The Discussion Paper identified a number of areas related to the exchange of information between various parties in order to facilitate the AML/ATF regime. A number of witnesses also provided comments on information sharing topics, which include:

• sharing and retention within government,
• sharing and retention between the government and the private sector,
• sharing and retention within the private sector, and
• de-risking.

A.  Information Sharing and Retention Within Government

(i) Background

Established by the Act and its regulations, FINTRAC is Canada’s financial intelligence unit led by the Department of Finance Canada. It collects finance intelligence and enforces compliance of reporting entities with the legislation and regulations. FINTRAC acts as a financial intelligence agency independent from the law enforcement agencies and has no investigative powers. It is authorized under the Act to only disclose “designated information” as defined by sections 55(7), 55.1(3) and 56.1(5), which is dependent on the nature of the disclosure.[14]

As described by the Privacy Commissioner of Canada, the Privacy Act sets out the privacy rights of Canadians in their interactions with the federal government, and obliges government institutions to control the collection, use, disclosure, retention and disposal of recorded personal information.[15] Section 8(1) of the Privacy Act details that personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with sections 8(2)–(8). In addition, all provinces and territories have legislations that apply to how provincial/territorial agencies handle personal information.

Notably, under section 8(2)(m) of the Privacy Act, government institutions may disclose the information of Canadians if the “public interest in disclosure clearly outweighs any invasion of privacy” or the “disclosure would clearly benefit the individual to whom the information relates.” When making a disclosure of this kind, the government institution must inform the Privacy Commissioner of the disclosure. Also, section 5(1) of the Security of Canada Information Sharing Act provides that specified government institutions – including FINTRAC – may, on their own initiative or on request, disclose information to another specified government institution if the information is relevant to the recipient institution’s jurisdiction or if the information relates to “activities that undermine the security of Canada, including in respect of their detection, identification, analysis, prevention, investigation or disruption.” Furthermore, the institution cannot be sued if they shared information in good faith under this Act. However, section 5(1) is “subject to any provision of any other Act of Parliament,” meaning that the specified government institutions must still conform to any other legislated disclosure requirements – such as those that are more rigorous – should they wish to make a disclosure under section 5(1).

In the United States, there is no single federal law that regulates the collection and use of personal data.[16] Instead, the U.S. has a patchwork system of federal and state laws as well as regulations that may overlap. In addition, there are many guidelines, developed by governmental agencies and industry groups that do not have the force of law, but are part of self-regulatory guidelines and frameworks that are considered "best practices". One such practice includes the “third agency rule.”

In the U.S., the Department of Justice defines the “third agency rule” as a restriction on information sharing between government departments and/or agencies. In effect, a government department or agency can only release information to a separate government department or agency under the condition that the receiving department or agency does not release the information to any other department or agency.

(ii) Witness Testimony

The Government of British Columbia observed that better information sharing is needed. Given the breadth of information at FINTRACs disposition, the Government of British Columbia feels that FINTRAC is in a better position to identify emerging and long-term trends and would like to see this type of information shared with the appropriate authorities at the provincial level. The Canadian Banking Association also recommended that the regime be enhanced through greater collaboration, communication, and information sharing between governments. This opinion was shared by the Government of British Columbia which recommended that an information-sharing mechanism between law enforcement and FINTRAC be regulated under the PCMLTFA. The Canadian Life and Health Insurance Association reminded the Committee that, in recent history, amendments have been made to enable FINTRAC to exchange information with more of its federal and provincial partners. For example, securities regulators and national intelligence agencies.

The Privacy Commissioner of Canada highlighted the need for rigorous legal standards around the collection and sharing of personal information, effective oversight, and minimization of risks to the privacy of law-abiding Canadians, in part through prudent retention and destruction practices. The Commissioner contends that there is a lack of proportionality in the regime, as disclosures to law enforcement and other investigative agencies made in a given fiscal year represent a very small number when compared with the information received during that same time frame; in addition, FINTRAC's retention of undisclosed reports increased from five to 10 years in 2007. Furthermore, he stated that once that information is analyzed and leads to the conclusion that someone is not a threat, it should no longer be retained; therefore, a risk-based approach of collection and retention of data should be implemented. The Commissioner highlighted the data retention practices that would be implemented by Bill C-59 An Act Respecting National Security Matters, where data is disposed of within 90 days unless a Federal Court is satisfied that its retention is likely to assist in the performance of the Canadian Security Intelligence Service's mandate. He also recommended that his office be mandated to undertake a review of proportionality review that would commence one year prior to each five-year review of the PCMLTFA by Parliament.

The Government of British Columbia raised the issue that law enforcement officials do not work within FINTRAC due to privacy concerns, and believed that there would be significant benefit to the regime if such a practice were to be implemented.

During the Committee’s travels, certain witnesses highlighted that long-term data retention is an important aspect of the AML/ATF regime, as the ability of criminals to obscure the financial aspects of their crime is often less advanced earlier on, and that once an individual becomes the target of an investigation, law enforcement’s ability to access their data from earlier in their “criminal career” is often very useful in building the prosecution’s case. FINTRAC explained that the reports it receives are disposed of after 10 years if they are not disclosed to law enforcement, and the Privacy Commissioner of Canada noted that this data retention limit was extended from the previous limit of 5 years in 2007.

Additionally, many of these witnesses believed that greater communication between government bodies leads to a more effective AML/AFT regime.

B.  Information Sharing and Retention Between the Government and the Private Sector

(i) Background

The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) details how private-sector organizations collect, use, and disclose personal information in the course of for-profit, commercial activities in Canada. PIPEDA also applies to the personal information of employees of federally regulated businesses such as banks, airlines and telecommunications companies. Alberta, British Columbia and Quebec have private-sector privacy legislation that have been deemed “substantially similar” to PIPEDA, and may apply instead of PIPEDA in some cases.

Information that FINTRAC receives and analyzes may be shared in the form of studies, methods and trends in order to educate the public – including the reporting entities – on money laundering and terrorist financing issues. For example, project PROTECT was launched in January 2016 and is a public‐private partnership between reporting entities and FINTRAC that targets human trafficking for the purposes of sexual exploitation by focusing on the money laundering aspect of the crime. After engagement with reporting entities, law enforcement and policy makers, FINTRAC published its operational alert, Indicators: The Laundering of Illicit Proceeds from Human Trafficking for Sexual Exploitation. This Alert focused on the types of financial transactions, financial patterns and account activity that may raise suspicions of money laundering and trigger the requirement to send a suspicious transaction report to FINTRAC.

The USA Patriot Act contains provisions aimed at the prevention, detection and prosecution of money laundering and financing of terrorism.[17] In particular, section 314(a) of the Patriot Act authorizes FinCEN to provide to financial institutions with a “Section 314(a) list,” which contains the names of individuals or entities suspected of criminal activity, and to compel those financial institutions to supply information regarding the named suspects. Federal, state, local, and certain foreign law enforcement agencies that are investigating money laundering or terrorism can request that FinCEN obtain certain information from one or more financial institutions. This request must be in the form of a written certification stating that each individual, entity, or organization about which the law enforcement agency is seeking information is engaged in, or is reasonably suspected of engaging in, terrorist activity or money laundering. Upon receiving a request from FinCEN, a financial institution must verify if it maintains accounts for, or does business with, the person or entity being investigated and report its findings to FinCEN.

The U.K.’s Joint Money Laundering Intelligence Taskforce (JMLIT) is a partnership – established in May 2016 – between the U.K. government and the financial sector with the goal of combating high-end money laundering. The partnership includes the British Bankers Association, law enforcement and over 40 major U.K. and international banks under the leadership of the Financial Sector Forum. Various levels of the JMLIT meet quarterly or monthly to improve intelligence sharing arrangements between organizations, strengthen the relationship between public and private sector bodies, and discuss potential improvements and/or best practices for the AML/ATF regime.[18]

JMLIT members meet to share their respective information and experiences to come to a better understanding of funding linked to bribery and corruption, trade based money laundering, funding flows linked to organized immigration crime, money laundering through capital markets and terrorist financing methodologies. According to the U.K.’s National Crime Agency, JMLIT has produced new and effective targeted and coordinated AML/ATF interventions by law enforcement and the financial sector. In particular, JMLIT has led to, among other outcomes, 63 arrests of individuals suspected of money laundering and the freezing of £7 million of suspected criminal funds.

(ii) Witness Testimony

The Investment Industry Association of Canada suggested that FINTRAC specifically work with other regulators to reduce duplication and overlap in rules and procedures. Vanessa Iafolla, who appeared as an individual, also suggested that there is a need for improved guidance and feedback to regulated entities that is provided by oversight bodies such as OSFI and FINTRAC to improve their AML/ATF reports.

The Canadian Life and Health Insurance Association generally supported measures – through privacy and AML legislation – which would promote better information-sharing between the private and public sectors, and suggested that Canada should adopt best practices from models used in other jurisdictions that permit effective information sharing. HSBC Bank Canada identified the need for additional action on the part of the federal government to increase information sharing and improve current feedback mechanisms.

A number of witnesses commented on the lack of feedback that FINTRAC provides to the reporting entities; in particular, the Government of British Columbia, the Investment Industry Association of Canada, the Canadian Jewellers Association, the Federation of Law Societies of Canada, the Canadian Bankers Association, and the Canadian Life and Health Insurance Association, as well as Shahin Mirkhan, John Jason, Vanessa Iafolla ,Christian Leuprecht and Mora Johnson – who appeared as individuals – explained that they do not feel that FINTRAC adequately communicates with reporting entities and that an increase in two-way communication would be beneficial. In particular, the Government of British Columbia described FINTRAC as a “black box” into which information is sent and from which no feedback is provided. In contrast, Jewellers Vigilance Canada Inc. noted that communication with FINTRAC has been very positive for over a decade. For its part, FINTRAC explained that information sharing is a careful balance between efficacy and protecting the rights of Canadians, and that they do perform outreach work with reporting entities to provide them with information on potentially suspicious transactions and indicators to identify money laundering trends.

The Investment Industry Association of Canada also believed that FINTRAC should engage in ongoing dialogue with securities dealers and other financial sector participants to ensure greater transparency in FINTRAC requirements.

In order to better assess the impact of the regime, Transparency International Canada highlighted the need for more transparency and feedback to be provided to reporting entities as well as the public, arguing that the government should create a performance measurement framework for the regime’s operations and make the findings public each year.

The Privacy Commissioner of Canada cautioned that increased information sharing with the public sector might be useful to identify threats, but must be accompanied by appropriate privacy safeguards or such an approach would further exacerbate its concerns with the proportionality of the regime.

During the Committee’s travels, a number of witnesses believed that the lack of direction from FINTRAC to the reporting entities constitutes a serious flaw of the regime. Reporting entities cannot properly assist FINTRAC with the identification of high-risk clients or patterns of money laundering without knowing what kinds of information is useful to the organization. They also noted that FinCEN and the National Crime Agency are able to communicate with U.S. and U.K. reporting entities, respectively, to provide them with these kinds of directions as well as request follow-up information.

Witnesses also signalled during the Committee’s travels that Canadian banks would benefit from greater information sharing under a model similar to the JMLIT.

C.  Information Sharing and Retention Within the Private Sector

(i) Background

PIPEDA limits the information businesses collect to what is essential for the business transaction. If further information is requested, individuals are entitled to ask for an explanation and may decline if they are dissatisfied with the answer without adversely affecting the transaction. According to the Privacy Commissioner of Canada, PIPEDA sets out ten "fair information principles" that collectively form the underpinnings of PIPEDA, and include the following:

• 1) Accountability: Organizations should appoint someone to be responsible for privacy issues. They should make information about their privacy policies and procedures available to customers.
• 2) Identifying purposes: Organization must identify the reasons for collecting your personal information before or at the time of collection.
• 3) Consent: Organizations should clearly inform you of the purposes for the collection, use or disclosure of personal information.
• 4) Limiting collection: Organizations should limit the amount and type of the information gathered to what is necessary.
• 5) Limiting use, disclosure and retention: In general, organizations should use or disclose your personal information only for the purpose for which it was collected, unless you consent. They should keep your personal information only as long as necessary.
• 6) Accuracy: Organizations should keep your personal information as accurate, complete and up-to-date as necessary.
• 7) Safeguards: Organizations need to protect your personal information against loss or theft by using appropriate security safeguards.
• 8) Openness: An organization’s privacy policies and practices must be understandable and easily available.
• 9) Individual access: Generally speaking, you have a right to access the personal information that an organization holds about you.
• 10) Recourse (Challenging compliance): Organizations must develop simple and easily accessible complaint procedures. When you contact an organization about a privacy concern, you should be informed about avenues of recourse.

Within the EU, the General Data Protection Regulation (GDPR) came into force in May 2018 and introduced new privacy obligations to all companies processing and/or holding the personal data of individuals residing in the European Union, regardless of the company’s location. These companies are now required to acquire the explicit and unambiguous consent from their customers to use or retain their “personal data,” based on specific purposes for use of their data and for specific periods of time. “Personal data” is defined broadly, and includes an individual’s name, identification number, location data or online identifier, reflecting changes in technology and the way organizations collect information.

Under the GDPR, individuals have the right to request a copy of the data that is held on them, including an explanation of how such data is used and if third parties have access to it. Individuals may also request that their data be deleted, and compensation can be claimed for any damage suffered by individuals caused by infringement of the GDPR. Organizations can be fined up to 4% of annual global turnover or €20 million for breaching the GDPR.

In the U.S., section 314(b) of the USA Patriot Act allows for financial institutions to voluntarily share – upon providing notice to FinCEN – information among each other through the circulation of a “Section 314(b) list,” and provides these institutions with immunity from private civil actions resulting from any disclosures that are in conformity with the Bank Secrecy Act. Financial institutions must establish and maintain procedures to safeguard the security and confidentiality of the information shared, and must only use shared information for the following purposes:

• identifying and, where appropriate, reporting on activities that may involve terrorist financing or money laundering;
• determining whether to establish or maintain an account, or to engage in a transaction; or
• assisting in compliance with anti-money laundering requirements.

(ii) Witness Testimony

The Canadian Life and Health Insurance Association was supportive of measures that would promote better information-sharing within the private sector through changes to privacy and AML legislation. It suggested that the government should adopt best practices from other jurisdictions. The Canadian Bankers Association supported the recent ethics committee recommendation that PIPEDA be amended to allow for a broader range of instances where financial institutions can share information, such as in cases of money laundering and terrorist financing. However, the Association recognized that any measures taken to enhance information sharing must be balanced with privacy considerations.

The Privacy Commissioner of Canada emphasized that any information sharing between the government and the private sector needs to be handled in a manner that complies with PIPEDA. He also recommended that the Department of Finance be legally required to consult with his office on draft legislation and regulations with privacy implications before they are tabled.

During the Committee’s travels, a number of witnesses noted that reporting entities in all jurisdictions are developing advanced artificial intelligence or computer modelling to assess their clients’ ML/TF risk. Some noted that these technologies can make use of publicly available data – such as that available on social media – to help develop a risk assessment of these clients, and that the private sector’s use of data in this manner is relatively unregulated.

These witnesses also contended that financial institutions are better able to combat ML/TF activity when they are capable of sharing information among themselves. This is particularly true given the sophistication of organized crime, as they spread their financial assets and transitions across many banks in order to limit any one bank’s ability to detect the criminal nature of their activity.

D.  Information Sharing and De-Risking

(i) Background

“De-risking” – also known as de-banking – refers to the practice of financial institutions closing the accounts of clients and ceasing all business with them because they are perceived to be high-risk.

(ii) Witness Testimony

With respect to money service businesses, the Government of British Columbia indicated that the volatility of the industry has been apparent in the United States as many financial institutions have been ending their relationship with these businesses as part of a de-risking process in order to avoid the added anti-money laundering risks which they can pose. In their brief to the Committee, Dominion Bitcoin Mining Company examined the issue of de‑risking, and underscored that money services businesses, including companies that work in the cryptocurrency space, have had a very difficult time establishing banking relationships due to the perceived risk of money laundering. Moreover, they outline that when FINTRAC examines financial institutions, they will automatically flag money service businesses as high risk, and therefore suggested that FINTRAC encourage financial institutions to conduct enhanced due diligence procedures instead of outright denying them banking services.

During the Committee’s travels, witnesses explained that approximately ten customers are de-banked from Canadian banks every day, but they have recourse to appeal this decision with the banking ombudsman. During these discussions, witnesses cautioned that increasing information sharing between reporting entities – particularly banks – would lead to a significant increase in de-risking, as reporting entities will prioritize their financial interests over consumer access to their services. For example, witnesses highlighted a “three strike rule,” under which a foreign bank will de-risk a client if it receives three separate requests from their financial intelligence unit for additional information on that client, despite the bank having no other evidence of wrongdoing with respect to that individual. As a result of de-risking behaviour, witnesses highlighted that “right to banking” legislation may be warranted in some jurisdictions, but that measures must be taken to ensure that the criminal activity does not simply move to the accounts guaranteed by this kind of legislation.

Some witnesses explained that de-risking can also pose a problem for law enforcement authorities because it is generally in their interest if the subject of an investigation continues their normal banking activity free from the suspicion of being investigated. They noted that law enforcement can be more effective when criminals make use of cellular phones and bank accounts. Throughout the U.S., U.K. and Canada, witnesses explained that law enforcement may make formal and informal requests to banks to refrain from de-risking specific clients who are under investigation, but that banks are reluctant to comply with such requests unless they are indemnified from any loss and liability resulting from their compliance.[19]

Chapter 2 Recommendations

Recommendation 14

That the Government of Canada examine the U.S. Government’s “third agency rule” for information sharing and determine whether this rule would assist in investigation / detection of money laundering and terrorist financing in Canada.

Recommendation 15

That the Government of Canada expands FINTRAC’s mandate to allow for:

• a greater focus on building actionable intelligence on money laundering and terrorist financing, akin to FinCEN in the United States, and provide FINTRAC with the necessary resources to effectively undertake the corresponding analysis;
• the retention of data for 15 years;
• an operational model to allow for two-way information sharing system (rather than strictly being an information gathering system);
  • FINTRAC should be able to share feedback, best practices and long-term trends, so that reporting entities can properly assist FINTRAC.
• the ability to request more information from specific reporting agencies to clarify reported suspicious activity or to build a stronger case before referring it to law enforcement;
• the ability to release aggregated data, subject to Canadian law, about a group of specific reporting agencies or a sector for statistical, academic or government purposes.

Recommendation 16

That the Government of Canada establish a round table partnership with industry leaders who are investing significantly in technology that more efficiently tracks suspicious activities and transactions, so as to promote best industry practices.

Recommendation 17

That the Government of Canada take steps to emulate the U.K.’s model of a Joint Money Laundering Intelligence Taskforce in Canada.

Recommendation 18

That the government of Canada consider tabling legislation that would allow information that is limited to AML/ATF subject matter to be shared between federally regulated financial institutions such as banks and trust companies, provided that FINTRAC is notified upon each occurrence of such sharing.

Recommendation 19

That the Government of Canada implement the necessary requirements to banking to determine a “low-risk threshold” and establish exemptions to ensure the most vulnerable Canadians are not being denied a bank account due to lack of adequate identification.

---