Consumer Issues in the Financial Services Sector
Standing Senate Committee on Banking, Trade and Commerce
February 16, 2005
Opening statement by Heather Black
Assistant Privacy Commissioner of Canada
(CHECK AGAINST DELIVERY)
Thank you for inviting us to comment on consumer issues related to the financial services sector.
My comments today will focus on the application of the Personal Information Protection and Electronic Documents Act (PIPEDA) to the banking sector.
PIPEDA has applied to banks, and other federally regulated industries such as telecommunications and airlines, since January 1, 2001, when the Act came into force.
Specifically, the Office of the Privacy Commissioner has jurisdiction over some 50 banks as listed in schedules 1 and 2 of the federal Bank Act.
Since January 1, 2004, PIPEDA has applied to other financial institutions such as trust companies, insurance companies and credit unions operating in provinces that do not have "substantially similar legislation". In those provinces that have substantially similar legislation — Quebec, Alberta and British Columbia — provincial personal information protection legislation applies.
My comments will focus on banks because, as I will explain in a moment, we have more experience with banks than with other financial institutions.
Banks operate in a complex regulatory environment subject to a number of legal requirements that impact on their personal information practices. Banks are also expected to comply with international "know your customer" obligations such as those issued by the Basel Committee on Banking Supervision. To date, we are only one of several bodies with oversight responsibility with respect to financial institutions.
We are often required to take these competing requirements into account when dealing with banks. For example, we recently dealt with some complaints about a bank that sent a form letter to its customers asking them to indicate whether they were U.S. citizens. As it turned out, due to a change in ownership structure, the bank is now classified as a "controlled foreign corporation" for the purposes of U.S. income tax law. As a result, the interest income earned on personal deposit accounts of account holders who are known or presumed to be U.S. citizens is required to be reported to the U.S. Internal Revenue Service.
Since PIPEDA came into force, we have received more complaints about the banking sector than about any other industry sector. In 2002, 42 per cent of our PIPEDA complaints were against banks; in 2003, the percentage dropped slightly to 37 per cent. In 2004, complaints about banks continued to lead the pack even though the scope of the Act expanded to include a wide variety of other industries.
On the whole, Canadian banks are privacy sensitive and they have a long history of protecting personal information. The relatively large number of complaints reflects the ubiquitous nature of banks — almost every Canadian has a bank account and many Canadians have bank-issued credit cards and mortgages or other types of bank loans. As well, the volume of complaints suggests that Canadians share our view that personal financial information is sensitive and deserves to be treated with care.
Many of these complaints involved what might be called one-off problems — a careless or overzealous employee disclosing information without consent or using personal information without consent — as opposed to systemic problems involving bank policy.
Perhaps the best way to give you a sense of how the Act applies to banks and how we deal with complaints is to discuss briefly two systemic issues that have arisen in the banking sector and to explain how they were resolved.
We have received two complaints from individuals that a bank demanded, as a condition of opening a new deposit account, that they submit to credit checks even though they were not seeking credit. On the surface, this raised questions about the bank's compliance with PIPEDA, which prohibits organizations from collecting more personal information than necessary.
Although the bank claimed that it only used the credit bureau information to verify identity and check fraud-related databases, we determined that the system being used did inquire into the individuals' actual credit information.
In conducting our investigation, we consulted a report entitled "Customer due diligence for banks," issued by the Basel Committee on Banking Supervision and the Access to Basic Banking Regulations issued under the Bank Act, that became law on September 30, 2003.
The Commissioner concluded that the complaints were well-founded. We recommended that the bank should not make inquiries into an applicant's eligibility for credit unless the applicant is interested in having access to credit.
We acknowledged that banks have an obligation to mitigate the risk of fraud and we recommended that the bank implement procedures whereby individuals who wish to open a personal deposit account without submitting to a credit check may do so by accepting risk-reducing conditions such as a hold period on deposited cheques.
I want to discuss these complaints because our findings helped establish the principle that individuals can open "plain vanilla" accounts by providing a minimal amount of personal information.
We have also investigated complaints about banks taping telephone calls with their customers. This is a common practice. We rejected the position taken by one bank that only one party had to consent to calls being recorded, in this case the bank customer service agent. We did agree that it is appropriate that information exchanged during a business conversation should be recorded in some way, both to protect the organization and the individual. However, the reasonable expectations of the customer should also be considered, and most individuals would want to know beforehand that their call is going to be taped.
In these cases, the banks clearly did not meet these expectations and did not have the individuals' consent to record the calls, thus contravening the consent principle of PIPEDA.
In order to help organizations comply with the Act, our Office developed "best practices" guidelines for recording customer telephone calls. The guidelines state that conversations should not be taped unless it is for a purpose that a reasonable person would consider appropriate in the circumstances and that the customer must be informed of the purpose for taping the call and must consent, except in certain limited cases where consent is not required, before the taping begins. We also recommend that customers should be offered an alternative, such as visiting a retail outlet, writing a letter, or conducting the transaction over the Internet.
The banks in question are now complying with these best practice guidelines.
I have used these two examples, because they illustrate how we have used PIPEDA to convince banks to change their business practices to become more protective of personal information.
I would like to thank this Committee for the opportunity to appear. Thank you very much for your time today.
I would be pleased to take your questions.