What do you mean by “on fumes”? I have all the actual content material here.
That's where I would disagree with you, Peter. I know we have worked together on a couple of committees now. I disagree that other committees could look at it. This is perfectly reasonable here.
Two, all the points I have made here would improve this motion, and I would be willing to vote for the motion. The only thing that hurts me now is that we have this amendment that's been approved to include the United Kingdom travel in it.
In consideration of this motion, ahead of time I went through and did a bit more work on open banking, on what other jurisdictions have done, what Canadians have said about it, what news outlets have written about the data and privacy side of things. We've all heard the stories about foreign hackers targeting Canadian banks and governments as well. It's happened multiple times, and cybersecurity experts told the same thing to members of Parliament at different opportunities.
So again, to go back to the point about the public safety and national security committee, that point was made by financial organizations that appeared at the House of Commons committee on public safety, but they haven't appeared here to tell us about the financial data impact, the reputation impact on those organizations. Most chartered banks and most financial institutions will tell you that in an open banking era where consumers are able to move around much more easily than they used to.... On mortgages, for example, you can go online and look at Ratehub and find all the publicly available data quite quickly.
As I mentioned at the beginning of this, if the intent is to say Ratehub is okay, it's already being done, 90% of everything is being done.
What we could look at is not specifically which organized crime organizations are doing it and the financial damage to the organizations, but we could ask financial institutions what their focus area is, what the reputational damage is, whether they have quantified that, what the potential loss is to the customer base, whether that is something they have considered, what opportunity they have seen.
Again, to fintech, which is one of my points here, a lot of large financial institutions are getting into the business of fintech. Either they are starting arms of their businesses to look at fintech or they are buying up smaller start-up entrepreneurial outfits that have some new fintech technology to share—either an app or an algorithm or artificial intelligence they are looking at. That's the type of information we should be getting before the committee here.
I'll mention a Global News article on February 6, 2019, because it's recent. It talks about FireEye, which routinely uncovers major underground sites selling thousands of stolen Canadian credit cards at a time, sometimes from major banks but also targeting customer accounts at smaller banks and credit unions.
If you will remember—and this is much more the credit unions—when we introduce new regulations or we approve of regulations by OSFI and others, we should take a look at what open banking will do to large financial institutions that have the capital base, the employees and the ability to adjust how they do business. They have a larger client base, so they can adjust how they're doing business, versus the smaller players in the market. We have a heavily concentrated banking sector and we should also be looking at these new up-and-coming financial institutions and how we can make sure they are not wiped out potentially by something like open banking that is introduced too speedily or too slowly or doesn't allow the opportunity to compete with the larger players.
It's already happening that major banks are suffering from it, but oftentimes criminal organizations target smaller institutions, which is why it is worthy.
Paragraphs (a) and (b) make sense. They refine the study areas on privacy, and you could say that the ethics, privacy and information committee should be looking at this, but we should look at the security risks involved and the consent consumers should be providing.
Another article I want to mention is written by Howard Solomon: “Organizations still fall short on cybersecurity, Canadian breach response expert tells privacy conference”. They mostly focus on organized crime and the types of criminal activity out there and they use the word “mind-blowing” on how much financial information is available on Canadians online that you can just purchase. In the area of open banking, would that facilitate thieves' stealing the banking information of Canadians, or is there a way to make it safer for Canadians to do that type of business? What would happen in a situation where somebody approves, on a customer's behalf, some type of data or information transaction and then they lose it?
Setting those limits and looking at what other jurisdictions have set, but also within Canada and what fits for Canada, falls within the amendments to paragraphs a) and b) that I am proposing we do.
OSFI, the Office of the Superintendent of Financial Institutions, has issued an advisory. The following is based on an article from January 30:
The Office of the Superintendent of Financial Institutions ("OSFI") today issued an advisory setting out new guidelines for how federally regulated financial institutions ("FRFI") report technology or cyber security breaches.
We have a government considering open banking in the budget. We are considering a motion for the committee to look at open banking, but we have a regulator that has already gone ahead on two of the points in the main motion, which corresponds to two of the points in my amendment, and has already proceeded with establishing rules.
The rules are detailed. If the committee will indulge me, these are the rules they have. This makes it a reportable incident so it means you need to track the information, you need to be able to put it into a report, and then you need to provide it to OSFI. This would be a regulated lender, which would exclude a lot of other financial institutions.
This is the depth of information they want. They want: significant operational impact to key critical information systems or data; material impact to FRFI operational or customer data including confidentiality, integrity, or availability of such data; significant operational impact to internal users that is material to customers or business operations; significant levels of systems service disruptions and extended disruptions to critical business systems operations; the number of external customers impacted as significant or growing; negative reputational impact that may be subject to public or media disclosure; material impact to critical deadlines, obligations and financial market settlement or payment systems, such as, for example, financial market infrastructure; significant impact to a third party deemed material to the FRFI; material consequences to other FRFIs or the Canadian financial system; a FRFI incident that has been reported to the Office of the Privacy Commissioner or local foreign regulatory authorities. They gave 72 hours' notice through the lead supervisor for that particular...
You can see how detailed that is already. Forgive me for providing a very detailed amendment, but you have a regulator that has already proceeded to establish some ground rules. To meet the requirements of OSFI, any regulated lender would have to somehow collect all of that information, synthesize it into a report, and then provide it to them in, I'm guessing, an understandable format, which already will include by default a lot of customer information and customer data. It will have to include exact total amounts of damages, whatever way they quantify it, which is, again, why I think it's reasonable to look at these two.
I won't read the full advisory, because I have it here. Again, it's very detailed. As to the duplication, it's already being done. The OSFI regulator is already doing it and already looking at it. I really think cybersecurity as it's mentioned in the original motion could be vastly improved with my two points.
We could then look at “c) the appropriateness of government bodies collecting the personal banking information of Canadians”, because if we have a situation where we're going to expect the information to be shared on a consent basis, but a customer controls information between financial institutions, I think we really have to look at how much information will be retained.
I know we live in a new era where Canadians are a lot more concerned about their privacy. I'm sure you all get the same types of messages when you send a letter or a survey into your riding asking questions. People are asking how we got their address, their name. We say it's a national list of electors, and we're trying to communicate with them because they're voters in the riding, they're constituents, and we want to hear from them to find out what they think of our proposals.
On the same basis, a financial institution may collect information on several clients over time, and then they have all this information. How long can they keep it? Until the person is no longer a client? What happens if there is a data breach in the meantime? Are they then responsible for disclosing a data breach for a former client? Is it just current clients? How long should they hold that information?
We saw the impact with Statistics Canada. StatsCan was trying to collect Canadians' banking information through a pilot project. That was 500,000 households, roughly 1.5 million Canadians, they had started to look at. Statistics Canada shouldn't expect to be able to just hoover up that type of information anytime it wishes to. I'm glad that program was suspended. Whoever made that decision to go ahead, to cancel that collection of information, that was the right thing to do.
That was probably one of the issues I got the most email traffic and phone calls about from people I had never heard from before who were really concerned about their private banking data now being held by StatsCan. I think Statistics Canada generally has a good reputation. Small business owners have issues with their surveys and the frequency of them, but they have a good reputation generally. Still people were concerned about all the banking information they were going to get.
People were telling me they thought StatsCan was going to get their Visa or Mastercard statements, that the agency would literally see every single transaction of theirs. I couldn't tell them that wasn't the case. I actually didn't know, which is why I think if we're going to have government bodies like OSFI making rules to collect information from banks and other regulated lenders, we should be able to direct them, through the ministry of finance, and provide the findings to the minister that perhaps would say OSFI shouldn't be then holding this banking information. It shouldn't be holding personalized information. How much information the banks have to share with the regulator, in cases of data breach, I think is important too. A regulator can suffer a data breach as well, and what would happen in those cases?
There are entire avenues to consider here. The Statistics Canada example is a perfect one. At the time, the Information Commissioner and Privacy Commissioner had already recommended the removal of personal identifiers before the data was disclosed to the agency. I think that's an important point here: if OSFI has made these regulations already, as of January 30, requiring this private data to be shared, are they going to be the ones removing any personal identifiers from banking information and client information from the bank or are they going to be doing it after the fact? That means that regulators at OSFI will know which Canadians by name and which accounts have a data breach, who has taken it, where they are, and which financial institution they're with. It's very detailed. Those are areas that we should be looking at.
We spend a lot of time, I think, as a parliament and as legislators legislating on Canadians and on people instead of legislating what government departments can and cannot do and what regulators can and cannot do or collect in terms of information. We should spend much more time looking at how civil servants are doing their jobs and whether we can put any timelines on their work, any restrictions on the work that they do, because they're doing it on behalf of Canadians, on behalf of taxpayers.
I think it's incumbent upon us to look at the appropriateness of government bodies collecting that type of information. There were a lot of articles that came out in November and December. A lot of Canadians, I'm sure, contacted all of you about the Statistics Canada not breach but pilot project. That's an important point. Some of the articles talked about things like bill payments, cash withdrawals from ATMs, credit card payments, or even account balances. There's a lot of information out there that could be open for sharing and open banking.
I think without looking specifically at government bodies, which we're not doing here in the main motion—to which I'm proposing to add (c)—we really should be looking at government bodies and our processes. I know the chartered banks and larger financial institutions invest heavily in their cybersecurity infrastructure. They put a lot of money towards it. But I wonder sometimes how much the government puts towards it and towards ensuring the cybersecurity of information it holds on behalf of Canadians.
There have been data breaches year after year. Stats Canada has had one of them, from the long-form survey. There have been very entrepreneurial journalists who've gone and found census surveys not shredded, not destroyed appropriately, in the garbage behind their building, perfectly available to anyone who just walks by. I think we should look at that.
It would likely be worth it to have the Privacy Commissioner come in and tell us, from their experience, what they have heard from the other committees that have looked at it, for all of the data breaches so far—just for government, not for financial institutions, and not just in terms of best practices but in terms of the best go-forward regulatory changes or legislative changes that we could propose to ensure that OSFI doesn't overreach.
On OSFI overreaching, I'd say they overreached on the B-20 stress test. I like bringing up that particular one. I think they went too far in what they did with the B-20 stress test, and I think they may go too far in other areas too. You heard me list for you the types of information that's being collected by the OSFI regulator, now with a requirement or a guideline to the banks.
That's why I think it's important. That's why I think we should be looking at it.
I want to move on to my next point:
d) the current landscape of the financial services sector in Canada, the major actors, levels of competition, and the sufficiency/stringency of regulations governing financial institutions;
We used to have a big five system. Now we have a big six system, where they own 90% of the assets in the banking system. That's based on the information I could find. Traditionally, it has been believed that a more concentrated industry is less competitive and is liable to compromise economic efficiency.
We saw during the 2008 downturn that our stringent regulatory financial rules actually helped us weather the storm much better. I would also add that it was thanks to a good prime minister at the time who knew what he was doing.
There was also a study by Bikker and Haaf in 2002 on 23 European countries. It found support for the traditional view that concentration impairs competition.
Perhaps during this open banking study we could consider whether that concentration, that stringency of financial regulations and financial rules, is still in the best interest of Canadians or whether there could be a nice middle ground between the two. Can we have the robust, stable financial system that we have now, with strong financial institutions that can weather a storm like we had in 2008-2009, or do we go full on with open banking, and does that compromise it in any way? That is what my amendment point (d)—my (d), which would be (d), (e), (f), (g), I guess, in the clerk and the chair's amended enumeration here—would be going to.
We can't look at open banking without looking at the current landscape and how that's impacting things. To do that, we would then have to look at what the big banks are doing, what the smaller lenders are doing, and what the opportunities are if other potential new lenders such as insurance companies jump into it. They're doing a lot of fintech development. There's the case of Meridian Credit Union, which is starting Motusbank without any branches. How will that impact the stability of the market? What are the regulations that they should be looking at?
What we have now is a financial banking environment that has comfortably accommodated what used to be the big five. Now you have the big six, with National Bank that has made its way into there, and there's a statutory 6% ceiling on bank lending rates, along with other rigidly modern features of conservative banking methods. It is a pretty conservative system. Their lending practices are fairly rigid.
What would happen then with financial product innovation? What would be the role of foreign financial institutions if Santander or a big American bank or regional bank wanted to participate? It could even be a merchant bank that is purely on the corporate side. If they wanted to participate in the Canadian market, what would be the rules?
You could have foreign institutions, perhaps, keeping Canadian customer information in Canada, or would these data centres be overseas? That's worth looking at in that landscape review. I don't think we can look at open banking without first looking at the banking system we have before us.
The regulatory changes introduced by the two bank acts allow financial institutions in Canada to conduct their functions more efficiently and to develop new products and services more effectively in an environment of competition and flexibility within the sector. The two bank acts I'm referring to are the act of 1967, following the Porter commission, and the act of 1980. More recently, the previous government introduced a division between banks and insurance companies that they may own. It was kind of a firewall between the two so that they couldn't easily share banking information.
It's all about building that ecosystem. I think that what open banking does is make jumping between ecosystems a lot easier for customers. It empowers them to make decisions for themselves. I would hope that in any changes that we look at, we consider how they would impact the landscape and how they would impact the flexibility in the sector for the organizations, the financial institutions side, and what risks we're placing upon them and upon the customers.
You may realize that you shared mortgage information with a company and that now they have it, 10 years later, and they're still using it. They're still trying to contact you, perhaps, or using it for modelling purposes now. Perhaps they're using it to model an optimal rate to offer young Canadians or older Canadians, but unbeknownst to you, they still have your banking information, or they still have your home equity line of credit balance from back then, and they are able to track a little bit what has been going on in the marketplace.
I don't think we can separate those two concepts.
Bank mergers.... This goes back to my point about labour and the impact on skilled labour retention, the impact on payroll taxes, openness—which is my point (f), which would be point (i) or (l). In the past, when the big five or the big six were requesting to merge, the decision was made at the time, on political grounds, to deny them permission to merge. It would have created an even more concentrated market, and even less choice for Canadians.
If we're going to allow for more open banking, that would mean potentially more entrants into the marketplace. A lot of smaller institutions would enter, maybe without brick and mortar branches. Perhaps they only have data centres. Perhaps they only have a corporate headquarters or maybe some regional branch just to keep financial advisors, underwriters and maybe mortgage specialists in the field. What would that do in the longer term for the share of the marketplace for the big banks if they don't adjust to it? If they have adjusted to it, would this lead to even more concentration and not allow an opportunity for competition?
I want to make a comparison to the struggles that Liberal and Conservative governments have had to foster more competition in the wireless sector. Different governments have tried different things through the CRTC—or trying to overrule the CRTC—to provide more competition in wireless communications. We all have cell phones. We all have these smart phones that we use for pretty much everything now, including our banking needs. It's all done on these devices now. The governments have repeatedly struggled to provide more competition there. I still hear that a lot of Canadians are unhappy with their choices.
Would that then be the case in open banking 10, 20 or 30 years down the line? Would we have a more concentrated market, or perhaps a very open market where the big six are no longer called the big six and we have the big 20 and there are no more branches? That would then lead to the problem of—