Information & Ethics Committee on May 29th, 2014

Good morning. I'm Philip Fisher, senior director of eChannels risk management, representing CIBC. I'm part of CIBC's retail banking fraud group. My particular specialty is in the area of online crime or cybercrime, but I'm able to speak on a variety of fraud issues.

First, on behalf of CIBC, I would like to thank the committee for giving us the opportunity to speak here today and to entertain any questions you might have. We'd also like to commend the committee for its willingness to study such an important issue to our industry, and to many Canadians who are impacted by identity theft every day. It's a complex subject, and your leadership is appreciated.

It is CIBC's view that identity theft is not a new or growing issue. Rather, it's an evolving issue. Identity theft has been part of the fraud landscape for some time. However, what has changed is how fraud is performed. Years ago we would have been talking about the theft of receipts, bills, a physical wallet, or telephone-based fraud. Now we talk about advanced persistent threats, merchant breaches, malware, and phishing. Advances in technology and the accompanying dispersal of personal information across the Internet has created a changing risk environment.

To help facilitate today's discussion, I think it's important to discuss what we mean when we talk about identity theft. The Criminal Code of Canada describes identity theft as knowingly obtaining or possessing another person's identity information for the purposes of committing an offence. Personal identity information is further described to include, among other things, name, address, date of birth, written signature, electronic signature, user name, credit card number, debit card number, financial institution account number, social insurance number, driver's licence, and password.

Financial institutions typically use a narrower definition of identity theft and tend to monitor and report fraud based on type. Before I explain more about these different types, it should be noted that financial institutions don't all share a common definition of what is meant by identity theft. That is one of the reasons why producing aggregate data on identity theft is a challenge.

As I was saying, fraud types are generally based on the source of the stolen information or how it is exploited. These fraud types could include copying of magnetic strip data at point of sale or automated banking machines. Information captured in this manner is typically used to create counterfeit cards or make card-not-present purchases. This type of fraud is something the banks have not traditionally counted as identity theft because of the limited amount of information involved. Information obtained from a consumer's computer which is infected with malicious software is the type of fraud that is concerning because of the amount of information at risk and the difficulty involved in identifying the issue and remediating it.

Use of e-mail fraud, phishing, to collect personal information, is one of the frauds that's undergoing evolution. Phishing e-mails have traditionally focused on capturing online banking sign-on credentials or credit card information; however, increasingly, we're seeing attempts to broaden the types of information being captured.

Another example is theft of a person's mail. With third party data breaches, examples are merchant and transaction processors. Recent media reports have highlighted that these breaches can, depending on the merchant, involve large numbers of consumers. A stolen wallet is a simple example of lost or stolen information from the consumer, or there can be disclosure by the consumer through the sharing with third parties or inappropriate disposal of information.

Some of these issues have been around for some time and have mature and robust controls in place to identify and respond to them. Others are newer and controls are still evolving. A number of my peers will speak to this at greater length in their remarks.

Even with sophisticated fraud detection controls in place, financial institutions cannot combat identity theft alone. To effectively combat identity theft, there needs to be a coordinated effort on the part of financial institutions, consumers, and the government. Consumers play an important role in protecting themselves from identity theft. Consumers know their personal information and how they are using it, and they are uniquely positioned to identify unauthorized use.

However, consumers are not fraud specialists and need guidance and support. Financial institutions and government agencies provide essential support, educating consumers on the risks and providing consumers with the tools they need to protect themselves. Good examples of the tools available are transactional alerts and free credit bureau monitoring offered by some financial institutions. One of my peers will delve deeper into this in his comments.

The government's role in protecting consumers from identity theft cannot be understated. As I explained earlier, technology is changing the landscape in rapid and meaningful ways. Having the right legislation in place with appropriate consequences for those who would commit identity theft is a strong deterrent. Financial institutions have advocated for identity theft legislation in the past. They will continue to support the government as it seeks to strengthen controls in this continuously evolving area.

I have first-hand experience where this partnership works. The copying of card information at bank-owned automated banking machines, known as ABM tampering, has changed significantly over the years.

When I first started working on it, CIBC would measure ABM tampering in terms of hundreds. Now with anti-tamper hardware common on ABMs, and an increase in the likelihood of jail time for those involved in this crime, CIBC now measures these incidents in the single digits. Other banks have had similar experiences. We look forward to carrying forward this success in other areas.

In closing, I would like to thank the committee again for the opportunity to address this important issue, and I would be pleased to answer any questions you may have.

Mr. Chair, thank you for the opportunity to be here today.

As an American living in Canada for the past five years, this is my first chance to appear before a Canadian parliamentary committee, and l am very much looking forward to it.

I'm sorry I can't speak to you in French, but I am American.

I think Philip has provided a very good framework for thinking about identity theft.

Identity theft is a crime. The active use of stolen identity to commit financial fraud is a separate and distinct act, and it is a separate and distinct crime. However, as a bank, our prevention strategies need to be seamless since there can be a causal relationship between identity theft and financial fraud. I would also note that our interests are very tightly aligned with those of our customers when it comes to both identity theft and fraud. Banks do everything they can to prevent their customers from becoming a victim of either one of these crimes.

How do we approach prevention? We think of this as a shared-responsibility approach, where customers and banks both need to act vigilantly. At TD, we have a four-step process aimed at ensuring that customers make responsible efforts to protect their personal information. Let me touch on each of them briefly.

First, we ask customers to be careful about sharing personal information. If you're asked to provide personal information, ask how it will be used, why it is needed, with whom it will be shared, and how it will be safeguarded. Never disclose your personal identification number, or PIN, your social insurance number, or passwords. Passwords used for banking should not also be used with social media.

Second, we ask that people use appropriate security measures. Keep account statements in a safe place. They contain sensitive and personal information. Take advantage of technologies that enhance security and privacy when you use the Internet, such as digital signatures, anti-virus software, personal firewalls, and data encryption. To use a specific TD example on this point, TD offers our customers a free download of Trusteer Rapport, which prevents phishing and some Man-in-the-Browser malware attacks, as well as a one-year subscription to McAfee anti-virus software. These tools are made available for free to all of our customers, to help them protect themselves while on the Internet, not just in their banking transactions, but in all of their use of the Internet.

Third, check statements for accuracy. Check account statements or online statements to ensure all transactions and charges are correct. Access your credit report from a credit reporting agency, such as Equifax or TransUnion, once a year to ensure it is accurate.

Four, guard your cards, cheques, and ID. When travelling, carry only the identification and credit cards you need. Don't carry your SIN card. Make a list of all your cards and their numbers and store this list securely.

Taking these actions will help a customer prevent identity theft and the potential for a resulting fraud.

On the other side of that shared responsibility, banks need to be clear about what personal information we retain about a customer, how a customer can access that information, and most importantly, how we protect our customer's personal information.

On retaining personal information, banks use personal information in order to establish the identity of customers. In order to provide a product or service to a customer, or to help with any money-laundering or other types of defence, we need a name, address, birthdate, occupation, and some sort of identification. For certain products, such as home loans, we may need to collect other personal information. We may also obtain information about customers from third parties, including credit reporting agencies, but this will only happen with the customer's consent.

Individuals can access or update the information that banks have at any time. There are also several privacy preferences available to customers, such as choosing not to be contacted by direct marketing officers or choosing not to participate in customer research surveys.

Specific to protecting customers' information at the bank, banks make significant investments to maintain strong security standards to protect our systems and customer information against unauthorized access and use. For example, our systems have been designed to ensure that the personal identification number, password, or other access codes are always held private and confidential. For your protection, your access codes are known only to you. Our employees cannot gain access to them and they will not ask you to reveal them. All our suppliers and agents, as part of their contracts with TD, are bound to maintain your confidentiality as well, and they may not use the information for an unauthorized purpose. We also require them to prove that they are operating with appropriate controls and defences.

In the online environment, banks have specific measures in place. At TD, these would include comprehensive threat intelligence, access management controls, transaction logging and analysis, secure firewalls, constant monitoring to proactively identify unusual customer account activity, phishing and spam protection, and the highest levels of encryption available to ensure that data can only be decoded and read by the customer or by our system.

In conclusion, the twin issues of identity theft and financial fraud will always be a concern for both banks and their customers. We will always be in a battle with criminal elements that want to steal data and use it for their benefit, but I can assure the committee that in terms of technology information risk management, Canada's federally regulated banks operate at the top global standards for information security and identity theft protection.

Thank you.

Good Morning, and thank you very much, Mr. Chairman.

On behalf of BMO Financial Group, l am pleased to join today's discussion on identity theft, and more specifically on how Canada's banks protect our customers, employees, and assets from harm against fraud and other criminal conduct.

It is timely to appear here today so shortly after the wrap-up of fraud prevention month at the end of March. In March, BMO joined other financial institutions, consumer groups, law enforcement agencies, and our partners in the Canadian Bankers Association to raise awareness about fraud and crime reduction.

BMO takes identity fraud and all criminal activity very seriously. We believe each of our employees has an important role to play in fraud reduction. At BMO, our corporate policies are designed to prevent, detect, and respond to suspected criminal activity. Our work in corporate security is the product of a nearly 200-year history of protecting our clients' information while providing them with convenient access to their accounts.

The protection of our clients' information means responding to evolving and complex criminal activities, such as fraud, corruption, cybercrime, and acts of violence. We provide all of our employees with clarity in their roles and responsibilities for individuals and their respective corporate groups to be engaged in the management of criminal risk.

Just two months ago we organized a number of activities that raised awareness, including hosting anti-fraud sessions with employees across our organization, ensuring that anti-phishing brochures were available for our customers in our branches, providing fraud avoidance tips on our bank statements, and getting our message out over Twitter and Facebook.

Our staff, serving across our lines of business and ranging from our customer service representatives in our local branches to our commodities and futures traders, are our front line in our fight against fraud. We work with them to develop programs to prevent and detect criminal risk in such areas of responsibility as managing internal controls on cash, credit and transaction processing, client and financial information management, and regulatory monitoring and compliance.

Our corporate environment continuously evolves with considerable innovation of our internal controls and processes. Our criminal risk environment changes daily, and the banks are organized to respond to it. We try through authentication to validate information and documentation; however, the quality and security of documents can be inconsistent across jurisdictions, and there are few reliable ways to universally authenticate documentation.

We have zero tolerance towards criminal activity and have practices in place to manage our response to any activity that takes place.

A part of those efforts is to identify individuals conducting financial fraud. As an industry, we invest millions of dollars and dedicate hundreds of employees to the prevention of, detection of, and response to criminal behaviour. As well, we collaborate on initiatives, in some cases organized as an industry by and through the CBA, to identify criminals and work with law enforcement to prosecute them.

Banks have highly sophisticated security systems and experts in place to protect customers' information and to protect them from being the victims of financial fraud. Each bank, as noted above, heavily invests in the identification of fraudulent activity. The adoption of chip and PIN standards alone has cost the industry millions of dollars to reduce the risk of card fraud in Canada.

However, as the environment changes daily, organized crime turns more and more to new technologies and has migrated and exploited other avenues. Industry forums and collaborative tools are in place to share fraud patterns and preventative controls. Through the CBA and other forums, we liaise with a multitude of parties to enable the protection of the industry. These could be ISPs for cybercrime, insurance for common fraud, or law enforcement to share trends.

We also do this internationally. As of two weeks ago, I met with my peers from more than 30 banks internationally to discuss the risks we face, the manner in which we can protect our institutions and customers, and how to best collaborate and expend our efforts.

Mr. Chairman, it's clear that the protection of the credentials you and I and members of the committee each establish as part of our unique digital identities is a team effort between the individuals who hold them and the vendors whom they trust with them.

At BMO we are proud of the Canadian banking sector's strong record of ensuring safe and convenient access to our clients' financial information.

On behalf of BMO, I'm pleased to be here today, and I would be happy to answer any questions you may have.

Good morning. My name is Jay Stark. I represent RBC in my former capacity as vice-president of fraud management, a position which I held for 11 years.

RBC is committed to providing our clients with secure financial services. We've a proud history of innovation and excellence in fraud management. Thank you for inviting RBC to address the committee today. We applaud both the committee and the government on this identity theft study.

Identify theft is a serious crime leading to substantial financial losses, significant inconvenience and loss of sense of security to consumers, funding further criminal activity, concealment of criminal identities, and it may assist terrorist activities.

You've heard from my colleagues and past witnesses. The definition of ID theft differs among industry participants, as does the understanding of fraud; however, we can all agree that ID theft is an important subset of financial crime. Previous research and testimony has undoubtedly shown that identity theft is a complex topic. Similar to the differing opinions on definition and quantum, there is no shortage of opinions and vendor solutions to address the issue. A timely, effective, and efficient response requires the application of a variety of fraud strategies against a proven framework. This is an area in which I believe my colleagues at the table and I can best assist the committee.

A successful framework must optimize relationships among what I call the four fraud management pillars. The first is consumer impact or inconvenience. The second is fraud losses. The third is cost, both to the banks and to society. The fourth is risk management.

The framework called the fraud value chain must balance the following key fraud management strategies: intelligence, for example, using negative data, linking criminal events, and sharing trends and best practices; prevention—consumer awareness and education, and chip and PIN are good examples; detection—sophisticated analytics and industry partnerships; investigation, including prosecution and asset recovery; and regression or root cause analysis.

Each of these fraud strategies has decreasing marginal returns. For example, it is practically impossible to prosecute all participants in a large organized debit scheme, nor would it be practical to prevent fraud by reducing withdrawal limits to $10 or freezing credit bureaus, for example, to disincent criminal activity. Further, strategies lead to fraud migration. For example, the implementation of chips and PINs led to substantial increases in cross-border and card-not-present fraud.

The most powerful fraud strategies in the past decade have been industry initiatives, and more importantly, advancements in detection analytics, including both the sophistication of analytics and the application of enhanced data in quality and breadth. Combined with elements of other available strategies, detection analytics allowed differentiated outcomes and optimized the overall fraud management program.

The framework and the strategies have been very successfully applied to a wide range of fraud schemes, including debit and credit card lending and cheque fraud. In fact, despite a growing portfolio and the increased sophistication of criminal activity, RBC enjoyed the lowest fraud loss experience in over a decade in absolute terms last year. At RBC we spend significant time and resources in reviewing, testing, and enhancing our strategies to address financial crime, including identity theft.

Unfortunately, my time is limited. We would be pleased to work with the committee and to provide any additional assistance as you continue to study this important issue. I look forward to your questions and comments today and working together in the future.

Thank you for the opportunity to present.

Good morning. My name is Jennifer Frook, and I'm the director of the fraud management office at Scotiabank. In my role I am responsible for the assessment of fraud and the reporting of fraud risk across the global Scotiabank group. This includes the proactive identification of fraud prevention practices and technologies to mitigate the bank's exposure to fraud loss. A large part of our ability to prevent fraud and protect our customers depends on our work with other stakeholders. I am also the current chair of the CBA's fraud specialists group.

I appreciate the opportunity to speak to this committee about an issue we all take very seriously, one that has a direct impact on our customers, our industry, and on the economy. This is a critical issue for the bank, given how important customer confidentiality and security is to banking. Without the trust of our customers that their information and identity is secure, we cannot perform our role.

To address the committee's interest in identity theft, I will focus my opening remarks on the following points related to fraud and identity theft: training and education, prevention, detection and mitigation, and last, collaboration.

An important part of preventing fraud is ensuring our staff has the proper training required to protect our customers from identity theft and other forms of fraud. Scotiabank has rigorous training programs in place for our employees, with customer-facing roles such as those in our branches, contact centres, and bank card security operations. Employees are required to go through a comprehensive onboarding training program, as well as to take annual refresher courses. Equally important is empowering our customers with the information and awareness necessary to help them protect their information and ensure that any time they are faced with a security concern, they know exactly what to do.

In terms of fraud prevention, we have instituted a number of security measures to help ensure the integrity of our customers' information. Several examples of that follow.

In Canada, 100% of retail credit cards and active debit cards, as well as all Scotiabank ABMs, have been converted to chip technology to support enhanced security against lost, stolen, and counterfeit card fraud.

Our debit cards are equipped with Interac Flash technology, which uses secure chip processing technology to protect customers against various skimming and counterfeit fraud. Many of our retail credit cards are equipped with a similar Visa payWave functionality. Scotia InfoAlerts are e-mail and/or text messages that provide an additional layer of protection and help our customers monitor activity on their accounts.

We also offer customers free software, as my colleagues have alluded to, at their institutions, to help them protect their information. We have partnered with McAfee, and offer all Scotia online customers 12 free months of McAfee AntiVirus, which helps customers protect their machines against viruses online and network threats. We also offer free Trusteer Rapport software, which helps to protect against malicious software, or malware.

In every channel and for every product we offer, there are a number of fraud controls in place to detect suspicious activity. These controls are multi-layered and dynamic. All of this is aimed at letting the true customer in and keeping the fraudster out.

We are also continuously testing our technologies and systems as well as repeatedly monitoring and reviewing our customer activities for any unusual or suspicious behaviour that could be fraudulent.

Naturally, despite our best efforts, our customers' credentials and other personal identification information is compromised and can be stolen. When banks are made aware of such compromises, we take appropriate measures to protect the customer and mitigate losses, such as notifying the customer that their card and/or account was compromised, blocking the stolen credential, and replacing it, when possible, with a new one, such as replacing a compromised credit card or resetting the customer's online or mobile log-in password.

We monitor account activity for fraudulent or suspicious transactions. We update customer profiles to include notes that this customer has been the victim of an identity theft, so that front-line employees are able to ensure enhanced know-your-customer policies are performed when authenticating customers on their account. Of course, we indemnify the customer for his or her loss, and make the customer whole.

Banks also collaborate and voluntarily report to the Privacy Commissioner any material or systemic breaches of personal information.

Identity theft is evolving, fast moving, and ever changing. We do our best to ensure that we are keeping on top of it by tracking and assessing the fraud associated with it and constantly developing new protective measures.

I should also say that since the act of identity theft nearly always takes place outside of the banking environment and is beyond our control, we need to work with other stakeholders to manage it. We provide information on our own internal tracking of fraud to a number of institutions and stakeholders, such as Visa, American Express, Interac, law enforcement agencies, and the CBA. These groups also compile information from other financial institutions and provide industry metrics and benchmarks from which we can measure our own mitigation of various types of fraud, many of which were enabled by some sort of theft of a customer's personal information. For example, the CBA fraud specialists group has a mandate to work together on fraud prevention and share information and best practices.

Allow me to conclude there, and to simply say, once again, that as a bank we are committed to doing our best to ensure the safety of our customers personal and financial information.

I look forward to your questions. Thank you.

I'll take the question. Thank you very much, sir.

On behalf of my peers, one of the questions we have been faced with is regarding the academics who have approached the institutions. None of us has been able to determine who they've approached within the institutions and how those requests were not met.

The other thing is that we would be willing to undertake a study of this, and as a group, go back, define it, and try to quantify it, again through our partner at the CBA. But it will take us some time.

Last, if I may speak on behalf of my institution and the others, we don't believe that crime is a competitive advantage. We do work together, and we actually do want to stop it. We work with our industry partners, as you've heard my peers articulate, on the best strategies through education or other measures to inform the public, as well as stop the impact of identity fraud, let alone identity theft.