Mr. Chair, thank you for the opportunity to be here today.
As an American living in Canada for the past five years, this is my first chance to appear before a Canadian parliamentary committee, and I am very much looking forward to it.
I'm sorry I can't speak to you in French, but I am American.
I think Philip has provided a very good framework for thinking about identity theft.
Identity theft is a crime. The active use of stolen identity to commit financial fraud is a separate and distinct act, and it is a separate and distinct crime. However, as a bank, our prevention strategies need to be seamless since there can be a causal relationship between identity theft and financial fraud. I would also note that our interests are very tightly aligned with those of our customers when it comes to both identity theft and fraud. Banks do everything they can to prevent their customers from becoming a victim of either one of these crimes.
How do we approach prevention? We think of this as a shared-responsibility approach, where customers and banks both need to act vigilantly. At TD, we have a four-step process aimed at ensuring that customers make responsible efforts to protect their personal information. Let me touch on each of them briefly.
First, we ask customers to be careful about sharing personal information. If you're asked to provide personal information, ask how it will be used, why it is needed, with whom it will be shared, and how it will be safeguarded. Never disclose your personal identification number, or PIN, your social insurance number, or passwords. Passwords used for banking should not also be used with social media.
Second, we ask that people use appropriate security measures. Keep account statements in a safe place. They contain sensitive and personal information. Take advantage of technologies that enhance security and privacy when you use the Internet, such as digital signatures, anti-virus software, personal firewalls, and data encryption. To use a specific TD example on this point, TD offers our customers a free download of Trusteer Rapport, which prevents phishing and some Man-in-the-Browser malware attacks, as well as a one-year subscription to McAfee anti-virus software. These tools are made available for free to all of our customers, to help them protect themselves while on the Internet, not just in their banking transactions, but in all of their use of the Internet.
Third, check statements for accuracy. Check account statements or online statements to ensure all transactions and charges are correct. Access your credit report from a credit reporting agency, such as Equifax or TransUnion, once a year to ensure it is accurate.
Four, guard your cards, cheques, and ID. When travelling, carry only the identification and credit cards you need. Don't carry your SIN card. Make a list of all your cards and their numbers and store this list securely.
Taking these actions will help a customer prevent identity theft and the potential for a resulting fraud.
On the other side of that shared responsibility, banks need to be clear about what personal information we retain about a customer, how a customer can access that information, and most importantly, how we protect our customer's personal information.
On retaining personal information, banks use personal information in order to establish the identity of customers. In order to provide a product or service to a customer, or to help with any money-laundering or other types of defence, we need a name, address, birthdate, occupation, and some sort of identification. For certain products, such as home loans, we may need to collect other personal information. We may also obtain information about customers from third parties, including credit reporting agencies, but this will only happen with the customer's consent.
Individuals can access or update the information that banks have at any time. There are also several privacy preferences available to customers, such as choosing not to be contacted by direct marketing officers or choosing not to participate in customer research surveys.
Specific to protecting customers' information at the bank, banks make significant investments to maintain strong security standards to protect our systems and customer information against unauthorized access and use. For example, our systems have been designed to ensure that the personal identification number, password, or other access codes are always held private and confidential. For your protection, your access codes are known only to you. Our employees cannot gain access to them and they will not ask you to reveal them. All our suppliers and agents, as part of their contracts with TD, are bound to maintain your confidentiality as well, and they may not use the information for an unauthorized purpose. We also require them to prove that they are operating with appropriate controls and defences.
In the online environment, banks have specific measures in place. At TD, these would include comprehensive threat intelligence, access management controls, transaction logging and analysis, secure firewalls, constant monitoring to proactively identify unusual customer account activity, phishing and spam protection, and the highest levels of encryption available to ensure that data can only be decoded and read by the customer or by our system.
In conclusion, the twin issues of identity theft and financial fraud will always be a concern for both banks and their customers. We will always be in a battle with criminal elements that want to steal data and use it for their benefit, but I can assure the committee that in terms of technology information risk management, Canada's federally regulated banks operate at the top global standards for information security and identity theft protection.
Thank you.