Thank you, Mr. Chair. Good morning. My name is Linda Routledge and I am the Director, Consumer Affairs with the Canadian Bankers Association. With me is my colleague William Crate, the CBA’s Director of Security and Intelligence. We are pleased to be invited to discuss Bill S-4, the Digital Privacy Act, which would amend the Personal Information Protection and Electronic Documents Act.

The CBA works on behalf of 60 domestic banks, foreign bank subsidiaries and foreign bank branches operating in Canada and their 280,000 employees.

The banking industry has long been a leader in privacy protection. Given the nature of the services that banks provide to millions of customers in communities across Canada, banks are trusted custodians of significant amounts of personal information. Privacy and protection of clients’ information is a cornerstone of banking. Banks take very seriously their responsibility to protect customers’ information, and are committed to meeting not only the requirements of privacy laws but also the expectations of our customers.

We participated in all aspects of the consultation process that was part of the five-year review of PIPEDA. Bill S-4, which is the product of that review, contains valuable amendments to PIPEDA that will significantly enhance Canada’s privacy framework.

We are pleased to have this opportunity to voice our support for many provisions in this legislation, including the new breach notification and the financial abuse provisions. We are concerned, however, that the amendments to eliminate investigative bodies will create uncertainty and may significantly limit the type of information that banks currently share to prevent criminal and terrorist activity.

Breach Notification and Reporting

The banking industry supports the requirements in the Digital Privacy Act for organizations to notify individuals about a breach of their personal information where there is a real risk of significant harm. In fact, banks already notify clients in the rare instances of such a breach so that individuals can protect themselves from fraud or any other misuse of their personal information. We are in favour of reporting material breaches to the Privacy Commissioner. We also support the Commissioner’s new oversight powers to ensure organizations comply with these new provisions.

We look forward to working with the government on guidance and/or regulations to set out the details of how these provisions will be implemented, thereby providing an effective framework to ensure Canadians are notified in a timely manner. It is important for all stakeholders to work together to protect the personal information of individual Canadians and Bill S-4 effectively creates a framework for that to happen.

Financial Abuse

The CBA has long advocated for amendments that will help seniors and vulnerable Canadians from becoming victims of financial abuse. We applaud the government for including an important amendment in Bill S-4 that would allow banks to notify a family member or authorized representative in suspected cases of financial abuse. When bank employees see situations in the branch that suggest potential financial abuse, it is the customer’s savings that are at risk and bank staff want to be able to help them avoid financial abuse.

At present, PIPEDA only allows a bank to report suspected cases of financial abuse to a government institution such as the police or the Public Guardian & Trustee, and only when there are reasonable grounds to believe that a law has been contravened. The suspicious behaviour that bank staff may witness may not necessarily suggest that a law has been broken. It can still be a very real case of financial abuse, yet banks are constrained in what they can do to assist their clients. Even when banks suspect unlawful behaviour and are able to report the suspected abuse, they are often told that police or the Public Guardian & Trustee do not have sufficient resources to undertake an investigation.

Our support for this provision is guided by the best interests of our customers, particularly groups most susceptible to financial abuse, such as seniors. Banks want to ensure their staff has the ability to protect their customers from financial abuse and this provision is an important tool in that regard.

Financial Crimes

While we are supportive of the majority of provisions in Bill S-4, we are concerned that some of the proposed amendments may hinder the ability of banks to protect our customers, our employees, our communities and the financial sector from crime

Current regulations under PIPEDA contain a list of designated investigative bodies through which organizations can share personal information under conditions set out in the Act. The CBA’s Bank Crime Prevention and Investigation Office, or the BCPIO, was among the first investigative bodies approved by the government and it has been in operation for almost 15 years. The BCPIO’s information sharing policies and procedures across organizational boundaries are clearly understood by Canadian banks along with other participating financial institutions. It is this formal relationship that allows banks to detect, prevent and suppress criminal activity, such as:

  • Theft of data / personal information;
  • Criminal breach of trust;
  • Proceeds of crime;
  • Money laundering;
  • Terrorist Financing;
  • Cyber-crime;
  • Bank robberies; and,
  • Physical attacks on critical infrastructure.

The Bill proposes to replace designated investigative bodies with a framework for the disclosing and sharing of personal information between organizations. In our view, the new provisions, particularly the wording of proposed provision 7 (3) (d.2), may not allow banks the same scope as the investigative bodies to detect, prevent and suppress the full range of criminal activities. In particular, we are concerned that the proposed change limits disclosure to circumstances where it is “reasonable for the purposes of detecting or suppressing fraud or of preventing fraud”. Many of the criminal activities I have just listed are not captured by the term “fraud.”

If these provisions are passed in their current form, we believe that the ability of the banks to protect the financial system and our customers from criminal activity may be severely hampered.

We ask the Committee to consider amending the Bill to allow approved investigative bodies such as the BCPIO to continue with their important work. Alternatively, if the Committee wishes to maintain the proposed approach in Bill S-4, we recommend that the legislation be amended to ensure financial institutions can share the information needed to detect and prevent other types of serious criminal activity beyond fraud.

Conclusion

In closing, we want to reiterate the banking industry’s support for many aspects of Bill S-4 and ask the Committee to consider amending the Bill to help protect Canadians from financial crimes.

We look forward to continuing to work with the government and this Committee to enhance and modernize the standards governing the protection of personal information in the private sector.

We look forward to your questions.