Proceedings of the Standing Senate Committee on
Banking, Trade and Commerce

Issue No. 41 - Evidence - May 24, 2018

OTTAWA, Thursday, May 24, 2018

The Standing Senate Committee on Banking, Trade and Commerce met this day at 10:30 a.m. to study the subject matter of those elements contained in Divisions 2, 4, 5, 6, 7, 12, 16 and 19 of Part 6 of Bill C-74, An Act to implement certain provisions of the budget tabled in Parliament on February 27, 2018 and other measures; and in camera, for the consideration of a draft agenda (future business).

Senator Douglas Black (Chair) in the chair.


The Chair: Good morning. I want to welcome my colleagues and members of the general public who are following today’s proceedings, either here in the room or via the Web. My name is Doug Black. I’m a senator from Alberta, and I have the privilege of chairing this committee. I’m going to ask my colleagues to introduce themselves. A couple of our colleagues will be late today because of other engagements, but they’re on their way.


Senator Ringuette: Pierrette Ringuette from New Brunswick.


Senator Unger: Betty Unger, Alberta.

Senator Wetston: Howard Wetston, Ontario.

Senator Marwah: Sabi Marwah, Ontario.

Senator Stewart Olsen: Carolyn Stewart Olsen, New Brunswick.

The Chair: Of course, as always, we are extremely well served by the clerk of this committee and our analysts from the Library of Parliament.

Today, we’re continuing our subject matter examination of various divisions of Part 6 of Bill C-74, the budget implementation bill, 2018, No. 1, with a focus on Division 16, amendments to certain Acts governing federal financial institutions and related Acts, and Subdivision A regarding financial technology activities.

We have a stellar panel this morning. If anyone has any banking concerns, we have the right group here. I welcome, from the Royal Bank of Canada, Holly Shonaman, the Chief Privacy Officer; from the TD Bank Group, Jane Stubbington, Vice President, Compliance, and Global Chief Privacy Officer; from Scotiabank, Mike Henry, Chief Data Officer; from the Bank of Montreal, Chris Bradley, Associate General Counsel, Canadian Personal and Commercial Banking; and, from the Canadian Imperial Bank of Commerce, Dave Bruyea, Senior Vice President and Chief Information Security Officer.

I’m hoping that we have opening statements from some or all of you, and then we will move to questions from the senators. Welcome. Thank you very much for being here. We’re looking forward to your presentations.

Mike Henry, Chief Data Officer, Scotiabank: Good morning, Mr. Chair and honourable senators. My name is Mike Henry. I’m the Executive Vice President and Chief Data Officer for Scotiabank. It’s a pleasure to be here with you today. I thank members of the committee for this invitation to discuss Scotiabank’s commitment to the privacy of customer data and this committee’s study of Division 16 of the Bank Act, which would permit investment and partnership with fintechs.

For the past 186 years, Scotiabank and our employees have been proudly serving communities across Canada and around the world, in the more than 50 countries that we operate in. In all of those places, our number one business priority is helping our customers become better off, while protecting the trust and the relationship on which our business is built.

Over the last number of years, we’ve seen many changes in the financial services sector, including, in recent years, with the digital transformation this industry is going through. What has not changed, though, is our unwavering commitment to our customers and to maintaining their trust. I’d like to comment briefly on our customers, on privacy and also on security.

The Canadian banking system has been a model of stability in the global financial system, ranking among the soundest in the world for the last decade and weathering the financial crisis. Banks in Canada are well capitalized. They are well managed, and they’re well regulated. The financial industry is in a time of transition right now, and, like other industries across the country and globally, we have been witnessing a new era of significant change, defined primarily by rapid advancements in technology and increasing customer expectations for seamless digital experiences.

Canada has the potential to play a leading role in the development of the global digital economy. It’s important that Canada drive an innovation agenda to keep pace with this changing nature of financial services through the modernization of balanced regulation. To that end, the provisions proposed in Division 16, Part 6 of Bill C-74 are integral to ensuring the updated legislative framework will foster an environment for innovation in financial services that will be required to facilitate the development and delivery of new financial solutions to the benefit of all Canadians and to encourage collaboration between banks and the fintech community.

It’s important to clarify that, contrary to statements made to this committee, these changes to sections 316 and 317 have no impact on the current provisions in regard to the use of consumer data in insurance referrals covered in section 416. The insurance business banking rules are very clear in how they dictate insurance referrals and proscribing the use and disclosure of consumer data by banks to insurance companies, agents or brokers.

Thinking of privacy, Canada is a leader in privacy protections. This country has one of the world’s most robust privacy laws, and has since 2001, in the form of the Personal Information Protection and Electronic Documents Act, more commonly referred to as PIPEDA. Prior to that banks had rigorous privacy protections in place. Individuals entrust Scotiabank with their most sensitive information. They expect we will handle it ethically and responsibly, keeping it accurate, confidential, secure and private. We are committed to doing exactly that for them. We make this commitment through the Scotiabank privacy code. Our code is based on the Canadian Standards Association’s model code for protection of personal information. It’s also based on the principles embodied within PIPEDA and the OECD’s privacy principles.

It’s important to emphasize Scotiabank remains accountable for all personal information in our possession or under our control, including any personal information transferred to third parties for processing or other functions on our behalf. We have very robust policies and procedures in place to make sure information shared with or processed by third parties is handled in accordance with privacy laws and with our own high standards for the protection of privacy of individuals and the security of that information.

Shifting to security, Scotiabank has mature policies and standards in place that are continually being enhanced to address the evolving nature of cybersecurity threats and regulatory requirements, as well as best practices and evolving industry standards. We employ an extensive series of protective and preventative measures to safeguard the bank and personal information we handle, process and store. These controls relate to authentication, authorization, encryption, logging, monitoring, anomaly detection, the security of the networks, applications, servers, workstations, even printers. It is achieved and delivered by a dedicated and growing team of security professionals who operate around the globe. As any initiative to allow the transmission and processing or handling and storage of data by a third party, an extensive security review is performed to ensure the third parties’ security standards are equal to or better than our own standards and best practices. This is enforced through specific contractual arrangements that require those third parties to comply in providing those key controls.

I want to conclude by reiterating our support for the modernization of the federal financial sector framework. Canada’s financial industry has demonstrated it is capable of competing, innovating and leading on a global scale, while maintaining the safety and soundness our customers rely on. Canadian banks have been leaders in privacy and security, and we are well positioned, as an industry, to embrace these changes to the Bank Act. I’ll end my comments here. Thank you for your attention. I look forward to answering your questions.

The Chair: Thank you very much, Mr. Henry.

Jane Stubbington, Vice President, Compliance and Global Chief Privacy Officer, TD Bank Group: Thank you for the opportunity to be here today. As the Global Chief Privacy Officer for the TD Bank Group, my job is to implement TD’s privacy program and policies across the enterprise and to monitor our business’s compliance with privacy laws.

I understand the committee has invited us here today to address questions about how banks protect customer data and whether innovation and greater collaboration between banks and fintechs will put customer data at risk.

Let me first say that TD and all banks are in the business of trust. Trust is the foundation upon which the business of banking is built. TD’s focus is first and foremost on earning and maintaining customer trust. This is a business that TD has been in for over 160 years, and it’s who we are. Without customer trust, our reputation and business will suffer.

Canadians have always trusted their banks to safeguard their money and information. As a result, privacy and security are at the core of our business. This will never change and is non-negotiable.

As we move into the digital space, including working with fintechs, customers have heightened expectations for the safety and confidentiality of their information, and so does TD. Privacy and security principles must remain at the centre of our business. Innovation raises the bar for all of us to remember that as we move forward to meet changing customer expectations, we hold onto the principles and values that made us their trusted partner in the first place.

As technology and the business of banking evolve, the way we protect our customers must evolve as well. Cybersecurity is a top priority for the bank. We continue to assess and respond to the cyber-threat landscape.

Developing transparent privacy policies is a key element to our building of trust. As our products change and as the information we collect and use changes, we must be sure our customers understand why we ask for their information and how it will be used. We must also be transparent when asking customers to share information with us that is optional, so they can understand why we are asking and then decide whether they want to share.

Trust is built up over years of doing the right thing, but it can be lost in a heartbeat. It is also more than a feeling; trust has substance. It is made up of effective controls and a strong governance framework with a steadfast focus on the customer.

Banks must comply with the federal privacy law, PIPEDA. Changes to the Bank Act do not impact our PIPEDA obligations. More important, no change to the Bank Act will remove our commitment to our core principles of trust and transparency. These principles are not driven by regulation; they are driven by doing what’s right. This means banks must be transparent and have customer consent before sharing any data with a third party, including a fintech or any other company with which we work.

Because privacy and security are so integral to our business, TD chooses partners and service providers very carefully. We have a robust process for evaluating and auditing partners and service providers who have access to customer data. We must be satisfied that any partner has appropriate privacy and security protections in place. Regardless of whether a fintech is under a different level of regulatory scrutiny than the bank, TD’s own privacy and security standards mean we won’t work with companies that cannot demonstrate high standards in data protection.

In addition, the same privacy laws apply to fintechs engaging in commercial activity in Canada. They will effectively be under two layers of scrutiny: one by the banks with whom they partner and oversight by the Office of the Privacy Commissioner and relevant provincial privacy regulators.

We don’t look to avoid regulation that governs how customer information is handled. We embrace it, because it is central to our relationship with our customers and our business model.

The provisions proposed in Bill C-74 are unrelated to and do not change the current restrictions on banks in insurance. This includes relationships with third-party service providers. These restrictions also mean banks cannot use their relationship with a third-party fintech company to indirectly provide bank customer information to insurers.

The new powers proposed in the Bank Act will continue to be subject to section 416 of the Bank Act and the associated regulations prohibiting the bank from directly or indirectly sharing information regarding its customers to an insurance company, agent or broker. While the amendments will add or clarify certain powers of the banks, they do not override the prohibition for banks to directly or indirectly share customer information with an insurance company, agent or broker.

We do not and cannot take customer confidence for granted. Once we have earned the customer’s trust and business, we must work every day to maintain it. Trust is hard to build and very easy to lose. We want to foster lifelong relationships with our customers, help them identify their financial needs and offer suitable products to meet them, all while remembering that customer control, privacy, data security and transparency are central to our success and relationship building. Thank you. I look forward to questions.

Holly Shonaman, Chief Privacy Officer, Royal Bank of Canada: Thank you, senators, and thank you for initiating this dialogue today.

As Chief Privacy Officer, I am responsible for privacy governance across our enterprise. I would like to thank you for the invitation to appear today to talk about the privacy of client data in relation to the committee’s study of Bill C-74.

Canadians know RBC as their local bank as well as a strong business leader — a company that has existed almost as long as Canada itself. We are recognized for the quality of our advice and solutions, for being a respected employer, a champion of diversity and innovation, and for our commitment to this country’s youth and future prosperity. We are recognized as a company dedicated to protecting the privacy of our clients and safeguarding the personal and financial information entrusted to us.

Our relationship with our clients is built upon a foundation of trust. We take the privacy of customers’ personal and financial data very seriously. Safeguarding the confidentiality of our clients’ information is always our top priority.

RBC companies follow comprehensive privacy policies and practices in compliance with laws and to support our commitment of trust through integrity in everything we do. Our privacy principles describe how we collect and use client information, how it may be shared and with whom, our security practices and the choices of our clients. All of this information is publicly available on every page of our website.

I would like to stress we only use personal and financial information for the purposes we have communicated to our clients. If we plan to use it differently than its original purpose, we would obtain client consent to use it in a new way.

Generally, most client information is collected when they interact with us; for example, when they apply for a product or service or sign up for a special offer, we ask them for information that allows us to complete their requests. We also use their information, if they have agreed, to offer products and services that might meet their specific needs.

We take consent very seriously. Our language is plainly written. It is not overwhelming. It is concise and to-the-point.

Under certain circumstances, personal client information may be shared among RBC companies or third parties, always subject to any legal requirements such as insurance restrictions. This can allow us to help our clients achieve their financial goals. It would only be done with our clients’ consent. Clients who do not want their information shared among our companies can easily tell us. Also, we may share information with other RBC companies to detect or prevent fraud or crime, to enable those companies to meet regulatory, legal, financial or other reporting obligations, and only as permitted or required by law.

We also use service providers to perform specialized services on our behalf, such as cheque printing, mail distribution or data processing. Our service providers may at times be responsible for processing or handling personal information. They are provided only the information necessary to perform those services. In addition, we require those third parties to protect the information in a manner consistent with our own policies and practices. We build this into our contractual arrangements and take steps to monitor and ensure they meet or exceed our standards. If they fail to comply with their legal agreement or our supplier code of conduct, we take steps to address this, which could include the termination of that relationship.

We will only share client information with other third parties as indicated under the account agreement and under special circumstances, involving regulation as required by law or to help prevent fraud or protect personal safety.

Our commitment to privacy extends to our online services and any new technologies we employ.

Our digital channel privacy policy applies to online, mobile and other digital channels and services owned or operated by Royal Bank of Canada and its subsidiaries.

We don’t take for granted the role we play in the lives of our clients or the role we play in this country. That is why we continue to advance new technologies and lead innovation while maintaining industry-leading approaches to protecting client data. The reality is privacy has become an increasingly complex issue, not only for the financial services sector, but other industries in Canada and around the globe.

Knowing this, we are diligent in maintaining the highest privacy standards. We have increased our involvement in this area to continue to stay ahead of this evolving issue. Preserving the trust of our clients and all Canadians is foundational to how we do business as a company and how we succeed.

Thank you and I would be pleased to answer questions.

Chris Bradley, Associate General Counsel, Canadian Personal and Commercial Banking, Bank of Montreal (BMO): On behalf of BMO Financial Group, I am pleased to join with my industry colleagues to discuss Bill C-74 and the provisions relating to bank collaborations with fintech firms.

Canada’s banks are embarking on an exciting new era where we integrate remarkable leaps in technology into our businesses. At BMO this represents an integral part of our efforts to deliver a leading customer experience. Our customers have new and modern expectations on how they want to be served. We are working to exceed their expectations.

Partnerships with third parties in the fintech space give us the opportunity to achieve just that. Such partnerships provide the ability to combine the complementary strength of banks, such as wide distribution, great customer relationships, access to capital and regulatory expertise, with the nimbleness and agility these new fintech companies provide. These arrangements provide much-needed momentum to Canadian private sector innovation. These fintech firms, creators of homegrown Canadian ideas, will get the opportunity to bring their ideas to market faster. If we do it right, banks will get the effective development of customer-friendly solutions delivered to market at greater speed and lower cost, along with business processes to boost productivity. Fintechs, meanwhile, will get the capital and market access they need to bring their exciting new products and solutions to a wider audience.

We commend the government for recognizing this opportunity with the Bank Act amendments found in Bill C-74. The opportunity to work with more of these firms will provide greater impetus to banks to bring these solutions to market.

As we look to move forward with the prospect of such partnerships, we must maintain the trust of our customers and adhere to the laws by which we do business. One absolutely fundamental part of this is the protection of customer privacy. These proposed changes allow us to create relationships with more types of firms, but they do not place customer information at risk. It is important to note the legal restrictions that limit banks from sharing customer information, restrictions from nearly a century of legal precedent and more recently the requirements of privacy legislation, remain firmly in place. Our responsibilities to protect the privacy of our customers are not part of the Bank Act and consequently the amendments in Bill C-74 do not and cannot affect those protections in any way.

I want to assure members of this committee our commitment to customer privacy is fundamental to everything we do. This also applies to our third party relationships. When we enter into a relationship with a third party we have a rigorous screening process. Within that process, information security requirements represent the toughest hurdle that such a third party would have to face. When those firms don’t satisfy our own information security requirements, we don’t proceed with the deal unless and until they do. This scrutiny continues beyond the initiation of a partnership agreement, as we have the right to inspect a firm’s security arrangements throughout the course of the contract.

Mr. Chair, BMO is committed to respecting and protecting the privacy and confidentiality of the personal information our customers have entrusted to us. You can be assured the amendments the government has proposed will not affect that commitment or place customer information at any risk. On behalf of BMO, I am pleased to be here today, and, along with my industry colleagues, I’m happy to answer any questions.

Dave Bruyea, Senior Vice President and Chief Information Security Officer, Canadian Imperial Bank of Commerce (CIBC): I’m here today in my capacity as Dave Bruyea, Senior Vice President and Chief Information Security Officer at CIBC.

Let me start by thanking the committee for the opportunity to be here today to speak about information security and privacy in the context of Division 16 of Bill C-74. As part of my responsibilities, I oversee and manage the risk and security services, standards and policies that safeguard CIBC’s information assets and systems, including our client information and data.

Today I’ll be focusing my remarks on information security and the checks and balances we have in place to ensure the integrity of our clients’ data, particularly when working with third parties.

At CIBC, information security and protecting the privacy and confidentiality of personal information is paramount, and an integral part of enabling trusted client relationships. Our reputation and the strength of our client relationships are heavily dependent on how we, as an enterprise, treat and respect both CIBC-owned information and the information entrusted to us by clients, employees and business partners. This is why we have rigorous programs in place to protect our clients and corporate information, and robust policies that govern how we treat that information.

As an illustration, in order to be transparent with individuals whose personal information we hold, our privacy policy sets out details around the limited circumstances under which personal information may be shared. For example, with client consent we may share personal information where a client is participating in a partner program, such as a credit card rewards program.

It is also important to recognize banks operate in a highly regulated environment. Therefore the referral and information sharing processing rules, with a fintech or otherwise, are well established in our regulatory framework, including by OSFI guideline B10, which requires a review of the third parties before entering into contracts. Let me be clear. The Bank Act amendments we’re discussing today do not change the bank’s obligations to secure our customer data, either ourselves or with respect to third parties holding it on our behalf. The existing, robust requirements banks are subject to when contracting with a third party, or when referring a customer to a third party, remain the same. Let me close by clarifying the current legislation as proposed does not permit a bank to do anything more in relation to the business of insurance. Those restrictions have not been amended, nor are we seeking for them to be. The proposed changes in no way permit a bank to do, directly or indirectly, in the future what we are prevented from doing currently as stated in section 416 of the Bank Act.

Thank you, I’m looking forward to your questions.

The Chair: Thank you. Before we proceed to questions, I would like to introduce Senator Tannas from Alberta, Senator Dagenais from Quebec and Senator Tkachuk from Saskatchewan.

Senator Stewart Olsen: Thank you for your very informative presentations. I appreciate and have appreciated the rigour with which banks protect their clients’ information.

With these new regulations and ability to share with third parties, while I hear what you’re saying about how you will not enter into contracts, et cetera; I’m not sure you can actually fulfill that with today’s changing technology. As you said, the technology is rapidly moving forward. I understand you enter into these with a good deal of security in mind. I’m not sure you don’t need to change that and review how you’re entering into all this.

My second question would be along the lines of informing the clients you’re working with. I know that nowadays people come in and when you open an account or something you sign. I for one had no idea that what I was signing would mean that you could take my information and share it with other companies and fintechs.

I’m wondering, are you considering offering your consent forms or your consent information to clients when they apply for your services? When you share the information, are you providing your client with whom you’re sharing it with, on a regular basis?

For instance, if you enter into a new contract, you would advise your clients the bank has entered into this new contract, are you okay with us sharing your information?

With that, I leave you. I have three questions.

I don’t want to take up all the time so if you could be brief in your answers, I would appreciate it. I’m sorry I went long.

The Chair: Why don’t we start with you, Ms. Shonaman, and the next time we’ll start at the other end.

Ms. Shonaman: I’m happy to start and my colleagues can jump in as they need to. We are concerned about the rapid pace of change in technology and in all consumer industries. Our clients are demanding and expecting we offer services that suit their needs. We believe it’s important to stay on top of those. We are constantly looking at how our privacy policy evolves, how we talk to our clients differently and enter into a discussion with them about privacy.

In terms of your second question, we have taken a look at all of our language based on our compliance with the new European Union privacy law. We see opportunities and we have made changes that make it clearer how we use people’s data. We make that accessible to them on our website and through talking with our branch staff or advice centre agents. Finally, I would say we have to strike a balance between how much information we provide our clients and our ability to deliver the services. Clients don’t want to hear from their bank all the time. I think as we proceed, become clearer, the expectations change and people’s awareness changes, which we welcome, we are ready to have those conversations with people. We are ready to figure out ways to be more specific on how and with whom we’re sharing their information. We’re open to it. Right now, we use more blanket language for people to understand the kinds of purposes and the very limited information provided to third parties.

Ms. Stubbington: I would concur with everything my colleague has said. We believe in meaningful and informed consent. We know our customers need to understand how and why we’re using information. That means that we, too, need to understand how and why the information is being used in particular ways.

We stay on top of changes to technology as they are happening and we are transparent with our customers with respect to those. We have information on our website that is in plain language. It highlights what we do with information. It highlights where we share information with third parties, and that will include the fintech context.

We do that so customers understand and so we can stay up-to-date with what customers are expecting and what their financial needs are.

Mr. Henry: I agree with everything my fellow panellists have said and in the spirit of not being repetitive, I’ll take a bit of a different angle, senator. We operate a business based on trust. Because of that, protecting the safety and soundness of the entire system is fundamental to what we do. That, in and of itself, is our primary motivator. It is in our own best interests in operating our business to make sure that anyone we partner with and work with meets the same high standards we hold ourselves to because by taking care of our customers in that way, we benefit our business overall.

Mr. Bradley: Exactly. I agree with my colleagues. If we entered into a relationship with a fintech through which the fintech was providing service to our customer — some banks, for example, enter into relationships with firms who have expertise in small business lending — we would get consent directly from the customer before disclosing information to a fintech.

Mr. Bruyea: The only thing I would add is with respect to the cybersecurity landscape. It is constantly evolving and becoming increasingly dangerous. There’s no doubt. Both internally and amongst the other institutions I work with, as well as with the government, we are spending a lot of time identifying threats to the banking system, threats to our own products and services and designing countermeasures to make sure we stay on top of those risks.

Senator Stewart Olsen: I know you’re doing that, but I’m not sure the fintechs are doing that. Thank you very much.

Senator Marwah: Thank you all for your presentations. They were all very clear.

There has been a fair bit of discussion at this committee that would lead us to the impression that fintechs are not regulated by Canada’s privacy laws. In fact if you give information to a fintech, they can do with it as they please. Besides privacy they could undertake activities that, as Senator Tannas said once, allow you to do through the back door what you can’t do through the front door, such as sell insurance. You say that would not be permitted and you would not be able to undertake those activities. I would like to hear your comment directly on the privacy side and about what else can the fintechs do.

Ms. Stubbington: I’m happy to start with that to make it very clear fintechs are subject to privacy laws in Canada. To the extent they’re carrying on business at the federal level as a commercial activity in Canada, they will be subject to PIPEDA and to the extent they’re carrying on activity within a particular province that has its own legislation — I’m speaking specifically of Alberta, BC and Quebec — they would be complying with those laws and subject to those privacy laws.

We feel very sure they need to comply with privacy laws.

The Chair: Does anyone else wish to add to that?

Ms. Shonaman: I would like to add we are a highly regulated industry, subject to OSFI’s supervision. We feel responsible for the end to end use of our data. It does not matter how many or who is in the mix of that supply chain. We feel responsible for the entire usage from start to finish. That’s where we derive our comfort and where we put our efforts.

Mr. Bruyea: When we design these information-sharing arrangements between the bank and these third parties, we look at the scope and use of information to restrict it only to activate the services and the relationships being built.

Senator Marwah: How do you control activities the fintechs may do that you cannot do directly? How do you ensure that cannot happen?

Mr. Henry: Mr. Chair, I’m happy to pipe in on that and Senator Marwah, you had a secondary question about insurance. If I focus on that initially, I think it’s important to be unequivocal. If I were to summarize section 416 where there are no changes, banks are not permitted, through any subsidiary, any affiliate to directly or indirectly provide any information with respect to a customer that would be used for the purpose of promoting insurance products. Nothing changes there and we’re not seeking changes there.

To broaden the question, as you did in follow up, we are getting consent for a specific use of customer information as we pass things along and would contract for that specific use. And that contract would be subject to the oversight in OSFI in making sure we work appropriately with that third party.

The Chair: Anyone wish to add anything else to that? Senator Tannas, do you have a supplemental?

Senator Tannas: Ms. Shonaman said they feel they should have the same standards. My understanding is that you must; it’s not that you feel, you must?

Ms. Shonaman: I guess I’m coming from a cultural perspective. That is what we believe. It is the truth. It is legally true. It’s true under our agreements and under the law but we feel it as well.

Mr. Bradley: As my colleagues mentioned, fintechs are governed by privacy law and we have contracts with fintechs. It’s very clear we not only put that in our contracts but we take it very seriously. If you look at the Competition Bureau’s study on fintechs, they said one of the toughest hurdles that fintechs have to deal with, before dealing with a bank, are our information security requirements. It’s something the banks are under great scrutiny from OSFI to make sure they get it right.

Senator Wetston: The Privacy Commissioner was here yesterday. I’m sure you’ve probably had an opportunity to reflect on his testimony.

When I think of banking, it’s a very complex, multifaceted business, engaged in many areas of activity. Then I think about customers.

The Privacy Commissioner will soon be publishing or providing guidelines for consent of customers. I expect that will also be applicable as guidance to customers of the banks. I don’t think they’re out yet. Maybe you’ve had an opportunity to have discussions with the Privacy Commissioner about those guidelines. Any thoughts about that?

Ms. Shonaman: We’ve been involved with various provision of and drafting of guidelines with the Privacy Commissioner’s office through the Canadian Bankers Association. Guidelines help us in our business because they make it very clear what the regulatory expectations are. We treat guidelines very seriously. They don’t have to have the force of law for us to be very concerned about whether we are compliant with those guidelines.

Senator Wetston: Any other thoughts? My question was too simple for you, then.

Mr. Bruyea: Clearly, there is a global trend to modify and update privacy legislation to match the speed of innovation going on today. We would expect to work with the Privacy Commissioner on updating our PIPEDA legislation to do the same.

Senator Wetston: Thank you for that. In my mind when I think about privacy, I also think about data security. It’s difficult for me to sometimes distinguish them.

You must, you’re professionals. When you’re thinking about privacy, you think about one aspect of this. In data security, you think about another aspect of this.

I know we’re looking at Division 16, Part 6. My experience in examining what is going on in the financial markets, and I think we can collectively look at what is happening in financial services with robo advisers, blockchain technology, cybersecurity firms not within the bank but supplying services to the banks, having their own issues around who is supplying it and security related to those particular firms, AI and all those related matters. When I look at what the intention here is, it’s greater flexibility for financial institutions to undertake and leverage broader fintech activities that enable the delivery of financial services in new and innovative ways.

What does that mean?

Mr. Henry: I think, senator, what we’re looking to do is create new value for our customers. Every day we are experiencing new things digitally we hadn’t imagined even just a short time ago. We’re looking to bring these experiences into the world of financial services in a way that makes banking easier for Canadians and delivers that extra value to them. All of that will happen, though, within the framework we spend tremendous effort focusing on from both a privacy and data security standpoint.

Senator Wetston: Technology has its advantages and benefits, and it also has its risks. Are you creating more risk?

Mr. Bradley, you were going to respond to that question as well. Maybe you can take that one on.

Mr. Bradley: My response would be no, we’re not creating more risk. It’s important to understand we already have the authority to deal with fintechs. We do today, and that’s what the Competition Bureau was talking about in their fintech study about how we deal with fintechs.

The proposed legislation just amends what we are already enabled to do, for example, by allowing us to deal with fintechs not solely in the financial services world, that use their technology for services more broadly, which is important for innovation in Canadian industry. The standards by which we govern ourselves when we deal with fintechs are not going to change. We’re just being enabled to deal with a slightly broader range of companies.

Mr. Bruyea: I would add, senator, that in privacy policies in the legislation that’s been built up over many years in Canada, there are some immutable principles associated. The same is true on the data security side. There are some immutable principles that must never be violated. The way we design countermeasures today to effect the protection of customer data changes and the principles, and the way we go about addressing culture issues, people issues, process issues in any partnership arrangement we might have are the same.

Senator Ringuette: First, I must say thank you to all of you, and to our chair for finally having individual faces of our financial institutions in front of us instead of the Bankers Association that I’ve seen here only on your behalf for the last 12 years. I welcome that.

I understand you have and are still investing heavily in cybersecurity. However, what we’re looking at is a brand new opportunity for financial institutions in Canada to Part 6 Division 16. It’s an entirely new addition to your abilities.

Now, in regard to that entirely new section for you to be partnering, owning, investing in all this new slate of fintech and the specific language in regard to data, which is our personal financial information.

We have received at this committee on this issue the Privacy Commissioner, who has not been consulted in regard to this new section and does not see the balance between the new powers you will have and the balance of privacy of information.

Yesterday, we had two witnesses from the Bank of Canada who follow with great care the different systemic processes of financial institutions, and again there, the wish for a balanced approach of innovation in the sector and privacy of information.

We also have in the news the obligation from the EU in regard to privacy, that each time a financial institution or whatever business entity in Europe wants to transmit, manipulate, or whatever the data, they have to have the specific one-on-one consent from the person in question.

The Chair: Your question, please. I know you’re getting there.

Senator Ringuette: At the end of the day, it’s all fine and dandy you have codes, that you have policy. Actually, I have in front of me the policy from the Royal Bank. It’s 75 pages that I didn’t sign to, but it’s your policy, and since I’m a customer, I’m part of your policy.

Why would you resist further security and trust to your different financial entities by having an amendment that would be provided to us by the Privacy Commissioner so that Canadians using your financial institution will have greater trust that their information will not be transmitted unless there is specific consent from them?

Is that a good enough question, chair?

The Chair: Yes. Panel, please.

Mr. Henry: I’m happy to start and invite others to join in. There was a lot in there, Senator Ringuette. I’ll try and touch on this broadly. Some of the key points are to remember this is not an entirely new opportunity. Banks can already partner with the fintech community. What we’re trying to do is modernize what I would characterize as some anachronistic provisions in the Bank Act, to take out some speed bumps. That’s for the benefit of Canada. We take very seriously the role we play in the social and economic fabric of the country as a whole. We think this speaks to the innovation agenda our country has as a whole.

I would also mention that what we’re doing here happens within the existing framework of privacy protection in this country. I don’t think we should conflate what’s happening in the Bank Act with separate, already robust privacy regulation. In fact, you cited Europe as an example, and I would point out the European data protection supervisor has just formally recognized the adequacy of Canada’s privacy framework.

We are completely open to and, in fact, happy to engage in dialogue with any and all of our regulators on how we continue to advance the agenda within Canada. We think we’re doing it for the overall good of the country.

Senator Tkachuk: In this discussion, I would like to know what does a fintech bring to a bank? Why would you want to partner with them? Why do you buy them? How do I as a customer benefit? I deal with two of your banks. It’s important to me.

Mr. Bradley: I can take a stab at that first. The reason we partner with a fintech is fundamentally to enhance the customer’s relationship with the bank. We know there are some things a bank can’t do or can’t do as well as some other companies, such as a fintech. If we can enter into a relationship by which we can offer our customer, if the customer chooses, the opportunity to work not only with us but also with a fintech we’ve engaged to work with us, that will enhance the customer’s relationship with us. That’s the fundamental reason.

Senator Tkachuk: Like what? Give me an example.

Mr. Bradley: I mentioned before a fintech has particular expertise on small business lending that might be able to work with a bank to facilitate more small business lending than a bank would have been comfortable with before.

Senator Tkachuk: I don’t know what you mean. All the banks do have small business lending. They all have expertise with it. They’re all very good at it as far as I know. What does a fintech bring that would be different, out of the business range you have that will be complementary to your business so I as a customer will benefit? How does that work exactly?

Mr. Bruyea: There is a company called SecureKey in the Canadian market. SecureKey is all about identity federation. What it effectively does is offer a utility service that creates a modern equivalent of the provision in the act around letters of introduction to enable us to do that more electronically and seamlessly with our customers. That is a business not effectively primarily in the business of banking. It allows us to modernize a piece of our process to enable consumers to do business in a much more friction-free way, for example.

Ms. Shonaman: Sometimes fintechs focus on life events, having a baby, getting married and buying a new home. What these application providers do is bring a number of service providers together in an easy-to-access way that allows people to access things at the time they want them. A more financial services-based example would be a company that is very good at providing a financial dashboard, doing analysis on a customer’s patterns of transactions and then offering advice and insight on where there might be savings opportunities, where money might be better placed in an RRSP or a TFSA or things of that nature. These are not specific things we are doing, they are just examples.

Senator Tkachuk: You lost me there. You mention that, but if I’m a customer, what does that mean to me precisely? When you say all those things, what does that actually mean? I don’t understand any of this. Just be clear.

Mr. Henry: It’s almost an umbrella comment for some of the shared examples. I think what they bring us is fresh perspective generally on a specialized and specific part of an activity where we’re trying to provide an end-to-end service for customers, we can sometimes find a partner that has this fresh perspective and somewhat more agility, that goes deeper on something. That could be security —

Senator Tkachuk: I’m buying a car. Do you have people who are better than you in buying a car that you would be using? What would happen?

Mr. Henry: I think we’re pretty good at automotive finance. You don’t know what idea you haven’t thought of. We want to find ideas for fresh perspective. Chris mentioned at the outset this is about creating values for customers in our core business. If we find someone specialized in a niche who does it faster and better than we do and we put it in the overall service offering to customers in a way that customers want and appreciate and value, that’s a good thing for everyone.

Senator Tkachuk: Okay. I’m not sure if the question was answered.

Senator Tkachuk: I wouldn’t buy something on that basis. Maybe they know something that I don’t.

The Chair: Thanks, senator. I assume as well, based on your comments that it enhances in your view your respective competitive positions.

Mr. Henry: Yes.

The Chair: Okay. That’s fine. No one is criticizing. You’re in business. While it’s, of course, about customers, it’s also about ensuring your business prospers, grows, is innovative, et cetera.

Ms. Shonaman: Is relevant to our customers.

The Chair: No one is criticizing.

Senator Tkachuk: I’m not criticizing, I’m trying to understand. At the same time they’re doing that, they will be sharing information about their customer base. I want to know who they’re sharing it with. You say fintech. What does that mean? What kind of business is it? What do they actually do? I think that’s important for us to know. I haven’t really gotten an answer as to what that actually is. I think that’s important if we’re going to protect customer security and my security and Canadians’ security.

The Chair: You’re raising an important point, Senator Tkachuk. I want to ensure the panel understands Senator Tkachuk is saying he doesn’t understand why you would deal with fintechs and his sense is you have not answered the question. Is that correct, Senator Tkachuk?

Senator Tkachuk: That is correct.

The Chair: Should we have another go at that or should we move on?

Mr. Henry: By all means let’s continue. My generic answer would be served by more specific examples. David mentioned before small business lending as an example. In Scotiabank’s case we did partner with a company to test something out on small business lending. Our intent was to find out is there a faster way to get a small business customer a loan, to get them the working capital they need to better run their business. In doing so also makes them happier to do more business with Scotiabank.

What we learned from that particular partnership was we could get to the same outcome from a servicing standpoint in a faster way with fewer steps. That brought our customers the kind of expediency they wanted, a more frictionless or seamless experience. It brought us the benefit of financial efficiency and happier customers.

Senator Tkachuk: That was helpful.

The Chair: That makes sense. Does anyone wish to add on that or should we move on?

Ms. Shonaman: You mentioned buying a car. We might partner with a fintech that will tell you what your car is worth at any point in time, in case you wanted to sell it. We might offer the same thing for your home. If you want to know what your home is worth, we may partner with somebody who can have access to all that data and deliver it to our client.

Senator Tannas: It’s clear the culture of our Canadian banks is one of excellence. I’m a huge fan. I’ve had a ringside seat at watching the banks in action throughout my career.

It’s also clear there are more and more interrelationships with fintechs on the horizon, both in terms of service and process outsourcing. I have a concern about service and process outsourcing that I spoke of before. I raised one about a service you’ve outsourced to do the funding of mortgages. This service happens to be owned by a fintech that also owns a title insurance company. That, to me, is where some of this is going. Where the insurance and banking fences are now, we’re relying on the fintech to make sure they don’t have a conflict of interest and abiding by the rules of the Bank Act.

I believe — and we’ve got product partnerships as well — that, if we’re going to have a mess, if we’re going to have a wreck, it makes a lot of sense that it’s going to be a counter-party problem. The culture of the banks is such that it won’t be in the banks; it will be in one of your partners, whether it’s a cyber problem or a breach of the law you’re working to abide by. That’s probably a fair expectation.

My question is: If you agree with that — maybe you don’t; maybe they’re more secure than you guys. I doubt it. If you agree — and I’m sure by contract you all have the ability to send your internal audit people into their operations — could you confirm you are at least as active with your internal audit operations in fintech partnerships, at least? Hopefully, you’ll tell me you’re more active with internal audit procedures and operations and oversight in fintechs than you are in your own ecosystem.

Mr. Bruyea: Thank you, senator. I can start with that answer. First, I think we’ve established here today that it matters little whether we are actually holding the information or the information is in the supply chain. It matters not to the customer. We have a very rigorous process to understand any risks associated with the management and use of information in our supply chain. That rigorous process is backed up by an E21-compliant line-of-defence model within the organization. People may not be familiar with E21. It basically was a guideline set out by OSFI that codifies how you should structure your internal governance processes to deal with specific sensitive matters inside the organization, like risk management, cybersecurity, supplier governance. That piece —

Senator Tannas: That’s good. Would OSFI look at you and say, “How active have you been over here with this service provider?”

Mr. Bruyea: Absolutely. In fact —

Senator Tannas: Show us your records, internal audit meetings or procedures, et cetera, that you have done?

Mr. Bruyea: OSFI is very active in that regard. In fact, there has been some very recent examination activity, over the last couple of months, with respect to third-party supply-chain risks. They have put the banks through a very rigorous process. I would also say, out of Davos, the G7 conversations happening more globally, this whole area of supply-chain risk and third-party risk management is a huge issue. We have to start crossing jurisdictional boundaries when we deal with some of these issues. Higher order committees are taking those into conversations.

Senator Tannas: In your world, there’s the flavour of the month from the regulator — it’s not a month; it goes on for a long time — where they focus on something. Where in the process is this particular third-party chain risk? Are they at the beginning of everybody focused on this? Are we in the middle? Are we nearing the end, and it has all been settled and everything is in place? Where do you think you are in that?

Mr. Henry: I’m happy to jump in and give a perspective. In addition to this notion of selecting and contracting with a third party, which is subject to scrutiny from OSFI, senator, to your exact point, they also have an expectation there’s ongoing monitoring, ongoing attestation, there is what the banks call a “three-line-of-defence model.” First, a business practitioner, just from a good business standpoint, focuses on that. That is subject to challenge by a second line of defence within the organization, what we generally refer to as “risk management,” and the third line of defence is the bank’s audit process. That’s a very robust process that applies equally to this. It starts with that business practice of just saying, “What do we think this actually means from a reputational standpoint,” and goes from there. All of that is subject to OSFI scrutiny at each step in the process. That is something that just continues to get more and more robust. Each of us would have processes for managing operational risk in addition to credit risk. OSFI, in fact, has specific requirements for us to enumerate nonfinancial risks we face, of which third-party risk management is one of those. We have to lay out and attest to and provide evidence on how we actually bring that to life for all of the third parties we deal with on a regular basis.

Senator Tannas: Would you confirm it is at least as robust as what you would be doing in terms of auditing your branches and activities elsewhere in the organization?

Mr. Henry: The standard is that any party we deal with needs to meet at least what we do, yes.

Senator Unger: Thanks to all of you for great presentations and great answers and explanations.

G7 and the EU have been mentioned. A recent report by Privacy International from the U.K., entitled Fintech Privacy and Identity in the New Data-Intensive Financial Sector, stated: “There has been a massive growth in the amount and nature of the data that is gathered by financial institutions about individuals. Many new data sources feed into the creation of financial identities.”

I wonder if you could comment on this from a Canadian perspective. Has there been a massive growth in the data Canadian financial institutions are collecting? In general, do people understand financial institutions are gathering this kind of data, which can include things like call records, text messaging? In some cases data is being gathered even when the customer isn’t on a phone or using the service.

I wonder if Canadian banks are anticipating this influx of additional data now being gathered by fintechs in the EU or U.K.? Would you comment about that?

Mr. Henry: Senator, I think that, for me, that starts with the firm belief that customers have the right to meaningful and informed consent on what data is being stored and what use is intended with the data. We try to be transparent with our customers in that regard. I think we all have a growing appreciation for the fact that, yes, there is more and more data being produced and being gathered around the world. We take very seriously that obligation.

If I reflect in terms of Scotiabank’s business practices, we make a point of regular, ongoing dialogue with our customers from all kinds of different perspectives. We have systems in place to keep that dialogue going and to codify the knowledge and the feedback we’re getting from our customers. I would say that, yes, there is an appreciation this is occurring, that customers actually like and, in many cases, want the new types of value being created from this. Commensurate with that, it’s not just the data that’s growing, but, frankly, what’s growing right alongside is the investment we’re making in securing that data.

Senator Unger: What you just said, Mr. Henry, how does that translate directly to me, say, as an ordinary consumer who has dealt with the same bank forever and trusts the same bank, of course? How would I be informed of how carefully you scrutinize everything on my behalf?

Mr. Henry: Our commitment is to be transparent with our consumers. They have an ability to opt in and opt out for different usages for their data. The more we know about someone, the more relevant and helpful we can be to them. An example would be as simple as reminding someone a payment is due. By gathering that piece of data, which ten years ago wouldn’t have happened, we can deliver an extra piece of value to a customer to help them in their financial lives.

Mr. Bruyea: To your question, senator, there’s definitely a trend to use some additional telemetry or information to protect a consumer. You mentioned identity. There are systems now available where we can detect whether the same computer is being used to activate the banking service that was used previously. In the case where we detect a change, we may want to advise the consumer that someone may be attempting to use your account without your knowledge. That new type of information is available and can be harnessed to protect the consumer.

Ms. Shonaman: I would add that the flip side of all these news reports about how data is being used is our clients are becoming more aware of their rights and asking the questions they should be asking. Under EU law, clients have the right to understand how you process that data and it’s something with which we comply in our European businesses. We don’t think it’s too far beyond the pale to think other regulatory regimes will rise to that standard at some point. We want to be prepared for that. We’re going to hear about this from regulators and our clients and we want to be ready to have that conversation.

Senator Unger: When the Privacy Commissioner appeared before this committee, he expressed concern that Bill C-74 is one-sided. It favours innovation and forgets about privacy.

Can you comment about this and do you share his concern?

Ms. Stubbington: The Bank Act amendments do not change the existing privacy framework. As we’ve been saying, it’s very robust and well respected globally as a privacy framework and that doesn’t change regardless of amendments to the Bank Act.

Senator Unger: You don’t share his concern that it was one-sided?

Ms. Stubbington: I don’t want to speak for his office or for him. The existing privacy framework is there and the banks endeavour daily to comply in all respects with the privacy laws.

Senator Unger: Thank you.


Senator Dagenais: My thanks to our guests. I have been fortunate to listen to your testimony and your replies. I understand that you are careful to protect your clients’ personal information, but you are also capable of substantial technological advances that broaden your chances of attracting new clients. Could there be an equally substantial effort to communicate with your clients when you have to share those clients’ information? What would happen if one of your clients refused to agree to share his or her personal information? You are all invited to reply.


Ms. Stubbington: We believe wholeheartedly in meaningful and informed consent. To the extent we are going to use information we have from a customer for any type of a new purpose, we would need to get consent for that new purpose. We are transparent with our customers. We use plain language they can understand. We offer numerous opportunities to engage with us with respect to any questions. We want that type of engagement. We do want them to understand what information we are using for what purpose, how we’re using it. We really invite that type of dialogue.

Mr. Henry: If I can just maybe bring that to life with an example, since examples seem to have helped in a few instances. In the recent past Scotiabank made an enhancement to our mobile banking app by leveraging a service we pulled into the app from a third party. The way that works is precisely at the heart of your question, Senator Dagenais.

What happens when a customer for the first time goes into that portion of the app, something pops up in front of them and says you’re about to do something new that involves this partner. In plain English, we say this information will need to go to that partner and ask if you accept before you proceed. We apply that approach.


Senator Dagenais: In the area of brokerage, the rules on communication are very strict. I am sure that you are able to comply with them. Could the same communication requirements apply on an individual basis each time you have to share your clients’ personal information?


Mr. Henry: It might be just me, senator, I apologize. I didn’t understand the question.


Senator Dagenais: In the area of brokerage, the rules on sharing information are very strict. Do the same rules apply in other areas when you have to share your clients’ personal information? For example — correct me if I am wrong — CIBC bought La Personnelle insurance company, which then became its property. Could personal information have been shared with the new insurance company that they purchased? Do the same rules apply at that point?


Mr. Bruyea: I do know, senator, we maintain privacy preferences in our customer database related to what we can share and can’t share from a regulatory and customer election point of view. That is all tracked in our databases and our processes use that information to influence what can or cannot be shared.

Ms. Shonaman: We have the same procedure where you have that control and consents and preferences you can choose. There may be particular industries that have restrictions on data sharing. We have the base level that is required by PIPEDA and our own privacy standards that apply to every company in the enterprise. Where there are additional regulations, they layer on top of that.


Senator Dagenais: Daniel Therrien, the Privacy Commissioner, has told us that, in a few months, he will publish what might be called the “informed consent rule.” I would like to know if each of your financial institutions will be applying this informed consent rule without delay when the Privacy Commissioner releases it.


Mr. Bruyea: Senator Dagenais, I believe as soon as we get to see that rule making from the Privacy Commissioner, we will be wholeheartedly implementing that. It will be subject to seeing it first.

Ms. Shonaman: Senator, I would add in some cases, because we are held to a high standard, we may already comply with what is issued.

Ms. Stubbington: I agree.

Mr. Henry: We are committed to always being in full compliance with any requirement.

The Chair: I have obviously heard and listened carefully to what you say and I take away your focus on protecting privacy is robust. I take that as a given from what you have indicated today.

The puzzle I am having difficulty resolving is, why would the Privacy Commissioner propose to us proposed amendments to the existing legislation to further enhance privacy concerns? Why would he feel that for some reason — yet to be explored — that more is required?

Are you able to comment on that?

Mr. Henry: I’m happy to lead into that. I can’t hypothesize on what’s happening in his head. I can share my perspective that we have a very robust privacy framework here in Canada. We’ve mentioned a few times today Canada is viewed as a leader among the world with respect to privacy regulation. Even in Europe where new things are happening, they acknowledge the adequacy of the framework in place in our country. If there’s a view on the part of anyone that there’s an opportunity for improvement, we welcome that dialogue. We would be happy to be part of that conversation.

Mr. Bruyea: The commissioner is responding to the global trends of increasing privacy oversight in all jurisdictions around the world, whether it relates to fintechs or more broadly.

The Chair: Is it fair for me to take away from your comments that if the Privacy Commissioner feels something additional is required, you will salute?

Mr. Henry: I think it’s fair to surmise we would love to be part of a discussion on how we can make improvements for the benefit of Canada as it relates to privacy. If and when something becomes a requirement for us, absolutely we will ensure compliance.

The Chair: Thank you very much. We’re going to move to the second round, being mindful of time, senators, and that we have an in-camera following this, I would ask we keep questions and answers succinct.

Senator Marwah: A quick question. How would the privacy code of the Canadian banks you already have in place compare to those of your major competitors — the U.S., UK and EU banks, all of those with which you compete every day? How would our privacy be on par?

Ms. Shonaman: We look to all industries across the world when benchmarking our practices. Recently we looked at our privacy policy, which will be updated on Friday. We looked at what other banks are doing around the world, as well as other companies — the Googles and Amazons of the world, and so on. We continually benchmark, not just against Canadian banks.

Senator Marwah: You feel you’re on par with the best?

Ms. Shonaman: Yes, I believe we need to be.

Mr. Henry: We frequently have other banks from around the world visiting us here, looking at what we’re doing. I believe that is flattering and is indicative of the leadership Canada demonstrates in this space.

Senator Wetston: I’m going to ask two short questions and give the panel the opportunity to answer the one they want.

The Chair: Or none of the above?

Senator Wetston: Or none of the above. The first question is on the application of GDPR in the EU and your perspective on that — obviously, regulation.

The second question, and you can answer if you like, is: do you believe the policies associated with privacy in the current environment, and given the amendment which is to establish what you’re already doing, more or less, or ensure you’re able to continue in this particular space, do you believe the current policy stifles innovation?

In other words, does the privacy policy today stifle innovation? Because data is key to innovation. I’m indifferent to which question you want to answer.

Ms. Shonaman: Can I answer the first one?

Senator Wetston: Maybe we’ll have a mix.

Ms. Shonaman: We believe that GDPR, while different from Canadian legislation, is very helpful. Our Canadian legislation is principles-based and very strong, and, even though it was written some time ago, the principles of privacy remain quite consistent.

GDPR is more specific on what you shall do with your clients and with your employees. We believe both kinds of legislation can work. We also believe that, at RBC, we’re held to a higher standard because of the position we have in the country and with our clients. We always seek to hit the gold standard, which is GDPR. Even though it’s not law in Canada, we’d be looking to raise ourselves up to that level because it’s the right thing to do.

Ms. Stubbington: Since we’ve talked about the first question, with respect to the second, innovation is obviously very good for Canada, for our customers, for Canadians and for our businesses. We want to be able to continue to meet the ever-changing financial needs and expectations of our customers. If we go back to basics with respect to privacy law, it’s looking for consent for the collection, use and disclosure of information. That is a fundamental cornerstone and the basis upon which we earn the trust of our customers. I think it works well. I think the amendments before us are separate from the privacy regime, which is there to enable innovation.

Mr. Henry: I will simply add what Jane closed on. The conversation today is different from the privacy framework we have, which is not changing. What’s on the table proposed as a change is something that will tangibly enable innovation and will work to the benefit of all Canadians.

Mr. Bradley: To take the second question, whether privacy policies stifle innovation, I don’t think they do. We’re able to deal with fintechs, but there’s a balance. Again, if you look at the Competition Bureau’s fintech market study report, they commented in some cases it’s so difficult for fintechs to deal with banks because of our high information security requirements. There’s a suggestion maybe our bank regulator, OSFI, ought to back off a little bit to enable fintechs to work with banks easier.

Senator Wetston: Thank you. That’s the point I was trying to get to.

The Chair: Interesting. Anything to add?

Mr. Bruyea: I’d just like to emphasize we believe at CIBC it’s a false choice to say you can have innovation without privacy.

Senator Ringuette: All of you have indicated you work closely with the Privacy Commissioner. The Bank of Canada yesterday indicated that, in regard to overlooking all of the financial macro activity, also indicated working with the Privacy Commissioner. Yet the Privacy Commissioner comes here not having been consulted, after two years with all of your institution’s discussion with the finance department for what we have in front of us. He’s saying that and I have a tendency to believe him.

Moving on to my second question, which is very important. I think it’s Mr. Henry and maybe, I think, Mr. Bruyea. You’ve both brought up the issue of insurance companies. This is a brand new section of the Bank Act that we have in front of us. I looked at section 314 that reads as follows.

Paragraph 483(1)(c) of the Bank Act is replaced with the following: “consist of a contract with the related party for the purpose of having either one of them act as an agent or make referrals.”

This is a brand new power you’re getting in regard to whatever fintech financial entity is in this section. Where do you see the prohibition from a third party that you would have provided data to act as a, as it says, make referrals or act as an agent in regard to an insurance company?

Nowhere in this new section in regard to new fintech entities is there any mention of prohibiting.

On the contrary, it says at section 314: “consists of a written contract with the related party for the purpose of having either one of them act as an agent or make referrals.”

It’s not an additional prohibition. It’s an additional power that, if you read it as it’s written, would enable you to sidetrack if there’s a third party with a contract.

Mr. Henry: Senator, I’m glad you raised it. It’s an important point to be clear on. Taken in aggregate, we need to first understand the point this is, in fact, not a new power. It’s a changing to approval processes in the Bank Act that banks need to do to be able to enter these business relationships.

Senator Ringuette: To have new agents and referral capability.

Mr. Henry: We can already do it today with a different process. What’s changing tomorrow is the way that comes to fruition.

As it relates to the insurance part of your question, though, nothing that’s proposed in any of that section that’s under review is superseded or replaces what is in section 416. Section 416 explicitly prohibits this insurance activity. There is no change whatsoever and no opening or avenue for us to do anything that would allow entry, even from a referral perspective, to participate in the sale of insurance.

Senator Ringuette: We have this entire new slate of entities. In addition to this new slate of entities, this new act of a third party being an agent or being able to make referrals on your behalf. From my perspective, this is absolutely not clear.

Mr. Henry: Senator, sorry. In section 416, it specifically says an affiliate of the bank that is not a subsidiary cannot directly or indirectly provide information to an insurance company, agent or broker. It is expressly prohibited that we can’t do it ourselves. We can’t give it to someone else that would do it for us.

The Chair: Thank you. Does anyone else wish to comment on that?

Senator Ringuette: I will triple check to make sure.

Mr. Henry: Section 416(3)(a).

Senator Stewart Olsen: This is more of a point of clarification. You mention in your contracts with fintechs you monitor them very closely and OSFI checks up. They can’t actually go in and audit fintechs, can they? You can’t audit fintechs and neither can OSFI. I could be wrong. I don’t know how you would monitor them to make sure they are complying with what you’ve asked.

Mr. Bruyea: I would offer two things there, senator. One is in our contracts we specifically require that we do have those audit rights or those rights of inspection to make sure they are complying with the Ts and Cs of contractual arrangements we make. That is point one.

The second point is there is new technology coming on stream that allows businesses like ourselves to continuously monitor technically these fintechs for certain hygiene-related issues they may have from a security or privacy point of view. There is some exciting new technology that’s helping us there as well.

Senator Stewart Olsen: Thank you. That’s clear.


Senator Dagenais: I am sure that you have banking relationships or services in other countries where the tax system may be more to your advantage than in Canada. In the financial institutions that you hold in other countries, are your clients’ data as well protected as they may be in Canada?


Ms. Shonaman: There are differing privacy regimes across the world. The United States is in a very different place than Canada and a very different place from the European Union member states. Where we level the playing field is with our contractual agreements with those parties that are drawn up under our privacy standards internally.

Mr. Henry: I would echo the same point. Speaking on behalf of a bank operating in more than 50 countries around the world, we articulate a global standard and we operate to the higher of the local or global standard.


Senator Dagenais: Thank you very much.


Senator Tannas: Sorry to be pedantic. I want to follow up on Senator Ringuette’s question. Mr. Henry, your answer where you said you can’t, as it relates to insurance, give data to somebody else and have them sell insurance for you.

Mr. Henry: That is correct.

Senator Tannas: Could they sell insurance for themselves?

Mr. Henry: Senator, I’m not a lawyer. I’d need to ask one if that were possible. The spirit is we have no desire to be in the business of insurance or to enable the business of insurance.

Senator Tannas: I understand that. Did you have something to add?

Ms. Stubbington: I was going to add that to the extent we have given them customer information, we’ll have given them limited information for a specific purpose, and they will not be able to use that information for an unauthorized purpose.

Senator Tannas: I’m going back to my little example of the title insurance guys that do a service for you that they could subsidize to you and sell, and you would get the benefit that way. That is not allowed, is that correct?

Mr. Henry: That is correct. We would contract about the specific use of data, and if someone did that, they would be in breach of that contract and we would pursue that under all rights available to us.

Senator Tannas: Thank you.

The Chair: Just following up on what Senator Tannas had to say. I know we have the Associate General Counsel of CIBC here. Because it is a legal question, do you wish to add anything to that?

Mr. Bradley: I’m actually with BMO.

The Chair: I beg your pardon.

Mr. Bradley: That’s okay. Mike was entirely right. That is exactly what we would do, prohibited by contract. The purpose of these relationships is so the fintech can work with our client to provide a service that we have chosen to work with them and that we think would benefit our customer, not to provide multiple services that aren’t related.

The Chair: And you would confirm what Ms. Stubbington said as well?

Mr. Bradley: Correct.

The Chair: Thank you all very much. An outstanding panel. It is clear our five leading banks in Canada are extraordinarily well served by each of you. Thank you for being here. I hope you will accept our invitation to come back at some point.

(The committee continued in camera.)