Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

Individual’s personal information fraudulently used by sales representative to issue him a new credit card

PIPEDA Report of Findings #2015-008

July 7, 2015

While shopping in a store, an individual and his wife were approached by a sales representative of a financial service provider who offered to upgrade the wife’s credit card. After she signed an application, she also provided the representative her husband’s name and date of birth, after being told it was needed “for verification purposes.”

Days later, the couple received an unwanted credit card in the husband’s name in the mail. The husband also learned that a credit check had recently been performed on his file at a credit bureau.

The husband was concerned that the financial service provider had checked his credit without consent and authorized a credit card in his name. He alleged that the service provider did not have adequate procedures and policies in place to safeguard his personal information.

When he raised these concerns with the service provider, it was not able to produce the actual paper application form previously signed by his wife. It explained that its practice is to destroy completed paper application forms and replace them with electronic copies.

Dissatisfied with the service provider’s reply to his concerns, he filed a complaint with our Office.

The service provider stated that its in-store representatives offering credit cards to customers are fully trained third parties. The service provider advised us that it has procedures in place to audit such representatives for adherence to its policies and procedures, so that they:

  1. follow procedures to the service provider’s standards; and
  2. hand out proper materials and disclosure documentation. The audit procedures also ensure that representatives do not make misleading or fraudulent claims.

After internally investigating the incident, the service provider concluded that the representative had fraudulently submitted a credit card application in the complainant’s name and in contravention of the service provider’s protocol.

As a result of this incident, the service provider advised us it had taken the following steps:

  1. disciplining the representative involved in this incident;
  2. decommissioning the use of paper applications so that representatives are instead required to use tablets to facilitate credit card applications; and
  3. requiring representatives to submit applications electronically and removing the ability to change applications once they are submitted.

Our Office determined that since the representative had used the complainant’s personal information to perform a credit check on him without the individual’s consent, Principle 4.3 (regarding user knowledge and consent) was contravened.

In addition, because the representative had been able to falsify the credit card application using the husband’s personal information, there was a contravention of Principles 4.7 and 4.7.1  (regarding safeguarding personal information).

However, since the service provider had verified how the incident occurred and had taken additional measures to prevent recurrence, our Office determined that the complaint was well-founded and resolved.

Lessons Learned

  • An individual’s knowledge and consent is required for the collection, use or disclosure of their personal information.
  • Organizations must ensure that their employees respect their privacy policies and procedures in the course of business with customers.
  • An organization’s privacy safeguards must be robust enough to protect the personal information entrusted to it. Privacy safeguards are subject to periodic review and updating.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (“PIPEDA” or the “Act”)

Overview

The complainant alleged that a financial service provider (the “service provider” or the “respondent”) performed a credit check on him and opened a credit card account in his name without his knowledge or consent.    

Our investigation determined that the service provider has policies and procedures in place regarding the audit of its third party representatives and employees and that it provides privacy training to them.

Notwithstanding the above, it appears that the incident occurred due to the actions of one of the service provider’s representatives who did not follow the service provider’s procedures and fraudulently completed its paper application in the complainant’s name. It appears that the paper application was easily falsified by the representative.

The service provider investigated the incident and took additional measures to prevent recurrence, which included disciplinary action in respect to the representative and implementing an electronic application process. In addition it cancelled the complainant’s credit card and removed the credit inquiry from his credit report.

We found the complaint to be well-founded and resolved.

Summary of Investigation

  1. The complainant advised our Office that in 2013, while shopping at a retail store, his wife was approached by a representative of the service provider offering to upgrade her credit card. When the representative asked the complainant’s wife for her husband’s (the complainant’s) name and date of birth, she was told that it was for “verification purposes”.
  2. About one week later, the complainant received a new credit card issued by the service provider, with his name on it. However, the envelope containing the card was addressed to his wife. When his wife tried to cancel the card, she was informed she could not as it was opened under his name. The complainant also confirmed with a credit bureau that his credit had been checked by the service provider a few days before.
  3. The complainant and his wife raised the issue directly with the service provider. In reviewing the information provided to them by the service provider, they alleged that the copy of the application which the service provider produced was not the application the complainant’s wife had signed. In addition, the application had information about the complainant’s health card, which neither the complainant nor his wife had provided to the service provider.
  4. The complainant remained concerned that the service provider; (i) checked his credit without consent;  (ii) authorized a credit card in his name based on incorrect information;  (iii) used his health card information and; (iv) that it did not have adequate procedures and policies in place to safeguard his information.
  5. The service provider advised the complainant that the electronic copy of the application form that was provided to him is the only form it has on file as it securely disposes of the paper copies once they are scanned into the system.
  6. The service provider also advised that the representative in question did not follow the service provider procedures and fraudulently completed a credit card application in the complainant’s name and that, as a result, disciplinary measures were taken vis-à-vis the representative. The service provider advised the complainant that it had cancelled the credit card and removed the credit inquiry from his credit report.
  7. The service provider also offered free credit monitoring for a year to the complainant and his wife along with financial compensation, however both these offers were refused by the complainant.
  8. The service provider further explained to our Office that the process used by the service provider to solicit credit cards involves the use of a third-party “interceptor”. This interceptor (representative) is a fully trained third-party representative of the service provider who is retained to provide in-store solicitation of potential customers for credit cards and other products.
  9. The service provider advised our Office that it has procedures in place to audit representatives for adherence to its policies and procedures for the solicitation of credit card applications. In particular, it regularly audits representatives to ensure they are following the service provider’s standards, handing out proper materials and disclosure documentation, and to ensure that representatives are not making misleading or fraudulent claims. This program also includes a remediation process in case any issues are identified.
  10. The service provider advised that if all the required fields of an application are completed by the representative, the application is processed through the adjudication system and is either approved or declined pursuant to the service provider’s credit granting approaches. Once the application is sent for processing, the system is not able to discern a discrepancy between the name on the application and the signature. It is for this reason that the application, which was submitted fraudulently in the complainant’s name, was adjudicated even though it did not bear his signature.
  11. The service provider advised that currently representatives are neither allowed nor capable of upgrading a customer to a different credit card product. After investigating the incident, the service provider concluded that the representative fraudulently submitted a credit card application bearing the name of the complainant in contravention of the service provider’s protocol.
  12. The service provider does not know how the representative was able to gain the complainant’s health card information if it had not been provided to the representative by the complainant’s wife.  The service provider confirmed that it did not have the complainant’s health card information on file prior to the submission of the application in question.
  13. The service provider advised that as a result of this incident, it has taken the following steps:
    1. It took disciplinary measures vis-à-vis the representative involved in this incident;
    2. It has decommissioned the use of paper applications so that representatives are now required to use tablets to facilitate credit card applications;
    3. Representatives must submit applications electronically and do not have the ability to change applications once they are submitted.
  14. The service provider advised that the use of the electronic tablet has resulted in a lower incidence of representative fraud or error as the tablet enables the prospective customer to review their information before signing on it. In addition, the tablet has improved the service provider’s tracking and retrieval of applications.

Application

  1. In making our determinations, we applied Principles 4.3, 4.7 and 4.7.1 of Schedule 1 of the Act.
  2. Principle 4.3 provides that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
  3. Principle 4.7 states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 states that the security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification, and that organizations must protect personal information regardless of the format in which it is held.

Findings

  1. At issue is whether the service provider obtained the complainant’s consent before it collected, used and disclosed the complainant’s personal information from a credit reporting agency and issued a credit card in his name. Principle 4.3 requires the knowledge and consent of the individual for the collection, use, or disclosure of personal information, except where inappropriate.
  2. The facts demonstrate that the service provider obtained access to the complainant’s credit history as held by a credit reporting agency. The type of access was a “hard pull”Footnote 1 and it elicited the complainant’s personal information. As a result, a credit card was issued to him, which he had not requested.
  3. The service provider conducted an internal investigation upon receiving the complaint and admitted that its representative had breached the complainant’s privacy. The service provider explained that although it has procedures in place to audit representatives for adherence with its policies and procedures, this representative did not follow the service provider’s procedures and protocols, namely that of obtaining consent from the individual whose credit was being checked before a credit application is processed.
  4. The respondent, in obtaining a credit bureau report relating to the complainant without his consent, contravened Principle 4.3.
  5. In keeping with Principles 4.7 and 4.7.1, our investigation determined that the service provider has policies and procedures in place that ensure its third party representatives receive privacy training.  This training includes information about the following: (i) the meaning of “personal information”; (ii) relevant privacy legislation; (iii) the representative’s responsibility when collecting personal information; and (iv) how to safeguard personal information.
  6. Notwithstanding these policies and procedures, the representative was able to complete an application for a credit card on behalf of the complainant without his knowledge. This practice was facilitated by the use of a paper application which was easily falsified by the representative.  As a result, the representative wrongfully used the complainant’s personal information to issue him a credit card he did not request, thus contravening not only Principles 4.7 and 4.7.1, but the service provider’s policies and agreements.
  7. Prior to our Office’s intervention, the service provider responded to the complainant and cancelled the credit card and removed the credit inquiry from the complainant’s credit bureau. The service provider also offered free credit monitoring for a year to the complainant and his wife along with monetary compensation.
  8. The service provider also implemented the use of electronic application submissions, which they allege have resulted in lower incidence of representative fraud or error, in addition to improving the service provider’s tracking and retrieval of applications.
  9. The service provider verified how the incident occurred and took additional measures to prevent recurrence, which included disciplinary action in respect to the representative and the implementation of an electronic application process. In our view, we consider the matter resolved.

Conclusion

Accordingly, we conclude that the matter is well-founded and resolved.

Footnotes

 

Date modified: