Private-to-private information sharing : FINTRAC's compliance guidance

This guidance explains the requirements for reporting entities that voluntarily choose to engage in private-to-private information sharing under section 11.01 of the Act.

1. What is private-to-private information sharing

Private-to-private information sharing refers to the exchange of personal information without an individual’s knowledge or consent between reporting entities that participate in an approved code of practice. The purpose of this exchange is to detect and deter money laundering, terrorist activity financing and sanctions evasion.

Personal information refers to information relating to an identifiable individual as defined in the Personal Information Protection and Electronic Documents Act.

The Financial Action Task Force has recognized private-to-private information sharing as an important tool for disrupting money laundering and the financing of terrorism, while affirming the need to comply with data privacy and protection laws.

Criminals can take advantage of a lack of information sharing between reporting entities and may attempt to engage with multiple reporting entities to facilitate illicit activities and to evade detection, as each reporting entity only has a partial view of transactions.

Reporting entities that engage in private-to-private information sharing can gain a more complete view of client activity to inform their customer due diligence efforts and overall risk assessment of money laundering and terrorist activity financing. This broader view can enable reporting entities to more effectively identify and assess unusual transactions and submit suspicious transaction reports to FINTRAC.

Private-to-private information sharing results in enhanced collaboration between reporting entities, which helps close gaps that criminals exploit, strengthens risk assessments, and improves the overall integrity of Canada’s anti-money laundering and anti-terrorist financing regime.

2. Who can engage in private-to-private information sharing

All reporting entities have the option to engage in private-to-private information sharing to more effectively detect and deter money laundering, terrorist activity financing and sanctions evasion as per the provisions outlined in section 11.01 of the Act and in accordance with all the requirements in the Act and Regulations.

Reporting entities may only engage in private-to-private information sharing with other reporting entities. Engaging in private-to-private information sharing is voluntary and not required by the Act and associated Regulations.

3. When personal information may be disclosed, collected and used

Before any personal information can be shared between reporting entities, they must establish and implement a code of practice for the disclosure, collection and use of personal information.

This code of practice must be:

• submitted to FINTRAC and the Office of the Privacy Commissioner of Canada
• approved by the Office of the Privacy Commissioner of Canada

A reporting entity can only disclose information to other reporting entities that are participants in their code of practice, and who have approved the code of practice.

A reporting entity must ensure that the disclosure, collection and use of personal information is carried out in accordance with the code of practice approved by the Office of the Privacy Commissioner of Canada.

No person or entity will be liable in any criminal or civil proceedings for disclosing, collecting, or using personal information in compliance with the Act and Regulations, so long as it is done in good faith.

Disclosure of personal information

A reporting entity may disclose an individual’s personal information to another reporting entity without the individual’s knowledge or consent if all the following conditions apply:

• they have established and implemented a code of practice, are participants in it, and it has been submitted to FINTRAC and the Office of the Privacy Commissioner of Canada, and approved by the Office of the Privacy Commissioner of Canada
• the disclosure is carried out in accordance with the approved code of practice
• the personal information was collected during the reporting entity’s activities
• the disclosure is reasonable for the purpose of detecting or deterring money laundering, terrorist activity financing or sanctions evasion
• making the disclosure with the individual’s knowledge or consent would risk compromising the ability to detect or deter money laundering, terrorist activity financing or sanctions evasion

Collection and use of personal information

A reporting entity may collect or use the personal information of an individual without their knowledge or consent if all the following conditions apply:

• the information was disclosed to the reporting entity under the above conditions
• the collection or use is carried out in accordance with the approved code of practice

4. What a code of practice is and what information it must include

A code of practice is a written document established and implemented by reporting entities to outline and explain how they comply with the private-to-private information sharing provisions of section 11.01 of the Act.

A code of practice must include the following information:

• The name of the reporting entities that are subject to the code.
  • For validation purposes, the code of practice must include the reporting entity’s legal name(s) and the reporting entity number assigned at the time of enrolment in FINTRAC’s Web Reporting System.
  • If you do not have a reporting entity number assigned by FINTRAC, you must enroll to the FINTRAC Web Reporting System. To enroll, email your request to FINTRAC at F2R@fintrac-canafe.gc.ca. 
• A description of an individual’s personal information that may be disclosed, collected or used without their knowledge or consent.
• A description of the purposes for which an individual’s personal information may be disclosed, collected, or used without their knowledge or consent.
• A description of the manner in which an individual’s personal information may be disclosed, collected or used without their knowledge or consent.
• A description of the measures that will be taken to ensure the protection of personal information, including measures concerning the retention of such information and the keeping of records.
• Information demonstrating that the code complies with the requirements of the Act and provides for substantially the same or greater protection of personal information as that provided under the Personal Information Protection and Electronic Documents Act.

The Office of the Privacy Commissioner of Canada may request any additional information from the applicant that is necessary to decide whether the code of practice meets the Regulations’ requirements.

5. How to submit a code of practice

Before engaging in private-to-private information sharing, a reporting entity, or a representative acting on their behalf, must submit a code of practice to FINTRAC and to the Office of the Privacy Commissioner of Canada, and have that code approved by the Office of the Privacy Commissioner of Canada.

The code of practice must be accompanied by an acknowledgement that each participating reporting entity has approved the code of practice and has consented to its submission to FINTRAC and the Office of the Privacy Commissioner of Canada.

FINTRAC will review the code of practice and may provide comments to the applicant or to the Office of the Privacy Commissioner of Canada, or both, within 60 calendar days following the day it is received.

The Office of the Privacy Commissioner of Canada will review the code of practice for approval based on whether it meets the requirements of the Regulations and notify the applicant of its decision. In the case of a refusal, they will provide the reasons in writing. If they do not notify the applicant of their decision before the end of the period described in the next paragraph, the code of practice is deemed to be approved as of the end of that period. 

The Office of the Privacy Commissioner of Canada will have 120 calendar days to review, and an additional 15-day extension if required. In the case of an extension, they will notify the applicant of the extension. The Office of the Privacy Commissioner of Canada may send the applicant a request for any additional information that is necessary for deciding whether the code of practice meets the requirements of the Regulations and pause the time for processing an application until that information is provided.

6. Revision, suspension and renewal of approval to the code of practice

Revision

If a revision is made to an approved code of practice, the reporting entity must notify FINTRAC and the Office of the Privacy Commissioner of Canada as soon as feasible. and provide them a copy of the revised code of practice.

The Office of the Privacy Commissioner of Canada will determine whether the revision is significant. If the Office of the Privacy Commissioner of Canada considers the revision significant, it will notify the reporting entity within 30 calendar days and direct it to apply for approval of the revised code of practice, following the process described in section 5, How to submit a code of practice.

Throughout this process, a code of practice previously approved by the Office of the Privacy Commissioner of Canada remains in force until either of the following occurs:

• the Office of the Privacy Commissioner of Canada notifies the parties that the revised code is approved; or
• the Office of the Privacy Commissioner of Canada has not notified the parties within 30 calendar days that the revision is considered significant.

Suspension

If the Privacy Commissioner has reasonable grounds to believe that a person or entity has revised an approved code of practice but has failed to notify the Commissioner, the Commissioner may direct the person or entity to apply for approval of the revised code. If a person or entity fails to comply with the Commissioner's direction, the Commissioner may suspend the approval of the code of practice.

Renewal of approval

An approved code of practice must be submitted for re-approval every 5 years after the day of the most recent approval. Applications for re-approval are submitted using the same method described in section 5, How to submit a code of practice.

7. What FINTRAC expects from participants in an approved code of practice

Once a code of practice is approved and implemented, all participants must continue to comply with all the requirements set out in the Act and associated Regulations.

FINTRAC applies a risk-based supervisory approach, in line with its supervisory framework, when assessing reporting entities’ compliance with the Act and associated Regulations. 

In accordance with the suspicious transaction reporting requirements, reporting entities are expected to take measures that enable them to establish whether a transaction or attempted transaction is related to the commission of a money laundering, terrorist activity financing or sanctions evasion offence.

Participants in an approved code of practice must assess collected personal information as they would with other sources of information (for example, adverse media or sanctions screening) as this information may be used to detect or deter money laundering, terrorist activity financing or sanctions evasion.

Disclosure, collection and use of personal information under an approved code of practice may cause a reporting entity to reach reasonable grounds to suspect that a suspicious transaction has occurred or was attempted, prompting them to submit a Suspicious Transaction Report.

Similarly, participants in an approved code of practice are encouraged to consider the personal information they have collected as part of their client risk assessment and ongoing monitoring measures.

8. For assistance

If you have questions on your requirements, please contact FINTRAC by email at guidelines-lignesdirectrices@fintrac-canafe.gc.ca