Law 25 and AMF: The Dual Compliance Layer for Financial Advisors
If you're a financial advisor, mutual fund dealer, or insurance representative in Quebec, you're subject to two distinct regulatory frameworks for personal information protection. On one side, Law 25 and the Commission d'accès à l'information (CAI). On the other, the Autorité des marchés financiers (AMF) and the Canadian Investment Regulatory Organization (CIRO, formerly IIROC and MFDA). Both frameworks coexist, overlap on several points, and create friction on others.
The good news: many obligations overlap, and a firm that seriously complies with one framework is already well on its way to compliance with the other. The bad news: friction zones exist, and you need to know how to navigate them.
What the AMF Already Requires Regarding Confidentiality
Even before Law 25, financial advisors in Quebec had significant obligations regarding information protection. These obligations come from several sources.
The Representatives' Code of Ethics. The code imposes a duty of discretion and confidentiality regarding all information obtained in the course of professional practice. A representative may only disclose client information in cases provided by law or with the client's consent. This obligation survives the end of the business relationship.
The Know Your Client (KYC) obligation. AMF and CIRO rules require the representative to collect and maintain detailed, up-to-date information about each client's financial situation, investment objectives, risk tolerance, and investment horizon. This information is inherently sensitive, and its collection is mandatory, not optional.
Communications retention. The AMF and CIRO require firms to retain client communications for a minimum period. For CIRO, the standard period is 7 years for account statements, transaction confirmations, and business correspondence. For electronic communications (emails, messages), retention requirements vary by communication type, but the principle is the same: you must retain and be able to retrieve exchanges with your clients.
Information security. AMF guidelines on governance and risk management require firms to implement appropriate security measures to protect client information. This includes physical security (office access, locked cabinets), logical security (passwords, access controls, encryption), and incident management.
Activity monitoring. The AMF requires firms to monitor their representatives' activities to detect anomalies, infractions, and risks to clients. This monitoring necessarily involves access to clients' personal information by compliance personnel.
What Law 25 Adds on Top
Law 25 doesn't replace AMF/CIRO obligations. It adds to them. Here are the obligations that didn't exist in the financial framework before Law 25.
Explicit and granular consent. The AMF requires consent for collecting information as part of KYC, but Law 25 goes further. Consent must be requested for each purpose separately, in plain language. If you use client data for financial services AND marketing communications, you need two separate consents. Pre-checked boxes are no longer valid.
Mandatory PIA. Before Law 25, no formal privacy impact assessment obligation existed in the AMF/CIRO framework. Now, every new information system and every data transfer outside Quebec requires a documented PIA. [Our PIA guide details the process](/blog/pia-privacy-impact-assessment-law-25).
Mandatory CAI notification for incidents. The AMF already expected to be informed of significant incidents, but there was no formal legal notification obligation with a structured process. Law 25 creates a separate obligation to notify the CAI and affected individuals when there is a risk of serious harm. [Our guide on the first 72 hours covers the complete procedure](/blog/confidentiality-incident-law-25-72-hours).
Right to erasure. Before Law 25, clients had no formal right to request deletion of their personal information. This right now exists, subject to exceptions provided by law (notably regulatory retention obligations).
Data portability. Clients can now demand to receive their information in a structured, commonly used format, or to have it transferred directly to another firm. This obligation didn't exist in the AMF/CIRO framework.
Incident register. Maintaining a register of all privacy incidents, even minor ones, is an obligation specific to Law 25. The AMF didn't require such a register specifically for privacy incidents.
Overlap Zones: What You're Already Doing
Several obligations overlap between the two frameworks. If you're already compliant with AMF/CIRO requirements, you have a head start on Law 25 for these elements.
Client information confidentiality. The Code of Ethics and Law 25 both impose a confidentiality obligation. The practices you already have in place to respect professional secrecy (restricted access, locked cabinets, clean desk policy) contribute directly to your Law 25 compliance.
Information security. The security measures required by the AMF (access controls, encryption, incident management) are essentially the same as those required by Law 25. A firm that has already invested in cybersecurity to meet AMF expectations doesn't need to start from scratch.
Document retention. Both frameworks require retaining certain documents for defined periods. Your retention practices for AMF/CIRO also serve you under Law 25.
Oversight and governance. The compliance structure you've built for the AMF (compliance officer, internal policies, activity monitoring) can serve as a foundation for Law 25 governance. The privacy officer can be the same person as the AMF compliance officer, provided the delegation is formalized.
Friction Zones: Where the Two Frameworks Create Tension
On two important topics, AMF and Law 25 obligations may seem contradictory. They aren't really, but you need to understand how to reconcile them.
Right to Erasure vs. Retention Obligation
This is the most visible friction. Law 25 grants individuals the right to request deletion of their personal information. The AMF and CIRO require firms to retain client files, statements, and communications for a minimum of 7 years (and sometimes longer depending on the document type).
How to navigate this tension: Law 25 explicitly provides that the right to erasure doesn't apply when retention is necessary to fulfill a legal obligation. AMF/CIRO requirements are legal obligations. A client who requests file deletion cannot force you to destroy documents that the AMF requires you to retain.
In practice, your response to an erasure request should be: "We have deleted all information we were no longer required by law to retain. The following documents are retained in accordance with our regulatory obligations to the AMF/CIRO and will be destroyed upon expiration of the applicable retention period." Document each erasure request, your response, and your justification in the client file.
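The procedure above, as an added illustration that is not part of the original article: each record in a client file is checked against a retention schedule, records with no active legal hold are deleted, the rest are held until their period lapses, and a justification is logged for the client file. The retention schedule, record types, sample records and the rule that the clock starts at the record's creation date are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
# Constructed retention schedule (years). The article cites 7 years under CIRO for
# statements, confirmations and correspondence; types missing here carry no hold.
RETENTION_YEARS = {
    "account_statement": 7,
    "transaction_confirmation": 7,
    "business_correspondence": 7,
}

@dataclass
class Record:
    record_id: str
    kind: str        # e.g. "account_statement" or "marketing_preference"
    created: date    # assumption: the retention clock starts at creation

@dataclass
class ErasureOutcome:
    deleted: list = field(default_factory=list)
    retained: dict = field(default_factory=dict)  # record_id -> destroy-after date
    log: list = field(default_factory=list)       # justification per record

def retention_expiry(rec: Record):
    """Date after which the record may be destroyed, or None when no hold applies."""
    years = RETENTION_YEARS.get(rec.kind)
    if years is None:
        return None
    try:
        return rec.created.replace(year=rec.created.year + years)
    except ValueError:  # created on Feb 29 and the target year is not a leap year
        return rec.created.replace(year=rec.created.year + years, day=28)

def process_erasure_request(records, today: date) -> ErasureOutcome:
    """Delete what the law no longer requires; hold the rest until its period lapses."""
    out = ErasureOutcome()
    for rec in records:
        expiry = retention_expiry(rec)
        if expiry is None or expiry <= today:
            out.deleted.append(rec.record_id)
            out.log.append(f"{rec.record_id}: deleted (no active retention obligation)")
        else:
            out.retained[rec.record_id] = expiry
            out.log.append(f"{rec.record_id}: retained under AMF/CIRO until {expiry}")
    return out

# Constructed sample file for one client.
SAMPLE = [
    Record("stmt-2019", "account_statement", date(2019, 3, 31)),
    Record("stmt-2024", "account_statement", date(2024, 3, 31)),
    Record("mkt-pref", "marketing_preference", date(2023, 1, 10)),
]
```

The `log` entries are what you keep in the client file alongside the request and the response quoted above.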
Mandatory KYC Collection vs. Data Minimization
Law 25 imposes the minimization principle: collect only the information necessary for the determined purposes. AMF/CIRO KYC rules require collecting detailed, sometimes extensive, information about the client's financial situation.
How to navigate this tension: There is no real contradiction. Law 25 requires that collection be limited to what is "necessary for the determined purposes." If the determined purpose is the financial service regulated by the AMF, KYC information is necessary by definition. The critical point is not to collect additional information beyond what KYC and the financial service require. Asking for a client's SIN solely for an address change, for example, exceeds the necessary purposes.
The practical rule: for each piece of information you collect, you should be able to identify the specific purpose (KYC, transaction execution, regulatory compliance, marketing communications). If you can't justify the purpose, you shouldn't collect it.
AI in Financial Services: A Convergence Zone
Both frameworks are increasingly focused on the use of artificial intelligence in financial services, but from different angles.
The AMF and the 30 practices for responsible AI. In 2024, the AMF published a discussion paper titled "Best Practices for the Responsible Use of AI in the Financial Sector," organized around 30 practices covering governance, transparency, explainability, fairness, risk management, and human oversight. These practices are not legally binding, but they clearly express the regulator's expectations. A firm using AI tools for client profiling, investment recommendations, or communications drafting should be familiar with them.
Law 25 and automated decisions. Law 25 imposes specific obligations when a decision is made exclusively based on automated processing of personal information. The enterprise must inform the individual that such a decision is being made, give them the opportunity to present observations, and allow them to request human review of the decision. If your CRM uses an algorithm to segment clients or suggest products, these obligations apply.
The "shadow AI" risk. The AMF's document highlights the risk of uncontrolled AI use by employees. An administrative assistant who copy-pastes client data into ChatGPT to draft an email is making an unauthorized transfer of personal information to a foreign vendor, without a PIA, without a DPA, without client consent. Both frameworks converge on the need for an acceptable AI use policy and staff training. [Our article on AI and compliance explores this topic in depth](/blog/ai-financial-firm-law-25-amf).
How to Organize Your Compliance Without Doubling the Work
The two frameworks don't require two separate compliance teams. Here's how to integrate them effectively.
One officer, two hats. Your AMF compliance officer can also serve as your Law 25 privacy officer. Simply formalize the delegation in writing and publish the contact information on your website. The person already has regulatory expertise and knowledge of the firm's data flows.
One policy, two sections. Rather than drafting a separate Law 25 privacy policy and AMF compliance policy, integrate the requirements into a single framework. The "collection and use of information" section covers both KYC (AMF) and consent (Law 25). The "retention and destruction" section covers AMF timelines and Law 25 erasure rights.
One expanded incident register. Your Law 25 privacy incident register can also serve as the security incident register for the AMF. Simply add a "reported to AMF" column alongside "reported to CAI." The information to document is essentially the same.
One integrated training program. Train your staff once covering both frameworks. Explain why you collect certain information (KYC, AMF), how to protect it (security, AMF + Law 25), what to do in case of an incident (notification, CAI + AMF), and what rights clients have (access, rectification, erasure subject to AMF retention).
One vendor evaluation process. Your Law 25 PIA and your AMF due diligence on technology vendors can be combined into a single document. Add AMF considerations (business continuity, data access for oversight, vendor regulatory compliance) to the Law 25 criteria (data residency, certifications, DPA). [Our vendor evaluation article covers the Law 25 criteria in detail](/blog/quebec-law-25-vendor-compliance-evaluation).

---
*This article is part of a series on Law 25 and compliance for financial services firms. See also:*
- *[Quebec Law 25: What Every Financial Advisor Needs to Know in 2026](/blog/quebec-law-25-guide-financial-advisors)*
- *[The 7 Law 25 Obligations Your Firm Must Meet Now](/blog/law-25-obligations-checklist)*
- *[Using AI in Your Firm: What Law 25 and the AMF Require You to Know](/blog/ai-financial-firm-law-25-amf)*
- *[Law 25 Fines: Understanding Penalty Calculations for Your Firm](/blog/law-25-fines-penalty-calculations)*
Frequently Asked Questions
If I'm already AMF compliant, am I automatically Law 25 compliant?
No. AMF requirements cover part of Law 25 obligations (confidentiality, security, retention), but not everything. Law 25-specific obligations not covered by the AMF include granular consent, PIAs, formal CAI notification, incident register, right to erasure, data portability, and publishing a privacy policy on your website.
Can a client demand that I delete their complete file under Law 25?
No, not if legal obligations justify retention. The AMF and CIRO impose retention periods that Law 25 cannot override. However, you must delete information not covered by a retention obligation and inform the client of what you retain, why, and for how long.
Do I need to notify the AMF and the CAI separately for a privacy incident?
Potentially, yes. CAI notification is a formal Law 25 obligation when the incident presents a risk of serious harm. The AMF also expects to be informed of significant incidents affecting client data. The two notifications serve different purposes and go to different recipients.
Can the AMF compliance officer also be the Law 25 privacy officer?
Yes, and it's recommended for small firms. The person already has regulatory expertise. Simply formalize the Law 25 delegation in writing and publish their contact information as privacy officer on the firm's website.