Proceedings of the Standing Senate Committee on
Legal and Constitutional Affairs
Issue 9 - Evidence for May 27, 2009
OTTAWA, Wednesday, May 27, 2009
The Standing Committee on Legal and Constitutional Affairs met this day, at
4:16 p.m., to study Bill S-4, an act to amend the Criminal Code (identity theft
and related misconduct).
Senator Joan Fraser (Chair) is in the chair.
The Chair: Honourable senators, welcome to the Standing Senate
Committee on Legal and Constitutional Affairs. We continue our study of Bill
S-4, An Act to amend the Criminal Code (identity theft and related misconduct).
It is a very interesting subject; this bill has been introduced in the Senate
by the government, which it is not necessary the case with all bills. Most are
presented before the House of Commons and come here later on. In this case, the
bill was presented in the Senate.
As we continue our study of this most interesting bill, we are delighted to
have with us as witnesses Mr. Gord Jamieson, Head of Payment System Risk at
Visa; Ms. Vanessa Giuliani, Fraud Specialist, Consulting Solutions at Equifax;
and Mr. Rick Rennie, Vice-President of Customer Security and Risk Services at
Thank you for waiting while our start was delayed for a few minutes. We are
grateful to you for your patience and for being with us today. You have agreed
among yourselves that Ms. Giuliani will be the first speaker followed by Mr.
Jamieson and Mr. Rennie.
Ms. Giuliani, you have the floor.
Vanessa Giuliani, Fraud Specialist, Consulting Solutions, Equifax:
Thank you and good afternoon. I am the senior fraud consultant at Equifax
I would like to start by thanking the committee for the opportunity to speak
in support of Bill S-4. I would also like to congratulate the government for
taking such a positive step to help stem the growth of identity-related crimes
in Canada. Canadians benefit from coordinated strategies that involve
government, law enforcement, industry and consumers. Bill S-4 is an excellent
example of that.
Identity-related crimes have increased steadily since about 1998 with the
increased use of electronic delivery channels and networks. The theft of
personal information needs to occur to set up and prepare before an identity-
related crime can be perpetrated. Bill S-4 is welcome legislation to help stem
the flow of stolen information by making it illegal to possess it before the
information has been used to commit that crime.
We, at Equifax Canada, have noticed a substantial increase in the amount of
personal information stolen from a variety of sources such as rogue employees
and other unauthorized access. We know this through joint investigations
conducted with the police and finance service agencies.
The industry has taken a number of steps to mitigate the effects of this
crime when it comes to prevention. However, the electronic transfer of personal
information is critical when processing financial transactions in Canada. Only
so many steps can be taken by the industry. Indeed, thousands of personal credit
reports are electronically transmitted every day, which are acquired, secured
and used lawfully.
There have been cases where rogue employees or foot soldiers will take credit
reports from their place of employment and, much like a narcotics trafficker,
sell them to organized criminal groups. In many of those joint investigations,
police services report that stolen personal information is frequently found in
traffic stops and other lawful searches. There is little to no legitimate reason
for anyone to possess piles of credit reports, financial information or other
identity-related documentation. With Bill S-4, the person in possession of this
information will have to answer for that.
I would like to provide a little more information on identity fraud
statistics and trends in Canada. Since 1998, Equifax Canada has been documenting
the exponential growth of identity-related crimes. Between 1998 and 2003, Canada
experienced a 500 per cent growth in identity theft reports where applications
were submitted and damage incurred to a legitimate Canadian consumer. From 2004
to 2005, the growth rate levelled; but in 2008, the numbers climbed back up to
the 2003 high, and fictitious identity crimes started to blossom.
Fictitious identity crime occurs when personal information is stolen and
components of that information are used to create a non-existent person. The
perpetrator does this by taking personal information, such as the Social
Insurance Number of someone who is deceased or perhaps not yet part of the
credit-granting system, and builds a non-existent identity. The perpetrator then
monitors the progress of this fake identity by pulling credit reports and
conducting hundreds of thousands of dollars in financial transactions before
abandoning the fake identity of the person they created.
Of further note is the fact that we commonly see tens or even hundreds of
fictitious identities being operated by the same person or group at the same
time. Without question, regular or more traditional identity fraud, as well as
fictitious identity creation, is on the rise and hundreds of billions of dollars
are being siphoned by organized criminal groups each year.
I would like to pause for a moment and provide you with a recent example of a
case involving fictitious identity fraud to try to help underscore the
sophistication of this type of crime. This case is from about two years ago, and
it was a joint investigation between Equifax, several members of the financial
services community and the Metropolitan Toronto Police Fraud Squad.
Police from the Toronto Fraud Squad were tailing a vehicle that they believed
to be participating in a different type of crime. Unfortunately, they lost the
trail of that vehicle and then thought they had found the vehicle again. As it
turned out, they had found a completely random vehicle that fit the exact
description of the one they were trailing and realized that afterwards. By that
time, they had uncovered, quite by accident, 15 credit reports sitting in the
back seat. Those 15 credit reports were then given to Equifax to start a full
investigation, and what we found was that three rogue employees from three
reputable organizations had built 500 fictitious identities.
I brought ten examples of those fictitious identities with me today. To give
you a sense of how lucrative this type of offence is, the average financial gain
from each identity is approximately $250,000. If you multiply that by the 500
identities that these three people had created, that is over $125 million from a
Bill S-4 is an opportunity for legislators to truly stem the increase in
identity-related crimes and all of its modern manifestations. When law
enforcement has the right to recover stolen information and prosecute the
persons in possession, it will deter others with access to personal information
from participating in this type of crime. Where penalties are in place for
trafficking in stolen information, perpetrators are more likely to be influenced
by the consequences and rethink their foot soldier role in the crime.
Thieves are stealing and building fictitious identities as we speak, and this
problem will not go away without a confluence of legislation, law enforcement
and solutions from organizations like Equifax. With that in mind, we are very
encouraged to see Canadian legislators moving forward with this bill and we
offer our full support. The financial services and credit industry continue to
do our part by responding to victims of identity-related crimes and investing
millions of dollars each year in trying to detect identity-related crimes as
quickly as possible.
Identity crimes have grown to a level that affects all Canadians either
directly or indirectly. Unlike 10 years ago, I am hard-pressed to find a person
today who has not had a debit or credit card copied, worked with an employee who
was terminated for dishonest behaviour or had applications submitted using their
Combating identity-related crimes is a battle that transcends politics, and
on behalf of Equifax Canada, I commend you for helping to address the growing
problem of identity-related crimes in Canada.
The Chair: Before we go on, you said you had brought with you ten, I
think it was, cases. If you could give those documents to the clerk, we will
have them circulated to the committee members.
Gord Jamieson, Head of Payment System Risk, Visa: Good afternoon. I am
senior business leader in Visa's Payment System Risk Group. On behalf of Visa
Canada, I am pleased to participate in the Senate of Canada's review of Bill
S-4. Visa Canada supports the government's proposed legislation because, at its
core, it is the criminalization of identity theft that will provide greater
protection through the Canadian Criminal Code to all Canadians.
Identity theft is broader than and different from payment card fraud. We
emphasize this distinction to ensure that the law targets those activities that
are most likely related to that offence. We believe that Bill S-4, subject to
our technical comments, does have the right focus.
Before I speak to our specific comments, I would like to clarify Visa's role
within the payment system and in insuring the security of electronic payments.
Visa operates the world's largest retail electronic payments network,
providing processing services and payment product platforms. This includes
consumer credit, debit, prepaid and commercial payments, which are offered under
the Visa, Visa Electron, Interlink and PLUS brands.
Security is a priority for Visa. We have made significant investments to
protect the payment system and cardholder information. Visa cardholders can be
confident when they use their Visa card to shop in person or online because of
the fraud prevention and security features that exist on the card as well as on
the payment system itself.
In Canada, these include: Zero liability, which means that consumers do not
pay for transactions they did not make; the Verified by Visa service, which,
through the use of a personal password, gives consumers added protection when
they shop online with participating merchants; neural networks that monitor Visa
card transactions 24/7, looking for unusual purchase situations; Chip cards,
which are virtually impossible to copy to another card and help protect
cardholders and retailers from lost, stolen or counterfeit card fraud; the
three-digit code, which is also referred to as CVV2, is used by merchants to
ensure that the purchaser is using a genuine card; and lastly, the Account
Information Security Program, commonly referred to as AIS, which is a
standards-based compliance validation and education program designed to help
protect data at all points in the Visa payments system. To achieve compliance
under AIS, merchants and service providers must adhere to the Payment Card
Industry Data Security Standards, which is also known as PCI-DSS.
Protecting consumer confidence and delivering on our brand promise of
convenient, secure, reliable electronic payments are important priorities for
Visa. While consumers are protected against fraudulent charges on Visa cards
with zero liability, we understand that the impact of identity fraud can extend
beyond Visa payments. At the very least, victims experience the inconvenience
and the stress of completing police reports, requesting replacement cards and
working with reporting agencies.
Beyond ensuring consumers benefit from zero liability on Visa cards, we also
help coordinate responses with our card issuers and gather critical information
when an event occurs. On the prevention side, Visa develops compliance programs
and standards aimed at squeezing fraud out of the payment system. We also
provide consumer information on our website, work with law enforcement, and
through the Competition Bureau's Fraud Prevention Forum, help educate
cardholders about steps they can take to help protect themselves.
Visa proposes the following technical amendments related to payment card
fraud. As noted earlier, identity theft differs from credit card fraud. Credit
card fraud involves the exposure of account information leading to fraudulent
charges. In the case of identity theft, thieves may obtain a range of
information that can include a person's name, address, social insurance number,
bank account information or place of work, and use this information to
effectively steal an identity.
We believe that these amendments, outlined in detail in our written
submission, strengthen Bill S-4 and ensure it is able to capture present and
In clause 4, proposed subsection 342(3) uses the phrase "including a
personal identification number." This language is too limiting and should be
replaced with "including identity information." We believe it is important
that the legislation capture not only current technologies, but also be broad
enough in scope to capture future technologies.
The reference to "credit card data" in the same proposed subsection should
be replaced with "payment card data." The purpose is to capture all current
payment systems, such as prepaid cards, charge cards, debit cards and credit
cards, as well as emerging technologies, such as mobile and contactless
"Credit card" should be replaced by "payment card" in section 321 of the
Criminal Code, as well. The Criminal Code should also be amended so that the
definition of "payment card" means "debit, credit charge, prepaid cart,
contactless, mobile device, plate or other device."
In clause 10, the reference to "credit card number" in proposed subsection
402.1 should be deleted. Visa believes that introducing those concepts in this
provision is redundant, since proposed section 342 deals specifically with
crimes related to credit cards. As well, "personal identification number" or
PIN should be added in proposed sub section 402.1. In a related change, the
definition of "identity information" should include a reference to personal
identification number or PIN when our recommended change in clause 4 to proposed
subsection 342(3) deleting the phrase "including personal identification
Finally, in proposed subsection 402.2(1), if the committee accepts our
proposal to delete "credit card number" from proposed subsection 402.1, it
follows that this section would apply only to identity information, not to
Thank you for the opportunity to make this submission. I am happy to take
questions later on.
The Chair: Thank you very much. Did all senators manage to catch those
Senator Joyal: We were trying to flip the pages.
The Chair: Often it helps us to have page numbers in the bill.
Mr. Jamieson: I am sorry.
Senator Joyal: We can come back to that.
The Chair: Fine. Those are interesting suggestions.
Rick Rennie, Vice-President, Customer Security and Risk Services,
MasterCard: First I would like to acknowledge some overlap in the themes. I
should point out that, while we are fierce sales competitors, we work closely
and have a lot of common interests in combating fraud.
I am Vice-President, Customer Security and Risk Services at MasterCard
Canada. Thank you for allowing me the opportunity to appear before you today to
discuss Bill S-4 and its amendments to the Criminal Code provisions regarding
identity theft and related misconducts.
Let me speak briefly to what MasterCard is and is not. MasterCard Worldwide
advances global commerce as a franchiser, processor and adviser. We develop and
market payment solution processes worldwide. We process approximately 21 billion
transactions each year and provide industry leading analysis and consulting
services to financial institution customers and merchants. Through our family of
brands, including MasterCard, Maestro and Cirrus, MasterCard services consumers
and businesses in more than 210 countries and territories.
MasterCard does not issue cards directly to consumers or set interest rates
on cards. We do not make decisions regarding whom to issue cards to or what
interest rates or fees to charge. Terms or conditions, including rewards
programs, are made by our customer financial institutions, such as Bank of
Montreal or President's Choice Financial to name two.
MasterCard applauds the government's decision to introduce legislation that
criminalizes the activities which lead to identity theft and card fraud. As we
know, these are often perpetrated by highly-organized and sophisticated
criminals. Deterring this activity requires the active engagement of many
players, including government, the payment industry, retailers, law enforcement,
the courts and the public, of course.
At MasterCard, we know that despite our card issuing and acquiring customers'
best interests, some consumers become victims of identity theft or payment card
fraud. That is why fraud prevention and detection are an integral part of
business operations for MasterCard and our customers, requiring
multi-million-dollar investments each year in people and technology. I will
speak briefly to some of these efforts later.
MasterCard has always stood with industry stakeholders in support of the
government on this important issue. MasterCard strongly supports Bill S-4, just
as we had endorsed its predecessor, Bill C-27. With the introduction of Bill
S-4, we are confident the addition of measures to criminalize the collection and
distribution of the personal information of private citizens will better serve
to protect Canadians from the very personal and invasive crime of identity
Card-specific provisions contained in the legislation will provide the
justice system with the critical tools to target and neutralize the organized
groups behind card fraud. While we fully support the spirit of the legislation,
we would be remiss to not provide some comments on how Canadians might be better
served by the legislation.
First, I would like to point out that the proposed legislation's definition
of "identity information" under proposed subsection 402.1 appears to
contemplate that a credit card number can be used alone to identify an
individual, and this is not the case. A credit card number without another piece
of identification, such as a name, cannot identify an individual and,
consequently, cannot be used alone to commit identity theft, while a credit card
number and expiry date alone could be used to commit fraud. MasterCard therefore
believes it is important to distinguish between the terms "fraud" and "identity
Second, MasterCard supports the bill's extension of the term "credit card
data" in proposed subsection 342 (3) to include "personal identification
number," though we recommend the term be expanded to "personal identification
number or other authenticating information." This acknowledges emerging trends
in payment card technology that can potentially deliver even stronger methods of
authentication. Biometrics is one example.
Third, proposed subsection 342 (3) criminalizes the unauthorized use of
credit card data. MasterCard recommends Bill S-4 take the opportunity to update
the Criminal Code to reflect innovations in the payment card industry, and
specifically that section 342 (3) be amended by adding the term "or other
payment card data."
We recommend it be amended by adding the term "or other payment card data"
after the term "credit card data." This will ensure the Criminal Code can
encompass emerging technologies, for example, mobile payments or other handheld
devices which will eventually contain payment applications.
I would like to take my last few moments to quickly highlight some of the
policies and tools used by MasterCard and our customers to protect MasterCard
cardholders and to safeguard financial and personal information. MasterCard has
a comprehensive information security program to keep our networks secure and
requires our financial institutions to adhere to related rules, including the
Payment Card Industry Data Security Standards, or PCI.
Our zero-liability policy ensures that MasterCard cardholders are not
responsible for fraudulent activity on their Canadian-issued consumer cards. Our
chargeback policies afford additional consumer protection in instances where
they do not receive goods or services purchased using their MasterCard card.
MasterCard and our financial institution customers employ very sophisticated
financial transaction monitoring systems to detect fraud, often on a 24/7 basis.
Cardholders are routinely alerted before they are even aware of fraud and the
incidents are managed with minimal stress and inconvenience.
MasterCard SecureCode is a product that provides added security through the
introduction of a password for online shopping at participating retailers.
Finally, MasterCard is a global leader in the implementation of chip and PIN
technology, and our financial institution customers are well into the process of
delivering chip and PIN cards and acceptance devices in Canada. Greater detail
on these policies and tools is provided in our written submission, and I would
be happy to expand upon that during the question and answer session.
Thank you again for the opportunity to address this important topic and the
significant legislation you are pursuing.
Senator Milne: My first question is directed to Ms. Giuliani. We heard
from a previous witness that modern identity theft is increasingly being used to
steal smaller amounts from more accounts. One witness said that if you steal a
dollar from a million accounts, no one will even notice that it is missing, let
alone report it to the police. If they do report it to the police, the police
will not spend a lot of time tracking down the theft of $1, just as they will
not investigate a car crash that causes less than $1,000 of damage.
What is the solution to this? It is apparently increasing quite dramatically
Ms. Giuliani: It largely depends on the type of fraud being referred
to. There are some internally driven frauds where a little bit will be taken
from many accounts, and that is extremely difficult to detect. More modern
identity thieves are also trying to fly under the radar. However, the
"fictitious identity" frauds that I referenced are still affecting multiple
accounts with significant amounts being expended or taken down at once.
In terms of a general solution, the industry has been working collectively on
a number of things over the years. I was not going to speak about some of our
ideas on that, but since you asked, I will. Again, it is relative to the type of
fraud. In some situations, having greater capability to verify the information
submitted on the application would greatly help detect the fraud at the outset.
In that way we will not be in the predicament of having to detect it in all of
its modern forms. In other cases, organizations could step up internal
monitoring tools as much as possible.
Senator Milne: Do you see this kind of fraud increasing and the frauds
in larger amounts decreasing?
Ms. Giuliani: There has been some movement, but not nearly to the
point of being so small that it would go without notice. Using hypothetical
numbers, if the average loss to an identity theft was $75,000 at one time, it
may be $25,000 now, but it is still substantial enough to warrant our attention.
That is for the theft of another's person's identity or submitting
applications in someone else's name. Fictitious identity fraud numbers are
through the roof.
Senator Milne: That is interesting. That is what we have been hearing.
Do you gentlemen agree with each other's suggested amendments for
improvements to this bill?
Mr. Jamieson: They are nearly identical. We are competitors, but we
are fairly consistent in our approaches to identity theft.
Within the credit card industry, we report on a number of different fraud
types. The ones specifically related to identity theft are clearly false
applications, and those could be either true names or fictitious names. The
second kind is what we call account takeover. That is where someone has
another's personal information, calls a financial institution and asks for a
second card for their daughter, for example, and provides an address for
delivery of the card. That is someone taking over another's account. They would
have to have personal information and know enough about that individual to take
over the account.
Those two categories represent about 5 per cent of total fraud losses.
Senator Joyal: What is the amount of the losses?
Mr. Jamieson: The CBA acts as an independent broker for the industry
to gather our information. I will not share mine with MasterCard and American
Express, and vice versa. As a total for Visa, MasterCard and AmEx, for the 12
months of 2008 there were $407 million in losses from all types of fraud. Taking
out false applications and account takeovers, which represents about 5 per cent,
that works out to about $20 million.
Senator Baker: I do not think that completely answers the question. It
is fine to say $400 million or $20 million, but of what total amount? What would
be the percentage of loss?
Mr. Jamieson: That is the loss.
Senator Baker: Yes, but what percentage of total transactions would
Mr. Jamieson: That is about one tenth of 1 per cent.
Senator Milne: I am interested in what you said, Mr. Jamieson, about
the three-digit code, which is referred to as a CVV2, that is used by merchants.
Canadians have three-digit codes on their Visa cards. Quite often outlets in the
United States require a four-digit code and you cannot use your Visa card there.
Mr. Jamieson: There is some confusion. The three-digit code on the
back is traditionally used for card-not-present transactions. Internet
transactions are a perfect example of when that code would be requested. You
need something beyond the account number and the expiry date; you need this
In the U.S., sometimes at gas pumps, for example, they will ask for your
postal code. In the U.S., it is a numeric postal code known as a zip code while
ours is alpha-numeric, and that causes problems. It is not compatible in the
U.S., so they would have to go into a kiosk to complete your transaction.
Senator Milne: They ask for a four-digit code in some places. It is
not the PIN number, because it is not printed on the card.
Mr. Jamieson: Some consumers confuse that three-digit code with their
PIN number, which is not the case. CVV2 value and equivalent security features
of other brands are on the back and are only three digits. They are meant for
card-not-present transactions. Some merchants are starting to use them in
card-present environments. One large electronic retailer in Canada uses them in
the card-present environment to deter counterfeit, and it has been very
Senator Milne: I find it disturbing that with a card with a chip in it
my signature is no longer required.
Mr. Jamieson: You are authenticating with a PIN.
Senator Milne: Someone else can use that card and do the same thing.
Mr. Jamieson: They have to know your PIN, though.
The Chair: We keep reading horror stories about how people can read
your fingers on a keyboard to figure out what your PIN is.
Senator Baker: You have suggested specific amendments to the
legislation. This is a good time to make those suggestions because the bill is
being introduced here, and it will go to the House of Commons later, if it
passes here in the Senate.
If I read your specific suggestions correctly, and I listened carefully to
what you said, were to more or less stretch out the coverage of the particular
sections you referenced so that it would not be particularized but rather
generalized, and the definitions would change so they could encompass more than
the bill presently anticipates.
We heard from the Department of Justice the other day on this bill. We raised
a concern about one section being too particularized. I would like your opinion
on the explanation given to us. It was that for fear of Charter challenges they
had to restrict the definitions in some cases.
Do you have any thoughts on that? Mr. Jamieson, you are a former RCMP
Mr. Jamieson: Yes, I am.
Senator Baker: You should have some opinion.
Mr. Jamieson: I do have opinions. My only point here is that the
reason we wanted it stretched somewhat is because we are introducing these
technologies today. To introduce a bill that is limited to current technologies
that you all are aware of does not seem appropriate. We are testing mobile
transactions on your cellphone, using your cellphone to wave in front of a
terminal right now. It is out right now; we are testing it.
We have contactless cards that could be a fob, which is not necessarily the
plastic that you are used to seeing. That is why it is important that you
address it now and include it in that, or you are writing legislation that may
be outdated when it comes out.
The Chair: In connection with what should be covered by payment cards,
Mr. Jamieson, you said the definition should be amended to mean any debit,
credit, charge or prepaid card, contactless mobile device, plate or other
device. I betray my technological ignorance. What do you mean by
"contactless"? Is that wireless? Also, what do you mean by "plate"?
Mr. Jamieson: Plate is part of the definition within the code now, so
we kept that same terminology. It could be something you are taking an imprint
of. Our cards have embossing on them today, so you take an imprint of something
and it is like a plate.
"Contactless" is the technology that is coming out. We have contactless
chip cards, for example.
The Chair: You just wave them.
Mr. Jamieson: You just wave them. Mr. Rennie may have one here.
Senator Joyal: What the witnesses are saying is exactly what we raised
at our last meeting; I know the sponsor of the bill was listening at that time.
We want to be sure with this bill that we are not behind the technology, that we
are at least at par with the technology and even able to try to cover future
developments so that the bill will not be obsolete the day it is passed and gets
Royal Assent. I wonder if the Department of Justice is in the room to ensure
that they will be able to react to the proposed amendments, which express the
concern that we have already stated around this table — that the new method of
payments, which are totally beyond our imagination now, will change completely
from the plastic card that we all have in our back pockets. The telephone and
other electronic devices will be the method for paying and transferring money
and doing whatever business transactions will be available for any customer.
Since those are very specific proposed amendments, it is important that we
get the reaction of the Department of Justice and the sponsor of the bill to
ensure that what we do is not working in the context of 19th century technology,
but the technology that will be in place at the end of this century. Can we
The Chair: We can, indeed. In connection with these or any other
proposals for amendment that are made to us, we will be sure to contact the
department for its response to those proposals.
Senator Baker: I discovered during questioning that Mr. Jamieson is a
former RCMP investigator. I have seen his name in case law, where he
investigated this very subject with machinery that was used for forging cards
and successfully brought to a conclusion some very serious matters. That is not
what I wanted to ask him about, although it is fascinating in and of itself.
Mr. Jamieson, in various sections that you wish to expand upon, the bill
gives authorization for investigations concerning forgery instruments,
possession of forged documents, credit card data, identity documents and
identity fraud. It gives authorization under a section of the Criminal Code
which is called "Invasion of Privacy."
You are aware of the typical authorization you get to tap people's telephones
and interfere with persons on reasonable grounds under investigation. Do you
think the bill is going a bit too far in adding so many sections under forgery
and fraud to that section of the code — specifically section 183, which
authorizes the tapping of telephones and all other communication devices?
Mr. Jamieson: I have applied for wiretaps in my days with the RCMP,
and they were specifically directed at credit card-related offences. I gave
comments to my predecessors when they were developing legislative changes in the
mid- 1990s around section 342 of the code. I think we have sufficient
legislation around credit cards for law enforcement to do its job. It did apply
to wiretapping; it did allow us to apply and be granted wiretapping for those
types of investigations we were investigating.
That is why I am saying that for some of the aspects here, specifically
credit cards — not identity theft, we must draw that distinction — there is
sufficient legislation in place specific to credit cards. Identity theft is a
different aspect, and I think there needs to be that requirement there.
Senator Baker: Changed to incorporate what you have pointed out that
should be amended?
Mr. Jamieson: Yes.
Senator Angus: Mr. Rennie, you listed all these different trademarks —
MasterCard, Maestro, Cirrus — but you did not mention Mosaic and we see that
name around a lot. What is the story there?
Mr. Rennie: Mosaic is a specific product from one of our financial
Senator Angus: From the Bank of Montreal. Would they have the
intellectual property rights to that name?
Mr. Rennie: It is a trademark name that they have. MasterCard, Cirrus
and Maestro are brands we license to our clients around the world.
Senator Angus: You have been having quite a bit of experience with
Senate committees lately. How is it going?
Mr. Jamieson: Not myself.
Mr. Rennie: It is well above our pay scale.
Senator Angus: Some of us senators sit on certain committees, others
sit on other committees and some, like Senator Dickson, sit on all relevant
In terms of the draft legislation we are reviewing here for identity theft —
and you all seem to favour it — if I understand the thrust of it, it will reduce
some of the costs you incur to chase down the bad people for fraud and so forth.
Would this compensate for some of the increased costs?
Mr. Rennie: Can I speak to that one?
Senator Milne raised an important point that is worth highlighting again,
which is that card fraud in particular is run by very sophisticated groups. On
the question about do you go after someone committing a $500 or $1,000 crime,
there are not the resources to justify doing that.
Through the efforts particularly of our issuing financial institutions, all
of those sophisticated detection methods I talked about — perhaps many of you
have gotten phone calls from your financial institution questioning transactions
that you may have processed — we find we are very effective at detecting fraud.
That $400 million figure that Mr. Jamieson mentioned, I promise you, would be
triple, quadruple or quintuple if not for those efforts. That is an important
point to mention.
Regarding your question about the impact of this bill, it will undoubtedly
support it. Law enforcement already had a lot of the tools necessary as Mr.
We work closely with law enforcement on a regular basis. Our interest — that
is, the industry and issuers in particular — is in bundling cases that have
dozens or hundreds of these $1,000 or $2,000 losses so they can go after the
organized groups behind it. That is one of the things that we strongly support
from a prevention standpoint.
Also from a prevention standpoint, we are confident that chip and PIN
technology will have a substantial impact. However, it is expensive to implement
and it will take a long time to do.
Senator Angus: What is the biggest expense of that? Is it the machine?
Mr. Rennie: It is a combination. Issuers have to replace all of their
plastics with those with chips embedded in them. Merchants have to upgrade
devices to handle a chip transaction and networks have to be able to pass more
sophisticated, enhanced data.
Senator Angus: I had an experience last weekend in Northern Ireland. I
had the card with the chip and they had the machine, but it was not convenient
to have me and the merchant together at the same time. I gave them the credit
card and when it came time to get it back, I said I would put in my PIN. They
told me, "No, we do not need to do that. We have everything we need. Thank you
Mr. Jamieson: The case of whiskey is yours.
Senator Angus: What is the story? Does that happen in a place where
you are trusted such as a private club? That surprised me.
Mr. Jamieson: It surprises me too. Without a cardholder verification
method, which traditionally in the magnetic stripe world is a signature, as we
go to chip technology, it is the PIN. That is how you are authenticating that
you are the cardholder.
Senator Angus: It was a private club and they knew who I was in this
case. Does that enable them to take the data from the card without the PIN?
Mr. Jamieson: Yes, they take the risk. Since you have a relationship
with them, they are taking your card number and will process it. It would
probably be done offline through paper processing by taking an imprint. They
take the risk in that scenario.
Senator Chaput: I had the same experience at the airport in Toronto.
They did not ask for my PIN, did not need it and the transaction went through.
Mr. Jamieson: Did they ask for a signature?
Senator Chaput: No.
Mr. Jamieson: We have some low-value transaction programs in place for
less than $25.
Senator Chaput: It was over $25. It was a $200 purchase.
Senator Angus: You were buying my birthday present?
Senator Chaput: Buying myself a birthday present.
Mr. Jamieson: The point is that if the merchants do not follow the
proper card acceptance procedures, if they choose to do that and process the
transaction, then they take the risk if something goes wrong.
Senator Chaput: Is there a risk for me?
Mr. Jamieson: It is not your risk. It is the merchant's risk.
Mr. Rennie: It is important to point out that millions of transactions
a day are being processed and there will always be exceptions. People will not
follow proper acceptance procedures. However, they do to a great extent.
While we are in this transition period, it is more challenging because much
more front-line training is required. People have to get used to it. The
roll-out is uneven. That contributes to the challenges sometimes. We are
confident that it will do exactly what we expect it to do.
Senator Angus: I wanted to address the issue of insider people who
could take personal information to which they legally have access and use it for
illegitimate purposes. Do you feel this bill goes far enough?
Ms. Giuliani, I would think your organization would be one of those types of
organizations that would have that access. I would like to ask you many
questions on another occasion. It goes to identity credit prejudice of
individuals. Does the bill go far enough?
I do not care who answers this.
Mr. Jamieson: I believe it does.
Senator Angus: Fine. Thank you.
Senator Joyal: I will follow up on the last answer to Senator Angus.
It goes far enough provided that we include what they have proposed as
amendments to the bill.
Senator Angus: Is this the one you were talking about earlier that I
missed at the last meeting?
Senator Joyal: I am not saying more than what I just said.
It is important that the amendments you propose cover the emerging payment
forms that will not use the plastic credit card itself. The experimental
telephone payment that you are testing will mean that at a point in time, we
will not even have a plastic card with us. We will have our telephone number and
pay with cellphones. The data will not be transmitted by the chip in the card,
but by the chip in the telephone.
Mr. Rennie, you are proposing that we add after "credit card data," "or
other payment card data." It seems to me that it would not cover that kind of
future payment because you are talking about a card. Would it not be better to
say "or other form of electronic payment"?
Mr. Rennie: "Or other payment data" might be another way to phrase
it. You are absolutely right. We already process hundreds of thousands of those
contactless transactions. As Mr. Jamieson mentioned, there are trials under way
around the world currently — including in Canada — for mobile telephone
transactions as well.
Senator Joyal: I have no objection to keeping "credit card data"
because it is the usual form of payment today. However, very soon we will pay
with cellular phones and we will not need a plastic card with a PIN or whatever
information is on that card.
If we are to amend the bill and add "or other payment card data," we should
have "or other payment data."
Mr. Rennie: Yes.
Senator Joyal: That seems to be more in sync with what you are telling
us today if we want to achieve the objective of having a bill that would be
useful down the road.
Mr. Rennie: That is valid.
Senator Joyal: Proposed subsection 56.1(3), on the first page of Bill
S-4, contained the definition of identity document:
For the purposes of this section, "identity document" means a Social
Insurance Number card, a driver's licence, a health insurance card, a birth
certificate, a passport as defined in subsection 57(5), a document that
simplifies the process of entry into Canada, a certificate of citizenship, a
document indicating immigration status in Canada or a certificate of Indian
status, issued or purported to be issued by a department or agency of the
federal government or of a provincial government, or any similar document
issued or purported to be issued by a foreign government.
Does it cover all the identity documents that you and your business feel are
contemplated to check the identity of someone in your opinion?
Mr. Rennie: MasterCard does not actually capture personal information.
We are capturing card data that we transmit along our networks. Our issuers
absolutely are capturing personal information. They tend to be financial
institutions. I do not know if you had the CBA speak, but they would probably be
better positioned to talk about their particular practices.
Ms. Giuliani: We have some direct consumer activities where we take
identification. Yes, that is encompassing enough. The only thing it does not
include would be the direct payment card — debit or credit — which would be
covered elsewhere. Other than that, that is comprehensive enough.
Senator Joyal: That is the point, though. What I have in mind is, when
someone is holding a card that is normally confirmed by identity, you take that
card as the identification document. That is not covered by this. In other
words, if you fabricate a false identity document through that card, that would
not be covered by that.
That is why I posed the question to the Department of Justice witnesses. The
answer was that there is a Charter problem. It seems to me, however, that, since
a credit card is in fact related to identity documents that are checked
somewhere, if you make a false card, that false card becomes, in a way, an
Mr. Rennie: Are there not other types of cards that could fall within
that category, such as a membership card or a student card? There is a whole
range of cards that are used in some places as identification.
Senator Joyal: Yes, but it is the identification card to get credit or
pay, in that context.
Ms. Giuliani: Some of those ancillary cards like student and library
cards, they would be far down the line in the suite of identification. There
would always need to be a government issuer with signature, photo or both. We
have really moved away from the municipal cards or community cards. This is
I am sorry; I have not thought about it in this vein. However, the only thing
would be if a credit card was produced as one of the identification cards, would
it otherwise be covered if it was counterfeit?
The Chair: As an example, senators are given cards to get into the
building. They have numbers, our photographs and are issued, goodness knows, by
an arm of the Government of Canada; namely, the Senate of Canada.
Senator Milne: They also have a chip in them.
Ms. Giuliani: We do not see them often in the industry.
The Chair: Would this section, from your point of view, be better or
worse if, instead of applying only to the list of documents, it also had a
catch-all: Any other government-issued identity?
Ms. Giuliani: I thought it did here. The last part, after Indian
status: "...or issued or purported to be issued by any department or agency of
the federal government or provincial government."
The Chair: Maybe we need to have this clarified by the officials.
However, as I read it, that section says, in essence: "Any of the above
documents that have been issued or purported to be issued by a department or
Therefore, it is a limiting list. From your point of view, would it be better
to have a slightly broader catch-all? I take the point about government
documents being what you really care about, and that is useful. However, should
we not say in that case "any government identification"?
Ms. Giuliani: In the same vein as contemplating future technologies,
there may be future government documentation, sure.
Senator Joyal: It is right on the point. That is what I tried to get
from witnesses; to understand the implication of that definition of "identity
document," because it is a leading definition for everything that follows from
Mr. Jamieson, in your proposal and amendments, if you want to go back to that
document, in the middle of the page, you refer to clause 4 of the bill relating
to proposed subsection 342 (3). In your third bullet you state the definition of
payment card should be amended in the code to mean "any debit, credit charge or
prepaid card, contactless, mobile device, plate or other device." In which
section of the Criminal Code do you propose that definition?
Mr. Jamieson: In the early part of the 300s there, there is a
definition of "payment card." I cannot remember. It has been a while since I
The Chair: Section 321, I am informed.
Senator Joyal: In your opinion, would that be wide enough to cover the
new methods of payment that you are presently testing that might soon become the
usual form of payment for everyone?
Mr. Jamieson: Yes, I believe so. Mr. Rennie, do you agree?
Mr. Rennie: I am not sure I can provide an opinion on that at this
Senator Joyal: The other question is also for Mr. Jamieson. Your next
group of points in the document relates to proposed subsection 402.1. The second
This section should include "personal identification number" or PIN. As
stated, we recommend that subsection 342(3) be amended to delete the phrase
"including a personal identification number," as it is too limiting and
should be replaced with "including identity information."
Mr. Jamieson: Right.
Senator Joyal: Are there any Charter implications in that proposal?
Mr. Jamieson: I am not a lawyer.
Senator Campbell: Or an RCMP officer.
Mr. Jamieson: The idea was that when we saw "personal identification
number" earlier in proposed subsection 342(3), we felt the description should
include "identification information." Then, within the definition of "identification information," PIN should be put in there because that is a
form of identification that we are using as we go to chip technology.
Mr. Rennie: We agree. You can go back to our text, as well where we
used the phrase "personal identification number or other authenticating
Senator Joyal: That seems to be the way to try to circumscribe the
scope of what is to be covered so we do not find ourselves in a challenge on the
basis of the Charter.
Mr. Jamieson: Mr. Rennie has mentioned "other identification
information" would cover anything now or possibly others introduced in the
Senator Wallace: I will address this to Mr. Rennie and Mr. Jamieson.
It is somewhat along the lines of what Senator Joyal was speaking of. Both of
you seem to be making the same recommendation in regard to proposed subsection
342(3) included in Bill S-4. Rather than limit proposed subsection 342(3) to
only "personal identification number," you are suggesting, as Senator Joyal
mentioned, it would include the reference to "or other authenticating
information." I understand the logic of trying to create flexibility and
breadth to that.
However, on the other hand, I think whatever is added must be identifiable;
we have to know what that information is. Otherwise, it is vague and lawyers
will deal with that and it can create problems in trying to enforce the section.
With that in mind, I believe I know what a "personal identification number"
is. I can picture that. What is "or other authenticating information"?
Mr. Rennie: In my remarks, the example I gave was biometrics. There is
a wide range of biometric potentials. Whether they have commercial application
or not is another matter because, regardless of what you employ for
authentication, a PIN falls into the category of "something you know."
Biometrics typically falls into the category of "something you have or are."
The "something you know" could be a PIN or a password or something like that.
I think that is covered off.
It is the other area. Again, quite frankly, we do not know exactly where that
will go. If you are to put that into the market, you have to put it out there on
a universal basis so it is accepted everywhere. Regarding the earlier question
about Ireland, if you have biometrics and only 5 per cent of the merchants
accept biometrics, it does not do you any good.
Ms. Giuliani: If you look at what it is getting you, perhaps there
could be some type of definition there. It is for the purpose of gaining access
to an authorized instrument, currency or network. It is for the purpose of
access. You are right; we know what there is today; we cannot know what is to
come, but it is for the purpose of getting through the gate.
Mr. Rennie: For the purpose of unauthorized access.
Ms. Giuliani: It is the merchants' or institutions' form of
identifying or authorizing access.
Senator Wallace: In the industry you obviously have a sense of what it
is, but the breadth of it is currently unknown. I am looking at it objectively,
aside from the industry, at lawyers and those trying to enforce these sections.
It is obviously serious. If someone is in possession of or trafficking in what
would be referred to as "or other authenticating information," it is
significant. Because I am not in the industry, I do not get the sense of the
boundaries of it. If someone is in possession of whatever that is, they could
have a serious problem, so I think there is a need to define things clearly.
On one hand, I agree that we need a breadth so that we do not box ourselves
in so continuing changes in technology and industry do not mean we have to
continually amend the Code. As a lawyer, however, I do not have a certainty of
what that is, and it is a significant concept.
Ms. Giuliani: Some examples may assist with context. They would be
lists of passwords or secret words that would gain you access through telephone
authentication, the PINs you use with your cards, and online passwords and
codes. It is anything that gets you through.
The Chair: Senators, these are such interesting and important
witnesses that we are taking more time than usual with them, but we are now well
into overtime and we have other witnesses waiting.
Senator Wallace: This question should be relatively easy, I think.
Identity theft is a serious problem in our society, as we all recognize. Bill
S-4 is a serious attempt to address it.
From your perspective, is there an urgency that parliamentarians and
legislators get on with enacting this bill with the consideration of the
amendments you have proposed?
Ms. Giuliani: Absolutely. As I specified in my remarks, the deterrent
factor is missing right now. It seems too easy to recruit people in relatively
modest positions who have tremendous access to information. No one is thinking
twice about carrying big piles of information because it is difficult to connect
it to something. The urgency is certainly there, primarily for the deterrent
Senator Wallace: Mr. Rennie and Mr. Jamieson, do you agree with that?
Mr. Rennie: I agree.
Mr. Jamieson: I agree too.
Senator Campbell: My cop antenna goes up when I hear that the losses
are $470 million a year. Ms. Giuliani says that she has 500 that are averaging
$250,000 a pop, which is $115 million. It seems to me that the fraud we
traditionally think of is penny ante compared to fictitious identity fraud.
How will the chip, cordless technology, the telephone, et cetera, stop me
from putting together a fictitious identity? How will you find that out? Fraud
has been going on forever, and we have some pretty good investigation techniques
for that. You gave the example of ordering a credit card for a daughter. One
could shoot those orders off in all directions. How do you catch up with that?
Mr. Rennie: Using the card industry as an example, fraud has been with
cards since the beginning. Sophisticated practices have been put in place to
detect the problem quickly and to deal with it. The losses might be $400
million, but they would be dramatically higher without those procedures in
I do not think that these measures will have a substantial impact in that
arena. It is more about pure identity theft and it falls into the category of
what types of controls need to be put in place in that industry around
Senator Campbell: Can we differentiate between identity theft and
fictitious identity? How do we go between those two with the technology or the
changes that you want here? How does it even make a difference, except that we
have to broaden the terminology to cover the technology that is being added?
Ms. Giuliani: When reading the bill, we thought about it from both
vantage points, from stealing an entire identity and doing a straight
impersonation, and from taking components of someone's identity, and we found
that it is covered in so many places. The one that jumps out at me is "falsely
represents themselves." That would be covered whether it was a real person or a
Am I missing something?
Senator Campbell: My question is, how does this new technology stop
people from putting up a fictitious identity?
Mr. Jamieson: If you are talking about chip and PIN technology, it
Mr. Rennie: It is not intended to, either.
Mr. Jamieson: No. It is intended to secure the point-of-sale
transaction at the time of transaction with the higher- level security and the
higher level of cardholder verification.
The process of applying for a card is still managed by our client member
banks. They screen applications and go through the credit bureaus as a method of
further identifying individuals.
The Chair: Since we are running up against the clock, I will ask the
remaining senators to put questions and ask the witnesses to respond to them in
writing, if that is agreeable to all.
Senator Dickson: You replied to Senator Wallace that there is urgency
in this bill going forward. My question relates to similar legislation in the
United States. Have you studied existing legislation there? Are there
significant differences between what we are now proposing and what is now in
existence in the United States? Technology is moving so fast that it is
difficult, as Senator Wallace said, to draft legislation that keeps up.
Mr. Rennie: We have not done any comparative research. However, the
rate of card fraud, which is all we can speak to in Canada, is considerably
higher in Canada than in the United States. I am not sure whether legislation is
the reason for that or if there are other causes.
Senator Dickson: Are the sanctions proposed in this legislation
satisfactory, or would you like them to be more onerous?
Mr. Rennie: I think the sanctions are satisfactory. As I said earlier,
the problem is organized criminals. If you are really going to address the
problem with the legislation in hand, you have to go after the organized
criminals behind it.
With all respect to the United States, the U.S. Secret Service is intimately
involved in counterfeit fraud. They are very successful and they are aggressive
in their prosecutions. That could be part of the reason for the difference.
Senator Dickson: While I agree with the amendments you are proposing,
would it be more beneficial to the industry to get this bill through the House
of Commons and the Senate as quickly as possible? In other words, you could come
back in two years to make the changes. Technology moves along.
Senator Angus: Rather than have the amendments now?
Senator Dickson: Yes, rather than have the amendments now.
The Chair: We are the court of first instance.
Senator Joyal: It is an S bill. The bill was introduced in the Senate.
It has not passed in the other place.
The Chair: There is no delay.
Senator Joyal: We can send it back and forth; there is no delay here.
Senator Angus: The sponsor is here now anyway. They were just
protecting the sponsor.
The Chair: I think we interrupted the witnesses who may have wished to
respond to the question.
Mr. Jamieson: What is challenging in the U.S., is that you see a lot
of bills that come in at the state level and then at the federal level. It is
confusing to try to follow the law on what they are doing about identity theft
in the U.S., because there are so many different bills being introduced at
different levels of government.
To Mr. Rennie's point, the fraud situation is still there in the U.S., and
globally as well. I believe that specifically this bill will have a huge impact
on identity theft-related crimes.
The sentencing is appropriate, but that is what is listed in the Criminal
Code. Whether that is what is handed out, dispensed, is the challenge you get.
The sentence, even for credit card-related offences, tends not to be a
sufficient deterrent in Canada. Depending on where the individual is being tried
and the impact on the community in the area, a sentence could be conditional, it
could be six months or two years. That is the challenge we have.
Senator Campbell: It is the same with any crime.
Mr. Jamieson: Yes, it is.
Senator Dickson: I am really impressed by the substance of the
amendments that you propose. Since the government lawyers probably should have
consulted you before they drafted the bill, it would be helpful if you came
forward in writing to us with instructions to draughters so they have a better
comprehension of what should have been in the bill. It would have been less
The Chair: We will be asking them to respond in writing, so perhaps we
could add that to the list.
For a second round, we have Senator Milne, Senator Angus and Senator Joyal. I
will ask them to put their questions, which we will ask you to respond to in
Senator Milne: My question is really a concern. Mr. Jamieson, you
talked about chip cards, which are virtually impossible to copy. However, there
is technology out there that can read them from a distance, I am informed.
I was reading an article just the other day where the U.S. border service now
can read all the information that the banks have embedded in the chip on your
particular card, plus the PIN numbers, and they know this before you drive up to
the border. I am concerned about how secure these are.
The Chair: If you could respond to that in writing, please. It is
fascinating but we really are short of time.
Senator Angus: My question has to do with the practice that has grown
up to give more business not only to the merchants, your clients, but to the
card companies, of giving out your number of your card. On television, you see
these things, dial 1-800 and you get this fancy new product; just phone in and
give your credit card number and it will be delivered tomorrow. I have always
felt this was a dangerous thing. I do not give mine and I am unpopular at home
for being like that because I have made it a rule. I would like to know the
general parameters around that. Is it risky and does the bill help to prevent
theft of your data by being what I call careless with your number?
Senator Joyal: With that new method of payment, which will be by
phone, in my opinion the risk of fraud will be multiplied. Contrary to the
credit card that you must have on you, the phone can be operated from outside.
Mr. Rennie: Not that far away — it must be that close to the reader.
Senator Milne: Yes, but you do not always have it on you.
Senator Joyal: Did you evaluate the additional risk of fraud with that
new method that is being developed now, which would make the payment easier? How
much does the ease of payment multiply the risk; and if so, what are the
measures that can be taken to prevent that risk from happening?
The Chair: I know you are all yearning to answer and we are all
yearning to put more questions, too; but I will quite ruthless and stick to what
I said, which was to ask you to answer these questions in writing.
You can tell how very interesting, informative and helpful we have found your
testimony. We thank you so much for being here. It has been most useful for us
Mr. Jamieson: Can we get a transcript of the questions so we know
exactly what we are answering?
The Chair: We will put them to you by tomorrow morning, in one way or
Mr. Jamieson: Thank you very much.
The Chair: We are now very pleased to welcome, from the Royal Canadian
Mounted Police, Chief Superintendent Stephen White, Director General, Financial
Crime; and Stephen Foster, Director, Commercial Crime Branch, which means, I
suppose, that you are very expert in the issue before us. Have you decided which
of you will speak first?
Chief Superintendent Stephen White, Director General, Financial Crime,
Royal Canadian Mounted Police: Thank you very much, Madam Chair, honourable
members of the committee, for inviting us to be part of today's hearing with
this opportunity to present the RCMP's perspective on the current state of
identity theft and fraud in Canada.
Before computers and the widespread use of the Internet and other associated
technology, stealing and using another person's identity was a relatively
difficult crime to commit. Criminals had to invest considerable time and effort
in the process and the risks were high. To assume someone's identity, a thief
had to break into a house or steal a purse or wallet. Today's
technologically-adept thieves can do just as much damage in the time it takes to
swipe your bank card through the reader at a cash register.
The same technology that has made our lives more convenient by allowing us to
shop from home and operate in a virtually cash-free marketplace has also given
rise to countless new criminal opportunities for identity thieves. They can now
steal your personal information from the comfort of their home offices half the
world away taking advantage of everyday transactions that require people to
share personal information for identification purposes.
The techniques used by identity thieves range from the primitive to the
highly sophisticated. They steal your mail and go through your household garbage
looking for bank and credit card statements. More technologically advanced
thieves hack into computer databases and tamper with card readers in retail
location. Parallel to the evolving nature of technology, criminal techniques are
involving at a pace that's just as rapid.
Today, the methods adopted by criminals to commit economic crime are
increasingly sophisticated. There are strong indications that organized crime is
more involved in financial crimes across multiple jurisdictions which further
increases the complexity and challenges of criminal investigations.
The growing impact of identity theft and fraud is deeply troubling. In an
April 2009 report, the United Nations Office on Drugs and Crime stated that
identity-related crime is linked to other activities involving organized crime,
terrorism, corruption and money laundering. A 2008 EKOS survey found that nine
out of ten Canadians were somewhat concerned that they could be victimized by
identity theft and fraud. The survey also indicated that Canadians ranked
economic crimes, fraud and identity theft as their number one concern, more
troubling than terrorism, organized crime and gang violence.
That is why we have to view economic crime as being every bit as serious as
many other types of criminal activity. While it is true that identity theft and
fraud, for example, are less physically dangerous than many other types of
criminal activities, their social damage can be very severe and can undermine
the trust that people have in their society.
The cost to a person who has had his or her identity stolen can be enormous:
Financial loss and the investment of hundreds of hours try to re-establish
identity and good credit all take their toll.
A recent study by McMaster University estimated that, in 2008, 1,700,000
Canadians identity theft victims spent 20 million hours and 150 million dollars
clearing their names.
Of course, individuals are not the only victims. Stolen identities are also
used to commit frauds involving government services, benefits and official
documents. Financial institutions and retailers, the foundations of our economy,
suffer growing losses every year.
Evidence indicates that identity fraud is not just committed by enterprising
individuals. Organized criminal groups are also applying their considerable
resources to this expanding field of opportunities.
Quantifying the damage is extremely difficult. Many instances of this type of
fraud go unreported so definitive statistics are hard to come by. PhoneBusters,
the Canadian anti-fraud call centre jointly operated by the RCMP, the Ontario
Provincial Police and the Competition Bureau of Canada, can only maintain
statistics on the complaints they receive. In other words, the more than 11,000
complaints received by the call centre in 2008 reflect only a small percentage
of the problem.
In March 2009, the Canadian Council of Better Business Bureaus indicated that
identity theft was the faster growing type of fraud in North America, with the
cost of consumers, banks, credit card firms and retailers estimated to be in the
billions of dollars each year.
Raising public awareness about protecting personal information is currently
the best tool we have for preventing identity fraud. Along with members working
in RCMP detachments across the country, members in our financial crime units
make numerous presentations to educate the public on this issue. Whether these
presentations are made to businesses, government agencies or community groups,
the messages are the same: Protect your personal information; shred unwanted
personal documents; be wary of suspicious emails.
Prevention is still the best cure, but prevention can only do so much.
Currently the Criminal Code does not contain specific offences pertaining to
identity theft. Most Criminal Code offences related to property crimes were
enacted before computers and the Internet were even invented. While the Criminal
Code addresses most fraudulent uses of personal information by identity thieves,
it does not address the unauthorized collection, possession and trafficking of
personal information for the purpose of future criminal activity.
The RCMP is in favour of legislation that will criminalize identity theft and
fraud-related activity. Bill S-4 will close legislative gaps that currently
allow criminals to collect, possess and traffic in personal identification
information and documents.
Why be reactive when we can be proactive? We must constantly examine our
environment to identify new tools that can greatly assist in investigating
white-collar crime. Legislative amendments aimed at closing the identity theft
gap would help the RCMP and other law enforcement agencies protect not only
individual Canadians but also the integrity of our economy. We welcome laws that
will move us closer to this goal.
Madam Chair, honourable members of the committee, that concludes my prepared
remarks, and we would now be happy to answer any questions you may have.
Senator Wallace: Thank you for the presentation, Superintendent White.
We have heard thoughts on this from a number of different witnesses. Some have
looked at the bill from a technical point of view, but you deal with it on the
front line. You are dealing with the results of identity theft and identity
fraud. The public looks to you to protect us as best you can, and you need the
tools to do the job.
As you pointed out towards the conclusion of your presentation, you say that
legislation aimed at closing the identity theft gap would help the RCMP and
other law enforcement agencies, not only to protect individual Canadians but
also the integrity of our economy. That would undoubtedly be true.
Is that what Bill S-4 will do? Is it an example of that? Is it the type of
legislative amendment that you are looking for and feel will better protect
consumers in this country?
Mr. White: Yes, definitely. One of the big gaps we see now with
identity theft and identity fraud is the front end of the whole identity fraud
process, and that is the actual collection, possession and potential trafficking
of the personal information. Right now, for follow-up fraudulent activities,
quite a number of offences currently in the Criminal Code can address the actual
fraudulent activity conducted with the personal information. It is the front end
that has a significant gap, and this legislation can definitely provide us with
the tools that we need from a law enforcement perspective to address that front
Senator Wallace: I take it from your comments that you feel Bill S-4
is a tool that law enforcement needs now, there is a sense of urgency to it and
that it should not be put off for another day?
Mr. White: Definitely. From our perspective, this is a piece of
legislation and a tool we would like to have immediately.
Senator Wallace: Thank you.
Senator Milne: Gentlemen, you were present during the last
presentation, so you heard the suggested amendments to this bill. Do you agree
with these amendments? Perhaps it might help if you had a copy of them and could
read them. I think they are more specifically laid out in the Visa presentation.
The Chair: Since they are a little technical, if the witnesses do not
feel comfortable responding right away, perhaps we might give them copies and
ask them to respond in writing.
Mr. White: Today is the first time we heard of those amendments.
Senator Milne: You probably do need to analyze them a bit, but I would
certainly hope you can respond in writing quickly.
My other question would be similar to that I asked of Ms. Giuliani. We have
had witnesses before this committee who spoke of the fact that modern identity
theft is moving from small numbers of people who stole large amounts of money
through identity theft or credit card theft to much larger numbers of people who
are just stealing a few dollars, anywhere from $1 from people's bank accounts to
$100. Quite often, people would not even realize that money had gone. They would
think they did not add in the interest this month or whatever. These are usually
unreported and, if they are reported, they are too small for the police to
bother with, because you have to husband your resources as well. Do you see this
Mr. White: I am not sure if there is a trend. I think it has been
consistent over the years that people who are defrauded of a small amount of
money will not come forward and report it. One of the challenges we currently
have in terms of trying to identify a good national picture of identity theft
and identity fraud here in Canada is that the statistics we have are only those
complaints that are actually reported. Our estimate is that a very small number
of complaints of identity theft or identity fraud activities are actually
reported, and a recent study by McMaster University definitely reinforces that.
The whole issue of identity theft and identity fraud has changed from the
past, coming from more traditional methods. A lot of activity now is migrating
to the Internet, the cyberworld, so more tools and techniques are available to a
broader percentage of the population. Committing identity theft and identity
fraud is easier today with technology, so just by progression, you will have
more people involved in that type of activity for the very reason that it is a
significant way to make money.
Senator Milne: They can do it from home.
Mr. White: They can do it from home, and it could be profitable.
Senator Milne: Have you found that? Does the RCMP have any statistics
Stephen Foster, Director, Commercial Crime Branch, Royal Canadian Mounted
Police: We would not have specific statistics on how the identity theft
would have occurred. There is a broad range of activities by which your identity
could be stolen, and we do not have statistics related to the break-out of how
Senator Joyal: My first question is in relation to the force's
capacity as a crime investigation unit in relation to identity theft. My
question is simple: Do you have the personnel capacity to investigate the
dramatically increased number of crimes related to identity theft, as we have
heard from the previous witnesses, following the adoption of this bill? In other
words, it is good to adopt legislation, but if we stay with the same resource
capacity, we will not meet the target we would like to achieve, which is to
fight this kind of crime.
Mr. White: That is a very good question. In terms of our ability to
investigate new offences that would be brought into play with this new
legislation, like every other type of criminal activity that occurs, we will
never have enough resources to investigate it all. Our approach has been to try
to get the best information and intelligence collection nationally so we can
identify the biggest organizations operating in this domain and, in terms of
prioritizing, going after what we consider to be the biggest threats.
This piece of legislation may give us a jump start, because right now,
without identity theft as a criminal offence, we have to wait until the fraud is
actually committed and then do a fraud investigation, which may take more
resources to conduct. The new offences proposed in the legislation will enable
us to move forward with a criminal offence prior to the fraud even being
committed, and that would be the possession of the personal information. In many
ways, it will assist us from a resourcing perspective. Instead of having to do a
lengthy identity fraud investigation, it will potentially give us a tool so that
we can be at the front door and identify people involved in this activity before
they get involved in the second level, which is the actual fraudulent activity.
Senator Joyal: In other words, you will be more efficient in fighting
crime with the personnel resources you have rather than trying to simply add
personnel to the forces to meet the same results?
Mr. White: Primarily. You have heard the statistics on the volume of
identity theft and identity fraud out there, and we will never be able to
investigate all instances. As with any other criminal investigation or domain of
criminal activity, we would try to get the best and most complete information
and intelligence that we can nationally and identify the biggest groups,
organizations or threats, and that is where we would prioritize our
Senator Joyal: You referred in your presentation to the United Nations
Office on Drugs and Crime report. Do you not see a need to be able to fight the
tentacles of that kind of crime that might be organized outside of the borders
of Canada? The technology, as you know, is now worldwide. Do you not feel that
there should be better cooperation through a treaty with, for instance, the
United States and some of the European countries which share some similar
objectives and priorities with Canada, to help you to pin the author of that
kind of fraud? Most of them are systemic. It is not just the person who steals
someone's purse or wallet and goes to the shop and uses the card. That is small
fry in comparison to the organized crime that sets up an operation and locates
it in a country where they could operate through the Internet and so on. In
other words, do you need an international instrument to be more effective in
fighting the origins of the biggest ones?
Mr. White: Definitely, it is extremely important, because with
technology, a lot of the activity that is targeting Canadians is taking place
outside of Canada, and that will probably only increase with other advances in
technology. The critical point here is that we have strong international
cooperation with other countries in terms of law enforcement and from a judicial
standpoint as well. We are involved in a number of initiatives and working
groups. For example, we have very good cooperation and exchange of information
with the Americans in this domain.
There are always ways to improve. I am not sure if treaties would be the
answer. We would need further consideration. International sharing of
information and intelligence between law enforcement agencies is critical for us
to be able to go after the larger international organizations operating from
within Canada or across multiple countries at the same time.
Mr. Foster: Many of the investigations of this nature are already
international. We are communicating with other law enforcement agencies where
necessary. We can take action under the existing legislation and the Mutual
Legal Assistance Treaty. We are in close contact with the FBI and the legal
attaché's office here in Ottawa. There is regular cooperation in this domain to
the extent that we will draw witnesses internationally or have peace officers
testify internationally if necessary.
Senator Joyal: You have the internal capacity in terms of mastering
the technology, to be able to trace back and follow up on the investigation,
which does not stop at the border. As you said, the largest number of identity
theft crimes perpetrated and fraudulent activities related to that start outside
of Canada. You have to be as efficient abroad as in Canada in order to identify
the origin of the crimes.
Mr. White: Yes, definitely. As Mr. Foster mentioned, one of our major
tools is the Mutual Legal Assistance Treaty that Canada is a signatory to along
with many other countries. It is one of our primary tools for sharing of
evidence in criminal proceedings between countries. The RCMP has a network of
international liaison officers for day-to-day sharing of information and
intelligence with other countries. We are now established in 25 or 26 countries.
They are our front-line, everyday gateway to facilitating investigative activity
from an investigation in Canada out into a foreign jurisdiction. They basically
establish the networks and cooperation we need with foreign law enforcement to
pursue our Canadian investigations. That works very effectively.
Senator Milne: I have a supplementary question.
You spoke about international cooperation. How well are police forces within
Canada sharing information currently? Is it still a work-in-progress?
Mr. White: It is always a work-in-progress. The best way to answer
that is that many different police forces probably receive complaints locally,
whether from a small town in British Columbia or the Toronto police. The
challenge is trying to get all of that information and intelligence into one
centre. That is what is required for us to get a good understanding and national
perspective of identity theft and fraud. We need to get that into a central hub
or collection area because it is difficult to get the whole picture if we just
have pockets of information and intelligence across the country.
Senator Joyal mentioned earlier identifying the international linkages. It is
as important to identify the national linkages because many groups are stealing
identities and payment cards in one province and moving the whole operation to
another province to use them.
It is critical and it is something we are constantly working on. There is
good cooperation amongst law enforcement agencies. We are currently looking at
getting tools together that can bring all the information and intelligence into
one hub to give us the complete intelligence picture.
Senator Angus: Senator Milne started questioning you on something in
the paragraph near the bottom of page 3 of your written submission. You are
basically saying much of this is going on and only the tip of the iceberg comes
to your attention through complaints. You mentioned three sources. I was
confused why the Competition Bureau is there and how it fits with the OPP and
However, I assume reporting is less than 10 per cent. That is only an
Mr. Foster: Are you asking as a multiplier that we see the tip of the
iceberg with 10 per cent?
Senator Angus: Yes.
I got into a discussion with the officials when the bill was first brought to
us about my car having been broken into. Many of us have had the same
experience. I lost all kinds of documentation including the types listed in the
bill and also tax returns and other documentation that you do not like to have
flying around. The general response seemed to be that this material is sent out
of the country quickly and into the hands of central or sophisticated
organizations that operate businesses stealing identities.
I made my complaint to the local Montreal police. They told me they average
hundreds of such break-ins of cars per night. I do not think you probably ever
heard about my car.
Let us say it is 10 per cent of the thefts that take place in Canada. It
might be a much greater number because the thefts not reported are being
perpetrated by the same people who perpetrated the ones that are reported. Is
that a reasonable conclusion?
Mr. White: One of the best recent surveys on identity theft in Canada
in terms of completeness is that from the School of Business at McMaster
University in July 2008. One of their findings was that few cases of identity
theft were reported to police. It was only 13 per cent according to their
survey. That is probably the most recent survey we have. It is a low number that
Senator Angus: Would you think that the people who perpetrated that 13
per cent are the same people who perpetrated most of the other 87 per cent? In
other words, is it a small number of perpetrators, if it is from big organized
Mr. White: I do not think our statistics would demonstrate that. Our
perception is that it is much broader.
Senator Angus: There are many people involved.
Mr. White: Many people and organizations are involved. It is not
limited to a small, select group of organizations.
Senator Angus: Everyone has raised the issue of resources and the
ability to enforce. You have your limitations and my colleague who is no longer
here was a policeman himself. He says he has never heard of any law enforcement
agency that said they have enough money to do their job.
It is well known in Canada. We did a study of insider trading and
while-collar crime in the securities markets. An organization was created
between the RCMP and IMETs. The year we studied it, in 2007, it had 93 files
open and not one prosecution. That highlighted a need.
We have limited resources. There is recognition that there is a huge problem.
I gather you people had input with the government drafters in terms of what is
included in this bill and you are relatively comfortable that, in terms of the
law as a deterrent, it is adequate. It is a "step one," right?
Mr. White: It is definitely a "step one" and it is a huge deterrent
for that front-end activity, which is the actual theft of the personal
Senator Angus: Then, the next step would be allocation of more
manpower and money, et cetera. It is so widespread. It is one thing to have the
law. Am I right? Am I leading you to the correct answer?
Mr. White: I think you are asking if we need more resources.
Senator Angus: I understand you do. It is great to have the law, and I
think we need it. There are a series of bills coming through the committee that
are trying to create greater deterrence and to show that society is becoming a
little fed up with all of this criminal activity. However, I am troubled,
obviously, as I think my colleagues are, that it is all well and good to have
the laws on the books but, if we cannot enforce them, what are we doing?
Since we have the privilege of having you here — this is not right on the
point of the bill — but do you have any suggestions or other things that could
be done, other than just money?
Mr. White: Again, in terms of enforcing the legislation, the way we
look at as it giving us one extra tool. When we do hit the street, before, where
we had to go out and wait for someone with that personal information to actually
use it for criminal or fraudulent activity, which occurs in most cases, now we
do not have to do that. Now, if we do identify that individual with the personal
information and it is evident that the individual in possession — whether it is
documents or debit or credit cards — will use it for a criminal or fraudulent
activity, now there will be another tool and another offence we can use at the
outset. That is the key for us.
Senator Angus: How would that work? Would that enable you to hold them
and ask who they are reporting to? Would it be that sort of thing? In other
words, would it enhance the investigation?
Mr. White: Definitely. That would be part of it. Whenever anyone is
arrested and charged with a criminal offence, talking to us is voluntary. At an
early stage of this identity theft and fraud process, with a new tool and
offence, we are able to arrest and charge an individual at the outset.
Whether we are able to glean any additional information or intelligence from
them with regard to whether they are part of a larger organization is no
different than any other investigation. If we arrest a drug trafficker, for
example, sometimes we would get information of a larger organization. Sometimes
we will not. We are not saying we will go out and do a lot more investigations,
but it will give us what I think is a rich tool to identify this activity at the
front end. That is the great benefit for us.
Senator Chaput: Senator Angus just asked the questions that I was to
ask and I have the answers to those questions. Thank you.
The Chair: You used your time well, Senator Angus.
Senator Baker: In other words, the witnesses are saying that, when you
create a new offence under Canadian legislation — primarily under the Criminal
Code — then, of course, all the tools of the Criminal Code come into play and
you can do your investigations. However, without there being an offence, you
cannot conduct the investigations or be suspicious or have reasonable grounds.
I am looking for a suggestion from you — and I do not know if you will
proffer one — as to what can be done to improve the legislation before us, given
the fact that this is not an ordinary offence, as we know the word "ordinary"
pertaining to an activity that takes place within the jurisdiction of Canada. We
have heard from witnesses who have told us that the biggest organizers of this
crime are outside our boundaries.
Therefore, the logical question is: Is there something missing from the bill
that you can think of that perhaps you could use, because the provincial
jurisdictions will obviously come to you to investigate something that is
outside the jurisdiction of Canada. Is there something that could be
incorporated into this bill to assist you in the investigation of these new
offences that we are creating?
Mr. White: I cannot think of anything that comes to light right now.
Mr. Foster: We would not necessarily investigate crimes that are
wholly outside of Canada. There would have to be a connection back to Canada
that would interest us and be of a significant level so that we would actually
prioritize it with the resources that we have and say, "This needs
investigation, and it is international in nature."
If it was already being investigated by another agency, we would also assist
in that type of investigation. However, the extent to which this legislation
actually targets and makes an offence outside of Canada, et cetera — is
something like that your question?
Senator Baker: No, it is not my question. My question is quite simple:
You cannot lay a charge if the offence does not take place within the
jurisdiction of the territory in which the charge is being laid.
If you are laying a charge in Canada and you have new offences under this
act, is there anything that can be put into this bill to assist you? Tomorrow,
we are hearing from the Privacy Commissioner and she will tell us that she is
investigating cases outside the jurisdiction of Canada because the offences the
fraud being perpetrated is on a person who lives in Canada. The fraudulent
activity, however, is being organized outside of Canada.
She will then call upon you, if she finds a criminal offence has been
The Chair: Is this hypothetical or do you happen to know what she will
Senator Baker: I imagine it, looking at the case law from PIPEDA. I am
looking for something from the witnesses, if they care to proffer it. If they do
not, I understand. However, is there something here we are missing?
Senator Joyal: This might help the witnesses. Let us make a parallel
with terrorism. A terrorist activity might start outside of Canada, but it might
have an impact in Canada, through all kinds of means of communication. There is
a parallel to be made between a criminal activity contemplated in this bill,
which you stated properly is mostly being managed outside Canada, and terrorism
activity with origins outside Canada.
If you want to be as effective in fighting this crime as we pretend to be on
terrorism, in my opinion you must have similar legal means to fight that crime
as much as you have for terrorism.
Senator Baker: Does anything immediately come to mind?
Mr. White: The dialogue we are moving towards is: The actual offence
is committed by individuals outside of Canada. It is all done over the Internet,
for example, by an individual, say, in South America. He has stolen the
information and is sitting in South America, over the Internet. Now he has your
To commit a fraud, it would have to be committed somehow in Canada. If he is
going after your bank account, or getting into your credit card account, that
would be activity related to Canada. In that case, there would be criminal
activity occurring here in Canada. The identity theft part would have been
conducted outside of Canada because he is in a foreign jurisdiction now.
Similar to other criminal activities that we would investigate, we could
potentially lay a charge here in Canada against that individual. The challenge
would be getting him back to Canada to prosecute him. We could do so if Canada
has an extradition treaty with the other country.
It is not much different from other criminal activities that we investigate.
An individual involved in a conspiracy to import narcotics into Canada may be
based in another country, but the importation occurs in Canada, so criminal
activity occurs here. We can investigate and lay a charge against that
individual. Whether we can get him back to Canada to prosecute him is another
Senator Dickson: You made reference earlier to cooperating with 20
agencies or police forces around the world. I assume the reason for that is that
some of these gangs are located in those jurisdictions. Is the law in those
jurisdictions similar to this bill? Is it stricter? How does this bill rate
against their laws? You want to get the big criminals first, I assume, and you
must have some idea of who the gangs are.
Mr. White: Definitely. It would depend on the country. I am not in a
position to speak about what the legislation is in many countries where we have
liaison officers. If there is similar legislation in those countries, it is
possible that we could pass evidence on to those countries that would enable
them to charge an individual who committed the crime in their country. That is
if there is local legislation that would enable the foreign authorities to lay a
charge in that country. That is also a possibility, and the exchange of evidence
in criminal matters could be facilitated through the Mutual Legal Assistance
Some possibilities exist, but it would depend on the circumstances of
individual cases. It would be hard to say generically. We would need a broader
addition to this legislation.
Senator Baker: I asked the question because you used the example of
the Controlled Drugs and Substances Act throughout your presentation. As you are
aware, we passed that law, and prior to that, the Narcotics Act, which contained
special provisions that are beyond search warrants for which you are being given
authorization here, 487 warrants and 492.2 warrants. They are beyond that, that
is, they are warrants in which for example you do not have to identify the time
in which the warrants will be exercised, it could be 24 hours a day, and so on.
These are special provisions to fight drug offences. There are no special
provisions here. You are simply being added to sections of the Criminal Code
that give you all the standard tools that are used in investigating other
I was wondering whether you felt that in this case, as we have done with
controlled drugs and substances, special provisions should be instituted to
fight identity theft.
Mr. Foster: This legislation targets that gap that exists, as opposed
to the CBSA and Narcotic Control Act. The special provisions and special tools
in those cases are intended to fill gaps related to that activity. This
legislation targets the preparatory acts that precede a fraud but relate to the
collection and trafficking in personal identification information. In that
sense, this is a special tool for us, because it does not currently exist. We
are filling that gap.
The Chair: We thank you both so very much. It is very important for us
to have heard from the RCMP, since you will be charged with using this
legislative measure once it becomes law.