As for privacy information and the protection of the consumer PII, I believe the privacy laws and reporting time frames are adequate. As a bank or large institution, we go through various security scans, looking for malicious activity on a daily basis. The question really comes down to finding the threshold of abusive activity, whether some activity is actually a problem. My view would be that the reporting we do at our primary regulator is adequate.
The typical things we see at TD Bank relate to attempts at customer-based criminal activities against our online banking systems. One of the things I mentioned in my opening remarks was credential stuffing. If you look at all of the data breaches that exist now from Marriott, Yahoo, etc., we have millions, in some cases billions, of credentials. Yahoo reported 3.5 billion sets of credentials. Criminals are scripting attacks against various banks, looking for consumers who reuse their user names and passwords throughout the institution. The volume of that traffic is significant, and it forces banks and corporate defenders to invest in leading technologies to remediate that traffic. That becomes business as usual for us, no different from fraud losses within a period of time.