Business Editorial Team

What Canadian Banks Are Required to Tell You — and What They Can Legally Keep Private

Banking privacy in Canada is not the blanket protection many customers assume it to be. There are clear legal boundaries around what a bank must disclose, to whom, and under what circumstances — and customers have more rights than most people realise.

What Banking Confidentiality Actually Means in Canada

Canadian banks have a duty of confidentiality toward their customers, established through common law and reinforced by the Personal Information Protection and Electronic Documents Act (PIPEDA) and, in provinces with substantially similar legislation, by provincial privacy laws. In practice, this means a bank cannot share your account details, transaction history, or financial behaviour with third parties without your consent — in ordinary circumstances.

The phrase "in ordinary circumstances" carries significant weight. There are several well-established situations in which that duty is overridden entirely, and most customers are never clearly informed about them when they open an account.

When a Bank Is Legally Required to Disclose Your Information

There are four main circumstances under which a Canadian bank will share customer data without seeking permission:

  1. CRA requests. The Canada Revenue Agency has broad legal powers to require financial institutions to provide account and transaction data as part of tax compliance and audit processes. Banks are legally obliged to comply and are generally not permitted to notify the customer that a request has been made.
  2. Court orders. A Canadian court can compel a bank to produce financial records in both civil and criminal proceedings, covering the account holder and in some cases connected third parties. Production orders under the Criminal Code are commonly used by law enforcement in financial crime investigations.
  3. Suspicion of financial crime. Under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, banks are required to submit Suspicious Transaction Reports (STRs) to FINTRAC when they suspect a customer of money laundering, fraud, or terrorist financing. Informing the customer that a report has been filed — known as "tipping off" — is a criminal offence under Canadian law.
  4. Regulatory oversight. OSFI (the Office of the Superintendent of Financial Institutions) and the Financial Consumer Agency of Canada (FCAC) both have powers to access bank records as part of their supervisory and consumer protection functions. The Bank of Canada may also access certain data in its role overseeing systemic financial stability.

Automatic International Sharing: The Common Reporting Standard

Canada participates in the Common Reporting Standard (CRS), a global tax transparency framework under which financial institutions automatically exchange account information with the tax authorities of over 100 participating countries each year. If you hold accounts in Canada and are a tax resident elsewhere — or vice versa — that information is shared automatically, without any individual request being required. Canada also participates in FATCA reporting obligations with the United States.

For anyone with international financial connections, the assumption that a Canadian bank account is a strictly private matter no longer holds in any practical sense.

What Your Bank Must Tell You Directly

Separate from what banks share with authorities, Canadian customers have the right to request specific information directly:

  • Transaction history — banks must provide records going back at least seven years on request, in accordance with the Bank Act.
  • Fee explanations — if charges have been applied to your account, you are entitled to a clear explanation of what they relate to under FCAC disclosure requirements.
  • Credit decision reasoning — if you are declined for a loan or credit product, the bank must inform you in general terms why, and must advise you of the credit bureau used.
  • All personal information held about you — under PIPEDA, you can submit an access request to your bank at no charge. The bank must respond within 30 days with all personal information it holds, including internal notes, risk assessments, and correspondence records.

What Banks Are Not Required to Reveal

Certain categories of information remain legitimately protected. Internal fraud investigation processes, the specific algorithms used in automated credit scoring decisions, and the details of any Suspicious Transaction Report filed with FINTRAC about you are all shielded from disclosure. Banks are legally prohibited from notifying customers that an STR has been lodged — doing so constitutes a criminal offence under the Proceeds of Crime Act.

Banks will also not share information about other customers, even where those customers appear in transactions within your own account history. Internal risk classifications and watchlist designations are similarly protected from customer access requests.

How to Request Your Data: A Practical Note

Any Canadian bank customer can submit a personal information access request in writing — by email or mail — addressed to the bank's Chief Privacy Officer. There is no fee for a standard PIPEDA access request. The bank has 30 days to respond with a full account of the personal information it holds, including transaction records, internal notes, credit assessments, and correspondence logs. This is a right that most customers are unaware of and that banks rarely advertise proactively, but it is one of the most useful tools available for anyone who wants to understand exactly what their financial institution knows about them. Complaints about access refusals can be directed to the Office of the Privacy Commissioner of Canada.
