Canada Draws the Line Between Financial Crime Intelligence & Privacy
Key Takeaways
- Privacy Guidance Supports AML Information Sharing: The Privacy Commissioner of Canada has issued guidance explaining how reporting entities can obtain approval for codes of practice governing the sharing of personal information to detect money laundering, terrorist financing, and sanctions evasion.
- 2025 Legislative Changes Enter Implementation Phase: The guidance operationalizes amendments introduced in March 2025, which permit certain reporting entities to share personal information without an individual's knowledge or consent in prescribed circumstances under the PCMLTFA.
- Governance Is a Prerequisite: Organizations must establish an approved code of practice before relying on the new information-sharing framework, making governance a mandatory condition rather than an administrative formality.
- Privacy Protections Must Be Preserved: Approved codes must ensure protections for personal information that are equivalent to or greater than those provided under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), reinforcing that expanded information sharing does not diminish privacy obligations.
Deep Dive
The Privacy Commissioner of Canada has published new guidance explaining how financial reporting entities should seek approval for codes of practice governing the sharing of personal information to detect money laundering, terrorist financing, and sanctions evasion. On its face, the document is procedural. It explains what organizations need to submit and what the Commissioner will expect before approving a code. But procedural documents often reveal where policymakers believe the difficult work actually lies, and this one suggests the challenge is no longer whether institutions should collaborate. It is how they can do so without weakening the privacy protections that made collaboration difficult in the first place.
The guidance applies to reporting entities regulated under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, including banks, credit unions, trust companies, life insurance providers, and loan providers. It follows legislative changes that came into force in March 2025, when Canada created a framework allowing those organizations, in certain prescribed circumstances, to share personal information with one another without an individual's knowledge or consent.
That authority is broader than what many organizations previously possessed. It is also more conditional than it first appears. Before any institution can rely on those information-sharing provisions, it must establish a code of practice governing how personal information will be shared and obtain approval from the Privacy Commissioner of Canada. The newly issued guidance exists for that purpose. Rather than introducing new legal obligations, it clarifies what information organizations must provide to demonstrate that their proposed code satisfies the approval requirements established in the regulations.
A code of practice is not intended to function as an administrative formality attached to a regulatory permission slip. It is the mechanism through which organizations must show that expanding the flow of information does not come at the expense of the protections embedded in Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). The expectation is explicit: any approved code must provide privacy protections that are at least equivalent to those required under Canada's federal private-sector privacy law.
That balance has become increasingly familiar across financial regulation. Governments want institutions to identify illicit financial activity sooner, connect risks that individual firms cannot see in isolation, and disrupt criminal networks before suspicious transactions become successful ones. Yet every additional pathway for information sharing raises equally legitimate questions about how personal information is collected, disclosed, governed, and ultimately protected. One objective does not eliminate the other. It simply makes both harder.
The Office of the Privacy Commissioner has framed its new guidance as a way of helping organizations build those governance frameworks before information begins moving between institutions.
"This new guidance will support organizations as they establish codes of practice that maintain strong privacy protections in the context of information sharing meant to detect and prevent money laundering, terrorist financing, and sanctions evasion," Privacy Commissioner Philippe Dufresne said in announcing the guidance.
The document arrives less as a policy announcement than as an implementation manual for authorities that already exist. The legislative decision was made more than a year ago. What remains is the slower, more exacting work of proving that information can travel farther without privacy protections becoming any weaker than they were before.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

