Main Points
The Office of the Privacy Commissioner (OPC) examined the progress that the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) made to address the recommendations from our 2009 audit. We also examined how FINTRAC manages personal information collected, received, used and disclosed in its capacity as a financial intelligence unit and also while carrying out its compliance function as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA or the Act).

We reviewed FINTRAC’s personal information management policies, procedures and guidelines modified or established since the last audit. In addition, we examined privacy impact analyses, training materials, compliance examination files, security assessments and information sharing agreements. We also reviewed a purposive sample drawn through a statistical random selection of all types of reports that FINTRAC receives, as well as information it discloses to law enforcement agencies, federal departments and foreign financial intelligence units.

Finally, we examined changes in the way in which FINTRAC assigns privacy responsibilities, manages privacy risks and ensures compliance with its obligations under the Privacy Act.

As of March 2012 there were approximately 165 million reports containing personal information in FINTRAC’s databases. The databases include reports: where there is a suspicion of money laundering or terrorist activity financing; cash transactions over a prescribed threshold; certain electronic funds transfers; movements of currency or monetary instruments in specified circumstances or their seizure; and information provided by foreign or domestic counterparts. These reports might include transactions such as, but not limited to, down payments for house and vehicle purchases, wire transfers received by international students residing in Canada, or funds sent by parents in Canada to children who are studying abroad.

Persons and entities in various sectors (see Appendix 1), which are subject to the Act, must scrutinize and report on the financial transactions of clients. These entities, potentially up to 300,000 in number, transmit reports containing Canadians’ sensitive personal information to FINTRAC. Some of these reports may be submitted without the knowledge of the individuals concerned. Reporting entities do not require the individuals’ consent to submit the reports and the information may not be accessible to those individuals.

Our 2009 audit identified weaknesses in FINTRAC’s personal information management practices and recommended that they be addressed. Our previous recommendations and those included in this report are intended to assist FINTRAC in meeting its obligations under the Privacy Act.

While FINTRAC continues to have sound security controls, we found that it has made limited progress in addressing five of ten audit recommendations made in 2009.
