Biennial review of the measures taken by the Financial Transactions and Reports Analysis Centre of Canada to protect personal information

Pursuant to subsection 72(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act

Final report 2024

December 5, 2024


Executive Summary

The Privacy Commissioner is required, pursuant to subsection 72(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the PCMLTFA) to conduct a biennial review of the measures taken by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) to protect the information it receives or collects.

The Office of the Privacy Commissioner of Canada (OPC)’s biennial reviews are an opportunity for the OPC to assess the security safeguards that protect FINTRAC’s information assets, and to identify potential deficiencies and the solutions required to address them, commensurate to the nature and sensitivity of FINTRAC’s personal information holdings.

Each review focuses on specific aspects of FINTRAC’s systems and safeguards to protect personal information, builds on previous review findings, and assesses FINTRAC’s progress to address the resulting recommendations, all while providing the foundation for future reviews.

The present review found that FINTRAC has made progress to enhance and improve privacy protections since the OPC’s last biennial review in 2021. It has addressed a number of our previous findings and recommendations, including 1) implementing measures to avoid the unnecessary collection of personal information, including below-threshold reports; 2) making enhancements to its threat detection and incident response processes, mainly through the onboarding of a Security Information and Event Management (SIEM) solution; and 3) making improvements to its Business Continuity Plan (BCP).

Nevertheless, we also concluded that there is still outstanding work to be completed for FINTRAC to fully address our previous findings and to enhance its controls and safeguards in relation to these same issues.

As a preliminary matter, we continue to have concerns regarding FINTRAC’s progress to address three recommendations made in the OPC’s 2021 biennial review relating to: (i) the disposal of Electronic Funds Transfer Reports (EFTRs) and Large Cash Transaction Reports (LCTRs) that are below the reporting threshold; (ii) the optimization of its use of the SIEM solution that is the cornerstone of its information technology (IT) security controls relating to the monitoring of activity logs to detect and respond to inappropriate or malicious external and insider threats; and (iii) the comprehensiveness of FINTRAC’s BCP to factor in all possible causes of operational disruptions.

We note that FINTRAC was impacted by two incidents during the review period, a cyber incident and an unauthorized disclosure of information by a FINTRAC employee, which prompted FINTRAC to notify the OPC. One of those incidents – a cyber incident reported to the OPC in March 2024 – prompted FINTRAC to make key organizational decisions that were contextually relevant to our review.

In particular, we remain concerned with the level of priority being given by FINTRAC to the disposal of historical below-threshold reports, which was previously raised as an issue by the OPC in its 2017 and 2021 biennial reviews. Furthermore, we note that FINTRAC’s automated processes to dispose of reports that are over 10 years old are currently disabled, with no set timeline for resumption. These issues may represent a compliance issue for FINTRAC under the PCMLTFA, which we have taken into consideration in developing our recommendations.

While we did not assess FINTRAC’s post-incident recovery activities in the present review, the cyber incident underscores the importance of security practices and the processes that support them.

We commend, and are encouraged by, FINTRAC’s modernization efforts, including its increased cloud presence and use of automation and artificial intelligence (AI). As these advancements introduce new risks, an operationalization framework will be required to ensure that the necessary security and privacy controls are in place. It is also our expectation that FINTRAC conduct regular internal and external security assessments and penetration testing to evaluate systems and applications for vulnerabilities. We therefore make recommendations to FINTRAC related to the nature and frequency of these assessments to provide adequate assurance of the effectiveness of its safeguards.

FINTRAC’s move to a cloud architecture represents a fundamental shift in the delivery of its IT services. While we recognize the benefits, we also offer advice about the risks in relation to the complexity of maintaining security measures under the cloud’s shared responsibility model. Institutions such as FINTRAC must take appropriate steps to ensure that their in-house expertise, policies and processes support the maintenance of their security posture, as they remain accountable for protecting the confidentiality, integrity, and availability of IT services and information. Furthermore, challenges such as the demand for skills and talent in cloud technologies and the advancements in automation and AI demonstrate the critical need for departments such as FINTRAC to invest in reskilling, hiring and retaining resources, given the acceleration of their move to the cloud and other cutting-edge technologies.

In this report, we make nine recommendations to FINTRAC, and one recommendation to Shared Services Canada (SSC), and both organizations have indicated their acceptance of these recommendations. We will continue to engage with FINTRAC to discuss its action plans for the implementation of these recommendations to address outstanding issues, and to ensure that safeguards commensurate to the sensitivity of its information holdings are in place. As for SSC, given the steps that it has initiated to action the recommendation, we consider the issue to be resolved.

It is also the OPC’s intention, during its next biennial exercise, to review the sufficiency of the controls and measures implemented by FINTRAC to mitigate against the recurrence of the March cyber incident. In the interim, FINTRAC provided the OPC with its updated Recovery and Modernization Strategy and committed to submit quarterly updates on its progress to implement the recommendations made for business recovery.

We take this opportunity to thank FINTRAC for the collaboration and transparency it demonstrated in the current review.

Introduction

  1. The Privacy Commissioner is required, pursuant to subsection 72(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the PCMLTFA) to conduct a biennial review of the measures taken by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) to protect the information it receives or collects.
  2. As Canada’s financial intelligence unit and anti-money laundering and anti-terrorist financing supervisor, FINTRAC’s mandate is to facilitate the detection, prevention and deterrence of money laundering and the financing of terrorist activities, while ensuring the protection of personal information under its control. In fulfilling its core financial intelligence and compliance mandates, FINTRAC must safeguard the significant volume of information it receives and discloses to Canada’s law enforcement and national security agencies, as this is critical to national security and the protection of Canadians’ right to privacy.Footnote 1
  3. FINTRAC is subject to a range of controls relating to its collection, use, disclosure and retention of information under the PCMLTFA.Footnote 2 As an institution subject to the requirements of the Privacy Act (the Act), FINTRAC is also subject to the policies and directives issued by the Treasury Board Secretariat (TBS) which support the Act’s administration.Footnote 3
  4. The TBS Policy on Government Security (the Policy) establishes minimum mandatory security requirements, and prescribes safeguards to protect and preserve the confidentiality and integrity of an institution’s assets, including personal information. The Policy is supported by the TBS Directive on Security Management which outlines the mandatory procedures for security controls.Footnote 4 Institutions are responsible for conducting their own assessments to determine whether safeguards above baseline levels are required. Given the nature and sensitivity of FINTRAC’s personal information holdings, there is a need for commensurate safeguards to protect it.
  5. The Office of the Privacy Commissioner of Canada (OPC) has periodically conducted reviews of FINTRAC’s measures to protect personal information since the requirement came into force in 2007.Footnote 5 The present review specifically examined whether FINTRAC has appropriate controls in place to protect the personal information it collects, which resides on Shared Services Canada (SSC)’s Information Technology (IT) infrastructure,Footnote 6 and whether FINTRAC protects its personal information holdings in accordance with the Act and relevant TBS policies and directives.Footnote 7 The review was initiated in 2023 and took into account two incidents that were reported to the OPC in February and March 2024 (details to follow in the section below).
  6. This review also assessed FINTRAC’s progress with respect to the implementation of measures flowing from recommendations made in the previous OPC biennial reports. These observations provided the foundation for our assessment of the safeguards FINTRAC currently has in place.

What’s new since the last biennial review

Incidents

  1. During our engagement, FINTRAC reported two incidents to the OPC; while these are outside the scope of the present review, they are contextually relevant.
  2. The first incident, reported in February 2024, related to the unauthorized disclosure of personal information by a FINTRAC employee. This incident underscored the importance of data security and safeguarding of personal information against all types of risks.
  3. On March 5, 2024, FINTRAC reported a second incident to the OPC, which, as a precautionary measure, required FINTRAC to take several of its corporate systems offline to ensure their integrity and to protect the information it maintains.Footnote 8 FINTRAC reported publicly that, following extensive forensic analysis and due diligence, it found no evidence that information was lost or that data was removed through the cyber incident.Footnote 9 FINTRAC worked with relevant partners, including the Canadian Centre for Cyber Security (CCCS) and SSC, to contain, investigate and mitigate the impact of the incident, to ensure that affected environments were isolated, and that the right security precautions and measures were in place to protect data.
  4. FINTRAC has continued to be engaged with the OPC in relation to the cyber incident and, at the time of writing of this report, continues its work to resume its full operations.Footnote 10 While the present review did not assess the cyber incident, nor FINTRAC’s post-incident recovery activities, we acknowledge FINTRAC’s ongoing efforts related to the restoration of its operational capabilities, its decision not to rebuild or restore outdated systems, and its accelerated move of legacy systems to the Cloud.
  5. Following the cyber incident, FINTRAC provided the OPC with its updated Recovery and Modernization Strategy and committed to submit quarterly updates on its progress to implement the recommendations made for business recovery.
  6. It is our intention to review the sufficiency of the controls and measures implemented by FINTRAC to mitigate against the recurrence of similar incidents during future reviews.

Legislative Amendments

  1. There have been significant amendments to the PCMLTFA since the OPC’s last review. Some of these changes are already in force, and others are scheduled to come into force before the OPC’s next review cycle. While these amendments are not directly relevant to this review, they highlight the importance of FINTRAC discharging its mandate in a privacy-protective manner, given that they expand upon FINTRAC’s already extensive authority to collect, use, and disclose information, including personal information, by:
    • Extending the application of the PCMLTFA to new entities;Footnote 11
    • Increasing information-sharing under the PCMLTFA among reporting entities subject to that Act;Footnote 12 and
    • Creating new obligations for covered entities to collect, use, and disclose information.Footnote 13
  2. FINTRAC informed us that these changes and the related expanded collection of information are covered by its existing processes and controls and that, therefore, it did not assess the need to change the security controls it has in place. The OPC accepts FINTRAC’s determination in this regard.

What we found

Summary

  1. The present review assessed FINTRAC’s progress with respect to the implementation of the recommendations made in the OPC’s 2021 report. We are satisfied that FINTRAC has addressed two of those five recommendations,Footnote 14 the details of which can be found at Annex A.
  2. Nevertheless, this report highlights outstanding gaps regarding FINTRAC’s implementation of the three other recommendations made in the previous review relating to: i) the disposal of Electronic Funds Transfer Reports (EFTRs) and Large Cash Transaction Reports (LCTRs) that are below the reporting threshold (a concern first raised by the OPC in 2009); ii) IT security controls (including the monitoring of activity logs to detect and respond to inappropriate or malicious insider activity); and iii) FINTRAC’s Business Continuity Plan (BCP) (implementation of measures to ensure the continued protection of personal information holdings in the event of a business disruption).
  3. With respect to the OPC’s findings in the current review, we concluded that FINTRAC has made progress to enhance and improve privacy protections since the last biennial review. However, we made several observations and identified some shortcomings that require FINTRAC to take certain measures in relation to its i) move to the Cloud; ii) automation and artificial intelligence initiatives; and iii) security assessments.
  4. In light of the foregoing, this report makes nine recommendations to FINTRAC, and one recommendation to SSC. A summary of these recommendations is at Annex B. As noted earlier, both organizations have accepted the recommendations.

Previous Findings

Disposal of Electronic Funds Transfer Reports (EFTRs) and Large Cash Transaction Reports (LCTRs) Below the Reporting Threshold

  1. In its 2017 review, the OPC noted that FINTRAC continued to receive and retain personal information that did not meet reporting thresholds set out in the PCMLTFA. This issue was first raised by the OPC in its inaugural 2009 review, where there was a recommendation for FINTRAC to permanently delete from its holdings all information that it did not have the statutory authority to receive.Footnote 15
  2. In its subsequent reviews, the OPC continued to raise this question, especially since the PCMLTFA now requires the destruction of information that does not meet reporting thresholds when FINTRAC determines, in the normal course of its activities, that the report was not required.Footnote 16
  3. In its 2021 report, the OPC found that FINTRAC had not meaningfully addressed the 2017 recommendation regarding disposal of EFTRs and LCTRs, and highlighted FINTRAC’s silence regarding whether the reports had been destroyed. The OPC recommended that FINTRAC carefully review again the 2017 recommendation and take steps to fully implement it within 12 months.Footnote 17 FINTRAC accepted this recommendation “in principle.”Footnote 18 In the 2021 report, we therefore expressed concern about FINTRAC’s lack of commitment to follow through on the OPC’s recommendation.
  4. In this review, we assessed once again FINTRAC’s progress against the same recommendation – its disposal of EFTRs and LCTRs that are below the monetary thresholds for reporting and that do not fall under the 24-hour rule.Footnote 19
  5. FINTRAC reported that it has allocated resources to complete a self-audit, to analyze all existing holdings and delete below-threshold reports. In 2024 as part of the present review, FINTRAC reported that there is still approximately 10 years of existing data that requires review for below-threshold reporting, which represents approximately 400 million reports.Footnote 20 FINTRAC initially anticipated completion of this exercise by the end of March 2025; however, the March cyber incident impacted its efforts significantly. In fact, in September 2024, FINTRAC reported that this exercise is not on track to be completed as planned but that it will be considered a priority following its recovery from the March incident. FINTRAC informed us that capacity will be dedicated to review its existing holdings as soon as it has resumed full operations, most likely in fiscal year 2025-2026.
  6. FINTRAC submitted that the modernization of its reporting forms will resolve the issue of receiving below threshold reports from reporting entities.Footnote 21 FINTRAC noted that the multi-year initiative to implement changes to its reporting forms (and related guidance) resulted in the introduction of the new second generation (Gen 2.0) form designs which will mitigate below-threshold reporting for future reports through new rules and guidance.Footnote 22 FINTRAC confirmed that it completed the implementation of the Gen 2.0 forms – we acknowledge FINTRAC’s efforts in this regard.
  7. FINTRAC reported that it is also adopting new tools and technologies, including logic-driven, Cloud-based applications capable of processing all data records to identify below-threshold reports.
  8. FINTRAC also indicated that it continues to delete reports identified in the normal course of business that are more than 10 years old and for which retention is no longer required. However, FINTRAC also reported that the March cyber incident impacted its disposal practices. FINTRAC’s ‘Reports Disposition System’ (RDS) – a system that performed automated disposition on a monthly basis for reports received that had reached their 10-year anniversaryFootnote 23 – is currently disabled, with no timeline for its resumption.
  9. While we found that FINTRAC made efforts to address the OPC’s previous recommendation, we note that it has not yet completed the review and disposal of EFTRs and LCTRs that do not meet reporting thresholds. Additionally, our review found that since the March cyber incident, FINTRAC is not proactively disposing of information that is over 10 years old. Over-retention of personal information carries a variety of risks, including legal, financial and reputational risks to both individuals and FINTRAC itself, especially in the event of a breach.
  10. In light of the above, we find that the OPC’s recommendation remains unaddressed. We therefore make the following three recommendations:

    Recommendation 1: that FINTRAC complete the analysis of its existing holdings and develop a plan to prioritize the disposal of below-threshold reports. FINTRAC should provide the OPC, by the end of March 2025, an action plan, including key milestones and dates to complete this exercise.

    Recommendation 2: that FINTRAC securely reinstate its automated disposal activities to ensure that it remains compliant with the 15-year disposal requirements under the PCMLTFA.Footnote 24

    Recommendation 3: that FINTRAC monitor and evaluate the effectiveness of the Gen 2.0 forms with respect to eliminating the receipt of below-threshold reports. If required, FINTRAC should develop and implement a permanent process to identify and dispose of below-threshold reports in a timely manner.
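As an added illustration (not FINTRAC’s code, and not a description of its RDS or Gen 2.0 logic), the Python below models the two disposal checks discussed above: identifying below-threshold LCTRs/EFTRs while honouring the 24-hour aggregation rule, and flagging reports that have reached their retention anniversary. The threshold amount, the grouping of transactions by a single conductor, and the sample reports are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# ASSUMPTION: the prescribed reporting threshold is not stated on the page;
# the amount here is a parameter of the example, not a quote from the report.
REPORTING_THRESHOLD_CAD = 10_000.00
# The report describes FINTRAC's RDS as disposing of reports at their 10-year anniversary.
RETENTION_YEARS = 10
TWENTY_FOUR_HOURS = timedelta(hours=24)


@dataclass(frozen=True)
class Report:
    report_id: str
    report_type: str        # "LCTR" or "EFTR"
    conductor_id: str       # party the 24-hour rule aggregates under (simplification)
    amount_cad: float
    transacted_at: datetime
    received_at: datetime   # when FINTRAC received the report; drives retention


def _add_years(when: datetime, years: int) -> datetime:
    """Anniversary date; a Feb 29 receipt rolls to Feb 28 in a non-leap year."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)


def covered_by_24_hour_rule(report: Report, reports: List[Report]) -> bool:
    """True if 'report' lies inside some 24-consecutive-hour window in which
    same-type transactions for the same conductor total at least the threshold."""
    peers = sorted(
        (r for r in reports
         if r.report_type == report.report_type
         and r.conductor_id == report.conductor_id),
        key=lambda r: r.transacted_at,
    )
    for start in peers:  # every window that opens at one of the conductor's transactions
        window_end = start.transacted_at + TWENTY_FOUR_HOURS
        in_window = [r for r in peers if start.transacted_at <= r.transacted_at <= window_end]
        if report in in_window and sum(r.amount_cad for r in in_window) >= REPORTING_THRESHOLD_CAD:
            return True
    return False


def is_below_threshold(report: Report, reports: List[Report]) -> bool:
    """A report the institution had no authority to receive: under the
    single-transaction threshold and not captured by the 24-hour rule."""
    if report.amount_cad >= REPORTING_THRESHOLD_CAD:
        return False
    return not covered_by_24_hour_rule(report, reports)


def retention_expired(report: Report, as_of: datetime) -> bool:
    """True once the report has reached its retention anniversary."""
    return as_of >= _add_years(report.received_at, RETENTION_YEARS)


def triage_holdings(reports: List[Report], as_of: datetime) -> Dict[str, List[str]]:
    """Sort holdings into disposal queues. Below-threshold reports are queued
    regardless of age; the rest are queued only at their anniversary."""
    buckets: Dict[str, List[str]] = {"below_threshold": [], "retention_expired": [], "retain": []}
    for r in reports:
        if is_below_threshold(r, reports):
            buckets["below_threshold"].append(r.report_id)
        elif retention_expired(r, as_of):
            buckets["retention_expired"].append(r.report_id)
        else:
            buckets["retain"].append(r.report_id)
    return buckets


def _dt(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample holdings (not real FINTRAC data).
SAMPLE_REPORTS = [
    Report("R1", "LCTR", "C1", 12_500.00, _dt("2013-01-14 10:00"), _dt("2013-01-15 09:00")),
    Report("R2", "LCTR", "C2",  8_000.00, _dt("2020-03-02 15:30"), _dt("2020-03-03 08:00")),
    Report("R3", "LCTR", "C3",  6_000.00, _dt("2022-05-02 09:00"), _dt("2022-05-03 08:00")),
    Report("R4", "LCTR", "C3",  4_500.00, _dt("2022-05-02 19:00"), _dt("2022-05-03 08:00")),
    Report("R5", "EFTR", "C3",  9_990.00, _dt("2021-11-20 11:00"), _dt("2021-11-21 08:00")),
    Report("R6", "LCTR", "C4",  5_000.00, _dt("2022-06-01 09:00"), _dt("2022-06-02 08:00")),
    Report("R7", "LCTR", "C4",  5_000.00, _dt("2022-06-02 12:00"), _dt("2022-06-03 08:00")),
]
AS_OF = _dt("2024-09-01 00:00")

if __name__ == "__main__":
    for bucket, ids in triage_holdings(SAMPLE_REPORTS, AS_OF).items():
        print(f"{bucket}: {ids}")
```

R3 and R4 stay because together they exceed the threshold within 24 hours, while R6 and R7 (27 hours apart) do not aggregate and are both below-threshold; R5 is not aggregated with C3’s LCTRs because it is a different report type.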

IT Security Controls

  1. FINTRAC’s Directive on IT Security defines the requirements for how it will achieve the base IT security control objectives, as required by the TBS Directive on Security Management. Key objectives include protecting IT systems from unauthorized use and compromise, continual monitoring of threats and vulnerabilities, detecting malicious activity and unauthorized access, and having IT system audit logs to monitor, analyze and investigate for user accountability. FINTRAC relies on the mandatory procedures for IT security controlFootnote 25 to achieve these objectives.
  2. In light of previous OPC findings and information received from FINTRAC, this review focused on FINTRAC’s security assessment and authorization (SA&A) processes, and information system audit management measures (monitoring system logs).

IT Security Assessment and Authorization

  1. IT security SA&A processes ensure that an institution only implements in its IT environment authorized software and hardware, for which it has accepted the residual risk. Evaluating security practices and controls and the acceptance and authorization of related security risk(s) – known as the “Authority to Operate” (ATO) – are ongoing processes and a requirement under the Policy on Government Security.Footnote 26
  2. The OPC’s 2021 report raised questions about the accreditation of the IT infrastructure over which FINTRAC’s data flows, as well as the ongoing reliance on an “interim” ATOFootnote 27 for the Managed File Transfer Service (MFTS) – an SSC solution that FINTRAC (and other federal institutions) use to transfer certain information between institutions. We noted that the interim ATO had been renewed by SSC for more than five years and encouraged SSC to put in place a non-interim ATO on a priority basis. The prolonged use of interim ATOs could result in an institution assuming security risks beyond levels deemed acceptable.
  3. Our present review found that a (non-interim) ATO for the MFTS was completed and implemented since the last biennial review. The updated ATO was signed in June 2022 and a copy was shared with the OPC. The ATO indicates that SSC assessed and accepted the level of risk associated with the MFTS, subject to specific terms and conditions to be met for the MFTS service.Footnote 28 To ensure compliance, the authorization was to be tracked by SSC throughout the service’s lifecycle.
  4. In an update to the OPC, SSC advised that it had met all the conditions outlined in the non-interim ATO described above. Therefore, SSC has initiated a new ATO, which at the time of writing of this report was in the final stages of approval within SSC.
  5. We are satisfied that SSC’s implementation of this (non-interim) ATO addresses the OPC’s previous concerns. We expect that SSC will take the steps necessary to verify that the ATO continues to be valid, and in compliance with the ATO conditions and terms.
  6. In the current review, we sought assurance from FINTRAC that SA&A processes were being conducted in accordance with a formal process and in compliance with the Policy on Government Security, and the Directive on Security Management and its mandatory procedures. FINTRAC shared the list of approximately 60 SA&A documents that it finalized since the OPC’s last biennial review (e.g., the Security Assessment Statement (SAS) and Threat and Risk Assessment (TRA) for FINTRAC’s cloud tenant, the SAS for Microsoft Teams, and the SAS for the SIEM solution).
  7. We found that FINTRAC makes use of interim ATOs in specific and limited circumstances (e.g., while there are ongoing or planned mitigation activities) and sets the interim period to allow completion of these activities (e.g., six months). At the time of writing this report, FINTRAC had seven interim ATOs in place, and procedures to track them. These procedures include conducting a review of the ATO at the end of the interim period to determine whether the mitigations were implemented, assessing the remaining residual risk, and identifying any associated actions.
  8. Generally speaking, we found that FINTRAC assesses the residual risk(s) associated with its IT projects and solutions and documents its decision to accept these risk(s) through signed “security assessment statements”, in line with TBS requirements and FINTRAC’s own Standard on Security Assessment and Authorization.Footnote 29 FINTRAC’s approach to evaluating and mitigating risks through SA&A processes, and its ongoing evaluation and acceptance of the risks identified through these processes is satisfactory.
  9. However, in line with the observations we previously made to SSC, we note that the use of interim ATOs may result in an institution assuming security risks beyond levels deemed acceptable. We therefore encourage FINTRAC to ensure that it properly assesses the requirement to use a service/solution and that the benefits gained justify the risks to be taken.

Information System Audit Management: Monitoring Activity Logs

  1. To ensure an effective security posture, the Directive on Security Management requires institutions to create, protect and retain information system audit logs and records to enable monitoring, reporting, analysis, investigation and the implementation of corrective actions.
  2. The monitoring of activity logs was a key issue highlighted by the OPC in 2017, and again in 2021, when we recommended that FINTRAC implement comprehensive measures to enable user activities to be authoritatively audited, to monitor the acceptable use of government information systems, and to act on potential instances of unacceptable use to ensure users are accountable for their activities.Footnote 30
  3. Federal institutions are obligated to authoritatively monitor their audit logs to detect and mitigate against external and insider threats. FINTRAC accomplishes these activities through its Vulnerability Assessment and Management Program (VAMP) for IT – under this program, FINTRAC periodically assesses and monitors system security controls to ensure the continued effectiveness of the controls in place.Footnote 31
  4. Since the 2021 review, FINTRAC procured, onboarded and configured a solution to run in its IT environment: the Security Information and Event Management (SIEM). The SIEM solution combines threat detection, monitoring and remediation with log management, and is designed to increase FINTRAC’s ability to detect and respond to inappropriate or malicious activity.
  5. We find that the SIEM is an improvement over FINTRAC’s former centralized logging system as it offers more sophisticated capabilities to correlate and aggregate event logs, which is key to enhancing FINTRAC’s threat detection and incident response processes. To optimize the SIEM’s added value, FINTRAC will need to ensure that it is configured with the most appropriate functionalities to meet FINTRAC’s needs, and that it easily integrates with other security tools that FINTRAC already has.
  6. During the review, FINTRAC shared information with the OPC regarding the ongoing work required to optimize its use of the SIEM tool. These activities have included identifying applications that are not capable of sending logs to the SIEM, adjusting applications so that the proper logs are collected and sent, completing the steps required to bring Cloud logs to the SIEM, assigning relevant resources to collaborate and develop response procedures, and optimizing the tool on an ongoing basis (e.g., education for SIEM engineers on the tool’s features).
  7. In addition, FINTRAC reported that SSC (which has ownership and administrative control over all servers in the FINTRAC datacentre) denied FINTRAC access to some logs under its controlFootnote 32 – a key data source that could feed the SIEM and be correlated with other data sources to enhance its ability to identify threats. FINTRAC reported that it escalated this issue with SSC and, at the time of writing of this report, was actively working to integrate those logs with its monitoring system.
  8. We acknowledge that FINTRAC has improved its monitoring practices as a result of its implementation of the SIEM. We underscore the importance of the effective deployment of the SIEM solution in order for FINTRAC to fully take advantage of its capabilities and features. We therefore make the following recommendations:

    Recommendation 4: that FINTRAC take the necessary steps to (i) optimize its use of the capabilities of the SIEM tool, and (ii) identify and address outstanding gaps with logging and enhance its ability to identify suspicious activities, including insider threats.

    Recommendation to SSC: that SSC enable FINTRAC’s access to the logs associated with infrastructure it relies on to support FINTRAC’s efforts to identify and mitigate threats.

  9. In response to this recommendation, SSC advised that it is in the process of enabling log access to FINTRAC. The OPC acknowledges SSC’s efforts and considers this issue resolved.

Business Continuity Management: Personal Information Protection

  1. In 2021, the OPC raised questions regarding FINTRAC’s Business Continuity Plan (BCP). We found that it consisted mainly of staff evacuation procedures and lacked measures to ensure continued protection of personal information if FINTRAC’s operations were disrupted by a disaster or an emergency. Given the critical nature of FINTRAC’s personal information holdings to its operational activities and the legal obligation to protect them, we had recommended that FINTRAC update its BCP within 6 months of the issuance of that report and include measures to address its personal information holdings. FINTRAC accepted the OPC’s recommendation and shared the steps that it had taken and would take to implement this recommendation.Footnote 33
  2. During the present review, FINTRAC reported that it updated its BCP to address the protection of personal information and the OPC’s 2021 recommendation. Further, it made amendments to the BCP templateFootnote 34 and engaged each sector to ensure that their personal information holdings were incorporated into their BCPs. The OPC reviewed FINTRAC’s amended BCP against the requirements of the Directive on Security Management.Footnote 35 We acknowledge the updates that FINTRAC made to the BCP and note that it captures all six required procedures (business continuity practices, business impact analysis, continuity measures and arrangements, awareness and training, testing and exercises, and monitoring and corrective actions).
  3. We also acknowledge that the BCP contains a brief section entitled “Protection of Information” which states that, “despite interruption to business, all privacy and security of information safeguards remain in place.” While this may apply to physical disruptions (e.g., a building evacuation), we are still unable to reconcile how this applies to digital or cyber disruptions. Based on the assumptions made in the BCP, these types of disruptions fall outside the scope of the BCP.Footnote 36
  4. We note that the BCP, while having been updated, seems to focus on disruptions that relate to offices and staff availability. While we understand that no single plan can account for all eventualities, we find that the assumptions in the BCP do not adequately account for all service disruptions that may impact personal information holdings.
  5. In order to effectively plan for a comprehensive range of service interruptions, and to protect personal information that is under FINTRAC’s control, the BCP should consider additional event types that affect the use or access to IT networks or telecommunications systems. This includes incidents that could impact FINTRAC’s data availability and operational continuity, which could become a compliance issue with respect to FINTRAC’s legal obligations (e.g., retention and disposal of information).
  6. We therefore find that FINTRAC’s BCP does not yet sufficiently address the protection of its personal information holdings nor our 2021 recommendation. We therefore make the following recommendation:

    Recommendation 5: that FINTRAC revisit its BCP to ensure that it includes a full range of service interruptions, including disruptions to IT and telecommunications systems, and measures to ensure the continued protection of FINTRAC’s personal information holdings and compliance with legal obligations.

Observations and Recommendations on Safeguards Flowing from the Current Review

Move to the Cloud

  1. During the present review, we noted FINTRAC’s continued advancement toward the adoption of cloud and advanced technologies, which formed part of its “Digital Strategy” (launched in 2022-23).
  2. FINTRAC’s move to the cloud aligns with the Government of Canada (GC) strategy for the adoption of cloud services, which has evolved from a ‘cloud first’ adoption strategy in 2018 to the principle of a ‘cloud smart’ strategy in 2023. [Footnote 37]
  3. The GC’s decision to move to cloud-based solutions represents a fundamental shift in the delivery of IT services. Policies and tools to support organizations, along with processes and best practices to guide them in implementing these changes, continue to grow and evolve.
  4. As organizations migrate to the cloud, the complexity of maintaining security measures increases, particularly in light of shared responsibility models. Organizations have reduced control over their information assets, which could elevate risks for data and privacy protection. Indeed, organizations must recognize that cloud service providers could be targeted as a result of the information assets they hold. Consequently, institutions must take steps to ensure that their security posture [Footnote 38] is not degraded, as they remain accountable for protecting the confidentiality, integrity and availability of IT services and information.
  5. In order for the GC, including FINTRAC, to use Protected B cloud services [Footnote 39] securely and responsibly, there must be an underlying operationalization framework of thirteen (13) minimum cyber security controls and architecture requirements. These thirteen preliminary baseline cyber security controls are known as the Government of Canada Cloud Guardrails.
  6. The OPC reviewed the Threat and Risk Assessment (TRA) for the FINTRAC Cloud Service Provider (CSP), as well as the infrastructure and security controls [Footnote 40] that allow for Protected B processing in the cloud environment. FINTRAC reported that its Protected B cloud tenant account was assessed against the GC cloud guardrails and validated by SSC’s Cloud Services Directorate in March 2021.
  7. We noted that the GC Cloud Guardrails (specifically, guardrail 13) require a plan for continuity of access and service – an “exit strategy” – that accommodates both expected and unexpected events. [Footnote 41] An exit strategy would assist in minimizing disruptions, maintaining data integrity, and transitioning effectively from one cloud provider to another, or from the cloud to an on-premises solution, if needed. [Footnote 42]
  8. FINTRAC reported that it does not have a formalized exit strategy (its Directive on IT Security does not address one at the policy level); however, it indicated that this gap is mitigated through system-specific security requirements for its cloud-based systems (e.g., for its HR services, FINTRAC has ensured that procedures for the recovery of data are established).
  9. While FINTRAC reported that it has measures in place to address recovery requirements, we are not satisfied that this approach is sufficient to meet the requirements of the GC cloud guardrails. We therefore make the following recommendation:

    Recommendation 6: that FINTRAC develop a formalized cloud exit strategy to ensure business continuity and manage risks, in line with the principles of the Cloud Adoption Strategy and relevant GC Direction requirements.

  10. As a final note, the OPC recognizes that there is a significant demand for skills and talent in cloud technologies, which poses challenges for government institutions. This demonstrates the critical need for departments such as FINTRAC, which have accelerated their move to the cloud, to invest in reskilling, hiring and retaining resources. This will help to sustain the delivery of services, to create modernization capacity, and to enhance future incident response capabilities.

Modernization: Automation and Artificial Intelligence

  1. During the present review, we noted that FINTRAC has advanced a modernization initiative. FINTRAC is focused on moving forward with organization-wide digital automation, analytics and the use of artificial intelligence (AI) through the development of its own AI tools. According to FINTRAC, its focus on modernization will allow the Centre to do the following in real time: identify, assess and communicate risk; support and respond to businesses; receive reporting from businesses; conduct its analysis; and generate valuable financial intelligence for law enforcement and national security agencies. [Footnote 43]
  2. The G7 data protection and privacy authorities (DPAs) have adopted statements on AI at the annual Roundtables in 2023 and 2024. These statements highlighted areas of concern where privacy and data protection risks may arise within the context of generative AI tools, including (i) legal authority for the processing of personal information (e.g., in relation to the datasets used to train, validate and test generative AI tools), (ii) security safeguards (e.g., to protect against unlawful scraping of personal information used to train AI algorithms), (iii) mitigation and monitoring measures (e.g., to ensure personal information generated is accurate, complete and up-to-date), (iv) transparency and accountability measures, (v) technical and organizational measures, and (vi) limiting collection of personal data.
  3. The OPC and other provincial and territorial privacy commissioners have also identified considerations for the application of key privacy principles for responsible, trustworthy and privacy protective generative AI technologies.
  4. Our review did not focus on FINTRAC’s use of automation or AI tools to support its operations. However, we take this opportunity to remind FINTRAC of its obligation to ensure that any collection, use or disclosure of personal information involving generative AI systems complies with the Privacy Act and applicable guidance.

Security Assessments

  1. In accordance with the TBS Directive on Security Management, [Footnote 44] FINTRAC must implement measures to protect its information systems, their components and the information that they process and transmit against attacks that leverage vulnerabilities. The CCCS has noted that the cyber threat landscape continues to evolve, and that institutions must continuously reassess risks and review security efforts to address gaps and weaknesses.
  2. Our review found that FINTRAC takes steps to mitigate risks through regular vulnerability assessments, audits and maintenance activities meant to ensure that the security configurations in place are sufficient.
  3. Following the OPC’s last review, FINTRAC contracted a third party to conduct an independent review of its security posture and the effectiveness of its security controls against compromise. This assessment included a phishing exercise [Footnote 45] and a penetration testing exercise. [Footnote 46] Our review considered the key findings from these exercises, as well as the mitigations and recommendations that were proposed.
  4. FINTRAC reported that the phishing exercise was effective in measuring user response and raising awareness internally. To sustain this activity, FINTRAC reported that it has established a phishing program to test user responses and to promote security awareness on an ongoing basis but noted that a planned schedule for exercises has not yet been established. It added that future exercises will be targeted and more sophisticated to measure not only the response but also the effectiveness of controls. FINTRAC noted that security awareness for all employees will be its first focus, which it will achieve through a partnership with a private sector security vendor.
  5. FINTRAC reported that its recent penetration testing exercise identified five main issues (and related gaps). It reported to the OPC on the mitigations recommended by the third party that conducted the exercise to strengthen the controls in place. We noted that while the majority of those recommendations had been implemented, several planned activities had not yet been actioned. At the time of writing this report, FINTRAC reported that another penetration testing engagement was ongoing for its cloud reporting systems, but that it has no planned schedule of regular future exercises.
  6. It is the OPC’s expectation that institutions that protect significant volumes of sensitive personal information, such as FINTRAC, would conduct regular internal and external security assessments and penetration testing to evaluate systems and applications for vulnerabilities, and to provide adequate assurance of the effectiveness of safeguards. [Footnote 47]
  7. In addition to the mitigations FINTRAC has implemented, and consistent with previous OPC recommendations in other investigations [Footnote 48] and internationally recognized standards and accepted norms, [Footnote 49] we recommend the following:

    Recommendation 7: that FINTRAC address the outstanding gaps identified following the phishing and penetration testing exercises by completing the mitigation activities recommended.

    Recommendation 8: that FINTRAC conduct a comprehensive internal assessment of the security of its systems annually, and at least every two years, a comprehensive external (i.e., independent) security assessment.

    Recommendation 9: that FINTRAC conduct regular penetration testing, including annual comprehensive external (i.e., independent) penetration testing.

Technology Expertise

  1. The OPC’s observations in this section relate to FINTRAC; however, they apply equally to all federal government institutions and private sector organizations.
  2. During our review, we observed that technology advancements at FINTRAC (e.g., use of tools such as the SIEM), its accelerated move to a cloud environment, and its modernization initiatives (including advancing organization-wide digital automation, analytics and AI) reflect the growing need for in-house ‘tech talent’. The expertise and knowledge needed to serve these initiatives and functions throughout their lifecycle require reskilling, upskilling [Footnote 50] and potentially hiring new resources.
  3. There is therefore a need for FINTRAC to invest in workforce development to enhance and strengthen its security posture. This is essential to sustain the delivery of its services, to create modernization capacity, and to enhance future incident response capabilities. FINTRAC’s workforce has a significant role in supporting its IT security strategy, including the implementation, testing and maintenance of security controls.
  4. In light of the foregoing, we encourage FINTRAC to continue to ensure that the requisite skills and capacity exist to support its modernization efforts.

Conclusion

  1. Our review revealed that FINTRAC has made efforts in relation to its implementation of our previously issued recommendations to address protection-related deficiencies, and more broadly, to strengthen its security safeguards to protect its personal information holdings. This includes: 1) measures to avoid the unnecessary collection of personal information, including below-threshold reports; 2) enhancements to its threat detection and incident response processes, including through the onboarding of a SIEM solution; and 3) improvements to its Business Continuity Plan.
  2. We find that there is still outstanding work required for FINTRAC to fully address all of the OPC’s previous findings, including with respect to FINTRAC’s retention of personal information that it does not have the statutory authority to receive.
  3. We expect FINTRAC to continuously review its measures and implement safeguards to mitigate any outstanding and new privacy risks, particularly following the March 2024 cyber incident. The expectations outlined in this report are based on TBS requirements and guidance, [Footnote 51] and the underlying IT security risk management activities that should be undertaken by institutions to strike the proper balance between the implementation of security controls and acceptable levels of residual risk.
  4. Institutions such as FINTRAC that protect significant volumes of sensitive personal information should also conduct regular internal and external security assessments and penetration testing to evaluate their systems and applications for vulnerabilities, and to provide adequate assurance of the effectiveness of safeguards.
  5. In the context of FINTRAC’s modernization efforts – including its increased cloud presence and use of automation and AI – the importance of commensurate and evolving security and privacy controls becomes even more relevant.
  6. Our review also revealed that FINTRAC’s technology advancements reflect the growing need for in-house expertise and knowledge to serve these new functions and initiatives throughout their lifecycle. This demonstrates how critical it is for departments that have accelerated their modernization efforts to invest in reskilling, hiring and retaining resources. This will help to sustain the delivery of services, to create modernization capacity, and to enhance future incident response capabilities.
  7. Overall, we note that FINTRAC demonstrated a high level of collaboration and transparency in the current review. We expect its ongoing commitment to safeguard its data holdings to ensure the protection of Canadians’ privacy.

Annex A: FINTRAC’s Satisfactory Implementation of Previous Recommendations

2021 Findings and Recommendations Assessment

1. Manually review and delete Terrorist Property Reports (TPRs) not meeting reporting thresholds:

The OPC has consistently raised concerns regarding FINTRAC holding reports received based on ‘possible’ matches to terrorist listings. In 2017, FINTRAC accepted the OPC’s recommendation to manually review all TPRs, and immediately dispose of those which are identified as not meeting reporting thresholds.

In 2021, FINTRAC confirmed that each of the 48 TPRs received over the previous 4 years had been manually reviewed, and that none met the threshold for destruction. However, it did not address the existence of previously received reports within FINTRAC’s holdings based on “possible matches” to terrorist listings (as described in the 2017 report). The OPC noted that this was at odds with FINTRAC’s express commitment in 2017 to review all TPRs in its holdings and dispose of those where a terrorist affiliation is no longer suspected to exist. The OPC was concerned by this lack of follow-through by FINTRAC on its express commitment and did not see this as fulfilling or being responsive to our recommendation.

Satisfactory

FINTRAC confirmed that it has manually reviewed all TPRs in its holdings to ensure they meet the legal threshold. Further, FINTRAC reported that it manually reviews all TPRs upon receipt to ensure they comply with the PCMLTFA. FINTRAC also advised that all TPRs received since the last review have met the threshold to be received and retained (for a minimum of 10 years).

2. Avoid collection of unnecessary personal information in the course of compliance exercises (and dispose of it where received):

In addition to its financial intelligence mandate, FINTRAC’s function includes ensuring that reporting entities comply with their obligations under the PCMLTFA and its Regulations. This function implicates personal information held by the reporting entities for their own business and regulatory purposes.

In 2017, the OPC made recommendations to FINTRAC to address concerns that its compliance program (to ensure reporting entities meet their obligations under the PCMLTFA), was collecting and retaining unnecessary personal information. FINTRAC accepted those recommendations and shared the actions it took to address the OPC’s concerns. However, the 2021 review identified one outstanding issue: FINTRAC had provided no indication that unnecessary personal information had been purged from other pre-existing compliance files (only those related to examinations conducted on the banking sector in Toronto). FINTRAC also provided no timeline for the implementation of several ‘planned actions’ it noted in response to the OPC’s recommendation.

The OPC reiterated its recommendation that FINTRAC dispose of personal information in its pre-existing compliance examination files from 2017 and prior that was not needed to support deficiencies. The OPC also expressed its concern with FINTRAC’s lack of commitment to follow-through on this recommendation.

Satisfactory

In March 2023, FINTRAC disposed of documents held in non-bank compliance examinations from 2017 and prior, as well as bank compliance examinations from 2017 and prior.

FINTRAC also reported on the actions it took in response to the OPC’s recommendation: (i) a validation exercise of a select sample of examination files was undertaken in December 2021 (the final report was shared internally in January 2023); (ii) as a result of the validation exercise, FINTRAC updated its training materials and aligned its Standard Operating Procedures with OPC guidance and principles; (iii) two internal quality assurance reviews were completed to determine whether client information was kept properly and to assess adherence to internal policies and procedures in relation to data minimization and purging exercises (i.e., purging of data from examination files that was not needed to support the citation of deficiencies); (iv) an automated bulk purge of certain document types was completed; [Footnote 52] (v) a list of two-year review documents subject to manual review for disposal was created; (vi) an annual quality assurance review program has been implemented to continually assess adherence to policies and procedures relating to purging data from examination files.

Update from FINTRAC:

Front end screening to ensure reports retained by FINTRAC meet reporting thresholds:

In 2021, the OPC was satisfied with FINTRAC’s actions to continue its efforts to implement robust and comprehensive front-end screening for incoming submissions to ensure the reports it retains meet legislative reporting thresholds and do not contain unnecessary and/or excessive personal information. FINTRAC advised that changes to reporting systems would be implemented in conjunction with pending changes to reporting forms.

FINTRAC reported on its staggered, multi-year process of developing and releasing new “Generation 2.0” forms for all types of reporting. These forms include indicators that should capture more over-reporting, and eliminate, as much as possible, the concerns related to collecting and retaining reports without authority by linking transactions, addressing challenges related to exchange rates and transactions values, and other measures to reduce human error and improve data quality.

Relatedly, FINTRAC has devoted significant effort to generating reference materials and educating reporting entities about the changes to the reporting process and how to use Generation 2.0 forms.

Annex B: Summary of the OPC’s Recommendations to FINTRAC and SSC

Recommendations to FINTRAC

Recommendation 1: that FINTRAC complete the analysis of its existing holdings and develop a plan to prioritize the disposal of below-threshold reports. FINTRAC should provide the OPC, by the end of March 2025, an action plan, including key milestones and dates to complete this exercise.

Recommendation 2: that FINTRAC securely reinstate its automated disposal activities to ensure that it remains compliant with the 15-year disposal requirements under the PCMLTFA.

Recommendation 3: that FINTRAC monitor and evaluate the effectiveness of the Gen 2.0 forms with respect to eliminating the receipt of below-threshold reports. If required, FINTRAC should develop and implement a permanent process to identify and dispose of below-threshold reports in a timely manner.

Recommendation 4: that FINTRAC take the necessary steps to (i) optimize its use of the capabilities of the SIEM tool, and (ii) identify and address outstanding gaps with logging and enhance its ability to identify suspicious activities, including insider threats.

Recommendation 5: that FINTRAC revisit its BCP to ensure that it includes a full range of service interruptions, including disruptions to IT and telecommunications systems, and measures to ensure the continued protection of FINTRAC’s personal information holdings and compliance with legal obligations.

Recommendation 6: that FINTRAC develop a formalized cloud exit strategy to ensure business continuity and manage risks, in line with the principles of the Cloud Adoption Strategy and relevant GC Direction requirements.

Recommendation 7: that FINTRAC address the outstanding gaps identified following the phishing and penetration testing exercises by completing the mitigation activities recommended.

Recommendation 8: that FINTRAC conduct a comprehensive internal assessment of the security of its systems annually, and at least every two years, a comprehensive external (i.e., independent) security assessment.

Recommendation 9: that FINTRAC conduct regular penetration testing, including annual comprehensive external (i.e., independent) penetration testing.

Recommendation to SSC

Recommendation 1: that SSC enable FINTRAC’s access to the logs associated with infrastructure it relies on to support FINTRAC’s efforts to identify and mitigate threats.
