Privacy commissioner releases codes of practice submission guide for financial reporting entities

The guidance is aligned with efforts to flag money laundering and sanctions evasion
Privacy commissioner releases codes of practice submission guide for financial reporting entities

The Privacy Commissioner of Canada has released a guidance for financial reporting entities on submitting codes of practice for personal information disclosure.

The guidance is targeted towards banks, credit unions, trust companies, and life insurance and loans providers under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. It outlines the commissioner’s criteria for approving a code of practice in line with regulation requirements.

Per March 2025 legislative amendments, PCMLTFA-bound reporting entities may disclose personal information to one another without requiring an individual’s consent in specific cases. Nonetheless, this disclosure must be governed by a code of practice approved by the privacy commissioner.

Such codes bolster the detection and prevention of money laundering, terrorist financing, and sanctions evasion while safeguarding personal information under the Personal Information Protection and Electronic Documents Act.

“This new guidance will support organizations as they establish codes of practice that maintain strong privacy protections in the context of information sharing meant to detect and prevent money laundering, terrorist financing, and sanctions evasion,” said Philippe Dufresne, Canada privacy commissioner, in a statement.

The guidance indicated that information sharing of this nature is voluntary, and reporting entities need only set a code of practice if they intend to share information this way. Entities may submit codes of practice for the privacy commissioner’s review through an online form or by phone.

A code of practice must include the following information per s. 160 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations:

  • Name the reporting entities bound to the code
  • Define the personal information that could be shared, obtained, or utilized without knowledge or consent
  • Outline why this information must be collected and used thusly
  • Describe how this information will be obtained, shared, or applied thusly
  • Define the steps to be taken to protect the information, including personal information storage and record keeping measures
  • Outline how the code is compliant with PCMLTFA requirements and protects information under PIPEDA

Entities must inform the Financial Transactions and Reports Analysis Centre of Canada the day they submit a code of practice to the Office of the Privacy Commissioner for approval, as FINTRAC will assist the OPC with its evaluation. The OPC must then issue a decision within 120 calendar days, although it may inform an applicant should it wish to extend the decision-making period by 15 days.

Earlier this month, the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia inked a memorandum of understanding on mutual assistance and information sharing in the administration and enforcement of laws protecting personal information.

Firm(s)

Privacy Commission of Canada