 Crypto Custodians

In addition to Part I, a Tier 2 Crypto Custodian shall:

  • be governed by legislation related to insolvency and the treatment of segregated assets, such that (1) the custody contract is enforceable in the crypto custodian's jurisdiction; and (2) the legal environment in the crypto custodian's jurisdiction is such that assets segregated for customers are preserved from the estate of a bankrupt or insolvent crypto custodian.
  • be supervised by a regulator that (1) includes a department dedicated to the licensing of entities providing custody services and performs prudential oversight functions; and (2) has an acceptable bilateral regulatory information sharing arrangement with the Corporation or with a Canadian provincial or territorial securities regulator, or with a Canadian federal prudential regulator, provided that such federal prudential regulator maintains a bilateral regulatory information-sharing arrangement with the Corporation or with a Canadian provincial or territorial securities regulator.
  • provide SOC 2 / ISAE 3000 assurance covering Confidentiality and Processing Integrity, and crypto asset-specific risks
  • provide independent cybersecurity assurance by a qualified professional
  • represent that it engages an independent professional to perform penetration testing annually
  • provide assurance reports prepared by qualified independent professionals assessing the crypto custodian's controls with reference to recognized frameworks for third party risk management and business continuity or be supervised by a regulator that has specified public minimum requirements regarding third party risk management and business continuity
  • maintain insurance appropriate for its assets under administration, including a Fidelity or equivalent policy covering losses from all crypto asset storage locations.

Tier 3 Crypto Custodians

In addition to Part I, a Tier 3 Crypto Custodian shall:

  • be governed by legislation related to insolvency and the treatment of segregated assets, such that (1) the custody contract is enforceable in the crypto custodian's jurisdiction, and (2) the legal environment in the crypto custodian's jurisdiction is such that assets segregated for customers are preserved from the estate of a bankrupt or insolvent crypto custodian
  • be supervised by a regulator that (1) includes a department dedicated to the licensing of entities providing custody services and performs prudential oversight functions; and (2) has an acceptable bilateral regulatory information-sharing arrangement with the Corporation or with a Canadian provincial or territorial securities regulator, or with a Canadian federal prudential regulator, provided that such federal prudential regulator maintains a bilateral regulatory information-sharing arrangement with the Corporation or with a Canadian provincial or territorial securities regulator
  • provide a SOC 2 or ISAE 3000 (Type 2) assurance report based on the Trust Service Criteria relevant to security and availability for each outsourced custody technology provider
  • provide a SOC 2 or ISAE 3000 (Type 2) assurance report covering crypto-asset specific risks for proprietary technology
  • represent that it engages an independent professional to perform penetration testing annually
  • represent that it adheres to recognized frameworks for third party risk management and business continuity
  • maintain insurance appropriate for its assets under administration, including a Fidelity or equivalent policy covering crypto assets in hot and warm storage and, unless covered by its Fidelity policy, Specie coverage for crypto assets in cold storage.

Tier 4 Crypto Custodians

In addition to Part I, a Tier 4 Crypto Custodian shall:

  • be governed by legislation related to insolvency and the treatment of segregated assets, such that (1) the custody contract is enforceable in the crypto custodian's jurisdiction; and (2) the legal environment in the crypto custodian's jurisdiction is such that assets segregated for customers are preserved from the estate of a bankrupt or insolvent crypto custodian
  • represent that it engages an independent professional perform penetration testing annually
  • maintain insurance appropriate for its assets under administration, including a Fidelity or equivalent policy, covering crypto assets in hot and warm storage and, unless covered by its Fidelity policy, Specie coverage for crypto assets in cold storage.

Schedule B - Custody Limits for Approved Crypto Custody Locations

TierMaximum Percentage
Tier 1 Crypto Custodian100%
Tier 2 Crypto Custodian100%
Tier 3 Crypto Custodian75%
Tier 4 Crypto Custodian40%

Schedule C - Tokenized Asset Custodian Eligibility Framework

An Acceptable Tokenized Asset Custodian shall:

A. qualify as an Acceptable Securities Location under IDPC Rule 4342 and the General Notes and Definitions to IDPC Form 1

B. represent that it maintains policies and procedures describing its methods and practices for securing tokenized assets

C. provide a SOC 2 or ISAE 3000 (Type 2) report covering all elements of the technology infrastructure and based on the Trust Service Criteria relevant to Security, Availability, Confidentiality, and Processing Integrity

D. enter into a written custody agreement with the Dealer Member, that is enforceable in the tokenized asset custodian's jurisdiction, that, at a minimum, establishes:

  1. the role of the tokenized asset custodian as fiduciary for the Dealer Member;
  2. the standard of care, such that the tokenized asset custodian shall be liable for losses arising from its negligence, fraud, or willful misconduct;
  3. the tokenized asset custodian's liability for failures in technology that are reasonably within its control;
  4. the tokenized asset custodian's obligation to provide the Dealer Member with audited financial statements at least annually and SOC 2 reports at least annually, each within 90 days of the applicable reporting period-end; and
  5. the tokenized asset custodian's obligations with respect to sub-custodians, including:
    1. to identify proposed sub-custodians and obtain the Dealer Member's prior written consent before transferring tokenized assets held for the Dealer Member to a sub-custodian; and
    2. to provide the Dealer Member with ongoing disclosure of the assets held by each sub-custodian

E. maintain insurance appropriate for its assets under administration, including a Fidelity or equivalent policy covering losses from all tokenized asset storage locations

F. at the Corporation's direction, comply with additional digital custody requirements where the Corporation determines, based on the nature, scale, complexity, or risk profile of the tokenized asset, custody arrangement, or the custodian itself, that additional safeguards are warranted, provided that such additional requirements shall not exceed the digital custody requirements applicable to Tier 2 Crypto Custodians.

Attachment 2 – Other Terms and Conditions

Trading Information

1. Webull Canada Crypto Limited (Webull) at its cost, shall be responsible for providing CIRO, in the form and format specified by CIRO, with (i) access to information relating to trades executed utilizing Webull’s trading platform and (ii) any other information reasonably required by CIRO to effectively monitor the conduct of trading.

2. At CIRO's request, Webull shall, at Webull’s cost, provide CIRO with historic trade information and trading related activity on Webull’s trading platform. Such information shall be provided in such form and in such format as CIRO requests and within such time periods as CIRO shall reasonably direct.

Liquidity Providers

3. Webull will take reasonable steps to verify, before using a Liquidity Provider, that the Liquidity Provider is appropriately registered and/or licensed to trade in crypto assets in their home jurisdiction or that their activities do not require registration in their home jurisdiction and that they are not in default of securities legislation in Canada.

4. If Webull becomes aware that a Liquidity Provider is not appropriately registered or licensed to trade in crypto assets in their home jurisdiction as required or that the Liquidity Provider is in default of securities legislation in any jurisdiction in Canada, Webull will seek approval from CIRO to continue use of the Liquidity Provider, or, failing that approval, will follow established policies and procedures to promptly cease trading of any crypto assets with the Liquidity Provider except to allow clients to liquidate their positions.

Accounting Treatments

5. Webull CTP will apply the following accounting policies to the extent that Webull CTP or its Panel Auditor believes either that any one of them does not comply with IFRS, or that IFRS allows Webull CTP an alternative accounting choice:

  1. Webull CTP to account for clients’ crypto asset holdings off-balance sheet.
  2. Webull CTP to record gains and losses on proprietary trading in crypto assets on a net basis on Statement E.
  3. Webull CTP to account for long-term proprietary positions in crypto assets as inventory.

Training for Approved Persons

6. Webull will provide training, as represented to CIRO, to all Approved Persons, including Executives, Investment Representatives and Supervisors, as well as compliance staff, upon approval of the CIRO membership in order to ensure ongoing compliance with training and proficiency requirements in IDPC Rules 2602 and 2604(1).

7. Webull will provide CIRO staff with notice of any substantive changes to its internal training plan including detailed analysis and explanation of the change, no later than 30 days in advance of the change.

Welcome to CIRO.ca!

You can find the Canadian Investment Regulatory Organization (CIRO) at CIRO.ca with our fresh look and feel.