International Electronic Funds Transfers Business Intelligence

Privacy Impact Assessment (PIA) summary - Offshore Compliance Directorate, Compliance Programs Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Richard Montroy
Assistant Commissioner, Compliance Programs Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Reporting Compliance – International and Large Business

Description of the class of record and personal information bank

Standard or institution specific class of record:
International and Large Business Income Tax Audits and Examination (CRA ILBIB 415) - previously (CRA CPB 295)

Standard or institution specific personal information bank:
Tax Avoidance Cases (CRA PPU 035) - previously (CRA PPU 411)

Legal authority for program or activity

Subsection 220(1) of the ITA provides as follows:

"The Minister shall administer and enforce this Act and the Commissioner of Revenue may exercise all the powers and perform the duties of the Minister under this Act."

Similarly, subsection 275(1) of the ETA provides:

"The Minister shall administer and enforce this Part and the Commissioner may exercise all the powers and perform the duties of the Minister under this Part."

Subsection 244.2(1) of the ITA states:

"Every reporting entity shall file with the Minister an information return in prescribed form in respect of
(a) the sending out of Canada, at the request of a client, of an electronic funds transfer of $10,000 or more in the course of a single transaction; or
(b) the receipt from outside Canada of an electronic funds transfer, sent at the request of a client, of $10,000 or more in the course of a single transaction."

Section 273.3 of the ETA states:

"For greater certainty, information obtained by the Minister under Part XV.1 of the Income Tax Act may be used for the purposes of this part."

The Minister of National Revenue has a mandate to administer and enforce the ITA and Part IX of the ETA. To carry out this mandate, the Minister must collect information. There are specific reporting obligations for taxpayers and others such as, for example, financial institutions and employers as well as specific audit and inspection powers in the above-noted Acts. In cases of non-compliance the Minister may require information from a variety of sources to administer and enforce the ITA and ETA. The authority of the Minister to collect such information is implicit in the general language of the statutory mandate as set out above.

Summary of the project / initiative / change

Budget 2013 highlighted that international tax evasion and aggressive tax avoidance (ITEATA) entail a fiscal cost to governments and taxpayers worldwide, and are unfair to businesses and individuals who play by the rules. The Government of Canada is committed to protecting the revenue base and ensuring public confidence in the fairness and equity of the Canadian tax system.

Economic Action Plan 2013 (EAP 2013) introduced new measures to address international tax evasion and aggressive tax avoidance, including the requirement that certain Financial Intermediaries (FIs) report international electronic funds transfers (EFTs) of $10,000 or more to the CRA. In addition, EAP 2013 provided the CRA with $15 million of additional funding over 5 years to develop and implement the necessary system changes to accept and analyze the EFT information, as well as to fund the Electronic Funds Transfer & Business Intelligence Section (EFTBIS) within the Offshore Compliance Division of the Compliance Programs Branch. EFTBIS will be responsible for the receipt and analysis of the EFT information.

This reporting requirement will apply to the same Reporting Entities (REs) that are currently required to report international EFTs to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). This includes banks, credit unions, caisses populaires, trust and loan companies, money services businesses and casinos.

The EFT reports will be submitted to the CRA no later than 5 (five) business days after the day of the transfer and will require REs to provide information on the person conducting the transaction, the recipient of the funds, the transaction itself and the FIs facilitating the transaction. Transmission of EFT reports to the CRA will commence January 1, 2015.

In order to receive the EFT data, CRA has reached an agreement with FINTRAC, which currently receives EFT reports. Under the agreement each agency will receive its own discrete, identical record for each EFT submitted through the existing reporting channel managed by FINTRAC. FINTRAC will continue to manage this process. All REs will be advised at either the time of submission or through re-signing their Public Key Infrastructure (PKI) agreements with FINTRAC that any EFT reported through this channel will be submitted to both agencies. The EFTs will not be modified in any way by FINTRAC prior to being received by the CRA. A Memorandum of Understanding (MOU) and a Service Agreement are currently being drafted that would allow FINTRAC to recover incremental costs incurred, to permit the limited exchange of information for the purpose of ensuring compliance with EFT reporting obligations, and to establish protocols for the shared EFT reporting channel.

The main business objective of the EFTBIS unit is to generate intelligence and leads relevant to tax non-compliance, particularly offshore tax non-compliance. Once fully operational, the EFTBIS will undertake the following as its main functions:

In cooperation with the CRA Information Technology Branch, manage IT solutions that will house the EFT data and help analyze international electronic funds transfers (EFTs) of $10,000 or more from REs by January 1, 2015.

Utilize risk assessment models and business rules to identify potential instances of tax non-compliance in the EFT data. EFT data will also be compared against other CRA corporate data (i.e. T1, T2) as part of this process. The comparison of EFT data to other CRA corporate data will initially be a manual process, although the aim is to automate this as much as possible.

Provide EFT data to different program areas within CRA in response to queries, where the query relates to civil tax non-compliance. The EFT data will complement other data sources available to auditors in other CRA program areas.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement

Level of risk to privacy: 3

Details: The EFT data reported to the CRA as part of this program is to be used to monitor and assess tax compliance in a minimally intrusive manner. The vast majority of the leads generated by the EFT initiative and EFT data provided to different audit groups will be utilized for civil audits. In other words, EFT data would primarily be utilized for compliance programs and activities that have administrative consequences. In a small number of instances EFT data could also be referred to the CRA Criminal Investigations Directorate by audit program areas. In these cases, any follow-up activity would be conducted by the Criminal Investigations Directorate bearing in mind the increased expectation of privacy required to conduct a criminal investigation and the need in many cases for prior judicial authorization in the form of a warrant or production order. Thus, the highest level of risk associated with the EFT program is category 3.

B) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: The personal information contained in EFT reports fits into category 3 as each EFT report will contain limited financial information and may contain personal information, such as addresses, identification documents and numbers, and bank account numbers. EFTs can include the names of organizations and limited elements of free text. Thus, in rare instances EFTs could include information related (accurately or not) to the health, religious, or lifestyle choices of identifiable individuals. After the EFT data has been matched with other CRA corporate data (i.e. T1, T2) and analyzed, a fraction of files will be identified for further analysis or audit. This is a risk assessment process related to tax compliance, not an allegation or suspicion.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details: Personal information reported in EFTs will be collected and managed by a small group of specialized EFTBIS employees. Only the EFTBIS unit will have direct access to the EFT database. Information will be shared with other CRA program areas when relevant to civil tax non-compliance. In most cases the data would be shared with audit groups. It could also be shared with the Criminal Investigations Directorate on a limited basis subject to necessary authority and controls.

Certain information may be exchanged between CRA and FINTRAC for the purpose of ensuring that reporting entities comply with their statutory obligations for EFT reporting. These exchanges are statutorily authorized, although the ITA and the PCMLTFA each contain provisions which prohibit the CRA and FINTRAC, respectively, from sharing information that would identify specific EFT clients. To the extent that these exchanges include personal information, it would be limited information related to reporting entities such as the name and contact information of officials, employees and sole proprietors of the RE. The process is governed by a detailed MOU, a copy of which is attached.

EFT data could be shared with foreign governments in accordance with existing tax treaties or tax information exchange agreements (TIEA). Subparagraph 241(4)(e)(xii) of the ITA allows for the exchange of taxpayer information between two Competent Authorities representing treaty or TIEA partners. Information is typically exchanged to either ascertain the facts in relation to which rules of an income tax convention are to be applied or to assist one of the contracting parties in administering and enforcing its domestic tax law. In the case of EFT data this could be provided to any treaty or TIEA partners if the CRA determines that it could be relevant to the administration of their tax laws. Likewise the CRA could provide information from an EFT record to a treaty partner in order to receive information in return that would allow the CRA to administer and enforce Canadian tax law. These exchanges would be done on a limited case by case basis and there would be no systematic provision of EFT information to any foreign government.

IBM is contributing to the development of the IT solution that will house EFT reports; however, they will not be provided with any actual taxpayer information. Any IT development work that requires access to real taxpayer data will be restricted to CRA employees only.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details: The receipt of EFTs by CRA is part of a permanent continuing CRA program with no scheduled end date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details: The EFTBIS program will collect information relating to any individual who conducts an international electronic funds transfer of more than $10,000 to or from Canada, including those who conduct an EFT on behalf of another individual. The CRA expects to receive approximately 10 million reports per year from approximately 1500 different financial intermediaries which are defined as reporting entities in the ITA. Because many individuals conduct multiple transfers, there will be far fewer people affected than the number of reports received. The population will include individual taxpayers, individuals associated with business taxpayers as well as non-residents, some of whom are not required to file a Canadian tax return.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: Yes

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance, etc.

Risk to privacy: No

Details: N/A

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: After the EFT data is received by the CRA it will be matched against Canadian postal validation reference files to verify the accuracy of addresses reported in EFTs and to standardize addresses for the purposes of retrieving and analyzing this information. The name of the product being used is IBM QualityStage Address Verification. Only Canadian addresses are going to be standardized.

Names of individuals involved in EFTs will also be compared to reference files of standardized names for the purpose of identifying multiple EFTs involving the same taxpayer. For example: An individual conducts two EFTs. In one EFT record his name is recorded as Bill, and in the other as William, but the other identifying data in the two EFTs is essentially the same (surname, address). In such a case, the system will flag these EFTs on the basis that they likely involve the same individual. Names that are missing characters will also be corrected, so a name entered as Michae might be corrected to Michael. The name of the product being used is IBM InfoSphere Global Name Recognition.

An automated system will be utilized to identify EFTs that fit certain risk criteria that have been pre-defined by the EFTBIS unit. For example, the system would automatically flag certain high-risk wire transfers.

G) Personal information transmission

The personal information is transferred to a portable device or is printed.

Level of risk to privacy: 3

Details: The EFT data will be housed on workstations that are also connected to the internet/intranet and other CRA systems and applications. EFT reports can also be printed. All EFT reports will be designated as Protected B and subject to all storage and security policies that apply to this classification. In accordance with CRA policies for handling Protected B information, any information stored on removable media, such as USB keys, diskettes, or laptop computers, must be encrypted. Any e-mails containing Protected B information must also be encrypted. All printed materials must be stored in a locked drawer or a security container, or in a locked office with limited access. Paper records must be destroyed with a security approved shredder.

A Threat and Risk Assessment (TRA) and Statement of Sensitivity (SOS) (Annex E) have been completed to ensure that all IT networks, systems, and applications being developed or modified as part of this project adhere to CRA security standards and that any potential new risks have been addressed. The EFT data will reside on Revenue Canada Network (RCNET) and therefore will allow access via secure remote access (SRA) to those who have the appropriate tools and login profiles installed on their laptops.

H) Risk impact to the individual or employee

Level of risk to privacy: 3

Details: The EFT data may contain some key financial and identity elements such as passport numbers, driver’s license numbers, bank account numbers, and dates of birth. If these data elements were improperly used or disclosed it could result in inconvenience and reputational harm to an individual. These elements might also be utilized to obtain or gain access to other personal data which could result in financial damage through identity theft or other improper uses.

I) Risk impact to the institution

Level of risk to privacy: 4

Details: If the confidential information contained in an EFT was lost, misplaced, or accessed by unauthorized individuals in a position to benefit from the data or to cause harm with it, there would be severe damage to the reputation of the CRA which could potentially undermine the confidence of the public in the CRA’s ability to manage information in accordance with CRA’s statutory mandate.
