Privacy Law for Mortgage Brokers in Canada
By Yong Du
PIPEDA and provincial PIPA obligations for Canadian mortgage brokers — what borrower data you collect, breach reporting requirements, FINTRAC obligations, and compliance requirements under Alberta and BC regulation.
What makes mortgage brokers distinct
Mortgage applications require the deepest personal financial disclosure of almost any consumer transaction. A borrower must provide their SIN, employment history, income verification, bank statements, credit report, and government-issued identification before receiving approval. This data concentration makes mortgage broker files among the highest-risk for identity theft and financial fraud of any SMB sector.
Which laws apply
| Jurisdiction | Applies when | Regulator |
|---|---|---|
| PIPEDA | The broker handles personal information in commercial activity; or borrowers are in provinces without substantially similar legislation | OPC — priv.gc.ca |
| Alberta PIPA | Borrowers or employees are Alberta residents | OIPC Alberta — oipc.ab.ca / breachnotice@oipc.ab.ca |
| BC PIPA | Borrowers or employees are BC residents | OIPC BC — oipc.bc.ca |
Provincial regulatory overlay: In Alberta, mortgage brokers are licensed and regulated by RECA (Real Estate Council of Alberta). In BC, mortgage brokers are regulated by BCFSA under the Mortgage Brokers Act. Both regulators have record-keeping requirements that run alongside PIPEDA. A privacy breach may also trigger reporting obligations to RECA or BCFSA — contact your regulator for guidance on what professional disclosure is required.
What personal information mortgage brokers hold
Borrower application files: Full legal name, date of birth, SIN, current and previous addresses, employment history, employer name and contact, income verification (T4s, NOAs, pay stubs), bank statements (multiple months), credit report and score, existing debt obligations.
Identity verification (FINTRAC): Government-issued photo ID (driver's licence, passport), date of birth, address — retained for 5 years under FINTRAC regulations.
Property information: Property address, purchase price, appraised value, property type and description.
Lender submissions: The above information is typically transmitted to one or more lenders during the application process — each transmission is a disclosure of personal information that must be covered in your privacy policy and borrower consent.
Employee information: SINs, banking details, T4s, licensing records, employment records.
Common breach scenarios
Phishing and BEC: Mortgage brokers are targets for business email compromise because transaction emails contain banking details for down payments and closing fund transfers. An attacker who compromises a broker's email account can intercept or redirect those instructions. See Phishing and Business Email Compromise.
Ransomware: Mortgage application files containing SINs, financial records, and identity documents are high-value ransomware targets. Every borrower file in the affected system is a potential affected individual. See Ransomware Attack: What Canadian SMEs Must Do.
Cloud origination platform breach: If a mortgage origination or CRM platform is breached, borrower data held there is your accountability. See Vendor or Third-Party Breach.
Improper disposal: Application files, credit reports, and ID copies in recycling or not securely destroyed when files close. See Physical Records Breach.
RROSH in a mortgage broker breach
Mortgage application files contain SINs, financial records, government-issued ID, and banking details — all of the highest-sensitivity categories under PIPEDA. RROSH (a real risk of significant harm, the threshold that triggers breach reporting and notification under PIPEDA and the provincial PIPAs) is present in virtually every mortgage broker breach involving borrower application files. The relevant question is usually which specific files were affected and how many borrowers must be notified.
Identity document exposure: If government-issued ID (passport, driver's licence) was in the breached files, advise affected borrowers to contact the issuing authority (Passport Canada, provincial motor vehicle registry) and to monitor their credit reports and existing accounts for signs of identity fraud.
Core compliance obligations
Privacy officer: Designate a named individual responsible for PIPEDA compliance. Their contact must appear in your privacy policy.
Privacy policy: Describe what borrower information you collect, why, how it is shared with lenders and other parties in the transaction, how it is protected, and how borrowers can access their information or make a complaint.
Consent at application: Borrowers must consent to the collection and use of their personal information before you collect it. Your application forms must include or reference your privacy disclosure and consent language that covers: what you collect, why, which lenders and third parties you may share it with, and the borrower's right to withdraw consent.
Retention: FINTRAC requires identity verification records to be retained for 5 years. Mortgage files generally should be retained for the applicable limitation period plus a buffer. After the retention period, files must be securely destroyed. See Personal Information Retention and Destruction.
Lender and platform vendor contracts: Every lender you submit applications to and every platform that processes borrower data must have written privacy and security obligations. The lender receiving the application is an accountable organization for the data it receives — but your disclosure to them must be authorized by borrower consent.
Safeguards: Encrypted transmission of application files to lenders, encrypted storage of borrower files, MFA on origination platforms, access limited to the broker handling the file, and secure destruction of paper applications and ID copies when the file closes.
Borrower notification specifics: When notifying affected borrowers of a breach, identify specifically what was involved (SIN, credit report, bank statements, ID). Advise them to place a fraud alert with Equifax (1-800-465-7166) and TransUnion Canada (1-877-525-3823), contact their financial institutions, and report to the Canadian Anti-Fraud Centre (1-888-495-8501) if they experience identity fraud.
Experienced a breach? ClearBreach walks mortgage brokers through their RROSH assessment across PIPEDA, Alberta PIPA, and BC PIPA and generates regulator reports and borrower notification letters in under 15 minutes.
Related guides
- PIPEDA Breach Reporting Requirements
- Alberta PIPA Breach Notification
- BC PIPA Breach Reporting
- Phishing and Business Email Compromise
- Vendor or Third-Party Breach: What Canadian Organizations Must Do
- How to Write a Privacy Policy for a Canadian Business
This guide covers PIPEDA, Alberta PIPA, and BC PIPA obligations for mortgage brokers. RECA and BCFSA regulatory obligations and FINTRAC anti-money-laundering obligations are separate and not fully covered here. Quebec's Law 25 is not covered here.
Frequently asked questions
Does PIPEDA apply to mortgage brokers?
Yes. Mortgage brokers collect and process personal information in the course of commercial activity. PIPEDA applies. Alberta PIPA applies for Alberta-resident borrowers, and BC PIPA applies for BC-resident borrowers. Mortgage brokers are also subject to provincial regulatory requirements under RECA (Alberta) and BCFSA (BC), which have their own record-keeping obligations that run alongside PIPEDA.
A borrower's application file was breached — what are my obligations?
You must conduct a RROSH assessment immediately. A mortgage application file typically contains: SIN, employment information, income verification, employer name, T4s, bank statements, credit report, government-issued ID, and property details. This is one of the highest-risk data combinations for identity theft. RROSH is almost certainly present. You must notify the OPC, any applicable provincial regulator, and the affected borrower directly.
We use a cloud-based mortgage origination platform — who is responsible if it is breached?
You are. Under PIPEDA Principle 1, your accountability for borrower personal information does not transfer when you transmit it to a third-party platform for processing. If the platform is breached and borrower data is affected, your notification obligations apply regardless of whether the platform operator also notifies. Your contract with the platform must include privacy and security obligations and a requirement to notify you promptly if a breach occurs.
Do FINTRAC obligations affect our privacy compliance?
Yes, indirectly. FINTRAC requires mortgage brokers to verify client identity and retain those records for 5 years. The identity verification records — government-issued photo ID, name, address, date of birth — are personal information subject to PIPEDA in addition to FINTRAC requirements. A breach of FINTRAC records triggers both PIPEDA and potentially FINTRAC reporting obligations. FINTRAC obligations are separate from PIPEDA and must be addressed with FINTRAC guidance.
This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.