Public Safety Committee on April 8th, 2019

I can speak for Payments Canada. We're at the infrastructure layer. We would write the rules around how that works, and we run the systems that do the cheque imaging and enable the digital image. But all the security and all the services provided to a consumer would be through their bank. We would support the bank, support our members in that, but it's at the policy level of the bank.

To add from my many years in banking, the technology has come a long way and the cheque imaging is quite good now. Of course, consumers are encouraged to destroy the cheque afterwards. However, duplicate cheque detection has come a long way as well. If you ever try to deposit it twice, it won't allow you to do so.

No. In fact, that's why we put it—

I know one.

I do, yes.

Go ahead, please.

I've been looking at the model. It's actually quite good. SWIFT has adopted a model wherein they publish the security standings of all their counterparties, as they call them, not from a creditor's standpoint but just as a counterparty to the system. It's a good model that we quite like.

That allows each of the participants in the ecosystem.... If you're a financial institution or a caisse populaire and you see a lowered security level that's not quite at the standards, you can mitigate or limit your risk to that partnering financial institution. They've implemented some really interesting things in the past year.

I can respond to that.

The attestation program to which Terri referred has been a set-up by the SWIFT organization, to allow the counterparties to publish their attestations to other counterparties. If one organization feels like the other counterparty that they're doing business with is too risky, because of their attestation they have the opportunity as a business owner to de-risk themselves or to demand that certain requirements be met before they continue doing business with that organization.

I just want to come back to the labelling of ingredients. The attestation is a version of it, but it's an early version. There is no precedent for identifying all of the components in the value chain and disclosing and managing that. There are multiple parts to this. It's not actually being done anywhere else that we know of.

It's a great question. SWIFT is a global organization that has started early days in that. I would absolutely suggest that Interac would be an appropriate place as well. We currently run our operating regulations and minimum standards, whether they're security standards or participant standards, for all the FIs in our ecosystem.

We have a very robust governance policy and operating regulations in market today. We're looking at how we can enhance those in-market regulations every day. The participants eagerly participate in the marketplace and adhere to those regulations because what it gets them is reciprocity of payments and access to the ecosystem.

I can answer only for Interac, but I can firmly say that we are not. We are not prepared to allow data outside of our Canadian constitution and Canadian roots. Our incorporation—we became a corporation about a year ago—is quite strongly grounded in Canada. All of our data is to reside in Canada. We are also to use Canadian vendors and Canadian suppliers in the delivery of any of our services, but we build our own technologies. To your question about foreign service providers, we are quite anchored in our Canadian roots.

All our infrastructure and data are resident in Canada and owned and operated by Interac.

To your question about a foreign entity as a hacker, our experience is that most hackers are foreign entities. We haven't seen a lot of domestic Canadian hackers.