Financial Transactions and Reports Analysis Centre of Canada

Section 37 of the Privacy Act
Section 72(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act

Final Report 2017

---

Main Points

What we examined

The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) created the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC or the Centre), and requires it to ensure that personal information under its control is protected from unauthorized disclosure. Sections 4 to 8 of the Privacy Act govern how federal institutions, including FINTRAC, can collect, use and retain personal information. The Office of the Privacy Commissioner of Canada (OPC) examined whether the policies, practices and processes FINTRAC has in place for managing the personal information it receives, collects, and retains comply with the Centre’s obligations under the PCMLTFA and the Privacy Act. Our review included an analysis of the amount and type of personal information FINTRAC collects directly from reporting entities when it monitors compliance with the reporting obligations imposed by the PCMLTFA.

We interviewed selected FINTRAC and Shared Services Canada (SSC) officials, reviewed pertinent documents, and analyzed a sample of transaction reports received by FINTRAC between April 2014 and July 2016. We also looked at a sample of compliance examination files compiled by FINTRAC between the period of April 2014 and March 2016. All examination activities were conducted in the National Capital Region.

Our review included an assessment of whether there are adequate technical safeguards in place to protect the personal information received, collected and retained by FINTRAC from inappropriate or unauthorized use and disclosure. Given that FINTRAC’s electronic data holdings reside on technical infrastructure now operated by SSC, we assessed the measures FINTRAC has taken to ensure that SSC has satisfactory information technology (IT) safeguards in place.

We also assessed the progress made by FINTRAC to address the observations and recommendations made in our 2013 audit report. We specifically examined how FINTRAC has addressed our observation that it received and retained personal information that did not meet legislated reporting thresholds set out in the PCMLTFA. This observation had also been made in our 2009 report. Both previous audit reports recommended that in order to mitigate that risk, FINTRAC should screen incoming reports before they enter the database so that such information is identified and destroyed at the earliest stage possible.

We did not review FINTRAC’s disclosure of personal information to regime partners, such as police services, the Canadian Security Intelligence Service (CSIS), the Canada Border Services Agency (CBSA) the Canada Revenue Agency (CRA), and provincial and territorial securities commissions. The Centre’s handling of personal information about its employees and the personal information handling practices of entities reporting to FINTRAC were also out of scope.

Why it is important

According to FINTRAC’s 2015-2016 Annual Report, financial transaction reporting has increased by 63 percent over the past five years, with the Centre receiving nearly 24 million reports in the past fiscal year alone. As of March 31, 2016, there were approximately 212 million reports containing personal information in FINTRAC’s databases.

Reports are submitted by reporting entities without the knowledge or consent of the individuals concerned^{Footnote 1}, and are retained in FINTRAC databases for a minimum of 10 years. These records contain sensitive financial and other personal information, and a breach could potentially have serious implications for the individuals involved. The receipt of reports that do not meet legal thresholds and the lengthy retention period for these reports increases the risk of unwarranted scrutiny of law abiding individuals by FINTRAC. Additionally, the personal information in FINTRAC’s data holdings (other than Cross Border Currency Reports) is not accessible under Privacy Act requests, and individuals have no ability to check records or ask for corrections.^{Footnote 2}

These factors heighten the need for FINTRAC to be diligent in ensuring it retains only the information it is legislatively entitled to possess, that the information it retains is as accurate as possible, and that such information is protected against inappropriate use and/or disclosure with safeguards commensurate to its sensitivity.

What we found

We concluded during this audit that the Centre has made significant efforts to enhance its personal information handling practices, resulting in improvements to privacy protections. However, we found issues related to the monitoring of internal user activity and the assignment of IT security roles and responsibilities that are now shared between SSC and FINTRAC. We also found that FINTRAC continues to receive and retain personal information that does not meet legal reporting thresholds.

In addition, we found indications that the vast majority of the reports received by the Centre may never be used. As of March 31, 2016, 37 million reports received by FINTRAC had reached the end of their 10-year retention periods and had been disposed of without having been used in a disclosure. This is almost the entire quantity of reports received by the Centre from its inception to March 31, 2006.

Our main findings are summarized below.

• There is no formal assurance that the personal information acquired, retained and transmitted by the Centre is appropriately protected on the Shared Services Canada IT infrastructure. As of 2012, FINTRAC’s electronic data holdings have been housed on the SSC IT infrastructure, as mandated by the Shared Services Canada Act.^{Footnote 3} In recent years FINTRAC has experienced some difficulties in obtaining assurances from SSC that certain required technical safeguards are in place. In addition, Electronic Funds Transfers data, which is received from reporting entities by both FINTRAC and CRA, is transmitted to CRA using a mandated Government of Canada technical system for which SSC has not renewed the authority to operate^{Footnote 4}. As a result, the sensitive personal information that is being transmitted to CRA via the SSC solution is no longer assured to be adequately protected from unauthorized use and/or disclosure.
• FINTRAC continues to receive and retain personal information outside of the legislated thresholds for reporting. This presents risks to privacy by making personal information that should never have been provided to FINTRAC available for FINTRAC’s use and potential disclosure to other institutions. It is unlikely this issue will be resolved unless and until FINTRAC augments its current controls with more robust front-end screening to help ensure the reports it retains in its database meet reporting thresholds and do not contain unnecessary and/or excessive personal information.
• FINTRAC also collects and retains unnecessary amounts and types of personal information from entities while evaluating their compliance with Part 1 or 1.1 of the PCMLTFA.

Introduction

1. The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC, or the Centre) is responsible for facilitating the detection, prevention, and deterrence of money laundering, terrorist activity financing and other threats to the security of Canada. It is an independent agency reporting to the Minister of Finance who is accountable to Parliament for the activities of the Centre. It was established by and operates under the legislative authority of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA, or the Act) and its regulations.^{Footnote 5}
2. Under the PCMLTFA, specified businesses are required to collect information about their clients and transactions. They report some or all of this information to the Centre under prescribed circumstances. The number and type of entities which are required to report to FINTRAC^{Footnote 6} are extensive and include:
   • Accountants;
   • Notaries (in British Columbia);
   • Casinos;
   • Dealers in precious metals and stones;
   • Financial entities (banks, credit unions, caisses populaires, financial services cooperatives, trust and loan companies);
   • Life insurance brokers and agents;
   • Real estate brokers and agents;
   • Money services businesses (foreign currency exchange, money transfers); and
   • Securities dealers.
3. FINTRAC receives the following types of reports. All reports contain personal information.
   • Suspicious Transaction Report (STR): An STR must be submitted in relation to an attempted or completed financial transaction for which there are reasonable grounds to suspect that the transaction is related to the commission or attempted commission of a money laundering or terrorist activity financing offence. There is no monetary threshold for the reporting of a suspicious transaction.
   • Large Cash Transaction Report (LCTR): A large cash transaction report is submitted to FINTRAC when a reporting entity receives $10,000 or more in cash in the course of a single transaction, or when it receives two or more cash amounts totaling $10,000 or more made within 24 hours by or on behalf of the same individual or entity.
   • Electronic Funds Transfer Report (EFTR): An electronic funds transfer report is submitted to FINTRAC upon a transmission of instructions for the transfer of $10,000 or more out of or into Canada in a single transaction or in two or more transactions totaling $10,000 or more made within 24 hours by or on behalf of the same individual or entity, through any electronic, magnetic or optical device, telephone instrument or computer.
   • Casino Disbursement Report (CDR): Casinos must report to FINTRAC when a disbursement of $10,000 or more is made in the course of a single transaction, or when two or more disbursements totaling $10,000 or more are made within 24 hours on behalf of the same individual or entity.
   • Terrorist Property Report (TPR): Reporting entities must submit a terrorist property report for property that they know is owned or controlled by or on behalf of a terrorist or terrorist group, or that they have reason to believe is owned or controlled by or on behalf of a person listed under the Regulations Implementing the United Nations Resolutions on the Suppression of Terrorism.^{Footnote 7} Real estate, cash, bank accounts, insurance policies, money orders, securities, precious metals and stones and other types of assets are considered property.
   • Cross Border Currency Report (CBCR): A cross-border currency report is filed with the CBSA by a person entering or leaving Canada carrying a sum of currency or monetary instruments of $10,000 or more, or by a person mailing or sending such sums into or out of Canada. The CBSA then submits the report to FINTRAC. A cross-border seizure report is also submitted to FINTRAC by CBSA when unreported cash or monetary instruments are seized or upon the seizure of suspected proceeds of crime.
   • Voluntary Information Record (VIR): Individuals may voluntarily report their suspicions about money laundering or terrorist financing activities to FINTRAC. Law enforcement, government institutions and intelligence partners may also provide information to the Centre through the submission of a VIR.
4. A variety of large but potentially legitimate purchases may be reported to FINTRAC as a matter of course. LCTRs, EFTRs and STRs submitted to FINTRAC by reporting entities subject to the Act could include transactions such as down payments and mortgage arrangements for home purchases, car, boat and recreational vehicle purchases, funds sent to family members abroad and money received by international students studying in Canada.
5. FINTRAC analyzes and assesses information it receives and matches the information with other law enforcement and intelligence data, as well as publicly available information. FINTRAC analysts may conclude that the information to be disclosed provides “reasonable grounds to suspect” that it would be “relevant to investigating or prosecuting a money laundering offence or a terrorist activity financing offence”.
6. When this is the case, FINTRAC must disclose defined information to the appropriate police force at the federal, provincial or municipal levels, to be used in the investigation of money laundering and/or terrorist activity financing. When FINTRAC has reasonable grounds to suspect the information to be disclosed is relevant to threats to the security of Canada, it must disclose the information to CSIS. If, in addition, FINTRAC also meets other specific legal thresholds set out under the PCMLTFA, the Centre must disclose the designated information to additional disclosure recipients including, the CRA, CBSA, the Communications Security Establishment, and any agency or body that administers the securities legislation of a province. FINTRAC may also disclose information to international foreign intelligence units where there are reasonable grounds to suspect that the information to be disclosed would be relevant to investigating or prosecuting a money laundering or a terrorist activity financing offence, or an offence that is substantially similar to either offence.
7. FINTRAC also collects information directly from entities while evaluating their compliance with Part 1 or 1.1 of the PCMLTFA, as it is required to do under the Act.

What we found in previous audits

8. The PCMLTFA requires the Privacy Commissioner of Canada to undertake a biennial review of the measures taken by the Centre to protect the information it receives or collects and to report on those measures to Parliament.^{Footnote 8} This is the third such review undertaken by the Commissioner; the previous reviews were completed in 2009 and 2013. Both of these reviews found that FINTRAC received and retained reports that did not comply with reporting thresholds established under the PCMLTFA. A table outlining recommendations made in 2013 and our assessment on the progress made to address them can be found at Annex A to this document.

Events since our last audit

9. The Standing Senate Committee on Banking, Trade and Commerce undertook a statutory review of the PCMLTFA in 2013.^{Footnote 9} The Committee report made recommendations related to the evaluation of FINTRAC’s effectiveness and value in the prosecution of terrorist and money laundering offences, the need for expanded information sharing, and discussed the need for an appropriate balance between information sharing and the protection of personal information.
10. In 2014, the PCMLTFA was amended by Bill C-31^{Footnote 10} to, among other things, provide more flexibility to reporting institutions when verifying client identity, enhance record keeping and registration requirements for financial institutions and intermediaries, include an express reference to online casinos in the Act, and extend the application of the Act to persons and entities that deal in virtual currencies and foreign money services businesses, though these provisions are not yet in force. Bill C-31 also enabled FINTRAC to disclose information relating to compliance with Part 1 of the PCMLTFA to the CRA.
11. Of particular note for this audit, Bill C-31 also added subsection 54(2) to the PCMLTFA.^{Footnote 11} This provision requires the Centre to destroy information it receives from reporting entities that it determines, in the normal course of its activities, is not required to be reported to the Centre. FINTRAC must similarly destroy any information voluntarily provided by the public that it determines, in the normal course of its activities, is not about suspicions of money laundering or the financing of terrorist activities. The information must be destroyed “within a reasonable time after the determination is made”; the statute does not define what is reasonable in these circumstances.
12. In 2015, Bill C-59^{Footnote 12} amended subsection 55(3) of the PCMLTFA to require FINTRAC to disclose certain information to provincial and territorial securities regulators if it has reasonable grounds to suspect that the information would be relevant to investigating or prosecuting a money laundering or a terrorist activity financing offence, as well as offences set out in securities legislation administered by the agency to which the disclosure is made.
13. The 2015 Security of Canada Information Sharing Act (SCISA)^{Footnote 13} encourages and facilitates broader sharing of personal information among federal government departments for the purposes of protecting Canada against activities “undermining the security of Canada.” According to FINTRAC, the SCISA has not had a significant impact on its activities as FINTRAC can only receive and disclose information under the PCMLTFA.
14. In June 2015, the House of Commons Standing Committee on Finance released its report on terrorist financing in Canada and abroad.^{Footnote 14} The Committee made a number of recommendations focused on increasing the effectiveness of global efforts to combat terrorist financing and of Canada’s Anti-Money Laundering/Anti-Terrorist Financing (AML/ATF) regime. Among other recommendations, it advised FINTRAC to urge financial institutions in Canada to improve the training provided to their compliance officers, in order ensure the correct identification of suspicious transactions.
15. The Financial Action Task Force’s (FATF) most recent assessment report of Canada’s ALM/ATF regime was issued in September 2016. The FATF is an inter-governmental body with representation from jurisdictions around the world, including Canada. Its objectives are to set standards and promote effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system.^{Footnote 15} The report^{Footnote 16} analysed Canada’s compliance with international obligations, and the level of effectiveness of Canada’s ALM/ATF system. There were no recommendations related to privacy issues or the use of personal information.

FINTRAC data holdings on Shared Services Canada IT infrastructure

16. Shared Services Canada (SSC) was created in 2011 to centrally manage information technology infrastructure for 42 other Government of Canada institutions, including FINTRAC. Ownership of the infrastructure supporting FINTRAC core systems and electronic data holdings was transferred to SSC in 2012. The two institutions have a shared responsibility relating to the protection of systems and personal information received, collected and electronically managed in the context of FINTRAC’s mandated activities. SSC is responsible under the Shared Services Canada Act for providing IT infrastructure.^{Footnote 17} FINTRAC is responsible for ensuring the personal information which it collects is managed and protected in compliance with both the Privacy Act and the PCMLTFA.

Focus of this audit

17. The audit focused on whether FINTRAC has taken adequate measures to ensure there are appropriate safeguards in place to protect the personal information in FINTRAC’s electronic data holdings, which reside on the IT infrastructure for which SSC is now the service provider. This transition, which took place in 2012, was not examined during our 2013 audit.
18. The audit also evaluated the collection of personal information from reporting entities by FINTRAC during its compliance assessment activities, and reviewed the progress made by FINTRAC in response to the observations and recommendations in our 2013 audit.
19. We did not audit disclosures from FINTRAC to regime partners, the Centre’s handling of personal information about its employees, or the personal information handling practices of the entities reporting to FINTRAC.
20. Audit evidence was obtained through the examination of records, interviews, and audit tests. We reviewed a sample of Suspicious Transaction Reports (STRs), Voluntary Information Records (VIRs), and examined all Terrorist Property Reports (TPRs) in the FINTRAC database. We also looked at how reports with certain financial reporting thresholds are managed, and made inquiries to SSC with regards to the protection of FINTRAC information.
21. More information about the audit objective, criteria, scope and approach is found at Annex B to this document.

Observations and Recommendations

22. Sections 4 through 8 of the Privacy Act limit the collection of personal information by federal government institutions and govern how that information can be used and disclosed. The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) requires FINTRAC to ensure that appropriate safeguards are in place to protect the personal information it collects and retains.
23. We looked at how FINTRAC manages the personal information that it obtains, through reports and records submitted to it by financial institutions and other reporting entities, or through direct collection by the Centre during compliance assessment activities. We also looked at the measures FINTRAC takes to ensure that the personal information it acquires is protected with appropriate and sufficient safeguards while it is housed on the SSC IT infrastructure and when being transmitted to the CRA.
24. We expected to find that FINTRAC receives and retains only that personal information which is directly related to its operating programs and activities and for which it has legislative authority; that the safeguards in place to protect such information comply with the relevant Government of Canada IT security policies, directives and standards and are sufficient to mitigate the risk of breaches and inappropriate disclosures; and that personal information is disposed of at the end of its scheduled retention period.

• There is no formal assurance that the personal information collected, retained and transmitted by the Centre is appropriately protected on the Shared Services Canada IT infrastructure.

25. The Treasury Board of Canada Secretariat’s (TBS) Policy on Government Security (the Policy)^{Footnote 18} prescribes safeguards to protect and preserve the confidentiality and integrity of government assets, including personal information, and establishes minimum mandatory security requirements. Federal institutions must conduct their own assessments to determine whether safeguards above baseline levels are necessary. The Policy also calls for continuous monitoring of the threat environment to ensure appropriate security measures are maintained.
26. The Policy is given effect by standards and directives which must be followed by government institutions. The TBS Operational Security Standard: Management of Information Technology Security (MITS)^{Footnote 19} requires IT systems to be certified and accredited through a Security Assessment & Authorization (SA&A) process before they begin operating. An SA&A is used to assess and mitigate risks to an acceptable level. The process could include conducting Threat and Risk Assessments to determine security requirements, Statements of Sensitivity to assess the sensitivity of information or assets and Privacy Impact Assessments to assess and mitigate potential privacy risks.
27. Ownership of the infrastructure supporting FINTRAC core systems was transferred to SSC in 2012. We noted that no SA&A had been completed by SSC for this legacy infrastructure. SSC will initiate a SA&A process for legacy systems only when significant changes are required or upon receipt of a formal request from the partner institution; however, FINTRAC has not made such a request. We found that FINTRAC had itself updated previous security assessments for its systems in consultation with SSC personnel specifically assigned to FINTRAC premises but without engaging SSC management. While SSC advised our office that they have security practices in place to help mitigate the risk of unauthorized access to FINTRAC data, such as the conduct of vulnerability scanning, these practices are not meant to replace the SA&A process. There is therefore no formal assurance that all privacy and security risks to FINTRAC information holdings on the SSC infrastructure have been appropriately identified and mitigated.
28. Reporting entities are required to submit reports about Electronic Funds Transfers (EFTRs) of $10,000 or more to FINTRAC and to the Canada Revenue Agency (CRA). Operationally, reports are transmitted to CRA through the Managed Secure File Transfer (MSFT), which is a centralized SSC service. We noted that the accreditation letter, which is required for the system to operate, expired in February 2015. SSC confirmed that the accreditation for this government-wide system has expired. Therefore, the MSFT system used to transmit EFTRs to CRA does not currently have authority to operate.

• The roles and responsibilities between FINTRAC and SSC for privacy and security are not clearly defined

29. Subsection 29.2(2) of the Financial Administration Act^{Footnote 20} requires written agreements to govern the provision of internal support services by one department to another. Such agreements should include specific clauses for the protection of personal information in order to ensure compliance with the Privacy Act and relevant TBS policies, directives, and standards. The TBS Guideline on Service Agreements: Essential Elements^{Footnote 21} provides guidance regarding the content of and governance structure for service agreements, including those between two federal government departments. Privacy and security are recommended as essential elements of such agreements.
30. FINTRAC’s Privacy Policy states that personal information must be protected from improper access, loss, use, disclosure or destruction through the inclusion of specific confidentiality provisions in contracts or other arrangements with third parties.
31. We reviewed the business arrangement between FINTRAC and SSC which describes, in general terms, their ongoing business relationship. However, this document does not specify the roles and responsibilities of each department for the protection of FINTRAC data. It does not include privacy or security clauses outlining requirements for privacy and security risk assessments, management of access rights and monitoring, control and custody of personal information, or guidance on how to deal with privacy breaches. While FINTRAC and SSC have entered into a number of other agreements covering specific services, these agreements are not comprehensive and do not adequately address security and privacy for FINTRAC’s data holdings.
32. The business arrangement between FINTRAC and SSC outlines an option for entering into an Operating Protocol to ensure that particular or specialized business needs or circumstances are accommodated, enabling the parties to deliver their respective programs and services in full compliance with legal requirements, policy obligations and management controls. Such a Protocol would provide an opportunity for clearly defining the roles and responsibilities of FINTRAC and SSC in relation to privacy and data security. However, an Operating Protocol has not been entered into by the parties.
33. SSC, in consultation with partner departments including FINTRAC, has developed a table that outlines responsibilities and accountabilities between itself and its partners regarding the security of their information holdings. The table covers areas such as the development of security standards and departmental IT security risk management processes. While the table provides guidance on roles and responsibilities for securing partners’ information holdings, it is not binding and it is not intended to include relevant clauses that are normally included in an agreement, which is required by subsection 29.2(2) of the Financial Administration Act.
34. The FINTRAC Privacy Breach Incident Guidelines describe a general process to follow in case of a breach of personal information, but are silent regarding the roles and responsibilities of FINTRAC and SSC if a breach of FINTRAC data occurs on SSC’s infrastructure. Section 6 of the SSC Directive on Privacy Breaches indicates that roles and responsibilities will be shared when breaches involve SSC’s IT infrastructure and a partner institution’s data, but does not elaborate on how this sharing of responsibility will be carried out.

• FINTRAC does not regularly monitor activity logs for IT systems to identify inappropriate access, use, or disclosure of personal information.

35. Section 6.2.21 of the TBS Directive on Privacy Practices^{Footnote 22} requires departments to adopt appropriate measures to ensure that the access, use and disclosure of personal information are monitored and documented, so that inappropriate or unauthorized activity in this regard can be identified and rectified in a timely fashion.
36. Similarly, section 17 of the MITS requires departments to continuously monitor system performance in order to quickly detect attempted or actual unauthorized access to a system, or attempted or actual bypassing of security mechanisms. At a minimum, departments must include a security audit log function in all IT systems. Departments must incorporate automated, real-time, incident detection tools in high risk systems.
37. The personal information received and collected by FINTRAC to fulfill its intelligence role is stored on several systems. This includes all reports submitted to the Centre. These systems contain detailed financial information and other sensitive personal information elements.
38. A record is created and logged when users log in, create, modify, view or delete files on any of the networks. However, not all logs are actively monitored to ensure the timely identification of inappropriate or unauthorized access to, or disclosure of, personal information that is accessible to internal users.

• FINTRAC continues to receive and retain personal information that does not meet reporting thresholds set out in the PCMLTFA.

39. The PCMLTFA authorizes FINTRAC to receive reports from reporting entities and the CBSA. By July 31, 2016, FINTRAC had received almost 257 million such reports.
40. Our 2009 and 2013 audits found that FINTRAC received and retained personal information that did not meet legal reporting thresholds. We issued recommendations calling on FINTRAC to mitigate this risk by implementing a process to screen incoming reports prior to retention.
41. FINTRAC implemented several measures to validate incoming reports. As the majority of reports received by FINTRAC are submitted electronically, fields on incoming reports are automatically reviewed to validate, through a number of “validation rules” whether required information is provided, and whether it is in the correct format. Checks are also conducted for some types of personal information that should not be provided -- such as Social Insurance Numbers (SIN) and some provincial health card numbers. Reports may be rejected outright, or a warning message may be issued to the reporting entity.
42. FINTRAC’s validation rules apply to the electronic submission of Suspicious Transaction Reports (STRs), Large Cash Transaction Reports (LCTRs), Electronic Funds Transfer Reports (EFTRs) and Casino Disbursement Reports (CDRs). As a result of the validation rules related to personal information, we noted that approximately 18,600 LCTRs, EFTRs, and CDRs submissions were rejected between June 1, 2014 and May 31, 2016.
43. STRs are not rejected, even if the validation rules flag issues, as the Centre considers their content to be valuable. In some cases where STRs contained unnecessary information, warning messages were sent to reporting entities. Voluntary Information Records are not subject to automatic validation.
44. These measures have been somewhat effective in identifying and deflecting non-compliant reports in some reporting categories. However, we found evidence through sampling that FINTRAC continues to receive and retain personal information that does not meet reporting thresholds.

Suspicious Transaction Reports

45. We noted five STRs from a sample of 280 such reports which did not include any description of or justification for suspected money laundering or terrorist financing activities. The absence of such information in a report makes it difficult to assess whether the “reasonable grounds” threshold has been met.
46. We identified STRs related to transactions that did not demonstrate “reasonable grounds to suspect” that they related to money laundering or terrorist financing activities; see examples below in Exhibit A. In each case a report was sent to FINTRAC – and FINTRAC retained the report in its database.

47. FINTRAC has a process in place for segregating and subsequently disposing of reports which do not meet reporting thresholds. However, we found this process is not consistently followed. We were informed by FINTRAC that the Centre’s analysts may decide to retain reports that do not meet thresholds, in case additional information is received in the future that could make the report useful.

Voluntary Information Records

48. We also examined a sample of Voluntary Information Records (VIRs). VIRs submitted by entities other than law enforcement, government entities or foreign agencies similar to FINTRAC must be about suspicions of money laundering or the financing of terrorist activities. However, we found a number of VIRs that were not submitted by these entities where there was no suspicion of money laundering or terrorist financing. Exhibit B below shows an example of such a situation.

49. The PCMLTFA states that FINTRAC shall receive information provided to the Centre by law enforcement agencies or government institutions or agencies. There is no reporting threshold associated with these VIRs. However, VIRs are routinely used to ask for information. Exhibit C shows an example of how a VIR is used in this regard.

50. These examples indicate that VIRs - subject to a reporting threshold - and STRs that do not meet legislated thresholds for reporting continue to be submitted to and retained by FINTRAC. We acknowledge that the recent amendment adding subsection 54(2) to the PCMLTFA obliges the Centre to destroy information that does not meet reporting thresholds when this determination is made in the normal course of its activities. However, in the absence of a more stringent front-end screening mechanism, such reports will continue to be received by FINTRAC and retained in its databases, potentially for long periods of time, before they may be discovered and purged.

Terrorist Property Reports

51. Pursuant to the Criminal Code^{Footnote 23} Reporting entities are required to file a Terrorist Property Report (TPR) to the RCMP and CSIS if they have property in their possession or under their control that they know is owned or controlled by or on behalf of a terrorist group within the meaning of the legislation. This information must also be given to FINTRAC pursuant to the PCMLTFA. Similarly, reporting entities must file a TPR if they have property in their possession or control that they believe is owned or controlled by or on behalf of a person listed under the Regulations Implementing the United Nations Resolutions on the Suppression of Terrorism. As of December 2016, FINTRAC had received a total 109 TPRs since its inception.
52. We found in previous audits that almost half the TPRs submitted to FINTRAC were filed on the basis of a “possible match” to terrorist listings. It is FINTRAC practice to retain these reports regardless of whether “possible” terrorist affiliation is later confirmed. We previously recommended that FINTRAC explore avenues with its intelligence partners to ensure, to the extent possible, that terrorist affiliations were confirmed prior to FINTRAC’s retention of this data.
53. FINTRAC committed to entering into a dialogue with its intelligence partners to explore ways to mitigate the risk of retaining information about individuals when it has been confirmed that no terrorist affiliation exists. Based on this commitment, our 2013 audit rated progress on this recommendation as satisfactory.
54. Our inquiries during this audit found no evidence that such a dialogue took place, and FINTRAC confirmed that it has not received any communication from its law enforcement partners repudiating suspicions of terrorist affiliation for individuals named in TPRs. FINTRAC informed us that it is unable by law to contact law enforcement partners to confirm or refute terrorist affiliation unless the threshold for disclosure of information to partners has been met.
55. We reviewed a sample of TPRs and noted that the type of issues observed in 2009 and 2013 remain. Reporting entities continue to submit reports on the basis of a “possible match” to terrorist listings. In addition, we found a TPR filed in 2007 on the basis of a “possible name match”; two months later, the reporting entity sent a correction to the first report indicating the individual was not affiliated with terrorism. Both the initial TPR and the subsequent correction remain in the database.
56. We also observed that, as of December 2016, 42 TPRs – almost half the number that had been submitted to FINTRAC since its inception – reached the end of their ten-year retention periods and were disposed of by FINTRAC without ever having been used in a disclosure.

Reports with financial thresholds

57. We found that FINTRAC continues to receive and retain reports that do not meet the specific financial thresholds set out in legislation. FINTRAC receives four types of reports for which precise and objective financial thresholds apply. These are: Electronic Fund Transfer Reports (EFTRs), Large Cash Transaction Reports (LCTRs), Casino Disbursements Reports (CDRs), and Cross Border Currency Reports (CBCRs). FINTRAC is authorized under the PCMLTFA to collect reports only about transactions of $10,000 or more for these categories.
58. If two or more transactions of less than $10,000 each are made by or on behalf of the same individual or entity within 24 hours, and together total $10,000 or more, these must also be reported. This is referred to as the “24 hour rule” and applies to EFTRs, LCTRs and CDRs.
59. During our 2009 and 2013 audits, we found that FINTRAC did not have the capacity to match incoming reports under the 24 hour rule. FINTRAC was unable to match EFTRs and LCTRs under $10,000 to others submitted by or on behalf of the same individual or entity within the 24 hour time period. The same issue was found again in this audit.
60. FINTRAC has made efforts to develop an automated solution for this problem; however, FINTRAC acknowledges that its attempted solution has not been successful. FINTRAC has advised us that an automated solution may not be possible. As a result, the risk level in this area has not improved since our first audit in 2009.
61. As of July 31, 2016, FINTRAC had received over 254 million EFTRs and LCTRs since its inception. Among these are approximately 80,000 EFTRs and 150,000 LCTRs that are under the $10,000 reporting threshold and do not fall under the 24-hour rule. FINTRAC does not have the legislative authority to retain transactions under $10,000 unless they are matched to another transaction made within 24 hours by or on behalf of the same individual or entity.

• FINTRAC collects and retains unnecessary amounts and types of client personal information from entities that fall under the PCMLTFA while performing compliance examinations.

62. FINTRAC carries out a compliance program to ensure reporting entities meet their obligations under the PCMLTFA. As of March 31, 2016, FINTRAC had performed 7,450 compliance examinations. The PCMLTFA allows FINTRAC to collect information as part of its compliance examinations. The TBS Directive on Privacy Practices^{Footnote 24} requires government institutions to limit collection of personal information to what is directly related to and demonstrably necessary for the government institution’s programs or activities.
63. Our 2013 audit found that FINTRAC had collected and retained unnecessary personal information as part of its compliance files. This included photocopies of the tax records of deceased individuals, medical records, Proof of Death statements, credit reports, drivers’ licenses, passports, and Social Insurance Number (SIN) cards.
64. FINTRAC has taken measures to address our 2013 recommendations related to these issues, including implementing a policy that only the specific records or information needed to support deficiencies should be kept. However, the sample of compliance examination files we reviewed for this audit indicated that information which is not needed to support deficiencies continues to be retained.
65. We found that compliance examination files contained information that did not relate to the noted deficiency, and that information was retained where no deficiencies were found at all. Some of the information we noted in this regard included:
    • A business database showing multiple online payments with individuals’ names, addresses, dates of birth, and SINs;
    • Information on account openings including photocopies of drivers’ licences;
    • Forms containing personal information, including information on identity cards, hire date, occupation;
    • Photocopies of account opening forms, including name, date of birth, SINs, citizenship information;
    • Employee names, emails and performance comments.

Conclusion

66. FINTRAC has made significant efforts to mitigate the risks of collecting information that is irrelevant to its mandate and/or exceeds its legislative authority. Progress has been made.
67. This includes the implementation of automated front-end screening to ensure that mandatory fields in reports sent to FINTRAC are completed. The screening process has rejected thousands of transactions that did not meet reporting thresholds. FINTRAC has also undertaken compliance outreach activities to educate reporting entities as to what information is required, and what information should not be reported. In addition, there is a process in place by which information that should not have been reported can be segregated and destroyed when it is encountered by FINTRAC analysts in the course of their regular activities.
68. However, our examination findings indicate that many thousands of reports containing information that should not have been reported to FINTRAC remain in its database. This risk will remain until FINTRAC enhances its current comprehensive front-end screening system that effectively filters out reports that do not clearly meet applicable legislative thresholds.
69. FINTRAC needs to work with Shared Services Canada to ensure that the personal information acquired, retained and transmitted by the Centre is appropriately protected when being stored and while being transmitted on SSC IT infrastructure. This will require a collaborative effort between FINTRAC and SSC, as the two institutions have shared responsibilities relating to the protection of the information received and collected by FINTRAC and the certification and accreditation of the IT systems on which it resides and through which it is transmitted.

ANNEX A

Assessment of Progress Related to Previous Recommendations

Based on our assessment of the actions taken by FINTRAC in addressing the recommendations from our 2013 audit we assigned one of the following ratings:

• Satisfactory—Progress is satisfactory, given the significance and complexity of the issue, and the time that has elapsed since the recommendation paragraph was made; or
• Unsatisfactory—Progress is unsatisfactory, given the significance and complexity of the issue, and the time that has elapsed since the recommendation paragraph was made.

Our assessment of the actions taken by FINTRAC in addressing the recommendations from our 2009 audit was included in our 2013 audit report available at Audit of the Financial Transactions and Reports Analysis Centre of Canada. Final Report 2013.

2013 Recommendations	2017 Assessment
Protection of information holdings
FINTRAC should implement measures to ensure that all its staff members possess a sound awareness of FINTRAC’s privacy and security policies to safeguard personal information and their obligation to comply with them at all times.	Satisfactory Various training and awareness sessions on Privacy, Information Management and Security have been provided.
Compliance with the Code of Fair Information Practices
To reconcile its obligations under the PCMLTFA with those under the Privacy Act, FINTRAC should analyze and assess incoming reports to ensure that it receives and retains only information that meets legislated thresholds for reporting and which it needs or uses in an ongoing program or activity.	Unsatisfactory Our review found various instances of reports that did not meet reporting thresholds and therefore, should not be retained.
FINTRAC should assess the effectiveness of its outreach programs and strengthen them where necessary to mitigate the risk of receiving personal information beyond the parameters and thresholds specified by the PCMLTFA.	Satisfactory FINTRAC has conducted significant outreach activity. Likewise, it provides information and advice through its web site.
FINTRAC should identify and dispose of information that it should not have received and is not directly related to its operating programs and activities.	Unsatisfactory Reports that did not meet reporting thresholds are being retained.
FINTRAC should: a) finalize an agreement with LAC regarding terms and conditions for the transfer of its archival records, and b) implement a formal policy for information and records whose retention and disposal periods are not specifically covered by the PCMLTFA.	Satisfactory The agreement with LAC was signed. FINTRAC has implemented retention and disposal schedules.
FINTRAC’s Compliance Mandate
In keeping with privacy best practices and to ensure consistent data minimization by compliance officers, FINTRAC should update its policies and procedures to clearly identify what information compliance officers should record and retain on compliance files to support deficiencies.	Satisfactory Policies were updated to indicate that only information relevant to support deficiencies is to be retained on examination files.
FINTRAC should include a privacy compliance monitoring process in its QA program to determine if information collected and retained while performing compliance examinations is limited to that which is necessary to establish compliance with the Act.	Unsatisfactory A QA program is not yet in place. Our review found that information not relevant to support deficiencies was kept.
The “Consent to enter a dwelling house for compliance examination” form should be further amended to indicate the purpose of collecting the date of birth on the form and the uses that will be made of it.	Satisfactory The form was amended as recommended.
As regulators have issued Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) guidance that instructs entities to report transaction below the legislated threshold, FINTRAC should take action to ensure that guidance issued by regulatory partners is consistent with PCMLTFA requirements.	Satisfactory FINTRAC sent correspondence to regulatory partners with emphasis to avoid over reporting and to achieve consistency in guidance issued to reporting entities.

ANNEX B

About the Audit

Authority

Section 37 of the Privacy Act authorizes the Privacy Commissioner to undertake compliance reviews of the manner in which government institutions manage their personal information holdings and make recommendations where appropriate. Under section 72.(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) the Privacy Commissioner is required to conduct a biennial review of measures taken by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) to protect information it receives or collects, and to report the results of such reviews to Parliament.

Objective

The audit objective was to assess whether FINTRAC has appropriate controls in place to protect the personal information it collects and retains, and whether FINTRAC manages this information in compliance with sections 4 through 8 of the Privacy Act. In addition, we focused on whether FINTRAC has taken adequate measures to ensure there are appropriate safeguards in place to protect the personal information in FINTRAC’s electronic data holdings, which reside on Shared Services Canada’s (SSC) IT infrastructure.

The audit also evaluated the collection of personal information from reporting entities by FINTRAC during its compliance assessment activities, and reviewed the progress made by FINTRAC in response to the observations and recommendation in our 2009 and 2013 audits.

Criteria

The criteria for conducting the audit are based on the authorities of the Privacy Act and associated Treasury Board Secretariat (TBS) policies, as well as the PCMLTFA. We expected FINTRAC to:

• limit the receipt, collection and use of personal information to that which is necessary for the execution of its mandate;
• retain and dispose of personal information in accordance with governing authorities;
• have appropriate security measures in place for its information holdings, systems and infrastructure.

Scope and approach

The audit team examined FINTRAC programs and processes where the impact on privacy was deemed to be significant. In addition, the role of SSC in safeguarding FINTRAC information that resides or flows on its information technology infrastructure was reviewed.

We evaluated policies, guidelines, training materials, physical and IT threat and risk assessments, memoranda of understanding (MOUs), and privacy control checklists. We also interviewed FINTRAC and SSC staff members, examined reporting processes, and reviewed samples of reports and compliance examination files. All examination activities were conducted in the National Capital Region and our audit work was substantially completed on March 31, 2017.

Standards

The audit was conducted in accordance with the legislative mandate, policies and practices of the Office of the Privacy Commissioner of Canada, and followed the spirit of the audit standards recommended by Chartered Professional Accountants of Canada.

Audit Team

Acting Director General: Lara Ives

Sarah MacKay
Tauqeer Shaik
Ivan Villafan
Lindsay Scotton