As in most jurisdictions the pandemic has caused widespread disruption in Canada. The historic level of disruption has expedited reliance on technology and e-commerce across all sectors, setting the stage for a perfect storm when it comes to fraud and white-collar crime risks. Canada has long been considered a nation soft on white-collar crime, with the country’s ranking on Transparency International’s Corruption Perception Index reaching an all-time low recently. Among other concerning statistics, in 2021 the Criminal Intelligence Service estimated that between CA$45 and CA$113bn is laundered through Canada annually.
Over the past three years Canadian authorities have seen a clear rise in a range of fraudulent activity. It is apparent that the rise in fraudulent activity during the pandemic has caused the government to fast-track overdue initiatives in Canadian anti-fraud legislation, particularly in relation to cyber-crime and e-commerce fraud. This article provides a summary of steps under way to advance three aspects of the Canadian anti-fraud regime, namely: (i) the response to increasing data-breach incidents and cyber-crime, (ii) steps taken to address the increasing number of crypto businesses offering services in Canada and associated fraud, and (iii) the response to increasing money laundering activity.
Laws addressing increasing levels of data-breach and cyber-crime
The Covid-19 pandemic and the subsequent shift to online work and online learning has dramatically highlighted the need for effective cyber security practices and laws. The global ‘attack surface’ has grown, giving cyber criminals increased access to connected devices. There has been an estimated 30% increase in data breaches in 2021, as compared to 2020. Efforts have been made across all levels of government to address increasing levels of data breach and cybercrime.
At the federal level, in April 2020, the Canadian Internet Registration Authority (CIRA), with the support of the government of Canada, launched the Canadian Shield initiative: a free Domain Name System that filters internet connections against known cyber threats.
In November 2020, the government of Canada introduced Bill C-11, the Digital Charter Implementation Act. It proposes a Consumer Privacy Protection Act (CPPA) to replace PIPEDA as the consumer privacy legislation in Canada. Under the new CPPA, the Office of the Privacy Commissioner (OPC) would have the power to launch an official inquiry, and will be armed with enhanced order-making powers. In addition, the OPC would have the ability to recommend monetary penalties to a new Tribunal, which would be established by companion legislation and will serve as the appeals body for OPC decisions. Maximum penalties would be the higher of CA$10m or 3% of global revenues. Knowing failure to report breaches could result in indictable offences and maximum penalties of CA$25m or 5% of global revenues. If the CPPA is passed, Canada would have the strongest financial penalties for privacy violations in the G7.
At the provincial level, there have been significant legislative developments in Quebec and British Columbia. In September 2021, Quebec passed Bill 64, an Act to modernise legislative provisions as regards the protection of personal information. Once enacted, the Act will require organisations to notify the regulator of any data breaches that present a ‘risk of serious injury’ to the affected persons. It will bring Quebec’s consent rules closer to that of the European General Data Protection Regulation (GDPR). On 3 December 2021, Quebec passed Bill 6, an Act to enact the Act respecting the Ministère de la Cybersécurité et du Numérique and to amend other provisions. This Act creates a new cybersecurity watchdog, the Minister of Cybersecurity and Digital Technology, charged with investigating cybersecurity incidents. The passage of Bill 64 and Bill 6 signals an increase in regulatory scrutiny over cybersecurity practices throughout the province.
On 13 April 2021, British Columbia’s Legislative Assembly agreed to appoint a Special Committee to review the province’s Personal Information Protection Act (PIPA), the statute that governs the private sector collection, use, and disclosure of personal information. On 6 December 2021, the Special Committee published a report making 34 recommendations for amending PIPA. Among the recommendations, the Committee called for the creation of: (1) a ‘right of portability’ for individuals to obtain their own personal information from an organisation; (2) a requirement for organisations to create privacy impact assessments in the context of projects involving the processing of sensitive information; and (3) a requirement for organisations to notify the regulator of data breaches.
The Ontario government has begun a consultation process to determine whether to implement its own private sector privacy laws. As it stand, Ontarians only have access to the federal PIPEDA and provincial legislation in the context of personal health related data. In June, 2021 the Ontario government released a white paper proposing standalone private sector legislation. If implemented it would represent an important shift in the oversight of data collection, use and disclosure by private organisations. The proposals would bring Ontario closer to the regime under the GDPR.
Laws addressing the proliferation of crypto businesses and related fraud
For crypto-asset businesses operating in Canada, 2021 brought into force significant regulation. We also saw aggressive enforcement steps commenced against both domestic and foreign players offering services in Canada.
Canadian regulators have now adopted a registration regime for crypto assets trading platforms (CTPs) offering custodial services to Canadian clients. In March 2021, the Canadian Securities Administrators and Investment Industry Regulatory Organization of Canada (IIROC) released Staff Notice 21-329 Guidance for Crypto-Asset Trading Platforms: Compliance with Regulatory Requirements (Staff Notice 21-329). Staff Notice 21-329 makes it clear that dealer registration under securities laws is required for CTPs that facilitate the trading of: (i) cryptoassets that are securities (Security Tokens), and (ii) Crypto Contracts, which the CSA considers to be securities and/or derivatives when the CTP retains custody of the private keys to the cryptoassets on behalf of its clients, rather than immediately delivering the cryptoassets to a blockchain address specified by the client.
Canadian securities regulators have also increased enforcement steps against CTPs, including enforcement against foreign CTPs offering services to domestic investors. In March 2021, for example, the Ontario Securities Commission (OSC) alerted CTPs offering services in Ontario that they must engage with the OSC by 19 April 2021 on how to bring their business into compliance with the new regime. Starting in May 2021, the OSC commenced aggressive enforcement steps against a number of non-Canadian based platforms that failed to bring their businesses into compliance.
Laws addressing increasing money-laundering activity
Canada’s anti-money laundering laws
The federal Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) imposes obligations on financial institutions and certain other businesses to prevent money laundering through record keeping, identity verification, and ongoing monitoring and reporting, as well as through anti-money laundering compliance programmes. The PCMLTFA is enforced by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), the federal financial intelligence agency.
Persons found in contravention of the PCMLTFA may be subject to a fine of up to CA$500,000 and/or imprisonment of up to five years, or an administrative monetary penalty of up to CA$100,000 for individuals or up to CA$500,000 for organisations, for most offences. Parties may be offered the opportunity to enter into a formal compliance agreement with FINTRAC in exchange for a reduced penalty.
It is an also offence under the Criminal Code to engage in money laundering. To establish the offence, a person must have (i) laundered property or any proceeds of any property, in any manner and by any means, (ii) with the intent to conceal or convert that property or those proceeds, (iii) knowing or believing that, or being reckless as to whether, all or a part of that property or of those proceeds was obtained or derived directly or indirectly as a result of an offence in Canada (or one occurring outside Canada, that, if it occurred in Canada, would constitute an offence). Money laundering is punishable by imprisonment for up to ten years. Courts may also order the forfeiture of certain property.
Amendments to anti-money laundering laws
In June 2021, significant amendments to the regulations under the PCMLTFA came into force. The amendments brought Canada’s efforts in this regard into line with standards established by the inter-governmental Financial Action Task Force. The amendments include changes that impact all reporting entity sectors, as well as sector specific changes. The changes are also explained in a range of new FINTRAC guidance documents. Changes impacting all reporting entity sectors include:
- new virtual currency transaction record keeping and reporting obligations;
- updates to the 24-hour rule for reporting large cash and virtual currency transactions;
- easing the requirement to maintain records document ‘all reasonable measures taken’;
- updated know your client verification checks;
- new requirements for confirming the accuracy of information regarding beneficial ownership;
- new rules for screening politically exposed persons and heads of international organisations; and
- update compliance programme requirements.
New sector specific changes impact accounting firms, casinos, government agencies, dealers in precious metals and real estate agents.
Financial Crimes Co-ordination Centre – continued emphasis on enforcement
The Financial Crimes Co-ordination Centre (FC3) recently held Canada’s first large-scale conference of anti-money laundering professionals in late 2021. The virtual conference brought together investigators, prosecutors and experts from across Canada to discuss anti-money laundering. Covid-19’s impact on money laundering trends and sophisticated money laundering tactics using virtual currency were key topics at the conference. The FC3 is a five-year initiative first announced in 2019. The FC3 co-ordinates support to investigators and prosecutors across the provincial jurisdictions. The federal government’s creation of the FC3 is promoted as part of Canada’s commitment to taking stronger action on combatting financial crime.