Public Safety Committee on May 29th, 2019

Media reports are not always accurate. To be technically accurate, the access of information within the PayPal account would only be through an authorized account holder or through their loss of credentials and device. If there's a loss of credentials by a consumer—let's say they have malware on their computer and their log-in credentials are stolen or lost through that—the access of their account through a malicious attempt would be caught by our fraud platform or risk systems to detect that. If it's not caught by some vulnerability, the only access into the PayPal account would be to PayPal balance, but not directly into the consumer's bank information. The bank information is stored in our system and not made visible, even after entered into the system by the consumer.

The only method they would have is of trying to extract data by using the PayPal system to process transactions. They might try to attempt fraud, but they wouldn't be able to get their bank account information through the platform.

We have buyer protection so if there are malicious or unintended transactions on a consumer account, we provide buyer liability and buyer protection for those fraudulent transactions and protect the consumer in that case.

I want to reiterate though that a malicious account access into a PayPal account is unlike a malicious access into any account. If online fraud occurs, we cover liability for the buyer, for the consumer, in that case. Our seller protection has other coverages to sell our merchants. The access to the PayPal account does not mean that the malicious actor necessarily has access to the bank account directly. They don't have access to credentials, nor to the bank account information, but only the linkage that we provide for the bank account as a funding instrument into the PayPal account.

Many of our staff in our information security organization are members of industry alliances that are helping to make the Internet more secure. We are absolutely in the research and development stages of many investments. Email phishing and anti-phishing working groups are other areas as well, as Ms. Sahota mentioned. The investments we make in email security, Internet security and browser security are at the forefront of our investments.

As I mentioned, our buyer protection programs provide liability coverage for any fraudulent activities that might happen on a consumer account. We also invest heavily into cybersecurity initiatives and our fraud-risk platforms. We have industry-leading metrics on how low our fraud numbers are in the sense that we protect and prevent a significant amount of fraud, and protect merchants and consumers on our platform at an excellent rate that we're very proud of.

Interestingly, foreign countries—you mention nation-state, and it's not information I'm at liberty to share, but related to private attackers or individuals who are online fraudsters who would attempt to attack websites happens on a regular basis. They're not centralized to any particular geographic region. There is, of course, a high distribution of cyber-attacks where their origin or their attribution to the country of origin is often difficult to trace, because a lot of countries participating in their infrastructure are allowing it to be hacked. As an example, attackers may originate from one country and use Internet services from another country to direct their attacks. Criminals use a multi-layered economy, and multiple parties are usually involved from different regions of each attack.

Not in particular. We have no singular concentration of countries that attack us as a company uniquely.

It's an excellent question. The data protection and data privacy implications that Canada is proposing and has outlined as a framework are an excellent support for industry and businesses globally.

To answer the first part of your question about operating globally, we do have staff in many of our regions that have increased regulations. We gave a local presence in many countries, including Europe, with support for GDPR, and in regions in Singapore where we have support for our business in the APAC region. We do have localized staff and support for each of those regions, as well as in other areas in the world that support local regulations. We have a global workforce that encourages participation with local legislators and regulators. We work closely with examiners and regulators when there are data protection and data privacy laws to ensure that we not only support and accommodate those, but help to align with regulations that are evolving and help inform practical applications to those in a context that's suitable for a global economy.

By the way, on the announcement of the new digital charter, PayPal applauds Minister Bains and the Government of Canada for taking leadership on that important topic of data protection. We believe that this responsibility does help us to protect users against harm and support privacy laws. It's a great first step. It derives some principles. I believe the 10th principle, or the last one on that was to provide accountability and enforcement. More detail around that would be helpful.

Certainly, as Canada has not been the first mover of data privacy law, I think that's actually worked to your advantage because you've been able to learn from other regions and regulators about the right balance of privacy law. But in being specific with companies with respect to the digital privacy and regulations that you're encouraging, there will be a tough balance between the framework that you've provided and those guiding principles that help direct good behaviour and strong accountability. As well, the work with industry and private partnerships will help to build strong legislation that you can support in years to come.

Where does your money go in a PayPal balance stream?

PayPal balances are backed by a number of U.S. banks, so we support depositing and safe investment and deposit of the account money. The first item was if you use credit. Was that a supporting comment, or what was the line there, before I answer?