FINTRAC Falls Under Scrutiny for Over-Reporting and Privacy Transgressions


On October 24, 2013, the Office of the Privacy Commissioner of Canada released a report citing significant and continued privacy lapses within Canada’s intelligence unit responsible for money laundering and terrorist financing (known as FINTRAC). As in their 2009 audit, the Commissioner found that FINTRAC was receiving and keeping information it should not, that the agency and its partners were encouraging over-collection and reporting of information, and that the agency was not sufficiently protecting the information it held.

As of March 2013, FINTRAC held about 165 million reports containing personal information, including reports regarding sizeable cash and wire transactions from a base of 300,000 reporting entities such as financial institutions, casinos, insurance companies, real estate companies, accountants and others. FINTRAC has dual roles. First, it ensures that the right companies collect the prescribed information and report the required transactions. Second, it is responsible for the analysis and disclosure of that information to domestic and foreign law enforcement, intelligence and tax agencies when their legislative threshold has been compromised. Unlike other countries, Canada adopted an administrative intelligence unit model, which is meant to be a privacy barrier between personal banking information and law enforcement. Over-reporting was observed by the Commissioner in these key areas:

  1. Large cash transaction reports and electronic funds transfer reports: When a reporting entity receives cash of $10,000 or sends or receives an electronic funds transfer of $10,000 or more – either in one transaction or through a combination of transactions over 24 hours – they are obligated to send a report to FINTRAC with details about the transaction and the parties involved. For the second time, the Commissioner noted that reporting entities were sending transactions where the dollar threshold was not met. In addition, for the second time FINTRAC responded that it did not have the technical capability to prevent this excessive reporting, although it suggests that the reporting entities should have had that technical capability, since the inception of the reporting obligation was nearly a decade ago.

  2. Suspicious transaction reports: Reporting entities are required by law to report actual and attempted transactions to FINTRAC when they have reasonable grounds to suspect that a transaction relates to an actual or attempted money laundering or terrorist financing offence. The Commissioner found that FINTRAC and the partner organizations that help evaluate some sectors on its behalf are encouraging, through their guidance, examinations and policy interpretations, the reporting of transactions that don’t meet the threshold. FINTRAC has responded (in both 2009 and for this report) that it has not reviewed the guidance of its partner organizations. The report exhibits a number of cases where the threshold for reporting was not met, including one instance where the reporting entity wrote: “I have no reason to suspect money laundering or terrorist activity”, a report which was received and retained by FINTRAC. Despite advisories to the contrary, reporting entities continue to send social insurance and health card numbers to FINTRAC in their suspicious transaction reports.

  3. Terrorist financing reports: Reporting entities are required to file a report immediately after becoming aware that they hold terrorist property. In their 2009 audit, the Commissioner found that about half of all reports filed were on the basis of a possible match against terrorist listings. They found similar results in the analysis for this report and noted that FINTRAC retains all such reports and keeps them accessible in databases. Possible matches appear frequently since terrorist listings are rife with data quality and content issues, as well as common names.

Although FINTRAC’s practices for collecting and retaining information it does not have statutory authority for were pointed out in the 2009 report, the current audit found that FINTRAC still hasn’t taken satisfactory measures to permanently delete illicitly maintained information.

The report also cited areas in which compliance enforcement activities did not align with privacy laws:

  1. Compliance records: In 2009, FINTRAC was found to have been collecting certain types of records and personal information that were not necessary to fulfill its compliance function, including medical records, photocopies of identification documents, credit reports, employee training records and Canadian Police Information Centre (CPIC) checks taken from the MSB registration database without personal information redacted. Two years following that report, FINTRAC issued a directive that compliance staff should collect and scan only the records and documents needed to support deficiencies and destroy all other information. In their procedures for this report, the Commissioner observed a lack of criteria or guidelines to determine what documents are considered ‘relevant’ to support deficiencies, as well as inconsistent practices amongst regional offices.

  2. Security practices: The report also found security lapses, including instances while on-site where a contractor roamed unescorted, talking on a cell phone in a secure area where those devices are prohibited. They also highlighted an instance where a compliance officer’s unencrypted USB key and laptop containing the personal information of 777 individuals were stolen from the trunk of his car.

What does this mean for companies that have to report?

FINTRAC’s examinations and speeches (including ones conducted this week) focus on the need for intelligence to carry out their function, and particularly on their desire for many suspicious transaction reports. We do not expect that focus to change, even in light of this report. FINTRAC’s response to the over-reporting deficiencies cited is telling, because it does not speak to deterring the activity (other than to broadly refer to ‘outreach’ activities), but instead focuses on excluding those reports from their analysis and destroying them at some point. Reporting entities continue to have an incentive to over-report because only under-reporting is punished with substantial penalties. In our view, reporting entities should report only prescribed transactions by developing and consistently applying strict criteria to determine which transactions meet the legislative threshold for reporting.