Investment dealer needs personal information to comply with securities regulations
PIPEDA Case Summary #2006-347
[Principle 4.3.3 of Schedule 1 and subsection 5(3)]
An individual believed that the firm handling his investments was requesting an excessive amount of personal information, including proof of identity, as a condition of service for certain kinds of investments. However, securities regulations obligated the investment firm to establish the identities, creditworthiness and reputations of its clients. The Assistant Privacy Commissioner determined that the information collected by the firm was needed to meet its legal requirements and did not go beyond what was necessary to fulfill these legitimate purposes.
The following is an overview of the investigation and the Assistant Commissioner’s findings.
Summary of Investigation
The complainant is the president of a company that had a corporate account with an investment firm. As president, he received a letter from the firm, asking him to complete some forms. As he owned greater than a ten per cent interest in the corporation, he was asked for the following:
- Name
- Home address
- Occupation
- Name of employer
- Citizenship
- Whether he was an insider or controlling shareholder of a publicly traded corporation or similar entity; if yes, name and exchange.
He was also asked to provide photocopies of two pieces of identification, including one with a photograph. His SIN and the account numbers of any accounts he personally held with the investment firm were to be written on the copies. If he had no accounts with it, he was to present the two pieces of identification in person to the firm.
As for the purpose for collecting his personal information, the form noted that the firm was required under securities law to obtain beneficial ownership information on his account. The firm also indicated that it required the information as a result of a policy change by the Investment Dealers Association (IDA), to which it belonged. The complainant questioned the legitimacy of this requirement.
The IDA is the national self-regulatory organization of the Canadian securities industry. It regulates the solvency, educational proficiency, and sales and business practices of Canadian investment dealers. Non-compliance with its regulations can result in disciplinary action, including registration suspension and fines.
In collecting the personal information specified on its form, the firm was complying with IDA Regulation 1300.1, which deals with the supervision of accounts. Its purpose is to ensure that IDA members learn and remain informed of the essential facts relative to every customer, in keeping with members’ know-your-client and due diligence obligations. According to the IDA, a member may use a variety of methods to meet these obligations, provided that they enable the member to form a reasonable belief that it knows the true identity of the individual. The basic principle is that verification methods must be reliable and independent of the client.
The firm indicated that knowing the occupation and employer of a client also helps satisfy requirements under money-laundering regulations to identify accounts that pose a risk of money laundering or other illegal activity. This information is collected to help prevent insider trading and to see if the individual is working for a company that is either banned or watched by the securities commission. If so, trades would be monitored for irregular activity.
Furthermore, under the securities regulations of the province in which the complainant lives, all dealers and advisors are required to be able to establish the identity, creditworthiness and reputation of a client. Investment dealers may comply with this requirement by following the guidelines published by the Toronto Stock Exchange or the IDA.
Findings
Issued August 15, 2006
Application: Principle 4.3.3 states that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes. Subsection 5(3) stipulates that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate under the circumstances.
In making her determinations, the Assistant Commissioner deliberated as follows:
- Provincial securities regulations require the investment firm to establish the identity, creditworthiness and reputation of a client. Investment dealers may comply with this requirement by following IDA guidelines.
- The purpose of collecting the individual’s personal information was to ensure compliance with these securities regulations and with the requirements of the IDA, as stated in Regulation 1300.1.
- The purpose of Regulation 1300.1 appeared to be legitimate, reasonable, and explicitly stated in light of the legislated know-your-client and due diligence obligations of investment dealers.
- The personal information collected by the firm, including the requirement for identification, met IDA requirements and was not beyond that required to fulfill these legitimate purposes. The information also allowed the firm to satisfy its obligation to identify any potentially illegal activity.
- She therefore found that there were no contraventions of Principle 4.3.3 and subsection 5(3).
The Assistant Commissioner concluded that the complaint was not well-founded.
Other Considerations
The investment firm also asked for the same personal information from the company’s other shareholders owning greater than a ten per cent interest in the company. The information was provided to the investment firm with the shareholders’ knowledge and consent.
It is important to note that the company is considered to be an organization engaged in a commercial activity for the purposes of the Act. Under paragraph 7(3)(i) of the Act, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is required by law.
In this instance, the investment firm cited securities laws that obliged it to collect the shareholders’ personal information and the complainant, as corporate representative, to disclose it. If the complainant had disclosed the shareholders’ information without their knowledge or consent, the exception to consent provided under paragraph 7(3)(i) would have applied. He would not have been in contravention of the Act.
Moreover, the investment firm’s indirect collection (from the complainant) of the shareholders’ information without their knowledge or consent would have been reasonable in the circumstances on the same grounds as the investment firm’s direct collection of the complainant’s personal information was reasonable.
- Date modified: