Add Canada (CSA / CIRO) regulatory reference data file

[mthomcfa]

Summary

Adds docs/_data/csa-ciro-canada.yml — a new jurisdictional regulatory reference file covering Canadian securities regulators (CSA, CIRO) and analogous federal prudential and international guidance (OSFI, IOSCO) relevant to AI governance for securities-registered firms in Canada.

Addresses #253 (Canadian Mappings — standards + regulations alignment). This PR is a first step: it contributes the reference data foundation. Follow-up PRs to the _risks/*.md files will add the actual AIGF-to-Canada mappings themselves, starting with ri-22_regulatory-compliance-and-oversight (the most obvious fit) and extending to the other risks noted at the bottom of this description.

This is the first Canada-specific contribution to AIGF's reference data, scoped to securities-registered firms (CIRO investment dealers and CSA-registered portfolio managers, investment fund managers, and exempt market dealers). See "Perimeter" below for what's intentionally out of scope for this initial contribution.

What's in the file

20 entries in three tiers (tiers are expressed via YAML comments; the schema itself stays flat).

Tier 1 — AI-specific Canadian regulatory guidance (3)

• csa-sn-11-348 and csa-sn-11-348-pdf — CSA Staff Notice and Consultation 11-348 (2024-12-05), the CSA's authoritative view on how existing Canadian securities law applies to AI systems used by market participants.
• ciro-acr-2026 — CIRO Compliance Report for 2026 (2026-02-17), which includes a dedicated AI section addressing operational controls and the material business change notification trigger.

Tier 2 — Binding Canadian securities rules and staff notices (14)

• ni-31-103, ni-31-103cp — the core registration / conduct / suitability instrument and its Companion Policy.
• csa-ciro-sn-31-363, csa-ciro-sn-31-368 — Joint CSA/CIRO Client Focused Reforms reviews on conflicts of interest and KYC/KYP/suitability practices.
• ni-33-109-f5 — Form 33-109F5, the material business change notification mechanism CIRO has flagged as potentially triggered by AI adoption.
• csa-sn-11-326, csa-sn-11-332, csa-sn-33-321 — CSA cyber security staff notices (2013, 2016, 2017).
• ciro-idpc-rules, ciro-dealer-member-rules — the currently operative CIRO rulebook for investment dealers and its landing page.
• ciro-rules-proposed, ciro-rules-consolidation-project, ciro-rules-phase-4, ciro-rules-phase-5 — the Rule Consolidation Project materials for the Proposed CIRO Rules, which are complete in draft across Phases 1–5 (final phase published 2025-03-27, comment period closed 2025-06-25) and remain subject to revision in response to comments before coming into force. Phase 4 specifically carries forward a proposed Rule 3900 requirement that Dealer Members ensure Supervisors understand how automated tasks and activities work — an explicit AI-adjacent supervisory expectation in the draft consolidated rulebook.

Tier 3 — Broadly consistent with / "inspired by" (3)

• osfi-e-23-2027 — OSFI Guideline E-23 Model Risk Management (2027), published 2025-09-11 and effective 2027-05-01. Not binding on CSA or CIRO registrants but the dominant Canadian benchmark for AI/ML model risk.
• osfi-b-13 — OSFI Guideline B-13 Technology and Cyber Risk Management.
• iosco-cr-01-2025 — IOSCO Consultation Report CR/01/2025 Artificial Intelligence in Capital Markets.

Schema

Mirrors eu-ai-act.yml and ffiec-itbooklets.yml:

key:
  title: <title>
  url: <canonical URL>
  issuer: <CSA | CIRO | CSA/CIRO | OSFI | IOSCO>

issuer is an optional extension field analogous to booklet_abbrev in ffiec-itbooklets.yml. Its purpose is to distinguish binding Canadian securities regulators (CSA, CIRO, CSA/CIRO jointly) from analogous non-binding material (OSFI federal prudential, IOSCO international). Happy to drop or rename per maintainer preference.

One entry per instrument with key section numbers cited in titles, rather than per-section granularity, because Canadian source pages URL at the instrument level rather than per provision (unlike the EU AI Act explorer). Can split later if preferred.

Perimeter (and what's intentionally out of scope)

In scope: CIRO investment dealers and CSA-registered portfolio managers, investment fund managers, and exempt market dealers.

Out of scope for this initial contribution:

• Mutual fund dealers (legacy MFDA rulebook) — will be addressed when the Proposed CIRO Rules come into force and unify the rulebooks.
• Marketplaces and ATSs (NI 21-101 / 23-101).
• Non-investment-fund reporting issuers (disclosure obligations under CSA SN 11-348).

Verification

All URLs in the file were verified against canonical issuer sites (osc.ca, ciro.ca, osfi-bsif.gc.ca, iosco.org) on 2026-04-10.

Follow-up contributions

If this lands, I plan to follow up with PRs to individual _risks/*.md files adding csa-ciro-canada_references: entries, starting with ri-22_regulatory-compliance-and-oversight (the most obvious fit) and extending to ri-16, ri-17, ri-18, ri-19, ri-20, and the data-leakage risks ri-1 / ri-2.

Notes on durability

Two of the entries point to material currently in flux that may need maintenance:

1. Proposed CIRO Rules — draft, subject to revision based on comments received before coming into force. When adopted, several entries should be updated and the IDPC Rules entry eventually retired.
2. CSA Staff Notice 11-348 — consultation comment period closed 2025-03-31. CSA may publish a response-to-comments or a revised notice in future; this entry should be refreshed at that point.

DCO

All commits signed off.

[mthomcfa]

Will add the framework mapping once this has been picked up. First PR to a FINOS project here from a non-engineer/dev, pls be gentle!

[alvin-c-shih]

Some of the titles seem quite long, which might not look good on the sidebar.
Worth including some example mappings and generating the site to see if it looks ok.