Evidence of meeting #152 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Charles Docherty  Assistant General Counsel, Canadian Bankers Association
Trevin Stratton  Chief Economist, Canadian Chamber of Commerce
Scott Smith  Senior Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
Andrew Ross  Director, Payments and Cybersecurity, Canadian Bankers Association
Ruby Sahota  Brampton North, Lib.
Andrew Clement  Professor Emeritus, Faculty of Information, University of Toronto, As an Individual
David Masson  Director, Enterprise Security, Darktrace

4:20 p.m.

Director, Payments and Cybersecurity, Canadian Bankers Association

Andrew Ross

From a national security perspective, that's not something we would have a lot of insight about. Certainly, that question would be better asked of the telecom industry.

4:20 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

I see; but have the Canadian banks that are a part of your network ever expressed concerns with regard to telecommunications and banking information?

4:20 p.m.

Director, Payments and Cybersecurity, Canadian Bankers Association

Andrew Ross

Again, we would rely on the proper diligence being performed from a national security perspective on any telecom provider introduced into Canada. Obviously, whatever telecommunication provider comes into Canada would be required to support more than just the financial sector, so we would really rely on the national security review and the telecom sector.

4:20 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

With respect to the protection of assets, those of enterprises and those of individuals, can the banks that are members of your association compensate for the losses due to fraudulent transactions, attacks or phishing operations? How does that work? First, is it a major problem? Second, do your clients and your banks incur losses?

4:20 p.m.

Assistant General Counsel, Canadian Bankers Association

Charles Docherty

There's no problem. Banks, in the rare circumstance of a cyber-attack that results in a financial loss to their clients, will reimburse them.

4:25 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

I believe there is a $100,000 limit on compensation.

Is there a maximum for insurance, or the bank's liability?

4:25 p.m.

Assistant General Counsel, Canadian Bankers Association

Charles Docherty

You may be referring to the CDIC deposit insurance. That's not something related to cyber-threats or cyber-attacks. In terms of a cap for banks, if a fraud has been committed and the clients are not at fault, but the security safeguards have been breached, they will be reimbursed.

4:25 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Would it be 100%?

4:25 p.m.

Assistant General Counsel, Canadian Bankers Association

Charles Docherty

Yes, sir: 100%.

4:25 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Okay.

Thank you.

4:25 p.m.

Liberal

The Chair Liberal John McKay

Mr. Dubé, you have seven minutes.

4:25 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you, Mr. Chair.

Gentlemen, thank you for being here.

I have a question about the banks and the credit card companies. That relationship is more complicated than people realize.

There is a belief that the banks are responsible for several of the steps in a credit card transaction, but in fact, it is the credit card company that is responsible.

The Privacy Commissioner shared concerns about the fact that the credit card company servers are located elsewhere, such as in the United States. The legal protections conferred on clients by citizenship are not necessarily the same. There is also the fact that an ill-intentioned actor could pose additional risks, should the relationship between two countries deteriorate. From that perspective, the servers that contain our data, for instance the ones in the United States, could become a target.

Do the banks that deal with those enterprises have a role to play in this? Can the Government of Canada do anything to protect the data and transactions of Canadians?

According to what I understand, credit card companies are independent from the banks. Nevertheless, the banks deal with those enterprises for certain important aspects of their activities.

4:25 p.m.

Director, Payments and Cybersecurity, Canadian Bankers Association

Andrew Ross

I think it's fair to say that banks and credit card companies are interconnected. The data is shared. Credit card companies have data related to the transaction, but so do the banks. At the end of the day, if it's a Canadian-issued credit card, then obviously banks would be obligated to follow the requirements as set out by Canadian legislation.

4:25 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

I want to make sure I understood.

Certain obligations are imposed on you. If you do business with the credit card company, whether Visa or Mastercard or another company, the data on clients' credit card transactions are kept on the servers of the credit card company. Does this create a problem with respect to the legal protection offered in countries where the data are kept? Do the same obligations apply? If Visa, for instance, knows about a leak on American servers, is it the Canadian bank that is responsible for that leak?

4:25 p.m.

Assistant General Counsel, Canadian Bankers Association

Charles Docherty

I can speak to the fact that banks remain responsible and accountable for the personal information of their clients. When they contract with a third party, let's say, and outsource the processing of data, they are responsible in those circumstances to ensure that the privacy and security safeguards are in place. They would inform their clients that their data was being stored in another jurisdiction and was subject to that jurisdiction's laws.

The important thing to remember is that when they've outsourced their data, it doesn't mean they've outsourced their obligations. Canadians can feel confident and secure that their data is being protected by the banking industry.

4:25 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

I just want to make sure I understand that answer correctly. I apologize; I'm not trying to lay out a trap or anything. This is just to try to get a better understanding of this, with data transiting all over the place. That's part of the objective of this study.

Let's say a bank has an agreement with a credit card company and that credit card company is in the United States. We'll assume that the majority of them operate primarily in the States. If their servers are there, per the agreement you have with them, you would then respect your obligations under Canadian law for the bank if something happened in another jurisdiction relating to the credit card company that affected Canadian clients.

4:30 p.m.

Assistant General Counsel, Canadian Bankers Association

Charles Docherty

If it's an outsourcing arrangement, then yes, definitely. If it's an independent third party, then the laws of the country where the information is being held by that third party may apply.

4:30 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

When you say “independent third party”, would that be similar to how we talk about open banking and things such as that?

4:30 p.m.

Assistant General Counsel, Canadian Bankers Association

Charles Docherty

Yes, but I want to just reiterate that when it comes to the banks and protecting their clients' information, in the event of a breach of the bank's security safeguards—which would be a rare circumstance—they would comply with Canadian law and take all steps necessary to make their customers whole.

4:30 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

If there's a breach at a credit card company that deals with multiple banks, do the banks consider it their responsibility if they have consumers that are affected? Am I understanding that correctly?

4:30 p.m.

Director, Payments and Cybersecurity, Canadian Bankers Association

Andrew Ross

Yes, the banks would hold the customer relationship directly in that circumstance.

4:30 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

That is fine, thank you.

There's another point I'd like to discuss.

In your presentation, you mentioned that 72% of Canadians use the Internet or mobile applications to do their banking transactions.

One aspect that is brought up frequently concerns wireless networks. You may well have the most secure network in the world, but if software updates on our equipment or our cell phones are not done on time, this may create breaches and cause serious problems with respect to financial transactions.

In the past, your organization has said that we should adopt standards for the products people use to access their data. Could you tell us more? We often hear about the concept of the Internet of Things, an expression I like. It may have consequences on financial transactions.

4:30 p.m.

Director, Payments and Cybersecurity, Canadian Bankers Association

Andrew Ross

When it comes to things such as Wi-Fi, again, that falls under the telecom sector specifically and whatever safeguards they would be required to undertake. Again, Wi-Fi would affect things beyond financial services and financial transactions. That said, we've been very vocal in terms of sharing information with our customers. It comes back to educating customers in terms of where they should and should not perform financial transactions. We continue to share that message with them. Public awareness is one area where we would certainly encourage the government to do more, so that again, Canadians can feel safe in whatever type of transaction they are doing through Wi-Fi, financial or otherwise.

4:30 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Dubé.

Madam Sahota, for seven minutes, please.

4:30 p.m.

Ruby Sahota Brampton North, Lib.

I'd like to start by saying to the Canadian Bankers Association that so far this committee has heard only really great things about the effectiveness of the banks in the area of cybersecurity. Most witnesses have told us that the banks are basically leading the way.

I'm very curious about how much of an investment this has been for the banks, how you work with other banks overseas and what partnerships you have. You mentioned in your introduction that you think it's important for the government to invest in academia—I believe you were saying to establish a cybersecurity curriculum and to invest in that area.

Have you already been doing that on the private side as well? If so, can you elaborate on what institutions you've been working with and where your cybersecurity experts train and upgrade and get their skills?

There's a whole bunch of questions in there, I know, but you can tackle them one by one.