The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has more personal information in its database than it needs, according to an audit conducted by the Office of the Privacy Commissioner of Canada (OPC).
The audit, which was tabled in Parliament Thursday, followed up on recommendations from a previous audit conducted by the OPC in 2009. It found that FINTRAC needed to do more to ensure that the amount of personal information it acquires is kept to an absolute minimum.
FINTRAC is mandated by law to receive financial transaction reports and voluntary information on money laundering and terrorist financing from persons and entities in various sectors, which are subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).
As of March 2012, FINTRAC’s databases held approximately 165 million reports containing personal information related to financial transactions, such as down payments for house and vehicle purchases, wire transfers received by international students residing in Canada, or funds sent by parents in Canada to children who are studying abroad. Some of these reports may be submitted to FINTRAC without the knowledge or consent of the individuals concerned.
Entities are required to report to FINTRAC large cash transactions or electronic funds transfers of $10,000 or more, as well as any transactions where there is “reasonable grounds to suspect” money laundering or terrorist financing activities. However, the OPC’s review of the FINTRAC database revealed a number of examples of reports that did not meet the $10,000 threshold, and reports that did not clearly demonstrate reasonable grounds for suspicion and, therefore, should not have been reported.
“Given the examples we found, I have serious concerns about the extent to which FINTRAC’s information holdings are populated with personal information that should never have even been submitted,” says Privacy Commissioner of Canada, Jennifer Stoddart.
The audit recommended that FINTRAC analyze and assess incoming reports; identify and dispose of information that it should not have received and is not directly related to its operating programs and activities; ensure that guidance issued by regulatory partners is consistent with PCMLTFA requirements; and ensure that staff fully comply with its security policies and procedures.
FINTRAC accepted all of the audit’s recommendations and provided responses as to how it intends to address them. Recently, FINTRAC has informed the OPC it has taken additional measures to enhance compliance with its security policies and procedures in response to a breach incident that occurred earlier this year.
“FINTRAC has proposed some measures to address the deficiencies we identified; however, there is more work to do,” notes Stoddart. “It still needs effective screening processes to ensure it no longer receives and retains sensitive personal information that it doesn’t need.”