In a newly released audit report, privacy commissioner Jennifer Stoddart says the Financial Transactions and Reports Analysis Centre has made limited progress in addressing the problem since she flagged it four years ago.
The centre, known as FinTRAC, zeros in on cash linked to money laundering, terrorism and other crimes by sifting through data from police, intelligence officers, banks, insurance companies, securities dealers, money service businesses, real estate brokers, casinos and others.
Institutions must report large cash transactions or electronic fund transfers of $10,000 or more, as well as any transactions where there are reasonable grounds to suspect money laundering or terrorist financing.
Stoddart found in 2009 that although reports about allegedly dubious transactions were reviewed and prioritized, they were not assessed for reasonable suspicion of illicit money movement.
The privacy commissioner said Thursday she is disappointed in the latest results.
FinTRAC spokesman Darren Gibb said the agency is acting on Stoddart's findings and he stressed that any sensitive information the organization has collected is not being misused.
"I don't want to minimize concerns that she's raised, because we're moving to address those concerns," he said. "But Canadians need to be reassured that the information they provide us will be protected, and that is our No. 1 priority."
As of March 2012, FinTRAC's databases held approximately 165 million reports containing personal information related to transactions such as house down payments, car purchases and wire transfers sent by parents to children studying abroad, the audit says.
Stoddart uncovered a number of reports that did not meet the $10,000 reporting threshold, along with examples that didn't clearly spell out reasonable grounds for suspicion.
In one case, a financial institution filed a report when a storekeeper deposited $570 in $100, $50, $20 and $5 bills, but it did not indicate why the transaction was considered suspicious.
"Given the examples we found, I have serious concerns about the extent to which FinTRAC's information holdings are populated with personal information that should never have even been submitted," Stoddart said in a news release.
The audit report found the anti-money laundering agency had made some advances on privacy issues, including improved security awareness initiatives. But it found unsatisfactory progress on other fronts.
Among other things, Stoddart recommends the agency analyze and assess incoming reports and identify and toss out information it should not have received.
The agency accepted all recommendations and provided responses as to how it intends to address them, Stoddart acknowledged in the release.
"FinTRAC has proposed some measures to address the deficiencies we identified," she said. "However, there is more work to do. It still needs effective screening processes to ensure it no longer receives and retains sensitive personal information that it doesn't need."
Stoddart says she plans to follow up with the agency in two years to gauge progress.