Foreign Banking Services: Privacy impact assessment summary
In April 2002, the Receiver General of Canada (RG) reached an agreement with the Bank of America National Association, Canada Branch (B of A) to make payments to recipients, on behalf of the Government of Canada, in foreign countries. As part of this agreement, the B of A will produce payment instruments in the currency of the country in which the beneficiary has a postal address.
Public Works and Government Services Canada, through the RG, has in place a process to make payments to recipients on behalf of the Government of Canada. The only changes to this process are to transfer the payment details (name, address, bank account number, type of payment and amount to be paid) from the department's Standard Payments System to the B of A, who will execute the payment, provide advice to the Receiver General of Canada of a successful payment or return rejected payment transactions intact to the Receiver General of Canada for their further action. No other changes are necessary to the current payment process used by the department. The process will continue to entail receiving data required to issue payments to beneficiaries from departments and agencies of the federal government. The data will then be transferred electronically to the B of A, who will pay beneficiaries in the currency of the country in which they are domiciled.
The Foreign Banking Services encompass that part of the process commencing with the receipt of payment files by the B of A from the department. It includes the validation and processing of the payment instruction by the B of A, and culminates with the delivery of the payment to the beneficiary and confirmation of that delivery to the department.
The personal information that will be received by the B of A from the department comprises name, address and payment details, as noted above, which will only be processed when it is received. After this personal information is processed, the payment information will be stored as historical information that will be held in electronic or paper form in secure storage.
Bank of America payment process
Step 1: The issuing department sends a payment request to Public Works and Government Services Canada
Step 2: Public Works and Government Services Canada formats the request into an appropriate and B of A-recognized transaction and sends the transaction to Bank of America
Step 3: The B of A validates the payment data received, determines the amount to be paid in the settlement currency requested and determines the appropriate routing, either to a correspondent bank or to the customer, in the form of payment requested
Step 4: Rejected payment instructions are returned to Public Works and Government Services Canada and the issuing department is notified. They may be corrected, resubmitted, cancelled or the payment is sent to an address in Canada
Step 5: Cheque payment instructions may be accompanied by payment information details on an associated attachment (stub). The stub "record" contains the specific details of the payment
Step 6: After issuing the payment as instructed, the B of A returns the following information to Public Works and Government Services Canada:
- results for payment requests
- results for administrative requests
- post issuance results of payments
- post issuance results of administrative (non-monetary) requests
The B of A produces four "results" files, which contain the:
- results of the payment instructions file
- results of the administrative orders file
- post issuance results of payments file
- post issuance results of administrative (non-monetary) requests file
The purpose of the results of payment instructions and results of administrative orders file is to inform Public Works and Government Services Canada of the acceptance or rejection of instructions received and to provide additional data available for the payment, such as the calculated Canadian or foreign amount and the rate used, the B of A reference number and the totals to be debited or credited. These files are returned to the department following the processing of the payment requests and administrative requests files. The B of A will not retain the stub information, which is electronic, so it is in effect destroyed. This process may occur once or twice a day. The records are retained for six fiscal years and then destroyed.
|Data cluster||Provided by||Provided to||Used for|
|Payment instruction data cluster includes:
||Receiver General||Bank of America||Making payments to beneficiaries|
|Beneficiary account information cluster includes:
||Receiver General||Bank of America||Deposit funds to beneficiaries' bank accounts|
|Payment results data cluster (this is really a B of A number confirming that the information has been accepted, processed and issued):
||Bank of America||Receiver General||Provide notification of payments made to beneficiaries for accounting purposes. The purpose of the data is to inform Public Works and Government Services Canada of the acceptance or rejection of the payment orders received and to provide additional data available for the payment, such as calculated Canadian or foreign amount, rate used, Bank of America reference number and totals to be debited or credited|
Privacy risk management
Security and audits
System security is an integrated function of the system. Users are identified and authenticated by a single security mechanism, at the system level. All system objects are under security control.
Audit trails provide a record of system and application activity. B of A systems all record sufficient information to trace significant security events to the responsible individual, and create an audit trail of accesses to information and resources.
If a payment is greater than CAN$10,000.00, the B of A is required under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act to report cross border electronic fund transfers to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).
Records are stored in accordance with the Bank Act and Proceeds of Crime (Money Laundering) and Terrorist Financing Act regulations that are generally from 5 to 10 years from the date of the transaction. Storage and disposal take place at a secure site in accordance with the above regulations. Sensitive data that is to be destroyed immediately is stored in locked recycling bins and destroyed by a contracted vendor at a secured site.
The B of A is not responsible for ensuring the accuracy of payment details supplied by Public Works and Government Services Canada but is responsible for ensuring that the file received from the department is formatted correctly and appropriately authorized. If the file received from the department fails these edits, then the B of A will return the file to the department for correction.
In sum, Public Works and Government Services Canada has reviewed the changes to the Foreign Banking Service and can confirm that all potential privacy issues arising from the change to the process have been addressed. Therefore, no additional action is necessary to meet the requirements of the Privacy Act and the Personal Information Protection and Electronic Documents Act.
- Date modified: