Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2009-012

Bank not responsible after new account was opened using stolen identity

[Section 3; Principle 4.6]

Lessons Learned

  • Organizations must collect only the information that is necessary for a specific purpose or transaction.
  • In circumstances where it is believed there is a higher risk of either actual or potential fraudulent activities, financial institutions may request more personal information from individuals to confirm their identity.
  • For identity thieves, personal information is a highly valued commodity.  Both organizations and individuals must be vigilant in protecting personal information and report it when it is lost, stolen, or used fraudulently.

A fraudster used forged identification of an individual to open a bank account in the individual’s name. When the fraud was discovered, the individual realized that the fraudster had also used an invalid address and telephone number when applying for the account. The victim claimed the bank could have avoided the fraud and the resulting impact on his credit rating by verifying this personal information before opening the account.

The Assistant Commissioner found that the complaint was not well-founded since the bank had followed the requirements for personal information collection when opening new customer accounts, as stipulated by the Bank Act:  The collection and verification of an applicant’s address and telephone number is not required in normal circumstances. While the bank could have verified the information, it had no reason in the circumstances to doubt that the identification provided by the fraudster was counterfeit.

The following is an overview of the investigation and the Assistant Commissioner’s findings.

Summary of Investigation

A fraudster opened a bank account at a branch of a Canadian chartered bank, using the following documents as identification: a passport, and citizenship and immigration and social insurance cards. These three documents were counterfeit and each bore a forged signature of the complainant. The passport and the citizenship and immigration card also bore a photograph of the fraudster. On the bank’s account application, the fraudster gave a false address and two telephone numbers.

After the bank opened the account in the complainant’s name, the fraudster borrowed money on the overdraft protection linked with the account and then defaulted on the required payments. When the complainant was contacted about missing payments, it was discovered that the identification provided to open the account had been false, and that it was not the complainant’s account. The fraud was reported to the police and the bank immediately contacted credit reporting agencies to correct the complainant’s credit reports. The bank also assisted in obtaining a new social insurance number for the complainant.

The complainant acknowledged that he had lost the contents of his wallet several years before; it was never retrieved. As for the current situation, he believed that the bank nonetheless did not make a reasonable effort to verify that the personal information and the identification were accurate when it opened the account in his name. For its part, the bank states that it was also the victim of fraud and that the identification provided by the fraudster was in accordance with the bank’s account opening requirements under the Bank Act. The Access to Basic Banking Services Regulations (SOR/2003-184) under the Bank Act specify what identification a bank must require in order to open a deposit account. Paragraph 4(1)(a) states the following:

the individual shall present to the member bank

  1. two pieces of identification from among those set out in Part A or B of the schedule at least one of which is from among those set out in Part A of the schedule….
  2. the individual shall disclose, orally or in writing, the information listed in Part C of the schedule if the information is not available on the pieces of identification presented by the individual….

Part A lists 10 pieces of acceptable identification, all issued by a Canadian provincial or federal government body. Part B lists 5 other acceptable pieces of identification issued by other specified organizations or by a foreign government.

The Canadian passport and the social insurance card presented by the fraudster belonged to the group of acceptable IDs from Part A.

From Part C, an address can satisfiy the requirements of the regulation if it is provided orally or in writing. The fraudster provided an address in writing.

While the bank’s account application forms had a box to record telephone numbers, the Bank Act’s regulations do not oblige the banks to either collect or verify them.

Findings

Issued August 24, 2009

Application: Section 3 states that the purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. Principle 4.6 states that personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

In making her determinations, the Assistant Commissioner deliberated as follows:

  • The information and identification collected about the applicant was in accordance with industry standards and regulations (i.e. the Bank Act regulations). The bank collected the sufficient amount and type of personal information to fulfill the purpose of opening an account. However, this Office recognizes that, in cases where there is cause for suspicion of either actual or potential fraudulent activities, financial institutions may request more personal information than they do in normal circumstances.
  • While the Assistant Commissioner acknowledged the unfortunate consequences of identity theft, in her view, the respondent cannot be held accountable in the circumstances for verifying personal information that it had no previous record of and for which there was no apparent reason to suspect its falsity. Neither the complainant nor the fraudster was known to the bank and the requisite documents the fraudster presented to identify himself all bore the same signature. The affixed photographs resembled the individual who presented himself to open the account. Thus, the information provided from the documents would consistently lead one to believe that it belonged to the account applicant.
  • The purpose of PIPEDA is to strike a balance between the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. The bank might have attempted to independently verify the address and telephone numbers provided by the fraudster, if it had had reasonable grounds for suspicion. However, there was no apparent reason for the bank to deem the circumstances suspicious.
  • Finally, the Assistant Commissioner noted that the bank was immediately cooperative and helpful to the complainant when it realized that his personal information had been fraudulently used and his privacy violated.

Conclusion 

The Assistant Commissioner concluded that the complaint was not well-founded.