TAC sub-committee meeting
Meeting summary
Date: Tuesday August 31, 2021
Time: 4:00 pm – 5:00 pm
Location: Virtual via Teams
This summary sets out the key points discussed at the August 31, 2021 meeting.
FSRA cyber security overview
FSRA provided the committee with an overview of its Cyber Security operating model and program. The program includes:
- Threat protection, detection, response and recovery
- Communication, training and awareness
- Risk assessment and management; and
- Policy and standards development
The capabilities that are delivered through the program are governed through oversight functions. FSRA utilizes a NIST framework, which is an industry standard that establishes security posture and helps to manage our program.
The committee questioned if the cyber security framework and activities have been subject to a third-party review. FSRA advised two third-party assessments have been completed to date, and self assessments are completed throughout the year.
RPP privacy concerns
The Personally Identifiable Information (PII) Approach was shared following concerns raised at the last sub-committee meeting. The concept of PII anonymization was presented, whereby a process would take place that would mask sensitive PII, and only release non-sensitive data sets to FSRA for analytical purposes.
Questions raised around triangulation of information, transfer of data, algorithmic transparency, and consent credit unions have around data collection were discussed.
It was noted that FSRA is governed by the Freedom of Information and Protection of Privacy Act (FIPPA), and are regulated for retention, collection and disposal of information. FSRA reiterated that the data we are looking to collect is for analytical purposes only.
Data modernization
One of the benefits regulators and financial institutions are seeing through data modernization is the simplification of financial reporting. FSRA recognizes we have many financial templates in different formats, that are submitted through different channels, and require different inputs from the credit union.
The future data collection strategy of a single data channel was presented, where existing/new financial templates would be merged with eFiling to reduce the number of platforms. In addition, some of the schedules would be replaced by source level data with the goal for this collection process to be automated with built in validation, where possible.
A question around filing frequency of source level data was raised, and discussions were held on quarterly versus monthly collection.
Update on progress of the RPP
The RPP RFP is the process by which we are looking for the solution to automate, collect and validate data. FSRA provided a status update on the process. Next steps include a review by FSRA Legal and Procurement and sub-committee input and review. Discussions were held regarding members previous experiences with RFPs for technology solutions and other approaches available, including an RFI. The sub-committee discussed how the proponent of the RFP should engage with credit unions. It was noted that a stratified sample across the different systems used by credit unions would be the right approach.
Attendance records
|
Invited/Attended |
Company Name |
Attendance Status (A)ttended; (R)egrets; (S)ubstitute; |
|---|---|---|
| Aleksandar Simic | FSRA | A |
| Brian Mullan | FSRA | A |
| Alena Thouin | FSRA | A |
| Allison Wendt | FSRA | A |
| Joanna Wearing | FSRA | A |
| Barry Doan | FirstOntario Credit Union | A |
| Pierre-Yves Monin | Caisse Desjardins | A |
| Mark Cauchi | Alterna Credit Union | A |
| Dominic Naimool | Kingston Community Credit Union | A |
| Patrick Barr | CCUA | A |
| Parna Sabet-Stephenson | Gowling WLG | A |
| Rob Palin | Fiserv | R |