Information & Ethics Committee on May 29th, 2014

For the free credit bureau monitoring, we have a relationship with the credit bureau. Our clients can go onto our site and they can sign up for this service. Then when the credit bureau gets an inquiry on the client's account, what happens is they pass the information back to us, and then we ultimately send it on to the client to investigate.

We'll tell the client which merchant was inquiring on their credit bureau file, what type of hit it was, and when it was done. There is even contact information available for the merchant who was doing the inquiry.

In this particular case, we would be fronting for the credit bureau.

We've actually established a relationship with the credit bureaus, and particularly with Equifax, where we screen all the credits using both analytics and negative databases. So I think it's a joint effort among the credit bureaus and the banks.

I think to Mr. Rosenberg's point, we need to spend a little bit more time and go through the whole cycle.

We see some manifestation of identity theft in the cheque space. Somebody might take over an account—an account takeover. What I worry about more is where the funds are going, so where the frauds are going. We follow those frauds and we mark those frauds. We see a number of instances where people will come in with false identities to set up corporations, for instance, and be beneficial owners, or they'll be directors. Those ones are a little bit more problematic because they will now be laundering funds.

We spend a lot of time looking at that. We also spend time looking at the account takeovers of somebody's particular account.

Cheque fraud is pretty prevalent, whether it has a piece of identity theft or not, or whether it's just a straight-out fraud. We call it a first party fraud.

In the specific case that you mention in terms of a credit card fraud, when we at Scotiabank are made aware of a number of our customers who have been the victim of a compromise, we do reach out to our customers. We explain that we believe their credit card has been compromised and that we are going to take proactive measures to protect them from having fraud on their accounts.

Even in individual cases, again speaking specifically to your comments about debit and credit fraud, we at Scotia would never reach out and just cut off your access to credit. We would attempt to notify you. We very much like some of the technology we have available where we can reach out to you with electronic means. You don't have to wait for that telephone message at home; we can alert you immediately.

I'm sorry. I apologize—

It is TD's practice today to notify all individuals who have been compromised, or we suspect have been compromised. For all material or larger systemic things, we would also notify regulators, the Privacy Commissioner, etc., but on an individual basis, to answer your specific question, it is our policy to do that today.

Scotiabank would echo that.

I believe we generally are supportive of the model and the legislation that's before the House. That's the first statement.

On the second one, the individual basis, most of our systems aren't geared to identify fraud at the individual level. I think Mr. Fisher articulated that we rely upon our customers to review their own transactions. In fact, they become the first line of defence for us. Then it becomes a one-on-one relationship with the customers, and through that dialogue, if they are a victim of identity theft, there are steps that we lead them through to protect them, and it's the bank's obligation to do that.

I would echo TD's comment.

We notify the individuals, and we would notify the Privacy Commissioner if there was a relevant or significant breach. We do have a joint committee of compliance and fraud, and a number of other parties that would actually look at that and make sure that the appropriate parameters have been put forward to ensure that the Privacy Commissioner is told.

CIBC shares the same views as the other witnesses.