Office of the Privacy Commissioner of Canada's Submission in Response to Finance Canada's Enhancing Canada's Anti-Money Laundering and Anti-Terrorist Financing Regime consultation:
Office of the Privacy Commissioner
September 29, 2005
Ms Diane Lafleur
Director, Financial Services Division
Department of Finance
140 O'Connor Street
Dear Ms Lafleur:
We are responding to the Department of Finance's consultation paper, "Enhancing Canada's Anti-Money Laundering and Anti-Terrorist Financing Regime."
When Bruce Phillips, the Privacy Commissioner at the time, appeared before the Senate Committee on Banking, Trade and Commerce in June 2000 to comment on Bill C-22, the Proceeds of Crime (Money Laundering) Act, he posed two questions:
"First is this legislation necessary – is it a major improvement on existing legislation? And second, if you decide it is necessary, are there ways to reduce the loss of privacy that will result from the passage of the legislation in its current form?"
These questions are equally appropriate with respect to the consultation paper. Are the changes being proposed in the consultation paper necessary? We do not know, and the paper does not present a compelling case for the proposed changes. Answering this question is extremely difficult for an organization with limited knowledge of the world of money laundering or terrorist financing. We do not have a sense of the scope of the problem or of whether the measures being proposed will be effective.
As the paper notes, the 2004 Auditor General's report concluded that "Canada has a comprehensive anti-money-laundering system that is generally consistent with international standards." Many of the recommendations in the Auditor General's report dealt with the relationship between the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) and law enforcement and national security agencies. The proposals in the paper appear to go beyond the recommendations in the report.
Nor are we convinced by the argument that Canada has to update its anti-money laundering/anti-terrorist financing (AML/ATF) regime to meet international commitments. Canada is a member of the Financial Action Task Force (FATF), the inter-governmental agency that establishes and oversees AML/ATF initiatives.
One of the difficulties with this rationale for revising Canada's anti-money laundering/anti-terrorist financing (AML/ATF) regime is that it is a "one size fits all" approach. Some of the FATF's recommendations may be more relevant in some jurisdictions than in others, but it would appear that all countries are expected to adopt them. We recognize the need to ensure that Canada does not become a safe haven for money launderers, but Canada should not be expected to adopt every measure proposed by the FATF without asking whether it is really necessary.
This harmonized international approach to dealing with money laundering and terrorist financing also fails to recognize that different countries have different approaches to privacy and the protection of personal information. Some of the members of the FATF have relatively weak or even non-existent privacy/data protection laws. Canada, in comparison, has a recent and comprehensive private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and three provinces (Quebec, Alberta and British Columbia) have private sector legislation. The federal Privacy Act applies to government departments and agencies.
The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) significantly weakens the protections provided by the two Acts. The public's ability to lodge complaints and the Privacy Commissioner's power to investigate complaints will be meaningless given the secrecy surrounding the collection of information by FINTRAC. As a result of this secrecy members of the public will not know that information is being collected about them or that they are being investigated.
Nor will citizens be able to use the Privacy Act or PIPEDA to determine if information has been collected about them. Although FINTRAC is expressly subject to the federal Privacy Act, we have been informed that the Centre will routinely deny access requests pursuant to section 16 or subsection 22(1)(b) of the Act. As well, the PCMLTFA amended PIPEDA to prohibit private sector organizations from informing individuals that they have provided information to FINTRAC, or from providing access to the information, if on the advice of FINTRAC the disclosure of the information could reasonably be expected to be injurious to the detection, prevention or deterrence of money laundering.
In addition to restricting individuals' information rights, the legislation is inherently troubling from a privacy perspective: it treats everyone as a potential suspect. Furthermore, by requiring a long list of private sector organizations to monitor and report on the activities of their customers, it forces these organizations into service in support of law enforcement and national security activities. This is arguably one of the most troubling aspects of this legislation and of other public safety and national security initiatives.
The comments about enlisting businesses in the fight against terrorism that Commissioner Stoddart made when she appeared before the Senate Standing Committee on Transport and Communications in March 2004 to discuss Bill C-7, the Public Safety Act, 2002, are equally appropriate with respect to the PCMLTFA:
"This legislation establishes a new and troubling precedent. What's next? Are we going to start requiring car rental firms, couriers and telecommunication companies to collect information for the purpose of turning it over to law enforcement agencies?
This runs directly counter to the increased recognition of the importance of privacy as reflected in Parliament's decision to pass the Personal Information Protection and Electronic Documents Act. PIPEDA, over which my Office has oversight, prevents private sector organizations from collecting or disclosing personal information without consent. As a nation we have decided that it is important to put restrictions on how private sector companies collect, use and disclose our personal information.
Are we now prepared to stand back and allow law enforcement and national security agencies to demand that same information and use it in ways that are dramatically at odds with fair information principles?"
A more general concern with the PCMLTFA is that it has received surprisingly little public attention. While the Anti-terrorism Act, the Public Safety Act and even the federal government's proposed "lawful access" legislation have received a great deal of media and public attention, this legislation has flown under the radar. This is surprising, and unfortunate, because in many ways this legislation is as intrusive and as much of a threat to privacy rights as these other initiatives. We would urge the Government to engage in meaningful public consultation before proposing such extreme measures. The extensive surveillance generated by these proposals warrants an enlightened public debate.
The government of Canada is now proposing to exacerbate these privacy concerns by dramatically expanding the AML/ATF regime in a number of ways:
the types of entities/businesses subject to reporting requirements will be expanded to include dealers in precious stones and metals and real estate developers. As well, the government is proposing to revisit the contentious issue of applying the reporting requirements to lawyers;
the monetary threshold is being lowered and the types of transactions that trigger reporting requirements are being expanded. For example, new provisions re: electronic funds transfers are being proposed and covered entities will be required to report attempted suspicious transactions, not just completed transactions;
the "know your customer"/due diligence requirements are being strengthened in several ways. Covered entities are expected to take measures to verify identity in non-face-to-face transactions. There will be new requirements to keep information up-to-date and entities are expected to make greater efforts to identify individuals when there are doubts about previously obtained customer information;
covered entities will be required to place special emphasis on "politically exposed persons" (heads of states, senior bureaucrats, military officials, etc.);
a registration process, including the collection of specified information, will be introduced for money service businesses and foreign exchange dealers, with FINTRAC acting as the registrar;
in order to address concerns about charities being used to fund terrorist organizations the government is proposing to allow increased sharing of information between the Canada Revenue Agency and FINTRAC; and
the list of designated information that FINTRAC can disclose to law enforcement and intelligence agencies will be expanded.
If these proposals are implemented, the number of organizations required to monitor and to collect information about their clients and customers will increase, the amount of personal information being collected will expand, more transactions will be subject to scrutiny and reporting and the number of people whose financial transactions will be scrutinized will be greater than ever. With the exception of proposal 1.7, which exempts certain low risk transactions from the client identification and record-keeping requirements, it would appear that all of the proposed changes are designed to expand the scope of the AML/ATF regime.
We have specific comments on a number of the proposals. We will discuss them in the order in which they are presented in the consultation paper.
1.5 Politically Exposed Persons
The justification for this proposal is not clear, particularly in Canada. The "definition" of a politically exposed person in the paper is extremely broad and would capture thousands if not tens of thousands of Canadians. The notion that people will be subjected to extra scrutiny, not because of suspicion, but simply because of their position is alarming. In many cases, this scrutiny would be in addition to the security checks and other screening that would have taken place prior to their appointments.
We have a great deal of difficulty accepting the need for this provision. If this proposal goes forward, the scope of this provision must be as narrow as possible.
Proposals 1.8 and 1.9
There are several troubling aspects to these proposals. The paper suggests that a reporting entity could rely on "another person or entity to ascertain the identity of their customer provided that the reporting entity has a contractual arrangement with the person or entity for the purpose of ascertaining customer identity." This leaves open the possibility (in fact it may well be perceived as a requirement) that reporting entities will use private investigators, data brokers or other third parties to verify the identity of their clients. These proposals raise the possibility that these third parties will collect far more information than necessary to verify identity. It may also open the door to misuse of the information by those third parties.
This requirement to identify non-face-to-face customers does not appear to be limited to situations in which the entity suspects that illegal or suspicious activities are taking place.
This proposal is an amendment to the regulations to require that reporting entities (all of them it would appear) "monitor their business relationships with their customers, including transactions, on an ongoing basis." This requirement for ongoing due diligence appears to be new along with the requirement to keep information up-to-date.
The paper offers no rationale for dropping the $3,000 threshold that would require an entity to ascertain the identity of the customer and keep records of electronic funds transfers. Requiring entities to take these steps for any electronic funds transfer seems excessive and unnecessary.
This proposal amends the PCMLTFA and regulations by requiring that not just suspicious transactions, but suspicious attempted transactions, be subject to the reporting requirements. The Proposal indicates that "Guidance" would be provided on this. No detail is provided in this regard, so it is not possible to comment on the underlying rationale for this amendment, nor on its potential breadth. It is also not clear whether the "Guidance" will form part of the amendments to the Act and regulations.
The Income Tax Act will be amended as required to permit the Canada Revenue Agency to disclose tax information about charities to FINTRAC and law enforcement and intelligence agencies where there is evidence that the charity is being used for money laundering or terrorist financing activities. It is not clear whether or not personal information will be disclosed under this proposal.
Proposals 2.3 to 2.5
These proposals, to include dealers in precious metals and stones and real estate developers, are among the many examples of proposed changes to the PCMLTFA that will expand the scope of the legislation and for which little or no rationale is provided.
The PCMLTFA already provides for penalties of up to $2 million for non-compliance. One of the several concerns we expressed when Bill C-22 was being passed was that given the substantial penalties for non-compliance with the reporting requirement, financial service providers and other covered entities may have a strong incentive to over-report rather than under-report. Creating an additional administrative and monetary penalties regime will increase this pressure.
This concern is not entirely hypothetical. The Wall Street Journal carried a story in its July 7, 2005 edition, "U.S. Says Banks Overreport Data for the Patriot Act" in which the Director of the Financial Crimes Enforcement Network suggested that banks are overreporting transactions to minimize the risk of being fined for failing to report.
New legislative authority will allow FINTRAC to share compliance-related information with foreign entities that have similar compliance functions. Currently the legislation limits FINTRAC to the exchange of information for investigation and prosecution purposes. The proposal states that the details will be set out in a MOU between FINTRAC and its foreign counterparts that will outline the terms and conditions for sharing compliance-related information, including the type of information eligible for exchange, limits on the use of the information and restrictions on third party dissemination of the information.
Information sharing MOUs with other countries are problematic for a number of reasons. In some cases, the country receiving the information may have weak or non-existent privacy laws. Another concern is that, particularly when there is a perceived crisis, the safeguards built into these agreements or arrangements may be ignored. Some of the evidence presented at the Arar inquiry suggests that there is a basis for this concern. Rather than relying on MOUs, we would strongly urge that, if information sharing is considered necessary, detailed provisions be set out in the legislation.
This is a proposed amendment to the Act and regulations expanding the current list of designated information that FINTRAC can disclose to law enforcement and intelligence agencies. This includes such things as "additional account information" and "type of transaction". Under the current regime, the RCMP and CSIS have to apply to the court for a production order to access additional details on transactions. The RCMP and CSIS claim this information is needed to "enhance the critical identifiers and investigative links". We would wish to be satisfied that this expansion is circumscribed to the extent possible.
The consultation paper discusses creating an advisory committee that "would serve as a discussion forum among various public sector and private sector stakeholders in Canada." We do not have a problem with the concept; in fact, this could be a positive step. However, there is nothing to suggest that the public, civil society or any other non-governmental or non-business organizations would be on the committee. In other words, the range of stakeholders would appear to be limited. At a minimum we would recommend that the protection of privacy and personal information be explicitly stated as part of the committee's mandate. We would also stress the importance of ensuring that all key stakeholders are effectively represented on this committee.
Proposals 6.18 to 6.21
These proposals would permit FINTRAC to disclose information to other government agencies for purposes which appear to be unrelated to the prevention of money-laundering or terrorist funding. The disclosures could be made for purposes such as investigating possible tax evasion, customs offences, and immigration offences as well as to support the Communications Security Establishment's general foreign intelligence mandate.
Allowing an organization to disclose information to other organizations to be used for purposes unrelated to the original purpose is contrary to widely accepted fair information principles. This is particularly troubling in this case because the original information has been collected by private sector organizations under the threat of significant penalties. We will undoubtedly want to comment further on these provisions if they go forward in legislation.
Proposals 6.26, 6.27 and 6.29
These proposals permit more sharing of information by the Canada Border Services Agency with its counterparts in other countries, within the agency itself, and with the Canada Revenue Agency. Again, it would appear that, with the possible exception of the cross-border sharing, this is for purposes unrelated to money-laundering or terrorist financing activities. Currently CBSA customs officers can share information obtained in the course of administering Part 2 of the Act only with FINTRAC and law enforcement agencies. This raises concerns about the misuse of this information by foreign jurisdictions and the same types of concerns as proposals 6.18 to 6.21.
We would be pleased to discuss any of these issues in further depth if this would be useful to you. We also look forward to reviewing the amendment package that is eventually put forward, with a view to possible further comment.
Assistant Privacy Commissioner