The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), the department responsible for monitoring bank accounts across the country for counter terrorist funding and anti-fraud purposes, is collecting more personal information on Canadians than is necessary, according to the Office of the Privacy Commissioner of Canada (OPC).
The FINTRAC audit tabled in Parliament yesterday followed recommendations from a previous audit of the database conducted by the OPC in 2009. The earlier audit found that FINTRAC needed to do more to ensure that the amount of personal information it collects is kept at an “absolute minimum.”
“While FINTRAC continues to have sound security controls, it has made limited progress in addressing recommendations from our previous audits,” said Privacy Commissioner Jennifer Stoddart in a statement yesterday. “This is particularly disappointing, given that FINTRAC had previously indicated it was committee to finding ways to limit the amount of personal information it was accepting and holding.”
FINTRAC is mandated by law to receive financial transaction reports and voluntary information on money laundering and terrorist financing from persons and entities in various sectors, which are subject to the Proceeds of Crime (money laundering) and Terrorist Financing Act (PCMLTFA).
As of March 2012, FINTRAC’s databases held approximately 165 million reports containing personal information related to financial transactions, such as down payments for house and vehicle purchases, wire transfers received by international students residing in Canada, or funds sent by parents in Canada to children who are studying abroad.
Some of these reports may be submitted to FINTRAC without the knowledge or consent of the individuals concerned, the OPC reported.
The commission is considers it an infringement of individual privacy rights when information of innocent citizens are being collected and stored in a database that is intended to track criminal activity. Keeping such a large amount of personal information in a database also puts the personal data of individuals at risk of a data breach without their knowledge or consent.
The mere inclusion in a database without justification is a violation of privacy rights, according to OPC.
For example, Stoddart said, her office found that the personal information of a store owner was stored in the FINTRAC database after a financial institution filed a report on the person. The report was filed for no other reasons than the bank was suspicious because the individual deposited $570 in $100, $20 and $5 dollar bill.
She also cited the case of a young person who cashed three bank drafts worth almost US$100,000 which were purchased from a Canadian bank. The organization concerned cashed the drafts, confirmed their validity but still reported the individual to FINTRAC because it felt it odd that such a young person would have that much money.
In another case, An individual, who purchased a home from his childhood friend, released the deposit directly to the seller instead of to the seller’s lawyer. The notary for the transaction opted to submit a report only because he was unsure as to whether the transaction needed to be reported.
“When individuals suddenly find themselves of interest to say Canadian Border Services, of the Canada Revenue Agency…we don’t know how much of this leads back to FINTRAC,” said Michael Vonn, of the B.C. Civil Liberties Association, in an interview with the broadcast stations CBC.
He also said that there is no evidence that FINTRAC is actually effective in countering terrorist financing and money laundering.
FINTRAC however, said it does not have the resources to screen all the information that it receives. The agency only has 350 employees but receives more than 20 million reports a year, according to FINTRAC spokesperson Peter Lamey.
The audit found that FINTRAC had made some progress since 2009 in addressing gaps that existed in its privacy management framework, for example it had implemented a privacy breach identification and reporting protocol and expanded security awareness initiatives.
The audit recommended that FINTRAC analyze and assess incoming reports; identify and dispose of information that it should not have received and is not directly related to its operating programs and activities; ensure that guidance issued by regulatory partners is consistent with PCMLTFA requirements; and ensure that staff fully comply with its security policies and procedures.
FINTRAC accepted all of the audit’s recommendations and provided responses as to how it intends to address them. Recently, FINTRAC has informed the OPC it has taken additional measures to enhance compliance with its security policies and procedures in response to a breach incident that occurred earlier this year.
“FINTRAC has proposed some measures to address the deficiencies we identified; however, there is more work to do,” Stoddart said. “It still needs effective screening processes to ensure it no longer receives and retains sensitive personal information that it doesn’t need.”
The OPC will follow up with FINTRAC in two years to evaluate their progress on strengthening their privacy practices.