A Practice Note discussing the laws, regulations, and guidance governing bank secrecy in Canada under the common law, the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) (PIPEDA), and the Bank Act. This Note provides general guidance for a banking institution handling customer data in Canada on complying with bank secrecy obligations, the circumstances in which it can disclose customer data to third parties, and required steps to permit disclosure.

Bank secrecy laws generally prohibit banking institutions, and their officers and employees, from disclosing customer data to third parties. However, banks commonly need to disclose customer data for routine business purposes including:

  • Providing products or services to customers.
  • Making inter-company transfers.
  • Outsourcing to third-party service providers.
  • Responding to litigation and regulatory inquiries.

Global banks operating in jurisdictions with bank secrecy laws must find practical solutions to perform business functions or face sanctions including fines, regulatory actions, private lawsuits, and, in severe cases, criminal sanctions for disclosing customer data in violation of bank secrecy laws.

This Note discusses the laws, regulations, and guidance governing bank secrecy in Canada. It provides guidance for a banking institution handling customer data collected in Canada on complying with bank secrecy and outsourcing obligations, the circumstances in which it can disclose customer data to third parties, and required steps to permit disclosure.

CANADA BANK SECRECY LEGAL FRAMEWORK

Unlike many other jurisdictions, Canada does not have specific legislation governing bank secrecy. However, banks collecting customer data in Canada are subject to certain laws that collectively establish a legal framework for the collection, use, and disclosure of customer data including:

  • The common law duty of confidentiality, which banks owe to their customers (see Common Law Duty).
  • The Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) (PIPEDA) (see PIPEDA).
  • Certain provisions of the Canada Bank Act (Bank Act, S.C. 1991, c. 46) (Bank Act) (see Bank Act).

COMMON LAW DUTY

Canadian courts have followed the English Court of Appeal's decision in Tournier v. National Provincial and Union Bank of England [1924] 1 K.B. 461 (C.A.), which is the leading authority on a banker's common law duties owed to a customer. Tournier held that a banker owes a customer an implied contractual duty not to disclose the customer's data to third parties except under certain circumstances (see Exceptions Permitting Disclosure).

COVERED PERSONS AND ENTITIES

The common law duty to protect customer data applies to the relationship between the bank and the customer. A bank includes banks identified under the Bank Act and any person acting in the capacity of a banker in Canada.

The duty generally lies with the bank, as an institution, to protect customer data. Banks must therefore take steps to ensure that their employees, directors, officers, agents, and other representatives maintain customer data under the common law duty.

The common law duty to protect customer data continues even after termination of the relationship between the bank and the customer (Tournier, 1 K.B. at 473).

PROTECTED CUSTOMER DATA

The common law duty to protect customer data applies to all data obtained by the bank from any source that relates to a customer (individual or corporate), except for information that is or becomes public (other than due to the fault of the bank). This includes data relating to:

  • The customer's identity.
  • Investments maintained and the value of the investments.
  • Deposits and withdrawals.
  • Loan information.
  • Value of investments.
  • Information given by the customer about the customer's financial circumstances.
  • The customer's relationship with other banks, if any.

The common law duty to protect customer data from disclosure protects information relating to the applicable customer. Banks seeking to anonymize or aggregate customer data before disclosure so that the customer is not identified should ensure that they comply with PIPEDA (see PIPEDA: Disclosing Anonymized Personal Data).

EXCEPTIONS PERMITTING DISCLOSURE

Under Tournier, a bank's common law duty of confidentiality to its customers is not absolute and is subject to exceptions where:

  • Applicable law requires disclosure (see Disclosure Required by Law).
  • There is a duty to the public to disclose (see Duty to the Public to Disclose Customer Data).
  • The interests of the bank require disclosure (see Bank's Interests Require Disclosure).
  • The customer provides express or implied consent (see Customer Express or Implied Consent).

(See Haughton v. Haughton (1964), [1965] 1 O.R. 481 (Ont. S.C.); Guertin v. Royal Bank, (1983) 43 O.R. (2d) 363 (Ont. S.C.).)

The Tournier exceptions (other than consent) do not allow for many disclosures that banks typically need to make to third parties, including to third-party service providers and related corporate entities. When making necessary disclosures of customer data, banks should seek to rely on written customer consent rather than the other Tournier exceptions, to avoid customers challenging the bank's grounds for disclosure (see Customer Express or Implied Consent).

Disclosure Required by Law

Canadian courts invoking Tournier have allowed banks to disclose customer data when the disclosure is required by law, which generally means under court orders and legislation (see, for example, Haughton, [1965] 1 O.R. 481 (the court held that a bank manager may only be compelled to testify by a specific order of the court and that a subpoena is insufficient to override the banker's duty of confidentiality); Royal Bank of Canada v. Art's Welding & Machine Shop (1980) Ltd., (1989), 34 C.P.C. (2d) 190 (Alta. Q.B.) (the court held that a court order constitutes the compulsion of law to allow disclosure of customer data)).

An example of a disclosure required by law is section 628(1) of the Bank Act, which requires banks to provide the Superintendent of Financial Institutions with information it requires (see Bank Act).

The compulsion of law exception may also include compulsion of a law outside of Canada (see Park v. Bank of Montreal, [1997] B.C.J. No. 787 (B.C.S.C.) (the court found that disclosure made by a Canadian branch of a Korean bank to the Korean criminal prosecutor's office constituted a compulsion of law because Korean law required the disclosure)).

Duty to the Public to Disclose Customer Data

A duty to protect public interests can override the common law duty of bank secrecy in limited circumstances, such as where there is a danger to the state or the public (Jubbal v. Royal Bank of Canada, [1987] B.C.J. No. 1715 (B.C.S.C.)). For example, courts have held that banks may disclose customer data under the public interest exception:

  • For the purposes of preventing fraud whether it constitutes fraud or deceit in law (Canadian Imperial Bank of Commerce v. Sayani (1993), 11 B.L.R. (2d) 28 (B.C.C.A.)).
  • For a liquidator of the Canadian Commercial Bank to disclose customer data under what is now known as the Winding-Up and Restructuring Act (see Canada Deposit Insurance Corp. v. Canadian Commercial Bank (1989), 71 C.B.R. 239 (Alta. Q.B.)).

Customer Express or Implied Consent

Banks may also disclose customer data with the consent of the customer. Courts have held that certain relationships may provide the bank with the customer's implied consent to disclose their data. For example, by giving a bank a security interest in property, courts have found that a customer consents to the bank disclosing that security interest to other interested parties (see, for example, Vincenzi, [1994] B.C.W.L.D. 1221).

However, banks should generally attempt to obtain express, written consent to disclose customer data rather than rely on implied consent for evidentiary purposes. Banks commonly obtain customer consent at the time the customer opens an account by requiring the customer to agree to the bank's standard terms and conditions and privacy policy. The standard terms and conditions and privacy policy should set out the bank's policies and practices concerning the collection, use, and disclosure of customer data under industry practice in Canada.
