Enhanced Financial Account Information Reporting Part XVIII - v3.0

Compliance Programs Branch
High Net Worth Compliance Directorate

Overview & Privacy Impact Assessment (PIA) Initiation 

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Adrianna McGillivray
Director General
High Net Worth Compliance Directorate
Compliance Programs Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Lia Jackson
Director
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Reporting Compliance

Standard or institution specific class of record:

Competent Authority Program Administration
CRA CPB 261

Standard or institution specific personal information bank:

Competent Authority
Bank Number: CRA PPU 085
TBS Registration: 002021

Legal authority for program or activity

Domestic Legal Framework

Part XVIII of the Income Tax Act (ITA), sections 263 – 269, and in particular:

In addition to Part XVIII, subsection 237(2) of the ITA provides the legal authority for a Canadian financial institution (FI) to collect a social insurance number, business number, or trust account number in order to comply with the reporting requirements of Part XVIII [Footnote 1].

Subsections 162(5), 162(6), and 162(7) of the ITA provide the legal authority to enforce the collection and reporting of identification numbers and to impose a penalty for failure to comply with a requirement. In addition, subsection 162(6) of the ITA allows for the imposition of a penalty for a U.S. person who fails to provide their U.S. Taxpayer Identification Number to a reporting Canadian FI, upon request.

Section 220 of the ITA – The requirement to administer and enforce the Income Tax Act. 

International Legal Framework

Subparagraph 241(4)(e)(xii) of the ITA contains the authority to share taxpayer information collected by the CRA with another jurisdiction under a provision contained in a tax treaty or in a listed international agreement. This includes:

Summary of the project, initiative or change

Overview of the Program or Activity

Canada is committed to strong international partnerships as part of its ongoing efforts to ensure a fair tax system for all. The exchange of financial account information between tax administrations is part of an array of better tools and approaches the CRA is using to combat tax evasion and promote voluntary compliance with tax laws.

Each year, the CRA automatically exchanges information with the United States (U.S.), in accordance with an Intergovernmental Agreement signed in 2014. These exchanges go in both directions, and can be summarized as follows:

  1. Outgoing Data (Part XVIII): Outgoing data pertains to U.S. persons who hold accounts with Canadian financial institutions. Information on these accounts is reported directly to the CRA by Canadian financial institutions on an annual basis, pursuant to Part XVIII of the ITA. The CRA’s Competent Authority will then exchange this information with the U.S., in accordance with the intergovernmental agreement.
  2. Incoming Data (intergovernmental agreement): Incoming data pertains to Canadians who have financial accounts held in a Reporting U.S. Financial Institution. The U.S. will report information on these account holdings to the CRA’s Competent Authority on an annual basis, in accordance with the terms of the intergovernmental agreement.

What’s New

The privacy impact assessment has been updated to include the following new program activities, systems used within the program, and users of the personal information:

Financial institution compliance activities

Section 265 of the Income Tax Act sets out the requirements for Canadian financial institutions, and foreign financial institutions operating in Canada, to exercise due diligence in searching for and identifying all non-resident-held accounts which must be reported to the CRA under Part XVIII. The quality and completeness of due diligence checks regarding the tax residency of account holders and controlling persons, and the accuracy of the account information, are crucial to the usefulness of the information exchanged. The International Collaboration and Exchange of Information Division, within the CRA’s Compliance Programs Branch, is overseeing a compliance program to assess how well Canadian financial institutions are meeting their due diligence and reporting obligations under Part XVIII.

The key parts of the compliance program include financial institution population identification; risk management; risk treatment and implementation of desk-based reviews and onsite audits; monitoring; evaluation; and measurement. Risk analysis may involve the review and analysis of large samples of Part XVIII data to identify and quantify risk elements. Any resultant audits could include the review of a sample of all accounts held by a financial institution, as well as the review of a financial institution’s policies and procedures related to Part XVIII requirements.

Because there is similarity in reporting requirements, the CRA may collaborate with other supervisory bodies (for example, the Financial Transactions and Reports Analysis Centre of Canada and the Office of the Superintendent of Financial Institutions) to streamline processes. Incoming intergovernmental agreement data will not be shared with any collaborating parties. Based on past dealings with financial-institution-sector reporting, the CRA expects the level of compliance to be fairly high.

Sharing of Intergovernmental Agreement information with Revenu Québec

In general, the Convention Between Canada and the United States of America With Respect to Taxes on Income and on Capital allows for information exchanged under the Intergovernmental Agreement to be shared with persons or authorities involved in the assessment or collection of, the administration and enforcement in respect of, or the determination of appeals in relation to taxes imposed by a political subdivision or local authority that are substantially similar to the taxes covered by the Convention. 

Further, the CRA has an agreement (memorandum of understanding) with Revenu Québec which enables the sharing of information regarding taxes and duties.

Pursuant to these agreements, it is anticipated that the CRA may provide Revenu Québec with Intergovernmental Agreement information received from the United States and associated with Québec taxpayers, so long as Revenu Québec is able to adhere to the secrecy provision set out in the Convention, in addition to those security requirements already established in the memorandum of understanding. Transfers of Intergovernmental Agreement information will be done in accordance with the memorandum of understanding and other related agreements to be developed.

System enhancements and additions

All incoming and outgoing exchanges of information in accordance with the intergovernmental agreement are conducted electronically, using an online, secure portal. This portal was developed by the U.S. and has been used by the CRA since the inception of the program. Only encrypted files in a specific format can be transferred through this portal. The CRA uses an internally developed application to (a) package and encrypt Part XVIII information uploaded to the portal, and (b) unpackage and decrypt intergovernmental agreement information received through the portal. This application has recently been updated to leverage managed file transfers for all exchanges since January 31, 2021.

The program is also using a new data mining workspace and application to enable the review and analysis of all incoming and outgoing data received. This application is used for the purpose of business intelligence, compliance workload, and program evaluation. Program evaluation includes the review of data quality, as well as the issuing of any feedback to the United States. 

Scope of the Privacy Impact Assessment

The operational requirements created by the intergovernmental agreement and Part XVIII data flows are the focus of this privacy impact assessment (PIA). This includes the storage, transmission, handling, matching, disclosure, and retention/disposition of all Part XVIII information returns and summaries received from Canadian financial institutions, and all Part XVIII and intergovernmental agreement information exchanged with the U.S.

This PIA also covers the program’s use of personal information for the purpose of ensuring Canadian financial institutions are in compliance with their record keeping, due diligence, and reporting requirements set out in Part XVIII of the ITA.

This PIA will not address personal information exchanged with other foreign jurisdictions in accordance with the Common Reporting Standard and Part XIX of the ITA. A separate PIA has been prepared for these exchanges, an update to which was completed in 2023.

This PIA also does not address the use of Part XVIII and intergovernmental agreement information by other CRA programs, which include Business Intelligence, Risk Assessment, Workload Development, Compliance Activities, Appeals and Collections. These are addressed in the corresponding program PIAs.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement  

Level of risk to privacy: 3

Details:

Outgoing data (Part XVIII)

The Part XVIII data collected from Canadian financial institutions is for the primary purpose of exchanging with the U.S. It is also used to monitor and assess the filing compliance of Canadian financial institutions.

The data received under Part XVIII from Canadian financial institutions may also be used for existing domestic and non-resident tax compliance activities, including risk assessment, workload development, audit, and Part XIII determination of tax on income from Canada of non-resident persons. This includes manual and automated compliance activities.

Incoming data (intergovernmental agreement)

The intergovernmental agreement data provided to the CRA by the U.S. can only be used for tax compliance purposes, including risk assessment, workload development, audit, and collections. This includes manual and automated compliance activities. In a small number of instances, the data could also be referred to the CRA Criminal Investigations Directorate by audit program areas. In these cases, any follow-up activity would be conducted by the Directorate, bearing in mind the increased expectation of privacy required to conduct a criminal investigation and the need in many cases for prior judicial authorization in the form of a warrant or production order.

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual. 

Level of risk to privacy: 3

Details:

Outgoing Data (Part XVIII)

A Canadian financial institution is required to file Part XVIII Information Return slips with the CRA annually for any U.S. Reportable Account(s) that it maintains. These returns generally contain the following information*:

Incoming Data (intergovernmental agreement)

Under the intergovernmental agreement, the U.S. Internal Revenue Service (IRS) is required to transmit the following information to the CRA annually, with respect to Canadian residents who have financial accounts at U.S. financial institutions:

*Specific guidance regarding what Canadian FIs are required to report for Part XVIII can be found online, at Completing Part XVIII Information Return slips and summary - Canada.ca.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details:

Part XVIII information returns filed and intergovernmental agreement information received from the U.S. are stored internally. Personal information captured is processed by the Information Returns Section within the Assessment, Benefit and Service Branch. Other CRA programs may then access the information on a need-to-know basis. The data is made available to other CRA programs for compliance purposes, including risk analysis, workload development, and audit. As a result of an administrative compliance action, the information could also be shared with the Criminal Investigations Directorate within the Compliance Programs Branch. Use of the information in the criminal context is subject to the same restrictions as other taxpayer data. There are no restrictions on the use of the information for criminal purposes expressed in the intergovernmental agreement or treaties.

In addition to these internal activity partners, the program is also partnered with the private sector and foreign governments, and in particular:

Outgoing Data (Part XVIII)

With respect to each financial account held at a Canadian financial institution by a U.S. person or a non-U.S. entity with one or more U.S. controlling persons, the information will be collected by the financial institution and reported to the CRA, which in turn will transmit the information to the U.S. Internal Revenue Service.

Incoming Data (intergovernmental agreement)

With respect to each financial account held by a resident of Canada at a U.S. financial institution, the information will be collected by the Internal Revenue Service and then transmitted to the CRA.

The intergovernmental agreement information received from the Internal Revenue Service may also be provided to Revenu Québec, for the purpose of provincial tax administration. Provincial exchanges will be conducted in accordance with the agreement between the CRA and Revenu Québec concerning the exchange of information regarding taxes and other duties (the Memorandum of Understanding (MOU)). Such sharing is currently provisioned according to the Convention between Canada and the United States of America with Respect to Taxes on Income and on Capital. The CRA will subsequently provide Revenu Québec with the intergovernmental agreement information so long as Revenu Québec is able to adhere to the confidentiality and data safeguarding requirements set out in the Convention and the intergovernmental agreement, in addition to those security requirements already established in the MOU and other related agreements to be developed.  

D) Duration of the program or activity

Long-term program 

Level of risk to privacy: 3

Details:

This program has no sunset date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

Outgoing data (Part XVIII)

The program will affect U.S. persons and non-U.S. entities with U.S. controlling persons, who hold financial accounts at financial institutions operating in Canada.

Reporting Canadian financial institutions must take steps to identify and report to the CRA financial accounts held in Canada by, or for the benefit of, U.S. persons and non-U.S. entities with U.S. controlling persons.

Incoming data (intergovernmental agreement)

The program affects Canadian individuals and entities with Canadian resident controlling persons that hold or control financial accounts at financial institutions operating in the U.S.

F) Technology & privacy

  1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
    Risk to privacy: Yes
  2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
    Risk to privacy: Yes
  3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.

Level of risk to privacy: 2

Details:

Outgoing (Part XVIII)

Financial institutions submit Part XVIII information returns electronically to the CRA. This data is systematically stored internally. There is no direct connectivity between the internet application and the internal database.

Automated processes convert the Part XVIII data to the format required for exchanges under the intergovernmental agreement. Following internal processing, the data is then encrypted and transmitted via secure delivery to the portal used for exchanges with the U.S. Internal Revenue Service.

None of the business processes allow for the transport of data to another platform, or to store it on a removable Universal Serial Bus storage device.

The Internal Revenue Service conducted the initial security assessment on the portal in January 2015. The Internal Revenue Service has confirmed that it conducts security assessments on an annual basis. Further, the Internal Revenue Service has issued an Authority to Operate, which can only be issued to systems that meet the NIST SP 800-53 and SP 800-122 security guidelines.

Incoming (intergovernmental agreement)

The Intergovernmental Agreement data received from the U.S. is transmitted and received electronically. The International Collaboration and Exchange of Information Division is the only area that is authorized to decrypt the packaged file. The Division will then unpackage the file, ensure that the information was intended for Canada, and forward the file to the Electronic Exchange of Information Section.

In the improbable event that the information received was not intended for Canada, or relates to years not covered by the Agreement, a notification is immediately sent to the U.S., and the file is deleted immediately.

The Part XVIII and Intergovernmental Agreement information that is saved internally is then copied and made accessible for matching, business intelligence, risk analysis, and workload development.

CRA employees use laptop computers with access controls. Access to the Agency network from remote locations must be done with full disk encryption and standard Secure Remote Access. The Information Technology Branch has developed an enterprise-wide telecommuting platform that offers users secure access to the network.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

In the event of a privacy breach, an individual may become a victim of identity theft, and their personal information may be used without their knowledge or consent in ways that could result in a financial or reputational loss, such as the misuse of credit card information or debts being incurred on their behalf.

Page details

2025-07-03