Evidence of meeting #156 for Public Safety and National Security in the 42nd Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was payments.
A video is available from Parliament.
Liberal
David Graham Liberal Laurentides—Labelle, QC
If you go to the gas station and buy gas and a bar of chocolate, does Interac know that you bought gas and a bar of chocolate, or that you went to the gas station?
Chief Risk Officer, Interac Corp.
I can't share all the data elements that are collected, but I believe the transaction is about the money movement itself. It's not about the goods and services that you're looking to purchase.
Liberal
David Graham Liberal Laurentides—Labelle, QC
This applies to both of you. Do you have member institutions that do a poor job of living up to your standards? I know that in the case of Payments Canada membership is statutorily required for some organizations. Interac is probably the same thing. Do you have lagger organizations you're always chasing that are not keeping up with your standards? You don't have to identify them, but do they exist?
Chief Information Security Officer, Payments Canada
I would say that all the organizations that participate with Payments Canada have high security standards, and they all meet a very rigorous bar for safety and security.
Chief Risk Officer, Interac Corp.
I would say absolutely the same. As the centre of the ecosystem, Interac spends a good amount of time with all of our participants—and we have many more participants—in giving them lead time and testing time when we're raising security standards, which we always are. We actively work with them to make sure they can make the new standards.
Liberal
The Chair Liberal John McKay
Thank you, Mr. Graham.
Mr. Cannings, you have three minutes if you wish to use them.
NDP
Richard Cannings NDP South Okanagan—West Kootenay, BC
Okay. Sorry, normally in my committee I never get a second chance.
Liberal
The Chair Liberal John McKay
I'll go back to myself and ask about what I'm interested in.
I have my Visa card here with CIBC, and I have my debit card. On a security basis only, I would be given to understand from your testimony, Ms. O'Brien, that this is far safer than this.
Liberal
The Chair Liberal John McKay
Why? Is it because you have 300 organizations in this, and you are a closed loop? There are many more thousands of organizations in this.
What is the essential—
Liberal
David Graham Liberal Laurentides—Labelle, QC
John, be careful not to show the numbers; we’re televised.
Liberal
Liberal
The Chair Liberal John McKay
Yes, that's right.
What is it in the structure that makes the one safer than the other?
Chief Risk Officer, Interac Corp.
I think there are many factors. As I alluded to earlier, Interac has a very strong governance and operating regulations structure that is layered. It's not just about the security of a closed-loop network. It's about the participant's level of security, the issuers and acquirers, like the PIN pad level of security, as well as varying degrees of transaction types and limit structures, which is different from some of our credit card partners that we have in Canada, which may have a higher risk appetite.
They have different types of participants in their marketplaces, and different types of fraud monitoring, so I can't speak to the level of fraud monitoring, or their risk appetite. I just know that it's higher than ours in some regards, in their limits on certain different types of cards. As you may well know as a consumer, many cards have much higher limits. Those are more attractive targets for cybercrime than debit cards.
Liberal
The Chair Liberal John McKay
So, it's not a function of how the system is set up or the security that's built into it; it's a function of how much risk we want to take in order to be able to do volumes of business.
Chief Risk Officer, Interac Corp.
I think it's a function of both. It's a layered approach. It's a function of the security of the participants, of the operating regulations, of the limit structure, of the fraud risk monitoring—for sure, that's pivotal and key in that ecosystem.
Liberal
The Chair Liberal John McKay
Thank you.
I have one other question, with respect to the sharing that's going on among the various institutions. Not all institutions will have the same degree of interest—that's not quite right. They're all interested, but they will have different agendas. Particularly, the government will have one agenda; the security people will have another agenda; the financial institutions will have another agenda and whoever else is in that.
Are you satisfied that, with the various agendas that are going on and your feeding in that data, security is actually enhanced at the end of the day?
Chief Risk Officer, Interac Corp.
I would say yes, absolutely. It is further enhanced with every amount of information sharing that we have.
Of course, we participate, as Justin and Martin said, in a lot of central forums, in information sharing through some committees, and the CCTX has been a great addition in recent years. But the actual event sharing in the moment of a particular theme or threat vector that is in the marketplace at any given time is really pivotal to detecting it and preventing that fraud. Then it benefits the entire ecosystem. We at Interac will speak with individual financial institutions on a daily basis, because those threat factors continuously change. It's been quite effective.
Liberal
The Chair Liberal John McKay
I'm assuming Payments Canada would adopt the same answer. Is that correct? Okay.
I have a final question for Payments Canada. I've never quite understood why, when I'm paying a bill online, the money clearly comes out of my bank account but is not credited to the vendor for a day or two or three. It puzzles me that it's not an instantaneous transaction. Do you have an answer to that?
Chief Operating Officer, Payments Canada
Yes. As an infrastructure layer, we don't interact with consumers at the bill payment level, but part of our modernization program includes the creation of a real-time payment rail, which would do exactly that—eliminate the lag in deposits, cheque holds, bill payments and the like. So, if you keep your fingers crossed, you'll see one coming soon.
