Evidence of meeting #156 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Clerk of the Committee  Mr. Naaman Sugrue
Terri O'Brien  Chief Risk Officer, Interac Corp.
Justin Ferrabee  Chief Operating Officer, Payments Canada
Martin Kyle  Chief Information Security Officer, Payments Canada

6 p.m.

The Chair Liberal John McKay

Okay. Well, I'll lie awake at night waiting for that.

6 p.m.

Some hon. members

Oh, oh!

6 p.m.

The Chair Liberal John McKay

We have Mr. Cannings, and then Mr. Eglinski.

6 p.m.

Richard Cannings NDP South Okanagan—West Kootenay, BC

I'm just going to follow up on what Mr. McKay was asking, about comparing the credit card and the Interac model.

I had Mastercard representatives in my office last week telling me about their system. As I recall, Mastercard and Visa are more of an intermediary between banks, vendors and individuals, whereas Interac has sort of a direct line into your bank account. I'm just wondering if that adds more risk to a transaction, having that direct line into your bank account, whereas the other ones seem to be having more layers where security could kick in. Maybe it's the other way around. I don't use Interac a lot, and it's not because of this, but I'm just curious as to this direct access to your bank account. What sort of security questions come into that?

6 p.m.

Chief Risk Officer, Interac Corp.

Terri O'Brien

I actually think it reduces the risk to have the closed-loop private network. For clarity, the direct connection is called an API, or an application programming interface that we have to the financial institution, through which all transactions flow. The sending institution—your bank, for example—would vet that you have the funds available and then send it in real time across our payment infrastructure to the receiving institution, and we would be able to facilitate those transfers. I do believe the direct connection reduces risk. We can monitor and manage the system appropriately.

6:05 p.m.

Richard Cannings NDP South Okanagan—West Kootenay, BC

Mr. McKay also mentioned bill payments, for instance. Is that similar? When I'm paying a bill, I don't think Interac is involved, but when I'm paying a bill through my bank, is it a similar process?

6:05 p.m.

Chief Risk Officer, Interac Corp.

Terri O'Brien

Interac does do some of those transactions, and we're looking at it. Certainly, e-transfers are easy to understand. If you're paying a service provider, a plumber in your home, you may choose to use Interac e-Transfer, and those are real-time payments today.

The bill payment interface that you may use with, say, Rogers, to pay your cable bill, for example.... Today those payments are held at the financial institutions and then remitted through a batch process. We're actively working with them on how to make those payments real-time, because we have real-time capabilities already, but today, those are batch-processed payments at each of the Canadian financial institutions. It's just a legacy thing.

6:05 p.m.

The Chair Liberal John McKay

Thank you, Mr. Cannings.

Now we have Mr. Eglinski.

6:05 p.m.

Jim Eglinski Conservative Yellowhead, AB

Thank you.

This is for Interac. Earlier, you stated that you kept all your stuff within Canadian servers and stuff like that, but you do provide international service to foreign cardholders. Is that correct?

6:05 p.m.

Chief Risk Officer, Interac Corp.

Terri O'Brien

We do have some international remittance on our Interac debit product. I think somebody had an example. If you were in the United States and you wanted to withdraw money through your Interac bank card, you could use a third-party ATM. We do have an ability for you to withdraw funds when you're in another country.

6:05 p.m.

Jim Eglinski Conservative Yellowhead, AB

Someone from a foreign country cannot use your system. Do you maintain a relationship with foreign banks in such a case?

6:05 p.m.

Chief Risk Officer, Interac Corp.

Terri O'Brien

No, we do not maintain foreign banking relationships.

If you, as a Canadian consumer with a Canadian bank account, choose to withdraw funds if you're visiting Texas, for example, you can withdraw funds in Texas through your Interac debit card. But no, we do not maintain foreign banking relationships.

6:05 p.m.

Jim Eglinski Conservative Yellowhead, AB

I was wondering about security.

I'll turn it over to my friend, who had a question for you.

6:05 p.m.

Chief Risk Officer, Interac Corp.

6:05 p.m.

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Thank you, Mr. Eglinski.

I was away for a few minutes. I don't know whether the question has already been asked, but I don't think so.

How many direct attacks on systems do you experience each day or month?

Can you tell us where the attacks come from? Are the attacks carried out by individuals, by people in Canada or abroad? Are any attacks carried out by specific countries?

Both witnesses can respond.

6:05 p.m.

Chief Information Security Officer, Payments Canada

Martin Kyle

As you can appreciate, we don't describe the details of our specific security capabilities or security incidents or events. Suffice it to say, the financial industry receives attacks all the time from everywhere.

6:05 p.m.

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Without providing the details of your organizations, can you tell us what type of attacks are carried out? Are the attacks carried out by isolated individuals or organizations? Can we have this type of information?

6:05 p.m.

Chief Risk Officer, Interac Corp.

Terri O'Brien

It might be important for the committee to make a distinction between attempts and attacks.

I would say that all financial institutions, payment ecosystem providers and settlements providers are going to sustain attempts. At Interac, we have a managed detection and response, so that when there is an attempt to infiltrate our systems, we can see it. We're actively monitoring it and we're preventing it to make sure that it doesn't happen.

I'd say attacks are relatively few. What I do know of them, from some of our partners and through some of these forums where they're reported, is that in recent years they are sophisticated. I don't think we're seeing a lot of the one-off you described. They are more sophisticated attempts that are coming through.

6:05 p.m.

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Do you have an obligation to disclose to the banks? You're an intermediary between the different banks. When the threats are more significant, do you have a time frame, a number of hours in which you must inform the banks and the government?

When it comes to the government, I don't think that there's an obligation to disclose. However, in terms of your business partners, is there an obligation to disclose?

6:10 p.m.

Chief Risk Officer, Interac Corp.

Terri O'Brien

We don't have an obligation to disclose among the various financial institutions. That's not a legislative requirement, but we do have trusted channels through which we do share some of that information for the betterment, safety and soundness of the ecosystem. We will share information on a very specific basis with the related FI.

6:10 p.m.

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

You clearly referred to sophisticated operations, which require significant resources. Can you give us an idea of where the threats are coming from?

6:10 p.m.

Chief Risk Officer, Interac Corp.

Terri O'Brien

I think the new cyber unit of the RCMP is probably best placed to pinpoint where in the world they're coming from. There are certainly various countries where we have seen attempts and attacks, but it does migrate around. It is global and it is sophisticated.

6:10 p.m.

The Chair Liberal John McKay

Thank you, Mr. Paul-Hus.

You have five minutes, Mr. Spengemann.

6:10 p.m.

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Thanks very much, Chair.

Thank you for being with us.

I want to pick up where my colleague Monsieur Paul-Hus left off. I also serve on the Standing Committee on National Defence. This is one of those areas where, when we talk about critical infrastructure, there is some overlap.

Without getting into the details, as you pointed out, or giving us information that should not be disclosed, how concerned are you, generally speaking, about a state-to-state attack, and how much do you consider yourselves to be part of our core infrastructure? I'll maybe add to that question. What if your service does go down for a prolonged period through an attack? What would be the implications for the country?

6:10 p.m.

Chief Information Security Officer, Payments Canada

Martin Kyle

First of all, as you've heard, we are safe. Security is our most important priority. We support our members, the financial institutions in Canada, in their security programs, and they support us in ours. Attacks and threats come from all sides. We must maintain a constant state of vigilance, and our members must do so as well. We rely on every Canadian citizen to be responsible for their own security. We also believe that together we can improve and increase the security of the country as a whole.