The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has published updated guidance on the exchange of personal information between reporting entities. The guidance sets out the procedure for entities that intend to voluntarily exchange data for the purpose of combating money laundering and terrorist financing, in compliance with the mandatory requirements for the protection of personal data.
The new clarifications are based on the provisions of section 11.01 of the Anti-Money Laundering and Terrorist Financing Act and related regulations, as well as on the practice of cooperation with the Privacy Commissioner of Canada. The source contains FINTRAC’s official provisions and explanatory comments from practitioners in this field.
Our company also provides services to support the implementation of information exchange mechanisms between reporting organisations, including analysis of applicable FINTRAC requirements, preparation of internal procedures, and advice on personal data protection issues within the framework of current legislation.
General provisions and subject matter of recommendations
In its new publication, FINTRAC defines private information sharing as the exchange of personal data between two or more reporting organisations that are parties to an agreed and approved code of practice. This exchange is carried out without the knowledge or consent of the individual whose data is being transferred and is intended to improve the effectiveness of the anti-financial crime system.
A reporting entity is a financial institution, insurance firm, investment intermediary, or other entity included in the relevant FINTRAC list and subject to anti-money laundering and anti-terrorist financing legislation. The exchange of information between such organisations is voluntary, but it is only possible if all requirements established by FINTRAC regulations and clarifications are met.
In its publication, FINTRAC emphasises that private information sharing does not override the basic requirements for internal anti-money laundering procedures and confidentiality. The main goal is to provide entities with a clear procedure for structuring data exchange in such a way that it complies with current information security requirements and helps identify patterns that are not visible when analysing data from a single organisation.
Essence of private information exchange
FINTRAC defines private information sharing as the exchange, between entities participating in an agreed code of practice, of personal data that relates to identifiable individuals and was collected in the course of fulfilling reporting obligations. Such data may include information that is normally stored and processed for internal reporting purposes but which, when combined across multiple participants, can reveal more complex patterns of suspicious activity.
The key element is that this data is transferred without the customer’s consent, as seeking consent may hinder the timely detection of money laundering and terrorist financing. However, even in the absence of consent, an entity must act within the framework of the approved code of practice and applicable law.
FINTRAC notes that the FATF recognises private information sharing as an important tool in the architecture of national regimes for combating financial crime, provided that personal data protection requirements are met.
Code of Practice: Content and Requirements
The basis for compliance is the code of practice. This is a document developed by the reporting organisations participating in the exchange, and it must:
- contain the exact legal names of all participants and their registration numbers in the FINTRAC system;
- describe the categories of personal information that may be transferred;
- justify the purposes of such transfers in relation to combating financial crime;
- establish procedures for the collection, use and transfer of information;
- determine measures for protecting information and rules for storing the data obtained.
It is important that the code not only reflects the technical aspects of the exchange, but also provides the legal basis for such actions. It specifies the conditions and scope under which data can be exchanged, and describes the measures for protecting data and tracking its use.
FINTRAC provides a model code of practice that entities can use as a guide. The model serves as an example of which sections and provisions should be included, but it is not a mandatory template; the code should be adapted to the specific needs of the participants and the specific context of their activities.
Procedure for submitting and approving code of practice
In order to engage in private information sharing, a reporting organisation must submit the code of practice to FINTRAC for review and to the Office of the Privacy Commissioner of Canada for approval. Only after the code has been approved by the Privacy Commissioner can participants begin sharing data.
The process involves several key steps:
- Preparation of a code of practice specifying all mandatory elements.
- Submission of the code of practice to FINTRAC with accompanying confirmation of consent from all participants.
- Forwarding of the code for assessment to the privacy officer, who reviews conformity with personal data protection requirements.
- If necessary, the authorised representative may request additional material or changes.
- If the authorised representative does not issue a negative decision within the time limit set for verification, the code is considered approved.
FINTRAC notes that while the code is under review it may still be in the process of being assessed and that, in the absence of a negative decision, it will be deemed to have been adopted at the end of the specified period. This allows organisations to plan for information sharing without undue delay.
Legal guarantees and liability
The legislation contains a provision that individuals and organisations acting within the framework of an approved code of practice and in good-faith compliance with the requirements of the Act and regulations shall not be subject to criminal or civil liability for the exchange of information. This provision is intended to reduce legal risks for participants in the exchange and to encourage compliance with legal requirements.
Nevertheless, compliance with personal data protection rules remains critical. Any violation of the code of practice or of information protection requirements may result in administrative and other consequences under applicable law, including liability for data breaches.
Management and modification of code of practice
FINTRAC emphasizes that an approved code of practice is not a static document. If participants modify it, they are required to notify FINTRAC and the privacy officer immediately. The Privacy Commissioner will assess whether the changes are significant and, if deemed necessary, will require re-approval of the updated code.
The code remains in force until:
- an updated code is approved by the authorized representative,
- or until the authorized representative notifies participants of its termination.
Practical aspects and conclusions
The FINTRAC publication provides a clearly structured path for entities that wish to incorporate private information sharing into their compliance programmes. The main requirement is to have an approved code of practice that legally justifies the sharing and protects personal data. Firms considering such practices are advised to analyze their internal processes in advance, prepare the necessary documents and consult with competent advisors to ensure compliance with all procedural requirements.
The new clarifications do not introduce a mandatory requirement for information sharing, but provide a clear mechanism for those who consider it appropriate in order to improve the effectiveness of detecting financial crime schemes. Compliance with data protection requirements and approval mechanisms is an essential component of this approach.
FAQ
What are the reporting entities for FINTRAC?
Reporting to FINTRAC is mandatory for so-called reporting organisations. These include:
- banks and credit unions,
- trust and loan companies,
- life insurance companies, securities brokers and dealers,
- investment fund managers,
- money transfer companies,
- as well as certain non-financial entities.
Which 3 reports must be submitted to FINTRAC?
There are three types of reports that are fundamental for most reporting organizations.
The first is the suspicious transaction report, which is submitted when there are reasonable grounds to suspect money laundering or terrorist financing. The second is the large cash transaction report, which is submitted when cash exceeding a specified threshold is received or paid in a single transaction or a series of related transactions. The third is the report on international electronic funds transfers, which covers transfers out of Canada or from abroad that exceed a specified threshold. These reports form the basis for FINTRAC’s monitoring of financial flows.
What is the Information Sharing Act in Canada?
In the context of AML/CTF, this refers to the legal mechanism enshrined in the Anti-Money Laundering and Counter-Terrorist Financing Act. It allows reporting firms to exchange personal information with each other without the customer’s consent, subject to strictly defined conditions. Such exchange is only possible within the framework of an approved code of practice and under the supervision of the Privacy Commissioner.
What is the reporting limit for FINTRAC?
There is a set limit for cash transactions and international electronic transfers, above which a report must be submitted. There is no threshold for suspicious transactions: a report must be submitted regardless of the amount if the organization has reasonable grounds to believe that the transaction is related to money laundering or terrorist financing. Thus, the key factor is not only the amount, but also the nature of the transaction and the context of the customer’s behavior.