FINTRAC has more personal information in its database than it needs, according to an audit conducted by the Office of the Privacy Commissioner of Canada (OPC).
The audit, which was tabled in Parliament today, followed up on recommendations from a previous audit conducted by the OPC in 2009. It found that FINTRAC needed to do more to ensure that the amount of personal information it acquires is kept to an absolute minimum.
“While FINTRAC continues to have sound security controls, it has made limited progress in addressing recommendations from our previous audit,” says privacy commissioner Jennifer Stoddart. “This is particularly disappointing, given that FINTRAC had previously indicated that it was committed to finding new ways to limit the amount of personal information it was accepting and holding.”
FINTRAC is mandated by law to receive financial transaction reports and voluntary information on money laundering and terrorist financing from persons and entities in various sectors, which are subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).
As of March 2012, FINTRAC’s databases held approximately 165 million reports containing personal information related to financial transactions, such as down payments for house and vehicle purchases, wire transfers received by international students residing in Canada, or funds sent by parents in Canada to children who are studying abroad. Some of these reports may be submitted to FINTRAC without the knowledge or consent of the individuals concerned.
Entities are required to report to FINTRAC large cash transactions or electronic funds transfers of $10,000 or more, as well as any transactions where there are “reasonable grounds to suspect” money laundering or terrorist financing activities. However, the OPC’s review of the FINTRAC database revealed a number of examples of reports that did not meet the $10,000 threshold, and reports that did not clearly demonstrate reasonable grounds for suspicion and, therefore, should not have been reported. For example:
- A young professional cashed three bank drafts worth almost US$100,000 purchased from a major Canadian bank. The organization that cashed the drafts had confirmed the validity of the drafts with the issuing bank but still filed a report because it felt that the amount of money did not match the individual’s age.
- An individual, who purchased a home from his childhood friend, released the deposit directly to the seller instead of to the seller’s lawyer. The notary for the transaction opted to submit a report only because he was unsure as to whether the transaction needed to be reported.
- A financial institution filed a report when a storekeeper deposited $570 in $100, $50, $20 and $5 bills, without indicating why the transaction was considered suspicious.
“Given the examples we found, I have serious concerns about the extent to which FINTRAC’s information holdings are populated with personal information that should never have even been submitted,” says Commissioner Stoddart.
The audit found that FINTRAC had made some progress since 2009 in addressing gaps that existed in its privacy management framework; for example, it had implemented a privacy breach identification and reporting protocol and expanded security awareness initiatives.
The audit recommended that FINTRAC analyze and assess incoming reports; identify and dispose of information that it should not have received and is not directly related to its operating programs and activities; ensure that guidance issued by regulatory partners is consistent with PCMLTFA requirements; and ensure that staff fully comply with its security policies and procedures.
FINTRAC accepted all of the audit’s recommendations and provided responses as to how it intends to address them. Recently, FINTRAC informed the OPC that it has taken additional measures to enhance compliance with its security policies and procedures in response to a breach incident that occurred earlier this year.
“FINTRAC has proposed some measures to address the deficiencies we identified; however, there is more work to do,” notes Commissioner Jennifer Stoddart. “It still needs effective screening processes to ensure it no longer receives and retains sensitive personal information that it doesn’t need.”
The OPC will be following up with FINTRAC in two years to evaluate its progress on strengthening its privacy practices.