Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA Case Summary #2003-219
Bank requires credit checks as condition for opening deposit account
[Principles 4.3.2 and 4.3.3; section 5(3)]
An individual complained that a bank had demanded, as a condition of opening a new deposit account, that he submit to a credit check even though he was not seeking credit.
Summary of Investigation
The complainant noted that the bank's requirement was in conflict with a previous well-founded complaint filed with this office, in which it was recommended that the bank develop a procedure whereby individuals who were unwilling to consent to a credit check but willing to forgo all forms of credit could open a personal deposit account by consenting to whatever alternative conditions the bank saw fit to impose to ensure that no credit was advanced. Both the previous and the current complaints involved the same bank.
The bank did not dispute that at the time of the current complaint, it was still representing consent to a credit check as being a requirement for all new account applicants. The bank explained, however, that, despite the language of its policy and consent clause, the bank never actually made a practice of obtaining credit reports or reviewing credit histories in respect of new account applicants. Rather, it used the applicant's personal information to verify identity and conduct background verifications. This usage is now reflected in the revised language on the application forms. The term "credit" is omitted.
The bank's practice, however, is to conduct the background verifications on new applicants by running the individual's personal information against fraud-related databases of a credit bureau. In addition, the bank also conducts an identity verification through a software program that compares the information on the application form with corresponding information on the applicant's credit bureau file. If the bank finds any discrepancies, these systems prompt the bank to make further inquiries of the applicant.
The investigation also revealed that this so-called "identity" verification is not strictly limited to items of identification. The system automatically assigns an overdraft limit and client card entitlements for the individual. In order to do so, the system extends its inquiry into the individual's actual credit information on file, thus contradicting the bank's claims that it does not obtain a credit report or review credit history.
According to the bank, a primary objective in confirming the identity of the applicant through a credit bureau is to mitigate the bank's risk of fraud, including the growing threat of identity theft. The bank considers itself to be in a position of risk because it provides new account holders with overdraft protection in the form of immediate access to deposited funds and because it is required by law to provide banking card services for all new accounts. The bank maintained that its identity verification procedures complied with the expectations of domestic and international regulators and have been successful in reducing the bank's losses through fraud.
The Office consulted a report entitled "Customer due diligence for banks," issued by the Basel Committee on Banking Supervision, which is an international body composed of ten member countries, including Canada, that formulates broad supervisory standards and guidelines and recommends statements of best practice, with the expectation that individual authorities will implement them. The report presents a "know your client" framework and recommends that banks obtain all information necessary to establish to their full satisfaction the identity of each new customer and the purpose and intended nature of the business relationship. The report, however, also advocates that a graduated approach to identity verification be used and that the type of applicant and the expected size of the account be taken into account when determining the extent and nature of information collected for this purpose.
The bank does allow for alteration of its account-opening procedures in certain specific situations, by limiting access to funds and by placing a hold on funds deposited into the account. The bank, however, remains unwilling to customize its credit bureau inquiries for account applicants who simply want basic-service accounts without credit facilities or to otherwise alter its account-opening procedures in such cases. The Office confirmed with the credit bureaus that it is possible to customize the software programs used for identity verification.
The Office consulted the federal Department of Finance with respect to the new Access to Basic Banking Regulations under the Bank Act, which were to become law on September 30, 2003. These new Regulations will require member banks of the Canada Deposit Insurance Corporation to open deposit accounts and cash government cheques for any person who meets the requirements set out in the Regulations.
Section 3(1) of the Regulations sets out the following conditions under which a bank may refuse to open an account:
- if the member bank has reasonable grounds to believe that the account will be used for illegal or fraudulent purposes;
- if the individual has a history of illegal or fraudulent activity in relation to providers of financial services;
- if the member bank has reasonable grounds to believe that the individual, for the purpose of opening the account, knowingly made a material misrepresentation in the information provided to the member bank; . . .
Section 3 of the Regulations will permit banks to use credit bureaus services to
- determine if an account applicant has a history of fraudulent activity with respect to financial services institutions, and
- determine if the individual has misrepresented any of the information on their account application form.
Section 4 of the Regulations sets out the pieces of information that a bank may require of an individual requesting a retail deposit account: specifically, two pieces of identification, as well as the name, date of birth, address and occupation of the individual. In addition, "if the bank requests," the individual shall
- consent to the bank's verifying whether any of the circumstances set out in subsection 3(1) apply to the individual, and to the bank's verifying the pieces of identification presented by the individual.
Issued September 12, 2003
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.
Application: Principle 4.3.2, emphasizing that the individual's knowledge is required as well as consent, states that organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which information will be used; for consent to be meaningful, purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.3 states that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes. Section 5.3 states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
The Commissioner deliberated as follows:
- With reference to both the "know your client" guidelines of the Basel Committee and the new Access to Basic Banking Regulations, the Commissioner determined that it was both reasonable and appropriate, as a matter of due diligence, and particularly given the bank's obligation to provide banking card services to any account holder, for a bank to collect and use limited personal information of deposit account applicants for the purposes of verifying the individual's identity and determining whether the individual has a history of illegal or fraudulent use of a personal deposit account. He thus deemed these purposes as legitimate in respect of Principle 4.3.3.
- However, he also determined that at the time of the complainant's inquiry, the bank did not make a practice of expressing these purposes in such terms, nor did it otherwise explain to him in a reasonably understandable manner, in accordance with Principle 4.3.2, why it required his consent to what it then termed a "credit report" and his permission to view his credit history. The bank could not, therefore, be said to have satisfied the condition of "explicitly specified" purposes under Principle 4.3.3.
- The Commissioner also determined that, despite the bank's subsequent representations to the contrary, the credit bureau verifications in question do involve a type of credit check, in that the verification system automatically checks the applicant's credit information to determine eligibility for an overdraft limit with the bank. While the Commissioner acknowledged that many customers do favour and seek credit facilities and willingly submit to credit checks in order to qualify for them, he believes it highly unlikely that any reasonable person would consider the bank's policy of mandatory credit checks appropriate in circumstances such as the complainant's, in which he was not seeking, and was willing to do without, credit facilities of any type. Furthermore, given the bank's ability and willingness to customize its account opening procedures in certain specific situations, the Commissioner considered it unreasonable for the bank to refuse to do likewise for individuals who simply do not wish to have a credit relationship with the bank and are willing to forgo any facility that would represent a credit risk to the bank.
- Thus, the Commissioner did not consider the bank's policy of mandatory credit checks even where credit is neither sought nor wanted to be a legitimate purpose under section 5(3) of the Act.
Therefore, the Commissioner found that the bank was in contravention of Principles 4.3.2 and 4.3.3 of Schedule 1, and section 5(3) of the Act.
The Commissioner concluded that the complaint was well-founded.
The Commissioner made the following recommendations:
- The bank should not make inquiries into an account applicant's eligibility for credit facilities unless it has determined that the applicant is interested in having such facilities.
- In cases where the applicant has expressed interest in obtaining credit facilities attached to a personal deposit account, the bank should obtain a separate consent to the collection of credit information (such as the number of credit bureau inquiries and a recommended overdraft limit).
- Except where consent has been granted for such credit inquiries, the bank should modify the software program used to confirm the account applicant's identity with the credit bureau, so as to remove the fields that report on the number of credit bureau inquiries within the last 60 days and the recommended overdraft limit.
- The bank should implement procedures whereby individuals who wish to open a personal deposit account without submitting to a credit check may do so by accepting risk-reducing conditions such as a hold period on deposited cheques.
- The bank should clarify, in the explanatory material accompanying its application form for deposit accounts, that the "verifications" in question are to be conducted through a credit reporting agency.