Evidence of meeting #151 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.
A video is available from Parliament.
Principal, SkyBridge Strategies
Not exactly. It permitted banks to sell or transmit their data to third party providers, including fintechs.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
That seemed like legitimate legislation. Would it seem as though, if they wanted to convince you, they could show you draft regulations or provide an opportunity to comment on the issues prior to...? Did that occur? Did they allow you to provide that on this issue with fintechs?
Liberal
The Chair Liberal John McKay
Mr. Motz, you're getting into conversations that may or may not have happened at some other point. We are limiting our study to the financial sector, and not beyond that. If you could focus your questions on how these gentlemen can contribute to the concept of open banking, I think that would be useful, as opposed to other areas.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
If we're talking about cybersecurity and open banking, are you aware of anyone else who may have been asked not to speak to committees on changes of sharing information from banks and other companies or groups?
Liberal
The Chair Liberal John McKay
Now we really are wandering off. I don't know that this is a relevant and material question to what is before the committee at this point. What these gentlemen are presenting is what's relevant to this committee, not what may or may not have happened with other people doing other things.
If you could, please focus your questions on what they would know or not know, not what other people may know or not know.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
Sure.
Gentlemen, do your members have cybersecurity-sharing mechanisms, or do most of you belong to other various threat reduction or awareness organizations?
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
Do you have your own cybersecurity mechanisms yourselves? Do you protect yourselves, or do you share those mechanisms with other similar industries? Do you contract that out? Are there awareness organizations that you use to ensure that your data is safe and secure?
President, Canadian Association of Mutual Insurance Companies
Member companies use services to make sure that their system is kept intact.
We understand that all the companies use different outsiders, if you will, to help them do that, or they use internal knowledge, internal employees. There are many ways that are being used to do that, but they all spend money to make sure that their system is kept intact.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
Okay.
Those are my questions. Thank you, Mr. Chair.
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
Thank you, Chair.
I don't want to purport to know what Mr. Motz was asking about, but I do want to say for the record that my understanding is that there have been government consultations on the notion of open banking. If that was the direction of the questioning, I'm sure it does have some merit to the discussion, in my humble opinion.
Liberal
The Chair Liberal John McKay
Had the question been phrased along those lines, it might have been a more appropriate question.
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
That's fair enough, Mr. Chair. I respect your ruling, but certainly, when we shout down members with points of order as the point tries to get made, the chair has the right to rule on that.
Gentleman, thank you for being here. Forgive me for my layperson's understanding. When we talk about about apps, I'm wondering if we're also talking about applications through social media and things like that. What I'm getting at is, when we look at the Cambridge Analytica situation, part of what was at stake there was the fact that there was a legal grey zone with regard to data that was collected when a Facebook user would do one of these personality quizzes, or whatever. They were sort of clicking “Okay” and signing away a bunch of data they weren't aware of.
Is there a concern that by opening the floodgates for third party applications with regard to banking, someone could, say, log on to an application with the good intention of using it for a credit check or things like that—we see a lot of these services being offered—and then just scan through, as a lot people do, and click “Okay”, and then they've basically sold away a bunch of very private financial information?
In and of itself, this may not be bad; it may be used in the right way by the application user, but then if you get a breach, as with Equifax, the next thing you know, that data is being used for nefarious purposes—especially given that the third party app may or may not have the same type of security protocols in place as a large institution like one of the banks, which have been at this much longer in some cases.
That's probably a long-winded, convoluted way of getting to the question. What are some of the ramifications of where this could go, potentially?
Principal, SkyBridge Strategies
To your point, Mr. Dubé.... One, what is expressed and informed consent? What is a person agreeing to when they start dating a third party or an application, when they start having some kind of relationship? What is the consumer consenting to? Does the consumer understand what he or she is consenting to? What are the implications once you want to revoke that consent? How do you do that? Can you do that? Do people read the 75 pages, where it says, “Do you agree...” when they buy a product online? Does anybody ever read those 75 or 150 pages, other than going right to the bottom and agreeing? I think the bigger-picture question is, what are people consenting to?
Once you've consented with apps one, two and three, do they have any relationships with fintechs a, b, c or d afterward? Does anybody really know what they're consenting to?
I think if somebody really knew what they were consenting to, it would make a lot more sense. It would be truly informed, knowledgeable consent. In this case, regarding these APIs and these fintechs, what are you actually consenting to? That's one of the answers to your questions, I hope.
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
I'm wondering how we make it clearer what's being given away and the implications of that. In other words, the concern I have is that the accountability might be different for a third party app versus a large player like a bank, which, just by the size of the enterprise and its role in society, ultimately has different accountability towards the public.
The question is about the potential proliferation of this. Should we be exploring stricter rules as to how the data is treated and how it's taken on from the banks, especially if this transaction is taking place on a device that itself may not be secure?
Principal, SkyBridge Strategies
If I were a public policy leader, I think I'd be very scared that this is opening up. As I said, you'll have 2,000 to 4,000 fintechs running around the country. Who knows who regulates them, what standards they have or how much money they spend on privacy? It opens the floodgates to massive cyber-hacking.
President, Canadian Association of Mutual Insurance Companies
Our position is that the consumer should have ownership over their personal information, not the financial institutions that currently hold the data. The consumer should be the one to decide whom to share their personal and financial information with. We'd like to see standards put in place to govern the transfer of data between banks and fintechs to reduce the risk of information being stolen.
That said, in a case where information is sent from a financial institution to a fintech and the data is then stolen from the fintech, the financial institution would feel responsible for data content and data keeping. We aren't sure that the fintechs participating in the system will have the same data protection standards.
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
My question is about insurers in this new digital landscape. I'm going to give you a bit of an odd example, but I hope you get the drift. Quebec's highway safety rules require drivers to have winter tires on their vehicles for a certain part of the year. In Ontario, winter tires are optional, but it affects people's insurance premiums.
Are you worried about differences in cybersecurity standards and the potential impact on premiums? Some players could be subject to lower standards, and others could have higher standards. Should those standards be the same across the board in your industry to make transactions and essentially insurance easier to administer?
President, Canadian Association of Mutual Insurance Companies
Yes. Certainly, the system for fintechs should be very robust. We know that's the case for financial institutions, insurance companies and banks. If fintechs are to be allowed to participate in the system, we think they should have to adopt very stringent data protection standards.
Liberal
Kanata—Carleton, Lib.
Thank you.
Thank you very much for your testimony, and for coming today.
I just want to clarify one thing. If I heard you wrong, please correct me. I think what I heard was that there is minimum cybersecurity risk to your companies or your customers. Is that correct?
President, Canadian Association of Mutual Insurance Companies
“Minimum” is probably a big word, but there is less risk, just because the kind of data we maintain is of less interest—except for the credit card numbers and debit card numbers that insurance companies have in order to take payments. Apart from that.... Again, with the example of the size of the bathrooms you have, there's not much interest in that for a third party.