A new audit by the Office of the Privacy Commissioner of Canada reveals
that, despite commitments made by FINTRAC in the wake of a 2009 audit,
the agency continues to accept and retain personal information not
relevant to its mandate.
OTTAWA, Oct. 24, 2013 /CNW/ - The Financial Transactions and Reports Analysis Centre of Canada
(FINTRAC) has more personal information in its database than it needs,
according to an audit conducted by the Office of the Privacy
Commissioner of Canada (OPC).
The audit, which was tabled in Parliament today, followed up on
recommendations from a previous audit conducted by the OPC in 2009. It
found that FINTRAC needed to do more to ensure that the amount of
personal information it acquires is kept to an absolute minimum.
"While FINTRAC continues to have sound security controls, it has made
limited progress in addressing recommendations from our previous
audit," says Privacy Commissioner of Canada, Jennifer Stoddart. "This
is particularly disappointing, given that FINTRAC had previously
indicated that it was committed to finding new ways to limit the amount
of personal information it was accepting and holding."
FINTRAC is mandated by law to receive financial transaction reports and
voluntary information on money laundering and terrorist financing from
persons and entities in various sectors, which are subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). As of March 2012, FINTRAC's databases held approximately 165
million reports containing personal information related to financial
transactions, such as down payments for house and vehicle purchases,
wire transfers received by international students residing in Canada,
or funds sent by parents in Canada to children who are studying abroad.
Some of these reports may be submitted to FINTRAC without the knowledge
or consent of the individuals concerned.
Entities are required to report to FINTRAC large cash transactions or
electronic funds transfers of $10,000 or more, as well as any
transactions where there are "reasonable grounds to suspect" money
laundering or terrorist financing activities. However, the OPC's review
of the FINTRAC database revealed a number of examples of reports that
did not meet the $10,000 threshold, and reports that did not clearly
demonstrate reasonable grounds for suspicion and, therefore, should not
have been reported. For example:
• A young professional cashed three bank drafts worth almost US$100,000
purchased from a major Canadian bank. The organization that cashed the
drafts had confirmed the validity of the drafts with the issuing bank
but still filed a report because it felt that the amount of money did
not match the individual's age.
• An individual, who purchased a home from his childhood friend, released
the deposit directly to the seller instead of to the seller's lawyer.
The notary for the transaction opted to submit a report only because he
was unsure as to whether the transaction needed to be reported.
• A financial institution filed a report when a storekeeper deposited $570
in $100, $50, $20 and $5 bills without indicating why the transaction
was considered suspicious.
"Given the examples we found, I have serious concerns about the extent
to which FINTRAC's information holdings are populated with personal
information that should never have even been submitted," says
The audit found that FINTRAC had made some progress since 2009 in
addressing gaps that existed in its privacy management framework. For
example, it had implemented a privacy breach identification and
reporting protocol and expanded security awareness initiatives.
The audit recommended that FINTRAC analyze and assess incoming reports;
identify and dispose of information that it should not have received
and is not directly related to its operating programs and activities;
ensure that guidance issued by regulatory partners is consistent with
PCMLTFA requirements; and ensure that staff fully comply with its
security policies and procedures.
FINTRAC accepted all of the audit's recommendations and provided
responses as to how it intends to address them. Recently, FINTRAC has
informed the OPC it has taken additional measures to enhance compliance
with its security policies and procedures in response to a breach
incident that occurred earlier this year.
"FINTRAC has proposed some measures to address the deficiencies we
identified; however, there is more work to do," notes Commissioner
Jennifer Stoddart. "It still needs effective screening processes to
ensure it no longer receives and retains sensitive personal information
that it doesn't need."
The Office will be following up with FINTRAC in two years to evaluate
their progress on strengthening their privacy practices.
About the Office of the Privacy Commissioner of Canada
The Privacy Commissioner of Canada is mandated by Parliament to act as
an ombudsman and guardian of privacy in Canada. The Commissioner
enforces two federal laws for the protection of personal information:
the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to organizations engaged in commercial
activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan
and the Territories. Quebec, Alberta and British Columbia each has its
own law covering the private sector. Even in these provinces, PIPEDA
continues to apply to the federally regulated private sector and to
personal information in interprovincial and international transactions.
To view the audit report:
• 2013 Audit of the Financial Transactions and Reports Analysis Centre of
SOURCE: Office of the Privacy Commissioner of Canada
For further information:
Heather Ormerod, Office of the Privacy Commissioner of Canada
NOTE: Journalists are asked to please send requests for interviews or further information via e-mail.