XMC is committed to fairly and lawfully collecting and maintaining accurate personal information and to protecting the confidentiality of all personal information that we collect, retain, use or disclose to others in the course of our business activities.
Protecting client privacy and the confidentiality of personal information has always been fundamental to the way we do business at XMC. We collect, use, and disclose personal information only in compliance with applicable privacy legislation, and strive to exceed all the privacy standards established by the federal, provincial, and industry authorities in all our dealings with past, current, and prospective clients.
Personal Information means information about an identifiable individual. It includes an individual’s name, residential address and telephone number, e-mail address, age and gender, personal financial records, identification numbers including their social insurance number, personal health information, and personal references.
Publicly available information, such as business contact information or a public directory listing of individuals’ names, addresses, and telephone numbers, or information that is aggregated and not associated with a specific individual, including demographic information and statistics, is not considered to be personal information.
The Personal Information Protection and Electronic Documents Act (PIPEDA), and similar provincial legislation (currently in British Columbia, Alberta and Quebec) is based on the 10 principles of PIPEDA, to which XMC must adhere to. These practices will provide the necessary assurances that personal information obtained and utilized by XMC will be accurate, held in confidence and be retained in a secure environment.
The main compliance obligations under PIPEDA include the following privacy principles:
- Identifying purposes
- Limiting Collection
- Limiting use, disclosure and retention
- Individual access
- Challenging compliance
A Privacy Officer has been designated by XMC to be responsible for compliance with PIPEDA and provincial privacy legislation. Accountability for the organization’s compliance with the principles rests with the designated Privacy Officer, even though other individuals within the organization may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the organization may be delegated to act on behalf of the Privacy Officer.
We will obtain consent to collect, use or disclose personal information unless we are permitted or required by law to collect, use or disclose personal information without consent. Consent may be given orally, in writing, or electronically, and may be express or implied. We will ensure that the form of consent that we use is appropriate in the circumstances, and will take into account, how sensitive the personal information is, the circumstances in which the information is being collected, and the reasonable expectations of the person from whom is being collected in determining which form of consent to use. We will always obtain express consent when we are collecting, using, or disclosing sensitive personal information.
We collect, use and disclose different types of personal information in respect of our clients. We only collect, use, and disclose personal information in accordance with applicable privacy legislation.
Opt Out Policy
A client may choose not to provide us with some or all of their personal information. This may, however, severely restrict the products that XMC can then provide. The client may also withdraw their consent to our use of their personal information at any time upon providing reasonable notice, as long as all of the following conditions are met:
- the client provides XMC notice in writing by either of the following methods:
XMC Mortgage Corporation
200 King Street West, Suite 600
Toronto, ON M5H 3T4
- withdrawing consent does not result in our or the client’s ability to fulfill the financial contract already in place with us; or ii) the client’s consent does not relate to a credit product we have granted to the client, where we are required pursuant to a legal obligation to collect and exchange some or all personal information on an ongoing basis, with credit insurers, other investors/lenders, or a credit bureau, or to maintain the integrity of the credit- granting system and the completeness of information held by credit bureau.
When a client indicates that they wish to withdraw their consent to our use of their personal information, we will explain the implications of this withdrawal to them.
Collection and use
We may collect personal information for the following purposes:
- to verify the identity of a client, and to protect the client and XMC from error, fraud or other misrepresentations;
- to support and maintain the accuracy and integrity of the credit reporting system, which includes clients’ past credit and repayment history as well as other financial transactions;
- with respect to SINs, when required under the Income Tax Act for a client’s income tax reporting, or to verify credit bureau information against one or more XMC products owned by the same individual;
- to comply with a variety of legal requirements, such as provincial and federal tax reporting, anti-money laundering and unclaimed property obligations;
- to determine clients’ initial and ongoing eligibility for financial products;
- to allow account administration by the Independent Mortgage Brokers;
- to investigate specific transactions or patterns of transactions for the purpose of detecting unauthorized or illegal activities;
- to ensure that a client’s instructions can be properly verified;
- to investigate client complaints;
- to implement risk management programs;
- to provide specific services associated with an account; and
- to understand the current and future needs of our clients, for example, to conduct client surveys and other forms of market research and analysis.
We will only collect, use, and disclose as much personal information as we require to fulfill the purposes for which the personal information is being collected, unless we are required or permitted by law to collect additional information.
In circumstances where XMC is required by law to collect SINs, for example in respect of term deposit accounts, we will require clients to provide their SINs. In all other circumstances, for example to assist us to verify clients’ credit related information, provision of SINs is optional, though in some circumstances alternative information may be required to verify identity or may otherwise be required in order to provide a particular product or service.
In addition, we may collect personal information in connection with our mortgage financing or other financial services through the use of a mortgage commitment letter or a credit application during the credit application and review process.
We will notify the individual from whom we are collecting information of the purpose or purposes for which we are collecting the information at or before the time that we collect the personal information so that they may choose whether to provide us with their personal information for those purposes. We may provide this notice either orally or in writing.
If a client refuses to provide us with certain personal information, we will not refuse to provide them with a product or service unless we are unable to provide it without this information.
If we intend to use the personal information that we have collected for a new purpose that we have not previously disclosed, we will communicate the new purpose prior to using the information for the new purpose, unless we are required or permitted by law to use the information for this new purpose without consent.
Other than as required or permitted by law, clients’ personal information will not be used for any other purpose without consent.
We collect personal information when it is provided to us. XMC may collect personal information directly from the person to whom the personal information relates. XMC also collects personal information from third parties, such as brokers, or individuals that are opening an account to be operated on behalf of a third party, in accordance with anti-money laundering legislation, and provided that such third parties have obtained consent from the individual to whom the information relates to provide this personal information to us. In most circumstances where the personal information that we collect is collected from a third party, we will obtain client permission before we seek out this information unless we are authorized by law to collect this information without a client’s consent. If we do not obtain client permission, we take reasonable steps to ensure that such third parties have the right to share such personal information with us.
From time to time, we may utilize the services of third parties in our business. For example, we may use third party suppliers to print statements, conduct telemarketing, collect accounts, or process transactions on our behalf. We select third party suppliers carefully and ensure through contractual means that they have privacy and security standards that meet XMC’s requirements, and comply with applicable privacy laws. Similarly, payment transactions may be processed through payment systems operated by others and we may share personal information with these operators on a confidential basis to process transactions, provide client service, and for other reasonable purposes. These third parties will only be provided with as much personal information as they need to provide services to us. In some cases, these third parties may be located outside of Canada, and therefore personal information that has been collected by us may be processed and stored outside of Canada. Under the laws of foreign jurisdictions, in certain circumstances foreign courts, government authorities, regulators, or law enforcement agencies may be entitled to access this personal information without notice. Clients will always be notified of this fact, and will be made aware that by submitting their personal information to us, they agree to this transfer, storing, or processing.
Disclosure of Personal Information Outside of XMC
XMC has a strict policy of not disclosing personal information about our clients, subject to the important exceptions discussed below, and in the section “Sharing Personal Information”.
The most common reason for release of a client’s personal information is that the client has given consent. We will not release a client’s personal information without consent unless we are permitted or required to do so pursuant to applicable laws.
We also may be authorized or required by law to release personal information, such as pursuant to a court order, or we may need to protect our assets, or the public’s interest. For example, we may release personal information about a client to legal authorities in cases of criminal activity, or for the detection and prevention of fraud. If we release information for any of the reasons described in this paragraph, we shall keep a record of what, when, why, and to whom such information was released.
We do not keep a record of why a client’s personal information is disclosed to third parties for routine purposes, such as reporting to Canada Customs and Revenue Agency (T5 and other reports) and reporting to third parties when cheques are returned NSF for insufficient funds.
XMC does not sell or rent lists of our clients or any other personal information to others for their use.
If we wish to disclose a client’s personal information for a purpose that has not previously been consented to, we will ask for the client’s consent before disclosing their personal information for that purpose, unless we are permitted or required by law to disclose this information without consent.
Sharing Personal Information
We may also share our clients’ personal information with certain of our business partners who provide us with products and services in the course of our business with the client.
Personal information is only shared with business partners to the extent permitted by law, and to the extent necessary to provide the client with the best service pertaining to account due diligence and general account administration. We only share as much personal information with our business partners as they require to fulfill the purposes for which the personal information is being shared. In some cases, these business partners may be located outside of Canada, and therefore personal information that has been collected by us may be transferred outside of Canada. Under the laws of foreign jurisdictions, in certain circumstances foreign courts, government authorities, regulators, or law enforcement agencies may be entitled to access this personal information without notice.
We require our business partners to protect the personal information that we share with them in a manner that is consistent with this Policy, and any other XMC policy and/or procedure that relates to the collection, use, and disclosure of personal information that is in effect from time to time.
We will not collect, use or disclose personal information without consent unless we are authorized or permitted by law to do so. The limited exceptions to the requirement to obtain consent for the collection, use, or disclosures of personal information are set out in applicable privacy legislation.
Keeping Personal Information Accurate
We are committed to maintaining the accuracy of our clients’ personal information for as long as it is being used for the purposes set out in this Policy and we will take reasonable steps to ensure that your personal information is accurate. A client can play an active role in keeping us up-to- date, and we will ask clients to update us if any of their personal information changes. Prompt notification by the client of any changes, for example, to the client’s address or telephone number, will help us provide the client with the best possible service. We will update clients’ personal information only if it is necessary for us to do so to fulfill the purposes for which the information was collected.
Clients are always free, upon review of their personal information, to request amendments be made under the terms set out in this Policy. If the request is reasonable, we will make the amendment as soon as we reasonably can, and will notify any third party to which we have disclosed this information of the amendment.
If we do not agree to make the amendments that a client requests, we will notify the client of this in writing, and will keep a record of the requested amendments. The client may challenge our decision. We will make a record of this challenge, which will be kept on file.
Safeguarding of Personal Information
We use appropriate safeguards to secure and protect personal information that is in our custody and/or control. We use physical, technical, and procedural safeguards that are appropriate to the sensitivity of the personal information in question. We ensure that we have comprehensive security controls and other safeguards to protect against unauthorized use, alteration, duplication, destruction, disclosure, loss or theft of, or unauthorized access to clients’ personal information.
XMC may use other companies to provide services to our clients on our behalf, such as the printing of correspondence, storage of information files in a secured environment, or to conduct client satisfaction surveys. In such cases, we have contracts in place, holding these companies to the same high standards of confidentiality by which we are governed and requiring that any information provided by us must be kept strictly confidential and used only for the purposes of the contract.
XMC ensures the physical, organizational and electronic security of a client’s personal information through the use of secure locks on filing cabinets and doors, and restricted access to our information processing and storage areas. XMC limits access to relevant information to authorized employees and business partners only, and through the use of pass keys and computer passwords and, where necessary, the encryption of electronically transmitted information.
XMC has procedures in place when destroying, deleting, or disposing of personal information when it is no longer required for the purposes as set out in this Policy, or by law, to ensure that personal information is securely disposed of and to prevent unauthorized access to such personal information.
Retention of Personal Information
XMC only keeps a client’s personal information for as long as it is needed to meet the purposes for which it was collected, unless we are required pursuant to applicable laws to retain this information for a different period of time. The length of time we retain personal information is affected by: (1) the type of product the client has from us, and (2) any legal requirements we may have to meet such as regulatory file retention periods or for being able to respond to any concerns the client may have even if the client is no longer a client of ours. Personal information that has been used to make a decision that directly affects an individual shall be kept for at least one year after it has been used.
Individuals will have access, as permitted by law, to their personal information that is in our custody or control, and information provided will be clear and in a format that is easy to understand. Individuals will also be able to request that corrections and/or updates be made to their personal information.
XMC ensures that individuals have reasonable means of accessing their personal information. XMC does so by:
- providing guidance to individuals regarding requests for access to personal information;
- obtaining sufficient information to identify the individual;
- responding to requests within 30 days after receipt of the request;
- extending, where required, the normal 30-day response time limit for a maximum of 30 additional days:
- if responding to the request within the original 30 days would unreasonably interfere with activities of the XMC;
- if additional time is necessary to undertake consultations; and
- if additional time is necessary to convert personal information to an alternate format;
- in the event XMC extends the normal 30-day response time, notifying the individual making the request within 30 days of receiving the request as well as the individual’s right to complain to the Privacy Commissioner of Canada;
- giving access at minimal or no cost to the individual;
- notifying the individual of the approximate costs before processing the request, notifying the individual of the fact that the full amount of these costs must be paid before access will be granted, and confirming that the individual still wants to proceed with the request;
- giving individuals access to their personal information, as well as information regarding the ways in which their personal information has been used, and the identity of the persons to whom it has been disclosed; and
- informing the individual in writing when refusing to give access to all or part of a record containing an individual’s personal information, setting out the reasons and any recourse available.
Review and Amendments
We will only collect, use, or disclose personal information in the ways in which we have disclosed in this Policy. Therefore, changes to our policies and personal information handling practices of XMC will result in amendments to this document from time to time.
Roles and Responsibilities
Any XMC employee, who believes personal information is not being handled in accordance with this Policy, should immediately advise their Department Manager and the Privacy Officer.
Any Department Manager required to resolve privacy issues (as per the second step in our privacy question and complaint handling process) shall maintain appropriate records of any issue brought forward, and the steps taken in their resolution, and shall report them to the Privacy Officer.
Questions or Concerns
XMC is accountable for all personal information that is in our custody or control, and we have designated a Privacy Officer that is ultimately responsible for the handling of this information, and for ensuring that we are complying with this Policy. The contact information for the Privacy Officer is set out below.
If a client has privacy questions, concerns or complaints, we want them to be answered satisfactorily or resolved as quickly as possible and ask that the client follow, in order, the following two steps.
First: The client should direct his or her complaints and/or questions in writing to XMC’s Privacy Officer.
XMC Mortgage Corporation
200 King Street West, Suite 600
Toronto, ON M5H 3T4
Second: The client may also call our Customer Service Centre and speak to a representative. If the Customer Service Representative is unable to resolve the matter to their satisfaction, the client should advise them that they wish the matter to be reviewed by the department manager who will contact them to resolve the issue. You can reach XMC Customer Service by calling:
Telephone (toll free): 1-855-213-6226
If, upon completion of a review by XMC’s Privacy Officer, the client’s concerns are not resolved to his/her satisfaction, those concerns may be reviewed by the Privacy Commissioner of Canada, or one of the provincial Privacy Commissioners, if applicable. The client may contact the Privacy Commissioner of Canada by either of the following methods:
Office of the Privacy Commissioner of Canada
30 Victoria Street
Telephone (toll free): 1-800-282-1376
We will also notify the client that they may also contact the Commissioner at any time during the resolution process.
Cookies and Other Technologies
A Cookie is a small text file that is placed on the browser or device you are using. Cookies allow us to tailor the Site to better match your interests and preferences. With most Internet browsers, you can erase Cookies from your computer hard drive, block the creation of Cookies, or receive a warning before a Cookie is stored, although doing so may affect your use of the Site and your ability to access certain features of the Site.
Our Site may use Web beacon, gif, or other technologies. When you access certain of our web pages, a non-identifiable notice of that visit is generated. These technologies usually work in conjunction with Cookies. If you don’t want your Cookie information to be associated with your visits to these pages, you can set your browser to turn off Cookies. If you turn off Cookies, Web beacon and other technologies will still detect visits to these pages, but the notices they generate cannot be associated with other non-identifiable Cookie information and are disregarded.
We may use third-party advertising companies to serve ads when you visit our web site. These companies may use non-personally identifiable information about your visits to this and other web sites to provide advertisements about good and services of interest to you on this or other websites. You can learn more about targeted advertising, its benefits and how you can opt out of targeted advertising through the Digital Advertising Alliance of Canada’s websiteat http://youradchoices.ca/choices/.
The website allows you to:
- Find out which companies have currently enabled customized ads for your browser.
- View a list of all companies and learn more about their advertising and privacy practices.
- Opt out of online interest-based advertising by any of the participating companies listed on the tool.
We collect certain non-personal information which is recorded by the standard operation of our internet servers on an anonymous basis, such as your IP address, the operating system you are using, the sections of the Site you visit, and the Site pages read and images viewed. This non-identifiable information is used on an aggregate basis and in a non-personally identifiable form, including: (i) for Site and system administration purposes, (ii) to improve the Site, (iii) to conduct internal reviews of the number of visitors to the Site (iv) to help us better understand visitors’ use of our Site; (v) to respond to specific requests from our visitors; and (vi) to protect the security or integrity of our Site when necessary. We do not use your IP address to identify you.
Security and Fraud Education
Security can be defined as freedom from, or resilience against, potential harm from external forces. Understanding some key threats and the simple precautions you can take can help protect you from being a victim of crimes such as identity theft and fraud.
What is identity theft?
Identity theft is a criminal act in which an imposter obtains key pieces of someone else’s personally identifiable information to impersonate the victim and commit a crime. Among other things, identity thieves may use the stolen information to gain access to your financial accounts and computer files; make purchases; apply for mortgages, personal loans and credit cards; obtain passports; and hide their criminal activities.
Identity thieves are generally looking for the following information:
- Social Insurance Numbers, driver’s license numbers, passport numbers
- Bank account numbers
- Usernames, passwords and PINs for online services
- Credit card information (numbers, expiry dates, CVV codes)
Identity theft: Preventative Tips
- Never share your passwords, PINs or verification questions with anyone
- Beware of mail, phone and internet promotions or fraudulent websites that ask for personal information
- Don’t send financial or other confidential information via email
- Don’t reply to any e-mail or pop-up message that requests you update or provide personal information
- Don’t open attachments unless you are sure it is from a valid and reputable source
- Equip your computer with a firewall which helps prevent outsiders from accessing the data on your computer, and ensure virus protection software is up to date
- If you are providing sensitive or financial information online, limit business with financial institutions and online merchants that you know and trust – and be sure the site is secure. Look for a URL that begins with https:// and shows a padlock
- Request a copy of your credit report from a national credit bureau each year and ensure information is correct
- Shred/destroy sensitive information before throwing it out
- Review financial statements regularly and report any discrepancies
What is mortgage fraud?
Mortgage fraud is a criminal act that occurs when there is a deliberate misrepresentation of information to obtain mortgage financing that would not have been granted if the truth had been known. This can include:
- Misstating occupation, inflating income or the length of employment.
- Misstating type of employment (e.g. salaried/full time employee instead of contract, part time, hourly or commission-based employee, or are self-employed)
- Misrepresenting the amount and/or source of down payment.
- Purchasing a rental property and misrepresenting it as owner-occupied.
- Not disclosing existing mortgage and/or debt obligations.
- Misrepresenting property details or omitting information to inflate the property value.
- Adding co-borrowers who will not be residing in the home and do not intend to take responsibility for the mortgage.
- A con artist who convinces someone with good credit to act as a “straw buyer”. A straw buyer is someone who agrees to put his or her name on a mortgage application on behalf of another person. In return for their participation, straw buyers may be offered cash or promised high returns when the property is sold. Often, straw buyers are deceived into believing they will not be responsible for the mortgage payments.
Mortgage Fraud: Preventative tips
To protect yourself and your family from becoming victims of, or accomplices to mortgage fraud, be an informed consumer. This means:
- Never deliberately misrepresent information when applying for a mortgage.
- Use licensed or accredited mortgage and real estate professionals.
- Never accept money, guarantee a loan or add your name to a mortgage unless you fully intend to purchase the property, otherwise you could be held responsible for the debt.
- Never sign legal documents without thoroughly understanding them, and get independent legal advice from your own lawyer.
- Never sign any documents that are blank or contain blank fields.
- Obtain the sales history of any property you are thinking about buying, and consider having it inspected and appraised.
- Make sure any deposit for an offer to purchase is payable to and held “in trust” by the realty company or lawyer.
- Be wary of anyone who approaches you with an offer to make “easy money” in real estate.
Reporting Identity Theft and Fraud
If you suspect that you or know that you are a victim of identity theft or mortgage fraud, you should contact The Canadian Anti-Fraud Centre Toll-free line: 1-888-495-8501
Collection and Use of Personal Information
While using our website and services, we may ask you to provide certain personally identifiable information that can be used to contact or identify you, such as your email address. We may use your personal information to contact you with email, marketing or promotional materials or other content relevant to your use of this site and our services. You may opt out of any or all of these communications at any time via a link provided in any email we send you.