Bank improves safeguards after individual’s personal information used fraudulently to open credit card account
PIPEDA Case Summary #2007-381
[Principles 4.3, 4.6, 4.7, 4.7.1, 4.9.6]
Lessons Learned
- Credit representatives of financial institutions require sufficient training so that they act promptly to report suspicions of fraudulent activity to their security department.
- Customer authentication and verification procedures need to be strong enough to properly safeguard customer personal information.
- Security staff require regular training updates on the detection of fraudulent activity.
When an individual found out that a fraudster had opened a store credit card account (offered in conjunction with a bank) using his personal information, he complained to the bank that it had not properly verified his information. He was upset that the bank had allowed the account to be opened and a debt to be incurred through the fraudulent use of his information. After he received telephone calls from a collection agency trying to recover the debt that was not his, he notified the bank and filed a complaint with this Office.
The Assistant Privacy Commissioner found that the bank had missed a number of opportunities to prevent the problems from occurring.
The following is an overview of the investigation and the Assistant Commissioner’s findings.
Summary of Investigation
The fraudster applied for a store credit card offered in conjunction with a bank. The bank stated that the applicant presented false identification and completed the application form. The form included name, date of birth and SIN, which appear to have been those of the complainant. In addition, the address provided was very similar to that of the complainant. Our Office requested a copy of the application form, but neither the store nor the bank was able to provide one.
The initial application was rejected when a bank analyst noticed that the address on the form was different from the one on the complainant’s credit report. According to the bank’s account notes, the fraudster verified the address, as well as additional details on the application, during a telephone conversation with a bank representative. A few days later, the imposter changed the address on the account to one in another city.
Later the same month, the fraudster returned to the store to make a purchase. The store called the bank for approval of the purchase since it was in an amount that required him to produce identification. According to the bank’s account notes, the cardholder presented a Canadian citizenship card. The bank’s credit representative confirmed all information with the cardholder and indicated this to the merchant.
The bank states that its credit representative was nevertheless suspicious and alerted its security department about the account. In spite of these suspicions, the bank allowed the purchase to go through. However, the bank’s security department conducted an investigation on the same day and asked the store for a copy of the identification the purchaser had presented (the Canadian citizenship card). Upon examining a photocopy of the citizenship card, our Office discovered that there was a 30-year discrepancy between the year of birth on the citizenship card and that on the complainant’s credit bureau report. This discrepancy was missed by the bank’s fraud investigator.
According to the bank, its security department made attempts to contact the individual by telephone using the information on file. These attempts were unsuccessful. In all likelihood, the number provided by the imposter was false. The bank blocked the account so that no further purchases would be allowed. No follow-up correspondence was sent, although monthly account statements were issued to the address on file. There was an instruction placed on the original account to transfer all calls about it to the security department. The bank indicated that this note was not placed on the new account that was established when the original account was closed due to non-receipt of the credit card payment. (The creation of a replacement account is standard bank practice.)
As the note to refer all calls to the security department was placed on the original account and not on the replacement account, the replacement account flowed through the system like any regular account on which payments have not been made. It was ultimately placed with a collection agency. The bank maintained that it provided the collection agency with the personal information contained in the credit application in good faith, unaware that the application had not been made by the complainant.
The bank provided this Office with its fraud procedures, which outline the steps for the bank’s fraud investigators to follow once it has been decided that an account has been opened fraudulently or is being used fraudulently. It does not appear, however, that the security department determined that this was a case of fraud prior to the account being transferred to an agency for collection.
A few months after the purchase was made, the complainant was alerted by another bank’s credit alert reporting system that someone had “stolen” his identity, and had used his information to obtain a store credit card account on which $9,000 worth of goods were bought. The complainant contacted the bank to inform it about the unauthorized credit card and to have the file flagged as fraudulent. The bank immediately initiated an investigation and recorded a fraud status on the account. It assisted the individual by providing him with the necessary steps to contact two credit bureaus so that they could flag his records to indicate the fraud. The bank also assumed the financial loss for the account balance.
A couple of weeks later, the complainant contacted the bank to notify it that he had received telephone calls from a collection agency seeking to recover the credit card debt. The next day the bank contacted the collection agency to pull the file and return it on a “rush” basis since fraud was involved.
The complainant held the bank responsible for allowing an individual to obtain a store credit card in his name without any proper verification. He also believed that the bank improperly disclosed his personal information to the collection agency, which, he claimed, harassed him by attempting to collect a debt for which he was not responsible.
Findings
Issued March 15, 2007
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.6 provides that personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. Principle 4.7 requires that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 elaborates on this by stipulating that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
In making her determinations, the Assistant Privacy Commissioner deliberated as follows:
- Our Office did not know for certain what identification was presented at the time of the application for the credit card. We knew that the name, date of birth and SIN were provided and were apparently those of the complainant. The bank initially rejected the application because the address provided by the individual did not match the address on the credit bureau report. After speaking with the impersonator, who provided the correct information, the bank approved the credit card.
- Later, when the impersonator wished to make a purchase at the store, the store contacted the bank for approval. Although the bank’s credit representative was suspicious enough of the cardholder to later alert security officials of the account, the representative nonetheless allowed the purchase to go forward. Because the representative did not first report his/her suspicions and refuse the purchase, the $9,000 transaction in the complainant’s name went through.
- The bank’s security department conducted its own investigation at the time of the $9,000 purchase, during which it obtained a copy of the citizenship card that had been presented to the store by the purchaser. The fraud investigators did not notice that there was a 30-year discrepancy between the year of birth on the citizenship card and that on the complainant’s credit bureau report.
- The bank’s security department placed a freeze on the account and attempted to contact the cardholder, to no avail. According to the bank, the freeze was placed on the account because the trail of events was suspicious (the address change made soon after the account was opened, followed swiftly by a large purchase). The Assistant Commissioner surmised that the discrepancy in birth dates was not one of the reasons for freezing the account.
- The bank admitted that a note placed on the original account by security, indicating that all calls about the account should be transferred to security, did not appear on the replacement account established when the original account was closed due to non-payment. The Assistant Commissioner reasoned that, had such a note appeared, it might have alerted someone to the fact that there was something wrong with the account and that fraud might be involved. More significantly, had the security department observed the discrepancy between the date of birth on the citizenship card and that contained on the credit bureau report, it would likely have considered the account as having been opened fraudulently, and the account would not have gone to collection.
- As for the transfer of the complainant’s personal information to a debt collection agency, the complainant referred to the transfer as a “disclosure.” The Assistant Privacy Commissioner noted that it was not a “disclosure” as this Office defines the word, but rather a “use” since the bank was still responsible for the debt.
- The bank claimed that its actions with respect to the handling of the account and its transfer to a collection agency were conducted in good faith, in the belief that this was not a case of identity theft. However, the Assistant Commissioner pointed out that, from the sequence of events, the bank missed at least two instances in which it could have better safeguarded the complainant’s personal information and prevented its unauthorized use. Firstly, it allowed the $9,000 purchase in spite of the credit representative’s suspicions. The representative ought to have refused the purchase. According to the bank, its credit representatives would now transfer such a call immediately to security. Secondly, during its own investigation, the bank ought to have noticed that the information provided by the fraudster was inaccurate (year of birth). The Assistant Commissioner concluded that, because the bank missed these opportunities, the complainant’s personal information was not safeguarded, and it was consequently transferred to the collection agency without his knowledge or consent to collect a debt that was not his. For these reasons, Principles 4.3, 4.6, 4.7 and 4.7.1 were contravened.
- The Assistant Commissioner recommended that the bank provide additional training to staff with respect to its security verification processes so that they may identify fraud cases with greater accuracy. Given that there was a discrepancy between the birth date on the citizenship card and the one on the credit bureau report, care needs to be taken to mitigate reoccurrences.
- The bank enhanced its customer authentication and verification procedures. Moreover, it undertook to review this Office’s Guidelines for Identification and Authentication to determine if further changes were necessary. The bank also provided additional staff training with respect to these procedures.
Satisfied that the bank had met its obligations under the Act, the Assistant Commissioner concluded that the complaints were well-founded and resolved.
See also
#374 Bank faxes credit card account statement to fraudster
#27 Man objects on principle to bank’s identification program