Foreign Banking Services Privacy Impact Assessment

1. Introduction

In April 2002, the Receiver General of Canada (RG) reached an agreement with the Bank of America National Association, Canada Branch (B of A) to make payments to recipients, on behalf of the Government of Canada, in foreign countries. As part of this agreement, the B of A will produce payment instruments in the currency of the country in which the beneficiary has a postal address.

2. Business Model

Public Works and Government Services Canada (PWGSC), through the RG, has in place a process to make payments to recipients on behalf of the Government of Canada. The only changes to this process are to transfer the payment details (name, address, bank account number, type of payment and amount to be paid) from PWGSC's Standard Payments System (SPS) to the B of A, who will execute the payment, provide advice to the RG of a successful payment or return rejected payment transactions intact to the RG for their further action. No other changes are necessary to the current payment process used by PWGSC. The process will continue to entail receiving data required to issue payments to beneficiaries from departments and agencies of the federal government. The data will then be transferred electronically to the B of A, who will pay beneficiaries in the currency of the country in which they are domiciled.

The Foreign Banking Services (FBS) encompass that part of the process commencing with the receipt of payment files by the B of A from PWGSC. It includes the validation and processing of the payment instruction by the B of A, and culminates with the delivery of the payment to the beneficiary and confirmation of that delivery to PWGSC.

The personal information that will be received by the B of A from PWGSC comprises name, address and payment details, as noted above, which will only be processed when it is received. After this personal information is processed, the payment information will be stored as historical information that will be held in electronic and/or paper form in secure storage.

3. Data Analysis

3.1 Bank of America

Step 1. The issuing department sends a payment request to PWGSC.

Step 2. PWGSC formats the request into an appropriate and B of A recognized transaction and sends the transaction to Bank of America

Step 3. The B of A validates the payment data received, determines the amount to be paid in the settlement currency requested and determines the appropriate routing, either to a correspondent bank or to the customer, in the form of payment requested.

Step 4. Rejected payment instructions are returned to PWGSC and the issuing department notified. They may be corrected, resubmitted, cancelled or the payment is sent to an address in Canada.

Step 5. Cheque payment instructions may be accompanied by payment information details on an associated attachment (stub). The stub "record" contains the specific details of the payment.

Step 6. After issuing the payment as instructed, the B of A returns the following information to PWGSC:

  • results for Payment Requests;
  • results for Administrative Requests;
  • post issuance results of payments; and
  • post issuance results of administrative (non-monetary) requests.

3.2 Output Files

The B of A produces four "results" files, which contain the:

  • Results of the Payment Instructions File;
  • Results of the Administrative Orders file;
  • Post issuance results of payments file; and
  • Post issuance results of administrative (non-monetary) requests file.

The purpose of the results of Payment Instructions and results of Administrative Orders file is to inform PWGSC of the acceptance or rejection of instructions received and to provide additional data available for the payment such as the calculated Canadian or foreign amount and the rate used, the B of A reference number and the totals to be debited or credited. These files are returned to PWGSC following the processing of the Payment Requests and Administrative requests files. The B of A will not retain the stub information, which is electronic, so it is in effect destroyed. This process may occur once or twice a day. The records are retained for six fiscal years and then destroyed.

Table Summary FBS Data Flow Table includes information on the Payment Instruction Data Cluster, Beneficiary Account Information Cluster, and the Payment Results Data Cluster.
FBS Data Flow Table
Data Cluster Provided by Provided to Used for
Payment Instruction Data Cluster includes:
  • Payment date;
  • Payment amount (in both Canadian dollars and in the specific settlement currency if required)
  • Beneficiary name and address; and
  • Type of payment (wire, cheque, direct deposit);
  • Payment information
Receiver General Bank of America Making payments to beneficiaries
Beneficiary Account Information cluster includes:
  • Name;
  • Bank transit number (Bank, Branch);
  • Bank account number;
  • Account type for US DD only (savings or chequing) and
  • Amount of payment
  • SWIFT/BIC code (Bank Identification Code
  • Bank Name and address
Receiver General Bank of America Deposit funds to beneficiaries' bank accounts
Payment Results Data Cluster: (this is really a B of A number confirming that the information has been accepted, processed and issued.)
  • Payment date;
  • Payment amount (in both Canadian dollars and in the specific settlement currency.
  • Beneficiary name and address; and
  • Type of payment (wire, cheque, direct deposit);
  • Payment information
Bank of America Receiver General Provide notification of payments made to beneficiaries for accounting purposes. The purpose of the data is to inform PWGSC of the acceptance or rejection of the payment orders received and to provide additional data available for the payment, such as calculated Canadian or foreign amount, rate used, Bank of America reference number, totals to be debited/credited.

4. Privacy Risk Management

4.1 Security & Audits

System security is an integrated function of the system. Users are identified and authenticated by a single security mechanism, at the system level. All system objects are under security control.

Audit trails provide a record of system and application activity. B of A systems all record sufficient information to trace significant security events to the responsible individual, and create an audit trail of accesses to information and resources.

If a payment is greater than CAD $10,000.00 the B of A is required under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act to report cross border electronic fund transfers to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).

Records are stored in accordance with the Bank Act and Proceeds of Crime (Money Laundering) and Terrorist Financing Act regulations that are generally from 5 to 10 years from the date of the transaction. Storage and disposal take place at a secure site in accordance with the above regulations. Sensitive data that is to be destroyed immediately is stored in locked recycling bins and destroyed by a contracted vendor at a secured site.

The B of A is not responsible for ensuring the accuracy of payment details supplied by PWGSC but is responsible for ensuring that the file received from the PWGSC is formatted correctly and appropriately authorized. If the file received from PWGSC fails these edits, then the B of A will return the file to PWGSC for correction.

4.2 Conclusion

In sum, PWGSC has reviewed the changes to the Foreign Banking Service and can confirm that all potential privacy issues arising from the change to the process have been addressed. Therefore, no additional action is necessary to meet the requirements of the Privacy Act and the Personal Information Protection and Electronic Documents Act.