Model code of practice : Private-to-private information sharing
Disclaimer: This document is a model Code of practice and is intended to support reporting entities by providing an example of what could be considered in the voluntary development of more specific codes of practice that would meet the needs of each participating reporting entity's particular use case(s) or sector.
This document is meant for general guidance only. Each section highlights examples of what could be included in a Code of practice. However, it is the responsibility of the submitting reporting entities to develop and determine the relevant information and details necessary to meet the requirements for a Code of practice.
Codes of practice that are submitted to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) and the Office of the Privacy Commissioner should be tailored to the participating reporting entity's unique context. Emulating this document is not a guarantee of approval by the Office of the Privacy Commissioner. All codes are to be submitted to FINTRAC for review and to the Office of the Privacy Commissioner of Canada for approval.
On this page
- Application
- Purposes for which personal information may be disclosed, collected or used
- Personal information that may be disclosed, collected or used
- Manner of sharing of personal information
- Measures to ensure the protection of personal information disclosed, collected or used
- Compliance with the requirements of the Act
- Provisions for substantially the same or greater protection of personal information as that provided under PIPEDA
- Annex A: Code participants
- Annex B: Meaning of personal information
- Annex C: Section 11.01 of the Act
Application
This Code of practice applies to all participants identified in Annex A of this document. All participants are persons and entities referred to in section 5 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).
Purposes for which personal information may be disclosed, collected or used
Note: It is recommended that you list specific purposes relevant to your specific situation to further demonstrate the context to the Office of the Privacy Commissioner.
The disclosure, collection and use of personal information by the participants of this Code of practice are limited to the purposes of detecting or deterring money laundering, terrorist financing and sanctions evasion, consistent with the Act (as detailed in section 6 of this Code). Participants may only use information for purposes permitted or required by applicable law.
In furtherance of these purposes, personal information disclosed, collected and used as part of this Code of practice will support:
- the identification and disruption of illicit activity across different financial networks, transactions and platforms;
- the effective implementation of legislative and regulatory requirements under the Act, such as the filing of suspicious transaction reports (STRs);
- the reduction of information silos and blind spots exploited by criminals; and
- increased effectiveness of customer risk assessment and monitoring commensurate with the risk level.
For the purposes of this Code of practice, "personal information" has the same meaning as that provided within the Personal Information Protection and Electronic Documents Act (PIPEDA), as cited in Annex B.
Upon receipt of information, Code participants are expected to assess what, if anything, is required of them. Receipt of information does not in itself oblige a participant to take any action.
Personal information that may be disclosed, collected or used
The personal information that may be disclosed, collected or used, includes information that was lawfully acquired in the course of the participant's activities and is reasonable for the purposes of detecting or deterring money laundering, terrorist financing or sanctions evasion.
The following categories of personal information may be disclosed, collected or used by participants of this Code of practice, for the purposes outlined above:
- Information collected in the course of a participant's activities with respect to any relevant person or entity. Examples may include name, address, email address, telephone number, identity documents, citizenship, employer and beneficial ownership.
- Information collected in the course of a participant's activities on relevant transactions or attempted transactions. Examples may include the date, time and location of transactions, the types and amounts of funds or other assets involved, and transaction identifiers.
- Information collected in the course of a participant's activities relating to accounts. Examples may include account holders, account numbers, reference numbers, branch numbers and institution numbers.
- Information collected in the course of a participant's activities associated with the use of online interfaces. Examples may include information on the devices used in transactions, Internet Protocol addresses and data from online sessions.
- Circumstantial and contextual information collected in the course of a participant's activities that may assist in assessing whether there are reasonable grounds to suspect that a transaction relates to an applicable offence under section 7 or section 7.1 of the Act. Examples may include detailed descriptions, previous analysis and assessments done by a participant, previous action taken such as de-risking, or any previous suspicion of committing or attempting to commit a money laundering, terrorist financing or sanctions evasion offence.
- Publicly accessible information that was lawfully collected in the course of a participant's activities. Examples of publicly accessible information may include public records, media reports, social media profiles, financial disclosures or industry publications.
To ensure that the information is disclosed, collected or used for a purpose that a reasonable person would consider appropriate in the circumstances, the Code participant will ensure that the disclosure, collection and use is necessary to achieve the purposes detailed in section 2, that any harms likely to result are proportionate to the benefits gained, and that the purposes cannot be achieved effectively by sharing less personal information.
Manner of sharing of personal information
Relevant personal information will be disclosed, collected or used via one of the below-noted secure methods that provides for privacy protections consistent with PIPEDA and section 5 of the Code.
- Secure electronic or virtual methods of communication, such as encrypted email, APIs, virtual data rooms, secure collaboration networks, secure file transfer services and other secure information technology protocols.
- Secure physical or person-to-person methods of communication, such as secure telephone lines, secure video conference or registered mail.
These measures will ensure relevant personal information is protected against loss, unauthorized access during transfer, or unauthorized access in the use of this information. If the relevant personal information is not considered accurate, the participant(s) may take reasonable steps to inform a relevant participant and rectify this information where possible.
Measures to ensure the protection of personal information disclosed, collected or used
Note: Applicants should detail the measures to ensure the protection of personal information with as much detail as possible, including the reference to recognized industry standards (OSFI, NIST, ISO, etc.) adhered to by the participants to demonstrate that personal information is adequately safeguarded.
Retention and disposal
To ensure the protection of relevant personal information disclosed, collected or used among participants, information is only retained for the duration required for its use in accordance with the outlined purposes, or according to the participant's own retention policies on information pertaining to money laundering, terrorist financing or sanctions evasion, such as those required by the Act and associated Regulations.
Participants will implement mechanisms to ensure that personal information is not retained for longer than is necessary. Participants will dispose of personal information in a manner that will ensure this information is no longer accessible or usable. Disposition methods could include, but are not limited to, data wiping, secure deletion software or physical destruction.
Note: Applicants should include a retention schedule for all personal information collected, used and disclosed under section 11.01 of the Act.
Record keeping
The participants of this Code shall keep records in accordance with requirements in the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations and PIPEDA. These requirements include keeping records or copies of records in machine-readable or electronic form if a paper copy can readily be produced from it. Physical copies of records may also be retained.
Participants will keep information in electronic documents, physical documents or records in a manner that is readable or perceivable by any person who is authorized to have access to the document or record.
For the purposes of record keeping, participants will document, classify and categorize relevant personal information. Participants will also document and retain records of each decision to disclose, collect or use personal information, as well as the rationale for that decision, taking into account relevant criteria as set out in established frameworks.
Participants will store relevant personal information and records in a manner in which the origin can be identified.
Safeguards
Relevant personal information to be retained and shared will be protected by safeguards appropriate to the sensitivity of the information. Recognizing that the information in question will often be highly sensitive, the personal information disclosed, collected and used pursuant to this Code will be protected by robust safeguards.
Participants of this Code of practice will apply internal procedures for assessments to determine the level of sensitivity attributed to relevant personal information.
Code participants will conduct assessments to identify vulnerabilities and threats to the information while the information is retained and while it is in transit. They will implement security measures appropriate to the sensitivity of the personal information to be shared or used to address the risks and threats identified.
Physical forms of relevant personal information will be retained in secure physical environments, which may include, but are not limited to, locked filing cabinets or a safe. Digital forms of relevant personal information will be stored in secure spaces and shared via secure mechanisms, with physical and digital forms of access control. These controls may include encryption (in transit and at rest) using the algorithms currently used by participants' anti-money laundering and anti-terrorist financing programs, multi-factor authentication, key management and role-based access control permissions.
Access to digital or physical forms of relevant personal information will be limited based on necessity and role permissions. Measures to protect personal information may include but are not limited to, access log monitoring or audit trails, intrusion detection systems, role-based access controls and other reasonable methods.
Additional storage and sharing safeguards shall include established and secure methods to protect information, such as two-factor authentication protocols; secure generation, distribution, storage and rotation of encryption keys; and IT protocols for secure network architectures. The safeguards shall also include established personnel management, risk management and privacy management protocols and procedures to safeguard relevant information throughout its disclosure, collection or use, such as strong password policies, regular software updates and employee training on privacy and the proper use of information.
Safeguards shall also include established methods to verify accuracy and completeness of data, such as data validation practices, established internal data governance frameworks or established employee training.
Participants will limit information access and sharing within the organization. Individuals involved in accessing or receiving information must:
- Have a role that relates to the participant's anti-money laundering, anti-terrorist financing and counter-sanctions evasion functions, or to an associated audit or review, legal, information security or other relevant corporate function, for information disclosed, collected or used in relation to the Code.
- Complete privacy and anti-money laundering, anti-terrorist financing and counter-sanctions evasion training.
- Have access to, have reviewed and understand the Code of practice.
- Be aware of and apply the permitted mechanisms for the secure disclosure, collection and use of relevant information.
- Apply all relevant policies and procedures to safeguard privacy.
Breach response
Where there is, or may be, a breach of security safeguards concerning information collected pursuant to section 3 of this Code, participants will follow their organization's incident management protocols. These protocols must accord with PIPEDA and other applicable laws and should address, without limitation: immediate containment; investigation and assessment to determine the cause and extent of the breach; risk assessment to evaluate harm; identification of affected individuals; communication with relevant authorities; and implementation of measures to prevent a similar breach in future.
If a breach occurs after the personal information has been collected from another Code participant, the recipient Code participant is responsible for the incident management protocols. The recipient Code participant will notify the disclosing participant if there was a breach related to information that was received from the disclosing participant. If the breach occurs in transit or is jointly held as part of a data exchange mechanism, participants will ensure appropriate policies and procedures are applied, including incident management protocols and notification procedures.
Should a breach of security safeguards of personal information be believed to create a real risk of significant harm to an individual, the concerned participant or participants will follow established procedures to comply with sections 10.1, 10.2 and 10.3 of PIPEDA and the relevant provincial laws, including by reporting the breach to the Office of the Privacy Commissioner of Canada and/or relevant provincial authorities as well as affected individuals.
Compliance with the requirements of the Act
The purposes outlined by this Code of practice demonstrate a direct link to section 3 of the Act. The purpose of sharing relevant personal information is in accordance with section 3 of the Act outlining the need to implement specific measures to detect and deter money laundering and the financing of terrorist activities and to facilitate the investigation and prosecution of money laundering offences, terrorist activity financing offences, and sanctions evasion.
The relevant personal information shared may also enable better responses to the threat posed by organized crime by providing the information needed to deprive criminals of the proceeds of their activities, while ensuring that appropriate safeguards are in place to protect the privacy of individuals with respect to their personal information.
This Code also aligns with the requirements of the Act, insofar as it supports Canada's international commitments and enhances Canada's capacity to take targeted measures to protect its financial system and to mitigate the risk posed by money laundering and terrorist financing activities to this system.
The elements of this Code of practice on record keeping and retention align with section 6 of the Act and the associated Regulations. The processes, protocols and measures outlined by this Code demonstrate that it meets or exceeds the expectations for record keeping and retention of information relevant to anti-money laundering, anti-terrorist financing and counter-sanctions evasion activities under the Act and the associated Regulations.
This Code of practice adheres to the limitations on disclosure found in section 8 of the Act and aligns with the provisions on disclosure, collection, use and immunity contained in section 11.01 of the Act. For the specific provisions, please consult Annex C of this Code of practice.
This Code of practice will enable participants to ensure they are meeting requirements found in section 7 and/or section 7.1 of the Act.
No participant shall disclose that they have disclosed, collected or used any relevant personal information for the purposes outlined by this Code of practice, with the intent to unlawfully prejudice a criminal investigation whether or not a criminal investigation has begun.
Provisions for substantially the same or greater protection of personal information as that provided under PIPEDA
Principle 1: Accountability
Only eligible individuals from each participant are to engage in the disclosure, collection and use of information. All participants will undertake to have comprehensive privacy and anti-money laundering and anti-terrorist financing programs to ensure compliance with all applicable laws.
All participants have agreed to the terms of this Code of practice.
The applicant has implemented, or will implement, measures consistent with the accountability requirements in PIPEDA to ensure that the privacy requirements detailed in this Code are followed. These measures include, but are not limited to, secure methods of sharing personal information, retention and disposal measures, record keeping, breach response policies and safeguards such as role-limited access.
Each participant will also make available the name or title, and the address, of the person who is accountable for the organization's privacy policies and practices and to whom complaints or inquiries can be forwarded.
Principle 2: Identifying purposes
Section 2 of this Code of practice identifies the purposes for sharing relevant information, which are compliant with Canada's anti-money laundering and anti-terrorist financing legislative and regulatory requirements.
Principle 3: Consent
This Code relates to collection, use, or disclosure where the parties have determined that consent is not required pursuant to subsection 11.01(1) of the Act.
Principle 4: Limiting collection
Note: Applicants should explain what specific policies and procedures have been or will be implemented in order to prevent overcollection, and how specifically the parties will ensure that the information disclosed, and therefore collected by the recipient, is not more than necessary for the identified purposes.
Participants will only collect personal information under this Code as part of the participants' current anti-money laundering and anti-terrorist financing requirements and only for the purposes set out by this Code of practice.
Principle 5: Limiting use, disclosure and retention
Only select individuals from each participant are to engage in the use, disclosure and collection of personal information pursuant to this Code of practice, consistent with the limits and controls in section 5, above. Participants shall not use, disclose or retain personal information under this Code except for a specific purpose outlined in section 2 of this Code of practice. Participants shall have procedures in place for suspending planned disposal of personal information when continued retention may be legally necessary.
Principle 6: Accuracy
Note: Applicant to provide specific information about how they will ensure information is accurate and complete, particularly in the context of information that is to be, or has been, shared with one or more participants. This may include, without limitation, the evaluation of the reliability of sources from which personal information may be collected, and processes in place to update information that may be, or may have been, shared.
This Code of practice outlines that participants shall have methods to ensure information is sufficiently accurate, up to date and complete for the purposes for which it is to be used, taking into consideration the interests of the individual implicated. Should a participant determine that the information in question is not sufficiently accurate, complete or up to date, this Code of practice outlines that participants shall take reasonable steps to inform participants of inaccurate information and rectify where needed.
Principle 7: Safeguards
Section 5 of this Code of practice outlines the safeguards that shall be applied by the Code of practice participants. Section 5 also outlines the record keeping, breach response and retention and disposal measures.
Principle 8: Openness
All participants of this Code of practice have readily available, public and comprehensible documentation that explains each participant's privacy policies regarding personal information.
Principle 9: Individual access
Participants of this Code shall apply policies and procedures to provide access consistent with the requirements under PIPEDA and relevant provincial privacy laws. These procedures will provide for conducting a reasonable search to identify relevant records, considering the applicability of available exemptions, and providing a response to the request, including any responsive records, within the timelines set out in the relevant legislation. This process will also take into account that sharing under this Code of practice takes place without the knowledge or consent of the individual concerned, and that responding to a request must not compromise that purpose.
Participants will implement a protocol and process to determine appropriate coordination and responsibilities in a context where the request is for access to information that has been shared by one participant with one or more other participants.
Principle 10: Challenging compliance
Note: Applicant to explain procedures by which an individual can file a complaint with a participant and procedures for handling complaints, in particular where the complaint relates to information disclosed to or received from another participant or where the information is jointly held.
Any person or entity who believes that a participant has not complied with any element of this Code of practice may file a complaint with the Privacy Commissioner of Canada and/or the relevant participant. Code participants will implement a protocol and process for accepting, investigating, addressing and responding to privacy complaints and enquiries that complies with PIPEDA and other relevant privacy laws.
Annex A: Code participants
Participant 1: Legal Operating Name
Reporting entity number:
Contact Information:
John Smith
Chief Compliance Officer
Jsmith@participant1.ca
(555)-555-5555
123 Road Rd, Toronto, Ontario, Canada M5M 1R5
Participant 2: Legal Operating Name
Reporting entity number:
Contact Information:
Jane James
Chief Compliance Officer
Jjames@participant2.ca
(555)-555-5555
456 Road Rd, Ottawa, Ontario, Canada K1H 1H1
Annex B: Meaning of personal information
PIPEDA, subsection 2(1):
"personal information means information about an identifiable individual."
Annex C: Section 11.01 of the Act
Disclosure without consent
11.01 (1) A person or entity referred to in section 5 may disclose an individual's personal information to another person or entity referred to in that section without the individual's knowledge or consent if
- (a) the information was collected in the course of the person or entity's activities;
- (b) the disclosure is reasonable for the purpose of detecting or deterring money laundering, terrorist activity financing or sanctions evasion;
- (c) making the disclosure with the individual's knowledge or consent would risk compromising the ability to detect or deter money laundering, terrorist activity financing or sanctions evasion; and
- (d) the disclosure is made in accordance with the regulations.
Collection and use
(2) A person or entity referred to in section 5 may collect or use an individual's personal information without their knowledge or consent if the information was disclosed to the person or entity under subsection (1) and the collection or use is carried out in accordance with the regulations.
Immunity
(3) No criminal or civil proceedings lie against a person or an entity that, in good faith, discloses information under subsection (1) or collects or uses information under subsection (2).