Public Safety Committee on April 8th, 2019

That's a very good question. I think the question is directed toward our Interac e-Transfer product, which has several different options. Auto-deposit is an immediate, real-time transaction. The one that you described is called our question and answer type of transaction. That's where the recipient would like a security question answered to deposit the e-transfer transaction. In that case, since a person may not be on their email on a daily basis, they are given 30 days to accept the transfer. What happens, however, for the person sending the transaction is that the money is taken from their account. It's a good-funds model, so the funds are available. It's held by the sending financial institution in a suspense account, and then, once the security question is answered, the funds are released. At all times they are secure.

The answer is no. It's a highly secure, closed-loop, private network. While Interac operates the infrastructure, Interac also has the operating regulations and governance through which the transactions transfer from each financial institution. What we are facilitating is the financial institution that wants to employ the question and answer or Q and A type service. At no time, though, could the transaction be intercepted in transit. It is securely held at one financial institution and then, once released, the payment across the Interac infrastructure is securely facilitated into the receiving institution.

That's correct.

We have a fully secured, closed-loop private network among the almost 300 financial institutions, credit unions and caisses populaires across Canada.

That's a wonderful question.

We actively work with the RCMP and law enforcement today on the exchange of some information, although it often requires a production order. We would suggest that certain privacy and other safe harbour legislation could be opened that would allow a much more targeted approach among the trusted channels that we have today, whereby we could effectively focus and manage the cybercrime in a much more targeted way.

We find that our communications today are quite effective, but they are unspecific and constrained in many ways. We think there definitely are legislative options that would allow for more open sharing of that information, which would benefit—

The fraud is constantly changing, and it also moves around based on vulnerabilities at the different financial institutions. The most common fraud that we see is what we call account takeover fraud. In the earlier example, we were speaking about some of the phishing exams, a person's credentials or personal, identifiable information that allows criminals to overtake their bank account. Then they start a systemic practice of draining the funds from that bank account, sometimes to different receiving institutions, and pulling the money out of the financial system.

At Interac, we are in a unique position where we can see that fraud cross institutions across our network into different financial institutions on the receiving end. What we've developed is a fraud detection system that patterns that behaviour and is able to detect it. Then it either blocks the transactions or holds them for further review.

Not always. I won't outline all of the behavioural models, but I will say—noting that 99.9% of transactions flow through, and that's just indicative of our volume—that when a transaction actually gets blocked, it is a known fraudulent transaction. There are certain vectors and information we have where certain transactions are known, usually through information sharing that we actively participate in between Interac and the financial institutions, both sending and receiving. Sometimes that happens with the RCMP and law enforcement as well. It's that reciprocal sharing of information that is really critical to allowing us to block known fraudulent transactions. In the cases of the blocks, the customers are not impacted.

I'd say yes. The chip and PIN, both the chip technology with the EMV-layered security and the PIN that is known only to the user, have been very effective. We've almost eradicated fraud on Interac debit. It's well below one basis point of fraud. As I mentioned earlier, it's just the remaining mag stripe terminals in the U.S.

I think it's also effective because of public education. There has been a lot of public education so that you don't share your PIN. Even in widely streamed media, in television shows, they've talked about how sometimes even spouses don't share PINs with each other. It's been very effective public education to keep your PIN secure and secret.

You are totally secure. The PIN pads you make your transaction on, those are all issued by acquirers and payment processors, and they are part of the closed loop network. Every point in the network is secured.

It doesn't go across an open Internet.