Close

 

 

 

Home Research and Advocacy Fraud and Security Bank Crime Prevention and Investigation Office

S M L

Bank Crime Prevention and Investigation Office

Last modified: 11 October 2011

Crimes committed against banks and their customers are a significant problem. The banking industry's crime investigation and prevention activities are co-ordinated through the Canadian Bankers Association's Bank Crime Prevention and Investigation Office (BCPIO).

The purpose of the BCPIO is to protect bank customers against financial crime, including credit card and debit card fraud, bank robbery, counterfeiting, cyber crime, money laundering, the use of forged documents and more.

Information about suspected fraud and criminal activity is shared among members of the BCPIO and, as appropriate, with law enforcement agencies, resulting in the detection, prevention and prosecution of crime that could cost banks and their customers hundreds of millions of dollars in losses each year. Industry personnel involved in investigations of criminal activity follow strict privacy policies and must sign annual confidentiality agreements.

The CBA's BCPIO has been designated as an investigative body under the federal Personal Information Protection and Electronic Documents Act that is overseen by the Privacy Commissioner of Canada.

BCPIO privacy policies

Personal information handled by the BCPIO is subject to the following provisions, rather than the CBA's general Privacy Policy.

Accountability

The BCPIO is responsible for all personal information in its control.

The CBA's Director, Security is accountable for compliance with these policies and procedures.

The BCPIO will obtain certificates of compliance from CBA Members and will assist Members with training of the BCPIO staff about the importance of maintaining the privacy of the information collected by the BCPIO.

An annual compliance audit of the practices of the BCPIO will be reported by the CBA Privacy Officer to the CBA's Executive Council (Board of Directors).

Identifying the purpose of personal information

The purpose for which the BCPIO collects and uses personal information is to facilitate the investigation and prevention of criminal and dishonest activity including contraventions of the laws of Canada, a province or a foreign jurisdiction in accordance with the Personal Information Protection and Electronic Documents Act. Personal information collected, used and retained necessarily includes information on:

  • Employees who were dismissed from a bank for criminal acts or for serious breaches of a bank's code of conduct, including dishonesty;
  • Credit card merchants who have had their merchant privileges terminated;
  • Individuals who are innocent customers or victims of the crime whose data has been or is suspected of being compromised;
  • Criminal activity involving financial institutions, including personal information about related suspects.

BCPIO personnel are trained to explain the purposes of collecting the information to any individual who asks for an explanation.

Consent

Obtaining consent of the individuals would defeat the purposes of the BCPIO's collecting, using and disclosing the personal information. Personal information will only be collected, used and disclosed without consent in accordance with section 7 of the Personal Information Protection and Electronic Documents Act.

Limits for collecting personal information

The BCPIO collects information about individuals only if there are reasonable grounds to believe that the information relates to dishonest conduct or criminal breaches of agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed.

The BCPIO collects only the personal information that is required for the preventative and investigative purposes set out above.

The BCPIO collects personal information using procedures that are fair and lawful. BCPIO information is based on the results of BCPIO or law enforcement agencies' investigations and prosecutions of criminal activity related to financial institutions.

Limits for using, disclosing and keeping personal information

The BCPIO uses or discloses personal information only for the purposes for which it was collected. It only keeps information for as long as it is required for the stated purposes.

BCPIO members disclose personal information only to law enforcement authorities for the purposes of investigating or preventing a crime or prosecuting a suspect or as is reasonably necessary for purposes relating to its investigations or in response to supoena or other court order or otherwise expressly provided for in the Personal Information Protection and Electronic Documents Act.

BCPIO data is reviewed on an annual basis to ensure that personal information that is no longer required is destroyed, erased or made anonymous.

Keeping personal information accurate

The BCPIO ensures to the best of its ability that the information it holds is accurate, complete, current and relevant to the identified purposes.

The BCPIO keeps a record of those who have used the personal information held by the BCPIO so that where appropriate or where it may affect a decision being made about that individual, any corrections to the information can be given to those parties.

Safeguarding personal information

The BCPIO ensures that personal information is stored in electronic and physical files that are secure. Security measures include secure locks on filing cabinets and restricted access to offices and the computer server room.

There is restricted access to sensitive data through secured passwords limited to those who have a need to use the personal information contained in sensitive databases. For example, access to information on former employees terminated "for cause" would be restricted to the Director, Security or his designate and the senior corporate security staff member of each bank along with up to two designates. Other members of the BCPIO, who have no need to check potential employee references, would not have access to that information.

BCPIO communication with authorized members utilizes Entrust encryption technology to provide the maximum protection for the sensitive information being transmitted.

Distribution of information on suspected criminal activity is restricted to the staff within the BCPIO.
Investigators of a particular (potential) crime or fraud limit the exchange of personal information about suspects to those within the BCPIO with a need to know. For example, where only two banks are involved in investigating a fraud scheme, only those two banks have access to the related personal information.

All members of the BCPIO who are authorized to access any of the BCPIO data will sign annually a confidentiality agreement to abide by the privacy policies and procedures.

Physical BCPIO files containing personal information deleted from the files is shredded under the supervision of BCPIO staff. Deleted electronic files will be permanently removed from the system.

Making information about policies and procedures available

Easily understandable information about the BCPIO privacy policies and procedures are made public with other information about the BCPIO and its purpose in hard copy and on the CBA website. This information is readily available to bank employees and customers who may have their information collected, used or disclosed by the BCPIO.

Access to personal information

In accordance with paragraph 9(3)(c.1) of the Personal Information Protection and Electronic Documents Act, if such disclosure does not defeat the purposes for which the information was collected, when individuals request it, the BCPIO will tell them whether the BCPIO has personal information about them, what that information is, what it is being used for and to whom the information has been disclosed.

Individuals should send their written request for access, with contact information and enough information about themselves to identify them, to the Director, Security, Canadian Bankers Association, P.O. Box 348, Commerce Court Postal Station, Toronto, Ontario M5L 1G2

Individuals can get information about how to request the personal information that the BCPIO has about them by calling the Banking Information Centre at 1-800-263-0231 or by sending an e-mail at inform@cba.ca, where procedures can be explained or assistance can be provided in preparing the request.

To respond to your enquiry the Canadian Bankers Association, (CBA) will need to confirm your identity. Please submit your request with copies of two pieces of personally signed and dated identification from the list below. One of these documents must bear your photograph, address and date of birth.

  • A drivers’ licence issued in Canada, as permitted to be used for identification purposes under provincial law.
  • A Canadian passport
  • A Certificate of Canadian Citizenship or Certificate of Naturalization, in the form of a paper document or card but not a commemorative issue
  • A Permanent Resident card or Citizenship and Immigration Canada Form IMM 1000 or IMM 1442
  • A birth certificate issued in Canada
  • A Social Insurance Number card issued by the Government of Canada
  • An Old age Security card issued by the Government of Canada
  • A Certificate of Indian Status issued by the Government of Canada
  • A Provincial Health Insurance card, as permitted to be used for identification purposes under provincial law
  • A document or card, bearing the individual’s photograph and signature, issued by any of the following authorities or their successors:
    • Insurance Corporation of British Columbia
    • Alberta Registries
    • Saskatchewan Government Insurance
    • Department of Service Nova Scotia and Municipal Relations
    • Department of Transportation and Public Works of the Province of Prince Edward Island
    • Service New Brunswick
    • Department of Government Services and Lands of the Province of Newfoundland and Labrador
    • Department of Transportation of the Northwest Territories
    • Department of Community Government and Transportation of the Territory of Nunavut
  • A Canadian National Institute for the Blind (CNIB) client card bearing the individual’s photograph and signature.
  • A foreign passport

These documents will be returned to you once your identification has been verified.

The BCPIO will respond, within 30 days of receiving the request, in a form that the individual can understand. There is no cost to the individual.

If the individual can provide proof of an error in the personal information held by the BCPIO, the BCPIO will correct the information and, where appropriate, send the corrected information to others who have used the incorrect information. If the individual challenges certain information but cannot disprove its accuracy, the BCPIO will note the challenge so that those using the information will be aware of the unresolved challenge.

If the BCPIO denies the individual's request for access, it will state the reasons for the denial. The individual may then choose to file a complaint with the Office of the Privacy Commissioner of Canada at 112 Kent Street, Ottawa, Ontario K1A 1H3.

Handling individual's complaints and questions

Individuals may send any complaints concerning the BCPIO's compliance with its own privacy policies and procedures to the President of the Canadian Bankers Association at P.O. Box 348, Commerce Court Postal Station, Toronto, Ontario M5L 1G2. The President or a designate will investigate the complaint and respond to the individual.

If an individual's complaint is justified, the BCPIO will change its polices and procedures related to that matter so that other individuals will not experience the same problem.

If still not satisfied, an individual may file a complaint with the Privacy Commissioner of Canada who can be contacted by:

  • e-mail, at info@privcom.gc.ca
  • telephone, at (613) 995-8210, toll-free 1-800-282-1376
  • fax, at (613) 947-6850 or
  • mail, 112 Kent Street, Ottawa, Ontario K1A 1H3.

 

Back to top
Research and Advocacy:
In this section:

© 2011 Canadian Bankers Association