Bank improves consent procedures for credit bureau inquiries

PIPEDA Case Summary #2003-246

[Principle 4.3, Schedule 1]

Complaint

An individual complained that a bank performed a credit check on him without his consent while he was in the process of completing a mortgage application.

Summary of Investigation

An individual asked a bank if it could match a mortgage rate quoted to him by another branch of the same bank. The financial representative stated that he would first have to complete a mortgage application and the individual agreed. When the representative accessed the individual's profile, he noted that there was a signed financial agreement on file with a subsidiary of the bank. This agreement, signed two years previously, stated that the subsidiary could collect and disclose personal information to other lenders and credit bureaus. The representative proceeded to do a quick credit check without informing or obtaining the consent of the individual.

When the branch manager subsequently informed the complainant that a credit check had been done and that the bank could not match the mortgage rate, he expressed his concern and asked that all information about him, including the credit bureau inquiry, be deleted from his file and that a letter be sent to him confirming this. After some time had elapsed without a response, the individual eventually spoke to a customer care representative, who informed him that the bank had been entitled to do a credit check by virtue of the old financial agreement on file. The individual was concerned since he had closed his former account a year earlier and he felt that, in any case, the bank's subsidiary was a separate legal entity and any agreement signed with it should not apply to a transaction with the bank itself.

The customer care representative subsequently wrote to the individual to confirm that all of his personal information had been removed from the bank's files. He also noted that, as a gesture of goodwill, he had contacted the credit bureau to have the inquiry removed from its report, only to discover that the bureau had no record of this inquiry.

The bank admitted that rather than relying on the old financial agreement with its subsidiary, it should have taken a full credit application and obtained the individual's written consent prior to conducting the credit bureau inquiry. It further stated that, as a result of this incident and others, it had issued a circular to its employees reminding them of the bank's policy and procedures regarding customer consent and credit bureau inquiries.

Findings

Issued December 4, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking or business. The Assistant Privacy Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

The Assistant Commissioner deliberated as follows:

• In this Office's previous deliberations on matters of consent, it has been stressed that the fact and purposes of a collection or disclosure of personal information must be brought to the individual's attention at the time of the collection or disclosure.
• It was, however, clear that the bank representative did not inform the individual of or seek his consent to the quick credit check, even though the individual was present at the time.
• Moreover, while the financial agreement that the individual had signed with the bank's subsidiary gave his consent to it disclosing his information to other lenders and credit bureaus, such a broad consent clause, signed two years previously with a bank subsidiary that operates as a separate and distinct legal entity, and relating to an account that had been closed, did not justify the collection and disclosure of the individual's personal information for the credit inquiry.

The Assistant Commissioner found, therefore, that the bank did not meet its obligation under Principle 4.3.

• Nevertheless, the Assistant Commissioner was pleased that the bank admitted its error and took immediate steps to prevent a recurrence by issuing a circular to remind employees of its policy and procedures regarding credit bureau inquiries and customer consent.
• The bank also wrote to the individual to confirm that all of the information relating to his mortgage application had been removed from the system and that the credit inquiry did not appear on the credit bureau report.
• The individual indicated that he was satisfied with the bank's action in this regard.

The Assistant Commissioner concluded that the complaint was resolved.