Bank over-collects client’s personal information for credit increase
PIPEDA Report of Findings #2013-009
May 28, 2013
A customer applying to his bank for an increase to his line of credit mentioned his income included both a salary and a bonus component. Because he had indicated that he received a type of fluctuating income (plus his salary), the bank branch employee asked him to provide his most recent federal Income Tax and Benefit Return (T1 General) form and his Notice of Assessment for income verification purposes. Although at first the customer did not raise any objections to this request, when he returned to the bank with the documents, he expressed his objections, citing an invasion of privacy and noting that the documents contained much more personal information than was necessary for income verification. The bank employee insisted that the documents were necessary and collected them from the customer.
The customer then escalated his privacy concerns within the bank. Eventually, the bank’s ombudsman informed him that the employee had unnecessarily collected the two documents from him since his salary income would have been sufficient to approve his credit application. Further, his salary could have been confirmed from his pay stubs. The Assistant Commissioner thus found that the bank had contravened Principles 4.3.3, 4.4 and 4.4.1 since, by not allowing the approval of the complainant’s credit application to proceed without his T1 General or Notice of Assessment, the bank had made its "unnecessary collection" a condition of service.
The bank explained that the employee had not followed the bank’s procedure. That procedure dictated that customer concerns about perceived over collection of their personal information for income verification must be followed up by the bank employee who is to re-examine the customer’s situation and determine whether the provision of less customer personal information could suffice.
However, the Assistant Commissioner was of the view that the bank’s income confirmation procedure itself was in violation of Principles 4.4, 4.4.1 and 4.8.1 of PIPEDA since it led to the collection of personal information from certain individuals that is not necessary for the purpose of verifying their income. Additionally, by presenting the less privacy-invasive option only to those customers who complain about a perceived over collection, the bank was not upholding its obligation to be open about its policies and practices with respect to personal information management. At the same time, it did not allow customers to acquire this information without unreasonable effort.
Although the bank still maintained that its income confirmation procedure did not contravene PIPEDA, in response to our Office’s suggestions, it agreed to revise the procedure so that all credit applicants are now informed of the minimum amount of their personal information that may be sufficient to approve their application. Applicants may then choose what personal documents they will provide for the verification process.
The complaint was thus well-founded and resolved.
Lessons Learned
- Organizations must ensure that their collection of personal information is limited only to that necessary for the purposes identified.
- Organizations must not make the collection of unnecessary information for an identified purpose a condition of supplying the customer with a product or service.
- Organizations must be open about their policies and practices with respect to the management of personal information. Individuals must be able to acquire information about an organization’s policies and practices without unreasonable effort.
Report of Findings
Complaint under the Personal Information Protection and Electronic Documents Act (the Act or PIPEDA)
Summary of the Complaint
- The complainant alleges that a Canadian bank over collected his personal information with respect to an application for an increase in his line of credit with the bank and, in so doing, made the collection of this information a condition of service.
Summary of Investigation
I. Alleged over collection of the complainant’s personal information
- The complainant, who is a salaried individual, telephoned the bank and requested, on a rush basis, an increase in his secured line of credit, which was secured against his residential property. The complainant disclosed to the employee that his total income included a salary and a bonus component.
- As the complainant disclosed that his total income included a salary and a bonus component, in accordance with the bank’s procedures, the financial advisor (the “FA”) asked him to provide his Notice of Assessment (the “NOA”), and his T1 General Income Tax and Benefit ReturnFootnote 1(the “T1 General”). As the complainant did not initially object to the request, there was no discussion regarding whether this information was necessary for him to apply for the increase or whether other options were available.
- The T1 General is a comprehensive form, populated by the individual and comprising financial and non-financial information (including a breakdown of several income sources), for a given tax year. It may contain third-party personal information. On the other hand, the NOA is a summary document of the individual’s net income taxes or credits, generated later by the Canada Revenue Agency (the “CRA”).
- A few days later, the complainant went to a bank branch with the aforementioned documents. Although he told the FA that the bank’s collection of certain personal information from his T1 General constituted a violation of his privacy, the FA collected the complainant’s NOA and the first four pages of his T1 General. The complainant claims that the FA told him that, without these documents, the bank could not process his credit application.
- The bank’s procedure that was to be followed by the FA during the complainant’s credit increase application contained a mechanism for exploring the possibility of using alternative documents containing less personal information to confirm the complainant’s income (to be invoked after a customer raises a concern either about privacy or about the amount of information that the bank says it requires).
- Our review of the bank’s procedure concluded that the FA had not followed the correct process on two occasions: (i) when she failed to explore whether alternative documents containing less personal information would suffice, after the complainant told the FA that the bank’s collection of certain personal information from his T1 General constituted a violation of his privacy, and (ii) when she subsequently failed to ask the complainant if he would like the matter to be referred in order to escalate it as a privacy incident.
Complaint escalation
- The complainant subsequently had several email exchanges with various bank employees about his privacy concerns. The complainant escalated his concerns within the bank, as per its published complaint escalation procedures. During this process, the bank’s customer service unit provided him with information about the bank’s income confirmation procedures; it explained to him in an email that because the complainant’s income included a bonus component, the T1 General, the NOA, a proof of annual property tax payments, a request for appraisal of his present property and a signed Credit Bureau Consent form were the absolute minimum required. The customer service unit also informed the complainant that the bank had internal guidelines to be followed and advised him of his option to further escalate the matter to the the bank’s ombudsman.
- The complainant then pursued his escalation option, resulting in the bank’s ombudsman conducting a review of his complaint. In an ombudsman’s letter to the complainant, the ombudsman explained the bank’s policy regarding self-employed individuals or those with fluctuating income and the need to confirm income as part of the bank’s approval process.
- However, the ombudsman then apologized in writing to the complainant, stating that it appeared the complainant had been given incorrect information in the matter, based on the salary income that he receives. The ombudsman later reiterated that conclusion in a later email to the complainant, stating that the level of income confirmation requested by his branch was in excess of what is usually required by the bank in his particular situation and that his financial advisor could have asked for his two most recent pay stubs or reviewed his two most recent direct deposit payments from his employer. The ombudsman also stated that to ensure that the matter does not recur, it had taken steps to advise the complainant’s branch that this was an error.
- A similar message was conveyed to the complainant by the ombudsman in another email whereby he was told that an error had been made in implementing procedures since another source was available to verify his income. This email also stated that bank regretted any pressure the complainant may have felt to provide the requested information, but maintained that the bank had not acted unlawfully in its initial request for information from the complainant. The bank also apologized to the complainant for the frustration that the matter had caused him.
- Additionally, the complainant filed a complaint with the Ombudsman for Banking Services and Investments (the OBSI). The OBSI responded to him by stating that its terms of reference establishing its mandate did not permit it to investigate a business decision made by a bank.
Complaint accepted by this Office
- As the complainant was not satisfied that the bank had responded to all his concerns, he submitted the current complaint to this Office, which we accepted on August 25, 2011.
- In his complaint, he alleged that the bank refused to consider his application for credit unless he provided certain personal information, which he deemed unnecessary for that purpose. He alleged that the bank required this unnecessary information as a condition of supplying the service.
- He also specified that the T1 General, which the bank collected from him, contains twelve specific types of information not at all relevant to his income (e.g., disclosure to Elections Canada for the National Register of Electors; contributions to a professional association; ownership of foreign property; donations to a charitable organization, etc.).
- In conversations between the complainant and this Office, we reached an understanding whereby this Office would focus the investigation on his allegation of an over collection of his personal information in general, contained in the T1 General and the NOA, for the purpose of increasing his line of credit.
- Thus, our investigation proceeded by considering the T1 General and the NOA as documents containing more information about an individual than do alternative records commonly used by the bank and other banks to verify an individual’s income (e.g., pay stubs or pay direct deposit payments).
- As well, we explained to the complainant that PIPEDA does not have provisions to address or investigate issues surrounding the quality of customer service in general.
The bank’s explanation
- The bank affirmed in a letter to this Office that as the complainant had disclosed that his income, upon which the credit application was to be based, included both salary and bonus income, it was reasonable for the FA to request his NOA and his T1 General.
- However, in its representations to this Office, the bank also stated that once the complainant raised his concerns, the FA should have followed the bank’s procedures, which instruct that the bank employee is to determine whether alternative documents containing less personal information are sufficient for the application.
- The bank also stated in the same correspondence that the FA’s request for the complainant’s NOA and T1 General was in accordance with the bank’s obligations under PIPEDA, given that the complainant fell within the bank’s “fluctuating income” category.
- In addition, we noted that at the complainant’s visit to the branch (when he raised his privacy concerns), the complainant did not sign the bank’s personal line of credit application form and the bank did not process the complainant’s formal application for an extension of his personal line of credit. As for the complainant’s two documents that he provided, the bank informed us that they were locked in the FA’s office drawer, not shared, copied or viewed by anyone. The bank eventually returned them to the complainant, retaining no copies.
II. The bank’s procedures
- The scope of our investigation also included an examination of the bank’s procedure that was to be applied to the complainant to confirm his income. This procedure applies to certain personal loan and credit applicants that the bank places in its category of “fluctuating income” by virtue of the fact that the applicants have at least one source of income that is not full-time-salary based.
- In its representations to this Office, the bank defended its procedure since, in the bank’s view, the bank must properly and appropriately document the ability of a borrower having several forms, or fluctuating forms, of income to repay the credit.
- The bank further explained that the T1 General is requested since it gives a breakdown of various types of income (e.g., employment, investment, rental, RRSP, etc.) details that the NOA does not provide. The bank maintains that, on the other hand, the NOA is necessary since it can specifically confirm whether the customer has outstanding taxes to be paid. Additionally, the bank asserts the necessity of both documents since the total income declared on the individual’s T1 General, which is a document generated by the individual, can be verified against corresponding figures found in the government-issued NOA.
- The bank claimed that its procedure is reasonable. In this regard, it cited the Alberta Court of Appeals decision in Leon’s Furniture Limited v. Alberta (Information and Privacy Commissioner),2011 ABCA 94 (Leon’s) for the proposition that a business is only required to demonstrate that its policies are “reasonable”. It cited the Court of Appeal’s statement that this reasonableness “...standard does not require the organization to defer to all instances to the interests of individual privacy.” The decision stated that, as such, a business does not have to show that it has the “best” or “least intrusive” approach to privacy.
- The bank stated that the test for determining what is reasonable is an objective test, i.e., the “reasonable person” test. The bank advised that from the total number of credit applications it processes every year, its privacy office has not received any other inquiries about the bank’s required financial disclosure requirements for credit applications.
Past cases, OSFI guidelines and Industry Practices
- In its representations, the bank cited this Office’s case summary #2003-169Footnote 2, Individual objects to bank’s requirement to provide a Notice of Assessment for income verification purposes, in support of its own—and allegedly other banks’—practice of collecting clients’ tax information to evaluate client solvency. In that previous case investigated by this Office, a bank requested an entirely self-employed individual to provide his NOA in the context of his credit application. In the then-Commissioner’s findings, while he agreed that the NOA—since it is issued by an independent official source—satisfied the bank’s purposes of income verification and determining credit worthiness for unsalaried individuals, he found that the bank was collecting more information from the NOA than it needed to achieve its purposes and that the bank was also requiring the provision of the NOA as a condition for the credit.
- In its representations, the bank also referred to the Office of the Superintendent of Financial Institutions’ (the “OSFI”) draft Guideline B-20 on sound business and financial practices: Residential Mortgage Underwriting Practices and Procedures (the “Guideline”). The bank maintained that the Guideline encourages banks to obtain relevant income tax information, such as a T4 or T1 General, accompanied by an NOA from all potential borrowers. This Office reviewed the Guideline, which has since been approved and released by the OSFI, in June 2012.
- We observed that the Guideline sets out the OSFI's expectations regarding the reasonable due diligence that banks should undertake in order to properly assess a borrower's capacity to service or repay his or her debt obligations secured by residential property. Principle 2 of the Guideline generally provides that financial institutions should ensure that they make a reasonable enquiry into the background, credit history, and borrowing behaviour of a prospective residential mortgage loan borrower as a means to establish an assessment of the borrower’s reliability to repay a mortgage loan. Principle 2 also advises maintaining complete documentation of the information that led to the mortgage approval, including employment status and verification of income.
- Under the “Income Verification” heading of Principle 3 of the Guideline, it states that for borrowers who are self-employed, financial institutions should take reasonable steps to obtain income verification (e.g., an NOA) and relevant business documentation (Note that the given example of an NOA is taken directly from the Guideline).
- Finally, we observed that Principle 2 expressly states that financial institutions should also ensure that they obtain appropriate borrower consent for this assessment and comply with relevant provincial and federal legislation governing the use and privacy of personal information. In this regard, Principle 2 makes reference by example to PIPEDA.
- During our investigation, we consulted with other Canadian banks about their policies when verifying the income of credit applicants who are salaried employees receiving bonuses, and in circumstances similar to the complainant’s. Several of these institutions confirmed that their policy is to first obtain income verification from several sources, such as a letter of employment, a pay stub, pay direct-deposit receipts or a T4 slip. They reported that only after due consideration of these first-order documents would they use an alternative method, which involves requesting the applicant’s NOA and their T1 General. One financial institution advised that for cases involving variable income, they would require documentation (T4’s or T1 General’s, along with NOAs) going back three years.
- In general, we did not observe a noticeable degree of uniformity amongst the practices of the banks we consulted. Lastly, those we consulted informed us that the particular circumstance of a requested line of credit being secured against real property did not affect the income verification procedure.
Application
- In making our determinations, we applied Principles 4.3.3, 4.4, 4.4.1 and 4.8.1 of Schedule 1 of the Act.
- Principle 4.3.3 states that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
- Principle 4.4 provides that the collection of personal information be limited to that which is necessary for the purposes identified by the organizations. Information shall be collected by fair and lawful means.
- Principle 4.4.1 states in part that organizations shall not collect personal information indiscriminately. Both the amount and type of personal information collected shall be limited to that which is necessary to fulfil the purposes identified.
- Principle 4.8.1 states that organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.
Analysis
I. Alleged over collection of the complainant’s personal information
- At issue in the first place is whether the bank collected more of the complainant’s personal information than necessary for the purpose of approving his credit extension and whether this collection was made a condition of the service being provided. Principles 4.4 and 4.4.1, respectively, provide that the collection of personal information shall be limited to information that is necessary for the purposes identified by the organization, and that both the amount and type of personal information collected shall be limited to that which is necessary to fulfil the purposes identified.
- Additionally, Principle 4.3.3 requires that organizations do not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
- The bank conceded that its FA made an error in telling the complainant that his NOA and his T1 General were required to process his application and in not considering alternative documents once the complainant expressed concerns about his privacy.
- The bank conceded this error to the complainant ─ much later and after his complaint was escalated to the bank’s ombudsman ─ in confirming to him that his bonus income from the T1 General and the NOA was not necessary to approve his credit application and was even in excess of what is required by the bank in the complainant’s particular situation. The ombudsman stated that, in the complainant’s case, he would have qualified for his credit increase based on his salary alone, calculable from documents containing less personal information such as pay stubs or proof of direct deposit payments from his employer.
- Clearly, a T1 General and an NOA contain much more information about an individual than that made available from their pay stubs, proof of direct deposit payments from their employer, or a salary-confirmation letter from their employer.
- Since it was demonstrated that the additional personal information collected from the NOA and the T1 General was not necessary to approve his application, Principles 4.4 and 4.4.1 were contravened.
- Further, in light of the bank’s insistence on obtaining the additional and unnecessary information from the NOA and T1 General for his application and the bank’s refusal to proceed with his application without these documents, the bank also contravened Principle 4.3.3.
II. The bank’s procedure
- This section addresses the bank’s income-confirmation procedure for applicants of personal loans and lines of credit who have what the bank describes as “fluctuating income”.
Past cases and OSFI guidelines
- We noted that certain arguments put forward by the bank to defend its procedure and practice of requesting the T1 General and the NOA from clients with fluctuating income refer to situations involving individuals who receive no income from a salary. For that reason, those situations are not comparable to the one characterized by this complaint, made by an individual who clearly receives a salary, supplemented by additional income (e.g., a performance bonus).
- For example, this Office’s case summary #2003-169 is based on an individual who is described as self-employed. Further, although case summary #2003-169 states that the then-Commissioner agreed that the NOA satisfied the bank’s purposes of income verification and determining credit worthiness in those unsalaried circumstances, the then-Commissioner also pointed out that the NOA, even by the bank’s own admission at the time, also contains information not required to meet those purposes.
- The bank mentions as well OSFI Guideline B-20, which it claims it must adhere to. However, in that Guideline’s Principle 3, when it specifically cites the NOA as an example of a document to verify income, the context is clearly described as one of borrowers who are self-employed (i.e., borrowers without any source of salaried income).
- Also with regard to Guideline B-20 on sound business and financial practices, we do not share the bank’s interpretation that this Guideline encourages banks to obtain relevant tax information, such as a T4 or T1 General accompanied by a NOA, from all potential borrowers. While we acknowledge a lender’s need to accurately assess risk, our own careful study of the Guideline does not lead us to believe that its intent is so broad as to suggest collecting tax-return information from all borrowers.
- Noteworthy, however, is the specific recommendation in Principle 2 for financial institutions to ensure compliance with relevant provincial and federal privacy legislation (e.g., PIPEDA).
Industry Practices
- With respect to allegedly standard financial industry practices with clients who have one or more fluctuating income source, this Office’s own survey of several Canadian banks could not confirm the bank’s assertion that the industry’s standard practice is closely aligned with its own.
- The majority of institutions we contacted described their income verification approach for cases such as the complainant’s to be a more prudent and incremental one with respect to the amount of personal information they ask credit applicants to provide. By and large, their approach is characterised by first verifying the salary income of fluctuating-income applicants (by means of a T4 slip, pay stub or pay direct-deposit receipts) to determine if they qualify based on that source, before resorting to asking for a T1 General or an NOA.
- Finally, we note that “common industry practice” does not constitute a defense as to whether or not a contravention of PIPEDA has occurred in any given instance. Practices and processes must be assessed against their own specific context and fact scenario in determining compliance with the Act.
“Reasonableness”
- The bank pointed to the Leon’s decision and argued that its policies reflect a reasonable balance between privacy rights and a bank’s ability to use personal information for reasonable business purposes.
- It should first be noted that the Leon’s decision was made pursuant to the Alberta private-sector privacy law. In this case, the applicable legislation is PIPEDA. Accordingly, our analysis must occur within the context of the Act. The Federal Court of Appeal has noted that Schedule 1 of PIPEDA must be interpreted with “flexibility, common sense and pragmatism”.Footnote 3
- In this case, the central issue is whether the respondent has met its obligations under Principles 4.3.3, 4.4 and 4.4.1. Principles 4.4 and 4.4.1 are about “limiting” the collection of personal of personal information. The principles provide that an organization must limit its collection of personal information to that which is “necessary” to fulfill its identified purposes. Principle 4.3.3 uses similar language—it refers to personal information “required” to fulfill an organization’s identified and legitimate purposes.
- In our view, the use of the words “necessary” and “required” in these principles indicate a higher standard than mere reasonableness, even on a flexible, common sense and pragmatic reading of the Act. A reasonableness standard would allow the bank to collect personal information even if it is not strictly necessary for its purposes, contrary to the clear wording and purpose behind Principles 4.3.3, 4.4 and 4.4.1. For these reasons, we do not accept the bank’s argument on this point.
- The facts of this case demonstrate to this Office’s satisfaction that the personal information contained in documents requested by the bank from the complainant was not“necessary” or “required” in the assessment of his application. We are thus of the firm view that, for the reasons discussed above, the bank did not meet its obligations under the Act.
Our Office’s review of the bank’s procedure
- Upon examination, we found the bank’s income confirmation procedure to be in violation of Principles 4.4, 4.4.1 and 4.8.1 of PIPEDA.
- Based on the evidence, it appears that the T1 General and the NOA are first being requested from all applicants who have some form of fluctuating income even though, for certain salaried individuals who also have a source of fluctuating income, a document such as a pay stub, containing only their salary income, may suffice for the applicant to meet the bank’s income requirement for the application and to have their application approved.
- We are of the view that when applicants in this situation are first requested to provide the bank with supporting documents, such as their T1 General and the NOA (which contain much more personal information than necessary for the bank to confirm their income and evaluate their credit application), the bank is not being sufficiently and proactively open about its income confirmation process and the minimum amount and type of applicant information that could be sufficient to fulfill the identified purpose.
- Even though the bank’s procedure contains a mechanism to potentially scale back the amount of personal information being requested, this particular step is invoked only after an applicant objects to the amount of information first being requested or if the applicant tries to escalate the matter as a privacy issue. Our Office rejects this practice.
- Our reasons are twofold: i) the bank is not meeting its obligations under Principles 4.4 and 4.4.1, for certain applicants, to limit its collection of their personal information to only that which is necessary for the purpose identified, and ii) the bank is clearly not demonstrating an acceptable level of openness towards all applicants, as required by Principle 4.8.1, when the bank does not explain to them at the outset how their income confirmation could be attained using only their salary information.
- It will be recalled that Principle 4.8.1 states that information about an organization’s policies and practices shall be made available “without unreasonable effort”. In our view, it is not “reasonable” for the bank to systematically require its clients to object to a potential over collection of their personal information before the bank reveals existing policy options that would involve the disclosure of a smaller set of less sensitive information to sufficiently satisfy the bank’s purposes. Simply put, the bank is not being entirely open with its clients with regard to personal information policy requirements.
Our Office’s requests for procedural change
- Consequently, we requested that the bank change its procedure.
- We asked that the bank be more open vis-à-vis its policies and practices. We asked that the bank communicate to all its personal loan and line of credit applicants—at the outset of the income-confirmation process—the minimum amount of applicants’ personal information that may well be sufficient to approve an application. At this same point in the approval process, we asked the bank to offer its applicants a clear choice in the personal documents that they could provide.
- These changes allow fluctuating-income credit applicants an opportunity to manage and exercise discretion regarding the personal information they choose to provide to the bank. They also reduce the likelihood of the bank collecting, or attempting to collect, from these applicants personal information not necessary for the stated purpose. Equally as important, it would reduce the likelihood of a recurrence of the situation that the complainant experienced.
- In a letter, the bank submitted to our Office a draft version of its revised procedure that we deemed clear and acceptable. We consider clarity to be an essential criterion for such a procedure, given how our investigation revealed that the existing procedure was misinterpreted and/or misapplied by more than one bank employee when they attempted to respond to the complainant’s concerns.
- The bank then submitted a subsequent and unsolicited revision of its procedure to our Office, which we did not deem acceptable. Discussions followed between the bank and our Office, resulting in the bank agreeing to implement the version of the procedure that had originally been offered and accepted by us previously.
- In our view, this revised procedure requires the bank to be open to applicants about the bank’s income confirmation policies and practices, including the minimum amount of applicants’ personal information and the type of documents containing that information that may be sufficient to approve their application. Notably, this openness is to occur upfront and before requesting any documents of the applicant. As a result, once implemented and properly followed, this procedure will uphold Principle 4.8.1 and would enhance compliance with Principles 4.4 and 4.4.1.
- The bank advised us that the new procedure was targeted for publication on its intranet site. In concert, branch employees will be advised in electronic format (i) that there has been an amendment made to the existing procedure and (ii) how they are to proceed when confirming applicants’ income. Our Office has previewed a copy of this electronic message. Employees review these messages and updates weekly to ensure that they understand, implement and practice any changes.
Conclusion
- Accordingly, the matter is well-founded and resolved.
Other
- It became apparent to our Office in the course of our investigation that the complainant’s allegation of the twelve types of personal information contained in the T1 General that he deems not relevant for the processing of an increase to his line of credit (and the role of T4 slips for the same purpose) are complex matters that affect not only the bank’s banking operations, but are also of relevance for current banking practices on an industry-wide scale. Therefore, this Office’s intent is to carry out discussions about these matters on an industry level.
- Date modified: