The Privacy Commissioner of Canada, Philippe Dufresne, has tabled a biennial review in Parliament assessing how the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) handles personal information under anti-money laundering and anti-terrorism laws.
The report highlighted both improvements and ongoing challenges in safeguarding sensitive information.
The review, mandated under subsection 72(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, evaluates FINTRAC’s measures to protect the personal data it collects and analyzes. Commissioner Dufresne’s report acknowledged FINTRAC’s progress in addressing recommendations made in previous reviews, including steps to avoid collecting unnecessary information and to bolster threat detection and incident response systems. Enhancements to FINTRAC’s Business Continuity Plan (BCP) were also noted.
Despite these advancements, the commissioner emphasized the need for further improvement in critical areas. The report raised concerns about FINTRAC’s delayed efforts to dispose of certain historical data, such as reports below the statutory reporting threshold. Automated processes designed to purge data older than 10 years have been disabled without a set timeline for resumption. These delays could pose compliance risks under the governing legislation.
The review also highlighted two security incidents during the evaluation period, including a cyber event in March and an unauthorized disclosure by an employee. While the incidents did not form part of the review’s scope, the cyber breach underscored the importance of robust security measures. The commissioner recommended that FINTRAC prioritize regular security assessments and penetration testing to mitigate such risks.
The report also noted FINTRAC’s ongoing modernization, including its expanded use of cloud technology, automation, and artificial intelligence. While these innovations promise operational efficiencies, they introduce new security and privacy risks. The commissioner urged FINTRAC to strengthen its expertise and processes to manage these challenges effectively under the cloud’s shared responsibility model.
In total, the Privacy Commissioner made nine recommendations to FINTRAC, which the agency has accepted, along with one recommendation to Shared Services Canada (SSC). Both organizations have committed to implementing the suggested improvements. FINTRAC has also pledged to provide quarterly updates to the commissioner on its progress. The commissioner expressed appreciation for FINTRAC’s collaboration and transparency during the review and plans to assess the agency’s ongoing efforts in the next biennial review.