One approval stands between your firm and a fuller view of every client
Canadian financial firms can share clients' personal information with each other - without consent - to detect money laundering, under FINTRAC compliance guidance.
The guidance, from the Financial Transactions and Reports Analysis Centre of Canada, explains how reporting entities can engage in what the agency calls private-to-private information sharing under section 11.01 of the Act. The logic is simple: criminals exploit the fact that any single firm sees only part of a client's activity, so letting firms compare notes gives each a fuller picture.
Participation is voluntary. Securities dealers, financial entities, and other reporting entities are not required to take part, and they can share information only with other reporting entities. For those that opt in, the payoff is a broader view of client activity that feeds customer due diligence, sharpens risk assessments, and can surface unusual transactions worth flagging to FINTRAC.
There is a gate. Before any information changes hands, firms must establish a code of practice setting out what personal information may be disclosed, collected, or used without a client's knowledge or consent, and how it will be protected. That code goes to FINTRAC and to the Office of the Privacy Commissioner of Canada, and it must be approved by the Privacy Commissioner's office. The code also has to provide protection substantially the same as or greater than that under the Personal Information Protection and Electronic Documents Act.
The timelines matter for planning. FINTRAC may comment within 60 calendar days of receiving a code. The Office of the Privacy Commissioner of Canada has 120 calendar days to review, with a possible 15-day extension. If the office does not respond in time, the code is deemed approved. Approved codes must be resubmitted for re-approval every five years.
The guidance offers a measure of cover. No person or entity will be liable in any criminal or civil proceedings for disclosing, collecting, or using personal information in compliance with the Act and Regulations, so long as it is done in good faith.
There are limits firms should note. A financial entity, life insurance company, or securities dealer that already exchanges information with its affiliates under section 9.8 of the Act does not need a code of practice to do so. And once a code is in place, FINTRAC expects participants to treat shared information much as they would adverse media or sanctions screening - as a signal that may prompt a suspicious transaction report. The Financial Action Task Force has recognized this kind of sharing as a tool for disrupting money laundering and terrorist financing, while affirming that data privacy and protection laws still apply.
The full text of FINTRAC's compliance guidance on private-to-private information sharing is available at https://fintrac-canafe.canada.ca/guidance-directives/sharing-echange/sharing-echange-eng#s7.
