Thank you, Mr. Chair. Good morning. My name is Linda Routledge and I am the Director,
Consumer Affairs with the Canadian Bankers Association. With me is my colleague William Crate,
the CBA’s Director of Security and Intelligence. We are pleased to be invited to discuss Bill S-4, the
Digital Privacy Act, which would amend the Personal Information Protection and Electronic
The CBA works on behalf of 60 domestic banks, foreign bank subsidiaries and foreign bank
branches operating in Canada and their 280,000 employees.
The banking industry has long been a leader in privacy protection. Given the nature of the services
that banks provide to millions of customers in communities across Canada, banks are trusted
custodians of significant amounts of personal information. Privacy and protection of clients’
information is a cornerstone of banking. Banks take very seriously their responsibility to protect
customers’ information, and are committed to meeting not only the requirements of privacy laws but
also the expectations of our customers.
We participated in all aspects of the consultation process that was part of the five-year review of
PIPEDA. Bill S-4, which is the product of that review, contains valuable amendments to PIPEDA
that will significantly enhance Canada’s privacy framework.
We are pleased to have this opportunity to voice our support for many provisions in this legislation,
including the new breach notification and the financial abuse provisions. We are concerned,
however, that the amendments to eliminate investigative bodies will create uncertainty and may
significantly limit the type of information that banks currently share to prevent criminal and terrorist
Breach Notification and Reporting
The banking industry supports the requirements in the Digital Privacy Act for organizations to notify
individuals about a breach of their personal information where there is a real risk of significant
harm. In fact, banks already notify clients in the rare instances of such a breach so that individuals
can protect themselves from fraud or any other misuse of their personal information. We are in
favour of reporting material breaches to the Privacy Commissioner. We also support the
Commissioner’s new oversight powers to ensure organizations comply with these new provisions.
We look forward to working with the government on guidance and/or regulations to set out the
details of how these provisions will be implemented, thereby providing an effective framework to
ensure Canadians are notified in a timely manner. It is important for all stakeholders to work
together to protect the personal information of individual Canadians and Bill S-4 effectively creates
a framework for that to happen.
The CBA has long advocated for amendments that will help seniors and vulnerable Canadians from
becoming victims of financial abuse. We applaud the government for including an important
amendment in Bill S-4 that would allow banks to notify a family member or authorized
representative in suspected cases of financial abuse. When bank employees see situations in the
branch that suggest potential financial abuse, it is the customer’s savings that are at risk and bank
staff want to be able to help them avoid financial abuse.
At present, PIPEDA only allows a bank to report suspected cases of financial abuse to a
government institution such as the police or the Public Guardian & Trustee, and only when there
are reasonable grounds to believe that a law has been contravened. The suspicious behaviour that
bank staff may witness may not necessarily suggest that a law has been broken. It can still be a
very real case of financial abuse, yet banks are constrained in what they can do to assist their
clients. Even when banks suspect unlawful behaviour and are able to report the suspected abuse,
they are often told that police or the Public Guardian & Trustee do not have sufficient resources to
undertake an investigation.
Our support for this provision is guided by the best interests of our customers, particularly groups
most susceptible to financial abuse, such as seniors. Banks want to ensure their staff has the
ability to protect their customers from financial abuse and this provision is an important tool in that
While we are supportive of the majority of provisions in Bill S-4, we are concerned that some of the
proposed amendments may hinder the ability of banks to protect our customers, our employees,
our communities and the financial sector from crime
Current regulations under PIPEDA contain a list of designated investigative bodies through which
organizations can share personal information under conditions set out in the Act. The CBA’s Bank
Crime Prevention and Investigation Office, or the BCPIO, was among the first investigative bodies
approved by the government and it has been in operation for almost 15 years. The BCPIO’s
information sharing policies and procedures across organizational boundaries are clearly
understood by Canadian banks along with other participating financial institutions. It is this formal
relationship that allows banks to detect, prevent and suppress criminal activity, such as:
- Theft of data / personal information;
- Criminal breach of trust;
- Proceeds of crime;
- Money laundering;
- Terrorist Financing;
- Bank robberies; and,
- Physical attacks on critical infrastructure.
The Bill proposes to replace designated investigative bodies with a framework for the disclosing
and sharing of personal information between organizations. In our view, the new provisions,
particularly the wording of proposed provision 7 (3) (d.2), may not allow banks the same scope as
the investigative bodies to detect, prevent and suppress the full range of criminal activities. In
particular, we are concerned that the proposed change limits disclosure to circumstances where it
is “reasonable for the purposes of detecting or suppressing fraud or of preventing fraud”. Many of
the criminal activities I have just listed are not captured by the term “fraud.”
If these provisions are passed in their current form, we believe that the ability of the banks to
protect the financial system and our customers from criminal activity may be severely hampered.
We ask the Committee to consider amending the Bill to allow approved investigative bodies such as
the BCPIO to continue with their important work. Alternatively, if the Committee wishes to maintain
the proposed approach in Bill S-4, we recommend that the legislation be amended to ensure
financial institutions can share the information needed to detect and prevent other types of serious
criminal activity beyond fraud.
In closing, we want to reiterate the banking industry’s support for many aspects of Bill S-4 and ask
the Committee to consider amending the Bill to help protect Canadians from financial crimes.
We look forward to continuing to work with the government and this Committee to enhance and
modernize the standards governing the protection of personal information in the private sector.
We look forward to your questions.