FINTRAC New Guidance on Private-to-Private Information Sharing

While the compliance landscape for monitoring is growing under Canada’s anti-money laundering and counter-terrorist financing framework, the direction of enforcement in relation to the various regulated entities being controlled by the agency continues to consolidate and move towards more coordinated mechanisms of coordination. Though the guidance does not amend the Proceeds of Crime (ML) and Terrorist Financing Act (PCMLTFA), it is to provide much-needed interpretative guidance on a subject area that has, for too long, created uncertainty. A practical concern is in how there might be private actors working in partnership with each other to identify and mitigate the risks of financial crime and to do so within existing law.

Regulatory Landscape and Policy Framework

Canadian reporting organizations have historically been operated under rules that prioritize compliance through vertical reporting to regulators instead of horizontal cooperation among their peers. Whilst limited information sharing has long been legally possible, most institutions avoided sharing information due to privacy concerns, reputational risk and an expectation for an inconsistent regulation. FINTRAC’s recommendations are consistent with an understanding of the fact that modern money laundering and terrorist financing schemes frequently involve numerous institutions, sectors and service providers. Fragmented oversight can hamper the effectiveness of individual compliance efforts. This guidance thus brings Canadian practice closer to international standards that underscore collective intelligence and risk-based cooperation.

Core Principles to the Guidance

FINTRAC’s position is designed around a number of key principles which determine when and how private-to-private information sharing may occur. These rules serve as interpretive anchors and not prescriptive guidelines. Key principles include:

• Limitation of intent, which is to say, information may be disclosed for some legitimate AML/CTF purposes only;
• Proportionality, where only what is reasonably necessary should be shared when the data is available for use;
• Relevance, that disclosures are related to identifiable indicators of risk;
• Accountability, with clear internal ownership and oversight mechanisms;
• Confidentiality safeguards that apply to access policies and data protection and security measures. The guidance emphasizes information sharing is not a self-defining purpose.

The action must be substantiated by establishing a clear association with the detection, prevention, or deterrence of financial crime.

Category of Information That Can Be Discussed

FINTRAC notes that a variety of types of information can be traded between private entities as long as the principles outlined above are adhered to. The focus is on targeted, risk-based sharing, as opposed to aggregating vast data. Permitted categories might include:

• Examples of suspicious transaction patterns;
• Current or emerging typologies of money laundering, known and/or new kinds of money laundering;
• Signs or symptoms of red flags related to clients or transactions;
• Risk indicators linked to products or channels;
• Examples of contextual information aiding in better due diligence.

Significantly, however, the guidance does not mean that full customer files may be shared unrestrictedly. Information must be chosen and put into context to support a defined compliance purpose.

Treatment of personal information and privacy alignment

It is one of the most important points in the guidance. FINTRAC establishes that personal data may be shared between private organizations when reasonably necessary for AML/CTF purposes, provided such sharing complies with applicable privacy legislation, including PIPEDA. In achieving this goal, reporting entities shall establish internal controls which shall prescribe the disclosure of personal information:

• Policies for disclosing and discussing of information permitted in writing;
• Describes escalation and approval boundaries.;
• Documentation of rationale for each disclosure;
• Limitations on further dissemination;
• Regular reviews of shared information practices;
• AML-compliance and privacy protection are not counterbalanced requirements, but, rather, parallel obligations that need to be harmonised effectively in operations, the guidance reiterates.

Operational Expectations and Governance

Governance is a big part of FINTRAC’s mission. It is important that information sharing be included in a reporting entity’s broader compliance framework, not as an informal or undocumented practice. In practice, this can refer to:

• Cooperation agreements between institutions in the formal sense;
• Engagement in purposeful sector-by-sector forums;
• Embedding sharing standards in AML-policies;
• Educating staff on what disclosures are permitted;
• Keeping audit trails of information shared.

Regulator doesn’t require a single model, meaning that institutions can differ on considerations of size, complexity and risk exposure. Yet, poor documentation or lack of accountability might itself be considered a failure to comply.

Risk, Responsibility, & Supervision

While the guidance lessens interpretative uncertainty, it does not remove legal or operational risk. Reporting entities will still need to assure that any shared information complies with both AML and privacy norms. FINTRAC provides no immunity for inappropriate disclosures. Potential risk areas include next-described.

1. Oversharing or sharing data for no reason.
2. Poor security of shared information.
3. Decision making that is not well-documented.
4. Distinction between claimed purpose and applied reality.

Therefore legal oversight and ongoing legal review would necessarily play an essential role in any information-sharing system.

Consideration of Strategic Implications for AML Activities

Strategically, the advice indicates a move from one-off compliance to coordinated risk identification. FINTRAC is encouraging reporting agencies to re-conceptualise information sharing as a legitimate compliance tool, rather than a regulatory liability, subject to proper regulation if done on their part appropriately. Entities that adopt structured, highly-regulated sharing arrangements, in turn, could develop their ability to detect such sophisticated schemes, as well as their overall compliance. On the other hand, institutions that depend extensively on internal monitoring could see little visibility into their own risks more and more.

Limitation of practical implementation

Although the guidance delineated some of these issues and gave clarity to it in issuing the guidance, this is of course not feasible in practice as the private-to-private sharing of information is complex with real-life applications. Reporting authorities are constrained by a narrow compliance corridor in the data landscape, and need to weigh the risk that if they are too transparent – and, as a result, the risk of missing out on the successful discovery of money laundering or terrorist financing – they may end up exposing employees under their contractual, privacy or confidentiality obligations. This balance is dynamic and needs to be continually re-evaluated as institutional profiles of risk change, emerging threat typologies develop and supervisory expectations may arise. The lack of fixed thresholds for the provision of information also places the onus on internal governance processes to assess when information sharing is warranted and show that each disclosure is proportionate, necessary, and that it is consistent with specified AML/CTF-objectives.

Supervision: the challenge in Supervision and alignment of implementation

As we continue to expose information-sharing practices as part of AML program assessments over time, the regulatory sensitivity in that area is likely to continue to grow. Supervisors might expect reporting entities to show grown-up governance systems, clear documentation, and a defined accountability for both outbound and inbound disclosures. Cross-sector or trans-institutional efforts further complicate the dynamics, where differences in regulatory obligations or compliance cultures can mean compliance obligations for relevance, retention or escalation are interpreted differently. Institutions should facilitate operationalization of shared intelligence into internal monitoring and decision making frameworks, as the receipt of risk information through external sources without a clear analytical or investigative response may instead weaken, not enhance, the overall effectiveness of the AML-compliance program.

Our Professional Support for Private-to-Private Information Sharing Compliance

We support our reporting entities in creating, reviewing, and instituting private-to-private information-sharing frameworks conforming to FINTRAC expectations and applicable privacy laws. From the standpoint, our services encompass both the strategic and operational aspects, policy formulation, governance arrangements, risk assessments, to legal review of proposed sharing agreements. We offer financial institutions, fintech firms, and designated non-financial businesses, and help to make sure that information sharing efforts are proportionate, defensible and comprehensively incorporated into current AML-initiatives.

This refers to assistance in the field of regulatory scrutiny and internal audits with external bodies as well as the adaptation of cross-institutional co-working models as the supervisory guidance evolves on the basis of cross-institutional support mechanisms and supervisory guidelines.