Bank improves credit card application process
PIPEDA Case Summary #2004-266
[Principles 4.3, 4.3.1, 4.3.7(d), 4.10.2; sections 8(3), 8(4)(a)(ii), 8(5), and Principle 4.9]
An individual made four complaints against a bank:
- that it collected and used her personal information to issue her a business credit card without her knowledge and consent;
- that it used her personal information without her knowledge and consent to run a personal credit check on her;
- that the bank denied her access to her personal information; and
- that the bank would not respond to her concerns and complaints about this matter.
Summary of Investigation
According to the complainant, in January 2002, her employer informed her that he had applied for a business credit card for himself and that he had asked for a supplementary card for the complainant for the purpose of paying for company-related items. The card, which she received at home, had on it both her name and that of the company she worked for. Since the card was for company use, she preferred to receive correspondence related to it at work. She called the bank to request an address change but could not access the account. She alleged that she was denied access to the account because, when she provided her Social Insurance Number and date of birth for identification purposes, the bank did not have the information on record to confirm her identity.
Shortly after receiving the card, the complainant's employer asked her to accompany him to the bank to obtain a cash advance on the business credit card. The complainant did so, and immediately deposited the full amount into the company's account. The same day, she wrote a cheque to her employer on the business account for the same amount.
In March, she received the first statement for the account at her home address. She called the bank again to request an address change, and this time was able to have her identity confirmed using her SIN and date of birth. The complainant stated that it was during this conversation that she first learned that she, and not her employer, was liable for charges on the card. She was also informed that her personal credit history had been checked prior to the card being issued.
Her employer refused to pay the full balance owing on the card, and the complainant eventually paid it off with her own money. In order to pursue legal action against her employer to recover the amount, the complainant wanted to obtain a copy of the form used to apply for the credit card to prove that it did not have her signature. She made numerous attempts by telephone to obtain the copy, as well as an explanation of the reason she was issued the card. She was first told that the application was lost, and then later that it was not lost but had been archived. When she still had not received a copy of the form, she complained to the Office.
On the same day that she filed her complaint with the Commissioner's Office, she filled out a personal information access request form at her branch of the bank in question. A few weeks later, the bank wrote to her stating that it needed an additional 30 days to process the request and quoted sub-paragraph 8(4)(a)(ii) of the Act. One month later, the bank wrote to the complainant, informing her that no application for the business credit card existed and that an on-line submission had been made in person at a branch of the bank that had since closed.
The bank provided her with a copy of this submission, which does not show who applied for the card. According to the bank, its process at the time allowed for cards to be issued based on an electronic submission by branch staff, which was automatically approved or declined. If a submission was approved, the card would be mailed directly to the customer. The bank has since amended its procedures to include a paper-based application form, which must be signed. The bank then retains the forms. The Office confirmed that the application in place at the time did not require a signature.
The bank disputed the complainant's claim that her employer applied for the card on her behalf, stating that the application and processing of the business credit card could only have occurred with the customer present to provide the required personal information. Branch staff would then have authenticated the identity of the applicant according to the bank's know your customer policy.
The on-line submission showed the complainant's home address, SIN and date of birth. The representative who processed this application could not remember the particular transaction, but did indicate that it would have been highly unusual for her to have collected an individual's personal information from a third party. Moreover, as the complainant had been a customer (of a bank that the respondent bank later merged with) since 1994, this information was already on file.
According to the bank, when credit card applications are processed at a branch, a report is sent to the bank's credit card arm with the applicant's information in order to set up the account and issue a card. In this case, the SIN and date of birth were both included in this report and entered on the credit card arm's systems when the account was established.
As for consent, when the bank sent the complainant her card, it also forwarded a cardholder agreement that outlined the terms and conditions of the card. The agreement noted that signing or using the card confirmed the agreement between the cardholder and the bank. The complainant stated that she had not read the agreement because she believed her employer when he told her that she was not liable for charges on the card and that it was a "supplementary" card to the business. This was not, however, the case. The card was a business credit card issued in the complainant's name, which appeared on the card. She was thus liable for all charges and payments, which would affect her credit history and not that of the business.
The complainant had also alleged that the bank had done a credit check on her without her consent for the purpose of issuing a credit card to her. In response, the bank provided a copy of a consent agreement that the complainant had signed in 1994 when she opened an account with the bank that the respondent bank later merged with. This agreement allowed the bank to use the customer's personal information to run credit check when he/she applied for a credit product. The respondent bank also uses a similar service agreement but has since updated its policies regarding consent for all credit checks. Customers must now sign a full credit application that includes consent for credit checks when applying for credit products, regardless of whether the customer has signed a service agreement or not.
Finally, with respect to the assistance the complainant received, the bank's records showed that she contacted it in September and November 2002. In January 2003, she brought her concerns to the bank's ombudsman's office, which referred her file to the credit card arm of the bank for resolution. According to the bank, it was working to address her concerns and that it was providing her with regular updates on the status of its investigation.
Issued April 16, 2004
Application: Principle 4.3 stipulates that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate; Principle 4.3.1 notes that an organization will typically seek consent for the use or disclosure of the information at the time of collection; Principle 4.3.7(d) states that individuals can give consent in many ways, including at the time that individuals use a product or service; and Principle 4.10.2 stipulates that organizations must put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information. The complaint procedures should be easily accessible and simple to use.
Subsection 8(3) establishes that an organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request; sub-paragraph 8(4)(a)(ii) allows an organization to extend the time limit for a maximum of thirty days if the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet; subsection 8(5) states that if the organization fails to respond within the time limit, the organization is deemed to have refused the request; and Principle 4.9 states that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.
With respect to the complaints that her personal information had been collected and used without the complainant's consent, the Assistant Privacy Commissioner deliberated as follows:
- While the investigation was able to establish that the application was made in person, it was not possible to determine the identity of the individual making the application.
- Given this, the Assistant Commissioner could not find the bank in contravention of Principle 4.3.
- Principle 4.3.7(d) states that consent can take many forms, one of which includes the use of the product. As the complainant used the card, the Assistant Commissioner could only conclude that she agreed to have it.
- The Assistant Commissioner was pleased, however, that the bank had since changed its practice and now requires the customer's signature on all credit card applications, thus eliminating the possibility of a situation such as the one the complainant described.
With respect to the allegation that the bank used the complainant's personal information to conduct a credit check without her knowledge and consent as part of the credit card application process, the Assistant Commissioner deliberated as follows:
- Although the complainant had signed a consent agreement in 1994, giving the bank consent to conduct a credit check anytime she applied for a credit product, the Assistant Commissioner noted that our Office has stressed in previous deliberations on consent that the fact and purposes of a collection or disclosure must be brought to the individual's attention at the time of the collection or disclosure.
- The bank cannot, therefore, rely on such a form of consent, obtained eight years earlier by a different bank to open a personal account, to justify conducting a credit check to process the business credit card application.
- While the bank did not meet its obligations under Principles 4.3 and 4.3.1, the Assistant Commissioner was pleased that the bank has since changed its practice and now requires all credit card applicants to sign an application form that includes consent to a credit check.
The Assistant Commissioner concluded that, with respect to this use allegation, the complaint was well-founded.
Regarding the access complaint, the Assistant Commissioner noted that:
- The complainant had made several attempts to obtain a copy of the application from September 2002 onwards. She made a formal written request in early April 2003, which the bank responded to three weeks later, invoking a thirty-day extension, citing sub-paragraph 8(4)(a)(ii). One month later, she received the information she was seeking.
- The extension cited by the bank was not valid as no consultations were undertaken to find the information she had requested. Indeed, the bank had already begun searching for the document months prior to the formal written request.
- The Assistant Commissioner did not agree that the time extension applied and therefore determined that the bank had exceeded the thirty-day time limit stipulated under subsection 8(3), was deemed to have refused the request under subsection 8(5), and was therefore in contravention of Principle 4.9.
However, as the complainant received the information she was looking for, the Assistant Commissioner concluded that the access complaint was resolved.
As for how the bank deals with complaints regarding its handling of personal information, the Assistant Commissioner noted that at the same time the complainant was trying to obtain a copy of the application form, she was also requesting an explanation of how the bank had come to issue her a business credit card, allegedly without her knowledge and consent. When the bank did not respond to her inquiry for seven months, she complained to the Office. As the Assistant Commissioner noted, it was only as a result of the Office's involvement that the bank offered the complainant an explanation of the circumstances surrounding the issuance of the card. She therefore found that the bank did not meet its obligations as outlined in Principle 4.10.2.
The Assistant Commissioner concluded that the compliance complaint was well-founded.
- Date modified: