BMO Global Privacy Policy & Data Protection Framework

Effective Date: March 20, 2026

---

At BMO (Bank of Montreal), your privacy is fundamental to our relationship. This policy extensively details how BMO Online Banking, SmartProgress™, and our institutional platforms handle your personal and corporate information across all digital endpoints, including bmo.gr.com.

1. Scope and Application

This Privacy Policy applies to the collection, use, disclosure, and safeguarding of personal information by the Bank of Montreal and its affiliates globally. This includes interactions via BMO Online Banking, BMO InvestorLine, BMO Business Xpress™, and our mobile applications. By accessing our services, you acknowledge the terms outlined in this comprehensive framework.

2. Information We Collect

To provide you with secure, personalized, and robust banking services, BMO collects various categories of personal and financial information. This collection is strictly limited to what is necessary for functional, regulatory, and security purposes.

• Direct Identifiers: Name, address, date of birth, Social Insurance Number (SIN) or Social Security Number (SSN), government-issued ID, and biometric data (such as voiceprints or facial recognition vectors used for secure login).
• Financial Data: Account balances, transaction history, credit history, investment portfolios (via BMO Global Asset Management and BMO InvestorLine), and tax-related information.
• Digital Traceability: IP addresses, browser types, device hardware identifiers, localized geolocation (for fraud prevention), and behavioral analytics detailing how you interact with our SmartProgress™ dashboard.
• Communications: Records of correspondence with our customer service, chat transcripts, and recorded audio calls for quality and security assurance.

3. How We Use Your Data

We process your data securely through encrypted pipelines to deliver and enhance our services. BMO utilizes your information to:

• Verify your identity and authenticate your access according to Zero-Trust architectural protocols.
• Process domestic and cross-border transactions safely and efficiently.
• Personalize your SmartProgress™ insights, offering algorithms that predict savings patterns and suggest optimizing strategies.
• Conduct continuous behavioral monitoring to preemptively identify and block unauthorized access attempts.
• Fulfill strict legal and regulatory compliance obligations, including Anti-Money Laundering (AML) and Know Your Customer (KYC) mandates globally.

4. Disclosure of Information

Your data is yours. BMO does not and will never sell your personal information to third-party data brokers. Information is only shared under the following strict conditions:

• Service Providers: We may securely share data with audited partners who assist us in providing services (e.g., credit bureaus, card manufacturers). These entities are bound by strict non-disclosure and processing agreements.
• Legal Requirements: When mandated by valid legal processes such as subpoenas, court orders, or regulations from governing financial authorities (e.g., OSFI, FINRA, SEC).
• Fraud Prevention: With global fraud monitoring networks to prevent systemic cyber threats and protect our customer base.

5. Data Security & Cryptography Infrastructure

Our commitment to security is absolute. The distributed architecture of BMO ensures that sensitive identifiers are never stored in a single, vulnerable location. Our defenses include:

• End-to-End Encryption: All data in transit and at rest is secured using AES-256 standards and TLS 1.3 cryptographic protocols.
• Hardware Security Modules (HSMs): Cryptographic keys used for biometric and transactional verification are isolated in tamper-resistant physical servers.
• Sub-Millisecond Threat Detection: Predictive AI monitors user behavior anomalies in real-time, executing account locks instantly if a session is hijacked.

6. Your Data Rights & Sovereignty

Depending on your jurisdiction (including but not limited to the GDPR in Europe, CCPA in California, and PIPEDA in Canada), you have comprehensive rights regarding your personal data:

• The Right to Access: You may request a detailed report of all personal data BMO currently holds regarding your profile.
• The Right to Rectification: You may correct or update any inaccurate or incomplete personal data via your Online Banking portal.
• The Right to Erasure (Right to be Forgotten): Subject to mandatory financial data retention laws (e.g., holding transaction records for taxation and AML purposes for a minimum of 7 years), you may request the deletion of your personal data.
• The Right to Portability: You can export your financial history formatted as a machine-readable CSV or JSON file structured by our Open Banking APIs.
• Opting Out: You have the right to opt-out of secondary analytical tracking and marketing communications seamlessly via your SmartProgress™ dashboard.

7. Cookie Policy and Digital Tracking

BMO utilizes non-persistent session tokens and encrypted cookies primarily for maintaining active login states and verifying anti-fraud metrics. For a detailed breakdown of how we manage tracking technologies, please reference our distinct BMO Cookie Policy.

8. Cross-Border Data Transfers

As a leading North American financial institution with global operations, your data may be processed and stored in secure server clusters outside of your country of residence (primarily in Canada and the United States). In all instances, data transit is governed by strict inter-company data transfer agreements and standard contractual clauses that uphold international data sovereignty laws.

9. Updates to this Policy

BMO reserves the right to update this Privacy Policy continuously as digital landscapes and regulatory environments evolve. We will notify you of material changes via direct mail, secure message within Online Banking, or a prominent notice on bmo.gr.com.

10. Contacting the BMO Privacy Office

If you have inquiries, concerns, or wish to exercise your data rights under this framework, please contact our dedicated Data Protection Officer (DPO):