Add Canada (CSA / CIRO / OSFI / OPC) regulatory reference data

[pmerrison]

Credit

This PR consolidates and restructures the work of two open PRs already on the project. The substantive research is theirs; this PR's contribution is to combine them into a single coherent reference dataset.

• Create canada-regulations.yml #285 — Luca Borella (Create canada-regulations.yml): contributed the broader scope (OSFI E-23 and B-13, PIPEDA, CSA, CIRO, FCAC), the layout wiring into risk.html and mitigation.html, and the practical filename canada-regulations.yml.
• Add Canada (CSA / CIRO) regulatory reference data file #290 — mthom (Add Canada (CSA / CIRO) regulatory reference data file): contributed current sources (OSFI E-23 2027, CIRO Annual Compliance Report 2026, the Proposed CIRO Rules and Phases 4–5, IOSCO CR/01/2025), an explicit perimeter, and a clean schema mirroring eu-ai-act.yml / ffiec-itbooklets.yml.

If maintainers prefer to land one of the original PRs instead, please feel free to close this one. It is offered as a possible reconciliation of the two and assumes both authors are happy for their work to be combined this way.

Summary

Adds docs/_data/canada-regulations.yml — 48 entries covering Canadian AI and financial-sector regulatory references — and wires the new dataset into the existing reference-card includes on the risk and mitigation layouts.

Coverage (issuer / count): OSFI 17 · CSA 14 · CIRO 11 · CSA/CIRO 2 · OPC 2 · IOSCO 1 · FCAC 1.

Out of scope (deferred to follow-up PRs): adding canada-regulations_references: entries to individual _risks/*.md and _mitigations/*.md files. This PR is the reference-data foundation only.

Schema

Mirrors eu-ai-act.yml and ffiec-itbooklets.yml:

key:
  title: <short, single-line citation>
  url: <canonical URL>
  issuer: <CSA | CIRO | CSA/CIRO | OSFI | OPC | FCAC | IOSCO>
  description: <optional richer context; not rendered by current layouts>

The issuer field is analogous to FFIEC's booklet_abbrev. The optional description field preserves contextual research (effective dates, applicability, AI relevance) without requiring layout changes today — a future enhancement could surface it as muted secondary text under the title. Happy to drop or rename either field per maintainer preference.

All titles are short single-line citations (longest is 94 characters), consistent with existing reference-card visual norms.

Granularity

Split where the source has real numbered structure so that follow-up risk/mitigation PRs can cite specifics without churn:

• OSFI E-23 (2027) — 12 numbered principles (1.1–1.3, 2.1–2.3, 3.1–3.6) under sections A–D
• OSFI B-13 — 3 domains (Governance and Risk Management; Technology Operations and Resilience; Cyber Security)
• NI 31-103 — key sections 11.1, 11.5, 13.2, 13.2.1, 13.3, 13.4
• CIRO IDPC Rules — rule groups 1500, 3100–3600, 3800, 3900
• CIRO Rule Consolidation Project — Phases 4 and 5 separately
• PIPEDA — Schedule 1 separately

Synthetic topical splits (e.g., per-topic CSA SN 11-348 carve-outs) are kept at document level since they don't correspond to real document sections.

Source verification corrections

While reconciling the two PRs I verified entries against current source documents and made the following corrections:

• OSFI E-23 (2027) — restructured to the actual document. The 2027 revision has 12 principles organised as 1.1–1.3, 2.1–2.3, 3.1–3.6 under sections A–D, not the 7-principle structure of the older E-23 that was in Create canada-regulations.yml #285.
• PIPEDA Schedule 1 — URL updated to use the verified anchor (#h-417659); description corrected from 9 to 10 principles (the previous summary omitted Principle 4.5, "Limiting Use, Disclosure, and Retention").
• Bill C-27 (CPPA + AIDA) — omitted. The bill died on the order paper in the 44th Parliament (last activity at INDU committee 2024-09-26) and has not been reintroduced in the 45th Parliament. A YAML comment notes the trigger for re-adding once a successor bill is introduced.

NI 31-103 sections and CIRO IDPC rule numbers could not be independently verified (BCSC returned 404, OSC and CIRO blanket-403 to automated fetches). The cited section/rule list from #290 was used; it is consistent with the well-known IIROC-inherited IDPC structure.

Layout wiring

Adds the new dataset to the existing reference-card include block in both _layouts/risk.html and _layouts/mitigation.html. The include is a no-op for files that don't declare canada-regulations_references: in their front matter (the existing reference-card.html partial guards on references.size > 0), so this change has no visible effect until follow-up PRs add references on individual risks/mitigations.

Notes on durability

Two entries point to material currently in flux that will need maintenance:

1. Proposed CIRO Rules — draft, subject to revision based on comments before coming into force. When adopted, several entries should be updated and the IDPC Rules entry eventually retired.
2. CSA Staff Notice 11-348 — consultation comment period closed 2025-03-31. CSA may publish a response-to-comments or revised notice in future; this entry should be refreshed at that point.

Test plan

• jekyll build runs cleanly from docs/ (0.42s, no errors)
• YAML parses; all 48 entries have title and url; longest title 94 chars
• Maintainer review of consolidation approach, schema (issuer + optional description), and granularity calls
• Confirmation from Create canada-regulations.yml #285 / Add Canada (CSA / CIRO) regulatory reference data file #290 authors (cc @lucaborella89 @mthomcfa) that they are happy for this combined version to land in place of their PRs

[mthomcfa]

Hi all - I'm pushing a revised/dependent PR that is dependent on PR #290 and adds the reference data/linkages. I'm wondering if it makes sense to wrap that into this PR or fast-follow, given the noted open items here? I'm fine with either approach, and will push the PR today.