Appearance before the House of Commons’ Standing Committee on Finance for its statutory review of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA)

February 28, 2018
Ottawa, Ontario

Opening Statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)

---

Introduction

Thank you Chair and members of the Committee for the opportunity to appear before you today as part of your statutory review of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, or PCMLTFA.

We of course support Canada’s efforts to combat money laundering and terrorist financing. However, the manner in which these efforts are undertaken must strike an appropriate balance between the need to combat such activities and respecting privacy rights of Canadians.

The PCMLTFA Regime and Privacy

The most apparent privacy implication with this regime is that it casts a wide net capturing a great deal of information about law-abiding Canadians conducting financial transactions, with a view to uncovering threats to national security or incidents of money laundering.

In our previous Parliamentary briefs on Bills C-51 and C-59, we signaled concerns around information collection and sharing regimes in the context of national security.

Specifically, we have highlighted the need for rigorous legal standards around the collection and sharing of personal information, effective oversight, and minimization of risks to the privacy of law-abiding Canadians, in part through prudent retention and destruction practices.

Results of our reviews of FINTRAC

As you are aware, subsection 72(2) of the PCMLTFA provides my Office with a mandate to conduct biennial reviews of how FINTRAC protects information it receives or collects under this Act.  We can also conduct reviews under section 37 of the Privacy Act.

All of our audits have identified issues with FINTRAC receiving and retaining reports which do not meet legislative thresholds for reporting.

In 2014, the PCMLTFA was amended by Bill C-31 to add subsection 54(2), which requires that FINTRAC destroy information in its holdings which was either not required to be reported, or any information voluntarily provided to it by the public that it determines is not about suspicions of money laundering, or the financing of terrorist activities.

Although FINTRAC has implemented measures to validate incoming reports, resulting in the rejection of thousands of them, we continue to identify information in FINTRAC databases that did not meet thresholds and should not have been retained. 

We have recommended improvements, and FINTRAC responded that it will continue its work in implementing front-end screening measures to minimize the receipt of unnecessary personal information.

Also, we have generally found FINTRAC to have a comprehensive approach to security, including controls to safeguard personal information.  Our most recent audit did identify governance issues between FINTRAC and Shared Services Canada, which FINTRAC has committed to addressing.

Proportionality

Beyond these issues which we are mandated to review under the PCMLTFA, our principal concern, based on our experience reviewing FINTRAC over the past 10 years, relates to the lack of proportionality of the regime.  Disclosures to law enforcement and other investigative agencies made in a given fiscal year represent a very small number when compared to the information received during that same timeframe. Information received is also retained for long periods.

According to their latest annual report, FINTRAC reported that out of 24.7 million records received during the last fiscal year there were only 2,015 actionable disclosures, which represents less than 1 in 10,000.^{Footnote 1}

FINTRAC’s retention of undisclosed reports increased from 5 to 10 years in 2007.

Even if one accepts that sharing financial transaction data related to law-abiding citizens may lead to the identification of threats of money laundering or terrorist financing activities, once that information is analyzed and leads to the conclusion that someone is not a threat, it should no longer be retained.

More broadly, we have noted a trend to broaden the regime, and we note Finance Canada’s vision of moving towards a holistic information collection scheme which would create an environment supporting increased analytics and information sharing.  We have already seen discussion about lowering existing thresholds for reporting, which could be made through Regulations.  In the consultation paper, Finance also suggests increasing the number of reporting agencies and a new model for engagement of the private sector.

Enhancing proportionality in collection and retention: a risk based approach

While I appreciate that a holistic approach to the collection and sharing of information might be useful to identify threats, what is proposed, unless appropriate privacy safeguards are adopted, would further exacerbate our concerns with proportionality. Instead, I would suggest that a risk based approach be adopted in order to minimize the risk of over-collecting and retaining the financial and personal information of law-abiding individuals.

Under such an approach, FINTRAC, based on a thorough risk based analysis of its data, would develop criteria to limit collection, sharing and retention to only situations likely to represent potential manifestations of terrorist financing or money laundering. We realize this may be challenging, but as privacy experts, we at the OPC believe we can play a role in the assessment of these factors.

Currently, our review mandate under the PCMLTFA and the Privacy Act is limited to ensuring that these statutes and regulations as enacted, including monetary thresholds for collection, are respected. We think a more useful contribution would be to provide advice, after review, on amendments that could be made, either to the statutes, regulations or practices of FINTRAC, to ensure greater proportionality, including the assessment of risk factors which might govern information collection, sharing and retention.

The government is recommending that the PCMLTFA be amended to provide that the reviews we currently undertake every two years under section 72, occur every four years. We agree in part and would recommend that:

1. the purpose of our reviews under the PCMLTFA be modified to include advice or recommendations on proportionality, as just mentioned; and
2. that they begin at least one year before every anticipated 5-year review that Parliament must undertake.

The OPC would continue to conduct compliance reviews under section 37 of the Privacy Act.

As it relates to proportionality, the Committee may wish to consider Part 4 of Bill C-59, concerning CSIS datasets and their retention, which might be instructive.  Under that model, CSIS must screen data promptly (within 90 days), and can only retain Canadian datasets if the Federal Court is satisfied it is likely to assist in the performance of CSIS’s mandate, including the detection of threats to the national security of Canada

In addition, with respect to any contemplated changes to reduce existing thresholds through Regulations, which would also affect proportionality, I would reiterate my recommendation in the context of Privacy Act reform that government institutions should be legally be required to consult with my office on draft legislation and regulations with privacy implications before they are tabled.

Addressing gaps in oversight

In terms of review and oversight of this regime, there are some review mechanisms in place and others proposed in Bill C-59, but I would argue that there are still some gaps in terms of comprehensive oversight.

While some decisions are subject to statutory or judicial review by the Federal Courts, a decision by FINTRAC to disclose information is more likely to be challenged in the context of a proceeding involving a disclosure to an investigate body, such as a law enforcement agency.  In many cases however, an individual whose information is disclosed by FINTRAC may never know the disclosure took place.

C-59, if passed, would create a new expert review body, the National Security Intelligence Review Agency (NSIRA), with broad jurisdiction to examine the activities of all departments and agencies involved in national security, which will include FINTRAC. The new National Security and Intelligence Committee of Parliamentarians will also have a role to produce well informed and comprehensive reviews of the work of these agencies.

However, NSIRA will not review all of FINTRAC’s activities, given the latter’s mandate to identify criminality related to money laundering.  Its national security review may also be limited given that not all of FINTRAC’s disclosures are within the federal family.

The OPC has an important mandated role, as already explained, and insight on the privacy aspects, including ten years of audit experience in this area.  However, we currently would not have the legal authority to work with other national security review bodies, such as NSIRA, to cooperate and provide effective oversight in this area.  This is point we raised in the context of C-59.

Conclusion and Recommendations

To summarize then, I would recommend that:

1. the purpose of our reviews under the PCMLTFA be modified to include advice or recommendations on proportionality;
2. that they begin at least one year before every anticipated 5-year review that Parliament must undertake; and
3. with respect to any contemplated changes to the Regulations, Finance Canada should be legally required to consult with my office on draft legislation and regulations with privacy implications before they are tabled.

Thank you for inviting me to provide this Committee with comment – and I look forward to your questions.