
PIPEDA Report of Findings #2015-006: Financial institution takes strong remedial measures after insufficient safeguards and unnecessary storage leaves sensitive data vulnerable to breach
An individual complained that an investment brokerage collected more personal information than necessary to open a self-directed investment account. The brokerage stated the information was required to comply with regulatory obligations, including "Know Your Client" rules from the Investment Industry Regulatory Organization of Canada (IIROC) and anti-money laundering (AML) requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), as well as provincial securities legislation. The OPC found that the requested information, including net worth, marital status, and spouse's occupation, was necessary for these regulatory purposes.
- Whether the brokerage collected more personal information than necessary for opening a self-directed investment account.
- Whether the collection of information was a condition of service contrary to PIPEDA.
- Whether the brokerage's collection purposes met regulatory requirements.
- The applicability of "Know Your Client" and AML rules to self-directed accounts.
Complaint not well-founded.
The OPC determined that the requested information was necessary for the brokerage to comply with legitimate regulatory and legislative obligations, including "Know Your Client" and anti-money laundering requirements, and thus was not more information than necessary.
AI-generated summary for reference only. Always verify against the official decision.
- s. 5(3) PIPEDA
- Principle 4.2 PIPEDA
- Principle 4.3.3 PIPEDA
- Principle 4.4 PIPEDA
This summary is informational only and not legal advice.

