Private-to-private information sharing: FINTRAC's compliance guidance
This guidance explains the requirements for reporting entities that voluntarily choose to engage in private-to-private information sharing under section 11.01 of the Act.
In this guidance
- 1. What is private-to-private information sharing
 - 2. Who can engage in private-to-private information sharing
 - 3. When personal information may be disclosed, collected and used
 - 4. What a code of practice is and what information it must include
 - 5. How to submit a code of practice
 - 6. Revision, suspension and renewal of approval to the code of practice
 - For assistance
 
1. What is private-to-private information sharing
Private-to-private information sharing refers to the exchange of personal information, without the individual's knowledge or consent, between reporting entities who are participants in an approved code of practice, for the purpose of detecting and deterring money laundering, terrorist activity financing and sanctions evasion.
Personal information means information about an identifiable individual as defined in the Personal Information Protection and Electronic Documents Act.
Private-to-private information sharing has been recognized by the Financial Action Task Force as an important tool for disrupting money laundering and terrorist activity financing, while affirming the need to comply with data privacy and protection laws.
Criminals can take advantage of a lack of information sharing between reporting entities and may attempt to engage with multiple reporting entities to facilitate illicit activities and to evade detection, as each reporting entity only has a partial view of transactions.
Reporting entities that engage in private-to-private information sharing can gain a more complete view of client activity to inform their customer due diligence efforts and overall risk assessment of money laundering and terrorist activity financing. This broader view can enable reporting entities to more effectively identify and assess unusual transactions, and submit suspicious transaction reports to FINTRAC.
Private-to-private information sharing results in enhanced collaboration between reporting entities, which helps close gaps that criminals exploit, strengthens risk assessments, and improves the overall integrity of Canada's anti-money laundering and anti-terrorist financing regime.
Note: A financial entity, life insurance company or securities dealer is required to develop and apply policies and procedures related to the exchange of information between themselves and their affiliates to help detect and deter money laundering and terrorist activity financing, in accordance with section 9.8 of the Act, and is not required to enter into a code of practice to exchange this information. For more information, refer to FINTRAC's guidance on Foreign branches, foreign subsidiaries and affiliates requirements.
2. Who can engage in private-to-private information sharing
All reporting entities have the option to engage in private-to-private information sharing to more effectively detect and deter money laundering, terrorist activity financing and sanctions evasion as per the provisions outlined in section 11.01 of the Act and in accordance with all the requirements in the Act and regulations.
Reporting entities may only engage in private-to-private information sharing with other reporting entities. Engaging in private-to-private information sharing is voluntary and not required by the Act and associated Regulations.
Legal references
- Proceeds of Crime (Money Laundering) and Terrorist Financing Act (SC.2000. c17), section 3
 - Proceeds of Crime (Money Laundering) and Terrorist Financing Act (SC.2000. c17), section 11.01
 
3. When personal information may be disclosed, collected and used
Before any personal information can be shared between reporting entities, they must establish and implement a code of practice for the disclosure, collection and use of personal information.
This code of practice must be:
- submitted to FINTRAC and the Office of the Privacy Commissioner of Canada
 - approved by the Office of the Privacy Commissioner of Canada
 
A reporting entity can only disclose information to other reporting entities that are participants in their code of practice, and who have approved the code of practice.
A reporting entity must ensure that the disclosure, collection and use of personal information is carried out in accordance with the code of practice approved by the Office of the Privacy Commissioner of Canada.
No person or entity will be liable in any criminal or civil proceedings for disclosing, collecting, or using personal information in compliance with the Act and regulations, so long as it is done in good faith.
Disclosure of personal information
A reporting entity may disclose an individual's personal information to another reporting entity without the individual's knowledge or consent if all these conditions apply:
- they have established, implemented and are both participants of a code of practice that has been submitted to FINTRAC and the Office of the Privacy Commissioner of Canada, and approved by the Office of the Privacy Commissioner of Canada
 - the disclosure is carried out in accordance with the approved code of practice
 - the personal information was collected in the course of the reporting entity's activities
 - the disclosure is reasonable for the purpose of detecting or deterring money laundering, terrorist activity financing or sanctions evasion
 - making the disclosure with the individual's knowledge or consent would risk compromising the ability to detect or deter money laundering, terrorist activity financing or sanctions evasion
 
Collection and use of personal information
A reporting entity may collect or use the personal information of an individual without their knowledge or consent if all these conditions apply:
- the information was disclosed to the reporting entity under the above conditions
 - the collection or use is carried out in accordance with the approved code of practice
 
Legal references
- Proceeds of Crime (Money Laundering) and Terrorist Financing Act (SC.2000. c17), section 9.8
 - Proceeds of Crime (Money Laundering) and Terrorist Financing Act (SC.2000. c17), section 11.01
 - Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (SOR/2002-184), section 158
 - Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (SOR/2002-184), section 159
 - Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (SOR/2002-184), subsection 161(4)
 
4. What a code of practice is and what information it must include
A code of practice is a written document established and implemented by reporting entities that outlines and explains how they comply with private-to-private information sharing under section 11.01 of the Act.
A code of practice must include the following information:
- the reporting entities that are subject to the code
   - for validation purposes, the code of practice must include their legal name(s) and reporting entity number(s) assigned by FINTRAC
 - a description of the personal information of an individual that may be disclosed, collected or used without their knowledge or consent
 - a description of the purposes for which an individual's personal information may be disclosed, collected, or used without their knowledge or consent
 - a description of the manner in which an individual's personal information may be disclosed, collected or used without their knowledge or consent
 - a description of the measures that will be taken to ensure the protection of personal information, including measures concerning the retention of such information and the keeping of records
 - information demonstrating that the code complies with the requirements of the Act and provides for substantially the same or greater protection of personal information as that provided under the Personal Information Protection and Electronic Documents Act
 
The Office of the Privacy Commissioner of Canada may request from the applicant any additional information necessary for deciding whether the code of practice meets the requirements of the regulations.
Please visit the Office of the Privacy Commissioner of Canada's website for information on the Personal Information Protection and Electronic Documents Act:
- PIPEDA fair information principles (Office of the Privacy Commissioner of Canada)
 - Privacy Guide for Businesses (Office of the Privacy Commissioner of Canada)
 - PIPEDA Interpretation Bulletins (Office of the Privacy Commissioner of Canada)
 
Legal references
- Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (SOR/2002-184), section 160
 
5. How to submit a code of practice
Before engaging in private-to-private information sharing, a reporting entity must submit a code of practice to FINTRAC and to the Office of the Privacy Commissioner of Canada, and have that code approved by the Office of the Privacy Commissioner of Canada.
The code of practice must be accompanied by an acknowledgement that each participating reporting entity has approved the code of practice and has consented to its submission to FINTRAC and the Office of the Privacy Commissioner of Canada.
FINTRAC will review the code of practice and may provide comments to the applicant or to the Office of the Privacy Commissioner of Canada, or both, within 60 calendar days following the day it is received.
The Office of the Privacy Commissioner of Canada will review the code of practice for approval based on whether it meets the requirements of the regulations and notify the applicant of its decision. In the case of a refusal, they will provide the reasons in writing. If they do not notify the applicant of their decision before the end of the period described in the next paragraph, the code of practice is deemed to be approved as of the end of that period.
The Office of the Privacy Commissioner of Canada will have 120 calendar days to review, and an additional 15-day extension if required. In the case of an extension, they will notify the applicant of the extension. The Office of the Privacy Commissioner of Canada may send the applicant a request for any additional information necessary for deciding whether the code of practice meets the requirements of the regulations and pause the time for processing an application until that information is provided.
Submit a code of practice to:
- the Office of the Privacy Commissioner of Canada: Submit a code of practice
 - FINTRAC: codeofpractice-codedepratique@fintrac-canafe.gc.ca
 - Model code of practice
 
Legal references
- Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (SOR/2002-184), section 161
 
6. Revision, suspension and renewal of approval to the code of practice
Revision
If a revision is made to an approved code of practice, the reporting entity must notify FINTRAC and the Office of the Privacy Commissioner of Canada as soon as feasible and provide them with a copy of the revised code of practice.
The Office of the Privacy Commissioner of Canada will determine if the revision is significant. If the Office of the Privacy Commissioner of Canada considers the revision significant, it will notify the reporting entity within 30 calendar days and direct them to apply for approval of the revised code of practice following the process described in section 5 How to submit a code of practice.
Throughout this process, a code of practice previously approved by the Office of the Privacy Commissioner of Canada remains in force until either of the following occurs:
- the Office of the Privacy Commissioner of Canada notifies the parties that the revised code is approved
 
or
- the Office of the Privacy Commissioner of Canada has not notified parties within 30 days that the revision is considered significant
 
Suspension
If the Privacy Commissioner has reasonable grounds to believe that a person or entity has revised an approved code of practice but has failed to notify the Commissioner, the Commissioner may direct the person or entity to apply for approval of the revised code. If a person or entity fails to comply with the Commissioner's direction, the Commissioner may suspend the approval of the code of practice.
Renewal of approval
An approved code of practice must be submitted for re-approval every 5 years after the day of the most recent approval. Applications for re-approval are submitted using the same method described in section 5 How to submit a code of practice.
Legal references
- Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (SOR/2002-184), section 165
 - Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (SOR/2002-184), section 166
 - Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (SOR/2002-184), section 167
 
 
For assistance
If you have questions on your requirements, please contact FINTRAC by email at guidelines-lignesdirectrices@fintrac-canafe.gc.ca