Investment brokerage not over collecting personal information to open self-directed investment account
PIPEDA Report of Findings #2015-006
April 23, 2015
An individual opening a new self-directed investment account with an investment brokerage was required to provide personal information including net worth, marital status and spouse’s occupation. The individual objected to providing the information given that it was a self-directed investment account and the brokerage would not need to determine the individual’s suitability for certain types of investments.
In response to the individual’s concerns, the brokerage indicated that it was collecting the information in order to comply with certain regulatory and legislative requirements, and not to determine suitability with respect to investments.
The individual was not satisfied with the brokerage’s response. Since she refused to provide all the information, the brokerage would not open the account for her. She therefore filed a complaint with our Office, alleging that the brokerage was collecting more personal information than necessary and making the collection a condition of service.
During our investigation, the brokerage argued that because it was a securities dealer, the Investment Industry Regulatory Organization of Canada (IIROC) required it to obtain complete “Know Your Client” (KYC) information about an individual applying for investment accounts, including self-directed investment accounts. Furthermore, the brokerage argued that the federal Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) required it to collect certain information for compliance with applicable anti-money laundering (AML) requirements. Finally, the brokerage explained that its reporting obligations under provincial securities legislation obliged it to ascertain if the individual or her spouse were insiders or in control of a publicly traded company, or closely associated with an investment dealer.
After examining the IIROC’s Dealer Member Rules, as well as sections of the applicable provincial securities legislation and of the PCMLTFA, our Office was satisfied that the requested information was required by the investment brokerage in the circumstances to meet its KYC requirements imposed by the IIROC, as well as its obligations under the PCMLTFA and provincial securities laws, including its requirement to identify suspicious transactions, an “associate” of an investment dealer, or an insider trader for the purposes of securities legislation.
We therefore determined that: the purposes for the collection were properly identified; these purposes were appropriate in the circumstances; and the complainant was not being required to consent to the collection of more personal information than necessary as a condition of providing the service. Consequently, we found that the complaint was not well-founded.
Lessons Learned
- Organizations may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances, which can include complying with a regulatory or legislative obligation.
- Despite the self-directed nature of investment accounts, investment brokerages may be entitled to require an individual to consent, as a condition of service, to the collection of certain personal information where the information is required for compliance with regulatory obligations such as IIROC's Know Your Client requirements, legislative obligations relating to anti-money laundering requirements under Canada’s Proceeds of Crime (Money Laundering) and Terrorist Financing Act, and legislative requirements under provincial securities legislation relating to identifying whether an individual can be deemed an insider or an “associate”.
Report of Findings
Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)
- The complainant alleges that the respondent required an unreasonable amount of personal information on its Know Your Client Form in order to open a self-directed investment account, namely, “net worth”, “marital status”, and “spouse’s occupation” (the “Requested Information”).
- The respondent argued that it collects the Requested Information to comply with the Investment Industry Regulatory Organization of Canada’s (“IIROC”) “Know Your Client” (“KYC”) requirements. The respondent also relied on the requirement of complying with anti-money laundering (“AML”) requirements under Canada’s Proceeds of Crime (Money Laundering) and Terrorist Financing Act (“PCMLTFA”) and various provincial securities laws to further support its position that the Requested Information was required.
- In light of the analysis that follows, our Office finds that the Requested Information collected by the respondent is required to fulfil specified and legitimate purposes, and that the respondent is not collecting more information than is required in the circumstances.
Summary of Investigation
Timeline
- In 2013, the complainant visited the respondent to open a self-directed investment account, whereby the complainant would not receive investment advice from the respondent.
- At that time, the respondent asked her to fill out the respondent’s new investment client account application form (the “Form”). On account of the complainant’s refusal to provide the information requested on the Form, the respondent declined to open the account for her.
- In the complainant’s view, given the self-directed and suitability exempt nature of this account, certain information should not be requested. The complainant indicated that the respondent did not need to know the Requested Information.
- The complainant then sent an email to the respondent’s Ombudsman Office outlining her concerns. Specifically, the complainant believes that providing spouse’s occupation was overbroad in order to determine a potential industry insider, and the specific information requested was contrary and not in compliance with the exempt nature of a self-directed investment account.
- A vice-president for the respondent (“VP”) sent a letter to the complainant, explaining the reasons for requiring the Requested Information from the complainant.
- In his letter, the VP indicated that the Requested Information was not being requested for the purpose of determining the complainant’s suitability with respect to certain investments, but rather to comply with securities legislation. With respect to the spousal information requested, the VP explained that this information was required to ascertain if the complainant or her spouse is an insider or control person of a publicly traded company or are closely associated with an investment dealer, which would have an impact on the respondent’s reporting obligations under provincial securities legislation.
- He further explained that the respondent is also required to obtain complete KYC information in order to comply with AML requirements. With respect to IIROC’s brochure entitled “Opening your Retail Account — What your investment dealer needs from you — and why” (the “Brochure”), these legal requirements apply to both advice-providing and no-advice securities dealers.
- Finally, he explained that while advice-providing securities dealers may use KYC information for determining whether trades in securities are suitable for their investors, the respondent is still required to complete KYC information to ensure that all trades are executed in accordance with securities laws, even as a no-advice dealer. The VP further explained that while the respondent is a no-advice brokerage granted waiver of suitability by IIROC, it was still bound by KYC requirements imposed by applicable securities laws and IIROC as a registered dealer.
- The respondent’s Ombudsman advised the complainant that a resolution was beyond the scope of its mandate. However, the Ombudsman was also of the view that the respondent was legally bound by KYC responsibilities, which apply to both suitability and suitability-exempt dealers. This meant that the respondent would need to take steps when opening accounts to identify its clients and conduct due diligence in managing its own risks associated with opening self-directed investment accounts. As well, the respondent had to ensure compliance with AML requirements and securities laws, rules and regulations, as it determines.
- The Ombudsman further explained the respondent’s position that while it was granted a waiver of suitability under IIROC Rule 3200, it is still required to comply with KYC responsibilities and other applicable regulations set out in IIROC Rules 1300 and 2500 other than those solely related to suitability. Specifically, he indicated that it is the respondent’s interpretation of its obligations for compliance with rules, laws and regulations together with an evaluation of management discretion that it should collect the information outlined in its Form and require spousal and financial information in order to open accounts for clients.
- The complainant filed a complaint with our Office, which we accepted.
Information from IIROC
- According to IIROC’s website:Footnote 1
IIROC carries out its regulatory responsibilities under Recognition Orders from the provincial securities commissions that make up the Canadian Securities Administrators (CSA). IIROC is subject to oversight and regular operational reviews by CSA members.[…] In Canada, each province or territory has government bodies - securities commissions, authorities, administrators- that rely on an SRO [Self-Regulatory Organization] such as IIROC to carry out certain regulatory responsibilities. […] Securities legislation requires investment dealers to apply and be accepted for membership with an SRO if they wish to operate in Canada. Securities legislation also requires that individual employees who are carrying out certain functions within investment dealers be registered.
- The various provincial securities regulators in Canada have issued orders that have recognized the IIROC as a self-regulatory organization (“Recognition Orders”). These Recognition Orders require IIROC to, among other things: (i) regulate investment dealers; (ii) establish, administer and monitor its rules, policies and other similar instruments; and (iii) enforce compliance with its rules by regulated dealer firms (“Dealer Members”).
- IIROC has enacted a number of Dealer Member Rules, which generally set out detailed requirements with which its Dealer Members are required to comply. According to IIROC, the Dealer Member Rules are long standing and are approved by the various provincial securities commissions Footnote 2. Further, IIROC indicated that there is both a recognition and reliance by the provincial securities commissions on IIROC for the regulation of Dealer Members.
- Specifically, IIROC Dealer Member Rule 1300.1 provides that: “Each Dealer Member shall use due diligence to learn and remain informed of the essential facts relative to every customer and to every order or account accepted.”
- Dealer Member Rule 1300.2 provides that a Dealer Member must designate a supervisor to be responsible for the opening of new accounts and for establishing and maintaining procedures acceptable to IIROC for account supervision to ensure that the handling of client business is within the bounds of ethical conduct, consistent with just and equitable principles of trade and not detrimental to the interests of the securities industry. Dealer Member Rule 1300.2 further provides that, as part of this supervision, each new account must be opened pursuant to a new account form that includes the applicable information required by IIROC’s New Client Application Form (“Form 2”) for retail customer accounts.
- Form 2 is not a mandatory form that Dealer Members are required to use, as presented, under Dealer Member Rule 1300.2, but rather sets out the categories of information that Dealer Members are required to collect, consistent with the Brochure. Information requested on Form 2 includes: spouse’s name, spouse’s occupation, number of dependents, investment knowledge, net worth broken down by net liquid and fixed assets, and annual income from all sources.
- IIROC Dealer Member Rule 2500 Part II sets out further requirements for opening new retail accounts, including that KYC procedures must also be directed at meeting a Dealer Member’s gatekeeper obligations by identifying clients that present a high risk of conducting improper activities in the securities markets by, among other things, making a reasonable effort to determine the nature of the client’s (or their spouse’s) business.
- Dealer Member Rule 2500 Part II further provides that KYC procedures must also meet the requirements of the PCMLTFA. Through a memorandum of understanding with the Financial Transactions and Reports Analysis Centre of Canada (“FINTRAC”), IIROC monitors compliance with AML requirements and reports to FINTRAC, as appropriate.
- Dealer Member Rules 1300 and 2500 are principle-based and so the categories of information set out in the Rules and in Form 2 are not exhaustive. IIROC has published a Guidance Note setting out IIROC’s interpretation, expectations and suggested best practices relating to these KYC and account opening requirements [IIROC Notice 12-0109 — Know your client and suitability — Guidance (March 26, 2012)]. The document states in part:
IIROC Dealer Member Rule 1300.2 requires that each account be opened pursuant to a new account application which includes, at a minimum, the collection of applicable information required by Form 2, also referred to as the New Account Application Form.
Information from the respondent
- In response to our Office’s inquiry as to why the Requested Information is required, the respondent claimed that there were a number of legal and regulatory reasons for requiring its collection, apart from determining suitability.
KYC requirements
- According to the respondent, all of the Requested Information was required byIIROC. In support of this, the respondent provided a copy of the Brochure, which explainsIIROC’s role and why certain information is required. According to the Brochure,IIROC:
…regulates all investment dealers in Canada. […] Your advisor's firm is required by IIROC rules and other laws to gather certain information about you. It may be unable to open an account for you if you are unwilling to provide this information. This brochure sets out the basic information requirements for the initial application and ongoing maintenance of your account. […] Most investment firms are required to determine the suitability of each proposed transaction in your account. This applies whether or not the trades are the result of recommendations by the firm's staff. To determine suitability, your firm and advisor need to fully understand your financial situation, investment needs, objectives, investing experience and tolerance for risk. These can only be assessed by collecting from you accurate information about your personal and financial circumstances. This requirement, part of the Know-Your-Client rule, is one of the cornerstones of securities regulation.
In order for your firm and advisor to comply with the Know-Your-Client rule, you will be asked to provide and keep up to date the following information:
- marital status
- age
- occupation
- income and net worth
- number of dependents
- risk tolerance
- investment objectives
- investment knowledge and experience
[Emphasis added]
- The respondent expanded upon the nature of the regulatory requirements, stating that the National Instrument 31-103 Registration Requirements and Exemptions, and in particular Part 13 requires Dealer Members to do reasonable due diligence and collect sufficient information to satisfy IIROC’s KYC requirements.
- Part 13 describes the KYC and suitability requirements. With respect to the suitability requirements, these would not have applied to the respondent in the circumstances since the complainant was interested in opening a self-directed trading account whereby she would not be receiving advice from the respondent. However, the information required for suitability requirements overlap in some measure with the information required to comply with the separate KYC rules that relate to collecting sufficient information regarding a client or prospective client, which includes the client’s investment needs, financial circumstances, risk tolerance and credit worthiness. In this regard, the respondent indicates that it collects net worth information in order to determine the credit-worthiness of even clients who request a self-directed investment account.
AML requirements
- In addition to the KYC requirements, the respondent also argued that all the Requested Information is required for compliance with applicable AML requirements under the PCMLTFA.
- The respondent advised that it is required to comply with Part 1 (Record Keeping, Verifying Identity, Reporting Suspicious Transaction and Registration) of the PCMLTFA pursuant to paragraph 5(g) of the PCMLTFA.
- The respondent stated that net worth is used as part of its monitoring program required under thePCMLTFA. They stated:
In order to determine whether a transaction is related to the commission or attempted commission of a money laundering or terrorist activity financing offense (known as a “suspicious transaction”), the respondent must establish a transaction monitoring program. FINTRAC, where such transactions are reported, has published guidelines to assist firms in meeting this obligation.
- In support of this, the respondent quoted from “FINTRAC Guideline 2: Suspicious Transactions” that cites a “client’s apparent financial standing…” as a relevant piece of personal information to be used to identify a suspicious transaction in a monitoring program “based on [a Dealer’s] knowledge of [the] client”. Therefore, according to the respondent, one of the factors it must know about its clients in order to evaluate whether a transaction can be deemed suspicious is net worth, as it provides baseline knowledge of a client’s financial standing.
- With respect to marital status and spouse’s occupation, the respondent added that the PCMLTFA requires monitoring to determine if the respondent is dealing with a politically exposed foreign person or a prescribed family member thereof under section 9.3 of the PCMLTFA. Therefore, the respondent is of the view that it is required to take reasonable measures to determine whether the respondent is dealing with a politically exposed foreign person or a prescribed family member. FINTRAC Guideline 6E states that “reasonable measures” include asking the client, or consulting a credible source of commercially or publicly available information, about politically exposed persons. According to the respondent, it first requests the marital status of the applicant and then further asks the spouse’s name and employment details, to satisfy this requirement.
Provincial securities legislation
- Finally, the respondent argued that some of the Requested Information, namely, marital status and spouse’s occupation, is required for compliance with certain provisions of applicable securities legislation. For example, pursuant to the applicable provincial securities legislation, a person is typically deemed to be acting jointly or in concert with an “associate” for the purposes of assessing triggers under insider and early warning reporting as well as in respect of control positions and take-over bid thresholds.
- “Associate” is defined under that legislation as including any relative that lives in the same home as a person, and any person that lives in the same home that is a spouse or equivalent. According to the respondent, a client or prospective client may be deemed to fall within one of these categories, although not appearing to be so of their own accord. The respondent has to ensure that it is meeting any resulting reporting or order market obligations, as well as not facilitating inappropriate trading.
- Furthermore, as stated in the “Legal Requirements” section of IIROC’s Brochure, a spouse’s occupation is required under securities laws because an applicant must advise its advisor and firm if they or their spouse is legally defined as an insider or control person of a publicly traded company, or is a partner, director, employee affiliate or associate of an investment firm. In order to collect spousal occupation information, the respondent first determines the marital status of an applicant.
Application
- In making our findings, our Office applied subsection 5(3) of Part 1 of the Act, and Principles 4.2, 4.3.3 and 4.4 of Schedule 1 of the Act.
- Subsection 5(3) stipulates that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate under the circumstances.
- Principle 4.2 stipulates that the purposes for which the personal information is collected shall be identified by the organization at or before the time the information is collected.
- Principle 4.3.3 states that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
- Principle 4.4 stipulates that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization.
Analysis
Requiring Consent for the Collection of Information Beyond What is Required
Explicitly Specified Purposes
- In determining whether there has been a contravention of Principle 4.3.3, our Office must first determine whether the purposes for which the respondent collected the personal information were explicitly specified, as required by Principle 4.2.
- The respondent informed both the complainant and our Office that the Requested Information was required for the purpose of compliance with IIROC’s KYC requirements, as well as compliance with AML requirements and securities laws. The Brochure provided to the complainant also described the information a Dealer Member is required to collect and why that information is necessary. As a result, in our view, the respondent did identify its purposes for the collection of the Requested Information.
Legitimate Purposes
- Second, our Office must consider whether the purposes of collecting the Requested Information are appropriate, as required under subsection 5(3).
- National Instrument 31-103 requires Dealer Members to conduct reasonable due diligence and collect sufficient information to satisfy IIROC’s KYC requirements.
- As a recognized SRO to regulate investment dealers, IIROC has enacted Dealer Member Rules requiring Dealer Members to learn and remain informed of essential facts relative to each of its customers.
- Moreover, AML requirements under the PCMLTFA and securities laws require the establishment of a monitoring program to determine whether a transaction is suspicious, needing an understanding of a customer’s financial position, whether it is dealing with a politically exposed foreign person or a prescribed family member thereof, needing information about marital status and spouse’s occupation and whether it is dealing with an insider or control person of a publicly traded company or a person closely associated with an investment dealer.
- Our Office is of the view that a reasonable person would consider the collection of information for the purpose of complying with the KYC requirements, as well as AML requirements under the PCMLTFA and securities laws, as being appropriate in the circumstances.
- From the outset, our Office is of the view that ensuring compliance with IIROC requirements, as well as any applicable AML requirements or securities legislation, as being legitimate in the circumstances. A number of regulatory and legislative requirements apply to securities dealers, even when they are not offering specific investment advice, and securities dealers must undertake the necessary precautions to ensure compliance with such requirements.
More Information than Necessary to Achieve the Purpose
- Next, our Office must considered whether the respondent is requiring more information than necessary to achieve the purpose of compliance with KYC requirements, AML requirements under the PCMLTFA and securities laws, as a condition of service. At issue is whether all the Requested Information is required to achieve that purpose. In our view, the Requested Information was required by the respondent in order to meet applicable regulatory and legislative requirements.
- The non-exhaustive categories of information set out in the Dealer Member Rules and Form 2 include, among other items:
- marital status,
- spouse’s occupation, and
- net worth (net liquid and fixed assets)
- IIROC Notice 12-0109 highlights that IIROC Dealer Member Rule 1300.2 requires that each account be opened pursuant to a new account application form which includes, at a minimum, the collection of applicable information required by Form 2.
- The personal information requested from the complainant by the respondent tracks the information identified in Form 2. In light of IIROC’s responsibilities to regulate investment dealers, and given the approval of the Dealer Member Rules by the provincial securities commissions, notably those related to KYC requirements, our Office accepts that the respondent appropriately required the Requested Information in the circumstances.
- The self-directed nature of the complainant’s investment account with the respondent does not eliminate the respondent’s responsibility to comply with IIROC’s requirements. As noted in the Brochure, such responsibility “applies whether or not the trades are the result of recommendations by the firm's staff.”
- As well, our Office is satisfied that the Requested Information is also required in order for the respondent to meet its obligations under the PCMLTFA and provincial securities laws. Namely, the collection of an applicant’s net worth, marital status and his or her spouse’s occupation would be required to either identify suspicious transactions based on a dealer’s knowledge of a client, determine if the respondent is dealing with a politically exposed foreign person or a prescribed family member thereof, determine whether an individual could be deemed an “associate” of a client, or identify whether a client or their spouse could be considered an insider trader for the purposes of securities legislation.
Conclusion
- Our Office concludes that the Requested Information collected by the respondent is required to fulfill specified and legitimate purposes and that the respondent is not collecting more information than is required in the circumstances. Accordingly, the allegation that the respondent requires more information than necessary as a condition of service is not well-founded.
Footnotes
- Date modified: