Thief cashes convenience cheque on cancelled credit card account
PIPEDA Case Summary #2005-299
(Principles 4.6.1, 4.7, and 4.7.1 of Schedule 1)
Complaint
An individual alleged that a bank had failed to safeguard his personal information, which resulted in a third party fraudulently cashing a convenience cheque in his name.
Summary of Investigation
The complainant was a victim of fraud, when his mail was stolen from his apartment building. Among the items taken was his credit card account statement, which, unbeknownst to the complainant, contained unsolicited personalized convenience cheques. Shortly afterward, the thief forged a $900 cheque in the complainant's name, and cashed it.
The day before the forged cheque was cashed, the complainant had notified the bank that mail had been stolen from his building. He cancelled his credit card and requested a replacement. At the same time, he asked for a copy of his statement since he had not yet received it.
A few weeks later, he contacted the bank because he noticed a $900 charge on his new account. The charge occurred when a convenience cheque carrying his old account number was cashed. While the call centre representative to whom he spoke noted on his file that the charge was in dispute, the representative failed to note that it was a fraud case.
For the next six months, the bank continued to bill the complainant for the $900 plus interest on his new account. Only after several interventions on his part, including telephone calls and letters, did the bank reverse the charges and record the case as one of fraud. The complainant eventually cancelled this second credit card account as well, over the way the bank had handled the case. He nevertheless continued to receive marketing materials bearing the new account number, including convenience cheques.
The bank stated that its authorization system initially rejected the forged cheque because it was related to a card that had been reported as stolen. A routine second review of the rejected item was carried out by a bank representative in its authorization department. The representative approved the cheque transaction and processed it on the complainant's replacement card. The notes on the complainant's file indicated that a statement was missing, but there was no reference to the statement containing convenience cheques. The representative approved the cheque in the interests of customer service.
The bank confirmed that the complainant had told it that he did not cash the convenience cheque. The representative to whom he spoke did not note, however, that the cheque was stolen and fraudulently cashed. Several months later, the bank sent the complainant a copy of the cancelled cheque. In response, he phoned the bank's fraud department; however, he was forwarded to the customer service department because the letter he received originated from that area.
Following a letter from the complainant to the bank, the bank agreed that this was a case of fraud. It reversed the charges, credited his account and sent him a letter of apology.
During the course of the investigation, other concerns were raised regarding two of the bank's practices: mailing unsolicited personalized convenience cheques to cardholders, and allowing telephone access to a credit card account on the strength of the account number alone.
The bank's convenience cheques are considered a marketing product. The cheques include the account holder's name, address and account number. They are sent by mail to card members as part of various promotions (up to four times a year) or at a customer's request. The credit card application form contains a consent provision allowing the bank to use personal information "to promote and to market products and services offered by us, selected merchants that accept the Card, or other well established companies, including by means of direct marketing." A card member may opt out of receiving marketing materials at any time, which is stated on the form. The application does not specifically mention the convenience cheques.
Our Office could not confirm whether the complainant was initially aware that the bank provides convenience cheques to its customers. He did, however, opt out of receiving the cheques once he was made aware of the stolen cheques. In his case, he received additional cheques, with his second account number printed on them, after he had closed his second account. Both the bank and the complainant confirmed that he is no longer receiving any marketing materials, including convenience cheques.
As for telephone access to account information, the complainant was concerned that the bank provides account information, such as balance, minimum payment required, last payment received, amount of last payment, and available balance, to anyone who provides the bank with an account number when using its telephone service. Although the complainant stated that he could get access to account information without a personal security code, he acknowledged that he had never tested the system by programming his home telephone number into a cellular phone (that is, by spoofing the caller ID). He believed that even if the information was only available when calling from the home telephone number on file, the bank's system was not secure.
The bank stated that information is not provided solely on the basis of the account number. The bank uses a telephone interactive voice response (IVR) system that may be accessed through the regular customer service telephone numbers. At the time of the complaint, the bank used the following IVR verification methods.
Previous IVR Verification Methods:
- A match between the telephone number of an incoming call and the telephone number on the customer's file was adequate without a password.
- There was no match, but the customer had a password. Further verification was needed, such as year of birth followed by a series of random questions.
- Match or no match, if a customer had a password, he/she was required to provide it. Customers were given the option of providing their own passwords at the outset. This was done by registering for the password online or by telephoning customer service and providing a password to a representative. A customer card could not be activated until a password was provided. Instructions concerning a password were provided on a recorded message.
Current IVR Verification Methods:
- Match or no match, if the customer does not remember his or her password, he/she is required to provide the year of birth plus answer a series of random questions.
- Match or no match, if the customer remembers his or her password, he/she is required to provide it. The password is chosen as described in the last bullet of the previous verification procedures.
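To make the difference between the two procedures concrete, the following Python model is an added illustration and not the bank's code or anything from the case file. The customer record, field names, knowledge questions and phone numbers are constructed for the example, and the earlier bullets are read together as: a customer who had set a password had to give it; otherwise a caller-ID match was accepted on its own; otherwise year of birth plus random questions. The security point it demonstrates is the one the complainant raised: the caller ID (ANI) is asserted by the caller's equipment and can be spoofed, so the earlier policy's first rule let anyone who knew the account number and the home telephone number in, while the later policy never treats the caller ID as sufficient.

```python
"""Model of the earlier and later IVR caller-verification policies.

Added illustration, not the bank's system. All records below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
import hashlib
import hmac
import os
import random


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2 for the optional IVR password (storage scheme is an assumption)."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_ok(stored: bytes, given: str) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", given.encode(), salt, 100_000)
    return hmac.compare_digest(digest, candidate)


@dataclass
class Customer:
    account: str
    phone_on_file: str
    year_of_birth: int
    answers: Dict[str, str]                 # question -> expected answer on file
    password_hash: Optional[bytes] = None   # None if the customer never set one


@dataclass
class Call:
    account: str
    ani: str                                # caller ID as presented by the network; spoofable
    password: Optional[str] = None
    year_of_birth: Optional[int] = None
    answers: Dict[str, str] = field(default_factory=dict)


Policy = Callable[[Customer, Call, random.Random], bool]


def knowledge_check(cust: Customer, call: Call, rng: random.Random, n_questions: int = 2) -> bool:
    """Year of birth plus a random sample of the questions on file; every answer must match."""
    if call.year_of_birth != cust.year_of_birth:
        return False
    asked = rng.sample(sorted(cust.answers), k=min(n_questions, len(cust.answers)))
    return all(call.answers.get(q) == cust.answers[q] for q in asked)


def verify_previous(cust: Customer, call: Call, rng: random.Random) -> bool:
    """Earlier policy, as interpreted above."""
    if cust.password_hash is not None:      # password holders must always give it
        return call.password is not None and password_ok(cust.password_hash, call.password)
    if call.ani == cust.phone_on_file:      # the weak rule: caller ID alone is accepted
        return True
    return knowledge_check(cust, call, rng)


def verify_current(cust: Customer, call: Call, rng: random.Random) -> bool:
    """Later policy: caller ID never suffices; password if offered, else knowledge check."""
    if call.password is not None and cust.password_hash is not None:
        return password_ok(cust.password_hash, call.password)
    return knowledge_check(cust, call, rng)


# Constructed sample customers (not real data).
NO_PASSWORD = Customer("4520-0000-1111-2222", "416-555-0100", 1962,
                       {"city of birth": "Moncton", "first pet": "Rex", "first school": "Beaverbrook"})
WITH_PASSWORD = Customer("4520-0000-3333-4444", "416-555-0101", 1958,
                         {"city of birth": "Halifax", "first pet": "Tux"},
                         password_hash=hash_password("s3cret"))


def spoofed_caller_id_attempt(policy: Policy) -> bool:
    """Knows only the account number; presents the home number as caller ID."""
    call = Call(account=NO_PASSWORD.account, ani=NO_PASSWORD.phone_on_file)
    return policy(NO_PASSWORD, call, random.Random(1))


def legitimate_caller_from_other_phone(policy: Policy) -> bool:
    """Genuine customer on a different phone, answering the knowledge questions."""
    call = Call(account=NO_PASSWORD.account, ani="647-555-0199",
                year_of_birth=1962, answers=dict(NO_PASSWORD.answers))
    return policy(NO_PASSWORD, call, random.Random(1))


def password_holder_without_password(policy: Policy) -> bool:
    """Caller ID matches but the password on file is not supplied."""
    call = Call(account=WITH_PASSWORD.account, ani=WITH_PASSWORD.phone_on_file)
    return policy(WITH_PASSWORD, call, random.Random(1))


if __name__ == "__main__":
    print("spoofed caller ID, previous policy:", spoofed_caller_id_attempt(verify_previous))  # True
    print("spoofed caller ID, current policy: ", spoofed_caller_id_attempt(verify_current))   # False
```

Run as a script it prints the two outcomes for the spoofed-caller-ID case. Both policies still key the lookup on the account number, which is printed on the convenience cheques and statements at issue here; what changes is whether that number plus a spoofed caller ID is enough to be served.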
Findings
Issued March 31, 2005
Application: Principle 4.6 states that personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used; and Principle 4.7.1 stipulates that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
In making her determinations, the Assistant Privacy Commissioner deliberated as follows:
- The complainant informed the bank that his mail had been stolen and that he wanted to close his account, open a new one, and obtain a copy of a statement that he had not received. He was not aware that there were convenience cheques in the missing statement, and the customer service representatives with whom he dealt were unaware that these cheques were included in that statement.
- The day after contacting the bank about the missing statement, a cheque with the old account number on it was cashed. The bank's authorization system initially rejected the cheque because it was linked to a card that had been reported as stolen. However, since the bank did not record accurate information about the missing statement, namely, the fact that it contained convenience cheques, a customer service representative allowed the cheque to be cashed. Clearly, by not properly recording accurate information, the bank failed to protect the complainant's personal information.
- Later, when the complainant tried to alert the bank that someone had forged his signature and cashed a cheque, the customer service representative did not note that this was a case of fraud — as should have been the case since the bank already knew that this account had been compromised — but rather noted that the charge was in dispute. As a result, it took six months for the complainant to have inaccurate information removed from his account.
- The Assistant Commissioner therefore found the bank in contravention of Principles 4.6 and 4.7.1 of Schedule 1.
The Assistant Commissioner concluded that the complaint was well-founded.
Further Considerations
When this case was first published, the Assistant Commissioner commented on the other issues raised during the investigation.
While she acknowledged that issuing unsolicited convenience cheques to credit cardholders is a standard industry practice, she was concerned about the risk to consumer information that the practice may bring about. What happened to the complainant was a case in point. He did not know that his statement contained the cheques, so when the statement went missing he had no way of knowing that the cheques were missing too. The representatives he dealt with were equally unaware that the missing statement contained convenience cheques.
The Assistant Commissioner therefore recommended that the bank cease its practice of sending out unsolicited convenience cheques and that instead it consider informing customers on how to order such cheques from the bank.
Finally, with respect to the bank's telephone verification procedures, she was satisfied that the bank has appropriate measures in place to protect account information. Access to an account is established by providing account information that, under normal circumstances, only the client and the bank would know. The bank clearly has an authentication process in place that ensures that the right customer has access to his or her own account.
Update
The bank responded to the Assistant Commissioner’s recommendations as follows:
- The bank would not entertain the possibility of a separate mail-out for convenience cheques. It believes that this practice would double its costs and that it would put it at a competitive disadvantage since other banks would continue the practice of enclosing convenience cheques with monthly statements.
- However, there are now five opt-out options available to the bank’s customers. They can opt out of receiving information regarding all products or opt out of receiving convenience cheques, insurance material, telemarketing material, and/or e-mail. These options and a customer service telephone number are contained on the back of the bank statement.
- In order to improve convenience cheque security, the bank now requires card members to write additional information on the cheque. The information consists of data that is not readily available to anyone who tries to misappropriate cheques mailed to customers.
- The bank has also taken steps to ensure that customers’ account numbers on convenience cheques are not easily accessible, thus mitigating the possibility of misuse by others.
While the Assistant Commissioner views the enhanced security features as an improvement, she decided to approach the Canadian Bankers Association (CBA) about her concerns regarding the common industry practice of issuing unsolicited convenience cheques that contain personal information. She has requested that the CBA encourage the development of best practices for the banking industry to improve the safeguarding of customers' personal information in regard to convenience cheques.