Finance Committee on March 4th, 2014

I haven't worked with the Privacy Commissioner, but I am familiar with EULAs and user-licensing agreements being too big. Many times it's not necessarily due to us, it may be a third party that has built an app. It may be a bank that's built an application. A loyalty company may be doing it all for a right, and we can't necessarily control what they do. So if they want to offer a service to an end user, it's their EULA to allow the customer to disclose their location. As an example, a customer could say, “I'm close to this restaurant, send me an offer.” It's entirely up to them.

In terms of how we can address it, I'm not sure there's much we can do as a device manufacturer, other than bigger, clearer screens so people can read it. I don't think we can do much more than that.

It's not my area of expertise. I know we've come across it. We've heard complaints regarding third-party applications. It's an area under review. The privacy people at BlackBerry could get back to you, if you're interested.

Do you mean disputes in terms of a transaction, a customer—

Any dispute would be handled through the financial institution's complaint handling process, and all the financial institutions have pretty robust complaint handling procedures. So if there are any issues, those would be handled through that channel.

No, we're still in the rollout stage in mobile. If you're looking at fraudulent transactions, a couple of years ago the Canadian Code of Practice for Consumer Debit Card Services, which is overseen by the Financial Consumer Agency.... That's a voluntary code, although the financial institutions, and we as a network, subscribe to it. We embedded that into our rule framework so that anybody who's issuing a Interac Debit or Interac Flash would have to subscribe to that code. There are clear specifications on how to handle a dispute if there are fraudulent or disputed transactions.

The Financial Consumer Agency of Canada monitors those, so if it escalates to a certain level—level 2—those are reported to the FCAC for oversight, as well there are ombudsman and third-party dispute resolution processes as part of the FI's complaint handling.

We didn't have concerns. We had heard that concern from the business community and things like that. There was a lot of belief that when mobiles came and the payments were coming out, that the wireless industry was in it because they wanted to get a cut of the per transaction fee. That is not the case, and that model, I believe, was briefly tried in the United States where wireless companies wanted a piece of the interchange, and it just stalls the rollout. The real benefit is having more people using these options.

As I said, it's just like a dumb-pipe relationship. It's a flow through, especially with the secure element on the SIM, where your credit card information resides on the SIM card inside the phone. You don't even have to be connected to the wireless network to make a payment. It's the same as a contactless card. So the wireless provider doesn't know that the payment came from the phone. It could have come from the same credit card that you would have used. So there's no opportunity to build in a fee. If a financial institution made an agreement with a wireless company to give them a per transaction fee, it would have to be based on some kind of algorithm or prediction on how many payments were from mobile. But it wouldn't be an increased fee for retailers or consumers.

It's a great question.

I think a lot of the regulations that could cover most of this stuff already exist. We submitted to the mobile addendum proceedings by finance over a year ago. We welcome them and the idea of bringing mobile into the credit and debit card code of conduct, just to make sure it's captured, because you're really just replicating debit and credit cards with mobile phones. The terminology needed to be changed to make sure one was not exempt versus the other. That was a very light-handed way to make sure this is included and to make sure you use technology that captures all types of payment options.

On the other side, in terms of personal information we have good privacy frameworks in place as well. That's already there. We have new anti-spam legislation, in terms of businesses taking this information and reaching back out to people. I don't know that special mobile payments regulation is needed. I think we can just look at how things can be addressed through the existing frameworks.

Right.

Thank you for the question.

As has been mentioned, the frameworks, rules, and standards are largely in place. In the case of the Canadian Payments Association, those are firmly established. They've been modified over time. They've been modified with an eye to newer payment technologies, so they're in place.

I think part of the issue and challenge for governments—and all of us—is that you can't just put something in place and leave it, you have to monitor it in some way. Things are evolving so quickly, and part of it is that we don't know what we don't know. That's one of the big issues, security and cyber-security. So at the Canadian Payments Association, because what we do and need to do every day—20 hours a day, open settlement, open markets—we have to run all the time. We're concerned about things like cyber-security risk. Again, we have frameworks, standards, approaches to mitigate that risk, but we can't just rest on what we have. We have to keep up.

I can confirm that no one's ever indicated that to me as being a goal at all.