Every regulation. Every requirement. Mapped to exactly how we solve it. Full transparency, zero ambiguity.
13 regulatory requirements. 13 concrete implementations.
Mortgage brokers must verify client identity using a recognized method before completing transactions.
Client scans their government-issued photo ID and takes a live selfie. Biometric facial matching confirms they are who they claim to be. Processed through an ISO 27001 certified verification provider with iBeta Level 1 biometric testing.
Identity verification records must be kept for at least 5 years from the date of the last business transaction with that client.
Verification records (status, date, method) are stored in our Canadian database. We retain for a minimum of 7 years, satisfying both FINTRAC (5-year minimum) and BCFSA (7-year minimum per MB 12-001) requirements.
All records must be retrievable and producible within 30 days of a FINTRAC compliance request.
All records are queryable in real time through the broker dashboard. Complete session history with PDF generation on demand. No manual retrieval needed.
Biometric data must be permanently destroyed once no longer required for the stated purpose. Storage beyond verification is a liability.
Process-and-purge. Complai does not store ID images, selfies, or biometric templates in our database. Verification images are processed by our ISO 27001 certified verification provider and deleted from their servers via API immediately after we receive the verification result. Between the moment of verification and our deletion call, images exist on the provider's encrypted servers only. After deletion, they are permanently removed.
Biometric data is classified as sensitive personal information. Express, informed consent is required before any collection.
Client sees a clear privacy notice explaining exactly what will happen before clicking "Start Verification." No data is collected until the client takes explicit action. The notice explains process-and-purge in plain language.
The BC Mortgage Services Act (expected to take full effect in 2026) is anticipated to include record-keeping location requirements for BC mortgage brokers. PIPEDA holds the originating organization fully liable for cross-border breaches.
All client data is stored in AWS ca-central-1 (Montreal, Canada). All stored client data resides in Canada. During the verification process, ID images are transmitted to the verification provider's encrypted servers for real-time processing and are deleted after verification completes.
Security safeguards must protect personal information against loss, theft, unauthorized access, disclosure, copying, use, or modification.
At rest: AES-256 encryption (AWS managed keys). In transit: TLS 1.2+ on every connection between client, server, database, and verification provider. No exceptions.
Each broker's client data must be segregated. One broker must never access another broker's client information.
Every client session is linked to a specific broker via a foreign key. Row Level Security (RLS) is enabled on all database tables. The broker dashboard only displays sessions belonging to the authenticated broker. Cross-broker access is prevented at the database level through Row Level Security policies enforced on every query.
Identity verification must include screening against known sanctions lists and politically exposed persons (PEP) databases.
AML screening runs automatically as part of every identity verification. Results are recorded as clear, flagged, or review. Full screening details are stored for the broker's compliance records.
Organizations must publish clear, specific information about what data is collected, why, how long it is kept, where it is stored, who has access, and how to withdraw consent.
A transparency section is displayed on the completion screen and included in the client's confirmation email. It covers all 10 OPC-required disclosure points in plain language. No legal jargon. No hidden terms.
Individuals have the right to request access to any personal information an organization holds about them.
Stated explicitly in the transparency section. Broker contact information is provided. Clients can request all records at any time through their broker.
Personal information must be destroyed, erased, or made anonymous when no longer required for its stated purpose and all legal obligations have been met.
Retention policy requires deletion after the 7-year retention period. Deletion procedures will be implemented before the first records reach their retention date.
Organizations must maintain records sufficient to demonstrate compliance with identity verification obligations.
Every session records: creation timestamp, completion timestamp, full status history, source (manual or automated webhook), IDV and AML results. All broker authentication events are logged.
Step by step, from verification to storage to deletion.
Captured on the client's own device. Transmitted via TLS 1.2+ directly to the verification provider's servers.
The verification provider processes the verification in real time. Facial match, document authenticity, and AML screening run in seconds.
We receive only the verification status (approved/declined/review) and AML result (clear/flagged). No images. No biometric data.
Immediately after receiving the verification result, we call the provider's delete API. ID images, selfies, and biometric data are removed from the provider's servers. A brief processing window exists between verification and deletion during which images are stored only on the provider's encrypted infrastructure.
The result (status, date, AML outcome) is stored in our Canadian database (AWS Montreal). Encrypted at rest with AES-256. Retained for 7 years per FINTRAC requirements.
Records are permanently deleted. Deletion procedures will be implemented before the first records reach their retention date.
| Data | Stored? | Details |
|---|---|---|
| Client name and email | Yes | Required for broker communication and record keeping |
| Verification status (approved/declined) | Yes | FINTRAC requires this record. Retained for 7 years. |
| AML screening result | Yes | Clear, flagged, or review. Full details in encrypted JSONB. |
| Date and time of verification | Yes | Timestamp of when IDV completed. Required for audit trail. |
| KYC questionnaire responses | Yes | Encrypted JSONB. Broker-accessible for compliance review. |
| Signed client agreement | Yes | Digital signature (hand-drawn on screen). PDF generated on demand. |
| Verification provider session reference | Yes | Session ID linking to the verification event. The provider session itself is deleted after processing. |
| ID card images | No | Deleted from provider servers after verification via API call |
| Selfie photos | No | Deleted from provider servers after verification via API call |
| Biometric templates or hashes | No | Never created in our system. Never stored. |
| Raw verification provider data | No | Only the status result is retained. Session data is purged. |
Every broker's data is completely separate. Always.
One database. Separate walls.
Row Level Security ensures each broker only sees their own clients.
[Diagram: two brokers on one shared database. Each broker sees only their own clients (47 sessions for one broker, 123 sessions for the other). PostgreSQL · AWS ca-central-1 (Montreal) · RLS Enabled]
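An added example, not Complai's own schema or policy: a minimal PostgreSQL setup of the kind described above, with each session tied to a broker by foreign key and a Row Level Security policy applied to every statement. The names `brokers`, `client_sessions`, `app_broker` and `app.broker_id` are assumptions made for illustration.

```sql
-- Added illustration; all object names are assumptions, not Complai's schema.
-- Run as a superuser, or as a table owner that is a member of app_broker.
CREATE ROLE app_broker NOLOGIN;  -- no SUPERUSER or BYPASSRLS: both skip RLS

CREATE TABLE brokers (
    id    bigint PRIMARY KEY,
    email text NOT NULL UNIQUE
);
CREATE TABLE client_sessions (
    id         bigint PRIMARY KEY,
    broker_id  bigint NOT NULL REFERENCES brokers (id),
    idv_status text NOT NULL
               CHECK (idv_status IN ('approved', 'declined', 'review')),
    aml_result text CHECK (aml_result IN ('clear', 'flagged', 'review')),
    created_at timestamptz NOT NULL DEFAULT now()
);
GRANT SELECT, INSERT, UPDATE ON client_sessions TO app_broker;

-- Constructed sample rows, loaded before RLS is switched on.
INSERT INTO brokers VALUES (1, 'broker-a@example.test'), (2, 'broker-b@example.test');
INSERT INTO client_sessions (id, broker_id, idv_status, aml_result) VALUES
    (101, 1, 'approved', 'clear'),
    (102, 2, 'review',   'flagged');

ALTER TABLE client_sessions ENABLE ROW LEVEL SECURITY;
-- Without FORCE, a non-superuser table owner is exempt from the policies.
ALTER TABLE client_sessions FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read or targeted; WITH CHECK validates rows written.
-- An unset or empty app.broker_id becomes NULL, so the predicate matches no row.
CREATE POLICY broker_isolation ON client_sessions
    FOR ALL TO app_broker
    USING      (broker_id = NULLIF(current_setting('app.broker_id', true), '')::bigint)
    WITH CHECK (broker_id = NULLIF(current_setting('app.broker_id', true), '')::bigint);

-- A request handled on behalf of broker 1.
BEGIN;
SET LOCAL ROLE app_broker;
SET LOCAL app.broker_id = '1';  -- set server-side from the authenticated session
SELECT id, broker_id FROM client_sessions;   -- USING limits this to broker 1's rows
UPDATE client_sessions SET idv_status = 'declined'
 WHERE id = 102;                             -- row 102 fails USING, so it is not a candidate
INSERT INTO client_sessions (id, broker_id, idv_status)
VALUES (103, 2, 'approved');                 -- broker_id 2 fails WITH CHECK
ROLLBACK;
```

The isolation holds only if the application connects as a role without `SUPERUSER` or `BYPASSRLS` and sets `app.broker_id` itself, never from client-supplied input.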
Clear lines between the broker's obligations and ours.
Complai is built for mortgage brokers across Canada (excluding Quebec).
| Province / Territory | Regulator | Key Notes |
|---|---|---|
| British Columbia | BCFSA | The BC Mortgage Services Act (expected to take full effect in 2026) is anticipated to include record-keeping location requirements for BC mortgage brokers. All data stored in AWS ca-central-1 (Montreal, Canada). |
| Alberta | RECA (Real Estate Council of Alberta) | Real Estate Act. No additional data residency requirement. PIPA (provincial privacy law) applies. |
| Saskatchewan | FCAA | Mortgage Brokerages and Mortgage Administrators Act. No additional data residency. PIPEDA applies. |
| Manitoba | MFSA | The Mortgage Brokers Act. No additional data residency. PIPEDA applies. |
| Ontario | FSRA | MBLAA, 2006. Provincial identity verification duty. Records must be stored in Ontario. Under review for electronic records in Canadian cloud hosting. |
| New Brunswick | FCNB | Mortgage Brokers Act, 2014. Provincial identity verification duty. No data residency requirement. |
| Nova Scotia | Registrar of Mortgage Regulation | Mortgage Regulation Act (effective 2021). Standards of Conduct regulations. No data residency requirement. |
| Prince Edward Island | None | No provincial mortgage broker legislation. Federal FINTRAC and PIPEDA apply. |
| Newfoundland and Labrador | Superintendent (DGSNL) | New Mortgage Brokerages and Brokers Act effective April 1, 2025. Enhanced licensing and disclosure. |
| Yukon | None | No territorial mortgage broker legislation. Federal FINTRAC and PIPEDA apply. |
| Northwest Territories | None | No territorial mortgage broker legislation. Federal FINTRAC and PIPEDA apply. |
| Nunavut | None | No territorial mortgage broker legislation. Federal FINTRAC and PIPEDA apply. |
From the moment of verification to the moment of deletion.
Client completes IDV. Deletion request sent to provider immediately after verification completes. Verification record created.
Record must be kept. Cannot delete even if client withdraws consent. This is a legal obligation.
FINTRAC 5-year minimum met. We retain for 2 additional years to satisfy BCFSA's 7-year record keeping requirement (MB 12-001, Mortgage Brokers Act Regulations).
Cryptographic erasure. Encryption keys destroyed. Data permanently unrecoverable. Nothing remains.
Straight answers to the questions that matter most.
If I leave Complai, what happens to my data?
You can export all records at any time. Upon contract termination, we either return all data to you or securely destroy it at your direction, after a grace period for export.
Does HNDL use my client data for anything else?
No. Client data is processed solely for the purpose of providing compliance services to you as a mortgage broker. We do not use it for marketing, analytics, training, or any other purpose.
Where exactly is my data stored?
PostgreSQL database on AWS ca-central-1 (Montreal, Canada). All data at rest is encrypted with AES-256. All data in transit uses TLS 1.2+. No data leaves Canada.
What certifications does your verification provider have?
Our verification provider holds ISO 27001 certification for information security management and iBeta Level 1 biometric PAD (Presentation Attack Detection) testing. All data is encrypted with TLS 1.3 in transit and AES-256 at rest.
Do I need to keep records in my mortgage origination platform as well?
Yes. As the FINTRAC reporting entity, you should maintain your own copies of verification records in your mortgage origination platform. Complai retains records on your behalf as an additional safeguard, but your own copies ensure you are never dependent on any single system.
Can HNDL or Complai see my clients' personal information?
No. The Complai platform administrator (HNDL) does not have access to any client names, email addresses, identification documents, or personal information. The admin dashboard tracks only aggregate metrics (session counts, completion rates, system health) and references sessions by anonymous session ID. Only you, the broker, can see your clients' information.
What happens to the ID photos my client takes during verification?
ID photos and selfies are processed by our verification provider for real-time identity matching. After we receive the verification result, we call the provider's delete API to permanently remove all images from their servers. Complai never downloads or stores these images. Only the verification status (approved/declined) is retained.