Evidence of meeting #25 for Access to Information, Privacy and Ethics in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Philip Fisher: Senior Director, eChannels Risk Management, Integrated Business Control Services, Canadian Imperial Bank of Commerce
Paul Milkman: Senior Vice-President, Head of Technology Risk Management and Information Security, TD Bank Financial Group
Ed Rosenberg: Vice-President and Chief Security Officer, Legal, Corporate and Compliance Group, BMO Financial Group
Jay Stark: Vice-President, Internal Audit Services, Personal and Commercial Banking, RBC
Jennifer Frook: Director, Shared Services, Fraud Management Office, Scotiabank

11:35 a.m.

Vice-President and Chief Security Officer, Legal, Corporate and Compliance Group, BMO Financial Group

Ed Rosenberg

As of this week, we are.

Again, I'm accountable for fraud within the bank itself. None of my staff, and no one within my chain of command, has ever been approached, so we're unclear as to where that request actually went.

11:35 a.m.

NDP

Mathieu Ravignat NDP Pontiac, QC

That's peculiar.

We've heard from first nation individuals and bands that indicated the issue of identity theft is linked to a lack of access to information by many first nations people. Some bands have complained that banks are taking advantage of this particular situation, particularly the lack of credit bureau information, to create consumer credit that is way beyond what is acceptable. There are numerous examples of first nations individuals being charged interest rates 300% higher than non-natives.

Are you trying to tackle some of the issues inherent with dealing with first nations? Is there a consultation process in place by your institutions in dealing with a population that is much more vulnerable to identity theft than others?

11:40 a.m.

NDP

The Chair NDP Pat Martin

Mr. Milkman, are you interested in responding?

11:40 a.m.

Senior Vice-President, Head of Technology Risk Management and Information Security, TD Bank Financial Group

Paul Milkman

Yes. I'm not sure whether we'll be able to answer it closely. As retail institutions our branch strategies, especially in areas with predominantly first nations populations, do offer different types of training and different types of materials to attempt to help with the problem. But I think most of us would probably say it's not so much our area of the business, and we'd be interested in getting back to you with some information on what we would do differently.

11:40 a.m.

NDP

Mathieu Ravignat NDP Pontiac, QC

That would certainly be appreciated. Maybe you can discuss with your various organizations that this is indeed a problem. I have two first nations in my riding and many of my colleagues do as well. The first nations are being gouged and there are high rates of identity theft in these communities. We need to respond.

I'd like to come back to my previous question, but from a consumer perspective perhaps.

There's tension between keeping financial information that you need to be competitive and your products in-house and educating the public and the relationship to identity theft in that context. How are you providing tools to consumers to make sure they have access to what they need to prevent their identity from being stolen? I'm not talking post-identity theft; I'm talking prevention. It's not necessarily the responsibility of government to do it.

11:40 a.m.

Senior Director, eChannels Risk Management, Integrated Business Control Services, Canadian Imperial Bank of Commerce

Philip Fisher

I'd be happy to address that.

First of all, CIBC would not view the security and integrity of their clients' information as being a competitive advantage or anything that we would want to compete with anybody regarding it. We would view that as an expectation on the part of the customer that their information is protected.

I think it's important from an education tools perspective. We keep the client informed as to what's happening with their account. CIBC, through its online banking service, has a variety of transaction alerts. You can go in and see when your personal information changes, when your PIN changes, when your password changes, when any large transactions are performed. We even offer free credit bureau monitoring. We do that because we think it's important for the client to know what's happening with their account and for them to know it in real time. Clients who subscribe to those services would get an e-mail or an SMS telling them what's happening with their account in real time so they could intervene and ask any questions they might have of the organization.

11:40 a.m.

NDP

The Chair NDP Pat Martin

We'll have to leave it at that, Mr. Fisher. Thank you very much.

Your time is up, Mr. Ravignat.

For the Conservative Party we have David Anderson. Welcome to the committee, Mr. Anderson.

11:40 a.m.

Conservative

David Anderson Conservative Cypress Hills—Grasslands, SK

Thank you, Mr. Chair. It's good to be here today.

When you're talking about things like return e-mails and SMS texts and those kinds of things, is it gained at the password level? Is it gained at a failure to log out of a site and someone can access through that? Is it gained through phony websites? Over the last while, one of your banks has been sending me something that is obviously not from you, and I'm wondering when you run into these problems where the access point usually is.

11:45 a.m.

Senior Director, eChannels Risk Management, Integrated Business Control Services, Canadian Imperial Bank of Commerce

Philip Fisher

There is actually a variety of them. You have listed quite a few. The core is that we see a considerable number of phishing e-mails; we see malicious software on the clients' computers—that is one I would highlight as highly problematic—and we see clients providing their information to third parties and then see disclosures happening there. But I think each of these ebbs and flows.

If you were to ask me about phishing, I would tell you that the number of phishing incidents over the years has increased, but the number of clients who actually fall victim to them has declined over the years. When I first started doing this, I did a rough calculation which said that for every phish that went out, I would see 40 clients provide their information. Now I see one to about half a client, on average, who provides information to those sources.

You held up your mobile device. This is one of the challenges. People with a large screen can see the visual aspects that are saying something is wrong with this, but when you shrink it down to a mobile device, it becomes significantly more difficult to pick out those cues that might tell you that something is actually wrong with it.

11:45 a.m.

Conservative

David Anderson Conservative Cypress Hills—Grasslands, SK

I don't know much about this, but often you go back to the e-mail address. That is really the only thing that, to my mind, gives it away, because there are some pretty attractive-looking website presentations out there.

I want to ask what percentage of crime is related to what you would call petty attempts to get information and what percentage would be much more due to organized crime. I think Ms. Frook talked about its being evolving, fast-moving, changing, sophisticated technology. Is it increasingly organized crime, or is it still people who are hacking from home and who are fairly smart at being able to punch through those systems?

11:45 a.m.

Senior Director, eChannels Risk Management, Integrated Business Control Services, Canadian Imperial Bank of Commerce

Philip Fisher

Certainly the card-based fraud, such as the copying of debit and credit cards, is the area in which you tend to see the larger organized crime groups involved. But when you get into phishing and malware, the barriers to entry for fraudsters to get in are considerably lower. You can go onto the Internet and buy a kit that will help you phish a bank. You need very little technical capability. You buy this kit; it does all the work for you, and it sends it out.

You will start to see more individuals appearing in some of those types of frauds, because it is a do-it-yourself kind of thing compared with the larger-scale organized crime and debit and credit card types of fraud.

May 29th, 2014 / 11:45 a.m.

Conservative

David Anderson Conservative Cypress Hills—Grasslands, SK

Okay.

My financial institutions are regularly sending me their online agreements. They keep changing. They keep shifting around. They're almost indecipherable for an average person to read anyway, but one thing that seems to be fairly common in them is that they seem to lessen institutional responsibility each time I get one of those, and to increase my responsibility.

Do you hear from the public that they're frustrated with that kind of thing? It looks to me, when I get them, as though there may be some change in technology, but it's typically because it looks as if the financial institution is trying to absolve itself of a responsibility rather than improve my protection.

Is there any comment from anybody?

11:45 a.m.

Senior Director, eChannels Risk Management, Integrated Business Control Services, Canadian Imperial Bank of Commerce

Philip Fisher

I can continue, if you'd like.

Certainly, looking at some of those electronic access agreements is somewhat intimidating for consumers. But from a bank's perspective, we try to understand that our clients are not technology experts and are not information security experts, and so we try to keep expectations of them fairly low. We want you to have anti-virus, and we want you to try to protect your computer, but we understand that this is difficult for some clients to do.

We review these cases on a case-by-case basis. We would look at one and ask whether we are erring on the side of the client: are we giving them the benefit of the doubt?

11:45 a.m.

NDP

The Chair NDP Pat Martin

Mr. Fisher, I'm going to have to cut you off.

Mr. Anderson, you can tell that the bells are ringing.

With the unanimous consent of the committee, we might extend this for 15 minutes or so. These are half-hour bells, and we're in the same building.

Is it the will of the committee to continue for 15 minutes?

11:45 a.m.

Some hon. members

Agreed.

11:45 a.m.

NDP

The Chair NDP Pat Martin

Okay, we have agreement.

Carry on, Mr. Anderson. You have about two minutes left in your seven-minute round.

11:45 a.m.

Conservative

David Anderson Conservative Cypress Hills—Grasslands, SK

Thank you, Mr. Chair.

My question is about one of the small things in those agreements. How realistic is it to have people changing their passwords every 90 days, when they have a dozen different places that they use passwords? You're not allowed to use the same one, so you're expected to keep different accounts and change passwords regularly. I just think that for some people that's okay, but for many people it is a real source of frustration.

How do you deal with that frustration?

11:45 a.m.

Senior Director, eChannels Risk Management, Integrated Business Control Services, Canadian Imperial Bank of Commerce

Philip Fisher

Certainly from CIBC's perspective, we do not require you to change your online banking password every 30 days. We understand that it is difficult for clients to remember their passwords. Even within our own site you occasionally need multiple passwords or personal verification questions.

From the perspective of evolving online banking, CIBC is moving to a two-factor authentication system that we're going to launch next month. We're going to take away some of the personal verification questions and we are going to start sending clients SMS messages with one-time use codes for use when they want to do a higher-risk transaction and when they really need them, putting the security where it needs to be at the moment that the client needs it. We will try to make it such that they don't have to remember all of these things.

11:50 a.m.

Conservative

David Anderson Conservative Cypress Hills—Grasslands, SK

I probably only have time for one more question, but I want to know the difference between the U.S. and Canadian protection. Some of the technology to me really seems to be lagging in the United States. I think we're ahead of it in a number of areas here. Here you get the magnetic strip cards. Down there you get a failure to be able to transfer money electronically. How does that contribute to or how does that prevent this kind of identity theft and fraud?

11:50 a.m.

Senior Vice-President, Head of Technology Risk Management and Information Security, TD Bank Financial Group

Paul Milkman

TD, obviously, has a very large presence in the United States and is the largest foreign-owned retail bank operating in the United States. What we would see is that there are variations in the protections between the two countries. We would say that chip and PIN, in particular, have been a huge advantage to the Canadian consumer. Frankly, seeing some data from both sides of the border, we would say we've seen techniques like skimming at ATM machines literally migrate south of the border because of the superior control of the Canadian environment. We would say there are other areas where I think large institutions in the U.S. and Canada are working very hard to accelerate their efforts. Transactional data analytics, that is, gathering information on what a normal transaction in our bank looks like, is something that both are working on very hard. You would say there's a set of shared problems that we're all working on. There are certainly, currently, some advantages in Canada over the U.S.

The other thing that's different, I believe, in Canada is that the banks and some other key industry players, like the telecommunications firms, are working more closely with public safety. The possibility of either a legislative change or even an interpretational change of existing legislation in Canada will most likely allow Canada to leapfrog the U.S. in making progress at a national level. The public-private partnership here is a bit more accessible. In the U.S. we're seeing signs that they're likely to continue to lag in terms of really forward-looking legislation on privacy and on security itself.

11:50 a.m.

NDP

The Chair NDP Pat Martin

Mr. Milkman, I'll have to stop you there.

Thank you, Mr. Anderson.

For the Liberal Party, Mr. Scott Andrews, for seven minutes.

We'll probably have time for you to do your round of questioning. I'm pleased because all three parties will have had an opportunity. Then we'll release our witnesses with thanks, adjourn, and go and vote. I'll ask the committee members to come back for 10 or 15 minutes. We need to discuss future business and witnesses for next Tuesday.

With that, Mr. Andrews, for seven minutes.

11:50 a.m.

Liberal

Scott Andrews Liberal Avalon, NL

Thank you very much, Mr. Chair.

Mr. Fisher and Mr. Stark, I think you both mentioned that the definition of identity theft is not consistent. Do you want to elaborate on that, as we're looking at identity theft? What is the definition that we should be drilling down on?

11:50 a.m.

Vice-President, Internal Audit Services, Personal and Commercial Banking, RBC

Jay Stark

One of the key examples would be credit card and debit card skimming. Some people will look at debit and credit cards as covering identity theft in that case. A lot of the banks don't look at that. We look more at things when credentials are stolen, or it could be paperwork, or it could be credit bureau data, and an application is made to a bank in the name of another party. That would be identity theft. But the big problems we have are really the grey areas.

In my opening remarks, I wanted to present the whole of financial crime, then we would split out, to the best of our ability, what we agree on for identity theft, and then show the grey areas, so the committee could look at it and make their own opinions.

11:50 a.m.

Senior Director, eChannels Risk Management, Integrated Business Control Services, Canadian Imperial Bank of Commerce

Philip Fisher

From CIBC's perspective, we tend to monitor fraud at a much lower, more granular level. Some of it's operational and organizational, where we have, say, a team that's responsible for identity theft. We have a dedicated identity theft team. They have a defined set of duties and responsibilities that they have for certain types of frauds, which may be different from how another organization would split it up. When we talk about trying to get information up to an identity theft level, the challenge we have is making sure that we get those apples to apples, and the same types of information are being put in the same categories. Then what we're providing is obviously meaningful, right?

11:55 a.m.

Liberal

Scott Andrews Liberal Avalon, NL

For me, in the last couple of days on the committee, it's been trying to compartmentalize individuals who actually are people. I don't think anyone talked about synthetic identity theft. I had that from our last group. There are ones that affect actual people and then ones that are synthetic identity theft. How big is the synthetic identity theft issue in the bank?