Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2002-40

Applicant objects to credit check as condition for opening bank account

[Principle 4.3.3, Schedule 1; and section 5(3)]

Complaint

An applicant for a bank account complained that the bank had improperly attempted to collect his personal information by demanding authorization to conduct a credit check on him as a condition for opening the account.

Summary of Investigation

The complainant wanted only a basic bank account into which he could deposit cheques and cash. He did not want a chequing account, an overdraft limit, a credit card, or credit in any form. The bank told him that to open an account he was required not only to provide two pieces of identification and his social insurance number, but also to sign a form authorizing the bank to run a credit check. Since he was not seeking any form of credit, he did not see why the bank would need to run a credit check on him. He declined to sign the authorization, and the bank refused to open an account for him.

The investigation confirmed that it was the bank's policy to run a credit check on any new account applicant and to require the applicant to authorize the credit check. The bank bases this policy on the need to obtain information for two purposes: (1) compliance with the Proceeds of Crime (Money Laundering) Regulations; and (2) reducing the growing risk of fraud to the bank.

The Proceeds of Crime (Money Laundering) Regulations do require banks to ascertain the identity of every individual who signs a signature card for an account, but also specify that the means of identification to be used are ". birth certificate, driver's licence, provincial health insurance card, passport, or any similar document." The Regulations do not require that credit checks be used for the purpose of identification. In fact, all banks do run credit checks on applicants for credit products, but for account applicants the policy varies from institution to institution.

The bank in question identifies "new account fraud" involving "identity takeover" as a real and fast-growing threat to the financial community. The bank argues that a credit check not only protects against identity theft and alerts the bank to persons likely to use accounts inappropriately, but also serves to prequalify customers for overdraft protection and immediate access to funds at automated banking machines (ABMs).

The complainant was willing to accept any conditions the bank saw fit to impose as an alternative to a credit check. He offered to forgo credit privileges such as overdraft protection and immediate access to ABM funds. He was agreeable to having a lengthy hold placed on deposited checks, or to depositing only cash into his account, or to refrain entirely from using ABMs. Given that he did not want credit in any form, he believed that the bank should customize its account-opening procedures in his case so as to reduce its risk by other means. The bank, however, said that the complainant's suggestions would not suffice to confirm his identity for its stated purposes and that in any case it was not prepared to customize account-opening procedures for individual customers.

Commissioner's Findings

Issued March 12, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.

Application: Principle 4.3.3, Schedule 1, states that an organization must not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes. Section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.

For the Commissioner, the question to be considered was this: Was it for legitimate purposes that the bank had attempted to collect the complainant's personal information through a credit check as a condition for opening an account?

The Commissioner determined that the Proceeds of Crime (Money-Laundering) Regulations did not require banks to run a credit check as a means of identifying a customer. He found therefore that complying with the Regulations was not a legitimate purpose for running credit checks.

As for the purpose of reducing the risk of fraud, the Commissioner considered as follows:

  • Whatever risk of fraud the complainant represented as an account-holder seemed to have been created largely by the bank itself through its policy of automatically providing new customers with overdraft protection and immediate access to deposited funds, whether or not the customer specifically sought such privileges.
  • The complainant did not want these or any other forms of credit and was in fact eager to avoid having credit that might lead to a risk of fraud to the bank.
  • The bank had not demonstrated to the Commissioner's satisfaction that opening an account under such conditions as the complainant had proposed would have incurred any serious risk for the bank or that the bank's own preferred method of reducing risk (i.e., credit checks) would have proved any more effective than the method proposed by the complainant.
  • A credit check being by nature an intrusion into highly sensitive personal information, as Privacy Commissioner he was opposed in principle to the running of credit checks as a matter of course. He felt obliged to ensure that the use of credit checks remain limited to cases of necessity in keeping with what he considered to be the only legitimate purpose for a credit check - i.e., assessing financial risk in relation to an individual actively seeking credit.

The Commissioner determined that reducing financial risk was not a legitimate purpose for a credit check in the complainant's case. Moreover, regarding section 5(3), in the absence of any evidence that running a credit check on the complainant would have actually achieved this purpose, the Commissioner was satisfied that a reasonable person would not have considered the purpose appropriate in the circumstances. He found that the bank was not in compliance with Principle 4.3.3 and section 5(3).

The Commissioner concluded therefore that the complaint was well-founded.

Further Considerations

The Commissioner recommended that the bank develop a procedure whereby individuals such as the complainant, who were unwilling to consent to a credit check but willing to forgo all forms of credit, could open an account by consenting to whatever alternative conditions the bank might see fit to impose by way of ensuring that no credit was advanced. He also recommended that the bank report within 90 days on its progress in developing such a procedure.