Evidence of meeting #151 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Clerk of the Committee  Mr. Naaman Sugrue
Michele Mosca  Director, Quantum-Safe Canada
Brian O'Higgins  Chair, Quantum-Safe Canada
Christopher Parsons  Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab
Karen McCrimmon  Kanata—Carleton, Lib.
Jim Eglinski  Yellowhead, CPC
Normand Lafrenière  President, Canadian Association of Mutual Insurance Companies
Steve Masnyk  Principal, SkyBridge Strategies

4:45 p.m.

Liberal

The Chair Liberal John McKay

With that, before we bring this to a close, the chair has a question. I want to direct it to Mr. Mosca.

The history of Canada, in terms of being on the edge of leading technology, is to never miss an opportunity to miss an opportunity. You used the example of Avro. You described a critical situation where, if we don't get this right, we'll just fall off the cyber map, shall we say.

Mr. Parsons put forward a series of suggestions as to the steps we should take as an organizing entity. Like you, possibly, I have a little skepticism about the government being able to do that. What do you think about his series of suggestions on how we should approach our cyber vulnerabilities?

4:50 p.m.

Director, Quantum-Safe Canada

Michele Mosca

From my perspective, they seemed like sound approaches to dealing with the issues in the short and medium term, which we absolutely must do. I see this as part of a broader cyber program for Canada. We have to simultaneously figure out that this is where we want to be in 10 years and that these are all the important disciplines and practices we should at the very least consider, or adopt in some form, to solve the issues he's saying we need to solve. The endgame, however, should also include resilience to future attacks.

Ultimately, we want to build a stronger cyber immune system. It's not about solving the latest...or just defending with one defence after another, like plugging holes in a dam. If you're thinking 10 years in the future, it's not that far. We just need to find a way to have a better cyber immune system where we're better able to detect new and emerging threats and adapt quickly to deal with them, instead of just drinking water from the firehose all the time.

Part of that does require a greater coordinated effort in Canada. I think Brian O'Higgins has advocated for a RAND-type organization where the cybersecurity research has to be funded by the government. You want trustworthy, objective, knowledgeable advice to the government so that we can react quickly to new and emerging threats. I think that's a fundamental part of a national cyber immune system. It's not the only part, but that's one of the next pieces I would strongly advocate for, in addition to the current cybersecurity centre and all the great things we do have going for us.

4:50 p.m.

Liberal

The Chair Liberal John McKay

Thank you.

Go ahead, Mr. O'Higgins.

4:50 p.m.

Chair, Quantum-Safe Canada

Brian O'Higgins

I'll give you another example of a model that I quite liked. Back in my history as a founder of Entrust, a world-leading provider of encryption technology, the Canadian federal government was our very first customer. In fact, that got the company going. It led to an export market, and before we knew it, we were in 50 national governments. That was a big win.

We're still riding off that kind of aura that Canadians are good in encryption technology. There's an opportunity now with quantum resistance. Encryption has to change wholesale around the world. It has to be resistant to a quantum attack. Guess what? Canadian quantum technology from the University of Waterloo and other places is world-leading. There's a good opportunity to repeat that kind of effect.

4:50 p.m.

Liberal

The Chair Liberal John McKay

Let's hope it's not our opportunity to lose.

4:50 p.m.

Chair, Quantum-Safe Canada

Brian O'Higgins

I felt your comment.

4:50 p.m.

Voices

Oh, oh!

4:50 p.m.

Liberal

The Chair Liberal John McKay

With that, we'll suspend and re-empanel.

4:55 p.m.

Liberal

The Chair Liberal John McKay

Ladies and gentlemen, we're back on.

We have as our second panellists Mr. Masnyk from SkyBridge Strategies and Normand Lafrenière from the Canadian Association of Mutual Insurance Companies.

Have you two flipped a coin as to who is going first?

Mr. Lafrenière, we look forward to what you have to say for the next 10 minutes.

Thank you.

4:55 p.m.

Normand Lafrenière President, Canadian Association of Mutual Insurance Companies

Thank you, Mr. Chair.

I'm going to be sharing my time with my colleague Steve Masnyk from SkyBridge Strategies.

My name is Normand Lafrenière, and I am the President of the Canadian Association of Mutual Insurance Companies, or CAMIC for short.

CAMIC represents 79 mutual insurance companies across Canada that insure people's cars, homes, farms and businesses.

Mutual insurers were formed over a period of 100 years, beginning in 1836. They were formed because farmers could not find farm insurance or find it at a fair price.

Mutual insurers are owned by their policyholders. There are no stockholders or share capital, and they aren't on the stock market. Policyholders elect their company's board of directors and vote on the major orientations taken by their company.

The premiums of the many serve to pay the losses of the few. When a profit is generated, that profit is transferred to the surplus of the company to be better able to pay future claims, is refunded to the members or is used for the betterment of the community.

Canadian mutual insurers have formed two mutual reinsurance companies—their own reinsurers—to share risks amongst mutual insurers and access reinsurance in the international market.

They have also created guarantee funds to fully compensate policyholders should an insolvency occur. In passing, I would like to mention that, over the past 60 years—ever since guarantee funds have been in place—no mutual insurance company has gone under.

Today, CAMIC member companies have a 15% market share of the non-governmental Canadian property and casualty insurance market. Being especially present in rural Canada, mutual insurers insure 75% of Canadian farms.

We are here today to address the issues of cyber-risks and threats to the financial system in Canada and, in particular, how open banking could possibly increase the risk of cyber-attacks.

Generally speaking, the insurance sector is not a likely target of cyber-hacking. Apart from insureds' credit card and debit card numbers, mutual insurers generally keep very little information of interest to cyber-hackers.

We do, however, have serious concern about the discussion at hand today, especially as it pertains to open banking. This is a concept that began in Europe, the U.K., Austria and Japan. The concept was put in place only recently in those jurisdictions, so there is very little anecdotal evidence on how well or not well it is working.

We can, however, offer thoughts about the discussion points raised by the government when it began its recent open banking consultation.

CAMIC is particularly concerned that the open banking concept will undermine the long-standing prohibition barring banks from engaging in the insurance sector. This long-standing prohibition, supported by governments of all stripes, is in place to protect consumers of insurance from credit-granting institutions coercing them into buying an insurance product that is not appropriate for them. We hope that any open banking framework would not undermine this legislative prohibition.

I would now like to ask my colleague, Steve Masnyk, to touch on other concerns related to open banking and the cyber risks.

5 p.m.

Steve Masnyk Principal, SkyBridge Strategies

Thank you, Mr. Lafrenière.

Thank you, Mr. Chair. Good afternoon, committee members.

I'm not sure if this little diagram has been distributed to everybody. You may have it in front of you. I hope it will be able to guide the discussion, because with me talking in the abstract, it is a bit easier to understand the concept once you have the diagram in front of you.

I'd like to explain the concept of open banking and the cyber risks it poses to the Canadian financial services sector. I'm sure that many members are not aware of what open banking is all about.

It's a concept where a consumer can request that all their data held by their bank—their chequing account, credit card transactions, debit card transactions, investments, RRSPs, mortgage, insurance or any other loan—be transferred to third parties who are in financial services. By third parties, we mean financial technology firms, also known as fintechs.

These fintechs will then be able to underwrite you a financial service product that you may or may not already have, based on the banking data your bank has about you. This transfer would happen via a middleman called an API, which stands for application program interface.

APIs are pretty much platforms or apps that would act as a conduit among the customer, the bank data and all the fintech entities they're associated with. Once a customer submits a request of this API to authorize the API to gather and disseminate their data from their bank, the API would follow through and disseminate the data to fintechs that are affiliated with the API.

The fintechs would have your banking history and, using this data, underwrite you a product to outbid something you already have or something you do not have. Based on the data, they would pretty much know everything about you: what products you have, what products you don't have and what products you might need.

This is the essence of the concept of open banking. As you can imagine, the risks and threats surrounding open banking are many: Who regulates the APIs and by what privacy standards, provincial standards or federal standards? Who regulates the fintechs? Which privacy rules do they follow? How does a consumer authorize these players to disseminate their banking data? Once a consumer has given consent, can they revoke it? What happens to the data once a consumer has withdrawn their consent? How does a consumer know which players are holding their data?

Some of the bigger questions on cyber risks and hacking also apply: How easily can a fintech get hacked? What rules do they follow, and who enforces these rules?

Banks are highly regulated players with tremendous privacy standards in place in Canada, as are insurance companies. Where do fintechs fall into that hierarchy of standards? Canada's banks spend millions, if not billions, on technology to protect their customers' data, and even they get hacked. How about these fintech firms, which spend very little? These are a few of the big-picture issues that I will leave for this committee's consideration.

With respect to the insurance sector, as Mr. Lafrenière mentioned, with threats of cyber risks, we can say that, when it comes to mutual insurance companies, we believe there is minimal risk. Insurance companies do not hold valuable financial data and, as such, are not as exposed to hacking as banks, for example, which hold much more valuable data.

I will leave you with an example. Of course, an insurance company insuring your home or car could be hacked; however, I am not sure a hacker would find it worth his while to know how old your car is or how many washrooms you have in your basement. Of course the risk of hacking exists; however, it is a question of degree.

With that, we're pleased to take any questions you may have.

5:05 p.m.

Liberal

The Chair Liberal John McKay

Thank you very much.

Mr. Spengemann, you have seven minutes.

5:05 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Mr. Chair, thank you very much.

Thank you both for being with us.

Let me start with open banking. You mentioned a couple of jurisdictions where this has become popular. What's the driver behind it? What do you see as the current trajectory for open banking? What's the case for the economic or social benefit, as it must happen for some beneficial reason? What's the upside of this? Is there an alternative to the way it's currently structured that might be functional?

5:05 p.m.

Principal, SkyBridge Strategies

Steve Masnyk

I'll start, and then he can add.

In Europe, the U.K., and some countries in Asia, it's a recent development over the last year to year and a half. The upside to open banking, as the pro-open banking people are saying, is that it provides consumers with more choice and that it provides more efficiency in the financial services sector. The trend is quicker, faster one-stop shopping. Some of the arguments that are being talked about are that a customer or consumer would have financial products with many different players. You might have a mortgage with your bank, another loan with another bank, and another product with a credit union. This would all encapsulate and regroup together all your banking data and your financial data. Those are some of the reasons why open banking is in place in these other countries.

5:05 p.m.

President, Canadian Association of Mutual Insurance Companies

Normand Lafrenière

Right now there are some issues. Some people do practise what is called, I think, screen scraping. Basically they're taking their data. They give their usernames and passwords to third parties so that they can take their data from one bank and from the other bank and so on and gather that information and provide that service, if you will. That would disappear with the advance of API. Basically, it would reduce the risk, in that sense, for those people who give their usernames and passwords to third parties, which, by the way, contradicts their contracts with their own banks.

5:05 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

It's still too new to see if it consolidates as something of permanency. Is that your testimony, that it's really a fairly recent phenomenon and that the jury is still out on whether there's a state-of-the-art version of open banking?

5:05 p.m.

Principal, SkyBridge Strategies

Steve Masnyk

You're absolutely correct. As I said, in Europe and in the U.K. it's within the last 12 months, so there's no anecdotal evidence on how well it works or how badly it works, either way.

5:05 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Do you see it as a symptom of what some people call a diminution or decline of financial literacy among the public? Is that in part what could be driving it?

5:05 p.m.

Principal, SkyBridge Strategies

Steve Masnyk

It could be. I'm not a banking expert, so you'd probably have to speak to somebody a lot more knowledgeable than I am.

5:05 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Okay.

To those who would say, “If it consolidates itself and sticks around, regulate the fintechs better and encrypt the data transmissions better”, would that solve the problem?

5:05 p.m.

President, Canadian Association of Mutual Insurance Companies

Normand Lafrenière

I think we need standards to pass the information from banks to third parties, and those standards are not there right now. They're in different formats.

5:05 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

It's just like the protection of medical records. It would be quite similar in that sense.

5:05 p.m.

President, Canadian Association of Mutual Insurance Companies

Normand Lafrenière

I would say so.

5:05 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Okay.

5:05 p.m.

Principal, SkyBridge Strategies

Steve Masnyk

Just to answer your question, Mr. Spengemann, most fintechs are registered and regulated provincially, so in a federal regime there would be a gap in regulating these fintechs. For example, now you have five or 10 strong federal players—the banks and insurance companies that are strongly regulated. If you have 2,000 weak fintechs or weak players that are not federally regulated, how does that open up the whole risk to cyber-attack throughout the country?