Privacy and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act for customer-facing employees

March 2012

Overview for point-of-service workers

Some organizations are required to collect information about clients and report it to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) in accordance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). However, these reporting requirements must always be balanced with customers’ privacy rights. This document outlines some basic information about Canada’s federal private-sector privacy law in relation to the PCMLTFA to help customer-facing employees better understand their privacy obligations.

What are my organization’s privacy obligations?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal private-sector privacy law. It applies to all personal information collected, used or disclosed in the course of commercial activities by private sector organizations, except in provinces with legislation that is deemed to be substantially similar to PIPEDA, such as Quebec, Alberta and British Columbia. PIPEDA regulates the collection, use and disclosure of personal information by businesses and other organizations and provides individuals with a general right of access to their personal information.

Even if your organization is subject to the PCMLTFA, it still must comply with PIPEDA.

How much personal information can I collect?

Organizations cannot indiscriminately collect personal information. PIPEDA states that organizations may only collect personal information that is necessary for their specified business purposes or required by legislation. For example, businesses in the financial sector may have “Know Your Customer” obligations that require them to collect specific personal information.

If you are collecting personal information for the purposes of complying with the PCMLTFA, make sure that you understand the legal requirements, and only collect what is required to comply with that Act.

What if I require an identity document to verify an individual’s identity?

In some situations, you may need to see or even record a customer’s identity document information to fulfill your organization’s legal obligations or for its business purposes. However, do not make a copy of an identity document unless it is required by law or it is needed for a legitimate business purpose. For identification purposes, the Office of the Privacy Commissioner of Canada also recommends that you avoid using a client’s:

• Health card - The information on health cards should only be collected in limited circumstances, such as when necessary or required by law. In fact, the use of a health card for identity purposes is prohibited or limited in certain jurisdictions; or
• Social Insurance Number (SIN) - Some private-sector organizations are required by law to request customers’ or employees’ SINs for income-reporting purposes; however, a SIN should not be used for general purposes of identification. FINTRAC also specifically instructs entities not to include SINs on any type of FINTRAC report.

Do I need customer consent to report personal information to FINTRAC?

In some circumstances, you do not need customer consent to report personal information to FINTRAC. For example, PIPEDA allows organizations to disclose personal information in a report to FINTRAC without the individual's knowledge or consent, provided the report is made in accordance with the requirements of section 7 of the PCMLTFA. Information about your organization’s personal information management practices should be clearly outlined in a privacy policy, including any requirements related to complying with the PCMLTFA. If you deal with customers, you should be familiar with your organization’s privacy policy and be prepared to explain it if you receive questions.

How can I ensure my reports to FINTRAC comply with PIPEDA?

If you are submitting personal information in reports to FINTRAC, it is your responsibility to know the requirements of PCMLTFA and submit only the personal information that is required to comply with that legislation. It is also important to verify that the information you submit is correct and up to date.

How do I respond to access requests about disclosures made to FINTRAC?

PIPEDA requires that upon request an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. However, there are exceptions. PIPEDA sets out specific requirements for responding to access requests involving personal information that has been disclosed to FINTRAC. Pursuant to these requirements, you could be prohibited from providing an individual with any information relating to a disclosure of personal information to FINTRAC. It is important that you know the PIPEDA requirements that relate to access requests of this nature.

If you are uncertain about how to respond to an access request about a FINTRAC disclosure, speak to the individual who is accountable for privacy in your organization. If your organization has an anti-money laundering officer, that person should be able to assist you as well.

For more details about PIPEDA and financial reporting responsibilities consult our question and answer document titled PIPEDA and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, which can be found at www.priv.gc.ca.

For more information about obligations for reporting entities subject to the PCMLTFA, visit the website of the Financial Transactions and Reports Analysis Centre of Canada: www.fintrac.gc.ca.