Financial Transactions and Reports Analysis Centre of Canada

Section 37 of the Privacy Act
Section 72(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act

Final Report 2017


Main Points

What we examined

The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) created the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC or the Centre), and requires it to ensure that personal information under its control is protected from unauthorized disclosure. Sections 4 to 8 of the Privacy Act govern how federal institutions, including FINTRAC, can collect, use and retain personal information. The Office of the Privacy Commissioner of Canada (OPC) examined whether the policies, practices and processes FINTRAC has in place for managing the personal information it receives, collects, and retains comply with the Centre’s obligations under the PCMLTFA and the Privacy Act. Our review included an analysis of the amount and type of personal information FINTRAC collects directly from reporting entities when it monitors compliance with the reporting obligations imposed by the PCMLTFA.

We interviewed selected FINTRAC and Shared Services Canada (SSC) officials, reviewed pertinent documents, and analyzed a sample of transaction reports received by FINTRAC between April 2014 and July 2016. We also looked at a sample of compliance examination files compiled by FINTRAC between the period of April 2014 and March 2016. All examination activities were conducted in the National Capital Region.

Our review included an assessment of whether there are adequate technical safeguards in place to protect the personal information received, collected and retained by FINTRAC from inappropriate or unauthorized use and disclosure. Given that FINTRAC’s electronic data holdings reside on technical infrastructure now operated by SSC, we assessed the measures FINTRAC has taken to ensure that SSC has satisfactory information technology (IT) safeguards in place.

We also assessed the progress made by FINTRAC to address the observations and recommendations made in our 2013 audit report. We specifically examined how FINTRAC has addressed our observation that it received and retained personal information that did not meet legislated reporting thresholds set out in the PCMLTFA. This observation had also been made in our 2009 report. Both previous audit reports recommended that in order to mitigate that risk, FINTRAC should screen incoming reports before they enter the database so that such information is identified and destroyed at the earliest stage possible.

We did not review FINTRAC’s disclosure of personal information to regime partners, such as police services, the Canadian Security Intelligence Service (CSIS), the Canada Border Services Agency (CBSA) the Canada Revenue Agency (CRA), and provincial and territorial securities commissions. The Centre’s handling of personal information about its employees and the personal information handling practices of entities reporting to FINTRAC were also out of scope.

Why it is important

According to FINTRAC’s 2015-2016 Annual Report, financial transaction reporting has increased by 63 percent over the past five years, with the Centre receiving nearly 24 million reports in the past fiscal year alone. As of March 31, 2016, there were approximately 212 million reports containing personal information in FINTRAC’s databases.

Reports are submitted by reporting entities without the knowledge or consent of the individuals concernedFootnote 1, and are retained in FINTRAC databases for a minimum of 10 years. These records contain sensitive financial and other personal information, and a breach could potentially have serious implications for the individuals involved. The receipt of reports that do not meet legal thresholds and the lengthy retention period for these reports increases the risk of unwarranted scrutiny of law abiding individuals by FINTRAC. Additionally, the personal information in FINTRAC’s data holdings (other than Cross Border Currency Reports) is not accessible under Privacy Act requests, and individuals have no ability to check records or ask for corrections.Footnote 2

These factors heighten the need for FINTRAC to be diligent in ensuring it retains only the information it is legislatively entitled to possess, that the information it retains is as accurate as possible, and that such information is protected against inappropriate use and/or disclosure with safeguards commensurate to its sensitivity.

What we found

We concluded during this audit that the Centre has made significant efforts to enhance its personal information handling practices, resulting in improvements to privacy protections. However, we found issues related to the monitoring of internal user activity and the assignment of IT security roles and responsibilities that are now shared between SSC and FINTRAC. We also found that FINTRAC continues to receive and retain personal information that does not meet legal reporting thresholds.

In addition, we found indications that the vast majority of the reports received by the Centre may never be used. As of March 31, 2016, 37 million reports received by FINTRAC had reached the end of their 10-year retention periods and had been disposed of without having been used in a disclosure. This is almost the entire quantity of reports received by the Centre from its inception to March 31, 2006.

Our main findings are summarized below.

  • There is no formal assurance that the personal information acquired, retained and transmitted by the Centre is appropriately protected on the Shared Services Canada IT infrastructure. As of 2012, FINTRAC’s electronic data holdings have been housed on the SSC IT infrastructure, as mandated by the Shared Services Canada Act.Footnote 3 In recent years FINTRAC has experienced some difficulties in obtaining assurances from SSC that certain required technical safeguards are in place. In addition, Electronic Funds Transfers data, which is received from reporting entities by both FINTRAC and CRA, is transmitted to CRA using a mandated Government of Canada technical system for which SSC has not renewed the authority to operateFootnote 4. As a result, the sensitive personal information that is being transmitted to CRA via the SSC solution is no longer assured to be adequately protected from unauthorized use and/or disclosure.
  • FINTRAC continues to receive and retain personal information outside of the legislated thresholds for reporting. This presents risks to privacy by making personal information that should never have been provided to FINTRAC available for FINTRAC’s use and potential disclosure to other institutions. It is unlikely this issue will be resolved unless and until FINTRAC augments its current controls with more robust front-end screening to help ensure the reports it retains in its database meet reporting thresholds and do not contain unnecessary and/or excessive personal information.
  • FINTRAC also collects and retains unnecessary amounts and types of personal information from entities while evaluating their compliance with Part 1 or 1.1 of the PCMLTFA.

Introduction

  1. The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC, or the Centre) is responsible for facilitating the detection, prevention, and deterrence of money laundering, terrorist activity financing and other threats to the security of Canada. It is an independent agency reporting to the Minister of Finance who is accountable to Parliament for the activities of the Centre. It was established by and operates under the legislative authority of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA, or the Act) and its regulations.Footnote 5
  2. Under the PCMLTFA, specified businesses are required to collect information about their clients and transactions. They report some or all of this information to the Centre under prescribed circumstances. The number and type of entities which are required to report to FINTRACFootnote 6 are extensive and include:
    • Accountants;
    • Notaries (in British Columbia);
    • Casinos;
    • Dealers in precious metals and stones;
    • Financial entities (banks, credit unions, caisses populaires, financial services cooperatives, trust and loan companies);
    • Life insurance brokers and agents;
    • Real estate brokers and agents;
    • Money services businesses (foreign currency exchange, money transfers); and
    • Securities dealers.
  3. FINTRAC receives the following types of reports. All reports contain personal information.
    • Suspicious Transaction Report (STR): An STR must be submitted in relation to an attempted or completed financial transaction for which there are reasonable grounds to suspect that the transaction is related to the commission or attempted commission of a money laundering or terrorist activity financing offence. There is no monetary threshold for the reporting of a suspicious transaction.
    • Large Cash Transaction Report (LCTR): A large cash transaction report is submitted to FINTRAC when a reporting entity receives $10,000 or more in cash in the course of a single transaction, or when it receives two or more cash amounts totaling $10,000 or more made within 24 hours by or on behalf of the same individual or entity.
    • Electronic Funds Transfer Report (EFTR): An electronic funds transfer report is submitted to FINTRAC upon a transmission of instructions for the transfer of $10,000 or more out of or into Canada in a single transaction or in two or more transactions totaling $10,000 or more made within 24 hours by or on behalf of the same individual or entity, through any electronic, magnetic or optical device, telephone instrument or computer.
    • Casino Disbursement Report (CDR): Casinos must report to FINTRAC when a disbursement of $10,000 or more is made in the course of a single transaction, or when two or more disbursements totaling $10,000 or more are made within 24 hours on behalf of the same individual or entity.
    • Terrorist Property Report (TPR): Reporting entities must submit a terrorist property report for property that they know is owned or controlled by or on behalf of a terrorist or terrorist group, or that they have reason to believe is owned or controlled by or on behalf of a person listed under the Regulations Implementing the United Nations Resolutions on the Suppression of Terrorism.Footnote 7 Real estate, cash, bank accounts, insurance policies, money orders, securities, precious metals and stones and other types of assets are considered property.
    • Cross Border Currency Report (CBCR): A cross-border currency report is filed with the CBSA by a person entering or leaving Canada carrying a sum of currency or monetary instruments of $10,000 or more, or by a person mailing or sending such sums into or out of Canada. The CBSA then submits the report to FINTRAC. A cross-border seizure report is also submitted to FINTRAC by CBSA when unreported cash or monetary instruments are seized or upon the seizure of suspected proceeds of crime.
    • Voluntary Information Record (VIR): Individuals may voluntarily report their suspicions about money laundering or terrorist financing activities to FINTRAC. Law enforcement, government institutions and intelligence partners may also provide information to the Centre through the submission of a VIR.
  4. A variety of large but potentially legitimate purchases may be reported to FINTRAC as a matter of course. LCTRs, EFTRs and STRs submitted to FINTRAC by reporting entities subject to the Act could include transactions such as down payments and mortgage arrangements for home purchases, car, boat and recreational vehicle purchases, funds sent to family members abroad and money received by international students studying in Canada.
  5. FINTRAC analyzes and assesses information it receives and matches the information with other law enforcement and intelligence data, as well as publicly available information. FINTRAC analysts may conclude that the information to be disclosed provides “reasonable grounds to suspect” that it would be “relevant to investigating or prosecuting a money laundering offence or a terrorist activity financing offence”.
  6. When this is the case, FINTRAC must disclose defined information to the appropriate police force at the federal, provincial or municipal levels, to be used in the investigation of money laundering and/or terrorist activity financing. When FINTRAC has reasonable grounds to suspect the information to be disclosed is relevant to threats to the security of Canada, it must disclose the information to CSIS. If, in addition, FINTRAC also meets other specific legal thresholds set out under the PCMLTFA, the Centre must disclose the designated information to additional disclosure recipients including, the CRA, CBSA, the Communications Security Establishment, and any agency or body that administers the securities legislation of a province. FINTRAC may also disclose information to international foreign intelligence units where there are reasonable grounds to suspect that the information to be disclosed would be relevant to investigating or prosecuting a money laundering or a terrorist activity financing offence, or an offence that is substantially similar to either offence.
  7. FINTRAC also collects information directly from entities while evaluating their compliance with Part 1 or 1.1 of the PCMLTFA, as it is required to do under the Act.

What we found in previous audits

  1. The PCMLTFA requires the Privacy Commissioner of Canada to undertake a biennial review of the measures taken by the Centre to protect the information it receives or collects and to report on those measures to Parliament.Footnote 8 This is the third such review undertaken by the Commissioner; the previous reviews were completed in 2009 and 2013. Both of these reviews found that FINTRAC received and retained reports that did not comply with reporting thresholds established under the PCMLTFA. A table outlining recommendations made in 2013 and our assessment on the progress made to address them can be found at Annex A to this document.

Events since our last audit

  1. The Standing Senate Committee on Banking, Trade and Commerce undertook a statutory review of the PCMLTFA in 2013.Footnote 9 The Committee report made recommendations related to the evaluation of FINTRAC’s effectiveness and value in the prosecution of terrorist and money laundering offences, the need for expanded information sharing, and discussed the need for an appropriate balance between information sharing and the protection of personal information.
  2. In 2014, the PCMLTFA was amended by Bill C-31Footnote 10 to, among other things, provide more flexibility to reporting institutions when verifying client identity, enhance record keeping and registration requirements for financial institutions and intermediaries, include an express reference to online casinos in the Act, and extend the application of the Act to persons and entities that deal in virtual currencies and foreign money services businesses, though these provisions are not yet in force. Bill C-31 also enabled FINTRAC to disclose information relating to compliance with Part 1 of the PCMLTFA to the CRA.
  3. Of particular note for this audit, Bill C-31 also added subsection 54(2) to the PCMLTFA.Footnote 11 This provision requires the Centre to destroy information it receives from reporting entities that it determines, in the normal course of its activities, is not required to be reported to the Centre. FINTRAC must similarly destroy any information voluntarily provided by the public that it determines, in the normal course of its activities, is not about suspicions of money laundering or the financing of terrorist activities. The information must be destroyed “within a reasonable time after the determination is made”; the statute does not define what is reasonable in these circumstances.
  4. In 2015, Bill C-59Footnote 12 amended subsection 55(3) of the PCMLTFA to require FINTRAC to disclose certain information to provincial and territorial securities regulators if it has reasonable grounds to suspect that the information would be relevant to investigating or prosecuting a money laundering or a terrorist activity financing offence, as well as offences set out in securities legislation administered by the agency to which the disclosure is made.
  5. The 2015 Security of Canada Information Sharing Act (SCISA)Footnote 13 encourages and facilitates broader sharing of personal information among federal government departments for the purposes of protecting Canada against activities “undermining the security of Canada.” According to FINTRAC, the SCISA has not had a significant impact on its activities as FINTRAC can only receive and disclose information under the PCMLTFA.
  6. In June 2015, the House of Commons Standing Committee on Finance released its report on terrorist financing in Canada and abroad.Footnote 14 The Committee made a number of recommendations focused on increasing the effectiveness of global efforts to combat terrorist financing and of Canada’s Anti-Money Laundering/Anti-Terrorist Financing (AML/ATF) regime. Among other recommendations, it advised FINTRAC to urge financial institutions in Canada to improve the training provided to their compliance officers, in order ensure the correct identification of suspicious transactions.
  7. The Financial Action Task Force’s (FATF) most recent assessment report of Canada’s ALM/ATF regime was issued in September 2016. The FATF is an inter-governmental body with representation from jurisdictions around the world, including Canada. Its objectives are to set standards and promote effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system.Footnote 15 The reportFootnote 16 analysed Canada’s compliance with international obligations, and the level of effectiveness of Canada’s ALM/ATF system. There were no recommendations related to privacy issues or the use of personal information.

FINTRAC data holdings on Shared Services Canada IT infrastructure

  1. Shared Services Canada (SSC) was created in 2011 to centrally manage information technology infrastructure for 42 other Government of Canada institutions, including FINTRAC. Ownership of the infrastructure supporting FINTRAC core systems and electronic data holdings was transferred to SSC in 2012. The two institutions have a shared responsibility relating to the protection of systems and personal information received, collected and electronically managed in the context of FINTRAC’s mandated activities. SSC is responsible under the Shared Services Canada Act for providing IT infrastructure.Footnote 17 FINTRAC is responsible for ensuring the personal information which it collects is managed and protected in compliance with both the Privacy Act and the PCMLTFA.

Focus of this audit

  1. The audit focused on whether FINTRAC has taken adequate measures to ensure there are appropriate safeguards in place to protect the personal information in FINTRAC’s electronic data holdings, which reside on the IT infrastructure for which SSC is now the service provider. This transition, which took place in 2012, was not examined during our 2013 audit.
  2. The audit also evaluated the collection of personal information from reporting entities by FINTRAC during its compliance assessment activities, and reviewed the progress made by FINTRAC in response to the observations and recommendations in our 2013 audit.
  3. We did not audit disclosures from FINTRAC to regime partners, the Centre’s handling of personal information about its employees, or the personal information handling practices of the entities reporting to FINTRAC.
  4. Audit evidence was obtained through the examination of records, interviews, and audit tests. We reviewed a sample of Suspicious Transaction Reports (STRs), Voluntary Information Records (VIRs), and examined all Terrorist Property Reports (TPRs) in the FINTRAC database. We also looked at how reports with certain financial reporting thresholds are managed, and made inquiries to SSC with regards to the protection of FINTRAC information.
  5. More information about the audit objective, criteria, scope and approach is found at Annex B to this document.

Observations and Recommendations

  1. Sections 4 through 8 of the Privacy Act limit the collection of personal information by federal government institutions and govern how that information can be used and disclosed. The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) requires FINTRAC to ensure that appropriate safeguards are in place to protect the personal information it collects and retains.
  2. We looked at how FINTRAC manages the personal information that it obtains, through reports and records submitted to it by financial institutions and other reporting entities, or through direct collection by the Centre during compliance assessment activities. We also looked at the measures FINTRAC takes to ensure that the personal information it acquires is protected with appropriate and sufficient safeguards while it is housed on the SSC IT infrastructure and when being transmitted to the CRA.
  3. We expected to find that FINTRAC receives and retains only that personal information which is directly related to its operating programs and activities and for which it has legislative authority; that the safeguards in place to protect such information comply with the relevant Government of Canada IT security policies, directives and standards and are sufficient to mitigate the risk of breaches and inappropriate disclosures; and that personal information is disposed of at the end of its scheduled retention period.
  • There is no formal assurance that the personal information collected, retained and transmitted by the Centre is appropriately protected on the Shared Services Canada IT infrastructure.
  1. The Treasury Board of Canada Secretariat’s (TBS) Policy on Government Security (the Policy)Footnote 18 prescribes safeguards to protect and preserve the confidentiality and integrity of government assets, including personal information, and establishes minimum mandatory security requirements. Federal institutions must conduct their own assessments to determine whether safeguards above baseline levels are necessary. The Policy also calls for continuous monitoring of the threat environment to ensure appropriate security measures are maintained.
  2. The Policy is given effect by standards and directives which must be followed by government institutions. The TBS Operational Security Standard: Management of Information Technology Security (MITS)Footnote 19 requires IT systems to be certified and accredited through a Security Assessment & Authorization (SA&A) process before they begin operating. An SA&A is used to assess and mitigate risks to an acceptable level. The process could include conducting Threat and Risk Assessments to determine security requirements, Statements of Sensitivity to assess the sensitivity of information or assets and Privacy Impact Assessments to assess and mitigate potential privacy risks.
  3. Ownership of the infrastructure supporting FINTRAC core systems was transferred to SSC in 2012. We noted that no SA&A had been completed by SSC for this legacy infrastructure. SSC will initiate a SA&A process for legacy systems only when significant changes are required or upon receipt of a formal request from the partner institution; however, FINTRAC has not made such a request. We found that FINTRAC had itself updated previous security assessments for its systems in consultation with SSC personnel specifically assigned to FINTRAC premises but without engaging SSC management. While SSC advised our office that they have security practices in place to help mitigate the risk of unauthorized access to FINTRAC data, such as the conduct of vulnerability scanning, these practices are not meant to replace the SA&A process. There is therefore no formal assurance that all privacy and security risks to FINTRAC information holdings on the SSC infrastructure have been appropriately identified and mitigated.
  4. Reporting entities are required to submit reports about Electronic Funds Transfers (EFTRs) of $10,000 or more to FINTRAC and to the Canada Revenue Agency (CRA). Operationally, reports are transmitted to CRA through the Managed Secure File Transfer (MSFT), which is a centralized SSC service. We noted that the accreditation letter, which is required for the system to operate, expired in February 2015. SSC confirmed that the accreditation for this government-wide system has expired. Therefore, the MSFT system used to transmit EFTRs to CRA does not currently have authority to operate.
Recommendation

FINTRAC should submit a formal request to SSC to initiate the Security Assessment and Authorization process to ensure that the SSC IT infrastructure on which FINTRAC’s data resides or flows is certified and accredited, in keeping with the TBS Operational Security Standard: Management of Information Technology Security (MITS).

FINTRAC response

FINTRAC accepts the recommendation.

FINTRAC has taken a number of measures to ensure the information that it receives is appropriately protected in the context of Shared Services Canada’s mandated infrastructure service delivery. For example, the Director of FINTRAC has articulated, in writing, his expectations and concerns in relation to IT security to the President of SSC; a Memorandum of Understanding has been established to ensure that all SSC personnel assigned to FINTRAC are appropriately screened; and the Centre has formally assessed and accredited its legacy infrastructure, which has not changed significantly since infrastructure operations were transferred to SSC.

Although SSC is accountable for the infrastructure and must ensure that such infrastructure aligns with the requirements of the TBS Operational Security Standard: Management of Information Technology Security (MITS), FINTRAC will formally request SSC to initiate the Security Assessment and Authorization process to update certification and accreditation of the IT infrastructure on which FINTRAC’s data resides or flows.

  • The roles and responsibilities between FINTRAC and SSC for privacy and security are not clearly defined
  1. Subsection 29.2(2) of the Financial Administration ActFootnote 20 requires written agreements to govern the provision of internal support services by one department to another. Such agreements should include specific clauses for the protection of personal information in order to ensure compliance with the Privacy Act and relevant TBS policies, directives, and standards. The TBS Guideline on Service Agreements: Essential ElementsFootnote 21 provides guidance regarding the content of and governance structure for service agreements, including those between two federal government departments. Privacy and security are recommended as essential elements of such agreements.
  2. FINTRAC’s Privacy Policy states that personal information must be protected from improper access, loss, use, disclosure or destruction through the inclusion of specific confidentiality provisions in contracts or other arrangements with third parties.
  3. We reviewed the business arrangement between FINTRAC and SSC which describes, in general terms, their ongoing business relationship. However, this document does not specify the roles and responsibilities of each department for the protection of FINTRAC data. It does not include privacy or security clauses outlining requirements for privacy and security risk assessments, management of access rights and monitoring, control and custody of personal information, or guidance on how to deal with privacy breaches. While FINTRAC and SSC have entered into a number of other agreements covering specific services, these agreements are not comprehensive and do not adequately address security and privacy for FINTRAC’s data holdings.
  4. The business arrangement between FINTRAC and SSC outlines an option for entering into an Operating Protocol to ensure that particular or specialized business needs or circumstances are accommodated, enabling the parties to deliver their respective programs and services in full compliance with legal requirements, policy obligations and management controls. Such a Protocol would provide an opportunity for clearly defining the roles and responsibilities of FINTRAC and SSC in relation to privacy and data security. However, an Operating Protocol has not been entered into by the parties.
  5. SSC, in consultation with partner departments including FINTRAC, has developed a table that outlines responsibilities and accountabilities between itself and its partners regarding the security of their information holdings. The table covers areas such as the development of security standards and departmental IT security risk management processes. While the table provides guidance on roles and responsibilities for securing partners’ information holdings, it is not binding and it is not intended to include relevant clauses that are normally included in an agreement, which is required by subsection 29.2(2) of the Financial Administration Act.
  6. The FINTRAC Privacy Breach Incident Guidelines describe a general process to follow in case of a breach of personal information, but are silent regarding the roles and responsibilities of FINTRAC and SSC if a breach of FINTRAC data occurs on SSC’s infrastructure. Section 6 of the SSC Directive on Privacy Breaches indicates that roles and responsibilities will be shared when breaches involve SSC’s IT infrastructure and a partner institution’s data, but does not elaborate on how this sharing of responsibility will be carried out.
Recommendation

In accordance with the Financial Administration Act and the TBS Guideline on Service Agreements: Essential Elements, FINTRAC should work with SSC to put in place an agreement which clearly defines IT security roles and responsibilities and relevant privacy and security clauses for the protection of FINTRAC information holdings.

FINTRAC response

FINTRAC accepts the recommendation.

FINTRAC has taken a number of measures to ensure the information that it receives is appropriately protected in the context of Shared Services Canada’s mandated infrastructure service delivery. For example, the Director of FINTRAC has articulated, in writing, his expectations and concerns in relation to IT security to the President of SSC; a Memorandum of Understanding has been established to ensure that all SSC personnel assigned to FINTRAC are appropriately screened; and the Centre has formally assessed and accredited its legacy infrastructure, which has not changed significantly since infrastructure operations were transferred to SSC. When issues are encountered, solutions are brought forward through the SSC Service Delivery Manager and other formal channels.

FINTRAC will engage Shared Services Canada to establish an agreement which clearly defines IT security roles and responsibilities and relevant privacy and security clauses for the protection of FINTRAC information holdings.

  • FINTRAC does not regularly monitor activity logs for IT systems to identify inappropriate access, use, or disclosure of personal information.
  1. Section 6.2.21 of the TBS Directive on Privacy PracticesFootnote 22 requires departments to adopt appropriate measures to ensure that the access, use and disclosure of personal information are monitored and documented, so that inappropriate or unauthorized activity in this regard can be identified and rectified in a timely fashion.
  2. Similarly, section 17 of the MITS requires departments to continuously monitor system performance in order to quickly detect attempted or actual unauthorized access to a system, or attempted or actual bypassing of security mechanisms. At a minimum, departments must include a security audit log function in all IT systems. Departments must incorporate automated, real-time, incident detection tools in high risk systems.
  3. The personal information received and collected by FINTRAC to fulfill its intelligence role is stored on several systems. This includes all reports submitted to the Centre. These systems contain detailed financial information and other sensitive personal information elements.
  4. A record is created and logged when users log in, create, modify, view or delete files on any of the networks. However, not all logs are actively monitored to ensure the timely identification of inappropriate or unauthorized access to, or disclosure of, personal information that is accessible to internal users.
Recommendation

FINTRAC should ensure that the activity logs of all IT systems are regularly monitored for indications of inappropriate access, use, or disclosure, and for attempts to defeat security protocols, in order to ensure that such activity is detected and addressed in as timely a fashion as possible.

FINTRAC response

FINTRAC accepts the recommendation.

FINTRAC is committed to protecting its data holdings. As noted in previous Office of the Privacy Commissioner (OPC) audits, the Centre has a robust and comprehensive approach to security, including a sound IT security infrastructure to protect its networks and applications. Following the 2013 OPC audit, FINTRAC undertook additional measures to further enhance the Centre’s monitoring capabilities in relation to activity on FINTRAC systems, including an IT Security Enhancements project and a Data Loss Prevention initiative.

Going forward, the Centre’s new Departmental Security Plan identifies a second phase of the Data Loss Prevention initiative. FINTRAC will also continue to evaluate options and implement appropriate measures to enhance its ability to proactively detect inappropriate or malicious internal activity.

  • FINTRAC continues to receive and retain personal information that does not meet reporting thresholds set out in the PCMLTFA.
  1. The PCMLTFA authorizes FINTRAC to receive reports from reporting entities and the CBSA. By July 31, 2016, FINTRAC had received almost 257 million such reports.
  2. Our 2009 and 2013 audits found that FINTRAC received and retained personal information that did not meet legal reporting thresholds. We issued recommendations calling on FINTRAC to mitigate this risk by implementing a process to screen incoming reports prior to retention.
  3. FINTRAC implemented several measures to validate incoming reports. As the majority of reports received by FINTRAC are submitted electronically, fields on incoming reports are automatically reviewed to validate, through a number of “validation rules” whether required information is provided, and whether it is in the correct format. Checks are also conducted for some types of personal information that should not be provided -- such as Social Insurance Numbers (SIN) and some provincial health card numbers. Reports may be rejected outright, or a warning message may be issued to the reporting entity.
  4. FINTRAC’s validation rules apply to the electronic submission of Suspicious Transaction Reports (STRs), Large Cash Transaction Reports (LCTRs), Electronic Funds Transfer Reports (EFTRs) and Casino Disbursement Reports (CDRs). As a result of the validation rules related to personal information, we noted that approximately 18,600 LCTRs, EFTRs, and CDRs submissions were rejected between June 1, 2014 and May 31, 2016.
  5. STRs are not rejected, even if the validation rules flag issues, as the Centre considers their content to be valuable. In some cases where STRs contained unnecessary information, warning messages were sent to reporting entities. Voluntary Information Records are not subject to automatic validation.
  6. These measures have been somewhat effective in identifying and deflecting non-compliant reports in some reporting categories. However, we found evidence through sampling that FINTRAC continues to receive and retain personal information that does not meet reporting thresholds.

Suspicious Transaction Reports

  1. We noted five STRs from a sample of 280 such reports which did not include any description of or justification for suspected money laundering or terrorist financing activities. The absence of such information in a report makes it difficult to assess whether the “reasonable grounds” threshold has been met.
  2. We identified STRs related to transactions that did not demonstrate “reasonable grounds to suspect” that they related to money laundering or terrorist financing activities; see examples below in Exhibit A. In each case a report was sent to FINTRAC – and FINTRAC retained the report in its database.
Exhibit A
  • A number of individuals identified themselves with Middle Eastern passports during a real estate transaction. The reporting entity filed an STR. No further details or justification for suspicion were provided.
  • An individual intended to conduct a financial transaction. When the individual said he had invested in the stock market, particularly in medical marijuana companies, the reporting entity filed a STR on the basis that “a person who is involved in the government regulated medical marijuana industry is also at high risk and may also have some relation to the illicit marijuana trade.”
  • A client of a financial institution wrote a cheque for more than $20,000 to a close relative. The entity filed a STR because it did “not know the reason why the cheque was issued nor for such an amount”. No further information justifying the report was given.
  1. FINTRAC has a process in place for segregating and subsequently disposing of reports which do not meet reporting thresholds. However, we found this process is not consistently followed. We were informed by FINTRAC that the Centre’s analysts may decide to retain reports that do not meet thresholds, in case additional information is received in the future that could make the report useful.

Voluntary Information Records

  1. We also examined a sample of Voluntary Information Records (VIRs). VIRs submitted by entities other than law enforcement, government entities or foreign agencies similar to FINTRAC must be about suspicions of money laundering or the financing of terrorist activities. However, we found a number of VIRs that were not submitted by these entities where there was no suspicion of money laundering or terrorist financing. Exhibit B below shows an example of such a situation.
Exhibit B

A financial institution’s client was charged with a fraud related offence, which came to the attention of the institution through a media report. The financial institution filed a VIR, indicating that “an STR was not filed because the transaction activity on the account was not deemed suspicious or indicative of money laundering.”

  1. The PCMLTFA states that FINTRAC shall receive information provided to the Centre by law enforcement agencies or government institutions or agencies. There is no reporting threshold associated with these VIRs. However, VIRs are routinely used to ask for information. Exhibit C shows an example of how a VIR is used in this regard.
Exhibit C

A VIR sent by a police force asked FINTRAC for information on members of an Indigenous protest group opposing pipeline development. The VIR noted that none of the individuals listed in the report was suspected to be a member of an organized crime or terrorist group. Despite this, the VIR requested information on each individual’s fundraising activities and charitable contributions.

  1. These examples indicate that VIRs - subject to a reporting threshold - and STRs that do not meet legislated thresholds for reporting continue to be submitted to and retained by FINTRAC. We acknowledge that the recent amendment adding subsection 54(2) to the PCMLTFA obliges the Centre to destroy information that does not meet reporting thresholds when this determination is made in the normal course of its activities. However, in the absence of a more stringent front-end screening mechanism, such reports will continue to be received by FINTRAC and retained in its databases, potentially for long periods of time, before they may be discovered and purged.
Recommendation

We encourage FINTRAC to continue its efforts to implement robust and comprehensive front-end screening for incoming submissions to ensure the records and reports it retains in its database meet legislated reporting thresholds and do not contain unnecessary and/or excessive personal information.

FINTRAC response

FINTRAC accepts the recommendation.

FINTRAC recognizes the importance of ensuring that its data holdings only contain information that the Centre has the legislative authority to receive. FINTRAC will continue to implement the robust and comprehensive front-end screening measures that have been established in recent years to minimize the receipt of unnecessary personal information.

Terrorist Property Reports

  1. Pursuant to the Criminal CodeFootnote 23 Reporting entities are required to file a Terrorist Property Report (TPR) to the RCMP and CSIS if they have property in their possession or under their control that they know is owned or controlled by or on behalf of a terrorist group within the meaning of the legislation. This information must also be given to FINTRAC pursuant to the PCMLTFA. Similarly, reporting entities must file a TPR if they have property in their possession or control that they believe is owned or controlled by or on behalf of a person listed under the Regulations Implementing the United Nations Resolutions on the Suppression of Terrorism. As of December 2016, FINTRAC had received a total 109 TPRs since its inception.
  2. We found in previous audits that almost half the TPRs submitted to FINTRAC were filed on the basis of a “possible match” to terrorist listings. It is FINTRAC practice to retain these reports regardless of whether “possible” terrorist affiliation is later confirmed. We previously recommended that FINTRAC explore avenues with its intelligence partners to ensure, to the extent possible, that terrorist affiliations were confirmed prior to FINTRAC’s retention of this data.
  3. FINTRAC committed to entering into a dialogue with its intelligence partners to explore ways to mitigate the risk of retaining information about individuals when it has been confirmed that no terrorist affiliation exists. Based on this commitment, our 2013 audit rated progress on this recommendation as satisfactory.
  4. Our inquiries during this audit found no evidence that such a dialogue took place, and FINTRAC confirmed that it has not received any communication from its law enforcement partners repudiating suspicions of terrorist affiliation for individuals named in TPRs. FINTRAC informed us that it is unable by law to contact law enforcement partners to confirm or refute terrorist affiliation unless the threshold for disclosure of information to partners has been met.
  5. We reviewed a sample of TPRs and noted that the type of issues observed in 2009 and 2013 remain. Reporting entities continue to submit reports on the basis of a “possible match” to terrorist listings. In addition, we found a TPR filed in 2007 on the basis of a “possible name match”; two months later, the reporting entity sent a correction to the first report indicating the individual was not affiliated with terrorism. Both the initial TPR and the subsequent correction remain in the database.
  6. We also observed that, as of December 2016, 42 TPRs – almost half the number that had been submitted to FINTRAC since its inception – reached the end of their ten-year retention periods and were disposed of by FINTRAC without ever having been used in a disclosure.
Recommendation

FINTRAC should manually review all TPRs, and immediately dispose of those which are identified as not meeting reporting thresholds.

FINTRAC response

FINTRAC accepts the recommendation.

FINTRAC will conduct a manual review of all Terrorist Property Reports in its data holdings. Should the Centre have, or receive, information from a reporting entity that has submitted a report or the appropriate authorities that a terrorist affiliation is no longer suspected to exist, FINTRAC will immediately segregate and dispose of that report.

Reports with financial thresholds

  1. We found that FINTRAC continues to receive and retain reports that do not meet the specific financial thresholds set out in legislation. FINTRAC receives four types of reports for which precise and objective financial thresholds apply. These are: Electronic Fund Transfer Reports (EFTRs), Large Cash Transaction Reports (LCTRs), Casino Disbursements Reports (CDRs), and Cross Border Currency Reports (CBCRs). FINTRAC is authorized under the PCMLTFA to collect reports only about transactions of $10,000 or more for these categories.
  2. If two or more transactions of less than $10,000 each are made by or on behalf of the same individual or entity within 24 hours, and together total $10,000 or more, these must also be reported. This is referred to as the “24 hour rule” and applies to EFTRs, LCTRs and CDRs.
  3. During our 2009 and 2013 audits, we found that FINTRAC did not have the capacity to match incoming reports under the 24 hour rule. FINTRAC was unable to match EFTRs and LCTRs under $10,000 to others submitted by or on behalf of the same individual or entity within the 24 hour time period. The same issue was found again in this audit.
  4. FINTRAC has made efforts to develop an automated solution for this problem; however, FINTRAC acknowledges that its attempted solution has not been successful. FINTRAC has advised us that an automated solution may not be possible. As a result, the risk level in this area has not improved since our first audit in 2009.
  5. As of July 31, 2016, FINTRAC had received over 254 million EFTRs and LCTRs since its inception. Among these are approximately 80,000 EFTRs and 150,000 LCTRs that are under the $10,000 reporting threshold and do not fall under the 24-hour rule. FINTRAC does not have the legislative authority to retain transactions under $10,000 unless they are matched to another transaction made within 24 hours by or on behalf of the same individual or entity.
Recommendation

FINTRAC should dispose of EFTRs and LCTRs that are below the $10,000 reporting threshold and that do not fall under the 24-hour rule, as the Centre has no legislative authority to retain this information.

FINTRAC response

FINTRAC accepts the recommendation.

FINTRAC recognizes the importance of ensuring that its data holdings only contain information that the Centre has the legislative authority to receive. The Centre has taken a number of concrete steps in recent years to limit the receipt of reports that do not meet the legislated threshold for reporting. For example, FINTRAC has put in place robust validation rules that reject the submission of purported reports that do not meet reporting thresholds. In addition, a well-defined process has been put in place to ensure that any such purported reports found in the Centre’s data holdings in the normal course of activities are segregated in order to ensure they are not used for the purpose of analysis and are not disclosed. FINTRAC destroys information it identifies as not meeting the threshold for reporting as per its disposition process and related schedules.

FINTRAC also undertakes numerous engagement and training activities with reporting entities to underscore the importance of ensuring that all reports sent to the Centre meet the legislative and regulatory thresholds. As well, FINTRAC is in the process of updating its guidelines for reporting entities with an enhanced focus on the 24-hour rule requirement in order to help further minimize the submission of information that does not meet the thresholds.

FINTRAC will also continue to ensure that its financial intelligence disclosures are made strictly in accordance with the legislation and do not contain reports that the Centre should not have received.

Going forward, FINTRAC will explore options to identify, segregate and destroy information that it should not have received.

  • FINTRAC collects and retains unnecessary amounts and types of client personal information from entities that fall under the PCMLTFA while performing compliance examinations.
  1. FINTRAC carries out a compliance program to ensure reporting entities meet their obligations under the PCMLTFA. As of March 31, 2016, FINTRAC had performed 7,450 compliance examinations. The PCMLTFA allows FINTRAC to collect information as part of its compliance examinations. The TBS Directive on Privacy PracticesFootnote 24 requires government institutions to limit collection of personal information to what is directly related to and demonstrably necessary for the government institution’s programs or activities.
  2. Our 2013 audit found that FINTRAC had collected and retained unnecessary personal information as part of its compliance files. This included photocopies of the tax records of deceased individuals, medical records, Proof of Death statements, credit reports, drivers’ licenses, passports, and Social Insurance Number (SIN) cards.
  3. FINTRAC has taken measures to address our 2013 recommendations related to these issues, including implementing a policy that only the specific records or information needed to support deficiencies should be kept. However, the sample of compliance examination files we reviewed for this audit indicated that information which is not needed to support deficiencies continues to be retained.
  4. We found that compliance examination files contained information that did not relate to the noted deficiency, and that information was retained where no deficiencies were found at all. Some of the information we noted in this regard included:
    • A business database showing multiple online payments with individuals’ names, addresses, dates of birth, and SINs;
    • Information on account openings including photocopies of drivers’ licences;
    • Forms containing personal information, including information on identity cards, hire date, occupation;
    • Photocopies of account opening forms, including name, date of birth, SINs, citizenship information;
    • Employee names, emails and performance comments.
Recommendation

FINTRAC should expand its outreach efforts to specifically address the issue of personal information unnecessarily provided by entities during compliance examinations. In addition, FINTRAC should undertake an internal data minimization and purging exercise in order to dispose of personal information in its compliance examination files that is not needed to support deficiencies.

FINTRAC response

FINTRAC accepts the recommendation.

FINTRAC has in place a comprehensive outreach program to inform reporting entities of their obligations under the PCMLTFA, including the types of information that should and should not be provided during compliance examinations. The Centre is currently revising its notification letters to make it even clearer to reporting entities that they are to provide only the information that is requested in the letter and that they are not to submit personal information that is not required.

Going forward, the Centre will look to expand its outreach efforts to address the issue of personal information unnecessarily provided by reporting entities during compliance examinations. FINTRAC is also implementing a Quality Assurance process that will underpin a data minimization and destruction exercise aimed at disposing of information received and collected in the context of its compliance examinations that does not support identified deficiencies.

Conclusion

  1. FINTRAC has made significant efforts to mitigate the risks of collecting information that is irrelevant to its mandate and/or exceeds its legislative authority. Progress has been made.
  2. This includes the implementation of automated front-end screening to ensure that mandatory fields in reports sent to FINTRAC are completed. The screening process has rejected thousands of transactions that did not meet reporting thresholds. FINTRAC has also undertaken compliance outreach activities to educate reporting entities as to what information is required, and what information should not be reported. In addition, there is a process in place by which information that should not have been reported can be segregated and destroyed when it is encountered by FINTRAC analysts in the course of their regular activities.
  3. However, our examination findings indicate that many thousands of reports containing information that should not have been reported to FINTRAC remain in its database. This risk will remain until FINTRAC enhances its current comprehensive front-end screening system that effectively filters out reports that do not clearly meet applicable legislative thresholds.
  4. FINTRAC needs to work with Shared Services Canada to ensure that the personal information acquired, retained and transmitted by the Centre is appropriately protected when being stored and while being transmitted on SSC IT infrastructure. This will require a collaborative effort between FINTRAC and SSC, as the two institutions have shared responsibilities relating to the protection of the information received and collected by FINTRAC and the certification and accreditation of the IT systems on which it resides and through which it is transmitted.

ANNEX A

Assessment of Progress Related to Previous Recommendations

Based on our assessment of the actions taken by FINTRAC in addressing the recommendations from our 2013 audit we assigned one of the following ratings:

  • Satisfactory—Progress is satisfactory, given the significance and complexity of the issue, and the time that has elapsed since the recommendation paragraph was made; or
  • Unsatisfactory—Progress is unsatisfactory, given the significance and complexity of the issue, and the time that has elapsed since the recommendation paragraph was made.

Our assessment of the actions taken by FINTRAC in addressing the recommendations from our 2009 audit was included in our 2013 audit report available at Audit of the Financial Transactions and Reports Analysis Centre of Canada. Final Report 2013.

2013 Recommendations 2017 Assessment
Protection of information holdings
FINTRAC should implement measures to ensure that all its staff members possess a sound awareness of FINTRAC’s privacy and security policies to safeguard personal information and their obligation to comply with them at all times. Satisfactory

Various training and awareness sessions on Privacy, Information Management and Security have been provided.
Compliance with the Code of Fair Information Practices
To reconcile its obligations under the PCMLTFA with those under the Privacy Act, FINTRAC should analyze and assess incoming reports to ensure that it receives and retains only information that meets legislated thresholds for reporting and which it needs or uses in an ongoing program or activity. Unsatisfactory

Our review found various instances of reports that did not meet reporting thresholds and therefore, should not be retained.
FINTRAC should assess the effectiveness of its outreach programs and strengthen them where necessary to mitigate the risk of receiving personal information beyond the parameters and thresholds specified by the PCMLTFA. Satisfactory

FINTRAC has conducted significant outreach activity. Likewise, it provides information and advice through its web site.
FINTRAC should identify and dispose of information that it should not have received and is not directly related to its operating programs and activities. Unsatisfactory

Reports that did not meet reporting thresholds are being retained.
FINTRAC should: a) finalize an agreement with LAC regarding terms and conditions for the transfer of its archival records, and b) implement a formal policy for information and records whose retention and disposal periods are not specifically covered by the PCMLTFA. Satisfactory

The agreement with LAC was signed. FINTRAC has implemented retention and disposal schedules.
FINTRAC’s Compliance Mandate
In keeping with privacy best practices and to ensure consistent data minimization by compliance officers, FINTRAC should update its policies and procedures to clearly identify what information compliance officers should record and retain on compliance files to support deficiencies. Satisfactory

Policies were updated to indicate that only information relevant to support deficiencies is to be retained on examination files.
FINTRAC should include a privacy compliance monitoring process in its QA program to determine if information collected and retained while performing compliance examinations is limited to that which is necessary to establish compliance with the Act. Unsatisfactory

A QA program is not yet in place. Our review found that information not relevant to support deficiencies was kept.
The “Consent to enter a dwelling house for compliance examination” form should be further amended to indicate the purpose of collecting the date of birth on the form and the uses that will be made of it. Satisfactory

The form was amended as recommended.
As regulators have issued Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) guidance that instructs entities to report transaction below the legislated threshold, FINTRAC should take action to ensure that guidance issued by regulatory partners is consistent with PCMLTFA requirements. Satisfactory

FINTRAC sent correspondence to regulatory partners with emphasis to avoid over reporting and to achieve consistency in guidance issued to reporting entities.

ANNEX B

About the Audit

Authority

Section 37 of the Privacy Act authorizes the Privacy Commissioner to undertake compliance reviews of the manner in which government institutions manage their personal information holdings and make recommendations where appropriate. Under section 72.(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) the Privacy Commissioner is required to conduct a biennial review of measures taken by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) to protect information it receives or collects, and to report the results of such reviews to Parliament.

Objective

The audit objective was to assess whether FINTRAC has appropriate controls in place to protect the personal information it collects and retains, and whether FINTRAC manages this information in compliance with sections 4 through 8 of the Privacy Act. In addition, we focused on whether FINTRAC has taken adequate measures to ensure there are appropriate safeguards in place to protect the personal information in FINTRAC’s electronic data holdings, which reside on Shared Services Canada’s (SSC) IT infrastructure.

The audit also evaluated the collection of personal information from reporting entities by FINTRAC during its compliance assessment activities, and reviewed the progress made by FINTRAC in response to the observations and recommendation in our 2009 and 2013 audits.

Criteria

The criteria for conducting the audit are based on the authorities of the Privacy Act and associated Treasury Board Secretariat (TBS) policies, as well as the PCMLTFA. We expected FINTRAC to:

  • limit the receipt, collection and use of personal information to that which is necessary for the execution of its mandate;
  • retain and dispose of personal information in accordance with governing authorities;
  • have appropriate security measures in place for its information holdings, systems and infrastructure.

Scope and approach

The audit team examined FINTRAC programs and processes where the impact on privacy was deemed to be significant. In addition, the role of SSC in safeguarding FINTRAC information that resides or flows on its information technology infrastructure was reviewed.

We evaluated policies, guidelines, training materials, physical and IT threat and risk assessments, memoranda of understanding (MOUs), and privacy control checklists. We also interviewed FINTRAC and SSC staff members, examined reporting processes, and reviewed samples of reports and compliance examination files. All examination activities were conducted in the National Capital Region and our audit work was substantially completed on March 31, 2017.

Standards

The audit was conducted in accordance with the legislative mandate, policies and practices of the Office of the Privacy Commissioner of Canada, and followed the spirit of the audit standards recommended by Chartered Professional Accountants of Canada.

Audit Team

Acting Director General: Lara Ives

Sarah MacKay
Tauqeer Shaik
Ivan Villafan
Lindsay Scotton

Date modified: