Public Consultation on Strengthening Canada’s Anti-Money Laundering and Anti-Terrorist Financing Regime
Submission of the Office of the Privacy Commissioner of Canada (OPC) to Finance Canada
August 10, 2023
Erin Hunt
Director General, Financial Crimes and Security Division
Financial Sector Policy Branch
Department of Finance Canada
90 Elgin Street
Ottawa ON K1A 0G5
Dear Erin Hunt,
Subject: OPC Response to Public Consultation on Strengthening Canada’s Anti-Money Laundering and Anti-Terrorist Financing Regime
I appreciate the opportunity to provide comments to Finance Canada on the Consultation Paper (“the Consultation Paper”) which examines how Canada’s Anti-Money Laundering/Anti-Terrorist Financing Regime might be strengthened. I note that results from this consultation will inform the Parliamentary Review of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, as required every five years under section 72(1) of the Act.
The OPC has had a longstanding interest in, and engagement with, Canada’s AML/ATF regime. Privacy Commissioner Bruce Phillips appeared before the Senate in 2000 to comment on the legislation that created the regime; the OPC has participated in the five-year review of the PCMLTFA in 2005; and Privacy Commissioner Jennifer Stoddart appeared before the Senate in 2006 on legislation which expanded the Act. In 2011, the OPC commented on proposed Regulatory amendments on Ascertaining Identity and the following year, provided our input on another Consultation Paper from Finance Canada on the AML/ATF Regime as a whole. Our latest consultative engagement on this matter occurred in 2018 when we shared our views on amending Certain Regulations Made Under the PCMLTFA. We look forward to participating in the next Parliamentary Review, expected in the coming months.
While the Consultation Paper presents an extensive list of issues and consultation questions, I have confined our engagement to what we view as the most critical privacy issues, addressed largely in the order in which they were presented. I welcome the opportunity to elaborate on any of what follows, and thank you again for the opportunity.
Lara Ives,
Executive Director, Policy, Research and Parliamentary Affairs
30 Victoria Street, 1st Floor
Gatineau QC K1A 1H3
OPC Comments
Protection of Privacy Rights
Certain aspects of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) are inherently privacy invasive. We were therefore pleased that the Consultation Paper identifies privacy protection as a foundational aspect of Canada’s anti-money laundering and terrorist financing (AML/ATF) regime. Far from reducing the effectiveness of this regime, treating privacy as foundational will enhance its effectiveness by lending credibility to both FINTRAC specifically, and to the regulation of the financial sector in general. The clearest way to ensure that the PCMLTFA respects privacy is to apply a proportionality lens to all aspects of the regime. Combatting money laundering and terrorist financing is obviously an important government objective. To satisfy proportionality, however, measures adopted in furtherance of that objective must be effective enough to justify any intrusion into privacy. Proportionality also requires that measures infringe on privacy as minimally as possible to achieve their objective. With this in mind, the OPC has consistently encouraged the government to adopt a risk-based approach in the PCMLTFA – one that minimizes the risks of over-collection, and of retaining information of law-abiding individuals.Footnote 1 By adopting proportionality as a touchstone for your review of the PCMLTFA, you will not only protect privacy but will also improve the overall functioning of the anti-money laundering and terrorist financing regime by avoiding ineffective regulatory measures.
Oversight is another critical feature of privacy protective laws. In this regard, the Consultation Paper highlights the OPC’s Parliamentary review function under subsection 72(2) of the PCMLTFA. In addition to that, the OPC also investigates complaints and receives and reviews information about certain disclosures under both the Privacy Act and Personal Information Protection and Electronic Documents Act (PIPEDA). While OPC oversight has been effective to a point, we would like to highlight a few features of the anti-money laundering and terrorist financing regime that have challenged our ability to provide meaningful oversight.
An area that merits consideration is the OPC’s role in reviewing certain refusals to access requests under PIPEDA, specifically those based on the objections of government institutions (such as FINTRAC). Section 8 and clause 4.9 of Schedule 1 of PIPEDA provide individuals with a right of access to their personal information under the control of a (private sector) organization. Access requests will sometimes relate to personal information that an organization has disclosed to a government institution. PIPEDA contains several authorities for the disclosure of personal information to government institutions without the knowledge or consent of the individual to whom the information relates.
For example, paragraph 7(3)(c.2) authorizes disclosures to FINTRAC as required by section 7 of the PCMLTFA. When an organization receives an access request related to information it has disclosed to a government institution it may be required by subsection 9(2.2) of PIPEDA to notify that organization before it processes the request. Once notified, the government institution can object to the organization granting access on the grounds listed in subsection 9(2.3) of PIPEDA. These include that complying with the access request could reasonably be expected to be injurious to the detection, prevention or deterrence of money laundering or financing of terrorist activities. Where an organization receives an objection from a government institution, it is required under subsection 9(2.4) of PIPEDA to refuse access. The organization is also required to notify the OPC.
However, PIPEDA does not prescribe the content of notifications under subsection 9(2.4). In practice these notifications can lack sufficient detail for the OPC to meaningfully assess the merit of the decision by the government institutions to object to access. For example, some of the notifications we have received did not even specify the government institution to which a disclosure of personal information was made. This lack of detail significantly hampers the OPC’s ability to assess whether government institutions such as FINTRAC are appropriately exercising their discretionary authority to object to access.
As you review the AML/ATF regime we encourage you to explore ways to improve upon the quality of the information that the OPC receives with respect to refusals to grant access under PIPEDA that are based on the objections of FINTRAC or other government institutions. For example, you may wish to consider whether the reporting requirement on private sector organizations under subsection 9(2.4) of PIPEDA could be augmented with a corresponding reporting requirement on government institutions.
Beneficial Ownership Registry
The Consultation Paper calls for the government to commit to a collaborative, harmonized approach to the collection and reporting of beneficial ownership information, while respecting our provincial and territorial responsibilities for corporations. This would address a perceived lack of access by authorities to beneficial ownership information which represents a potential gap in the AML/ATF Regime. This is consistent with the High-Level Principles on Beneficial Ownership Transparency, developed at a G20 leaders summit in Australia in 2014, one of which requires members to:
“[…] ensure that competent authorities (including law enforcement and prosecutorial authorities, supervisory authorities, tax authorities and financial intelligence units) have timely access to adequate, accurate and current information regarding the beneficial ownership of legal arrangements.”Footnote 2
There appears to be an appetite for moving forward on creating a beneficial ownership registry. At time of writing, Bill C-42 – An Act to amend the Canada Business Corporations Act and to make consequential and related amendments to other Acts, which proposes such a registry, has received First Reading in the Senate. We are also aware of recent legislative changes in Quebec and British Columbia to implement registries in their respective jurisdictions, which include privacy protection that could serve as a model to emulate. These protections include excluding the personal information of minors, and implementing processes for subjects to have their information removed where there may be safety considerations.
Of note is a recent decision of the Court of Justice of the European Union which found that the EU public beneficial ownership registry was not strictly necessary or proportionate and that access to the general public interfered with Article 7 and 8 EU Charter rights.Footnote 3 While the Court struck down the public access to the beneficial ownership registry, it found that some groups did have a legitimate interest in the registry, including journalists, civil society organizations, and AML/ATF organizations. This is similar to what the Canadian Bar Association has said regarding Bill C-42: “…the general public should not be granted unfettered access to personal and sensitive information in the beneficial ownership registry. Individuals should demonstrate a ‘legitimate interest’ to access the registry. This could include journalists, researchers, and civil society organisations, upon application.”Footnote 4
That said, there may be merit in taking into consideration what the courts in Europe have found and what the Canadian Bar Association has suggested when contemplating privacy options for a public beneficial ownership registry. In our view, any efforts to expand collection, use, and/or disclosure in the context of a beneficial ownership regime must take into consideration necessity and proportionality and include mechanisms to identify and mitigate any privacy risks. The government should ensure that, if such a registry is developed, mechanisms are put in place to determine risks to privacy. The development of a Privacy Impact Assessment (PIA) is a good first step in this regard; we would welcome the opportunity to share our expertise.
Access to Subscriber Information/Electronic Devices
The Consultation Paper proposes adding several new criminal investigative powers of general application to the Criminal Code. Before considering these, we would like to share an overarching recommendation: where possible, investigative powers should be carefully tailored to the specific investigative context for which they are intended. Enacting tailored, context-specific criminal investigative powers will allow for the establishment of more precise privacy safeguards. Narrowly defined investigative powers furthermore help avoid unanticipated uses. Should an unanticipated investigative need arise, the Criminal Code already contains broad investigative powers (with appropriately higher investigative thresholds), such as the general warrant in section 487.01 and the general production order in section 487.014.
Having said that, we are interested to hear more from the government about the proposal in the Consultation Paper to amend the Criminal Code to include an order for subscriber information. This proposal is consistent with the core finding from the Supreme Court’s decision in R. v. Spencer, 2014 SCC 43 (CanLII) that subscriber information can attract a reasonable expectation of privacy. The Spencer decision makes it clear that judicial pre-authorization is a minimal requirement for access to basic subscriber information in criminal investigations. In addition to judicial pre-authorization, incorporating the following features into an order for subscriber information would help strike the appropriate balance between privacy and law enforcement interests:
- Use of a well-known, judicially recognized investigative threshold such as "reasonable grounds to suspect", or, if more sensitive information is sought, "reasonable grounds to believe". Use of one or both of these investigative thresholds would promote greater certainty as to what level of evidence is required to obtain judicial authorization to access basic subscriber information. This is furthermore consistent with the OPC’s recent appearance before the Senate Committee on National Security and Defence concerning Bill S-7, An Act to Amend the Customs Act and the Preclearance Act, 2016.Footnote 5 In it, we recommended against the novel standard of "reasonable general concern" for searches of digital devices at the border. Considering the diminished expectation of privacy at the border, we instead recommended the standard of ‘reasonable grounds to suspect’. Although Bill S-7 has not yet received Royal Assent, we note that the Senate ultimately accepted our recommendation.
- Inclusion of transparency-related measures such as internal and external audits, regular public and/or Parliamentary reporting requirements, and notification of individuals whose personal information is disclosed. These measures would help mitigate the adverse privacy impacts of this proposal. Note that some of these measures were proposed in former Bill C-52, An Act regulating telecommunications facilities to support investigations, which was introduced in November 2010 but did not pass second reading in the House of Commons. Among other reasons, we were critical of Bill C-52 because it would have allowed warrantless access to basic subscriber information. That said, Bill C-52 would have mandated regular internal and external audits of law enforcement (including by the OPC), as well as Parliamentary reporting, which are privacy-protective measures. In addition to audit measures applicable to law enforcement, we encourage the government to consider establishing transparency-related requirements such as audits for telecommunications service providers.
- Inclusion of statutory use limitations with respect to basic subscriber information. Limiting secondary use is a widely accepted privacy safeguard that can help defend against systemic uses of basic subscriber information outside of the purpose for which they were obtained. Along these lines, former Bill C-52 contained a provision limiting use of basic subscriber information to the purpose for which it was obtained or a consistent purpose. We urge the government to consider including a comparable provision in any basic subscriber information authority. In addition to limiting secondary uses, Bill C-52 would also have limited the basic subscriber information request power to “designated officers”. The government should explore the merit of a limitation along these lines, or other internal controls on the use of this power.
Other investigative powers
The Consultation Paper proposes other investigative powers for inclusion in the Criminal Code but does not provide much detail about the rationale for these proposals. For example, citing subsection 11(5) of the Controlled Drugs and Substances Act, and subsection 87(5) of the Cannabis Act as precedents, the Paper proposes amending the search warrant provision in section 487 of the Criminal Code to explicitly authorize a peace officer executing a search warrant to search any individual who is present at the site specified in the warrant for items (including electronic devices) that are listed in the warrant. The stated objective of this proposal is to explicitly allow for the seizure of electronic devices that are located on an individual present at the site where a search warrant is being executed. The Consultation Paper notes that a separate warrant would still be required to actually search the contents of any electronic device that is seized. We note, however, that personal devices reveal sensitive information even without a search.
Furthermore, irrespective of whether they are purposively limited to uncovering items listed in a search warrant, searches of the person represent a significant invasion of privacy. They have the potential to engage bodily autonomy. With this in mind, Canadian courts have consistently held that personal privacy is deserving of special protection under the law (see, for example, R. v. Dyment, [1988] 2 S.C.R. 417; R. v. Tessling, 2004 SCC 67). Furthermore, despite the purposive limitation of this proposal, when combined with the common law plain view doctrine as well as the statutory plain view provisions in section 489 of the Criminal Code, a personal search power could result in the seizure of a broad range of evidence that is not specified in the search warrant. While there may be authorities to engage in this type of personal search in the Controlled Drugs and Substances Act and the Cannabis Act, they should only be imported into the broader criminal law if they are both necessary from an investigative standpoint, and proportional to the significant invasion of privacy.
The Consultation Paper also proposes a “keep open regime” whereby financial institutions could be ordered, or perhaps merely provided with the authority, to keep a personal financial account open at the request of law enforcement. We appreciate that the paper emphasizes the importance of privacy protectiveness. With this in mind, we would like to flag that even if a “keep open” regime does not actually entail any disclosure of personal information to law enforcement, it has the potential to be a highly privacy-invasive tool. For example, a “keep open” request would effectively amount to disclosing that a particular account holder may be implicated in criminal activity. There may furthermore be unintended financial and other consequences (e.g. implications for joint account-holders, credit implications, etc.). Therefore, as it considers the merit of enacting a “keep open regime”, we recommend that the government carefully consider the potential for adverse consequences for individual account holders. Should the government adopt a “keep open” regime, it is critical that privacy safeguards, such as use limitations, time limits, record keeping and reporting requirements, be incorporated.
Politically Exposed Persons (PEPs)
The PCMLTFA requires reporting entities to undertake certain kinds of reporting for Politically Exposed Persons (PEPs) or Heads of International Organizations (HIOs).Footnote 6 The Consultation Paper solicits input on whether the federal government should develop a database of domestic and foreign PEPs, HIOs and family members of both, and, if so, what privacy considerations could be in play.
Section 9.3 of the PCMLTFA requires that reporting entities that identify politically exposed persons shall make this determination in the manner outlined in Regulations; that is, by taking “reasonable measures” to determine whether a person is a PEP. FINTRAC has issued guidance to the effect that such a determination is not simply a review of certain tombstone information:
“While a name match is a fact, it is not necessarily a fact that constitutes reasonable grounds to suspect that an existing client is a PEP, HIO, or family member or close associate of a PEP or HIO. As a best practice, you could apply additional criteria (for example, address, date of birth, age, transaction activities, etc.) to a name match, to meet the reasonable grounds to suspect threshold.”Footnote 7
A PEP database would, presumably, include some of this additional information. In the absence of specifics, it is unclear what personal information may be involved, to what extent privacy principles such as limiting collection have been considered, and how the information would be safeguarded. We would expect that any database would include mechanisms to meet FINTRAC’s obligations under PIPEDA, including the capacity to address accuracy in cases of status change, or challenging compliance in cases where an individual’s information was added or retained in error. We recommend that FINTRAC ensure that privacy best practices are built into the development of any such database, including deployment of access restrictions, conduct of periodic audits for data quality, establishment of ongoing threat risk assessments and penetration testing. We would welcome the opportunity for my officials to be engaged as this initiative takes shape.
Collecting Publicly Available Personal Information
Subsection 54(1)(b)(i) of the PCMLTFA currently authorizes FINTRAC to collect publicly available information – including datasets from commercially available sources – if it considers it relevant to AML/ATF activities. However, the Consultation Paper stresses that “acquisition and analysis” of databases of this information is not “expressly allowed” under the law, so that datasets useful to support analysis cannot be accessed or may be limited to a search-by-search basis. The Consultation Paper questions whether expanding FINTRAC authority to collect publicly available information, commercially available datasets and government-accessible datasets raises privacy considerations; we believe that it would.
Privacy risks from collection of publicly available personal information
As more and more routine activities take place wholly in the digital sphere, it becomes unclear when personal information posted online is (or is not) “publicly available”. In the OPC’s 2021 submission on the Access to Information Act, we observe that modern technologies also produce metadata, inferences, and patterns about our daily routines, further complicating what is, or is not, personal information.Footnote 8 We have seen an increasing interest on the part of law enforcement and security agencies to leverage the ability of commercial firms to collect, analyze, process, and repackage publicly available personal information.Footnote 9
Some third party developers create and enable new software tools such as facial recognitionFootnote 10, while others collect and repackage personal information specifically for use by public-sector organizations.Footnote 11 The global marketplace for commercial data re-sellers and brokers was recently estimated at $365 billion, and is dominated by firms from jurisdictions like the US with a lengthy industry history of credit agencies and information services firms.Footnote 12 This is a lucrative, and growing, industry. In the past decade, more of these firms have begun to harvest publicly available personal information in bulk (e.g., geo-location data, transactional data, etc.) which are then used to augment or “enrich” government databases.
In Canada and the US, this has proven a controversial practice, as vendors like Palantir, Clearview AI, and others have taken a very generous interpretation of what personal information they can legally collect from individuals (or acquire, repackage, and resell from third-party intermediaries).Footnote 13 In the OPC’s 2021 Special Report to Parliament on the RCMP’s use of Clearview AI, for example, we found that the RCMP accessed datasets to screen people against the company’s databank of billions of records, scraped from publicly available websites.Footnote 14 We concluded that this represented a breach of the Privacy Act, effectively amounting to unlawful surveillance.
There is a growing trend for federal agencies to propose widescale collection of information via social media monitoring. In 2020-2021, for example, we reviewed a PIA and completed a consultation engagement with Immigration, Refugees and Citizenship Canada (IRCC) on their social media monitoring activity, in which social media platforms are scraped to collect data on posts and commentary relevant to the department’s mandate, policies, and activities. We recommended that IRCC ensure measures are in place to minimize the collection of personal information from such sites to that which is clearly necessary for legitimate government business and the stated purposes of the program.
The OPC has provided similar advice to other institutions engaged in similar activities, as government interest in accessing or monitoring publicly available information sources has grown. It should be noted that section 4 of the Privacy Act restricts federal institutions from collecting personal information that is not directly related to an operating program or activity. There is no exemption for commercial or public availability.Footnote 15
Current Legislative context
We would therefore encourage the government to take a cautious approach to this aspect of FINTRAC data gathering, recalling the OPC’s previous findings and/or recommendations in this context.Footnote 16 At present, “publicly available” is an undefined term in both the Privacy Act and the Access to Information Act (ATIA), yet that forms the basis for an exception – allowing for disclosure of personal information.Footnote 17 Given that both those statutes have quasi-constitutional status, proposed modifications being contemplated for FINTRAC specifically should address that broader context.
In 2020, the Department of Justice published a discussion paper on modernizing the Privacy Act, which proposed an updated framework for the use of publicly available personal information, including defining personal information as “publicly available” in three instances:
- When it has been made manifestly public by the individual the information relates to;
- When it is broadly and continuously available to all members of the public and the individual has no reasonable expectation of privacy in the information; and
- When another act of Parliament or a regulation requires the information to be publicly available.Footnote 18
In the OPC’s March 2021 response to this paper, we agreed that such a definition is overdue, but that amendments should balance rights of access with privacy, given that both underpin government transparency and accountability. Furthermore, we recommended that any definition of “publicly available” (as a category) should explicitly exclude personal information where an individual has a reasonable expectation of privacy.Footnote 19
An ideal solution would be for the Privacy Act to include a clear definition of “publicly available personal information”, which considers context, the reasonable expectation of privacy, accessibility of information, including with new technologies, and the collecting organizations’ obligations for accuracy, currency, and completeness. These same principles should guide current considerations as Finance Canada considers broadened authorities for FINTRAC under the PCMLTFA.
To fulfill its mandate, FINTRAC receives tens of millions of records every year.Footnote 20 The scope of their collection activities – and those of other government agencies in the intelligence contexts – adds considerable complexity to the privacy analysis undertaken when the ATIA and Privacy Act were first enacted. The PCMLTFA gives FINTRAC the authority to “collect information that the Centre considers relevant to money laundering activities or the financing of terrorist activities and that is publicly available, including in a commercially available database”.Footnote 21 That is broad, particularly when combined with a discretionary collection threshold of “potential relevance” as determined by FINTRAC itself.Footnote 22 We recommend that Finance Canada give due consideration to that latitude before expanding it further.
Information Sharing — private sector
The Consultation paper notes that the government is exploring options to enhance information sharing within the private sector in order to identify and disrupt money laundering and terrorist financing activities. It further notes that other jurisdictions have a more permissive information sharing framework, and that exceptions to consent in S. 7(3)(d.1) and (d.2) of the Personal Information Protection and Electronic Documents Act (PIPEDA) may be too restrictive. What is proposed instead is the introduction of a safe harbour provision to facilitate private sector organizations to share information amongst each other and to increase sharing of information between FINTRAC and reporting entities.
Certain jurisdictions, such as the United States and United Kingdom, have implemented safe harbour provisions which contain a number of guardrails and safeguards, including conditions for when and how and in what circumstances safe harbour can apply. They also contain limits on the collection, use and disclosure of information, and outline notification and reporting requirements prior to being able to participate in a safe harbour program. Should the government decide to implement a safe harbour, these models can prove useful for lessons learned. We welcome the opportunity to engage further on privacy risks and mitigations at any discussions concerning a safe harbour.
The Consultation paper also notes that the government is seized with enhancing information sharing between FINTRAC and the private sector, and whether FINTRAC should be provided with additional powers to request information from reporting entities, and what that information might be. If such expansions are being contemplated, we recommend FINTRAC engage with us in order to identify and mitigate privacy risks by undertaking a PIA.
Information Sharing — within federal agencies
The Consultation Paper proposes to widen the scale and scope of information being shared across federal agencies. That model would alter an important protection that has been in place since the regime was first established; numerous sections of the PCMLTFA place limits upon the amount of information that FINTRAC could provide to law enforcement and other authorities.Footnote 23 During Parliament’s initial review of the Act, the Parliamentary Secretary to the Minister of Finance stated that:
“… collection, use, and disclosure of information by the centre will be strictly controlled. Only a specified, limited amount of information reported to the centre will be passed to the police and other designated agencies, and only under specified conditions. The information that can be disclosed is limited to key identifying information, such as the name of the client, the account number involved, the amount and location of the transaction, and other similar information. Law enforcement authorities will be required to build a case for prosecution purposes and obtain a court order for disclosure before any further information could be passed on.” Footnote 24
While expanding collection and sharing of information may prove useful to identify crime, appropriate privacy safeguards remain crucial to ensure the regime is necessary, reasonable, and proportionate. To mitigate that concern, across both government institutions and reporting entities, a risk-based approach should be adopted to minimize risks of over-collection, inaccuracy, or bias. With respect to disclosures by FINTRAC to other public bodies, while some limited decisions are subject to statutory or judicial review by the Federal Court, in most cases, an individual whose information is disclosed by FINTRAC will very likely never know that disclosure took place. This means that avenues for recourse, review and oversight are limited.
It is worth bearing in mind that many review organizations, including the OPC, that were established to oversee government institutions are complaints-based. However, in the AML/ATF context, a complaint-based regime breaks down when individuals have difficulty substantiating issues or raising concerns about sharing or overcollection of their personal information when they have no way of knowing whether either had occurred. Furthermore, while the National Security Intelligence Review Agency (NSIRA) has jurisdiction to examine the activities of federal departments and agencies involved in national security (like FINTRAC), NSIRA will not review those activities as they relate to domestic law enforcement (i.e., money laundering), which results in a potential accountability gap.
Any expansion of information-sharing between FINTRAC and other federal public sector departments and organizations will necessitate regular, robust, and comprehensive review, given the oversight limitations and gaps summarized above. Other information-sharing legislation enacted at the federal level should also be taken into consideration, such as the Security of Canada Information Disclosure Act (SCIDA) which was enacted in 2015 to address many of the same risks and concerns (e.g. terrorism and foreign interference) enumerated throughout the consultation paper.Footnote 25 FINTRAC is explicitly one of the security and intelligence organizations empowered to share and receive information under SCIDA. As a result, understanding the limitations of that regime should likely be considered before expanding other information-sharing initiatives.Footnote 26
Finally, we would like to draw attention to an innovative undertaking which may prove useful as this issue is being considered. The Bank for International Settlements (BIS), an association of Central Banks (including the Bank of Canada) from across the globe whose mission it is to support financial stability, recently completed a Proof of Concept (“Project Aurora”) that investigated the deployment of privacy-enhancing technologies, including the use of synthetic data for the detection of complex money laundering schemes.Footnote 27 The BIS undertook this project to find new ways to explore how privacy-enhancing technologies can be used effectively to address modern day anti-money laundering challenges. We applaud this innovative undertaking to meet AML/ATF objectives in a privacy-protective fashion, and suggest it could yield valuable lessons for Canada.
We also note that in July 2021, the Financial Action Task Force highlighted the importance of privacy‑enhancing technologies “…to enable multiple parties to interact meaningfully to achieve an application goal, without revealing underlying private information to one another or to third parties.”Footnote 28 We would recommend that FINTRAC consider this as a model for how public-to-public and public-to-private information sharing can be accomplished in as privacy‑sensitive a manner as possible. We look forward to working with FINTRAC to determine how such technologies can be adapted for the Canadian context.
Reporting Framework — Suspicious Transaction Reports (STRs)
The OPC recognizes the legitimacy of the government establishing anti-terrorism and anti-money laundering measures. Our preoccupation is, as always, that such measures be enacted in a manner that balances national security objectives with privacy imperatives. The reporting framework under the PCMLTFA provides the basis for FINTRAC to develop financial intelligence for Canada’s AML/ATF regime. The Consultation Paper discusses reporting entities’ obligation to submit various types of reports. Among them, it highlights suspicious transaction reports (STRs), which reporting entities must submit if there are reasonable grounds to suspect that a financial transaction that occurs or is attempted in the course of their activities is related to the commission or the attempted commission of a money laundering or terrorist financing offence.
The Consultation Paper highlights that having a non-monetary threshold for STRs “ensure[s] a flexible approach for covering all manner of suspicious transactions and attempted transactions” and STRs are “one of the most valuable and unique report types submitted to FINTRAC and is a valuable product for the development of financial intelligence.” On the other hand, the government recognizes the regulatory burden on the industry that reporting requirements create. Further, the government recognizes that reporting entities submit a large volume of reports annually to FINTRAC, possibly to avoid any financial sanctions should they fail to report, which can be severe.Footnote 29
In our previous audits, the OPC has identified problems with how STRs are reported and handled by FINTRAC. We found a number of STRs related to transactions that do not demonstrate “reasonable grounds to suspect” that they related to money laundering or terrorist financing activities. Examples from the OPC’s 2017 review:Footnote 30
- A client of a financial institution wrote a cheque for more than $20,000 to a close relative. The entity filed an STR because it did “not know the reason why the cheque was issued nor for such an amount.” No further information justifying the report was given.
- A number of individuals identified themselves with Middle Eastern passports during a real estate transaction. The reporting entity filed an STR. No further details or justification for suspicion were provided.
- We have also seen STRs that did not include any description of or justification to suspect money laundering or terrorist financing activities at all, which makes it difficult to assess whether the report met the threshold.
Our previous audit findings are instructive in this regard. In our 2009 report, we found that FINTRAC’s acquisition of information extended beyond its legislative authority. In the 2013 follow-up to that report, we determined that little progress had been made to address over-reporting.Footnote 31 In both cases, we recommended that FINTRAC work with reporting entities to ensure that it does not receive information it has no authority to receive. Furthermore, we recommended that FINTRAC implement front-end screening to ensure that information it should not have received is expunged from its databases. However, FINTRAC is of the view that it cannot conduct such front-end screening, and that it must keep whatever information is in its databases for ten years at minimum, regardless of whether it should have received that information or not.Footnote 32
According to a recent annual report, FINTRAC reported that out of 24.7 million records received that fiscal year, only 2,015 actionable disclosures took place (i.e., less than 1 in 10,000).Footnote 33 Yet all records are still retained, in some instances for up to 15 years. That raises risks for privacy and brings into question overall proportionality. In short, the PCMLTFA regime is a mandatory reporting scheme allowing government to access personal information for investigatory purposes, without judicial authorization, and without satisfying the standard requirement of reasonable and probable grounds. While sharing financial transaction data may indeed lead to the identification of threats, once information is analyzed and leads to the conclusion that someone is not a threat, it should no longer be retained. The most recent review, concluded in 2021, demonstrates that this issue has not yet been fully addressed.Footnote 34
While FINTRAC has implemented measures to validate incoming reports, we have previously recommended that FINTRAC continue its work in implementing front-end screening measures to minimize the receipt of unnecessary personal information. As you review the AML/ATF regime, we encourage you to explore ways to increase two-way communication between FINTRAC and reporting entities with a view to providing clearer direction and assistance with reporting obligations.
By ensuring that reporting entities are properly educated, have sufficient resources and clear guidance on the interpretation and practical application of the PCMLTFA and its regulations, the Government can reduce uncertainty around reporting obligations, and ensure accountability for the protection of individuals’ privacy. The government can consider a range of potential tools, such as engagement through outreach activities, promoting dialogue and transparency, and publishing and continually updating guidance products and tools. Another area that merits further consideration is whether the government could better support reporting entities by embedding clear obligations in the law to support the legal threshold of reasonable grounds to suspect. Especially as it considers expanding the range of entities obliged to report, the government can take steps to reduce the administrative burden by working with entities to ensure that they report only what meets the threshold of collection, and not more. Similarly, the government can enhance these entities’ regulatory compliance by requiring them to document their decisions properly and clearly. Overall, by limiting collection to what is necessary and lawful, the government can improve privacy practices and the value of intelligence for sharing purposes.
Exemptive relief for new technologies
The Consultation Paper notes that banks and financial services firms subject to AML requirements are continually adopting new business practices and technologies to detect money laundering and terrorist financing. Collectively, the banking sector spends billions of dollars annually on AML compliance.Footnote 35 Consequently, the Consultation Paper wishes to explore how a “nimble legislative and regulatory framework that allows experimentation of promising new business-enabling technologies, subject to appropriate guardrails, can further foster innovation and development of new tools and solutions aimed at increasing efficiency, effectiveness and/or burden reduction.”Footnote 36
That said, the paper stresses that any exemption from FINTRAC reporting requirements introduced into the PCMLTFA to allow for such industry experimentation would “only be contemplated under limited circumstances, with clearly defined parameters, checks, and balances.”Footnote 37 In order for the OPC to provide meaningful feedback, we would welcome further clarity on issues including:
- The precise scope of industries or sectors where new technologies are being contemplated;
- Whether the experimental technologies being referred to involve bulk cross-border data transfers, which could trigger specific extraterritorial data protection requirements;
- The involvement of third-party intermediaries in the disclosure and processing of data, which may invoke contractual requirements;
- The anticipated use of artificial intelligence and/or machine learning; and,
- How algorithmic ranking will factor into potential experimentation (and the “de-risking” of clients noted in the following section).
We recommend that FINTRAC work closely with us on any anticipated exemptive relief regime, to better define its precise scope. Given the OPC’s ongoing statutory oversight role in reviewing FINTRAC operations, our compliance function is closely attuned to the federally regulated banking and financial services sector. That regulatory role applies irrespective of particular technologies or businesses’ phases of experimentation, and creates compliance obligations wholly outside the PCMLTFA regime.
Alternatively, if the “novel tech” is the primary focus of amendments, and what is being envisaged actually refers to experimentation with Artificial Intelligence (AI) tools, we would reiterate recent commitments made by Canada at the G7 Ministerial level, namely, that AI-related laws, regulations, policies, and standards “should be human centric and based on democratic values, including the protection of human rights and fundamental freedoms and the protection of privacy and personal data”.Footnote 38
On partnerships between private and public institutions, and the longer-term implications of the Clearview AI case, institutions remain responsible for ensuring that third parties’ collection, use or disclosure of personal information is compliant with the law, before then assessing whether the institution’s activities are also compliant with the Privacy Act. Contracting out does not remove legal responsibilities from government institutions.
Similarly, if AI tools are used by reporting organizations in the financial sector to collect and process personal information, individuals should also be able to exercise their rights to access their personal information, rectify inaccurate personal information, and refuse to be subject to solely automated decisions with significant effects. The potential for data bias affects ancillary information generated by the AI, so machine content often reflects broader social bias. This also creates privacy risks for individuals.
In conclusion, at the level of general principles, when the related concept of “regulatory sandboxes” for novel experimentation involving personal information has been raised in other jurisdictions, our position has been to stress that privacy and data protection laws remain wholly at play (given that these are fundamental rights) and that experimentation needs to be tightly circumscribed. Again, we recommend that FINTRAC leverage the OPC’s expertise as this initiative takes shape.
Broadening of Canada’s AML/ATF Regime
FINTRAC collects data from a broad range of covered entities, including financial institutions, foreign exchange dealers, casinos, securities brokers, accountants, real estate companies and several other types of business. These entities must collect specified information and maintain detailed records on their clients’ identities and transactions, must report any dealing involving $10,000 or more, and must report any transaction when reasonable grounds to suspect money laundering or terrorist financing arise.
Over the past two decades, Canada’s AML/ATF regime has expanded in scope, depth, range, and justification. Beginning with the inclusion of money laundering in the Criminal Code in the late 1980s, Canada passed legislation in 2000 expanding reporting obligations beyond banks to include accounting, gaming, and the legal profession. Following the 9/11 attacks, the scope of the regime was broadened to include terrorist financing. In 2002, more detailed “know your customer” record keeping obligations were introduced. In 2006, new entities were made subject to the PCMLTFA, including real estate developers, currency exchanges and money services, as well as dealers in precious metals and gemstones. That same year, measures regarding the use of charitable organizations for terrorist financing were also enacted, broadening the Canada Revenue Agency’s authority to share information with FINTRAC, CSIS, and the RCMP.Footnote 39 In 2014, subject institutions were required to report on “politically exposed foreign persons” and members of their families. In 2021, new regulations expanded AML/ATF reporting requirements to chartered professional accountants and, in 2022, virtual currency / crypto-currency transactions and crowdfunding platforms.
The rationale and duration for information sharing has also broadened; originally conceived to address money laundering specifically, financial data in certain circumstances can be used to investigate and prosecute terrorist financing, tax evasion, false immigration claims and fraudulent charities. The period of data retention has lengthened since legislation passed in 2000 from five, then ten, and now to fifteen years in some cases.Footnote 40 The Consultation Paper proposes a further expansion of the scope of activities – to combat sanctions evasion, screen potentially harmful foreign investments, and counter economic security threats. We would recommend that this goal be carefully circumscribed by necessity and proportionality, supplemented by robust oversight mechanisms, including regular audits.
Conclusion
The work of intelligence agencies is necessarily secret; FINTRAC, as Canada’s financial intelligence agency, is no different. Given that, audits are critical accountability measures, which can give the public reassurance that their personal information is being handled in accordance with the law. We look forward to engaging further to ensure that any change or augmentation anticipated to the AML/ATF regime is undertaken in a manner which is circumscribed by necessity and proportionality, and we welcome the opportunity to expand on any of the issues raised in the context of this consultation.