GICs are a dangerous game

Who would have thought that a simple Guaranteed Investment Certificate (GIC) would be in the middle of a controversy that involves the federal government, Parliament, the banking industry, powerful government agencies, privacy law and ethics?

One of the most powerful but least known Canadian government agencies is FINTRAC. Who are they and what do they do?

According to their web site, FINTRAC’s mission is: “To contribute to the public safety of Canadians and help protect the integrity of Canada's financial system through the detection and deterrence of money laundering and terrorist financing.”

Part of their mandate is to ensure the compliance of reporting entities with legislation and regulations. (“Reporting entities”, for the sake of this discussion, refers to banks, trust companies and credit unions.)

FINTRAC reports directly to the Minister of Finance and their mandate is to enforce the Proceeds of Crime Money Laundering and Terrorist Financing Act.

In the great pecking order of financial things, which government body, agency or regulatory organization regulates the banks, trust companies and credit unions?

A simple question – but the answer is far more complex.

Some financial institutions say that no, the Proceeds of Crime Money Laundering and Terrorist Financing Act does not apply to them as the bank regulators overrule the Act. In other instances, some credit unions might say they operate under provincial government statutes and federal rules do not apply.

Others have hired risk management lawyers in order to ensure that ongoing client data collection can be justified despite the exemptions in the Proceeds of Crime Money Laundering and Terrorist Financing Act.

Although one of FINTRAC’s primary and most important roles is to enforce the Proceeds of Crime Money Laundering and Terrorist Financing Act, they are not enforcing the exemptions regarding registered plans. The Office of the Privacy Commissioner (OPC) has criticized FINTRAC for allowing the over-collection of confidential client data, but FINTRAC’s stance regarding individual Canadians’ privacy rights is that privacy questions are outside their mandate. And the OPC lacks enforcement powers, other than perhaps moral suasion and fear of audit, to force a financial institution to comply. On the public OPC web site, it appears that no financial institution has been taken to task concerning the use of confidential and private information with respect to registered plans.

A minimum of zero?

FINTRAC’s own view of the Proceeds of Crime Money Laundering and Terrorist Financing Act is curious if not contradictory. Although FINTRAC’s mandate is to enforce the Act, they are interpreting the Act by saying that the exemptions regarding registered plans do exist, were passed by Parliament, have force of law and must absolutely be followed, but privately, in their view, the exemptions are merely minimum requirements.

FINTRAC’s argument that exemptions are minimums makes no sense. What is clear is that Parliament intended RRSPs and other registered plans to be exempt from record-keeping and client identification requirements.

FINTRAC’s role is to enforce that law and to ensure compliance of reporting entities (deposit taking institutions) with the legislation and regulations.

The law specifically states that all registered plans (RRSPs, RRIFs, TFSAs, etc.) are exempted from record-keeping and client identification requirements.

The problem is that most of the banking industry doesn’t like this law, and many have largely ignored it as too lenient, too expensive to implement and as creating a perceived risk for the banking industry.

These are all valid objections but the law is clearly stated and is the law – no record-keeping and client identification requirement for registered plans like RRSPs.

For almost all deposit-taking institutions in Canada, the above Act exemptions are mostly ignored and the banks continue to use and collect record-keeping and client identification information for the opening of registered plans. I only know of one chartered bank in Canada that has a clearly defined policy regarding their RRSP products and they make it absolutely clear that record-keeping and client identification requirements are exempted. However, almost all other institutions have redesigned their RRSP applications so that the client or bank customer has to give the extra client information including identification and then the client has to sign the application. Because the client has signed “voluntarily” to give up his personal information, this neatly side-steps the Act’s registered plan exemptions.

FINTRAC, Canada’s financial watchdog, according to the OPC Audit, appears to happily accept whatever unfiltered confidential information financial institutions send them.

Who stands up for the little guy?

Alas, we have a problem or set of unique problems here. We have deposit-taking institutions collecting information they are not supposed to collect. We have FINTRAC that is supposed to be strictly enforcing the Act but may not be. We have the OPC doing a lot of finger wagging at FINTRAC and the banking industry, but not much else.

While the above controversies have been argued about for some time, my view is simplistic. In case of doubt, it is always best to take the moral high road. I do not give clients’ personal and confidential information to anyone where it is not required. Bottom line for all registered plans – if it is not required, then the information should not be given.

For bank customers who are asked for identification to open up an RRSP or TFSA, I would certainly question the bank as to why they need this information. If the bank or credit union insists or demands that you give up your information and you do not wish to divulge this information, your options are limited. If you refuse, the bank will merely refuse to give you the investment.

As far as I know, no one has filed a complaint with respect to possible FINTRAC violations and/or privacy act violations with respect to registered plans.

Privacy laws are often touted by financial institutions to be very important but in practice, privacy concerns appear to be way down on the priority list. In the view of the OPC, the majority of financial institutions are over-collecting massive amounts of personal and confidential information that is not required.

While the OPC is being critical of FINTRAC and Canada’s financial institutions for the over-collection of Canadians’ personal and private information, the OPC is not totally blameless either. The OPC makes allowances for “know your client” information without defining what “know your client” means. This small hole has, in effect, become big enough to drive a truck through. Financial institutions have interpreted this as carte blanche permission to gather additional information to create their own “know your client” requirements. These internal policies vary greatly from institution to institution, resulting in “Babel-esque” confusion about how much or what is required for internal compliance reasons.

Inadvertently, the OPC manages to shoot itself in the foot as financial institutions can use “know your client” rules to over-collect client information as per the OPC’s very own guidelines. From a legal perspective, you have to admire the financial institutions’ neat end-run around the federal government privacy rules by using the privacy rules themselves as an argument for increased data collection.

One of the basic tenets of Canadian privacy law is that information should not be collected if it is not required. Every day, it seems, we hear about or read about millions of customer records being lost or stolen. Information can’t be lost, stolen or misused (even accidentally) if it is not collected. Why bear the risks and enormous costs of acquiring and safeguarding information that does not have to be collected in the first place?

As we all know from the headlines, privacy is becoming an increasingly scarce resource. Information is the new currency and institutions are astonishingly desperate to get their hands on your personal data even if it is not required. It is up to us to safeguard our personal and confidential information as best we can.

Note: The above discourse refers to client name deposits that are held directly by a bank, trust company or credit union. The above-mentioned FINTRAC Guideline 6G does not apply to securities dealers (brokerage firms, mutual fund dealers, etc.) as they are exempt.


Proceeds of Crime (Money Laundering) Terrorist Financing Regulations (PCMLTFR)


Paragraph 62.2 (i):

FINTRAC Guideline 6G (exemptions for registered plans):

Office of the Privacy Commissioner (OPC) 2013 audit of FINTRAC:

Privacy concerns with FINTRAC remain:


