Proceedings of the Standing Senate Committee on
Banking, Trade and Commerce

Issue No. 41 - Evidence - May 23, 2018


OTTAWA, Wednesday, May 23, 2018

The Standing Senate Committee on Banking, Trade and Commerce met this day at 4:12 p.m. to study the subject matter of those elements contained in Divisions 2, 4, 5, 6, 7, 12, 16 and 19 of Part 6 of Bill C-74, An Act to implement certain provisions of the budget tabled in Parliament on February 27, 2018 and other measures.

Senator Douglas Black (Chair) in the chair.

[English]

The Chair: Good afternoon, colleagues, and welcome to members of the general public who are following today’s proceedings of the Standing Senate Committee on Banking, Trade and Commerce either here in the room or listening via the web.

My name is Doug Black, I am a senator from Alberta and I chair this committee.

I would like the other senators who are present today to introduce themselves to our witnesses, please.

Senator Marwah: Sabi Marwah, Ontario.

[Translation]

Senator Ringuette: Senator Pierrette Ringuette from New Brunswick.

[English]

Senator Tannas: Scott Tannas, Alberta.

Senator Eaton: Nicky Eaton, Ontario.

Senator Stewart Olsen: Carolyn Stewart Olsen, New Brunswick.

Senator Unger: Betty Unger, Alberta.

The Chair: Of course we are very ably assisted by our clerk and the analysts assigned from the Library of Parliament.

Today we are continuing our subject matter examination of various divisions of Part 6 of Bill C-74, the budget implementation bill, 2018, No. 1, with a focus on Division 16, mendments to certain acts governing federal financial institutions and related acts, and sudivision A regarding financial technology activities.

To assist us in our deliberations we have, from the Bank of Canada, Grahame Johnson, Managing Director, Funds Management & Banking Department, and Scott Hendry, Senior Special Director, Financial Technology, Funds Management and Banking.

Gentlemen, thank you both very much for being with us to help with our deliberations. We would ask for your opening statement and then we will move to questions.

[Translation]

Grahame Johnson, Managing Director, Funds Management and Banking Department, Bank of Canada: Good afternoon, Mr. Chair and distinguished members of the committee. My name is Grahame Johnson. I am the Managing Director of the Funds Management and Banking Department of the Bank of Canada.

[English]

Thank you for the invitation to discuss Bill C-74.

The Bank of Canada is responsible for fostering a stable and efficient financial system. That includes regulatory oversight of designated financial market infrastructures such as our systematically important payment systems and clearing and settlement systems.

[Translation]

But the bank is not a prudential authority. Instead, it focuses on detecting, assessing and mitigating systemic risks in the financial system. In that sense, cyber-threats are one of the risks on which we are currently spending most time and effort.

[English]

To mitigate this risk, we concentrate on three main areas. First, we are investing to ensure that the bank itself is resilient to any cyber-threats. Second, we are ensuring the financial market infrastructures overseen by the bank are taking appropriate steps to mitigate cyber-threats. Third, we are collaborating domestically and internationally with financial system participants, regulators and oversight bodies to improve the resilience of the financial system.

A particular issue that we and many of our international collaborators have identified and believe merits close attention is the growing risk from third party providers. I’m referring here to the limited set of firms that deliver many of the new technologies used by the financial sector.

The increasing use of these firms, some of which offer critical services, is helping to improve the financial sector’s efficiency. However, in some cases, they may also fall outside of the purview of system regulators. As the Financial Stability Board has noted, reliance by many financial institutions on the same third parties and the interconnections between institutions could pose a systemic risk to the financial system. We are monitoring this issue closely as part of our role to promote a stable and efficient financial system.

With that, Mr. Hendry and I are happy to address any questions you may have. Thank you.

The Chair: Thank you very much, Mr. Johnson. We do have some questions, no surprise, starting with the deputy chair of the committee, Senator Stewart Olsen.

Senator Stewart Olsen: Thank you, gentlemen, for being here with us today.

You probably know we are examining the aspect of privacy and cybersecurity in fair detail in this budget bill. Because you’re responsible for fostering a stable and efficient financial system — and I have to commend you; when the world was in trouble and the global markets, Canada was seen as a very safe area with strong regulations and consequently we remained stable throughout. I appreciate that very much.

We’re facing right now a new measure that would allow banks to dispense or disseminate information, client information, to third parties; namely, fintech. Fintechs, as you know, are certainly not regulated in the same way as the Bank of Canada.

Can you elaborate a bit on what your thoughts are, and perhaps share, if you have discussed this with the banks? Do you have any idea what we should do about fintechs?

Mr. Johnson: Thank you for the question, senator. It certainly covers a wide range of ground and fintech, in general, is an area that has seen tremendous growth. It’s an area we have devoted an increased focus on.

I would suggest it begins, to your question, the fact that the very nature of financial transactions has changed over time. It is now, I would suggest, no longer a simple exchange of value, but it is an exchange of value and information. The information that goes with that exchange of value is a key and critical part of the actual transaction.

You send a real-time payment to a supplier. You also send the information as to who you are, what the payment is for, what account it should be credited to, things like that. This is critical information. It’s obviously very sensitive.

We are not prudential regulators of the banks but systemwide we do, certainly for the areas we do regulate, which are financial market infrastructures, we insist they meet high standards of cyber resilience, as does OSFI for the banking system.

We work, as I said in my comments, domestically and internationally. We’re members of SAC, which is the Senior Advisory Council, which is composed of CDIC, Canadian Deposit Insurance Corporation, OSFI, the FCAC and the Bank of Canada to ensure these issues are addressed.

We also work internationally to make sure they’re addressed.

The banks themselves are held to fairly high standards. I don’t know if it’s unique to Canada, but it is within Canada. OSFI holds the banks responsible, that their third party suppliers, partners and providers meet equally high standards. There is an indirect avenue to get to that.

Again, watching, as fintechs play a larger role, I think the regulatory attention they will get from the broad domestic community will grow.

In some cases it’s appropriate — and in fact we do use what’s called proportional regulation. If you’re very large bank with billions of dollars of transactions and huge exposures, you are held to a higher regulatory standard than a much smaller, non-systematically important institution in terms of things like liquidity and capital. If the smaller, less important institution failed, the knock-on effects are much smaller.

What I would suggest, however, in our view is when it comes things like cyber and operational risk, there is no proportionality. If you are dealing with individual data, if you are plugging into the system, if you will, even the smallest fintech needs to have the same measure of cybersecurity and cybersafety than the largest member of the system.

I’ll turn it to Mr. Hendry if he wishes to add information.

Scott Hendry, Senior Special Director, Financial Technology, Funds Management and Banking, Bank of Canada: I don’t have much to add, but privacy is a fundamental concern. That is within the bank as well as all the other regulators in Canada. Our general perspective is not from a micro-prudential perspective but in terms of how concerns of privacy at an individual level could aggregate up to cause systemic concerns. Trust in the financial system is the cornerstone and privacy and respect for confidentiality is part of that. We have to make sure that to maintain trust in the system, the privacy of all the transactions or the activity is maintained as well.

Senator Stewart Olsen: Do you have any suggestions of what we should expect from fintechs, then, or who should do the expectations? Who should regulate? You say the banks have a responsibility to make sure they’re secure. Because it’s a new world, I’m just wondering, Mr. Hendry, do you have any suggestions about moving forward?

Mr. Hendry: Specific suggestions? No, I don’t have any specific suggestions for how to move forward. We need to monitor developments. The fintech world is changing very fast and it’s not clear we can or want to get out ahead of it because that could inhibit the innovation that is occurring.

We want to make sure our general environment, from a regulatory perspective, is supportive of innovation but controlling of the risks that could arise.

I believe that is true in Canada. We do need to monitor what is happening to make sure entities that are growing up outside the regulatory perimeter, we’re aware of them, and if appropriate they should be brought inside the regulatory perimeter.

Senator Stewart Olsen: I see. Thank you.

Mr. Johnson: We did work with the FSB in a report they did on fintech and it was the opinion that fintech firms have not reached the stage where they are what we would call systemic or pose a systemic risk to the financial system. The risks they tend to pose right now, I would classify, one, as consumer protection — you want to make sure consumers are protected — and, two, privacy and information. Both are well outside of our mandate and our regulatory sphere.

We do have venues to at least raise this and we publish a financial system review where we raise issues like this. We have speeches that governing council members make and indeed our senior deputy, Carolyn Wilkins, has spoken on it. The governor referred to it as one of the three things that keeps him up at night.

It’s more indirect, working with our partners, particularly since, as I said, at this stage of development the risks fintechs pose are really consumer protection and consumer privacy. We work with our federal colleagues to highlight it to their attention and ensure it is addressed.

Senator Ringuette: Thank you for being here. I appreciate your comments and your research in the field.

We do have the issue of cyberattacks and the new body that should help eventually. We have the issue of the free flow of personal financial information that is a big question mark.

I appreciate your question and your answer, but am I wrong in assuming that you’re here to discuss Division 7, Part 6, which is the payment clearing and settlement clauses. Am I wrong?

Mr. Johnson: I believe we were invited here to discuss data privacy/third party, not the payment settlement. We’re happy to answer any questions on that as well, but it is the privacy.

Senator Ringuette: I think I’ve highlighted previously my concern looking at Division 16.

Would you have the same concern in regard to payment clearing and the fintech entities in that process?

Mr. Johnson: Very definitely yes, we would. We do oversee financial market infrastructures, oversee infrastructure designated as systemic, which would include the large value transfer system, or LVTS. We oversee systems designated as prominent, which is another more retail-based ACSS payment system in Canada.

We’re working closely with Payments Canada and the banking system as we speak to modernize those key payment systems. In fact, we are in the process of acquiring a new high value payment system. We are also in the process of working with industry and Payments Canada to renew the retail payment systems.

A key issue, I would say particularly for the more retail-based system, is the security and protection of information that goes along with those transactions.

As I said at the beginning, a key part of a financial transaction now is the data, is the information. It’s no longer just value.

Senator Ringuette: The content is the value.

Mr. Johnson: This is something we do have regulatory oversight over. It’s something we and Payments Canada work very closely on to ensure the highest of standards and that any information will be kept very, very safe.

The high value payment system, it’s a relatively closed system. There are 17 participants in it, so the information stays within a relatively — the retail system, which in the fullness of time will be more open to smaller payment system providers, pending upcoming legislation by the government, will have more and smaller participants. It’s there we will ensure — we will have to ensure — that appropriate safeguards are in place.

Senator Ringuette: You’re opening up an entire new venue. My question is: You’re working cooperatively with the financial institutions and the payment system and so forth. Your concern is in regard to the privacy. Are you working with the Privacy Commissioner to make sure that whatever outcome, that privacy is a major element that is resolved?

Mr. Johnson: The bank works closely with the Privacy Commissioner to make sure in all areas of our business we fully respect the relevant privacy laws. It is certainly the same with Payments Canada and the banks.

Senator Unger: I wonder if you could comment on this from a Canadian perspective.

Has there been a massive growth in the data that Canadian financial institutions gather on individuals? If so, do you think people in general understand how much of their personal data is being collected?

Mr. Johnson: I really couldn’t comment on that. That would fall under, far more, the prudential regulatory authority. We’re more of a macro systemic interest and, as I said, more direct oversight of financial market infrastructure. The actual retail relationship between the bank and end consumer is something we’re not well placed to discuss.

Senator Unger: Yesterday I was surprised to learn the Privacy Commissioner has no authority to enforce privacy laws; they’re merely guidelines. Considering that after this bill is passed banks will be able to share large amounts of data with fintech companies, do you think the Privacy Act should be strengthened to ensure strong penalties for breach of privacy?

Mr. Johnson: Again, that’s well outside of the Bank of Canada’s mandate. What I will say is that OSFI, which is the prudential regulator for the banking system, does have standards on both the banks and on any third party providers they use.

Mr. Hendry: I have nothing further to add.

Senator Wetston: Are you taking questions on the Exchange Fund Account?

Mr. Johnson: I would happily take questions on the Exchange Fund Account.

Senator Wetston: I tried to ask another official about this and I didn’t quite make it to the place that I wanted to, so I’ll try.

Mr. Johnson: I will do my best, senator.

Senator Wetston: I’m sure you will, and thank you for coming.

The Exchange Fund Account stood at US$86.6 billion or so?

Mr. Johnson: Or so, yes.

Senator Wetston: Clause 224 allows the Minister of Finance to make payments from the Exchange Fund Account to the Consolidated Revenue Fund?

Mr. Johnson: Yes, it does.

Senator Wetston: How would that transfer occur and how would it be reported?

Mr. Johnson: I will certainly tell you how it would occur. I will probably be less accurate in my telling of how it would be recorded, not being terribly familiar with national accounts and the accounting system used.

The Exchange Fund Account, which is a pool of about US$85 billion, approximately $75 billion is held in liquid securities — predominantly denominated in U.S. dollars, euros, pounds and yen — is funded by advances from the Consolidated Revenue Fund. Specifically, the government will borrow money, either in Canadian dollars and swap it or transform it into foreign currencies. That money goes into the CRF. It is then transferred to the Exchange Fund Account where it is invested in high-grade government securities, for the most part.

That money stays in the EFA, in the Exchange Fund Account, and is managed in there. Should it ever need to be utilized, either for the preservation of the stability of the Canadian dollar or liquidity concerns, it would be transferred back into the Consolidated Revenue Fund.

We do from time to time do small transfers. We’re in the rather happy position of earning a little more on our investments in the Exchange Fund Account than we pay on interest to fund it. Over time, a positive cash balance builds up. We let that build up to a certain threshold and then it is transferred into the CRF.

This has gone on. My understanding of the technical amendment there is, to just be explicit, in the past the Currency Act made reference to advances and with an advance is the notion of a repayment of that advance. This is really just a technical amendment, to be quite clear, that it can and does flow both ways. It was initially funded with the CRF advance and that can be repaid, if needed.

Senator Wetston: You don’t think the way it’s set up, and I suspect probably it will be utilized this way, but you don’t think that as the fiscal agent of the Crown, the government, there’s any issues or potential challenges associated with that role in this amendment versus another role, which sounds to me a little bit like having some opportunity to deal with the Consolidated Revenue Fund in a way which potentially was not originally contemplated.

Mr. Johnson: I’m probably not well placed to comment. I will say the nature of the EFA, as I said, it is funded with an advance from the CRF. My understanding of, really, the 10 years I’ve been in this role is that advance can be repaid. It’s generally being repaid in very small amounts. Not through intervention, which hasn’t happened since 1998, but rather just through accumulated earnings.

Senator Wetston: Of course, small amounts might be $100 million or $200 million.

Mr. Johnson: I was just going to say, I should quantify small amounts. Small for a sovereign the size of Canada.

The Exchange Fund Account is a pool of liquidity the government has put aside and is available should it be needed, subject to the conditions of the Currency Act.

Senator Marwah: Thank you again for your comments. You made some points about the issues of interconnectedness between financial players. That’s a global issue. It’s not just unique to us. Everybody is talking about it. Governor Poloz talks about it. I think your CEO made a speech recently, a couple of weeks ago, about interconnectedness and what the Bank of Canada is really doing.

I would like your views. Is there anything that you have seen in other jurisdictions that others are doing, perhaps, better than us and putting higher standards to manage cyber risk and to manage payments risk? I’m particularly worried about these large payments, the LVTS and ACSS, the guts of our payment system.

Are any other jurisdictions doing more than us in terms of controlling cyber risk within that space?

Mr. Johnson: I would suggest we are at the forefront. I would be reluctant to put a specific ranking. We are active in a number of international fora on the payments side. Canadian payments and market infrastructures, the FSB, the BCBS. We work very closely with our peers.

High-value payments networks are an area that have attracted an increasing amount of recent attention. This is an area, certainly prior to the financial crisis — and, indeed, even a little bit after — was well below the radar for most people and indeed even within governments. It was plumbing that just worked and you didn’t pay much attention to it.

I think, like plumbing, you realize how important it is when it stops working and you’ve got an awful mess to clean up. There was a little bit of that in the financial crisis. Certainly not in Canada.

I would also point to, recently, the cyberattack on the Central Bank of Bangladesh, where the Central Bank of Bangladesh’s payment system was compromised. False SWIFT messages were sent to the Federal Reserve Bank of New York and $80-some odd million was exfiltrated to, quite frankly, casinos in the Philippines.

I think that was a bit of a wake-up call. High-value payment systems are a target. A huge amount of money flows through there.

SWIFT, which is the Society for Worldwide Interbank Financial Transactions, a messaging system by which this is done, has put in place a series of mandatory controls to ensure, to the extent one can, that similar incidents don’t happen again.

We are all working to become fully compliant. We at the Bank of Canada have put increased focus on what we call a financial crime risk management framework to build up our own defences, both automated and manual, to ensure the transactions we conduct, both on behalf of the government and our other clients — we offer banking services to foreign official sector institutions — are legitimate, are not compromised, that who we’re dealing with is who we think we’re dealing with and to not find ourselves in that area.

It is rapidly evolving. We are at the forefront of taking best steps to guard against this. We are coordinating with what I would call the leading official sector service provider to central banks in the world to take measures to make sure we are, again, at the vanguard of this.

Senator Marwah: You are also responsible for regulation of the financial market oversight, including payments, and the largest guts of payments are LVTS and ACSS. Those are the guts of our payment systems.

Let me ask you a question. If a bank gives information to a fintech, does that mean that fintech has easier access into LVTS and ACSS?

Mr. Johnson: No.

Senator Marwah: How do you control that?

Mr. Johnson: In order to access LVTS and ACSS, you need to have a settlement account with the Bank of Canada.

Senator Marwah: You control that? They can’t jeopardize the payment system?

Mr. Johnson: We control who has access to settlement accounts, yes. It is a closed system. You don’t access LVTS through the Internet. It’s a dedicated network. You need a dedicated SWIFT terminal. You need to meet a host of standards, including having a settlement account at the Bank of Canada.

Senator Marwah: There’s no additional risk in terms of a bank giving information to a fintech?

Mr. Johnson: Not for the high value payment system, no. I can be specific to that.

Senator Marwah: Thank you.

Senator Tannas: Thanks for being here. Can you confirm, today, are there any fintechs that are unregulated or outside of your purview, outside of regulators’ purview, that could severely damage our financial system, either through some cyber event that locks it up or through a financial failure?

Mr. Johnson: The scope and definition of fintech is incredibly large. Working with the FSB and looking at the fintech environment, we have concluded at this time, at least, fintech — be it crypto assets, be it crypto tokens, be it person-to-person lending, be it a host of other applications that might do this — does not pose a systemic risk to the Canadian financial system.

As I said, there are investor protection concerns and there may well be privacy concerns. In terms of systemic risk to the economy, to the financial system, the conclusion was no. You worked on that.

Mr. Hendry: I agree. There are a lot of fintechs out there, but they are not very big, for the most part. In some other countries, that is not true. In China there are two other major fintech companies that do the lion’s share of payments these days. That is not true in Canada.

There are many small fintechs, but they are not systemically important.

Senator Tannas: If you identified a fintech or a segment, a sector, that had grown — because it’s all moving fast — to a point you saw it could present a threat to the financial system, either through privacy or a cyberattack or a financial failure, do you have to come back here, as you have done in the BIA, and ask for the right to take over that organization in a crisis, or do you have tools at your disposal that would allow you to, either with your colleagues at other regulatory bodies or yourselves, put your umbrella over top and say, “We’re doing that.” Do you have to come back here or can you move quickly and of your own volition?

Mr. Johnson: I would say it’s hard to generalize. If it was what we would characterize as a financial market infrastructure that had grown, if it was a new type of exchange or new type of central clearing counter party, that would fall under our mandate. If the governor were to declare them to be systemically important, they would fall under our regulatory purview and we would not need to return.

If it was of another nature, we would take it to our SAC, our FISC partners, and highlight that in our view, this has reached the stage where it may be systemic. If it was appropriate for our SAC or FISC or provincial, for that matter, regulatory partners to do it, they would. I couldn’t speak for our regulatory partners as to whether they felt they might need to come back and enlarge their regulatory umbrella, but it would be raised in those venues.

The Chair: But the point is you monitor?

Mr. Johnson: We monitor very closely.

Senator Stewart Olsen: Just a clarification, if I may. The two major fintechs in China are moving into Canada, are they not? We are organizing ways to pay through those two major companies. I think it has been addressed with the Chinese tourists who are coming over.

Do you know anything about that? Just because you said it could be a systemic risk. Sorry, chair. Thank you.

The Chair: No, no. That’s a good point.

Mr. Hendry: I know of one that has started making inroads into Canada or efforts to try and enter Canada. I’m not sure about the other one, Ant Financial. But the same sorts of criteria would apply. If it grows, in our opinion, at the Bank of Canada to be prominent or systemically important, we would ask the governor to designate it as such and then it would fall within our regulatory perimeter.

Similarly, the government is working on a retail payments oversight structure currently to make sure there is a broader perimeter for smaller payment infrastructure that is not yet at the prominent or systemically important stage.

Senator Stewart Olsen: Thank you very much.

The Chair: Good clarification.

Senator Wallin: I just need to go back to basics here for a moment. In your remarks, you said, “We are ensuring the financial market infrastructures overseen by the bank are taking appropriate steps to mitigate cyber-threats.”

The explanation of that is, just a few moments ago, you can control who has access to bank information, the governor and others are giving speeches. You highlight these issues or concerns to your federal partners.

Do you have any punitive authority? Do you have any ability to halt transactions? Do you have any ability to demand a change in behaviour from any fintech, domestic or foreign? I’m just looking for other tools you might have in your arsenal other than giving speeches and raising awareness.

Mr. Johnson: For those FMIs that we do have oversight authority for, supervisory authority, we very much do have direct tools. We are the regulator for LVTS, for ACSS the TMX, CDCC, the various exchanges. We do have the authority to go in and say, “You need to do this if you wish to continue to operate.” You give them more than a second to comply, but yes, we do.

In other areas where we do not have — by and large we’re a non-regulatory central bank. In other areas where we do not, it truly is through monitoring, through raising awareness and through engaging domestically with partners.

Again, I’ll return to the SAC and the FISC venue. We do have that and it has proven to be effective.

Senator Wallin: I guess that whenever the governor and deputy come here to talk to us or whenever they give a speech anywhere they have to tread very gently because if the bank says something that takes it over the edge, you don’t have the freedom that the Privacy Commissioner has to say yesterday that we have a problem here, a really big problem.

How do you walk the line given all of the things happening now and the speed at which they’re happening of raising awareness and concern without setting off some crisis. Is that part of the conversation you’re having now, which is: When do we take it to the next level to a level 4 from a level 3 in terms of our rhetoric and warning systems?

Mr. Johnson: I happily let the governor walk that line. He’s better at that.

Senator Wallin: I’m sure you will.

Mr. Johnson: Again, you do want to not overreact with the rhetoric, as you say.

The bank is a very, for lack of a better word, thoughtful research-based policy institution. We do openly engage with others, with industry, with other regulators and other areas. We and the governor are working in the cyber area jointly with banks to coordinate a recovery mechanism from a cyberattack.

Really, it’s very frequent interaction and communication with industry domestically, with industry internationally and with our international peers to make sure we’re not either lagging behind or running around screaming “Fire!” in a crowded theatre, which is never good.

Senator Wallin: I’m glad to know that you’re having the conversations quietly and thoughtfully behind closed doors.

Mr. Johnson: Again, it’s not all behind closed doors.

Senator Wallin: I understand.

Mr. Johnson: But yes, this is done very thoroughly, rigorously and carefully.

Senator Wallin: Thank you.

Senator Ringuette: When Senator Wallin was talking about your tool kit, I’m looking at Division 7 of Part 6 in this bill where in regard to payment clearing and supplement, which gives you another set of very important tools you didn’t have before. If a payment clearing system seems to have some difficulty, you can move in and say, “Okay, everyone that’s part of this clearing system, you have to stay within until we manage this.”

You have this new tool, so —

Mr. Johnson: You’re referring to the resolution authority for the financial market institution, which is a very important new tool for the regulator. The idea there is it was directly a lesson learned from the financial crisis.

When a systemically important financial institution ceases to exist — and I believe Senator Marwah, you referred to the interconnectedness, the degree of interconnectedness. This is not the bankruptcy of a toy store. This is something that can reverberate massively. We saw what happened with Lehman and the reverberations and global consequences that followed.

FMIs are, by their nature, incredibly interconnected. These are central clearing houses. Everyone uses them as the central counter party to closed trades. They’re well capitalized and very well risk proofed. In the event one of them would fail, it could potentially be catastrophic because they are the counter party to everyone else’s trades.

What the resolution authority permits the bank to do as a resolution authority is to step in and effectively take that over, put a stay on and say, “No one is going anywhere. We’re here now. Don’t worry about us. We have lots of liquidity. We will wind this down in an orderly fashion and resolve it, essentially.”

It’s a tool you don’t want to use. It’s not a preventative tool. The tools I was referring to are things we can do ex-ante to ensure good behaviour, high standards are met and to ensure not a bad outcome. The resolution authority is a tool that will be used —

Senator Ringuette: At the extreme.

Mr. Johnson: Well, if a very bad event has happened.

Senator Ringuette: At least now within this bill you have that tool.

Mr. Johnson: Yes, and it’s critical. Thank you.

Senator Eaton: In your notes, gentlemen, you wrote:

As the financial stability board, reliance by many financial institutions on the same third parties and the interconnections between institutions pose a systemic risk to the financial system.

How big is the risk? How much research do you do into those third parties or their interconnections?

Mr. Johnson: I’m going to turn that to you.

Mr. Hendry: Similar to the comments we’ve made now, from our monitoring and our investigations analysis and research, we do not see any third party providers that are systemically important at this time, that they are so important that a failure, whether a financial failure or an operational outage, would cause contagion and systemic risk throughout the financial sector. We are continuing to monitor this, again in partnership with other Canadian regulators or international bodies to understand developments elsewhere.

Senator Eaton: Educate me here. When you talk about third parties and the interconnections, if it’s international, if it’s non-Canadian, are most of their regulations up to our standard? In other words, are we operating on a level playing field or do different countries have different standards?

Mr. Johnson: I’ll jump in. I would say a couple of things.

First, again, I will return to the fact that Canada does have, I would say, the thoughtful situation where OSFI regulates third party standards. The banks can’t just choose to go to any unregulated third party provider. They need to ensure the third party service providers they are using meet Canadian standards.

I’ll try and use an example of what we consider a third-party provider would be cloud services. It’s an if. As Scott has said, we’re not there now; it’s just something that’s been identified as a potential risk. One can imagine if every Canadian bank all of a sudden said, “We’re going to use Microsoft Azure as our cloud service provider. We’re all going to go to that and run our web portals off of that. We’re going to run our telephone banking apps off of that,” and lo and behold, that went down for a day or two and there was no ability to transact. One could imagine an interconnected risk there in the sense that the entire financial system is using that one cloud service provider.

I’m going a little extreme here. This is nowhere near where we are. But these are the sorts of things you want to watch.

The Chair: I have a question, if I may. As you know, it’s come to the attention of this committee there are provisions whereby banks may be able to provide information in respect of their customers to fintechs. We have heard from the Privacy Commissioner.

My question relates to whether you’re able to comment on the balance to be achieved — if there is a balance to be achieved — between innovation and privacy.

Mr. Johnson: I really can’t comment specifically on the balance between innovation and privacy. I will say that Senior Deputy Governor Wilkins did refer to this in a speech she gave at Rotman.

We very much recognize the need to balance innovation with proper risk management. I’ll use risk management as a broader umbrella to cover everything from operational risk to financial risk to consumer protection to investor protection to privacy. It is essential to balance those.

Again, this is outside of the bank’s mandate, apart from just a broader interest in a safe and efficient financial system. It is why, because we don’t have direct authority over this, we tend to use venues such as speeches and our financial system review to raise these issues and to highlight innovation as fantastic. Innovation in the payment space is truly amazing if you look at the speed and ease with which you can conduct financial transactions.

Likewise it raises risks in new financial products being created and sold to retail investors. Could these proliferation of exchange traded funds, some complex exchange traded funds, crypto tokens, all these things, could they raise risks? Not systemically right now, but something we’re watching and systemic risks are within our mandate. It’s something that, as we monitor, we can raise for awareness it is important to ensure investor education, it is important to ensure investor protection and all of these — it is important to ensure that both the creators of these new products and services, the users of new products and services and indeed the larger community writ large are aware of the balance between innovation and risk.

The Chair: Mr. Hendry, anything to add?

Mr. Hendry: I agree there is a balancing of different policy objectives that must be addressed no matter what the issue is. Here there is a balance between innovation and a broad range of risk management type of objectives.

These need to be considered on a continual basis.

The Chair: That’s very helpful. Thank you very much.

Senator Wetston: I want to follow up on the fintech issue and a quick comment, if you don’t mind, about the fact there’s a shared responsibility in this country in financial markets. I’m making a plug for securities regulators, as I always do, and mention that CDS, as well as CDCC, are jointly overseen by both the OSC, AMF as well as the Bank of Canada. I’m only saying that because I think the committee is well aware there are other regulatory bodies that have a great deal of involvement in overseeing these very important clearing and settlement bodies. I think you would agree with me. It’s just a matter of pointing that out, if I may.

I want to talk a bit about the fintech space. As the chair has indicated about the sharing of information and your comments here that I think Senator Eaton raised with you about third parties: What are your views around the possibilities that — our banks are obviously highly regulated prudentially by OSFI, and I don’t see OSFI in this space with respect to your comments regarding cybersecurity risk and other risks associated with financial transactions. I know they are highly engaged, obviously.

Where I want to take this question is in the blockchain environment, because I think blockchain technology seems to have considerable potential for disintermediation and efficiency. I would think these amendments would allow banks to invest in blockchain technology. That would be my sense of these amendments.

If that is the case, I understand from your comments you’ll be monitoring those kinds of developments. What’s your view with respect to those possibilities? I know that there isn’t a systemic risk issue for now, but how are you factoring in these kinds of developments and not just developments around online lending and other types of transactions that would occur. Any comments on that area?

Mr. Hendry: Blockchain is something we’re very interested in to try and understand how it could change things. We’re still forming our opinion. Again, at this point it has not been put in place in any systemically important system or really in any production level system used in Canada. It’s simply not that important at this point, but it could be. As you say, there are many different companies looking at different use cases for the possible application of this.

There is the possibility under some circumstances that it could disintermediate various institutions and cause important changes in how the financial sector operates.

On another level, it could be just a technology that isn’t really going to change too much of meaning, except under the hood and how things operate and maybe some efficiency levels and provide some important but not systemically important changes to the financial sector.

It remains to be seen what’s going to happen. We’ve done some experimenting ourselves in this area to try and get a better understanding of the technology. We’re trying to keep abreast of the different proposals out there in the private sector or among official institutions for how this could be put in place and what it could possibly change.

It’s simply not clear yet how this will develop and we will continue to monitor it and continue to follow.

Mr. Johnson: If could I add a couple of things? Banks have actually been investing very heavily in blockchain for years. There was nothing that prohibited them. They bought companies. They bought talent. They bought technology. They saw this as, I would say, a potential significant catalyst for change within the system. I think wisely they chose to invest.

Scott did mention it, but I’ll play it up a little bit more. Maybe you’re too modest. We’ve been extremely involved in blockchain. We’re one of the lending central banks in the world when it comes to really engaging in this technology. We partnered with six or seven banks, Payments Canada and a technology company, R3, to create a blockchain-based payment system.

Senator Wetston: You said Jasper?

Mr. Johnson: And then we did Jasper 2, which was a more fulsome payment system. Then we did Jasper 3, which was partnering with the TMX to do an actual security settlement system. Now we’re partnering with the Monetary Authority of Singapore to use blockchain as a way of cross border sharing.

The real lesson here for us — quite frankly, we have yet to determine that it does something so good that you’d throw away the existing systems. It is the partnering with the private sector that’s really valuable because it allows us — it’s a lot easier to see how technology is developing when you’re actually on the ground, building applications with it. We’re very involved.

Senator Wetston: Is it your sense to date that depending on how this moves and the direction it moves in that it will be necessary to develop a regulatory framework around blockchain technology and its uses, whether it be payment systems or other transactional types of activities?

Mr. Johnson: I would say that it’s not yet clear.

Blockchain has for years been touted as something that’s going to fundamentally change the financial landscape. It hasn’t happened. It may be this is simply something banks end up using internally as a way of balancing internal ledgers and that would be a relatively minor change. It may be that this is hugely disintermediating, in which case it would require that.

It is very much an engage, monitor, keep abreast of and react appropriately and proportionately. I think that’s exactly what we’re doing.

Senator Wetston: Thank you.

Mr. Hendry: I want to emphasize as well, as Grahame said, the banks are very involved in this new technology. They really want to understand it themselves and decide whether or not or where they can use it to their own benefits.

It’s not as if they had their heads in the sand and they’re going to be disintermediated by surprise. They know what’s going on. They know what the risks are. They are working hard to improve their systems. Modernization is doing that on a more traditional path of the payment system. They’re also looking at nontraditional paths for payments as well as other types of technologies.

They are very much aware of what’s going on and trying to benefit.

The Chair: We’ve reached the end of our list of questioning. I want to thank you, Mr. Johnson and Mr. Hendry, for being here today.

I would like to observe, in closing, this committee is indebted to the Bank of Canada because you are always helpful, you are frank and you are open with us. We very much appreciate that because it helps us in the work that we’re doing.

Again today, through both of your presentations, you were frank and you were helpful and you were engaged. Thank you very much for that. We look forward to welcoming you back.

(The committee adjourned.)