Bank misinformed client of purpose of requesting personal information for picking up credit card

PIPEDA Report of Findings #2013-002

April 15, 2013

---

A customer picking up his replacement credit card at his bank branch of more than 30 years was asked to provide his driver's license so the employee could record the number. As his birth certificate reference number was already on file at the bank and the staff knew him, he refused. He later received his replacement card by mail, which did not require him to provide any additional personal information.

The customer raised the issue with representatives of the bank's customer service unit and ombudsman. The customer service unit told the customer that its request for his driver's license number was required further to the bank's obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and the Office of the Superintendent of Financial Institutions (OSFI) Guideline B-8: Deterring and Detecting Money Laundering and Terrorist Financing (Guideline B-8). However, the bank's ombudsman later informed the complainant that the rationale that he had been provided with regarding the recording of his driver's license information for PCMLTFA compliance was incorrect.

The customer filed a complaint with our Office. Because the customer had refused to provide his driver's license, an actual collection of the personal information the driver's license contained had not occurred. Therefore, our Office found that this aspect of the complaint was not well-founded. Nevertheless, at our Office's suggestion, the bank agreed to revise its procedure for pickup of a credit card to ensure that, when the client's identification on file meets anti-money laundering requirements, and in situations where the client presents different identification when he or she picks up a replacement card, the bank will limit the information it records to only the type and place of issue of the new identification.

Furthermore, given that the bank had inaccurately informed the complainant about the purposes for which the complainant's personal information was being collected, our Office found that Principle 4.2.5 had been contravened. In light of the revised procedures for credit card pickup, and the fact that the bank has circulated this information to its staff, the complaint relating to identifying the purpose of collection was therefore well-founded and resolved.

Report of Findings

Complaints under the Personal Information Protection and Electronic Documents Act (the Act)

1. The complainant alleged that a bank (the respondent) improperly demanded to record information from his driver's license card on the pretext that it was required under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).

Summary of Investigation

2. When the complainant attempted to pick up a replacement credit card at the bank's branch location where he had conducted banking for more than 30 years, staff asked to record information from his driver's license card. In the circumstances, the complainant's file already contained the reference number for his birth certificate and the place where it was issued.

3. According to the bank, an employee who served the complainant considered that the latter's client file was not compliant with anti-money laundering identification requirements. Consequently, the employee asked the complainant for his identification to update his client file. However, as the complainant refused to present his identification, the bank employee did not view, collect or record it. As a result, the complainant did not obtain his credit card at the branch.

4. After the complainant received his credit card by mail, he approached the bank, commencing with the customer service unit and later escalating the matter to the bank's ombudsman. He complained about the bank demanding his driver's license card at the exclusion of all other forms of photo identification, despite the fact that the branch staff he had interacted with knew him. He also requested the specific regulation that required the bank to verify and record the information from his driver's license card.

5. The customer service unit responded that, under the PCMLTFA and in accordance with the Office of the Superintendent of Financial Institutions (OSFI) Guideline B-8: Deterring and Detecting Money Laundering and Terrorist Financing (Guideline B-8), the bank was required to implement money laundering risk mitigation policies, including client identification and record-keeping activities. Further, it was the bank's policy to maintain a record of two pieces of identification on a client's file, one being government-issued photo identification.

6. The bank's ombudsman later informed the complainant that the rationale that he had been provided with regarding the recording of his driver's license information for PCMLTFA compliance was incorrect. Not satisfied with the bank's responses, the complainant submitted the current complaint to this Office, which we accepted on January 17, 2012.

7. As part of this Office's investigation, we reviewed the bank's procedures for credit card pickup (the procedures). The procedures state that a customer picking up a credit card must provide two pieces of identification and that one piece must be government-issued photo identification. Further, if the client's identification on file meets anti-money laundering requirements, and the client presents different identification from that included on their file, employees are to enter the details of the new identification on a form provided for this purpose. The relevant fields on the form require the following data: (i) reference number (e.g., driver's license card number); (ii) photo identification (yes or no); (iii) description/type; (iv) province/state of issue; and (v) country of issue.

8. We also reviewed the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTF Regulations), which require financial entities to ascertain the identity of persons in certain situations. Where a financial entity opens a credit card account in the name of a person, subsection 64(1.1) stipulates that the identity of the person shall be ascertained by referring to: (i) the person's birth certificate; (ii) driver's license; (iii) provincial health insurance card (if such use of the card is not prohibited by the applicable provincial law); (iv) passport; or (v) other similar document.

9. Since the complainant's file already contained the reference number for his birth certificate and the place where it was issued, therefore complying with the PCMLTF Regulations, it appears that the bank did not need to record additional identification for PCMLTFA purposes.

10. The bank confirmed that it requests photo identification when customers pick up credit cards for the following purposes: (i) to verify identity; (ii) to meet anti-money laundering requirements; and (iii) to prevent and deter fraud.

11. In terms of anti-money laundering requirements, the bank took the position that "credit cards, and thereby credit card holders as a group, are not considered 'minimal risk'". As such, the bank argued that its procedures were reasonable and necessary to meet OSFI expectations under Guideline B-8, which states, in part, that where a birth certificate or a social insurance number card is the only document available to ascertain identity, and the assessed money laundering or terrorist financing risk of the client is other than minimal, Federally Regulated Financial Institutions should consider applying additional identification measures.

12. We reviewed the above noted guideline and noted that it suggests additional identification measures could include viewing the original of other acceptable government-issued identification documents, including government-issued photo identification.

Application

13. In making our determinations, we applied Principles 4.4 and 4.2.5 of Schedule 1 from the Act.

14. Principle 4.4 stipulates that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

15. Principle 4.2.5 stipulates that persons collecting personal information should be able to explain to individuals the purposes for which the information is being collected.

Findings

16. The issues in this investigation are as follows:

1. Did the bank limit its collection of personal information to that which was necessary for the purposes identified by the organization?
2. Did the bank ensure its employees were able to explain purposes for which personal information was being collected?

Limiting Collection

17. At issue here is whether the bank limited collection of the complainant's personal information to that which was necessary for the purposes identified by the organization.

18. Principle 4.4 stipulates that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

19. On this matter, we accepted the bank's position that because the complainant did not present his driver's license to the employee, the bank did not collect the complainant's personal information. Therefore, the bank did not contravene Principle 4.4.

20. Nevertheless, in the course of our investigation, the bank updated its procedures for picking up credit cards. The procedures continue to require the client to present two pieces of acceptable identification from a list of acceptable documents whereby one piece must include a government-issued photo identification. However, if the client's identification on file meets anti-money laundering requirements, and s/he presents different identification, the bank will only record the type and place of issue of the new identification as opposed to the reference number listed on the piece of identification.

21. We are satisfied that this new procedure addresses the bank's legitimate requirement to properly authenticate individuals picking up credit cards while ensuring that the bank does not collect more information than is required for that purpose.

Identifying Purposes

22. At issue here is whether the bank ensured its employees were able to properly explain the purposes for which the complainant's personal information was being collected.

23. Where a financial entity opens a credit card account in the name of a person, subsection 64(1.1) of the PCMLTF Regulations stipulates that the identity of the person shall be ascertained by referring to a document from a list of identification, which includes a birth certificate.

24. Our investigation revealed that when the complainant attempted to pick up his replacement credit card, the bank had a record of his birth certificate already on file and was therefore compliant with the PCMLTF Regulations. Nonetheless, a bank employee asked to record information from the complainant's driver's license card advising him that it was necessary for anti-money laundering identification requirements, which was inaccurate.

25. Therefore, the bank contravened Principle 4.2.5 since its employee was unable to properly explain to the complainant the purposes for requesting identification information.

26. That being said, we noted that the bank's previous procedures for picking up credit cards did not suggest any purpose for recording identification information other than meeting anti-money laundering requirements. As the purposes for collecting identification information are circumstance-specific, the revised procedures indicate that any one, or combination of, the following requirements may apply: (i) anti-money laundering requirements; (ii) identification and authentication; and (iii) fraud detection.

27. The bank has circulated this information to its staff. We believe that the new procedure guidelines along with adequate training to its staff will enable bank employees to properly explain the purposes for which personal information is being collected in these circumstances.

Conclusion

28. Accordingly, we conclude that the collection complaint (Principle 4.4) is not well-founded and the identifying purposes complaint (Principle 4.2.5) is well-founded and resolved.

Other

29. Noting the complainant's concern that the bank demanded his driver's license at the exclusion of all other forms of photo identification, we confirmed that the bank's revised procedures include options in terms of photo identification. We have recommended to the bank that it remind its branches to ensure that customers are aware of those options.

30. In consideration of the complainant's objection that the bank required a customer known to the branch staff to present identification to pick up a credit card, we advised him that our Guidelines for Identification and Authentication^{Footnote 1} state that an organization should only authenticate an individual's identity when it is necessary given the nature of the transaction. Further, the guidelines allow that an authentication process may involve three factors including: (i) something known to the individual; (ii) something the individual has; and (iii) something the individual is (for example a biometric, such as a facial image) or does.