Thursday, July 11, 2024

Your finances are being snooped on. Here's how


We all have a pretty good idea that our finances are being snooped on, but most of us aren't quite able to articulate how. We know that we're being snooped on by two groups, corporations and the government. This post will focus on how the government surveils our transactions, because democratic governments generally (but certainly not always!) tell us ahead of time what information they will gather, and how the data will be used.

Governments snoop on law-abiding citizens' financial data for good reasons: they are trying to trace the money in order to catch bad guys. The government has been given the power to collect this information without having to ask a judge for approval, say by requesting a search warrant.

I think there is a degree of acceptance among citizens that some amount of warrantless financial snooping is okay, because it reduces crime. But as the intensity of surveillance increases it eventually reaches creepy territory, at which point most of us would prefer the brakes be applied.

Where is this line? I'm a committed comparativist. To get a good sense of how one is snooped on, and whether it has passed over the line to being creepy, one needs a reference point. So in this blog post, I'll compare how two groups of citizens, Americans and Canadians, are being surveilled by their respective governments, so that both groups can better understand, by reference to each other, where they stand.

The first section focuses on the inflows of personal financial data from citizens to the government. The second section will focus on the outflows of data from the government to law enforcement.

***How citizens' personal financial data flows into the government***

Both the U.S. and Canadian governments collect large amounts of financial data about their citizens. They do so by requiring banks and other financial institutions to record information about their customers and submit reports to the government about their customers' transactions when certain triggers have been met.

First, let's touch on the total amount of data being hoovered up. On this count, Canada far exceeds the U.S. In the 2022-23 reporting period, Canadian financial institutions submitted a total of 36 million reports to the government containing information about Canadians' financial transactions. That's almost one report per Canadian every year. 

Meanwhile, U.S. institutions sent 27.5 million reports to their government about Americans' financial dealings in 2023, a rate of around 0.1 report for every American, which is ten times less intensive than in Canada. So based purely on the quantity of data collected, Canada seems to be closer to the "it's getting uncomfortable" level than the U.S. (See table below).

What accounts for this big difference in reporting intensity? In short, it's due entirely to cross-border wire transfers. In Canada, every electronic fund transfer leaving or arriving in Canada must be reported by banks to the government if it sums up to $10,000 or more. So if you've sent an $11,500 wire transfer from your Bank of Montreal account to your son or daughter who lives in London or Paris, congratulations, your name is in a Canadian government database. Or if you run a business and have received a $15,000 digital payment from a U.S. company for services rendered, your corporate data is sitting somewhere in an Ottawa government server.

If you're an American making a foreign wire transfer, your information will not get sent to a government database. The U.S. authorities do not require financial institutions to submit personal information on digital cross-border flows. (Mind you, they have been trying for some time to get the ability to collect this data.)

In the 2022-23 financial year, 27 million of these cross-border wire reports were submitted by Canadian banks, accounting for the lion's share of all 36 million reports submitted to the Canadian government that year.

Apart from cross-border transaction reporting, the nature of Canadian and U.S. eavesdropping is broadly similar.

Let's start with cash transaction reports, or CTRs. When a Canadian goes to their bank and deposits $10,000 or more in cash, the bank will generate a report that it sends to the Canadian government. U.S. banks report deposits and withdrawals of $10,000 in cash to the US government.

So if you're selling a used car and the buyer pays you $12,000 in banknotes, and you deposit that to your bank account, you're now in a government database, whether that be in Canada or the U.S.

Canadian banks generated 8 million CTRs in 2022-23 whereas U.S. banks generated 20.8 million in 2023. Pound for pound, Canadian banks submit more cash transaction reports to their government than U.S. banks, around 0.21 per Canadian compared to 0.06 per American. I'm not sure why. The threshold for reporting a cash transaction in Canada is lower than in the U.S. (CAD$10,000 is worth around US$7,300) which may explain some of the difference? Dunno.

With CTRs and cross-border wire transfers, the invasiveness is kept relatively low thanks to the objective criteria that trigger a filing. Exceed the $10,000 threshold and at least you know ahead of time that your information is going to be recorded. A law-abiding citizen who is uncomfortable with their finances being collected by the government can choose to avoid sending cross-border payments or dealing in large amounts of cash. But this objectivity doesn't exist with the next type of report: those related to suspicious activities.

On both sides of the border, financial institutions must submit reports about transactions deemed suspicious to their respective governments. If you've made a transaction that a bank deems to be suspicious, you'll never know that you've landed in a government database. That's because banks are prohibited from notifying their customers that their activity has been snitched on.  

The determination of what qualifies as suspicious involves a fair amount of subjectivity. Canada requires that financial institutions have reasonable grounds to suspect that a transaction is linked to terrorism or money laundering before reporting it. That means that a mere hunch won't cut it; a Canadian banker must be able to articulate a clear reason for suspicion. Mind you, there's no penalty for banks that fail to attach a specific reason to a report, so the reasonable grounds to suspect standard is often ignored.

We know that many of these hunch-based reports end up in the government's database. Over the years the Office of the Privacy Commissioner of Canada has collected a list of reports that failed to reach the reasonable grounds to suspect standard, including one case in which some individuals were suspected simply because they had Middle Eastern passports:

From the Office of the Privacy Commissioner's 2017 audit of FINTRAC [source]

My reading of the U.S. requirements for reporting a suspicious transaction suggests a looser standard than in Canada. While U.S. bankers are encouraged to provide a specific red flag in their CTRs, the implementing regulations say they can still file a report if they merely "suspect" a transaction to be associated with money laundering or terrorism, which is a lower standard than the requirement to have a "reason to suspect."

In Canada, there is no size threshold for suspicious activity reporting: even a $50 payment can be reported by a bank. By contrast, the U.S. has set a $5,000 threshold before a suspicious activity report must be filed. (When suspicious activity reports were first introduced to the U.S. in 1994, the government floated the idea of not including a threshold at all, as Canada would later do in 2001, but retreated because this would impose a "burden of reporting.")

This difference in thresholds suggests Canada should have a much higher intensity of suspicious transaction reporting than the U.S. Not so. Canadian banks generated 560,858 suspicious transaction reports in 2022-23, around 1.4 reports for every 100 Canadians. Compare this to the 4.6 million reports filed by U.S. banks in 2023, which also comes out to 1.4 reports per 100 Americans. So even though bankers in the U.S. are required to ignore small suspicious transactions below $5,000, they more than make up for it by reporting a larger proportion of transactions than Canadian bankers do. I can only guess why, but this may be due to the looser standard for suspicion, discussed above.

There are several other types of transactions that must be reported to the government, including large virtual currency reports in Canada and foreign bank and financial accounts reports (FBAR) in the U.S., but the volume of this sort of reporting isn't as significant as the other types already discussed, so I won't touch on them.

So to briefly sum up, pound for pound a Canadian is more likely to appear in their government's financial database than an American is. This is because Canadian financial institutions collect personal information linked to cross-border wire transfers, while the U.S. doesn't. The most privacy-invasive reports are suspicious ones. Compared to Canadian banks, U.S. banks are more trigger-happy when it comes to deeming a given transaction as suspicious, but the US$5,000 floor on reporting suspicious transactions somewhat mitigates this eagerness.

Having dealt with what sorts of data flow in to the government, let's talk about what happens next with the data.    

***How personal financial data flows from the government to law enforcement***

The personal financial data accumulated by the two governments are managed by each nation's respective financial intelligence unit, or FIU. In Canada, this institution is known as the Financial Transactions and Reports Analysis Centre of Canada, or FINTRAC. In the U.S., the body that collects personal financial data is known as the Financial Crimes Enforcement Network, or FinCEN.

It's here with the management of harvested financial data that the policies of the two countries really start to diverge.

To begin with, let's start with the length of time that data can be kept. In the U.S., FinCEN holds data indefinitely, so its database is forever growing. Canada allows FINTRAC to keep data for at least ten years and up to fifteen years, but after that FINTRAC must destroy any identifying information if it was not disclosed to law enforcement. Since most of FINTRAC's data is not disclosed, that means large amounts of data fall out of FINTRAC's database every year, and thus the amount of personal information collected grows at a slower rate than FinCEN's data hoard.

The differences between the two countries grow even wider when it comes to the question of who has access to citizens' financial data. In brief, U.S. law enforcement is granted broad access to the raw data whereas Canadian law enforcement's ability to see the data is strictly limited.

472 different U.S. law enforcement agencies at the Federal, state, and local levels have the ability to directly query FinCEN's database of CTRs, suspicious activity reports, and more. This amounts to around 14,000 law enforcement officers who can search through the personal financial data of American citizens. In 2023, these 14,000 users conducted 2.3 million searches using FinCEN's query tool.

FinCEN's data can also be downloaded in bulk form to the in-house servers of eleven different federal agencies, including the FBI, ICE, and the IRS. Bulk access (also known as Agency Integrated Access) means that the FBI, ICE, IRS, and eight other agencies don't need to use FinCEN's query tool. This bulk data can be accessed by another 35,000 agents. Alas, FinCEN doesn't track how many in-house searches were conducted by these agents in 2023, but I'd guess it's in the tens if not hundreds of millions.

By contrast, Canadian law enforcement agencies do not get direct access to FINTRAC's financial data trove. Instead, FINTRAC employs an internal force of a few hundred data analysts to parse the database for clues that suggest participation in money laundering or terrorist financing. Only when FINTRAC employees have attained a reasonable grounds to suspect that a pattern of transactions has crossed the line can they pass a report on to a Canadian law enforcement body, such as the RCMP or municipal police. This report is known as a financial intelligence disclosure and includes information like the name of the transactor, their address, telephone number, criminal record, and more.

FINTRAC submitted 2,085 of these disclosures to law enforcement in 2022-2023.

So to step back for a moment, tens of thousands of U.S. law enforcement officials conduct tens of millions of searches through Americans' personal financial data to get leads. In Canada, this same database can only be accessed by a small number of FINTRAC analysts, who selectively push a few thousand reports out to Canadian law enforcement each year.

That's quite the contrast. Put differently, unlike their U.S. equivalents the RCMP, Sûreté du Québec, Ontario Provincial Police, and other police agencies do not have the power to pull personal financial data willy-nilly from the government's database. This means far fewer eyeballs on Canadian financial records. As far as protecting the financial privacy of citizens, the Canadian access model does a better job. The U.S. access model is friendlier to law enforcement and stopping crime.

A disadvantage (or advantage, depending on your tolerance for being watched) of the American system is it allows the 11 agencies with bulk access to create "data cocktails" (personal financial data downloaded from FinCEN spiked with their own data sources) in order to better investigate suspects. For instance, according to a 2009 report from the Government Accountability Office, the FBI incorporates bulk FinCEN suspicious activity reports into its Investigative Data Warehouse along with 50 other data sets from different sources. The IRS's Reveal System, portrayed below, ingests FinCEN reports along with tax data to conduct more complex investigations.

The IRS's Reveal System, which ingests FinCEN CTRs along with other non-FinCEN data [source]

I don't know if the FBI and IRS data cocktails still exist, and in what form, but they certainly give a flavor of what sorts of broad access law enforcement can get to personal financial records in the U.S.

By contrast, Canadian law doesn't allow for U.S.-style data cocktails. An agency like the RCMP can't mix FINTRAC's store of personal financial data with their own bespoke data sources because the RCMP is prohibited from pulling raw CTRs, cross-border wire transfer reports, and suspicious transaction reports out of FINTRAC. Only FINTRAC gets to determine what information gets pushed out to the RCMP.

This firewall isn't accidental. As Horst Intscher, a former director of FINTRAC explains, a degree of privacy protection was purposefully built into FINTRAC's original design: "Because of the very broad range of information that the [Proceeds of Crime (Money Laundering) and Terrorist Financing Act] makes it possible for us to receive from reporting entities, it was determined at the original passage of the legislation that protections had to be built, so it would not be construed that there was a flow-through of massive amounts of personal information directed to law enforcement agencies."

In other words, FINTRAC was designed to prevent the likes of the RCMP from creating an FBI-style Investigative Data Warehouse. 

However, the wall imposed between Canadian law enforcement and FINTRAC does have a degree of porosity, enough to provide law enforcement with an indirect way for pulling data out of FINTRAC. If the RCMP is investigating a suspected money launderer, it can submit information about the suspect to FINTRAC in the form of a voluntary information record. For example, it might say that "Joe Blow and his sister-in-law Martha are the subjects of an investigation for drug trafficking and money laundering, and we just thought you should know that." This new data becomes part of FINTRAC's database, against which FINTRAC's agents will check all other data. If the agents spot a match, and it meets the bar for a "reasonable grounds for suspicion", then they must send the RCMP a disclosure containing the relevant personal financial information.  

In 2022-23 FINTRAC received 2,550 voluntary information records from Canada’s law enforcement and national security agencies (including from members of the public), a large number of these eventually boomeranging back to law enforcement in the form of a disclosure. How many? The head of FINTRAC once claimed that "65% to 70%" of FINTRAC's ultimate disclosures to law enforcement are triggered by voluntary information submitted by law enforcement, which hints at how porous the wall is.

----

That sums up my comparison of the inflows and outflows of personal financial data to the U.S. and Canadian governments. This is just a cursory analysis. There are all sorts of other vectors across which to compare the scope of the two nations' data collection efforts that I haven't explored. I've focused on the factors that I think are the most important.

Readers from other countries may be curious to find out about their own FIUs to determine where they stand relative to Canada and the U.S. If so, leave your findings in the comments. My Australian readers, for instance, may be interested to note that their government collects far more private information than the U.S. and Canada combined. AUSTRAC, the Australian FIU, collected 192 million transaction reports in 2023, an astonishing 7 reports per Australian!  This is because AUSTRAC receives information on all cross-border wires, with no lower threshold.

At the outset of this article I suggested that many of us would tolerate some loss of privacy in order to make it easier for the police to catch criminals. A few of us will accept a large loss. Others will not tolerate even the smallest infringement on privacy. An individual's line in the sand is very much a personal matter. I'm going to leave it to the reader to decide which country (if either) approaches the right balance. Is Canada too lax relative to the U.S.? Does the firewall we've erected between the cops and the trove of financial information give criminals free rein? Or does the U.S. not sufficiently respect privacy? Should the FBI and its sister agencies lose some of their unfettered access to Americans' personal financial data?

18 comments:

  1. Small error.... FinCEN analysts instead of FINTRAC analysts

  2. Another important difference in the use of transaction reports is US law enforcement can use it to investigate any crimes. In Canada, FINTRAC needs to have an ML/TF/TH nexus in order to disclose to law enforcement.

    Replies
    1. Great point. Odd that, given a wider scope for reporting a transaction to FinCEN than to FINTRAC, the per capita intensity of reporting isn't much higher for the US than Canada.

      By the way, ML is money laundering and TF is terrorist financing, but what is TH?

    2. Threats to the security of Canada PCMLTFA 55.1(1). Primarily disclosures to CSIS but also secondary mandate for disclosure to law enforcement and others.

    3. It would be hard to compare the number of STRs/SARs received without knowing a lot more about how the US system works for banks. To sum up the comparison problem though would be to say... one STR does not necessarily equal one suspicious transaction.

      A bank's suspicion is probably more often based in a pattern of transactions, rather than a single transaction. When a bank sends in an STR to FINTRAC, it can actually contain up to 99 different transactions that are bundled together. This number is a limitation of FINTRAC's system (that said, this may be changing or have changed - there are always improvements). Further complicating things, one STR with 99 transactions can also be linked with other related STRs with up to 99 transactions that the bank submitted at the same time. Because this is a system limitation issue, they should be counted as one STR.

      You would have to get into the specifics of bank reporting to FinCEN to make an accurate comparison.

      Clear as mud...

  3. "Mind you, there's no penalty for banks that fail to attach a specific reason to a report, so the reasonable grounds to suspect standard is often ignored."

    FINTRAC is to destroy any reports that should not have been submitted. PCMLTFA 54(2).

    An incomplete transaction should be considered one that should not have been submitted.

    Whether that STR meets the bank's threshold of RGS that the transaction is related to ML or TF is of concern.

    As noted by the OPC, banks' RGS's have been suspect or biased.

    FINTRAC has fought with the OPC re: handling of STRs with suspect RGS.

    OPC told FINTRAC to delete these reports. FINTRAC had told OPC they have to receive all reports submitted. FINTRAC has committed only to better front-end screening of STRs, not to deleting existing reports.

    Replies
    1. Given that it's plainly outlined in the PCMLTFA that FINTRAC must destroy shoddy suspicious reports submitted by banks, on what legal basis is FINTRAC deciding to do the opposite and keep them?

  4. I don't remember when the PCMLTFA was amended with the obligation to destroy and before there was this obligation in place, one would question if the PCMLTFA permitted FINTRAC to destroy reports it received.

    OPC has always been on top of FINTRAC for this with OPC's position strengthened with the change in legislation.

    This is what OPC has had to say...

    2009
    "While we found no evidence to suggest FINTRAC is collecting information beyond what is authorized, we noted that it has received and retains information beyond the Centre's legislative authority."

    2013
    "In carrying out its analysis and disclosure functions, FINTRAC continues to receive and retain personal information not directly related to its mandate."

    2017
    "FINTRAC continues to receive and retain personal information outside of the legislated thresholds for reporting."

    2021
    "FINTRAC is obliged to destroy information that does not meet reporting thresholds when this determination is made in the normal course of its activities.

    However, such reports were being received by FINTRAC and retained in its databases, potentially for long periods of time. In February 2021, FINTRAC provided a status update on its commitment to implementing action plan items related to our recommendations. However, as described below, with the exception of front-end screening, FINTRAC’s reported activities did not include clear evidence of implementation of our recommendations."

  5. I should note that these OPC references do not all relate to STRs but also to other report types that the OPC found to be outside FINTRAC's authorities (e.g. under-threshold LCTRs). I would have to go back and re-read the OPC reports to see if specific concerns regarding STRs rolled off at some point.

  6. FINTRAC requires little (more like no) reporting of Canadians living outside of Canada. FINCEN requires extensive reporting of non resident US citizens.

    Replies
    1. Interesting...
      FINTRAC's reporting rules are all transaction-based (with the exceptions of sanctions and TPRs). All transactions are treated the same regardless of citizenship.

      Are foreign banks required to report on non-resident US citizens, or just US banks? Can FinCEN track a foreign-to-foreign transaction from a US citizen?

    2. No. The reporting rules in the US are US citizens wherever they are located (i.e. in the US itself or living in any foreign country) must report all foreign accounts they have signature authority over to FINCEN on Form 114. Why was this rule ever implemented and what is the point? Who the hell knows? Note it has nothing specifically to do with taxation. It is purely an anti money laundering requirement. A lot of people think in an AML context requiring people to self report on their financial activities is downright weird against the whole point of AML law. I do have a couple of thoughts that I will share later as to why this requirement was instituted in the early 1970s.

    3. Again... interesting.

      This does seem to fit with a US approach to the criminal justice system. Perhaps in the same way there are offences for lying to law enforcement (which is sometimes easier to prove than the underlying offence), some money laundering is captured through a failure to report offence, rather than the actual laundering...

    4. Tim, what you're referring to is FBAR reports, no? Are those different from FATCA reports?

    5. They are. FATCA reports are part of the income tax system. FBAR reports are part of AML law. Now yes FINCEN delegates a lot of day-to-day administration of FBAR reporting to the IRS just like FINCEN delegates to the IRS supervision of MSBs but at the end of the day the FBAR is an AML reporting requirement.

    6. Thanks, interesting. I suppose that fits in with the general theme of my post which is that the U.S. regime is more invasive than the Canadian one, except for the reporting of cross-border transfers.

      In Canada is it Canadian financial institutions that are obligated to submit FBAR reports to the IRS or are American individuals required to do so themselves?
