Yes, I have lots of hats to wear.
Thank you very much to committee members for inviting me as well. I apologize that my presentation will be completely in English. I don't have the skills in French like those of my colleague, so my apologies for that.
What I'd like to talk to you about today is the role of the banks in combatting identity theft and its increasing impact on the economy. I'd like to start with a recent study that my colleagues and I did on a growing industry that's called the financial aggregator industry and the risks that they pose. Then I'd like to talk very briefly about the role the banks play with the financial aggregator industry. Then I'd like to talk more generally about the banks and the role that the banks play.
Let me start with our research. This was research that was funded by the Office of the Privacy Commissioner of Canada's contribution program and it was led by a colleague from Sherbrooke University, Anastassios Gentzoglanis, so I want to give credit there.
The financial aggregator industry is an industry that pulls together for customers financial information from a variety of sources. If I have a credit card with one bank and a chequing account with another bank and a savings account with a third bank, the aggregator puts that all together in front of me, whether I'm doing that on my desktop, my iPad, or in some cases on my phone. We were curious in the research about the consumer attitudes with respect to that, as well as with respect to, more importantly, the security provisions that they have for the information that they take from customers, and the privacy concerns as well.
It's a growing market. There are seven operators that are operating right now in Canada. They're not Canadian necessarily. You may be familiar with some of the names, companies such as Mint, or some people may know Quicken. There's Check, which was once known as Pageonce. There's Yodlee. There's Mvelopes. There's a number of other companies. Our research proposed to talk to them in confidence without attributing anything to them, just to learn about how they work, what kind of security they offer, what safeguards they put in place, all the things that according to PIPEDA at the very least they should be able to provide. No one from that industry agreed to talk to us as academics about their provisions.
I would think that if they have good security and safety provisions for our financial information, they wouldn't hesitate to broadcast that. That would be a good news story for them. But not one in this industry agreed to talk to us. As they said to us, “There is no upside in it for us to talk to you.” We found that very, very concerning and troubling. From what we can surmise, there are about one and a half million people in Canada, and potentially more, who are using these services. We're talking about a younger crowd who's more interested in that as well and more open to vulnerabilities. That raises a number of questions with respect to this industry.
First of all, who regulates this industry? Is it the OFSI, the Office of the Superintendent of Financial Institutions? What's the role of FCAC, the Financial Consumer Agency? What about the Office of the Privacy Commissioner? Who do they report to? They're not Canadian businesses. They don't necessarily see the Canadian landscape as something that has anything to do with them.
I'll quickly talk about what role our banks are playing with respect to this specific industry. Our banks are telling us that the risk is entirely upon us as customers. They're treating it in their language as an authorized transaction, meaning it's the same as if I used my credit card for a purchase at a store or another vendor: I authorize that transaction, and therefore, if something goes wrong with it, that's my responsibility as a customer.
I think that's questionable as well, because I think the banks should be a lot more cautious in terms of this industry and a lot more protective of customers in terms of educating them, also just in terms of safety and security provisions, but the banks have taken the attitude so far with respect to financial aggregators that they want nothing to do with them. They see them somewhat as competition. Of course, each of the banks also has their mobile and desktop services by now. Some of them are interested in doing financial aggregation as well. I think between these cracks, consumers sort of fall. That's a problem with respect to this financial aggregator industry.
Let me talk at the end of my brief comments about the banks themselves. The question to be asked is, are the banks themselves any better with respect to identity theft and identity fraud and financial fraud that's related to the theft?
For several years now, my colleagues and I have been trying to get the banks themselves to provide us with information about identity theft and breaches that are related to identity theft. We have received no response. We asked the banks individually. We asked the banks collectively through the CBA, Canadian Bankers Association, which is their association, to provide information to us.
What we are interested in is exactly what would help the committee in its work. We would like to know the sources of fraud. Can you break it down for us by category, source, or origin? I'll give you some examples. How much originates in customers' and consumers' practices? For example, we just saw a story in the news the other day about easy passwords. What percentage of identity theft is because people have easy passwords or because people don't hide their personal identification number properly when they use it at a bank machine or a point of sale terminal? What percentage is because people are negligent and just carry it in their pocket or stick it on their forehead? We don't have the answers to this information.
Further, what percentage is because Canadian criminals are committing crimes, for example, by placing devices on ABMs, automatic banking machines, and stealing people's passwords that way? What percentage is by people using skimmers on point of sale terminals and stealing information like that? What percentage of crime would be characterized as petty and what percentage could be organized crime? What percentage is the result of rogue employees, whether they are working for a retailer or a bank? What percentage originates outside Canada in other countries where a lot of criminal activity originates, whether it's the United States, or some country in eastern Europe, or whether it's Russia, China, or another Asian country? As academics, how are we to know what to think about the reasons for identity theft and identity fraud? How is the Government of Canada and Parliament going to say this is the best policy going forward on these issues without having access to that information?
I would just like to be clear that we are not journalists, and we are not interested in attacking any specific bank. When we go to the banks we say that we are really interested in this anonymously and we're not going to attribute anything to any particular bank. We went to the CBA again and said to just give us the data as an aggregate, but as far we know, the banks don't even share that data with the CBA. We are forced to rely on whatever is put out there publicly, which to the best we know is old data from 2012. There is some information on the CBA website that makes no mention of these categories. Some information that goes back to mid-2013 was given by the Canadian Anti-Fraud Centre. That's the last data I saw, but it doesn't break it down by categories. It gives the overall numbers. It doesn't give a good road map for the future as to how you would like to proceed.
We know by talking to people informally that there are hundreds, if not thousands, of incidents that the banks characterize internally as problematic. I'm talking about thousands per bank on a yearly basis. What all these incidents are we don't know. Are they all serious? We don't know. Do they all involve identity theft? We don't know. Something about them triggered a response somewhere at the bank that says this is an incident that needs to be dealt with. As my colleague said, will they be breaches that will require notification to the commissioner or the consumers? We don't know. We have no good solid information about them or their impact on the economy or on us.
I should say that as part of our due diligence before coming in front of you, over the last couple of weeks we contacted all the banks again. As I said, this has been going on for several years. To date we have received no response to our requests from any of the banks or from the CBA. I think the banks have a key role to play here. They have to be transparent. They have to be accountable. As individual businesses they don't have to put themselves at any kind of disadvantage over their competitors in the banking industry, but as an industry group, it's part of what I would call their corporate responsibility to deal with this issue.
I urge you as a committee to call on the banks to share that information with the public and with academics, at the very least with committee members, so that you have in front of you the information you need in order to do the important work you've been engaged in.
With that, I'd like to thank everybody. I'd be happy to take questions, if we have time.