Recently, FINTRAC released crucial new guidance regarding private-to-private information sharing between Reporting Entities (REs) 🔐 

Private Information sharing is intended to help close gaps typically exploited by criminals and money launderers by enabling REs to obtain a more complete view of client activity and to better detect suspicious transactions.  

 The key takeaway?  

Information sharing is voluntary, but for those REs that wish to engage - they must do so legally according to the rules as set forth in the guidance. This includes: 

🟠 Establishing and implementing an internal Code of Practice for disclosure, collection and use of information. Codes of Practice are submitted to FINTRAC and the Office of the Privacy Commissioner of Canada (OPC) and approved by the OPC. The OPC has 120 days to review your application and provide a decision, with an additional 15-day extension if required. If no decision is communicated to you by the end of the review period, your Code of Practice will be deemed approved.  

🟠 The code of practice must be accompanied by an acknowledgement that each participating reporting entity has approved the code of practice and has consented to its submission to FINTRAC and the Office of the Privacy Commissioner of Canada. 

🟠 If your Code of Practice is approved, you may only share information with other reporting entities identified within your Code of Practice. Remember, information sharing is voluntary and not a mandatory requirement.  

What should a Code of Practice include?  

✅ The legal names and FINTRAC reporting entity numbers for all REs involved in private information sharing activities  

✅ A description of the personal information that may be shared, including the purpose for sharing and the way information is shared 

✅ Detailed measures to securely protect and retain shared information.  

✅ Your Code of Practice should demonstrate adherence with privacy regulations as set forth in the Proceeds of Crime (Money Laundering) and Terrorist Financing (PCMLTFA), meeting substantially the same or greater privacy protections as PIPEDA. 

Looking beyond compliance - why does having an approved Code of Practice matter? 🤔 

If your information sharing activities are completed in compliance with the PCMLTFA, regulations and in good faith, an approved Code of Practice could provide at least a soft layer of liability protection, although not a complete “safe harbour” for your business. 

Information sharing can be a complicated matter - especially when it comes to AML compliance, privacy and situations where REs may feel grey areas exist. 

Our team of AML and network of legal experts can help your business navigate these nuanced situations and figure out how to execute compliantly - please reach out to us today should you have any questions regarding this update or anything regarding AML and information sharing.