Deterring potential cases of fraud and the financial abuse of vulnerable clients just got a little easier. That’s a result of the Digital Privacy Act (DPA), which includes new regulations that create exemptions to the usual consent requirements mandated by Canada’s privacy legislation.
Financial advisors have always had the power to report cases of suspected financial abuse under securities regulations. However, recent amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) clarify what has been an ambiguous area in Canada’s privacy law.
Notes Molly Reynolds, an associate with Torys LLP in Toronto: “There is a public policy component there, where [the government is] trying to facilitate the protection of individuals who may be vulnerable to financial abuse.
“[The DPA also takes] some of the guesswork and some of the legal analysis out of [preventing financial abuse] and provides more clearly worded exemptions.”
The DPA came into force in June 2015, updating PIPEDA and adding several new topics to Canada’s privacy laws. Now 15 years old, PIPEDA sets out rules governing how private businesses can collect, use and disclose personal information during the course of normal operations. With a few provincial exceptions, both the DPA and PIPEDA apply to private-sector organizations carrying on business in Canada – not including the personal information of their employees. If the private-sector entity is federally regulated, as banks are, the legislation also applies to the personal information the firm collects about its employees. PIPEDA is enforced nationally except in provinces with substantially similar privacy legislation (notably Alberta, Quebec and British Columbia).
Under the DPA, financial advisors and their firms now may disclose personal information to the government, next of kin or an authorized representative of an individual when there are “reasonable grounds” to believe there is a case of financial abuse and that asking permission to disclose personal information would compromise an investigation.
The exemption makes approaching a third party, including the police, easier if financial abuse of a client is suspected. However, advisors should not feel that they have carte blanche to disclose a client’s personal information.
The legislation emphasizes that there must be reasonable grounds for an advisor to suspect there is a case to be made that a client is a victim of abuse.
Although there are a number of red flags signalling financial abuse, some of those flags “may go potentially higher up the flagpole than others,” says Ross McGowan, partner at Borden Ladner Gervais LLP in Vancouver and national chairman of the firm’s fraud law group.
For example, the transfer of large sums from a client’s account to a power of attorney (POA) without any apparent benefit to the accountholder is an obvious red flag.
In other cases, however, assessing the likelihood of abuse is likely to be more difficult. Although these signals may raise questions, they are not necessarily signs of abuse. McGowan gives the example of a client who is wheelchair-bound, and has a POA who sells wheelchairs. A transfer of $1,000 from the client’s account to the POA’s business as payment for a new wheelchair may cause an advisor to raise an eyebrow, but that is not a compelling argument that the client is the victim of financial abuse.
Similarly, advisors must be careful in how much of a client’s personal information they disclose, even if there are grounds to suspect financial abuse.
“The exemption itself is confined to the sole purpose relating to preventing or investigating the abuse,” says Patricia Wilson, partner with Osler Hoskin & Harcourt LLP in Ottawa. “If you disclose information irrelevant to that, you’re not qualified to do so using that exemption.”
Advisors and their firms must be able to provide the Office of the Privacy Commissioner of Canada (OPC) with sufficient documentation proving that a client is in fact the victim of financial abuse. An advisor’s compliance department can help in gathering proof by sitting in on meetings or phone calls.
Failing to prove that there are reasonable grounds or simply disclosing personal information without consent constitutes a breach of privacy under PIPEDA. If a breach occurs, the client can make a complaint to the OPC, which could lead to an investigation.
Depending upon the severity of the breach, financial services institutions could face consequences, such as court-ordered damages. These penalties typically are minor in nature, but could add up if there is a class action. There also may be unwanted publicity and mandatory changes to a firm’s privacy compliance regime.
Another disclosure exemption under the DPA makes sharing information and potentially stopping frauds before they take place easier for financial services institutions. One common fraud the DPA amendment is designed to deter is when a client’s personal computer is hacked and the digital thief uses information on the device to impersonate the individual when contacting a financial services institution. The hacker could authorize the transfer of money from the client’s account to the hacker’s personal account at a different bank or brokerage.
Previously, financial services institutions concerned about fraud would have to disclose an accountholder’s personal information to investigative bodies, such as the Investment Industry Regulatory Organization of Canada or the Bank Crime Prevention and Investigation Office.
Now, financial services institutions can exchange information quickly among themselves and verify the identity of the accountholder, possibly averting a fraud. Says McGowan: “If you do not have that immediacy in your response, the money is lost.”
In the November issue: A review of recent case law affecting privacy regimes in Canada.
This is the second instalment in a three-part series reviewing the impact of the new privacy rules on your firm, from procedures to penalties.
© 2015 Investment Executive. All rights reserved.