Digital Identity Verification Best Practices for Canadian Financial Services

April 30, 2025

Many financial services businesses are subject to legal or regulatory obligations that require them to verify the identity of their customers. Although innovative technological tools, including those using artificial intelligence and biometrics, are simplifying the identity verification process, these tools must be used in a way that complies with privacy and financial sector laws.

In this bulletin, we summarize five best practices for ensuring regulatory compliance when engaging in a new digital identification or verification project.

1. Know Your Regulations

Most financial services businesses operating in Canada, including banks, savings and credit unions, insurers, trust companies, loan companies and securities dealers (financial entities, or FEs), are required to verify the identity of an individual or an entity under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act in connection with certain transactions.

As verifying an individual’s identity requires handling that individual’s personal information, multiple Canadian privacy laws could apply to the process, depending on where the FE conducts its activities. For instance, the federal Personal Information Protection and Electronic Documents Act and provincial laws like Quebec’s Act respecting the protection of personal information in the private sector could both apply to the verification activity in question.

2. Consider Quebec’s Biometric Rules

Biometric data is considered sensitive personal information and must be handled in compliance with applicable privacy laws. Quebec’s Act to establish a legal framework for information technology (Quebec IT Act) sets out additional requirements when biometric characteristics or measurements are collected and used to verify or authenticate identity. Organizations planning to use a biometric system for identification purposes must declare it to the Commission d’accès à l’information (CAI) before its use and must declare the creation of a biometric database to the CAI at least 60 days before deployment.

The Quebec IT Act also requires that the organization obtain the individual’s express consent for any use of biometrics to verify or confirm identity (which is consistent with the requirement under all Canadian privacy laws to obtain express consent for the processing of sensitive information). The CAI also takes the position that organizations must provide a non-biometric alternative to verify identity.

3. Carefully Manage Vendors

FEs deploying digital identity verification tools often rely on service providers. FEs operating in Canada will be expected to have robust vendor management programs in place as part of their privacy practices and execute data protection agreements that provide for appropriate physical, organizational and administrative safeguards. They must also ensure that all personal information is only used for appropriate and lawful purposes.

FEs should ensure that these agreements directly address Canadian obligations and do not solely rely on international privacy law frameworks, which may not be sufficient to comply with Canadian law.

4. Limit Collection and Retention

Canadian privacy laws require that organizations limit the personal information they collect to only what is necessary for the identified purposes. These laws also require organizations to securely erase or destroy personal information once the purposes for which it was collected have been met.

However, FEs may also have record-keeping obligations that require them to collect or keep certain information about the individual’s identity. FEs should carefully assess their record-keeping obligations and collect only the information that they actually need, and only for as long as they need it. For instance, if an FE is required to review a government identification document like a driver’s license, it should consider whether it can collect and retain only the identification number, or even simply a data point confirming that the document was reviewed, rather than an image of the document.

5. Ensure Consent Is Meaningful

The type of personal information typically collected for identity verification, such as government-issued identifiers, biometric data and date of birth, is likely to be considered sensitive personal information. Canadian privacy laws require express consent for any collection, use or disclosure of sensitive personal information, with limited exceptions.

To ensure valid express consent for identity verification is obtained, FEs should provide clear and detailed information to individuals before consent is sought. Burying this information in a privacy policy will not be considered sufficient to inform a request for express consent. Using tools like information boxes or cascading menus can help ensure that meaningful consent is obtained while also satisfying requirements under other applicable regulatory regimes.

For more information, please contact the authors or any member of our Privacy & Data Protection or Financial Services groups.