Attention: News and Business Editors
October 23, 2008
(OTTAWA)—The Public Interest Advocacy Centre (PIAC) today released “’Are You Sure You Want to Continue?’: Consumer Authentication at the Crossroads,” a report that calls for a major overhaul to Industry Canada’s “Authentication Principles”. The report laments the Authentication Principles’ failure to provide Canadian consumers with adequate protection when using the Internet to conduct business transactions such as online banking. The report offers a host of recommendations aimed at protecting the security and privacy of consumers who use electronic authentication to access finances or to shop online.
“Banks and retailers are not adequately protecting consumers who use their services online,” said John Lawford, Counsel for PIAC. “There is more they can do to reduce fraud and increase online security with little effort by upgrading their customer authentication systems but they have not been held to any real standard by these voluntary principles.”
The report notes that consumers are becoming increasingly wary of growing security and privacy risks, such as phishing, that are threatening the way they conduct online retail and banking transactions. In order to ensure consumer safety and confidence in online commerce, the report urges a greater role in the regulatory process be played by both the federal and provincial governments, and recommends that much stricter authentication regulations be applied to financial institutions under the Bank Act and other federal financial legislation.
To adequately protect consumers’ privacy while online, PIAC suggests the Authentication Principles be amended to include direct references to the standards of the Personal Information Protection and Electronic Documents Act (PIPEDA) and that consumers be given more choice in how to protect their privacy, such as the ability to decide which personal information will be used for authenticating them during an online transaction.
The report warns that consumer liability should also not be increased by new authentication and that contracts issued by banks and retailers make the provider of the payment system responsible for losses due to authentication failures, fraud and hacking. The report calls for consumer education about authentication coupled with disclosure requirements for banks and retailers to ensure consumers are told of problems with authentication systems.
Finally, the report suggests that a federal regulatory body, such as the Office of the Superintendent of Financial Institutions of Canada, be instructed to audit the authentication systems of financial institutions, in order that industry standards and the new Authentication Principles and legislation are followed, and that a similar audit system should occur at the provincial level to oversee retail authentication systems.
For more information, please contact:
John Lawford
Public Interest Advocacy Centre
ONE Nichloas Street, Suite 1204
Ottawa, ON K1N 7B7
(613) 562-4002×25
(613) 562- 0007 (Fax)
Full text of the report:

thumb_pdfAre You Sure You Want to Continue? Consumer Authentication at the Crossroads
Download File: authentication_final.pdf [size: 0.6 mb]