Recently the Compliance Officer from a small reporting entity reached out to me to ask an uncomfortable question: should they provide copies of the Suspicious Transaction Reports (STRs) that they had filed with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) to their financial services providers such as a credit union or bank?
This was a difficult situation for the reporting entity’s Compliance Officer because they were afraid of pushing back too much with the financial services provider. Like most non-bank reporting entities, they rely heavily on the services provided by the bank in order to be able to operate their business. Financial service providers, such as banks and credit unions, have the ability to close the accounts of businesses in Canada (often called de-risking), and it can be difficult for some types of reporting entities to establish new banking or payments relationships. The financial services provider in this situation has significantly more power than the reporting entity that is dependent on them.
My gut reaction was that the reporting entity should not disclose the contents of their STR reports, or provide copies. In Canadian legislation, disclosing the fact that an STR was made, or disclosing the contents of such a report, with the intent to “prejudice a criminal investigation” can be punishable as a criminal offence, with penalties of up to 2 years imprisonment (this is also known as “tipping off”). While there did not appear to be any intent to prejudice a criminal investigation in this case, it still seemed like a bad idea. I did a quick check-in with fellow AML geeks on LinkedIn. There are some great comments here, and I had a number of conversations in DMs and by phone. No one seemed to think that the reporting entity should be providing copies of STRs.
The question then became how to best empower the reporting entity to push back effectively. I submitted the following request to FINTRAC and to the Office of the Privacy Commissioner (OPC), both of which have mechanisms to allow Canadians and Canadian companies to ask the regulators to opine on matters free of charge:
One of our clients, a Canadian Money services business (MSB) has been asked by their financial services provider (bank/credit union) to provide copies of the suspicious transaction reports (STRs) and Attempted Suspicious Transaction Reports (ASTRs) that have been filed with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) on an ongoing basis. This struck us as being an overreach in terms of the information that should be disclosed to a service provider, and we are reaching out for an opinion on the appropriateness of these requests.
The financial service provider appears to be of the opinion that this is a reasonable request, and that they may close the MSB’s bank account if the STRs and ASTRs are not provided by the MSB.
I let both FINTRAC and OPC know that I had submitted requests to both. So far, only FINTRAC has responded. Their response is below in full (TL:DR: reporting entities should not share copies of STRs reported to FINTRAC).
Thank you for contacting the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), Canada’s independent agency responsible for the receipt, analysis, assessment and disclosure of information in order to assist in the detection, prevention and deterrence of money laundering and the financing of terrorist activities in Canada and abroad.
I am writing further to your email of July 16th, 2020, wherein you requested clarification regarding the sharing of suspicious transaction reports (STRs) submitted to FINTRAC.
As you know, section 8 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) states that no person or entity shall disclose that they have made, are making, or will make a report under section 7, or disclose the contents of such a report, with the intent to prejudice a criminal investigation, whether or not a criminal investigation has begun.
The PCMLTFA sets out a regime in which the information contained in financial transaction reports sent to FINTRAC (including STRs) is protected from disclosure except in very limited circumstances. The Act also includes specific provisions aimed at protecting the personal information under FINTRAC’s control. For example, as you may be aware, the PCMLTFA is founded on a prohibition on disclosure (s. 55(1), PCMLTFA). Any disclosure of information or intelligence by FINTRAC must fall under one of the exceptions to this prohibition. Outside of these exceptions, FINTRAC is prohibited from disclosing the contents of financial transaction reports, or even acknowledging their existence.
While reporting entities (REs) are not subject to the same prohibitions, FINTRAC strongly believes that STRs should be regarded as highly sensitive documents, given the role FINTRAC plays in the fight against money laundering (ML) and terrorist activity financing (TF) in Canada, and the fact that STRs are a key source of FINTRAC’s intelligence holdings. From FINTRAC’s perspective, it is not in the public interest for REs to disclose financial transaction reports and the information contained therein. Even beyond this, the collection or disclosure of financial transaction reports, including STRs, without a valid purpose and authority, may infringe on legislated privacy protection obligations. Almost all information within financial transaction reports is personal information about an identifiable individual and is considered financial intelligence by
FINTRAC, collected for the sole purpose of reporting to FINTRAC. The potential harm that could occur from the disclosure of the information in these financial transactions reports is great, and includes compromising: (1) police and national security investigations that are both ongoing or could be undertaken in the future; (2) sources of the information/intelligence within the reports, placing those sources at risk of retaliation; and (3) FINTRAC’s compliance activities, given that data provided by REs is always provided in confidence and that confidence is expected to be maintained by all parties. FINTRAC relies on the information included within STRs to support disclosure of financial intelligence to police and other law enforcement and national security organizations, in the interest of detecting, preventing and deterring ML and TF.
Therefore, while your client (MSB) is not prohibited from sharing the STRs it has submitted to FINTRAC with its service provider (Bank/CU), unless it is with the intent to prejudice a criminal investigation, strong consideration should be given to the above.
If you would like a PDF copy of the complete question and policy position for your due diligence files, or to provide to an external party that is requesting copies of your STRs, or information about their content, you can download it here.
Response from FINTRAC – Re_ Sharing Copies of STRs_ASTRs
A version of this Q&A is also now posted on FINTRAC’s website (PI-10662).
The response from OPC, in contrast, was underwhelming. In essence, they will investigate specific complaints, but they will not issue advanced rulings. That said, if any service provider is insisting that copies of STRs must be shared with them, a complaint to the OPC may be an option.
Response from the Office of the Privacy Commissioner of Canada – INFO-084075
Need a hand?
If you have AML or privacy-related questions, we can help. You can get in touch using our online form, by emailing info@outliercanada.com, or by calling us toll-free at 1-844-919-1623.