Consultation Paper on “Strengthening Canada’s Anti-Money Laundering and Anti-Terrorist Financing Regime”

Submission by the Office of the Privacy Commissioner of Canada to the Department of Finance’s public consultation

March 2012

---

The Office of the Privacy Commissioner (OPC) of Canada appreciates the opportunity to comment on the Consultation Paper on “Strengthening Canada’s Anti-Money Laundering and Anti-Terrorist Financing Regime”.

The OPC has commented frequently on the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and on Canada’s anti-money laundering and anti-terrorist financing (AMLATF) regime. We appeared before the Senate in 2000 to comment on the legislation that created the regime; we participated in the five-year review of the PCMLTFA; and we appeared before the Senate to comment on Bill C-25 that significantly expanded the number of organizations covered by the Act and the types of transactions which are subject to scrutiny and reporting. In 2011, we commented on proposed amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations on Ascertaining Identity.

As a result of the passage of C-25 our Office was given a statutory mandate to conduct a biennial review of measures taken by the Financial Transactions and Reports Analysis Centre (FINTRAC) to protect information it receives or collects and report the results of such reviews to Parliament. We published our first review in 2009 – see http://www.priv.gc.ca/information/pub/ar-vr/ar-vr_fintrac_200910_e.cfm. We are now in the process of conducting our second review.

Beginning with our first appearance in 2000 commenting on Bill C-22, the Proceeds of Crime (Money Laundering) Act, we have consistently expressed a number of concerns about the regime:

• The legislation requires as many as 300,000 reporting entities to collect personal information over and above that needed for their business purposes and make subjective and speculative assessments based on the transactions of their customers and clients;
• FINTRAC collects significant amounts of information about individuals allowing it to create a comprehensive profile of an individual's life and behavior. As of March 31, 2011, FINTRAC had received more than 145 million reports from reporting entities;
• The threat of fines for failing to report creates an incentive to over report information. Our 2009 mandated review of FINTRAC found that FINTRAC received and retained information beyond its legislative authority. For example, we found cases of over reporting of Suspicious Transaction Reports (STRs) that did not meet the threshold of “reasonable grounds to suspect” that the transaction was related to money laundering or terrorist financing;
• The scope of the regime has expanded significantly since 2000 but it has been very difficult for our Office and for other observers to assess the seriousness of the problems that the legislation is intended to address, whether the changes that have been made to the regime were necessary, and the overall effectiveness of the legislation. In many cases, changes to the Act have been justified on the need to meet recommendations of the Financial Action Task Force (FATF) rather than on clearly articulated gaps in the legislation; and
• The regime is not transparent. The public has a limited understanding of the regime and individuals are unable to request access to their personal information held by FINTRAC.

As noted above, it is very difficult to assess the effectiveness of the regime. We appreciate that part of the challenge is a function of the illicit and hidden nature of money laundering and terrorist financing. Nonetheless, we were surprised that the “10-Year Evaluation of Canada’s Anti-Money Laundering and Anti-Terrorist Financing Regime”^{Footnote 1} did not directly address this issue. In terms of effectiveness, the most the Evaluation was able to say was that

“The Regime likely contributed to the creation of an environment that is hostile to ML/TF and/or that has been effective in deterring ML/TF and that has reduced the profitability of crime and the likelihood of terrorist activities.”

The Evaluation also concluded that, because of the lack of data, it was unable to report on changes over time in the number of investigations resulting in the laying of charges and/or convictions for ML offences.

The Evaluation recommends that the Department of Finance conduct a public opinion survey to determine the level of public awareness of the ML/TF threat and of the AML/ATF regime. We support this recommendation.

The PCMLTFA and PIPEDA

In addition to our mandate under the Privacy Act over federal government departments and agencies we also have a mandate under the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to all personal information collected, used or disclosed by organizations in the course of commercial activities, except in provinces with legislation that is deemed to be substantially similar to PIPEDA.^{Footnote 2} PIPEDA or substantially similar provincial legislation applies to most or perhaps all organizations that are required to provide information to FINTRAC.

PIPEDA and the substantially similar provincial acts impose a number of obligations on organizations and it provides individuals with a general right of access to their personal information.^{Footnote 3} In particular, PIPEDA requires organizations to limit collection of personal information to “that which is necessary for the purposes identified by the organization.”

While PIPEDA specifically allows organizations to collect, use and disclose personal information without consent as required by law, they are still required to limit their collection and disclosure of personal information. The PCMLTFA does not relieve them of this obligation. This puts organizations in the difficult position of trying to weigh their respective obligations under the two Acts.

However, since the PCMLTFA gives FINTRAC the authority to issue administrative monetary penalties for a failure to report, organizations have a strong incentive to err on the side of over reporting. Monitoring over reporting is difficult for our Office since we can only audit an organization under PIPEDA if the Commissioner “has reasonable grounds to believe that the organization is contravening” the Act. Over reporting by organizations subject to provincial private sector laws is completely outside our mandate.

This is an issue that needs to be addressed. The Government should consider options to address this problem.

The Consultation Paper

The Consultation Paper contains a significant number of proposals and asks for comments on a large number of issues. However, we are not in a position to comment meaningfully on many of these issues. For example, the Paper asks for comments from financial institutions “regarding the security features that have been included in electronically provided bank statements and that would assist with determining the authenticity of such a statement.”

We will focus our comments on four issues that raise privacy concerns.

Eliminating the Electronic Funds Transfers Threshold

Reporting entities are currently required to report to FINTRAC any electronic funds transfer (EFT) of $10,000 or more entering or leaving Canada.

Under Proposal 2.1, the Government is considering eliminating the $10,000 threshold. As a result, financial entities, casinos and MSBs would be required to report all EFTs entering or leaving Canada.

The Consultation Paper justifies this proposal by referring to the interim report of the Special Senate Committee on Anti-Terrorism and the final report of the Commission of Inquiry into the Investigation of the Bombing of Air India Flight 182. Both reports suggest that the $10,000 threshold may present problems in detecting cases of terrorist financing. The Air India Report suggests that

“Terrorist financing can involve much smaller sums than are typically involved in money laundering. ... Techniques that may work well to identify money laundering, such as a focus on transactions over $10,000, may not work as well to identify those transactions indicative of terrorist financing.” (Vol 1 pp 187-188)”

Eliminating the threshold on international EFTs would greatly expand the number of EFTs reported to FINTRAC. We would have expected the Consultation Paper to provide an estimate of the impact of this change, but it does not provide any information about the impact of eliminating the threshold.^{Footnote 4} We would expect that the impact would be enormous. As well, eliminating the threshold completely appears to go further than necessary to meet FATF recommendations.

 In a multicultural country like Canada, large numbers of recent immigrants regularly send money to family members and friends in other countries. The overwhelming majority of these EFTs would presumably fall well below the $10,000 threshold. As well, removing the threshold would also capture other benign EFTs such as transfers to children studying or travelling abroad.  

The rationale for lowering the threshold – to capture lower value transfers that may involve terrorist financing – highlights one of the problems of combining anti-money laundering and anti-terrorist financing provisions in the same legislation and using a one-size-fits-all approach to both regimes.

Even if there is a case for lowering the threshold to detect more terrorist financing, lowering the threshold would have a significant unintended consequence of capturing large numbers of harmless transactions. The Consultation Paper does not present any evidence to suggest the threshold needs to be lowered for anti-money laundering purposes.

Prepaid Access

The Consultation Paper discusses the potential money laundering and terrorist financing risks posed by prepaid access. Prepaid access is a broad term that includes retail gift cards, prepaid cards issued by financial institutions that can be used to withdraw funds from automated teller machines and mobile payment devices. According to the Consultation Paper,

“A financial product is considered prepaid access if it allows customers to load funds to a product that can then be used for purchases and, in some cases, access to cash or person-to-person transfers. Prepaid access does not include credit or debit products.”

The Paper identifies two broad types of risks: the anonymity of prepaid access and the ability to use a prepaid device to transport large monetary amounts less conspicuously than is the case with cash.

Two potential ways to mitigate the possible money laundering and terrorist financing risks posed by prepaid access are mentioned in the Paper (proposals 2.2 and 2.3):

• Imposing customer due diligence (CDD) requirements on the providers (retailers, payment networks or financial institutions) of prepaid access devices; and
• expanding the definition of monetary instrument for the purpose of cross-border currency reporting under the Cross-Border Currency and Monetary Instruments Reporting Regulations to include prepaid access.

The Paper does not elaborate on the potential scope of the first measure. Introducing CDD requirements would result in the increased collection of personal information. Given the popularity of prepaid cards as gifts and to pay for small purchases such as coffee, requiring providers to obtain identifying information would be a huge and intrusive undertaking. This would potentially extend CDD obligations to an even greater number of organizations – including retailers – and require them to collect personal information that they do not need for internal business purposes. This information would have to be stored in databases creating additional privacy risks. Finally, this would potentially create a mechanism to track individuals as they used their prepaid devices since CDD information would presumably have to be linked to specific prepaid cards or devices.

Based on our understating, imposing identification requirements for the purchase of prepaid communication devices has been very challenging in jurisdictions where this has been attempted.

The second suggestion, defining prepaid access as monetary instruments, would be less intrusive but it would also raise significant privacy issues, if this, for example, resulted in the searching of mobile devices when an individual crossed a border.

If the Government is convinced that it needs to address the risk created by the growth of prepaid access, we would strongly suggest that the Government consider measures that do not necessitate the collection of personal information, the creation of databases or intrusive searches.

An October 2010 FATF Report, “Money Laundering Using New Payment Methods” suggests that even without implementing

“robust identification and verification procedures ... the risk posed by an anonymous product can be effectively mitigated by other measures such as imposing value limits (i.e., limits on transaction amounts or frequency) or implementing strict monitoring systems.”

Expanding the Information Contained in FINTRAC Disclosures

One of the built-in safeguards in the legislation is that it limits the information that FINTRAC can provide to law enforcement and other authorities. During the House of Commons Finance Committee’s review of Bill C-22 in 2000, Mr Roy Cullen, the Parliamentary Secretary to the Minister of Finance, assured the Committee that

“the collection, use, and disclosure of information by the centre will be strictly controlled. Only a specified, limited amount of information reported to the centre will be passed to the police and other designated agencies, and only under specified conditions. The information that can be disclosed is limited to key identifying information, such as the name of the client, the account number involved, the amount and location of the transaction, and other similar information.”^{Footnote 5}

However, these safeguards have been gradually weakened as the Act has been amended to allow FINTRAC to share more information with more departments and agencies.

The Act was originally restricted to combating money-laundering. It was then expanded to deal with the very different problem of terrorist financing. It has since been expanded to allow FINTRAC to share information with the Communications Security Establishment to fulfill its mandate and with the RCMP, CSIS, the Canada Revenue Agency, the Canada Border Services Agency and Citizenship and Immigration to investigate and presumably prosecute, fraud, tax evasion and other offences.

Proposals 4.1 to 4.7 propose to expand further FINTRAC’s ability to share information:

• 4.1 proposes expanding the current list of designated information that FINTRAC can disclose to law enforcement and intelligence agencies;
• 4.2 would allow FINTRAC to increase the information provided in the intelligence products it provides under section 58 of the PCMLTFA, including identifying foreign individuals and entities;
• 4.3 and 4.4. would allow CBSA and FINTRAC to disclose additional information concerning charities;
• 4.5 would require FINTRAC to disclose information relevant to a money laundering or terrorist financing offence to the CBSA where it would also be relevant to an offence related to illegal exportations;
• 4.6 would require FINTRAC to disclose designated information to the CBSA where there would be reasonable grounds to suspect that it would be relevant for the purpose of managing the access of people and goods to and from Canada that pose a threat to national security; and
• 4.7 would allow FINTRAC to disclose information to a police force that would assist with an investigation for the purpose of preventing the death of, or imminent physical injury to, an individual.

The Paper provides very limited justification for these proposals. The main argument is that additional information would be useful for regime partners. The paper does not explain how this would be useful or what types of information would be useful. For example, the only rationale offered for proposal 4.7 is that “It is possible that information collected by FINTRAC could also assist with investigations where an individual’s life is in danger.”

Before further expanding the amount of information and the number of agencies to which the information can be provided, the Government should make a compelling case for these proposals.

If FINTRAC is given the ability to share more information with more organizations, the Government should consider increasing oversight of FINTRAC to ensure these disclosures are appropriate. One option would be to establish an independent process to review FINTRAC’s decisions to disclose.

Broadening the Requirement to Report Suspicious Transactions

The legislation currently requires reporting entities to report suspicious transactions and completed or attempted financial transactions that give rise to a suspicion of money laundering or terrorist financing.

This is one of the most troubling aspects of the Act since it requires reporting entities to make judgments about the motives of their clients and customers. We are not aware of any other legislation that imposes similar requirement on this scale. In 2010-2011, FINTRAC received almost 60,000 suspicious transaction reports.^{Footnote 6}

The Consultation Paper suggests that the PCMLTFA be amended to redefine a suspicious transaction to include an activity undertaken for the purpose of a financial transaction that gives rise to a suspicion of money laundering or terrorist financing. The Paper suggests that might include a situation where an account application was considered suspicious.

The paper suggests that this is a simple clarification. We are concerned that would this would increase the risk of over reporting. As discussed above we believe the Government needs to address the problem of over reporting before implementing new measures that would further exacerbate the problem.

Conclusion

As discussed above, we have a number of concerns about the privacy impact of the AML/ATF regime. The proposals contained in the Consultation Paper will only further these concerns.

We understand that money laundering and terrorist financing are serious problems and that Canada has international commitments to honour. The Consultation Paper points out, however, that the Canadian regime is in the top tier of FATF members in terms of compliance with the FATF standards. This suggests that Canada is already meeting or exceeding its international commitments.

We are concerned that Canada’s AMLATF regime is again being expanded without any clear assessment of whether these changes are needed to address domestic problems. We do not think that further changes to the PCMLTFA should be considered without more compelling evidence of the problems that need to be addressed and evidence that the proposed measures will be proportionate and effective.

We would also like to raise the issue of oversight. The Consultation Paper refers frequently to the Commission of Inquiry into the Investigation of the Bombing of Air India Flight 182 but it does not discuss one of the key recommendations of the Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar. Commissioner O’Connor recommended that the government extend independent review, including complaint investigation and self-initiated review, to the national security activities of several organizations including FINTRAC. While our audit role is important it is not a substitute for ongoing, effective oversight.