Evidence of meeting #46 for Industry and Technology in the 45th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was scams.

A recording is available from Parliament.

On the agenda

Members speaking

Before the committee

Hines  Head of Fraud Product, Interac Corp.
Harroun  Vice-President, Compliance and Enforcement, Canadian Radio-television and Telecommunications Commission
Brun  Vice-President, Government Relations, Desjardins Group
Lapalme  Senior Director and Deputy Head, Fraud and Financial Crime Management and Supervision Unit, Desjardins Group
Hutton  Vice-President, Consumer, Analytics and Strategy, Canadian Radio-television and Telecommunications Commission

The Chair Liberal Ben Carr

Well, it gives you an opportunity to redo.

Colleagues, I see the bells are ringing. We don't have the TV on, but I suspect that a vote has been called. I need unanimous consent to work through the bells. Given that it's a matter of privilege, I'm going to ask every member to give me a sign of affirmation.

Some hon. members

Agreed.

The Chair Liberal Ben Carr

Madam Dancho, I'll let you start again with five minutes on the clock.

4:10 p.m.

Conservative

Raquel Dancho Conservative Kildonan—St. Paul, MB

I think progress has been made on the caller ID side, and perhaps that's from the work of the CRTC and your moves to.... I don't know if you've mandated the telcos to work on spoofing with the STIR/SHAKEN technologies.

What can we do about the texting scams? Those are looking quite sophisticated. I was almost fooled the other day by something that looked very much like a legitimate text. I do receive text reminders from my bank, which are great. This was very similar and almost got me. Is there anything you can be doing to encourage telcos to deal with that?

4:10 p.m.

Vice-President, Compliance and Enforcement, Canadian Radio-television and Telecommunications Commission

Steven Harroun

I appreciate the question. You've laid out a good segue for me.

On the telephony side, we've done things such as universal call blocking, as I mentioned, 123-456-7890, but also STIR/SHAKEN, which is really that call verification system. Is it your bank calling? It can at least give you an X or a “potentially fraud”, or it can let you know if you should trust that phone call.

On the SMS text message side, the timing of your question is very good, because last year we introduced a framework to allow TSPs to block emails and SMS text messages that they know to be fraudulent. I'll be honest; I'm the policy guy, but there are all kinds of technicalities behind it where they can determine whether an SMS text message is valid or whether an email has a particular attachment you shouldn't click on, etc.

We're about to release a decision in the coming weeks that will actually enhance that framework even more and allow the telcos to do more, in that they can stop those text messages from hitting your phone.

4:10 p.m.

Conservative

Raquel Dancho Conservative Kildonan—St. Paul, MB

That's great news.

The technology exists to do so, and it sounds like you'll be permitting them to use that technology. Is that correct?

4:10 p.m.

Vice-President, Compliance and Enforcement, Canadian Radio-television and Telecommunications Commission

Steven Harroun

Absolutely. The way the telecom act is constructed, the TSPs need permission from the CRTC to interfere with any type of traffic. When I speak about these matters, I often say that if I can't enforce it, I'll regulate it, which is that policy piece, and that if I can't actually regulate it, then I'll educate, which is about educating Canadians.

4:10 p.m.

Conservative

Raquel Dancho Conservative Kildonan—St. Paul, MB

Thank you.

That's excellent work, and I'm glad that's coming forward.

I want to understand how this is going to work. If I were to click on the link and send an e-transfer, that would withdraw the money from my bank. Let's say I was banking with Desjardins. It would withdraw the money, and then it would use Interac's payment rail to get to the scammer. Where does the responsibility lie with each of you?

I'll go to Mr. Hines.

If I were to e-transfer to the scammer, where does your responsibility lie legislatively in preventing that scammer? I'm just trying to understand where Desjardins' responsibility begins, where yours begins, and where each ends. Can you outline the difference for me? How would you interact with Desjardins regarding that scam?

4:10 p.m.

Head of Fraud Product, Interac Corp.

4:10 p.m.

Conservative

Raquel Dancho Conservative Kildonan—St. Paul, MB

Yes.

4:10 p.m.

Head of Fraud Product, Interac Corp.

Mark Hines

Today, as the network in the middle, we don't take a direct role in compensating victims of scams. That's managed by our participants, usually a financial institution. What we're proposing, however, is that each actor in that chain—the platform, us, the bank and the individual—has specific obligations. If we don't meet them, then we should hold some level of responsibility for it.

4:10 p.m.

Conservative

Raquel Dancho Conservative Kildonan—St. Paul, MB

What are your capabilities versus Desjardins', for example, to stop that e-transfer? Then I'll go to Desjardins to respond. What is the difference between the two of you? Who should be stopping that?

4:10 p.m.

Head of Fraud Product, Interac Corp.

Mark Hines

Each of us plays a role. The key role that we play is really.... Our core value prop is a network view. What does that mean? It means I can see certain information about the destination that the sending institution can't see by itself, regardless of whether it's the biggest FI in the country or a small FI. Getting that intelligence from the receiver side, which is really the key for scams specifically, is where we're focusing our time, because that's what we, uniquely, can do.

4:10 p.m.

Conservative

Raquel Dancho Conservative Kildonan—St. Paul, MB

Okay.

I'm speaking to you, the witnesses from Desjardins. Do you have any suggestions for legislation that we could pass or anything else that we could do with regard to Mr. Hines's response?

4:10 p.m.

Senior Director and Deputy Head, Fraud and Financial Crime Management and Supervision Unit, Desjardins Group

Frédéric Lapalme

Yes. We would like to point out that this shows the importance of the Canadian Anti‑Scam Coalition launched and of our discussions today. So, it's a complete chain.

In the situation described, the financial institution would bear much of the responsibility for whether the victim is compensated. However, as we have shown today, a whole chain of stakeholders all share responsibility. As a result, the Canadian Anti‑Scam Coalition and other initiatives designed to bring all stakeholders together are all the more important.

4:15 p.m.

Conservative

Raquel Dancho Conservative Kildonan—St. Paul, MB

Last, for the CRTC, what would you say the telcos' role is? Is it their responsibility to have stopped that text in the first place? I don't mean this in a mean way, but sometimes I feel as if there's a bit of passing the buck, “Yes, it's a little bit ours, but it's kind of their fault, and we are not going to cover the cost. They should, but we could have stopped it.” Anyway, I think you get my point.

What is the telcos' role in stopping this?

The Chair Liberal Ben Carr

Answer within about 30 seconds, if you can, Mr. Harroun.

4:15 p.m.

Vice-President, Compliance and Enforcement, Canadian Radio-television and Telecommunications Commission

Steven Harroun

Ultimately, the telco's role in this scenario is to actually put that text message, call or email into your inbox. They are the pipe that delivers it to you. Fortunately, because they are well invested in stopping this type of fraud and stopping this type of activity, they often come to me seeking those permissions, “Can we stop this type of traffic? Can we stop these types of things?” That's just their role. They want network security as much as anyone else but, ultimately, their role is to deliver that traffic if they're supposed to, if it's going through their network.

The Chair Liberal Ben Carr

Thank you, Madam Dancho.

Mr. Ntumba, you have the floor for five minutes.

Bienvenu-Olivier Ntumba Liberal Mont-Saint-Bruno—L’Acadie, QC

Thank you, Mr. Chair.

I'll start with you, Mr. Hines.

It's true that Interac isn't a full-fledged financial institution. I would say you're working with the banks to do internal financial transactions.

I'll talk about humans, about seniors, our parents and grandparents. Some have cellphones and sometimes do Interac e-transfers. Sometimes they don't have a good handle on a transaction, and then the bank says they're responsible when something goes wrong. As young parents, we weren't equipped to train our grandparents on how Interac works. If I'm at work, I can't go and sit down with my grandfather and my mother-in-law to show them how to use Interac.

At what point is it the institution's responsibility to give seniors good financial literacy to prevent fraud?

4:15 p.m.

Head of Fraud Product, Interac Corp.

Mark Hines

As I mentioned before, education is vital, in particular for the vulnerable sectors. Seniors are, obviously, a key part of that. I've heard personal examples of folks with learning difficulties having been the victim of significant romance scams. These are tragic stories.

Our perspective at Interac is that the individual consumer alone should not be shouldering the burden of these scams, which is why our approach is to define a cross-sector approach, define what we each need to do, and then responsibility flows from that.

Education is a key part of that. Unfortunately, though, for seniors in particular—this is anecdotal—I've seen it happen that it stops those seniors from engaging with things that they really need to be engaging with online. Education is vital, but we also have a role to play to make sure that we're building a wall around them a bit to protect them as well.

Bienvenu-Olivier Ntumba Liberal Mont-Saint-Bruno—L’Acadie, QC

Thank you, Mr. Hines.

I'll quickly ask the Desjardins representatives the same question before ceding the floor to my colleague.

Mr. Lapalme, you may answer.

4:15 p.m.

Senior Director and Deputy Head, Fraud and Financial Crime Management and Supervision Unit, Desjardins Group

Frédéric Lapalme

Thank you for the question.

My answer will be along the same lines as what Mr. Hines just said. As we also said, seniors are no longer the only victims. Young people are victims when it comes to investments. Those who don't fall in the categories of young people and seniors are victims of other types of scams. In fact, people most likely to be targeted by scams are those who, unfortunately, don't think of themselves as potential victims, and think others are. Scams occur thanks to the speed with which transactions and frauds are carried out in the daily life of citizens and client members. I think another witness said this, but, a momentary misstep can make you a victim of fraud.

Technology is increasingly present and, unfortunately, we can't put the genie back in the bottle. We're going to have to evolve.

Doly Begum Liberal Scarborough Southwest, ON

Thank you very much, Chair.

Thank you, all of you, for being here today.

I want to pick up where Ms. Dancho left off. You might be surprised, but I feel that, at this committee, this is where we actually align and are very concerned about what's going on. This study has become very important in finding a way to protect Canadians.

I'll start with Interac.

Mr. Hines, you spoke about some of the steps. To go back to what Ms. Dancho was talking about, could you talk about how the different players come together? We've now had conversations with platforms, basically with all of the different players. We're all here. Can we come up with, at least, a solution or a template for it that allows us to understand what we can do better?

4:20 p.m.

Head of Fraud Product, Interac Corp.

Mark Hines

There are frameworks and structures that exist today—we don't have to make this up—both Canadian and international. In Canada there is, essentially, a similar structure with respect to cybersecurity, in which signals are exchanged between institutions. A similar approach could be taken with fraud data.

Australia is an example. I think the committee heard from a delegate from Australia. That's a market where they've taken this approach. We try to learn from other jurisdictions, from Australia, in particular, the U.K. to a certain extent, and Singapore is another one. There are standards around how you structure that to minimize the invasiveness, from a privacy perspective, to ensure integrity and security, obviously. I would point to those as very real examples that we could adopt without having to build it from the ground up.

If I might just take 15 more seconds to give an example of how a data element would work in that scenario, part of the new capabilities we're deploying on RTR and on e-transfer is something called a risk list, which has certain data elements that have previously been associated with fraud. If we know a telephone number is previously associated with fraud and we can share that back into the system, that's something that a TSP could use to inform trying to filter through these bad actors. I talk always about how they're coming to me, but there are ways in which we could share back as well.