Good morning. I'm Philip Fisher, senior director of eChannels risk management, representing CIBC. I'm part of CIBC's retail banking fraud group. My particular specialty is in the area of online crime or cybercrime, but I'm able to speak on a variety of fraud issues.
First, on behalf of CIBC, I would like to thank the committee for giving us the opportunity to speak here today and to entertain any questions you might have. We'd also like to commend the committee for its willingness to study such an important issue to our industry, and to many Canadians who are impacted by identity theft every day. It's a complex subject, and your leadership is appreciated.
It is CIBC's view that identity theft is not a new or growing issue. Rather, it's an evolving issue. Identity theft has been part of the fraud landscape for some time. However, what has changed is how fraud is performed. Years ago we would have been talking about the theft of receipts, bills, a physical wallet, or telephone-based fraud. Now we talk about advanced persistent threats, merchant breaches, malware, and phishing. Advances in technology and the accompanying dispersal of personal information across the Internet has created a changing risk environment.
To help facilitate today's discussion, I think it's important to discuss what we mean when we talk about identity theft. The Criminal Code of Canada describes identity theft as knowingly obtaining or possessing another person's identity information for the purposes of committing an offence. Personal identity information is further described to include, among other things, name, address, date of birth, written signature, electronic signature, user name, credit card number, debit card number, financial institution account number, social insurance number, driver's licence, and password.
Financial institutions typically use a narrower definition of identity theft and tend to monitor and report fraud based on type. Before I explain more about these different types, it should be noted that financial institutions don't all share a common definition of what is meant by identity theft. That is one of the reasons why producing aggregate data on identity theft is a challenge.
As I was saying, fraud types are generally based on the source of the stolen information or how it is exploited. These fraud types could include copying of magnetic strip data at point of sale or automated banking machines. Information captured in this manner is typically used to create counterfeit cards or make card-not-present purchases. This type of fraud is something the banks have not traditionally counted as identity theft because of the limited amount of information involved. Information obtained from a consumer's computer which is infected with malicious software is the type of fraud that is concerning because of the amount of information at risk and the difficulty involved in identifying the issue and remediating it.
Use of e-mail fraud, phishing, to collect personal information, is one of the frauds that's undergoing evolution. Phishing e-mails have traditionally focused on capturing online banking sign-on credentials or credit card information; however, increasingly, we're seeing attempts to broaden the types of information being captured.
Another example is theft of a person's mail. With third party data breaches, examples are merchant and transaction processors. Recent media reports have highlighted that these breaches can, depending on the merchant, involve large numbers of consumers. A stolen wallet is a simple example of lost or stolen information from the consumer, or there can be disclosure by the consumer through the sharing with third parties or inappropriate disposal of information.
Some of these issues have been around for some time and have mature and robust controls in place to identify and respond to them. Others are newer and controls are still evolving. A number of my peers will speak to this at greater length in their remarks.
Even with sophisticated fraud detection controls in place, financial institutions cannot combat identity theft alone. To effectively combat identity theft, there needs to be a coordinated effort on the part of financial institutions, consumers, and the government. Consumers play an important role in protecting themselves from identity theft. Consumers know their personal information and how they are using it, and they are uniquely positioned to identify unauthorized use.
However, consumers are not fraud specialists and need guidance and support. Financial institutions and government agencies provide essential support, educating consumers on the risks and providing consumers with the tools they need to protect themselves. Good examples of the tools available are transactional alerts and free credit bureau monitoring offered by some financial institutions. One of my peers will delve deeper into this in his comments.
The government's role in protecting consumers from identity theft cannot be understated. As I explained earlier, technology is changing the landscape in rapid and meaningful ways. Having the right legislation in place with appropriate consequences for those who would commit identity theft is a strong deterrent. Financial institutions have advocated for identity theft legislation in the past. They will continue to support the government as it seeks to strengthen controls in this continuously evolving area.
I have first-hand experience where this partnership works. The copying of card information at bank-owned automated banking machines, known as ABM tampering, has changed significantly over the years.
When I first started working on it, CIBC would measure ABM tampering in terms of hundreds. Now with anti-tamper hardware common on ABMs, and an increase in the likelihood of jail time for those involved in this crime, CIBC now measures these incidents in the single digits. Other banks have had similar experiences. We look forward to carrying forward this success in other areas.
In closing, I would like to thank the committee again for the opportunity to address this important issue, and I would be pleased to answer any questions you may have.