Guidance on submitting Codes of Practice under the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations
Together, paragraph 7(3) (d.21) of the Personal Information Protection and Electronic Documents Act (PIPEDA) and section 11.01 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) allow reporting entities under the PCMLTFA to disclose an individual’s personal information among each other without the individual’s knowledge and consent in certain circumstances. To do so, reporting entities must first establish a code of practice governing this information sharing, and have it approved by the Office of the Privacy Commissioner of Canada (OPC). Part 8 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR) sets out the process for submitting a code of practice for approval, as well as the key regulatory requirements.
This guidance is meant to help organizations developing a code of practice by clarifying what information is required to satisfy the Privacy Commissioner that a code of practice meets the requirements for approval set out in section 160 of the PCMLTFR.
As the Regulatory Impact Analysis Statement for this initiative notes, this type of information sharing is voluntary, and it is not mandatory for reporting entities to develop a code of practice unless they intend to engage in such information sharing.
While this guidance is intended to be helpful to potential applicants, it does not constitute legal advice.
Applying for approval of a Code of Practice
If you would like to submit a code of practice for review, please first contact the OPC by completing our form or by phone at 1-800-282-1376.
Applicants are also required to notify the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) on the same day that they submit a code of practice to the OPC for approval.Footnote 1 As a government institution with expertise in detecting and deterring money laundering, terrorist financing and sanctions evasion, FINTRAC is well-positioned to provide important information to the OPC to help inform its assessment.
Once a code of practice is submitted for approval, the OPC has 120 calendar days to make a decision,Footnote 2 with the ability to extend by an additional 15 days with notification to the applicant.Footnote 3 The OPC will let you know if additional information is required regarding your code of practice and may “pause the clock” if additional information is requested.Footnote 4
Defining the scope of a Code of Practice
Per subsection 161(1) of the PCMLTFR, any person or entity referred to in section 5 of the PCMLTFA (“reporting entities”), or any person or entity acting on their behalf, can apply to the OPC for approval of a code of practice.
When defining the scope of a code of practice, applicants should consider that disclosures under paragraph 11.01(b) of the PCMLTFA have to be reasonable for the purpose of detecting or deterring money laundering, terrorist activity financing or sanctions evasion. As outlined in the OPC’s guidance on Applying paragraphs 7(3)(d.1) and 7(3)(d.2) of PIPEDA, “reasonable for the purpose” means that disclosures must be reasonably related and proportionate to a specified purpose and should not over-reach in their scope.
While the OPC encourages organizations to develop comprehensive policies governing their privacy practices, the scope of a code of practice should be limited to information that is disclosed, collected and used under section 11.01 of the PCMLTFA.
What to include in a Code of Practice
The OPC will review applications based on the criteria outlined in section 160 of the PCMLTFR. To avoid delays in the approval process, an organization should ensure that its proposed code of practice includes sufficient detail for the OPC to be able to assess the code of practice against these requirements.
Under section 160 of the PCMLTFR, a code of practice must:
- Identify the reporting entities that are subject to the code of practice;
- Describe the personal information that may be disclosed, collected or used without knowledge or consent;
- Describe the purposes for which personal information may be disclosed, collected or used without knowledge or consent;
- Describe the manner in which personal information may be disclosed, collected or used without knowledge or consent;
- Describe the measures to be taken to ensure the protection of personal information, including measures related to the retention of personal information and the keeping of records; and
- Include information demonstrating that the code of practice complies with the requirements of the PCMLTFA and provides for substantially the same or greater protection of personal information as that provided under PIPEDA.
To help applicants demonstrate that a code of practice meets the last requirement, the OPC has outlined below relevant items to be addressed under PIPEDA’s principles. Applicants are also encouraged to refer to the OPC’s suite of guidance documents related to complying with PIPEDA for more information.
To help with the review process, applicants should ensure that their proposed code of practice covers the following:
Accountability
- List all reporting entities that are signatories to the code of practice, including their legal name.
- Demonstrate how each participating reporting entity (“participating entity”) will be responsible for personal information under its control, including confirming that there are specific policies, procedures and associated training in place. These policies and practices must include:
- implementing procedures to protect personal information;
- establishing procedures to receive and respond to complaints and inquiries;
- training staff and communicating to staff information about the organization’s policies and practices; and
- developing information to explain the organization’s policies and procedures.
- Include details on any related assessments, such as a privacy impact assessment, that the applicant has completed relevant to the information sharing in question.
- Participating entities are expected to be able to demonstrate compliance, this means that policies and procedures should include a requirement to maintain records of what is being disclosed, collected or used, as well as the rationale for decisions to disclose, collect or use, and account for internal audit and assurance procedures.
Identifying purposes
- Describe the purposes for which personal information may be disclosed, collected or used pursuant to the code of practice. This must include:
- Identifying the specific purpose(s) for which participating entities will disclose, collect and use personal information and how these purposes relate to detecting or deterring money laundering, terrorist activity financing or sanctions evasion, as required by paragraph 11.01(1)(b) of the PCMLTFA.
- Describing the mechanisms in place to determine what information needs to be collected to fulfill the specific purposes.
- Detailing the mechanisms in place to ensure that the specified purposes are only those that a reasonable person would consider appropriate in the circumstances.Footnote 5
- Outlining the legislative authority being relied upon for any collection and/or use, including the specific provision or schedule of the PCMLTFA and/or PCMLTFR, to meet the obligations in section 11.01 of the PCMLTFA.
Limiting collection
- Describe the personal information to be collected pursuant to the code of practice (i.e. received from another participating entity). This must be specific and not only include broad categories of personal information. Applicants can refer to the OPC’s Interpretation Bulletin: Personal Information to help assess what constitutes personal information.
- Specify how each participating entity will ensure that it does not collect personal information indiscriminately. This must also include details on how both the amount and the type of information are limited to that which is necessary to fulfill the purposes provided for under section 11.01 of the PCMLTFA.
- Where the collection of contextual information may be required under the PCMLTFA, PCMLTFR, and/or by FINTRAC guidance, Footnote 6 the code of practice must outline how participating entities assess what contextual personal information needs to be collected, including the thresholds used for making this determination. The code of practice must also confirm that the frameworks used and decisions made are documented.
Limiting use, disclosure, and retention
- Outline how participating entities will limit the personal information disclosed pursuant to the code of practice to that which is necessary to meet the purposes in section 11.01 of the PCMLTFA.
- Describe how participating entities will ensure that personal information received pursuant to the code of practice will only be used or disclosed for the purposes for which they are collecting it consistent with the purposes in section 11.01 of the PCMLTFA.
- Outline the retention periods for personal information disclosed, collected or used pursuant to the code of practice and any applicable legislation, regulations, or other regulatory instruments, including reference to the associated provisions, that may affect those retention periods, where applicable.
- When determining what retention period may be appropriate, an organization must consider the following:
- Why the personal information was collected pursuant to the code of practice.
- If personal information was used to make a decision about an individual, it must be retained for the legally required period of time thereafter – or a reasonable amount of time in the absence of legislative requirements – to allow the individual to access that information in order to understand, and possibly challenge, the basis for the decision.
- Once the purpose for which the information was collected has been fulfilled, the personal information should be disposed of, unless otherwise required to be retained by law.Footnote 7
- Confirm that each participating entity has a documented policy for how they will destroy, erase or anonymize any personal information that was collected pursuant to the code of practice and is no longer needed.
Accuracy
- Describe how participating entities will ensure that personal information disclosed, collected or used pursuant to the code of practice is accurate, complete, and up to date for the purposes and to minimize the possibility that inappropriate information may be used to make a decision about an individual.
- Outline how participating entities will correct inaccurate information, including by notifying any other reporting entities who received the inaccurate information.
- Specify what training will be provided to staff on common accuracy issues in the money laundering/terrorist financing/sanctions evasion context, such as systemic bias, mistaken identity, etc.
- Detail how an individual will be able to challenge the accuracy of information about them that is held by a participating entity.
- Confirm that participating entities will amend personal information when an individual successfully demonstrates the inaccuracy or incompleteness of that information.
- Confirm that participating entities will record the substance of an unresolved challenge to the accuracy of personal information and notify other participating entities that have access to that information of the existence of unresolved disputes, as appropriate.
Safeguards
- Describe what security safeguards are in place to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification, including physical, organizational and technological measures.
- This must include references to policies and procedures that participating entities’ have in place to limit and monitor employee access to personal information, including proactive measures such as audits and access controls, as well as what entities will do if personal information is accessed without authorization.
- Organizations may wish to reference any recognized standards that participants will adhere to.
- Provide details on how these measures are appropriate given the sensitivity of the information, the amount, distribution, and format of the information, and the method of storage.
- Specify how more sensitive information will be safeguarded by a higher level of protection.Footnote 8
- Detail how participating entities will ensure that personal information is securely shared among participating entities.
- Outline how breaches of security safeguards and other incidents will be monitored and responded to, including reporting to relevant regulators, providing notice to impacted individuals, and recordkeeping.Footnote 9
Openness
- Describe how participating entities will make readily available information about their policies and practices relating to the disclosure, use and collection of personal information pursuant to the code of practice, including that personal information may be shared without consent to detect or deter money-laundering, terrorist financing and sanctions evasion.
- Consider reporting publicly on the number and types of disclosures made on an annual or semi-annual basis, using aggregate and anonymized data.
Individual access
Confirm that:
- individuals will be informed of the existence, use, and disclosure of their personal information and be given access to that information, upon request.
- participating entities will respond to individual requests within a reasonable time and at minimal or no cost to the individual.
- participating entities will record and provide reasons to individuals who are denied access to their personal information.
Challenging compliance
- Confirm that there is a process pursuant to which participating entities handle complaints and inquiries pertaining to personal information that has been disclosed, collected or used and that if a complaint is found to be justified, that entities will take appropriate measures, including, if necessary, amending policies and practices.
- Describe how participating entities will inform individuals of relevant complaint procedures, and the ability to file a complaint with the OPC.
Amending an approved Code of Practice
Applicants amending an approved code of practice must notify the Commissioner and provide a copy of the revised code of practice as soon as feasible. The OPC will notify the applicant within 30 days of receiving this notice if it considers the revision(s) to be significant. In such a case, applicants will be directed to apply for approval of the revised code of practice.
To ensure an efficient review, it is recommended that changes be clearly denoted and integrated into the body of the code of practice when being sent to the OPC. In assessing significance, the Commissioner will consider whether the change has a material impact on the character, volume, or implications of information sharing under the code of practice.
If the Commissioner has reasonable grounds to believe that a person or entity has revised an approved code of practice without notifying the Office, the OPC can direct the person or entity to apply for approval of the revised code of practice. If the person or entity fails to comply with this direction, the OPC may suspend its previous approval of the code of practice.Footnote 10
Resubmitting a Code of Practice after 5 years
A code of practice must be resubmitted for approval five years after the day of its most recent approval. Any code of practice that was approved more than 5 years prior that has not been resubmitted for approval will no longer be considered to be approved.
Access to information
Please be advised that the OPC may be required to disclose information obtained as part of a code of practice approval under the Access to Information Act (ATIA),Footnote 11 the Privacy Act, or where disclosure is legally compelled, such as pursuant to a court order. There could, however, be statutory exemptions that would apply to the release of the information.
- Date modified: