Bank improves its credit card account verification practices after challenge from customer

Early resolved case summary #10


Lessons Learned

  • Organizations should restrict their collection, use and disclosure of the Social Insurance Number (SIN) to legislated purposes. While some private sector organizations are required by law to request customers’ or employees’ SINs, the SIN should not be used as a general identifier. For further information, consult our guidance “Best Practices for the use of Social Insurance Numbers in the private sector”.

Complaint summary

An individual claimed that the bank that had issued her credit card was asking for part of her social insurance number (SIN) as part of the process to set up a “verified credit account” associated with the credit card. According to the individual, she required this type of account to make payments by credit card on certain commercial websites she had visited, and when she attempted to set up the account through the bank’s website, she had to provide the last six digits of her SIN as part of the login process.

She objected to the bank’s practice of collecting her partial SIN for identity verification, believing that it should be optional or that credit card holders needing a “verified credit card account” should be directed to an alternative method that does not require SIN information.

Since the individual was not satisfied with the bank’s response to her concerns, she turned to our Office for assistance.

The bank informed our Office that there was an alternative to logging onto its website with SIN information to set up the account. According to the bank, the individual also had the option of activating account verification directly from the commercial websites that required it, as these sites offer the verification through a secure web portal, which is also operated by the bank (i.e., not by the online merchant) but does not use SIN information as part of the process.

However, the complainant observed that this alternative was not mentioned or explained on the bank’s website, and clients would not know about this option unless they phoned the bank to find out about it. Nonetheless, the bank was firm in its assertion that it was not contravening PIPEDA by maintaining its practices.

Outcome

During our involvement with this complaint, our Office made public the results of another OPC investigation that was in some ways comparable (Footnote 1). In that investigation, we found that an organization had lacked transparency by not making readily available information about an authentication alternative that did not require an individual’s credit card information. When we brought this finding to the attention of the bank, it reconsidered its position and informed our Office and the complainant that it was discontinuing this type of authentication altogether and that it intended to change its website accordingly. Since the individual agreed that this satisfied her complaint, we considered the matter resolved. Our Office subsequently confirmed that the bank had modified its website.

February 2014