Voltaire, the pen name of the French author François-Marie Arouet, was the first to warn about not letting perfection be the enemy of good. “Le mieux est l’ennemi du bien,” he wrote, in Dictionnaire philosophique.
A little more than 250 years later, many of us still struggle with the idea. The financial services industry’s addiction to complexity trips up professionals, firms and their regulators. Consumers are left as vulnerable as ever.
We risk making the same mistake on anti-fraud investor protection. Here’s what Voltaire might suggest.
Require credit bureaus to immediately alert Canadians when anyone tests the locks on their financial house. Real-time notification — already done when there’s a credit card or bank transaction, or an unrecognized sign-in to an email or social media account — is a common-sense answer that shouldn’t require legislation. But it does.
The Office of the Privacy Commissioner already says that, “Generally accepted or common practices in a particular sector or kind of activity may be relevant to the reasonableness of a security safeguard.”
By charging a fee for automated access notification alerts that banks, governments, telecoms, email and social/digital platforms provide for free, the duopolistic credit bureaus operating in Canada are offside this free safeguard standard. And lest we forget, that fee is on top of what the bureaus already charge lenders to aggregate, and marketers to use, the customers’ data.
As we saw with the Canadian Investment Regulatory Organization (CIRO) and Desjardins data breaches, regulator communications and two years of credit monitoring are woefully inadequate. For starters, fraud usually occurs after three years.
CIRO has directed Canadians to contact call centres — often based in the U.S. and South Africa — where they’ve had to surrender personal data yet again.
Also, Americans have had the right to free credit freezes and thaws since 2018. While Quebec followed suit in 2023 after the 2019 Desjardins breach, the rest of Canada moves at a snail’s pace on this protection.
This isn’t about blaming CIRO or firms like Desjardins for data breaches that have put Canadians at risk of identity theft and fraud. It’s about simpler, more effective protections.