Rebecca Ma, deputy general counsel and chief privacy & compliance officer at Interac, has a clear-eyed perspective on managing the evolving regulatory landscape across jurisdictions. Though Interac operates exclusively in Canada, which streamlines its compliance efforts to federal and provincial regulations, Ma believes this is both a benefit and a challenge.
"We only have to really account for the federal and the various provincial requirements," she tells Lexpert, which offers a certain level of simplicity. However, what truly sets Interac apart is its proactive approach to monitoring global legislative developments, notably in Europe, to anticipate and prepare for similar regulations that could impact Canada.
A good example of this forward-thinking strategy is how the company prepared for the potential impact of GDPR. While GDPR doesn’t directly apply to Canadian companies, Ma recalls how prior experience in a company with European subsidiaries gave her invaluable insight.
“That gives you an insight of what's going on with Canada," she says, noting that Interac was largely ready when new privacy legislation, such as Quebec’s Law 25, began to make its way through Canadian law.
But Interac’s compliance model doesn’t stop at meeting the legal minimum. Instead, they aim higher, building a compliance culture that not only adheres to the law but also considers broader expectations from regulators, consumers, and stakeholders.
"It's compliance to the letter of the law. That’s your baseline – then you also have to look at the regulatory expectations,” she explains. These include expectations from the Bank of Canada, customer demands, and even the high standards set by their clients, which include nearly 300 financial institutions across the country.
When it comes to addressing privacy laws across different provinces, Ma points out that Interac applies the highest standard as its baseline.
“If you were a customer and you resided in Quebec, then one law applies to you," she notes. "But if you move to Ontario, we would apply the federal law to you – and if you move to BC, we would apply the BC Act."
In the highly regulated financial services space, especially with the increased scrutiny on payments and data, Ma says Interac operates under a unique governance model and has the Prominent Payment Systems (PPS) designation by the Bank of Canada. This designation reflects the critical role Interac e-transfer and debit products play in the daily lives of Canadians. As a result, Interac must maintain a compliance program that not only meets basic legal requirements but also accounts for heightened risk standards.
"People trust you. There’s a lot of fraud on various systems and you need to ensure that your risk and security requirements are above par," Ma adds.
Regarding anti-money laundering (AML) requirements, Ma offers a nuanced explanation. While Interac is not directly captured under AML legislation, its role as a central player in Canada’s financial system puts it at the heart of AML processes.
"We support our participants, who include many financial institutions, with making sure that we're helping them comply with their AML requirements," she explains.
Fraud prevention is another major concern. With Canadians losing an estimated $567 million to fraud in 2023 alone, Ma knows better than most the gravity of the situation.
"Fraud is one of the greatest threats to our digitalized economy," she says, stressing the importance of enhancing their products to detect and prevent fraudulent activities. Interac has introduced solutions like Interac Verified, which helps organizations confirm the identity of individuals to combat fraud, as well as leveraging its position to detect fraud across its payment systems.
“We’ve done a lot of work because of our unique position, running a payments ecosystem, and we will continue to do that," Ma adds.
When it comes to emerging technologies like blockchain and AI, Interac is embracing innovation while taking a balanced approach.
"We make sure we have the right foundational governance policies and frameworks in place to identify risks, monitor, manage risks, and continuously update ourselves," Ma says. “We always keep it in consideration that this technology helps us take a leap forward, but it also could pull you back a little if things aren’t done right."