Finance Committee on March 28th, 2018

Thank you very much.

The Canadian Bankers Association would like to thank members of the committee for inviting us to participate in the review of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. On behalf of our member banks, we welcome the opportunity to contribute our comments on this important piece of legislation.

From the beginning, the financial industry has taken its responsibility in this area very seriously and has worked co-operatively with the Department of Finance, law enforcement agencies, prudential regulators, and FINTRAC on the development and implementation of the regime. Banks in Canada are fully committed to supporting the fight against money laundering and terrorist financing. The banks' central role in the regime gives them hands-on experience and insight into where the regime could be improved to be more effective and efficient in its fight against money laundering and terrorist financing.

Today I will speak to our recommendations with respect to the following three topics: strengthening the regime, information sharing under PIPEDA, and client identification in a digital economy.

With regard to strengthening Canada's AML-ATF regime, we note that new provisions, regulations, and guidance are always being added to the AML-ATF regime in order to keep pace with the changing landscape for financial services. While we fully support ongoing efforts to strengthen the regime, it is becoming increasingly complex, with significant regulatory, resource, and operational costs that continue to grow.

In that regard, the banking industry is a strong supporter of using a more risk-based approach to the regime. Reporting entities should be encouraged to focus on risk typologies and customers who demonstrate significant AML-ATF risk. By focusing on high-risk transactions and patterns, banks would be able to effectively dedicate resources where they can achieve the greatest benefit.

The CBA also recommends that the regime be enhanced through greater collaboration, communication, and information sharing between governments, law enforcement, and financial institutions. This includes, one, using a more aligned and consultative approach to legislation and guidance; two, working jointly to develop typologies and identify high-risk transaction patterns; three, sharing information on individuals or entities under investigation; and four, allowing FINTRAC to request additional information once it has reasonable grounds to suspect money-laundering or terrorist financing activities.

We believe that overall, these changes would help strengthen the regime. Also, in order to ensure the regime is functioning effectively, we support the collection and publication of data with respect to investigations, prosecutions, and convictions.

The next topic I'd like to go over is information sharing under PIPEDA. We believe the ability of banks to help protect against financial crime would be enhanced if PIPEDA were amended to allow financial institutions to share information among themselves to detect and prevent other types of serious criminal activity beyond fraud. Currently, the relevant provision in PIPEDA is limited to where it is reasonable for the purposes of detecting or suppressing fraud, or of preventing fraud.

This makes it challenging for the financial system to effectively restrict a customer who is considered to present higher risk for money laundering or terrorist financing from having access to services. If one financial institution, for instance, believes that one of its customers is involved in one of these activities and accordingly terminates the relationship, there's virtually nothing to stop them from just moving down the street and going to another institution.

We strongly support the recent ethics committee's recommendation that PIPEDA be amended to allow for a broader range of instances where financial institutions can share information. It should go beyond financial fraud to include money laundering and terrorist financing, to strengthen the regime as a whole. At the same time, we recognize that any measures taken to enhance information sharing must be balanced with privacy considerations.

My last topic is related to client identification in a digital economy. It is imperative that the AML-ATF regulations continue to be flexible and adaptive in an environment of rapid development and adoption of emerging technologies. Banks need to harness the ever-changing world of digital technology solutions, including innovative and secure means of performing identification, to meet the consumer demands of banking in a non-face-to-face environment. There is still a reliance on physical viewing of identification documents. We believe the legislation needs to be expanded to allow for the use of advanced technology that has the ability to perform remote identification.

This can be done through mechanisms such as online scanning, data extraction, and document authentication; live video connections; blockchain; biometrics; and other methods as they become available in the near future. Many of these methods have the potential to provide greater security and accuracy for client identification than reliance on the viewing of physical documentation at a branch.

In closing, we would like to reiterate the strong support of the banking industry for the AML-ATF regime. We are pleased to have an opportunity to work co-operatively with the government and parliamentarians to ensure that Canada's system is effective and efficient.

Thank you once again for providing the CBA with this opportunity to offer our views.

Thank you for the opportunity to talk about the 2018 statutory review of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

I'm going to approach this issue from the perspective of our 260-plus members that we often characterize as the small businesses of the Canadian financial sector. Our concerns, as you'll see in my comments, are really oriented from that perspective.

I would note first of all that the credit union system is pleased to see that the government is seeking a balance between regulatory compliance and the associated costs. Credit unions know they have a role to play in fighting these criminal activities. They are apprehensive, however, about the expansion of this framework to include sectors in which small entities, such as credit unions, do not always have the required resources or knowledge.

We also recognize that financial institutions have a responsibility to know who they are dealing with. That is the foundation of our business model. That said, our members maintain that due diligence as regards money laundering, collecting information, and documentation requirements is costly and prevents them from focusing on their core mandate, which is serving their members.

All this matters because our research, and research internationally, have found repeatedly that regulatory compliance, especially with money laundering and terrorist financing obligations, impose a disproportionately large and heavy burden on credit unions, smaller institutions, and smaller credit unions in particular. In fact, I think this creates a barrier to entry or good competition in the banking sector. It's a serious issue for us.

With the proposed expansion of the framework to cover new sectors, it would seem this load will spread to more entities. I know it's difficult to argue against the logic behind moving towards functional regulation, but it's also hard to imagine how collecting more information will necessarily lead to a more successful policy outcome. So far, the evidence we've seen does not bear that out.

It's true that some of the proposed changes try to make the overall framework more efficient and responsive. We are concerned, however, that some of these are just tweaks to what is frankly often a burdensome and not always efficient or effective system.

We'd like to suggest a different approach. We'd like to suggest the adoption of a model built around a simplified due diligence process for use in situations where there is little risk of services or customers becoming involved in money laundering or terrorist financing. Other jurisdictions have already adopted this approach. We believe that following their example would lead to the same results, namely reducing or at least limiting the increase in administrative burden imposed by the framework. Further, we think it would do so without affecting the value or quality of the gathered information.

This alternative model could also leverage new technologies to achieve the goal of capturing useful information while minimizing the cost of doing so. For example—I think this has been discussed publicly—the public sector might consider creating industry-wide information clearing houses. These clearing houses could collect beneficial ownership information, from annual tax reports, that could be keyed to unique identifiers assigned to each tax filer. By limiting a reporting entity's obligations to obtaining this unique number from their clients, the resulting compliance burden could be meaningfully reduced. Reporting entities would no longer need to go through the inefficient and duplicative effort of gathering this information from each account holder.

From the client's perspective, it would be less time-consuming and repetitive, especially for clients who hold accounts at several reporting entities. For the public sector, this approach could increase confidence that the information is secure, consistent, verified, and accurate. Since the detection of money laundering often hinges on observing the flow of funds among parties, policy-makers may also want to consider tying this approach into some of the changes that are being proposed as part of the payments modernization effort.

In short, we think the approach we are proposing would give credit unions and other reporting entities more time to focus on what is truly important, namely, explaining the context of transactions, rather than recording the usual, factual information.

The measures we are proposing are not simple to implement. We admit that. Yet if we are to strike a balance between costs and results, we encourage policymakers to carefully consider our proposals.

As I wrap up, I'd like to briefly shift to thanking this committee for the support it gave to credit unions as we worked to secure the right to use generic banking terms. Yesterday, as you know, the federal government introduced proposed changes as part of its budget implementation act that for us represent important progress on this file. This committee deserves credit for its support.

I'd be happy to take your questions on today's topic and also to appear on your Bill C-74 review.

Thank you very much.

Thank you, Mr. Chair.

As you mentioned, my name is Ethan Kohn. I'm Counsel at the CLHIA. My colleague Jane Birnie from Manulife Financial is here. She is the Assistant Vice-President, compliance.

We'll begin with an opening statement, and then we'd be pleased to address any questions the committee might have.

The Canadian Life and Health Insurance Association is a voluntary association with member companies that account for 99% of Canada's life and health insurance business. The life and health insurance industry is a significant economic and social contributor in Canada. It protects over 28 million Canadians and makes $88 billion a year in benefit payments to residents in Canada. In addition, the industry has over $810 billion invested in Canada's economy. In total, 99 life and health insurance providers are licensed to operate in Canada, and three Canadian life companies rank among the 15 largest life insurers in the world.

Our industry is proud to do its share in fighting money laundering and terrorist financing. When proceeds of crime are introduced, layered, and integrated into the financial system, public confidence is eroded. Companies with weak controls risk having significant administrative penalties imposed, and they also risk considerable damage to their reputation.

This committee has heard from a number of witnesses, including FINTRAC, that a risk-based approach to compliance and to enforcement is an objective of Canada's AML regime. Because neither reporting entities nor government agencies enjoy unlimited resources, it is important that they focus on the areas of greatest potential exposure. In this regard, I would note that the insurance industry is relatively low risk. We offer long-term protection products for which a significant majority have a clear source of funds, which makes it unlikely that bad actors will exploit the insurance sector. To illustrate this point, in 2016 over three-quarters of premiums received were in regard to products that carry a low risk for money laundering and terrorist financing. These products include term life, group life, registered annuities, disability insurance, and uninsured health contracts.

I would also note that the personal insurance industry is unique among all reporting entity sectors—not only are insurers subject to the act, but so too are their primary distribution network, life insurance advisors.

Each individual advisor must have controls in place similar to those required of insurers.

For our industry, there really are belts and suspenders in place.

I will turn now to the question at hand, this committee's examination of the PCMLTFA as part of the five-year review. You've heard from previous witnesses that the FATF assessed Canada's regime as being largely effective in containing ML-TF threats, and that Canadian financial institutions have a good understanding of their risks and obligations, and generally apply adequate mitigation measures. We agree with that, though there is always room for improvement.

With that, I'll turn the floor over to Ms. Birnie.

Policy-makers have made good strides in examining and improving aspects of the system that present real challenges for insurers. One example is the requirement that institutions identify the beneficial owners of corporations. As you know, the government is working with the provinces in devising a system that would have corporations report their controlling shareholders. We understand there could be sensitive information in such a repository, and unfettered access may not be appropriate. Limited access by authorized financial institutions, however, would avoid the need for each institution to replicate the work of determining beneficial ownership. It would make a better customer experience when applying for our products, as there would be fewer questions to ask and less documentary evidence to produce. This would have a dual benefit of enhancing privacy rights and reducing regulatory burden on every legal entity in Canada.

We also appreciate recent enhancements to identification requirements. Last year, the government responded to industry and introduced greater flexibility in the documents that constitute acceptable forms of identification. Going forward, we support further efforts to expand ID methodologies, such as digital identification.

Over the past couple of years, amendments have also been made to enable FINTRAC to exchange information with more of its federal and provincial partners, such as securities regulators and national intelligence agencies. If this were extended to allow FINTRAC to share information with reporting entities, there would be benefit to industry and to Canadians alike.

In each of these areas, we see real signs of progress, and we encourage Finance, FINTRAC, and OSFI to continue their efforts in identifying and addressing other aspects of the regime that would benefit from streamlining, bearing in mind the primary objective of the act: minimizing the abuse of Canada's financial system by money launderers and terrorists.

Thank you for inviting us today, and we're pleased to answer any questions.

I will be pleased to answer your questions.

FINTRAC is given information. It currently doesn't have the ability to provide information back down to private industry. There is sharing at the governmental level, obviously, but there's no ability to share back down.

No, but that is also one of our recommendations: that they have the ability to come back. Again, that would allow for more targeting, so you're not boiling the ocean so much with all of this reporting. With information sharing, etc., you can have a more targeted approach.

I think this is an incremental change. There's already a provision in PIPEDA under paragraph 7(3)(d.2) that allows for sharing for preventative purposes for fraud. It states specifically that it's where it's likely to be committed. It's not a wholesale sharing of information. It's a limited purpose for where it's likely to be committed. If you swapped in money laundering for fraud, it would be where money laundering is likely to be committed. I think it's an incremental ask. There are already constraints around how you could use it, to protect privacy.

Exactly. It would just be adding in another element. It's not just fraud but predicate offences to money laundering, as well as money-laundering offences.

I'll start with the framing. You're right. In the larger urban centres, that's where we tend to find the larger credit unions, as you might expect. In the rural settings, I would hazard to say that most credit unions do know most of their members. You're right. In the bigger institutions, there would be more challenges in that respect.

Similar to our friends at the CBA, we are advocating for a risk-based approach. That's where the simplified due diligence approach would help address the regulatory burden side of things while still keeping the trappings of the broader framework. Again, we know that other countries have implemented this, and this is a good way to address the regulatory burden side while still maintaining a robust system. Australia and the U.K., for example, have set thresholds where you report if a transaction goes above a certain amount or you do it on a periodic basis.

I might get my colleague Sabrina to add to this, if she has anything she'd like to build on.

Your comment that perhaps the smaller credit unions are not able to use technology as much is partially true, but most do have very sophisticated banking systems that do allow detection of the types of transactions you're talking about. For transactions that would violate the 24-hour rule, definitely, we do have the ability to pick those out from a technological perspective.

That said, there certainly is a component of knowing your customer, because it's a small community. In the larger credit unions, that is lost somewhat, but I don't think we're in any different position there than a bank or any other financial institution.

I'll start off and then I'll ask my colleague to fill in.

The U.K. example is one that we've documented a little bit, and we'd be pleased to share more information after the meeting as well. In the U.K., they would approach the application of the simplified due diligence approach in cases where, for example—and I'll just read off my list here—the person's total annual turnover in terms of financial activity does not exceed 64,000 pounds, for example; the financial activity does not exceed 5% of the person's total annual turnover; the financial activity is ancillary and directly related to the person's main activity.... There is a long list of instances in which they would apply this simplified due diligence approach.

I don't know if Sabrina would like to add anything to that.

The FATF has actually, within its recommendations on financial inclusion in particular, put out quite a significant paper on how a simplified approach to due diligence can encourage financial participation in the economy. Some of the things they are citing are issues like verifying the customer identity or beneficial ownership after the establishment of a business account so that in cases of a small business you're not crippling that business from moving ahead financially by putting all this process around it. Then they put limits on it. Once you have done this for 12 months, you have to start meeting the full requirements of customer due diligence, or if you exceed certain transaction thresholds, you start doing it.

The idea is not dissimilar to the idea of fintechs and sandboxes in which, for a certain length of time, you allow participation on a compliance-relief basis, and then slowly move to a full compliance.

Yes.

We haven't done an analysis for AML-ATF in particular. We've done analyses around total regulatory burden, but AML-ATF is always cited as the number one most burdensome regulatory policy out there.

I can give you some numbers from a study one of our member centrals did of Ontario and B.C. credit unions. They found that the compliance cost per member—and, again, this is for the entire suite of regulatory policy and positions—was $75 at the smaller credit unions, those with $250 million or less in assets. At the larger credit unions it was $22 per member, for those with $2 billion.

Just within the credit union system, you can see that the impact of regulatory burden is quite disproportionate, depending on your size, per member. We can imagine that, if we extended that to the large banks, the gap would be that much bigger.

These are real numbers we have gotten from surveys, from analysis, and again, this kind of research has been replicated in the U.S., in Italy, and elsewhere in Europe. We even did a study earlier, in 2011, with almost identical results where, within the credit union system, the big guys have five times less cost, from an FTE perspective, than smaller guys do.

I would be pleased to.

That is not quite right. There are rules for transfer pricing, which applies to the extent that it is possible to identify which assets were part of transactions. If the funds are only entering Canada, the recipient company has to fill out form T1134 and indicate the foreign country and the specific activity in that country that generated the funds.

On the assumption of good faith, it is assumed that the real activity will be reported. Since there is no tax audit, however, people can answer those questions as they wish. As a result, funds can enter the country relatively easily. Since we cannot control something we do not see, this is where things get tricky. This can pose a major problem.

Yes. There is no control upstream, that is, on the source of the funds. The Canada Revenue Agency has limited resources. So the payer would have to be subject to more rigorous control. That might require an on-site expert to certify the amount and source of the funds. In the event of fraud, the person would of course be subject to significant penalties.

No, not enough. I have worked in the field of bearer shares, but I am not the right person to answer questions about beneficial ownership.

With regard to bearer shares, it should be noted that, despite the amendments to Bill C-25, bearer shares that have been issued will continue to be legal. In this regard, we could learn from the Netherlands, where bearer shares are no longer allowed. For the outstanding shares, namely, those that have been issued, a period of two years has been allowed for those shares to be returned into the system and for the shareholder to be authenticated. The Netherlands are a good example as regards bearer shares.

Thank you for having me today and the opportunity to speak to such an important topic.

I think the opportunity for a shared utility that assists the banks in verification of customer information is an outcome that we would like to see achieved in this regime. Again, banks have multiple obligations. We have obligations to collect information. We have obligations to confirm that information and verify it. A registry really helps with latter part of that equation, but in some ways it also may ensure that we have complete information on our customers.

I will ask my colleague to answer that question.

To address your comment on whether we feel targeted, I think the answer to that is no. There seems to be a common misconception that credit unions somehow are weaker or less stringent in the exercise of their due diligence. I can assure you that's not the case. We have to live by the same rules as the largest of the banks. There is no fact to that; it could be a misconception, but that is all it is.

With respect to a registry, we definitely are in support of that. This is one of the areas where I think we could make meaningful reductions in the burden that we carry for compliance, if just the gathering of factual information such as beneficial ownership information can be done just once and it's held in a repository that's accessible to all. That way we could also be assured that everyone is seeing the same information, because right now there's no assurance of that. Clients could come to a bank and give certain information; they could go to another bank and give other information; then they could come to us and give other information. So you could have three sets of information out there that may not be entirely different but not necessarily completely the same either.

I would like to elaborate on what my colleague said earlier.

Even small credit unions have access to fairly sophisticated systems provided by their head office. Head offices were in fact designed to develop shared, sophisticated, and modern systems. So we already have some systems.

Further, in smaller regions, we know our members better. I would even say this is an advantage in terms of these issues.

It's actually possible to look at a comparison with the United States. Since 2009, the Internal Revenue Service, or IRS, has initiated proceedings against 1,545 taxpayers in relation to activities abroad and 671 taxpayers in connection with tax violations.

In Canada, from 2011 to 2016, proceedings were initiated against 42 taxpayers in relation to tax evasion. A CBC/Toronto Star investigation recently revealed that, since 1977, the Royal Bank of Canada had registered 429 offshore companies engaging in tax evasion in Panama. The bank was asked to turn over information, and it complied. It shows, however, how prevalent the use of offshore companies is.

As for bearer shares, everyone agrees that there is a problem. Even academics are saying that Canada is lagging behind on the issue. We have a serious problem, and we can't continue to allow bearer shares to be issued on the market. We absolutely have to get rid of them, since that is what led to the whole Panama Papers debacle. The British Virgin Islands still have bearer shares. My personal prediction is that the Virgin Islands will be the site of the next Panama Papers-style scandal, precisely because they still allow bearer shares.

I'll start, and then I'll let my colleague add.

We're moving to a digital environment. That is the way of the world. Innovation is being fostered at all levels, including the government level, and a lot of those transactions or account openings are moving into the digital sphere. I don't think it's weaker, because many of the technologies that are coming out could be stronger. There are examples, such as when you show your driver's licence. If you use it through a digital channel, they can home in and get some data to confirm that it's valid ID.

I don't think we're looking for it to be laxer. I think we're looking for flexibility within the regulations to allow for new technologies to be utilized that are possibly more secure. Right now a very prescriptive regime allows us to use these methods to identify our client. We're suggesting more flexibility. Again, they have to be secure—we're not asking for lax identification—but for flexibility so these new technologies that could be more secure than face-to-face interactions are allowed to be part of the regime.

I don't know if you want to add to that, Stuart.

Thank you, Sandy.

The emergence of fintech has brought forth a whole new realm of opportunities to use technology to enhance identification. I don't think anyone at this table is advocating for a weaker approach to KYC, but we would—

Absolutely.

Blockchain presents a unique opportunity for client identification in a secure and encrypted way, using the concepts of digital keys and digital key management. That's an area that we need to contemplate as we look forward to revamping regulations. How will banks use digital key and digital key management in the new regime, and the rights of protecting that information under PCMLTFA and things of that sort?

I'll tie this in quickly with bearer shares, if I may. In the blockchain world, this is a bearer share. If I give you this, it has a private key and a public key, and you own what is in that crypto-wallet or in the blockchain. That is not a mechanism by which the conventional means that we use to track and report on money laundering will work in the future, so there's an opportunity for exploration and new ways of innovation in how we think about AML in a future state in this space.

I welcome ongoing discussions with the Department of Finance, the CBA, and the government on this very topic, with FINTRAC included. The advancements we're seeing in technology create opportunities, but they also create new risks, and we need to be in a position to address that.

Maybe I'll start off.

It sounds like an interesting proposal. We'd have to give it some thought, but I don't know. Sabrina's more in this area than I am, so maybe she has some thoughts.

FINTRAC has for some time created their typologies and trends reports. I can't say that I've seen one recently, but those reports spoke very much to what you're suggesting. I think there's always room to do it to a greater extent and to share it more extensively. That's definitely valuable in helping alert reporting entities to what might or might not be compromising to them. This really ties into what our CBA friends have also said, in that there is capacity to use technology to a greater extent to try to identify some of these issues.

Sure. I think we would support any initiative that would get greater value from the information that we're providing to FINTRAC.

I think I'll start off, and if my colleague has anything to add, she can.

I think, parroting a little bit the comment that was made earlier, we'd be supportive of any measure that increases awareness about that compliance cost and puts it a little higher up on the agenda. I think the government is striving to achieve a balance between having a robust framework and minimizing costs. I just think we think sometimes that balance isn't always struck quite right. I'd be supportive of anything like what you're proposing that would help with that.

Mr. Albas, I couldn't agree more. I mean, even small changes in some of the definitions.... I'll give an example. I know you're using the Department of Finance February paper as a foundational document. One of the proposals is to broaden or increase the scope in terms of the definition of what would constitute a head of an international organization, these sorts of changes.

Obviously, the system needs to adapt to perceived threats and money launderers. They change and they amend their ways in response to these things, but in terms of changing the definition of a head of an international organization, these are small changes, but they can result in multi-million dollar costs, certainly to members of our association.

Forms need to be changed, and these changes are made electronically. Training has to be provided. There are outside vendors who need to be engaged, and many insurers often use the same vendors, so when these changes need to be made, and there's a deadline by which that has to happen, there's often competition for those scarce resources, and as you can imagine, what happens is the cost of those resources go up.

Let me just say there are a lot of excellent proposals and suggestions in that paper. We've mentioned a few, but this is one we're quite concerned about.

Yes.

That's what the minister indicated, but an analysis of the bill suggests the exact opposite. According to the legislation, existing bearer shares will continue to be valid unless the holder of the certificate requests that it be converted to a registered instrument.

Yes, that is what the minister stated, but that is not consistent with what's in the bill. At least, I couldn't find anywhere in the bill where that was indicated, despite reading all the provisions.

The banks have put a lot of resources into this, and we're not suggesting that we don't want to keep that level of resource. We just want to get the most output for that resource, and we feel the best way to do that is to focus on the highest risk customers or typologies.

Sometimes in the regime, there's a lot of noise that doesn't necessarily cause compliance burden, but it doesn't necessarily bring you a greater output. An example would be ongoing monitoring of an account. You're supposed to have ongoing monitoring of low-risk accounts. You have a retired person, but you're still supposed to make sure that they're retired or they're still living at the same place, those types of things. We want to focus on the risk.

A typical response to increased regulatory demands in the credit union system is to.... As I mentioned earlier in a response to another question, we get the central entities, these entities that are back-office entities that credit unions have created, historically, precisely to deal with these shared demands on the system. If the issue is not being dealt with by a central entity, they'd be creating a credit union service organization so they'd collectively get together and share the costs out. That's one way they can attenuate some of the costs.

Sabrina, would you like to add anything?

No, I think that's exactly it. We're seeing more and more of the service groups developing as regulatory compliance demands increase.

Perhaps I could add, Mr. Chair, the other reaction that often happens, and our survey from 2011 found this. It compels mergers; it drives the credit unions together to get those efficiencies that bigger institutions have. That's not always the best outcome for Canadians. That local service gets a bit challenged when you're bigger and more widely spread.

I'd respond to that by saying, first of all, the proposed revisions to include the digital currency dealers within Bill C-31 are of particular importance to this industry. But moving too quickly to regulate an industry, where the technology is evolving quickly, could prove problematic or disadvantage Canada in terms of its competitiveness.

What I would suggest, though, is the importance of KYC in terms of onboarding to the blockchain ramp and offboarding of the blockchain ramp, especially involving those aspects of digital currencies. This is an important consideration. I think the inclusion of virtual currency dealers in proposed Bill C-31 does bring that standard of KYC to a very important topic.

I would add that what I think we're advocating for with the technology is a technology-neutral approach to legislation. Right now it's a three-year credit bureau...or photo ID. You don't need to have prescriptive legislative requirements. You could have a principles-based flexibility that allows for technology to evolve. Obviously, people will have to determine if that technology is secure enough. I think it's more about how you write the legislation in order to allow for that evolution. To your point, every five years it has to be changed—so a little more evergreen.

There are always the aspects of risk with any public registry or repository, but protecting information is instrumental by isolating those who have access to it and providing the right security credentials around it. It is an aspect of build, of any new form of technology, and security can be incorporated into those measures.

The real question to ask, as well, is to what degree is the information sensitive and needs to be protected. There is some information that might be beneficial to have publicly available in this regard and that consideration needs to be undertaken as well. I think there are aspects of public registries in other jurisdictions that have both public and private aspects.

As a banking institution, we use public registries today or private registries through the correspondent banking network, and it has been quite useful to banks to use that.

I might just say that we put forward this idea in the spirit of looking for ways to minimize, again, and get that balance right. That's largely how we've approached this. I think there are a lot of things that need to be thought through, including the issues you've raised. I think we would take your concerns very seriously, of course, in that.

Sabrina, is there anything you'd like to add?

I think without a doubt any time you have a large database of potentially interesting information to anybody, it's going to pose a security challenge. I think that needs to be weighed, though, against the cost of having everybody repeat this exercise individually. Given the fact that you're now storing the same information, but in a whole bunch of different databases and that security issue still exists, I agree completely that you can mitigate some of those risk issues by controlling who gets access.

Personally, I'm not in favour of a completely public registry of any kind. I think there should be a stringent protocol around who gets access and for what reason.

I think a grace period might be appropriate.

I will read you a quote from a Canadian Tax Foundation article that came out a few days ago. Talking about the situation in the Netherlands, the author said this:

[Netherlands] announced that bearer shares would have to be traded through a bank or investment firm, thereby removing their holders' anonymity and eliminating the incentive to use the shares for fraudulent purposes. Furthermore, shareholders were given a two-year period to register their shares with an intermediary designated by the corporation.

And further:

At the expiry of the two-year period, the shares will be cancelled and corporations will have to pay the value of the cancelled shares into a deposit fund monitored by the Ministry of Finance. Therefore, shareholders who want to redeem the value of their shares will have to report to the Ministry of Finance.

Having such a grace period would be a good idea to ease the transition.

Blockchain technology takes a variety of shapes and forms. Recall that first it is typically a decentralized mechanism that exists not just within the bounds of Canada, but perhaps globally. In other iterations, you may have a more constrained or private blockchain network that can be fully centralized and controlled. Depending on the aspects and use cases that are of particular consideration, the risks, the ability to monitor them, the level of encryption, ans the level of obfuscation in a particular blockchain vary widely. We're seeing continued innovation and change in this space.

There is not a one-size-fits-all approach to this level of technology, and it needs a new way of thinking.

London, Ontario?