The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) in Ottawa is receiving and holding on to too much personal information, and reporting entities such as securities dealers and other financial services organizations are not without blame, suggests a recent audit conducted by the Office of the Privacy Commissioner of Canada (OPC), also in Ottawa.
The audit, released in October as a followup to a previous one conducted in 2009, found that FINTRAC continues to receive and retain personal information outside its mandate. The extra information includes reports of deposits below the $10,000 threshold, suspicious transactions reports (STR) submitted without reasonable grounds and other information, such as social insurance numbers and health card numbers. In particular, FINTRAC had roughly 165 million reports in its database as of March 2012, according to the OPC.
The danger of retaining too much personal information, according to the OPC, is that it can inadvertently cast innocent Canadians in a negative light. “The mere fact of being in a database — that is, essentially, [being] under a cloud of suspicion,” says Chantal Bernier, assistant commissioner with the OPC, “is a violation to your right to privacy.”
FINTRAC is a financial intelligence unit reporting to the Department of Finance Canada. The centre was established in 2000 as part of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. Entities such as securities dealers, financial services entities and insurance brokers must report suspicious transactions to FINTRAC.
FINTRAC is not the only government agency holding on to too much personal information. Between April 2012 and March 31, 2013, the OPC received 2,273 privacy-related complaints about federal organizations from the public — 986 more than in the previous year.
Many of the complaints related to data breaches at Employment and Social Development Canada and Justice Canada. As well, the OPC recently completed an audit of the Canada Revenue Agency, which was the subject of multiple complaints. During that audit, the OPC found “weaknesses in key privacy and security practices that led to taxpayer information not being protected as it should.”
In response to the OPC’s audit, a statement from FINTRAC director Gérald Cossette says the centre accepts the OPC’s recommendations and is working toward changing its systems and processes, including segregating reports that do not meet the $10,000 threshold.
According to the OPC audit report, that process involves manually reviewing each report. Given the level of detail that reporting entities are expected to track and report for their high-risk accounts, Matt McGuire, national anti-money-laundering practice leader with MNP LLP in Toronto, finds it “ludicrous” that FINTRAC does not have the appropriate technology to identify easily and destroy reports based on whether the transaction reaches a specific monetary amount.
Education both of reporting entities and their employees is another key component to avoiding unnecessary information being sent to FINTRAC in the first place. Securities dealers and other financial services entities have a particular responsibility to educate their employees better regarding what should be reported to FINTRAC, Bernier says: “The issue starts with the reporting entities. They need to exercise greater care in providing the provisions of the anti-money-laundering regime.”
In fact, as Peter Lamey, a spokesman for FINTRAC, wrote in an email to Investment Execu-tive: “FINTRAC has a comprehensive outreach program in place that informs reporting entities of their obligations, and, through this program, provides guidance regarding information they are not required to report to FINTRAC.”
For instance, FINTRAC has a unit dedicated to managing its relationship with large financial services institutions. Other programs include sector-specific consultations and access to a reporting entities’ obligations on FINTRAC’s website, along with guidelines and interpretation notes. FINTRAC also participates in a biannual public/private-sector advisory committee together with financial services industry associations, regulators and law-enforcement partners.
But, despite these programs, the OPC report notes that there’s still confusion regarding how much to report. There’s a bias toward overreporting, says Bernier, by reporting entities out of fear of incurring substantial fines and possible jail time for underreporting.
As well, the OPC found at least one case in which FINTRAC failed to discourage a financial services institution from overreporting by arguing that the added information might be useful for intelligence or analytical purposes.
Although filing extra personal information with a report is a privacy risk, filing several reports on a client could pose other problems for a securities dealer. Part of the guidance on anti-money-laundering from Toronto-based Investment Industry Regulatory Organization of Canada includes the need for firms to outline criteria for determining whether they continue to deal with a client who has been reported to FINTRAC.
McGuire also notes that the Office of the Superintendent of Financial Institutions (OSFI) has stated in meetings that firms that report a client three times should have to justify why that person remains a client. “It’s a threat to your reputation to continue to report these things,” he says, “because what you’re essentially saying is ‘I suspect this [client] of money laundering’.”
To avoid overreporting, Mc-Guire adds, FINTRAC needs to provide reporting entities with clearer criteria for exactly what is reasonable grounds for submitting an STR, replacing the current list of indicators. IE