CICC Compliance Checklist for AI Tools in 2026

CICC Enforcement Is Intensifying

The College of Immigration and Citizenship Consultants (CICC) has significantly stepped up enforcement. In 2025 alone, over 5,400 websites were shut down for unauthorized immigration advice and non-compliant practices. Penalties for violations can reach up to $50,000 per offence, and the College has made clear that AI-powered tools are not exempt from scrutiny. Any firm using AI for intake, lead qualification, or client-facing conversations must ensure their technology meets CICC standards. This checklist helps you verify that your AI tools are compliant before deployment — and before an audit finds gaps.

Why Compliance Matters More for AI Tools Than Traditional Software

Traditional intake software — forms, CRMs, scheduling tools — typically collects data and routes it to humans. AI tools, by contrast, conduct conversations, interpret eligibility, and present information that could be construed as advice. That creates additional regulatory exposure. The CICC expects firms to demonstrate that AI systems clearly disclose their non-licensed status, obtain proper consent, avoid unauthorized advice, and maintain audit-ready records. A generic chatbot or off-the-shelf AI that wasn't built for immigration can put your licence at risk. The checklist below applies specifically to AI tools used in CICC-regulated contexts.

The 10-Point CICC Compliance Checklist for AI Tools

Use this checklist when evaluating any AI intake, chatbot, or qualification tool for your immigration practice. Each point should be verifiable before you go live.

1. AI disclosure: Does the tool clearly state that it is not a licensed consultant and does not provide immigration advice? The disclosure should appear at the start of every conversation and be unambiguous. Users must understand they are interacting with an information-gathering tool, not a regulated professional.
2. Consent collection: Is PIPEDA-compliant consent obtained before data collection? Consent must be informed, specific, and obtained at or before the point of collection. The tool should record when and how consent was given, and what the user consented to.
3. Data residency: Is all data stored on Canadian servers? Client information must remain under Canadian jurisdiction and PIPEDA governance. US-based or offshore cloud storage creates compliance and privacy risks.
4. Encryption: Does the system use AES-256 at rest and TLS 1.3 in transit? These are industry-standard encryption levels. Verify with the vendor that data is protected both when stored and when transmitted.
5. Conversation logging: Are all interactions timestamped and stored? Every AI conversation should be logged with a full transcript, timestamps, and metadata. Logs must be retained for a period consistent with your firm's record-keeping obligations.
6. Audit export: Can logs be exported for CICC audit? When the College requests documentation, you need to produce conversation records, consent records, and data handling evidence. The system should support one-click or straightforward export in a usable format.
7. No unauthorized advice: Does the AI avoid recommending specific immigration pathways? The tool should collect information and screen eligibility against publicly available criteria — it should not tell users which program to apply for, predict outcomes, or make representations on behalf of the firm. Learn more about our approach in our compliance page.
8. Fee disclosure: Does the system support retainer and fee disclosure automation? CICC requires clear fee disclosure before engagement. If the AI schedules consultations or collects commitment, the workflow should include proper fee and retainer disclosure.
9. Data deletion: Can client data be exported and deleted on request? PIPEDA gives individuals the right to access and correct their data, and in many cases to request deletion. The system should support data export and deletion workflows within reasonable timelines.
10. Regular updates: Does the vendor keep up with regulatory changes? CICC rules, IRCC program updates, and privacy law evolve. The vendor should have a process for updating disclaimers, consent flows, and logic when regulations change.

How to Verify Each Point Before Deploying

Don't rely on marketing claims. Request documentation: a compliance statement, a data processing agreement, and evidence of Canadian hosting. Run a test conversation and confirm the AI disclosure appears at the very start — before any questions are asked. Ask the vendor to demonstrate an audit export: can they produce a complete log for a sample conversation within minutes, including timestamps and consent records? Check the terms of service and privacy policy for explicit data residency and deletion commitments. Request a security or compliance whitepaper if available.

If the vendor cannot clearly answer each checklist item, consider a platform built specifically for CICC-regulated firms. Generic chatbots and off-the-shelf AI tools often lack the guardrails required for immigration practice. Brothers Digital is designed from the ground up for Canadian immigration compliance, with built-in AI disclosure, PIPEDA consent, Canadian data residency, and audit-ready logs. Our compliance approach addresses every point on this checklist.

Deploying AI without verifying compliance is a gamble. The 5,400 sites shut down in 2025 and the $50,000 penalty ceiling are reminders that the College is watching. Use this checklist before you go live — and sleep easier knowing your AI intake meets CICC standards.