A credit union in Ontario should have obtained consent for credit check on spouse

PIPEDA Report of Findings #2011-004

An individual complained that a credit union had collected his personal information during what he alleged was a misleading credit application process. He also alleged that his personal information was kept without consent and that the credit union refused to destroy that information. Finally, he complained that the organization had conducted a credit check on his spouse without consent and had improperly used and disclosed the information acquired.

Our Office found that the respondent did make it clear to the complainant what personal information was required for the application process. We also found that the credit union’s legal obligations required that it retain the complainant’s personal information for seven years.

However, the investigation raised concerns about the collection of information about the complainant’s spouse. Although the complainant’s spouse was named on the application form, she had not provided consent for a credit check.

Our Office recommended that the credit union revise its processes to ensure that consent is obtained from each customer applying for credit before obtaining a joint credit bureau report.

Our Office concluded the complaints relating to both collection and consent with regard to the complainant’s personal information were not well-founded. The complaints relating to consent to the collection of his spouse’s personal information and the use and disclosure of her information were well-founded and resolved.

Complaints under the Personal Information Protection and Electronic Documents Act (“PIPEDA”)

Summary of the complaints:

1. The complainant alleges that the respondent credit union:

1. collected his personal information in a misleading credit application process;
2. retained his personal information without consent and refused to destroy the personal information collected in the application process;
3. completed a check on the credit bureau of his spouse without consent; and,
4. improperly used and disclosed personal information acquired during the application process.

The complainant’s spouse provided consent allowing the complainant to handle her complaint on her behalf.

Summary of Investigation:

2. In November 2009, the complainant approached the respondent about opening a new secured line of credit for $250,000, to be secured against his home (the “matrimonial” home) and for personal purposes only. The secured line of credit was required for renovations on his home. The complainant is a small business owner (in operation continuously since 2003). He is a consultant and his business is not incorporated. When the complainant inquired about the secured line of credit application, and as he was self employed, he was advised that he would be required to provide three Notices of Assessment (NOAs) to verify his income.

3. On November 25, 2009, the complainant completed and signed an application form for the secured line of credit. He was named as the sole applicant. His spouse was shown on the application form as his spouse. She did not sign the application form, nor was she named as a co-applicant of the loan.

4. The complainant states that the respondent requested that his spouse be included on the application form as she would have to sign the final loan documents.

5. On November 25, 2009, the complainant faxed his signed one-page application and copies of three of his most recent NOAs to the respondent. On November 26, 2009, he faxed the respondent additional documents to support his application, including proof of property insurance, a record of the property taxes paid and the MPAC property valuation.

6. On December 9, 2009, the complainant inquired on the status of his application. He was told by the respondent’s branch manager that self employed applicants were required to submit financial statements of their business activities. He would be required to provide three years of his business’ financial statements for the secured line of credit to proceed.

7. This was of concern to the complainant. It was the first time that the respondent had informed him of their requirement to submit three years of financial statements for his business, in order to have his personal secured line of credit application considered by the organization. The complainant notified this Office on May 27, 2011, that it was his understanding that the term “financial statements” meant whatever financial statements he maintained “for my business, including Income Statements (which includes business income and expenses), Balance Sheet, Capital Expenditures, etc.”

8. The request for the financial statements was not acceptable to the complainant. He approached the branch on December 10, 2009 and requested an exemption from the respondent’s “Statement of Business Activities requirements”. The branch agreed to submit the exemption request. According to the complainant, the respondent advised him that the respondent “would modify their reporting requirement: but they would insist on having an opportunity to see my business tax filings”. It was the complainant’s understanding that the respondent required him to submit the Canada Revenue Agency Form entitled “Statement of Business and Professional Activities”. The Form lists business income and expenses for self-employed individuals. The respondent would not retain copies but would study the business tax filings and record key figures.

9. This was not acceptable to the complainant. On December 15, 2009, he sent a letter to the respondent with instructions withdrawing his application for the secured line of credit and his consent to the use of his personal information. He requested that the respondent destroy all the personal information collected in the secured line of credit application process.

10. The respondent maintains that following a review of the complainant’s application, the complex nature of the application and the fact that the complainant was self employed, the complainant was advised that financial statements pertaining to his business activities would be required.

11. The respondent maintains that during the adjudication of a loan, it is common to request additional financial information from an applicant. In an e-mail dated May 27, 2011, the respondent stated that financial statements in the circumstances of this complaint meant all of the tax filings relating to the complainant’s business activities for three years.

12. On May 30, 2011, the respondent explained that the reason that the NOAs were not acceptable to verify the complainant’s income is that:

“…the NOA gives you only one number. It does not confirm how the number was achieved. We would be interested in learning whether the income was legitimately earned and whether the method was sustainable and in keeping with the applicant’s story. We need to be sure the applicant can repay the loan. We are also responsible for ensuring our applicants are not money laundering”.

13. The respondent provided a copy of their Credit User Policy Manual. They referred to Section 1.03 on Income Verification to support the fact that financial statements are required if an applicant is self employed. Section 1.03states:

Income confirmation must be provided to confirm proper GDS/TDS calculations. If income cannot be readily obtained or income is estimated, exceptions must be properly explained in credit write up and forwarded to the SVP.

New Members and High Ratio deals will require two of the following types of verification for residential mortgages (most recent):

Notice of Assessment, T4s, Employment Letter (verified as bona-fide), Pay Stubs (few months worth), Financial Statements if self employed (two years at least).

Ensure to request the Notice of Assessments more often whenever possible. A copy of the Tax Returns alone is not sufficient. New member account applications should be reviewed more diligently also.

We will consider “Stated Income Loans” with LTV up to 50% if the proven income exceeds our DSR’s. Verbally request their income and calculate the ratio two ways. Confirmed income and then Stated Income (income told versus what can be proved). This can be approved within discretionary limits. LTV’s over 50% and up to 60% refer the application to Head Office. Borrower Income Form is to be considered completed and confirm status of company through the internet Canada 411 or business registration.

14. In correspondence dated March 18, 2011, the respondent indicated that whether they had this policy or not, the Senior Vice President, Credit, has the “prerogative to ask for whatever he wants from the applicant, considering it is our money the applicant is asking to borrow. If the applicant declines to provide adequate/satisfactory information, the applicant can then walk away from the transaction”, as occurred here.

15. Following the withdrawal of the complainant’s secured line of credit application, the respondent did not collect any further personal information from the complainant. They advised the complainant they would destroy the personal information collected, except for the front page of the secured line of credit application form and the complainant’s credit report.

16. The respondent initially stated that the retained information was required by virtue of their agreement with Equifax. This agreement requires the respondent to comply with all credit-reporting laws. The Ontario Consumer Reporting Act 1990, chapter 33, section 8 requires the respondent to prove consent and also retain information for auditing purposes.

17. Although the respondent referred to chapter 33, section 8 of the Ontario Consumer Reporting Act 1990 c.33 as requiring it to prove consent to obtain a consumer report from a credit bureau, the relevant section seems to be section 10(2). This section requires every person who requests a consumer report to provide notice of this fact to the consumer. The respondent stated that the only way to prove consent was to retain the front of the complainant’s application form, which identifies him and confirms his authorization to obtain the credit report.

18. On May 31, 2010, the complainant filed a formal complaint with the Financial Services Commission of Ontario (“FSCO”). He alleged that the respondent contravened PIPEDA when it collected, used and retained his personal information in the application process for the secured line of credit, and failed to comply with the record keeping requirements under the Credit Unions and Caisses Populaires Act, 1994 of Ontario (the “Caisses Populaires Act”). On January 13, 2011, FSCO advised the complainant and respondent that the respondent had followed the requirements for record-keeping and it found no contravention of the Caisses Populaires Act.

19. The respondent forwarded a copy of its submission to FSCO to this Office. In the submission, it stated that as the complainant filed a formal complaint, the respondent was now required under Ontario Regulation 237/09 made under the Caisses Populaires Act, Part VI, section 116(5), to "keep a copy of every complaint it receives, every response it issues and any other document that relates to the complaint for six years from the date of the complaint and shall make them available if requested to do so by the Superintendent”.

20. Notwithstanding the specific obligations for record-keeping in section 116(5) of Ontario Regulation 237/09, the respondent confirmed to us that they are now only retaining the front page of the secured line of credit application and the front page of the complainant’s credit report.

21. When the complainant attended the branch to retrieve his documentation, he discovered that the respondent had performed a credit bureau check of his spouse on December 9, 2009, without obtaining her consent.

22. The respondent admitted relying on the consent of the complainant to proceed with a joint credit bureau check. The respondent stated that “the credit bureau report was obtained on the basis of spousal support due to the fact that [the complainant’s spouse] would be signing on the loan”. Further, they stated in their letter of submission to FSCO that the credit bureau report was obtained on the strength of the complainant’s signed authorization to a joint credit bureau report.

23. On February 12, 2010, the complainant and respondent exchanged e-mails concerning the destruction of the complainant’s personal information. During this exchange of e-mails, the respondent’s Vice-President of Operations made reference to the fact that the complainant was a former employee of the federal government, in an attempt to explain that the respondent is subject to regulations. The complainant alleged that this was a misuse of his personal information as he had never provided this piece of information to the respondent. The respondent states that when the statement was made, their employee had the application form and credit report in front of him.

24. The respondent stated that their online privacy policy is adapted from the Credit Union Code. The respondent states that the respondent does not have policies or brochures to explain to applicants what is, or may be, required for a credit application, although they do have a privacy policy.

Complaint #1: – Misleading credit application process

Application:

25. In making our determinations, we applied Principles 4.2.3 and 4.3.2 of Schedule 1 of PIPEDA.

26. Principle 4.2.3 states the identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes.

27. Under Principle 4.3.2, organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

Findings:

July 22, 2011

Attempted Collection

28. The complainant was initially told to provide three years of NOAs for the secured line of credit application. During the application process he was asked to provide financial statements of his self employment business activities. On learning of the requirement for financial statements, the complainant sought an exemption and was then told he would be required to provide his tax filings of his business activities. The complainant objected to both requirements and withdrew his application. Although the respondent asked for financial statements or, alternatively, the complainant’s tax filings of his business activities (the CRA Statement of Business Activities), this information was never collected by them.

Identifying Purposes, Knowledge and Consent

29. Although the complainant did not know about this additional requirement when he inquired about the secured line of credit, the respondent eventually made clear to him the information it required for the application process.

30. Further, the Privacy Statement in the secured line of credit application signed by the complainant states that the purposes for which the respondent collects, uses and discloses personal information is to determine credit worthiness and to evaluate a customer’s credit standing.

31. The consent to a credit bureau report clause in the application form states that the respondent can obtain personal and credit information about the complainant from any source and use that information to determine his credit worthiness.

32. It is clear that the complainant understood that the additional information was being requested so that the respondent could evaluate his credit worthiness for an secured line of credit application, which is in accordance with the requirements of Principle 4.2.3 of Schedule 1. Further, the respondent did not attempt to collect any additional financial information from the applicant without the applicant’s knowledge or consent, as required by Principle 4.3.2.

33. While it would have been desirable for the respondent to have been clear up front about what types of information it requires from self-employed applicants, we are satisfied that the purposes for which the information was being requested was made clear to the applicant and that the complainant’s personal information was not collected without his consent.

Conclusion:

34. Accordingly, we conclude that the complaint is not well founded.

Complaint #2: - Retention of and refusal to destroy personal information when no longer needed

Application:

35. In making our determinations, we applied Principles 4.5 and 4.5.3 of Schedule 1 of PIPEDA.

36. Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected except with the consent of the individual or as required by law. Personal information shall be retained only for so long as necessary for the fulfilment of those purposes.

37. Principle 4.5.3 states that personal information that is no longer required to fulfil the identified purposes should be destroyed, erased or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.

Findings:

July 22, 2011

38. The complainant was advised by the respondent on February 4, 2010, that it had destroyed all of the information submitted in support of his application, other than the front page of the secured line of credit application and the credit report from Equifax. The respondent explained that it was retaining this information for seven years.

39. The respondent subsequently clarified its position. In a letter dated February 28, 2011, it stated that all of the personal information collected in respect of the complainant’s application had been destroyed except for the front page of the application and the front page of the credit report.

40. We are satisfied that the respondent must be able to identify the complainant and confirm his authorization to obtain a credit report, in order to show that it is in compliance with section 10(2) of the Ontario Consumer Reporting Act. Without these documents, it would be difficult for the respondent to demonstrate that it notified the complainant, before obtaining a credit report on him, as required by this section.

41. It should be noted that the “Credit Bureau and Privacy Approval” statement in the loan application expressly stated that one of the purposes that the respondent would collect, use and disclose personal information was to “comply with legal and regulatory requirements”. Accordingly, the respondent is retaining these two documents to allow it to fulfill its identified purposes, as required by Principle 4.5.

42. A secondary issue is the length of time the information is to be retained. The respondent has stated that it is required to retain the information for seven years. We note, however, that the limitation period for bringing a prosecution under the Consumer Reporting Act for failing to meet any of its requirements is two years (section 23(4)).

43. In its submissions to the FSCO, the respondent relied on the requirements of section 116(5) of Regulation 237/09 made under the Caisses Populaires Act. As noted above, section 116(5) requires the retention of “any…document that relates to the complaint”.

44. However, the respondent has confirmed that it destroyed all of the other information it had collected from the complainant. This would suggest that the respondent considered that section 116(5) was not applicable in the circumstances. Moreover, section 116(5) only requires that documents be retained for six years, not seven years.

45. In short, it would seem that the legal obligations cited by the respondent do not justify the retention of the complainant’s personal information for the full seven years that the respondent maintains is required.

Recommended Actions:

46. On June 24, 2011, this Office issued a preliminary report of investigation, in which we believed that the respondent was in compliance with PIPEDA. However, we concluded that the legal obligations cited by the respondent did not justify the retention of the complainant’s personal information for the full seven years.

47. In our preliminary report, we recommended that the respondent review the retention period for the complainant’s information, in light of the applicable legal requirements.

48. In response, the respondent referred to the provisions of section 230 (4) (b) of the Income Tax Act. The respondent stated that section 230 (4) (b) requires “all other records and books of account referred to in this section, together with every account and voucher necessary to verify the information contained therein, until the expiration of six years from the end of the last taxation year to which the records and books of account relate”. The respondent submitted that this means that a record created during the year 2001 has to be kept until the end of 2007 for a total of seven years.

49. Our Office is satisfied that the legal obligation cited by the respondent for the retention of the complaint’s personal information for a period of seven years is reasonable.

Conclusion:

50. Accordingly, we conclude that the complaint is not well founded.

Complaint #3: - Consent to a Credit Bureau check

Application:

51. In making our determinations, we applied Principle 4.3 of Schedule 1 of the Act.

52. Principle 4.3 providesthat the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Findings:

July 22, 2011

53. The respondent, in obtaining a credit bureau report relating to the complainant’s spouse, is not in compliance with Principle 4.3 of Schedule 1 of PIPEDA.

54. The secured line of credit application form includes the following consent clause entitled “Credit Bureau Approval and Privacy Statement”:

“I AUTHORIZE [the respondent] TO OBTAIN PERSONAL AND CREDIT INFORMATION ABOUT ME FROM ANY SOURCE. I hereby certify all information is true and correct. I have no undisclosed financial obligations and acknowledge the foregoing will be used to determine my creditworthiness...

I/We consent to the collection, disclosure and processing of information about me by [the respondent] and its affiliates and their respective agents and service providers for purposes set out under Use of Personal Information; and to the sharing or exchange of reports and information with credit reporting agencies, credit bureaus and/or any other person, corporation, firm or enterprise with whom I have or propose to have a financial relationship in addition to the uses noted below:

• Information can be used to supply promotional materials and solicitation for [the respondent’s] Products
• Information can be provided to affiliates to supply promotional materials and solicitation for other products.

Uses of Personal Information:

We ([the respondent], its affiliates, and their respective agents and service providers) collect, disclose use and process personal information about you; (a) to consider [initialing] and to initiate, maintain, and develop our relationship with you in connection with our offering products and services generally, including helping us to understand the current and future needs of our members and to otherwise analyse and manage our business, (b) to administer accounting services and security measures in relation to your business with us; (c) (i) to monitor your banking history and (ii) to evaluate your credit standing; if you provide your Social Insurance Number, we will use it to match your credit bureau reporting agency information and (d) to comply with legal and regulatory requirements and (e) to promote and market products and services offered by (I) [the respondent] or (II) or its affiliates including by means of direct marketing.

For further information about [the respondent’s] privacy code or to refuse or withdraw your consent under (e) (I) or (II) at any time, call [the respondent’s phone number] or your local ... branch.”

55. The investigation revealed that although named as spouse on the secured line of credit application form, no consent to the credit bureau check was acquired by the respondent from the complainant’s spouse, either in the form of a signature on the secured line of credit application form, or in a separate consent form.

56. Further, the respondent agreed that they relied on the consent of the complainant to proceed with the credit bureau check for his spouse. The respondent admitted in a letter filed with FSCO that on the strength of the signed authorization from the complainant, “a joint credit bureau check was obtained”. By failing to obtain the consent of the complainant’s spouse, the respondent acted contrary to Principle 4.3 of Schedule 1 of PIPEDA.

Recommended Actions:

57. On June 24, 2011, this Office issued a preliminary report of investigation, in which we believed that the respondent was not in compliance with the Act.

58. In our preliminary report, we recommended that the respondent revise its business processes, to ensure that consent is obtained from each consumer applying for credit, before obtaining a joint credit bureau report.

59. In response to our recommendation, the respondent advised that their policy stipulates that written consent is to be obtained prior to obtaining a joint credit bureau report. They confirmed that they reinforced their procedure manual to make obtaining consent from both consumers a mandatory requirement before a joint credit bureau report is obtained.

Conclusion:

60. Accordingly, we conclude that this complaint is well founded and resolved.

Complaint #4 – Use and disclosure of the fact that the complainant previously worked for the Federal Government

Application:

61. In making our determinations, we applied Principle 4.5 of Schedule 1 of PIPEDA.

62. Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected except with the consent of the individual or as required by law.

Findings:

July 22, 2011

63. The evidence provided by the complainant of improper use or disclosure of his personal information is with regard to the reference made by the respondent to the fact that that the complainant was a former federal government employee. In an exchange of e-mails between the complainant and the respondent, an employee of the respondent stated this in an attempt to explain to the complainant that the respondent is subject to regulatory obligations. The complainant alleges that he did not provide this information and this is a misuse of his personal information.

64. The respondent indicates that at the time of this communication, the respondent’s employee had the credit application and credit report in front of him and the complainant’s status as a former federal government employee was therefore visible. The respondent states that no other comment was made or information used by its employee.

65. The term “use” in PIPEDA has a broad meaning. When the employee referred to the fact that the complainant was a former government employee, this was done in a broader context of the respondent’s attempt to justify its practices to the complainant. Hence, this constitutes a “use” of personal information for the purposes of PIPEDA. Furthermore, this use goes beyond the purposes for which the respondent obtained the complainant’s credit report. It was therefore in contravention of Principle 4.5 of Schedule 1.

66. The investigation does not support the allegation of any improper disclosure of the complainant’s personal information. The fact that the complainant was a former government employee was not disclosed to anyone other than the complainant himself.

Recommended Actions:

67. On June 24, 2011, this Office issued a preliminary report of investigation, in which we believed that the respondent was not in compliance with the Act.

68. In our preliminary report, we recommended that the respondent implement procedures to ensure it does not misuse personal information contained in a credit report in the future.

69. The respondent confirmed that it would comply with our recommendation by reinforcing the statement in their privacy policy to ensure that its employees do not misuse personal information contained in a credit report. Specifically, that the collection of personal information shall be limited to that which is necessary for the purposes identified by the credit union and that personal information is not to be used or disclosed for purposes other than those for which it was collected.

70. Our Office is satisfied that, once fully implemented, the respondent’s reinforcement of its privacy policy will address the privacy issue underscoring our recommendation.

Conclusion:

71. Accordingly, we conclude the complaint pertaining to the misuse of personal information, is well founded and resolved. The complaint regarding the disclosure of personal information is not well founded.

Follow Up:

72. As evidence of our Office’s continuing intention to follow-up on this matter, we request that the respondent provide this office with written confirmation that it has made the changes it committed to in paragraph 69 above, within six months of the date of this Report.

Other:

73. We note that one of the complainant’s main concerns is that he feels he was misled by the respondent as to the requirements for a loan application. The respondent identified the purpose for which it was collecting the complainant’s personal information, but it did not specify the types of information it required from loan applicants at the outset of the application process. While we have concluded that this is not a violation of PIPEDAin the circumstances, we would strongly encourage the respondent to provide clearer information up front as to what types of information it may request from loan applicants. The respondent already has an internal policy that discusses what types of information it requires, and we see no reason why this information could not be made available to potential customers.

74. With respect to the respondent’s requirement that self-employed applicants, such as the complainant, submit financial statements or tax filings for their business, we are concerned that this information, in addition to NOAs, is not required to meet the respondent’s purposes. Although the complainant has not raised this issue directly, it is not clear to us why NOAs covering a multi-year period, which show, among other things, taxable income for those years, is not sufficient to assess the credit worthiness of a self-employed applicant.

75. It seems to us that the financial statements or business tax filings could contain much more personal information related to income and expenses than would be necessary for the respondent to meet its obligations as a prudent lender. The respondent states that it is interested in assessing the sustainability of the income, but has not explained fully why obtaining NOAs for multiple years is insufficient for this purpose. The respondent has also made general statements that it is required to assess whether the income is legitimately earned and to detect money-laundering, but it has not specified the regulatory obligations which would require it to obtain business financial statements or business tax filings from self-employed applicants. Nor has it demonstrated how this information would help it achieve these purposes. We would therefore encourage the respondent to reconsider requiring self-employed applicants for personal loans to submit financial statements or business tax filings.