:
Thank you, Mr. Chair, and good afternoon, honourable members.
I'm pleased to be here with Mr. Lambert. I have with me Monsieur Juneau, who's going to assist us in flipping through these slides. I would have found it very difficult to do both at the same time.
On behalf of FINTRAC, I'd like to thank you for the opportunity to go through exactly what FINTRAC is and who we are. I know we're an agency that's not particularly well known, so hopefully I'll be able to expand a bit today on what it is that we do and how we do things.
FINTRAC is the Financial Transactions and Reports Analysis Centre of Canada.
[Translation]
Incidentally, the presentation will probably be mostly in English, but of course we can also answer questions in French.
[English]
We were established in 2000. Our enabling legislation is the Proceeds of Crime (Money Laundering) and Terrorist Financing Act; I won't go through all its iterations and all the amendments. We're an independent agency that reports to Parliament through the Minister of Finance. We're the FIU, which is the financial intelligence unit, and also the compliance regulator of those businesses that are subject to the PCMLTFA. We're headquartered in Ottawa. We have three regional offices: one in Montreal, one in Toronto and one in Vancouver. The regional offices do our compliance, our exams and our assessments on all the reporting entities that report to us. All our intelligence is done through our office in Ottawa. Our budget is about $55 million a year, give or take.
We are not—and this is an important point and one that's not always understood—an investigative agency. We are an administrative financial intelligence unit, which means that we receive reports. We cannot actively go out and collect reports. We cannot ask reporting entities to give us specific reports on specific individuals or entities. We do not do any covert work on the web. We don't do any dark web investigative covert work or anything like that. We exist to analyze the reports that we receive under our legislation and from the reporting entities that are required by law to report to us.
We're also limited a little bit in our legislation in terms of specifics. If you were to ask me whether or not I disclosed on a particular case or a particular person, I would not be in a position legally to answer that. If I were to say whether or not I disclosed a particular case on a particular person, it would essentially be tantamount to making an illegal disclosure, for which I'd be subject to a potential five years in jail. As you can appreciate, it's not something that I would like to do. We can't talk specifics, unfortunately, with respect to the cases that we do, but we can talk about how we do it, what we do and what we do generally.
On this first slide, as you can see, we have the number of reporting entity sectors. These are the reporting sectors that must, under our legislation, report and provide reports to us. Our key regime partners in Canada include a number of different agencies and departments, all responsible for certain aspects of the anti-money laundering and anti-terrorist financing regime in Canada. The disclosure recipients, those to whom I can legally disclose depending on when we meet our legal threshold for reporting and for disclosing, are shown on the left of the slide.
Included in the types of reports that we receive at FINTRAC are electronic fund transfers in and out of Canada that are $10,000 or more, and there is a 24-hour rule applied to that as well. We also receive large cash transaction reports of $10,000 or more and casino disbursement reports on $10,000 or more going into or out of a casino. We receive terrorist property activity reports and suspicious transaction reports.
The suspicious transaction reports are in fact what we like to call our bread and butter. There are no monetary thresholds, and it's up to our reporting entities when they deem something to be suspicious relevant to money laundering or terrorist financing to report that to us. They usually provide us with a narrative as well. This provides us with significant quality information that we can then disclose to our law enforcement partners if we meet our own threshold of suspicion that it is relevant or would be relevant to a money laundering or terrorist financing investigation.
Also, while the CBSA is not a reporting entity, we do receive from them cross-border currency reports and cross-border seizure reports as well. We also receive voluntary information records from law enforcement and national security agencies, and we can get that from other government agencies, as well as the public, if they want to submit their own suspicions or their own information on what they perceive as or think is money laundering or terrorist financing.
We also receive queries and disclosures from our international partners. We have 105 MOUs signed with international foreign intelligence units. They can share information with us and we are at liberty to share information with them according to the MOUs that we have signed.
What do we actually do? We get our reports from our reporting entities. On the compliance side we ensure through exams, assessments and different techniques that they in fact are complying with the legislation's regulations under the PCMLTFA. Once we receive the reports, we will then do our own intelligence and analysis on those reports. We will obviously connect those with voluntary information records that we may receive from law enforcement and national security agencies. If we reach our threshold to disclose, we will then disclose tactical financial intelligence in support of ongoing investigations or, in some cases, we will proactively launch investigations.
We also do strategic intelligence in looking mostly at trends, topologies and research that we do on upcoming and emerging technologies and emerging threats to the financial institutions or to the anti-money laundering and anti-terrorist financing regime in Canada.
In terms of the number of reports we receive, we receive approximately 25 million reports a year—all reports, all told. From there, that's what we base our analysis on. As I said earlier, we are not investigative, so we cannot go out seeking additional information. We will of course use open source information to supplement our analysis prior to providing disclosures to our law enforcement or national security agencies.
As I said, we do tactical financial intelligence. That's typically related to specific targets, individuals, entities or investigations. We provide that to police. We can provide that to law enforcement and national security agencies, depending on the thresholds. We can also provide that to the CRA if there is a tax evasion, for example, or to the CBSA if there's an inadmissibility question. We can also provide it to our international partners if there is a connection between Canada and an international partner or another country. If we have an MOU and if we have authority and approval from our law enforcement partners in Canada, we could provide that to our international FIUs as well.
We also do a fair bit of strategic intelligence in order to look at analytical perspectives on the nature, scope and threats in this. It's obviously a fast-moving world when we're talking about anti-money laundering and anti-terrorist financing. We try to stay on top of that as much as we possibly can. We have a strategic intelligence unit that does that.
In terms of our contributions, we have provided disclosures on all types of fraud, including romance scams. We'll go straight to that on the public-private partnership that we launched with HSBC and the Canadian Anti-Fraud Centre, as well as law enforcement and major banks across Canada. Project Chameleon was launched in 2017, building on the success of Project Protect, which was on the money laundering related to human trafficking. This is on money laundering related to romance scams. It is, according to the Canadian Anti-Fraud Centre, one of the biggest and most lucrative types of scams in Canada. It tends to focus on seniors, as you can imagine. I don't think I have to explain what a romance scam is, as we probably all know, but if that comes up in the questions, we'll answer later. In light of time, we'll go to the next slide.
Again, rather than go into all of this, we'll look at our role on the strategic intelligence side in addressing the emerging technologies. We do keep track of innovative financial technology—fintech—trends and developments. We have people whose job it is to do that type of research. We work with our international partners as well, through Egmont or the Financial Action Task Force. We also will work with other international partners to develop trends, topologies and reports and to identify potential threats in the regime—they could be on the regime or potentially on the regime in the future—in looking at where the emerging technologies are and the intersection with anti-money laundering and anti-terrorist financing.
Mr. Chair, I think I've come in just under the time allotted. I will leave it at that. I'm available for any questions you may have.
:
That is a good question, and I am going to respond in English, because this is getting a bit more technical.
[English]
As you know, around the world, a lot of this is in English, so if I'm talking cryptocurrencies—in French I think it's cryptomonnaie—we're seeing a couple of things. Yes, it is faster. The speed of transactions is certainly faster.
If you look at things like romance scams, for example, yes, money laundering tends to be proceeds of crime. However, when it comes to romance scams, the proceeds are already in the financial system. This is the use of social media and the use of different ways of either anonymizing or representing yourself falsely and using social media to take advantage of people: They're sending money to you and you're using that to launder it. The crime is perhaps the false representation of yourself as opposed to committing a physical crime of robbing a bank and then trying to launder that money.
You are correct. It is quicker, and it can bypass.... If you're using cryptocurrency-type stuff, you can bypass the financial system itself to do that.
We're also seeing that the speeds at which transactions can happen are increasing. As for the types of crimes, with the use of social media and those types of things to steal identities and represent yourself falsely—such as putting false representations on Facebook and those kinds of things to “friend” people and take advantage of people—we're seeing more of that. Certainly, the ability to use the Internet and open source to identify potential victims is something that criminals are taking advantage of as well.
Then there are the other areas where you're looking at ransomware, for example, in which a fake email might be sent in or they're taking over somebody's computer and requesting payment from them to get back their access to their computer. We have seen cases of ransomware internationally. That seems to be a growing field right now in terms of criminals being able to take over and request payment. More and more, they'll request payment in cryptocurrency as opposed to cash or an email transfer.
Yes, the ability to use computers is increasing the capacity.
:
Without giving away trade craft.
The reports come in. We have an air-gapped database. Contrary to most financial intelligence units in the world, police, law enforcement...no one else has access to our database, not unless you work at FINTRAC, and that's only if you work on the tactical intelligence side and only if you're working on that particular case. There is “need to know” within the agency as well.
Essentially, the information comes in. Let's say it's a suspicious transaction report and one of the two people who look at this finds some key words. It looks like #ProjectProtect, for example, dealing with human trafficking. They would read through the STR. They would give it to a team leader in the geographic area. STR teams are set up by geography. They would give it, for example, to the central region team leader, who would then take it and do some quick searches in the database to see if in fact we have transactions. They would give it to one of our analysts, who would then take that STR and go through it.
Often the STR, especially with Project Protect, will identify that money went from this account to this account, or this IP address to this IP address. We would take that and search the rest of the database to see if we had other additional transactions that could be brought together to provide a very good picture for law enforcement.
Once we have that, we will put our own case together. We have summary sheets. We have transaction tables. We have i2 charts. We have fact sheets that identify who is included in the disclosure and why. We will do some open source information. We'll also look in our database to see if this is related to any other previous cases on which we disclosed. If so, we will include that. Then we will send that out to the appropriate law enforcement agency.
:
Good afternoon, Mr. Chairman and honourable members of the committee, and thank you for the opportunity to speak with you on this issue of cybersecurity in Canada's financial sector.
As introduced, I am Chief Superintendent Mark Flynn, the director general of financial crime and cybercrime within the federal policing criminal operations area.
I'm here today with my colleague Chris Lynam, the acting director general of the national cybercrime coordination unit, who will also provide a brief opening statement following my remarks.
[Translation]
I'll start by describing what cybercrime is and the types of activities cybercriminals are engaged in.
[English]
Cybercrime includes crimes where technology is the primary target as well as where technology is the enabler or instrument for other types of criminality, whether it is financial crime, including fraud and money laundering, the trafficking of illicit drugs or other national security offences.
Cybercrime is a global problem that is multi-faceted and complex with multi-jurisdictional elements and new and continually evolving technologies that impact the safety and economic well-being of Canadians and Canadian businesses. Canadian businesses and individuals, especially vulnerable members of our society such as the elderly and young people, are targets for cybercriminals because of our relative wealth and open, Internet-dependent economy. ln particular, the financial sector is targeted by cybercriminals both directly and indirectly. ln other words, Canadian financial institutions' systems are attacked from two sides, namely, via a company's infrastructure itself or via the portals through which the company's clients access its systems.
To explain this further, I'll go into more detail. Cybercriminals may attempt to directly compromise the financial institution's computer infrastructure through attacks that grant unauthorized access to the core systems themselves. These attacks are attempts to make a profit through the theft of money from those systems or through the movement of money through those systems, to steal private information or, in some cases, to damage the reputation of the company. These crimes are perpetrated by individuals working alone, organized crime groups or professional cybercriminals employed by larger entities, including foreign state actors.
Criminals also indirectly attack financial institutions by obtaining user credentials or other personal information to gain unauthorized access to individual user accounts. Obtaining these user credentials can be done in a number of ways: by using accessible tools from the Internet to obtain passwords, through social engineering or by simply purchasing large databases of personal information on the dark web. The relatively low cost of these attacks has enabled both malicious individuals and new organized crime cyber groups to undertake these attacks on an unprecedented scale.
The wide availability of a whole new range of illicit cyber tools has given rise to an entirely new cyber environment which consists of a wide range of entrepreneurial actors, including malware developers, infrastructure providers and administrators, and platform data resellers who collaborate with others in global networks or independently offer their services and expertise to others via the Internet for profit. We refer to this as the criminal cyber-ecosystem or, on some occasions, we call it cybercrime as a service.
When it comes to Canada's financial and commercial sectors, the volume and severity of cybercrime affecting Canadians and businesses is significant. Global financial services and institutions continue to be targeted by a range of malicious cyber-attacks that generate significant illicit profits for the perpetrators.
Also, the advancements in technology that can be used to assist traditional crimes such as theft, fraud or money laundering has led to a shift in the way that law enforcement must respond to large-scale cyber and financial crimes. Essentially, what we are witnessing are new cybercrimes and old crimes perpetrated in new ways.
In addition to cybercrime organized crime groups, professional money launderers and international money controllers are no longer bound by traditional methods of laundering money and moving their proceeds of crime.
Dark-web marketplaces, the growth of virtual currencies and complex trade-based money laundering schemes are examples of technology-enabled advancements and criminal techniques that have effectively eroded borders and allowed criminal organizations to set up a truly global footprint and a global reach that's associated with that.
Cybercriminals seek to profit through the deployment of malware, such as banking trojans; a multiplicity of online fraud scams; email compromise; or through extortion events, including ransomware or distributed denial of service, also referred to as DDoS attacks, etc. Any of these crimes can be perpetrated from inside or outside Canada.
These innovative cybercrime techniques reveal that the majority of current cybercriminality is financially motivated, as is the case with a lot of crime. It's about gaining access to money in the end and profiting from it.
While the RCMP has been gaining a better understanding of the scope and magnitude of the threat, challenges do remain. For instance, the global reach of cybercriminals means that law enforcement has to be concerned about criminal actors from around the world, no longer just the criminals who are within our borders. This is an international priority for many law enforcement agencies, which will continue to grow in significance and scale.
Furthermore, policing efforts in the cyber realm continue to face challenges largely due to the cross-cutting nature of cybercrime. It applies to all types of crime and it is borderless, as I stated. The borderless nature makes it possible for cybercriminals to commit their crimes across multiple jurisdictions. One cybercriminal can victimize numerous individuals on a massive scale in a way that is not possible in the physical world.
In response to the threats and challenges being faced, the RCMP's cybercrime strategy guides investigation and enforcement efforts to reduce the threat and help mitigate victimization and the impact of cybercrime in Canada. This approach is built on three pillars. The first is to identify and prioritize cybercrime threats through intelligence, collection and analysis. The second is to pursue the cybercrime and the criminals through targeted enforcement and investigative action. The third is to support cybercrime investigation with specialized tools and training.
The cybercrime strategy includes an operational framework developed to guide the RCMP's federal policing action against cybercrime. As cybercrime transcends all types of criminality, the use of specialized investigative teams is essential. The RCMP's federal policing cyber investigations are undertaken primarily today by our national division cybercrime investigative team. However, it leverages the expertise and other specialized investigative supports, such as undercover operations and tactical Internet operation support, which are necessary to augment the investigative outcomes.
The RCMP also plays a central role in the Government of Canada's overarching priority to provide for the safety and security of Canadians.
At this moment I'll turn it over to my colleague so he has a moment for opening remarks as well in relation to the new cybercrime centre that's being set up for law enforcement.
:
Good afternoon, and thank you, Mr. Chairman, for the opportunity to speak with you today.
As my colleague touched on, law enforcement is facing several challenges in addressing cybercrime. The traditional Canadian policing model is predicated on the assumption that the offender, the victim and the justice system are largely collocated jurisdictionally. However, as we know, most cybercrimes are multi-jurisdictional, if not multinational, impacting victims across traditional jurisdictions, and this brings into sharp focus the need for a coordinating mechanism.
Law enforcement requires a means to gather information and intelligence regardless of the jurisdiction, and a mechanism to coordinate investigative efforts. It is not efficient for multiple police services to be allocating scarce investigative resources on the same criminal activity in an isolated fashion.
Another key concern is that cybercrime is under-reported and there are varied reporting mechanisms in Canada, which is confusing for the public.
The 2017 Canadian survey of cybersecurity and cybercrime undertaken by Statistics Canada found that about 10% of businesses impacted by a cybersecurity incident reported the incident to a police service in 2017. Despite under-reporting, the number of cybercrimes reported to police in Canada has increased in recent years. In 2017, nearly 28,000 cybercrimes were reported to Canadian police, which is an 83% increase compared to 2014.
The under-reporting of cybercrime prevents law enforcement from connecting the dots and responding to cybercrime on a larger, coordinated and more targeted scale. It also hampers governments in understanding the magnitude and extent of the problem we are facing.
[Translation]
In response to challenges and to bolster Canada's ability to fight cybercrime, budget 2018 announced $116 million over five years and $23.2 million per year for the creation of the national cybercrime coordination unit.
[English]
The unit will be a national police service, stewarded by the RCMP, supporting and working with law enforcement across Canada. lt will act as a coordination hub for cybercrime investigations in Canada and will work with international partners on cybercrime.
I'm going to take an angle from my colleague Ms. Damoff. I know the position you're in in law enforcement, but I really have to tell you that from experience—and I'm sure Jim can attest to this—if we were in your position, we would say things like, “We wish government would have thought of this” or “We wish this legislation would have considered this”, because you're playing it out in the field. I don't want to put you in a bad spot, but I'm going to ask it differently.
This study is about protecting Canadians. This study is about ensuring that we have legislation in place that allows law enforcement to do law enforcement functions in a manner that will protect Canadians better, that will allow FINTRAC and every other agency that does this to do it better. You don't have to tell us specifically, but in the roles that you gentlemen play now, just give us a general theme as to what gaps you see that we as a committee can start looking at specifically to address those gaps to ensure that everything.... This is all about public safety. This is the public safety committee. Your role is public safety.
No offence, but sometimes it's easy to hide behind “Well, I can't say that”, but I actually think you can say that. From my experience, yes, you can say, “Here are the gaps that I see that law enforcement, that government, that whoever, can look at specifically.” I would offer you the courage to go ahead and do that.
Voices: Oh, oh!
:
I'll start with one element, and then I'll hand it over to Chris, because Chris will be responsible for some of this as we move forward.
Currently, we have the Canadian Anti-Fraud Centre. I'm not sure if you're familiar with that organization up in North Bay, which is a partnership between the OPP, the Competition Bureau and the RCMP. They do a lot of amazing work around fraud and understanding the problem. There is also severe under-reporting. We believe there's 10% or less, more likely less than 5%, reporting of fraud. However, that information, when it's collected en masse, is being utilized to shape some of our international operations in dealing with, say, call centres that are in other jurisdictions. There are actual results that are coming from that. A big part of that is understanding the problem, gathering the information, offering support to the victims.
I sat in on some calls when someone has called the Canadian Anti-Fraud Centre. The help that those call takers on the front line can give to those individuals when they call in to say they just lost a large sum of money, or even if it's a small amount of money.... They feel bad because of the fact that they've been victimized. Those call takers do an amazing job in helping those people understand they're not alone. They destigmatize it, help them get advice and guidance on where to go and what to do. It's making a significant difference.
They also have a very important—
[Translation]
the threats, in terms of cybercrime, are constantly evolving. It's therefore important that government and RCMP systems and structures be flexible and responsive to new threats.
[English]
What I will say as the person who right now is charged with putting together the new unit is that we did a lot of consultation, both with police services and with the private sector, to really understand how, particularly in the private sector, they are addressing this threat from a cybersecurity perspective. One of the key take-aways we had was that you have to constantly evolve.
We have the ability in building this new unit from the ground up to really push an innovation agenda and build a culture of being adaptive. We've even had success in terms of the funding, the number of positions we've been approved to have and ensuring we have enough IT developers within the unit to be able to change the IT system. If a new threat comes on the market and we need to very quickly change the public reporting systems so that Canadians and businesses can report it, we've accounted for that.
It will constantly be a challenge to try to even just keep pace with the cybercrime environment. From a culture perspective, we're going to do all we can to really make sure that it's not a bureaucratic structure that can't respond.
:
My biggest fear today is around the collective threat of all of the smaller compromises that are going on, or the number of small compromises that are used to then gather information that is leveraged in attacks against the banks and other online service providers that are out there.
When you add that small piece from each offence together, it creates some pretty significant numbers. When you talk fraud in general, and just look at seniors in 2017, and realize that there is 22 million dollars' worth of actual reported losses in the small number of reports that we get, that's a staggering number. You have to understand that has a significant impact on all of those individuals.
Gathering that information together, better understanding it and collecting the technical information that allows for investigation of those things is where we're going to have a bigger impact on Canadians. Also, it's important to move beyond just the security, and when we think of large corporations and the amount they invest in cybersecurity, it's appropriate. The attack platform that's out there, the number of criminals around the world who can now reach across the Internet to cause that harm is something they all should be concerned about.
Obviously, we're not on the defensive side; we're on the investigative side. We need to have the appropriate balance between the two in order for us to be able to both protect Canadians from a security perspective and pursue the people who are responsible for it. When we just do security, that allows the criminals to still be out there, to still commit their crimes without repercussions. We have to have an effective investigation going after them.
It's the same as a physical bank robbery. We would not just make banks more secure and throw every armed robber out on the street. We need someone to pursue them, and we have to do that in collaboration.