A short-term lender collects online banking credentials in the course of payday loan applications

PIPEDA Findings #2021-006

March 12, 2021


Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Description

The Ontario Ministry of Government and Consumer Services alerted the OPC that CashHere, a short-term lender, was requesting clients’ online banking passwords, usernames and security questions and answers in the course of payday loan applications. Our Office subsequently commenced a Commissioner Initiated Investigation into the matter.

Takeaways

  • Organizations must collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
  • To determine whether organizations have an appropriate purpose for collection of banking login credentials, we consider the sensitivity of the personal information as well as the factors set out by the courts:
    1. Whether the organization’s purpose represents a legitimate need / bona fide business interest;
    2. Whether the collection, use and disclosure would be effective in meeting the organization’s need;
    3. Whether there are less privacy invasive means of achieving the same ends at comparable cost and with comparable benefits; and
    4. Whether the loss of privacy is proportional to the benefits.
  • It is not appropriate for a lender to collect online banking credentials to validate identity and manage loan repayment. The privacy harms associated with applicants providing lenders with access to their full financial statement history, as well as the unfettered ability to make financial transactions on their accounts, are not proportionate to the commercial benefits for the lender.

Report of findings

Overview

The Ontario Ministry of Government and Consumer Services alerted the OPC that 2124478 Ontario Corporation (“CashHere”), a short-term lender, was requesting clients’ online banking passwords, usernames and security questions and answers in the course of payday loan applications.

Our Office subsequently commenced a Commissioner Initiated Investigation into the matter and determined that CashHere was collecting and using banking login credentials for a purpose that a reasonable person would not consider appropriate. We accept that online banking credentials could be effective in allowing CashHere to address its legitimate need to validate identity and obtain credible and verified income history, in order to make a lending decision and manage loan repayment. However, in our view, there were less privacy invasive means to achieve these purposes, for example, through the collection of redacted hard copy bank statements and employer contact information. Furthermore, the privacy harms associated with applicants providing CashHere with access to their full financial statement history as well as the unfettered ability to make financial transactions on their accounts, are not proportionate to the commercial benefits for CashHere.

During the course of our investigation, CashHere ceased responding to our Office and its website was listed for sale. We discovered, however, that an organization operating under the name MoneyHome had commenced operating under a different website (www.moneyhome.ca), but: (i) with the same online application as that employed by CashHere (requesting banking login credentials); and (ii) listing on its website CashHere’s previous physical address, as well as CashHere’s payday loan license certificate.

Given the above, we suspect that the same entity that was operating CashHere, or a related entity, is now operating under the name MoneyHome, but the latter has denied any connection.

We therefore find this matter to be well-founded, and not resolved.

Background

  1. The Ontario Ministry of Government and Consumer Services alerted the OPC that 2124478 Ontario Corporation (“CashHere”), a short-term lender, was requesting clients’ online banking passwords, usernames and security questions and answers in the course of assessing loan applicants.
  2. CashHere is a company located in Ontario which offers short-term personal loans, commonly referred to as “payday loans”. Individuals could apply for a loan through its website (http://cashhere.ca) via an online form. We note that, at the time of this report’s publication, the website is no longer in operation.
  3. Prior to commencing this investigation, we engaged with CashHere to better understand its practices in this area. CashHere explained to our Office that:
    1. the company was collecting, via its online application form, online bank account number and login credentials (including bank account details, passwords and secret question answers) as well as Social Insurance Number (“SIN”), Ontario Health Card, Driver's license and Date of Birth, in order for clients to be eligible for a loan;
    2. customers could provide the online banking information, on a voluntary basis, as an alternative to providing hard copies of various documents, including a pay slip with the account number; and
    3. it collects such information to verify income and to be able to track down dishonest clients that have not repaid their loan. It also asserted that it was following industry practice in requiring such information.

Complaint

  1. Having been satisfied that there were reasonable grounds to investigate this matter, the Privacy Commissioner of Canada commenced a Commissioner-initiated complaint, under subsection 11(2) of PIPEDA, to consider whether CashHere was:
    1. collecting personal information, and in particular online banking login credentials, for a purpose that a reasonable person would consider appropriate, pursuant to s. 5(3) of the Act; and
    2. collecting more personal information than necessary and whether it was collecting that information via fair and lawful means, pursuant to Principle 4.4 of Schedule 1 of the Act.
  2. During the course of the investigation, we obtained further written and oral representations from the respondent. Early in our investigation, CashHere agreed to modify its practices and forms to make the provision of an applicant’s social insurance number, driver’s license and health card information optional, but indicated its intention to continue collecting banking login credentials, such that we focused our investigation and this report on the appropriateness of its collection and use of those credentials.

Analysis

ISSUE: Whether CashHere had an appropriate purpose for collection of banking login credentials

  1. PIPEDA section 5(3) states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances. This requirement applies to all information collected, used or disclosed by an organization, including information which is collected on an optional basis from individuals (i.e. not as a condition of service), and whether or not the individual has consented to the practice (i.e., consent cannot render an inappropriate practice appropriate).
  2. In accordance with our Office’s Guidance on inappropriate data practices: interpretation and application of subsection 5(3) [Footnote 1], we consider the factors set out by the courts in order to assist in determining whether a reasonable person would find that an organization’s collection, use and disclosure of information is for an appropriate purpose in the circumstances. Specifically, in addition to considering the degree of sensitivity of the personal information at issue, we may consider:
    1. Whether the organization’s purpose represents a legitimate need / bona fide business interest;
    2. Whether the collection, use and disclosure would be effective in meeting the organization’s need;
    3. Whether there are less privacy invasive means of achieving the same ends at comparable cost and with comparable benefits; and
    4. Whether the loss of privacy is proportional to the benefits.

Sensitivity

  1. In this case, CashHere is collecting highly sensitive information, in the form of banking login credentials, which could reveal highly detailed financial information about the borrower, and expose them to fraud or theft of the funds in their bank accounts.

Legitimate Need

  1. We accept that for the services CashHere offers, i.e. short-term loans without credit checks, it had a legitimate need to be able to validate identity and get credible and verified income history information in order to make a lending decision and manage loan repayment.

Effectiveness

  1. CashHere represented, and we accept, that accessing loan applicants’ online banking accounts would be an effective way of validating identity and income history.

Less Privacy Invasive Means

  1. While we accept that CashHere’s stated purpose represents a legitimate need, and that the collection of the loan applicant’s banking credentials was effective in meeting that need, there are clearly less privacy invasive alternatives to verify applicants’ identity and income information, that do not expose the individuals to the risks associated with handing over effectively unfettered online access to their bank accounts.
  2. CashHere itself offered an alternative method for applicants to verify their identity and income. Applicants could choose to provide hard copies of bank statements along with their employer contact information to allow CashHere to review their bank statements and/or to contact their employer to validate their identity and employment history. In our view, this alternative would be much less privacy invasive, in that it would provide the lender with only the information contained in the statement (particularly if it were to allow redactions such that only income information was provided), as opposed to providing access to the applicant’s full financial statement history. It also does not expose the individual to the same risk of theft or fraud.

Proportionality

  1. Furthermore, the loss of privacy from the collection of banking credentials is not proportional to the benefit gained.
  2. CashHere claims that it is able to more efficiently process a loan application because it can access an individual’s banking information directly online more quickly than relying on the individual to provide copies of bank statements. Given the ability of many individuals to immediately download, take a screenshot and send their bank statements electronically, we question CashHere’s efficiency claims.
  3. CashHere also represented that it may be more likely to approve a loan application based on higher confidence in the validity of the applicant’s income and credit worthiness, although we are not convinced that the provision of bank statements, T4 tax slip, pay stubs, and/or verification of employment from an employer could not achieve the same ends.
  4. In any event, in our view, the loss of privacy from this collection is disproportionate to the benefits cited by CashHere:
    1. The collection of banking login credentials enables unnecessarily broad access to an applicant’s financial information (potentially going back years), compared to a snap shot of a few months that would demonstrate recent income history; and
    2. The collection of banking credentials provides CashHere with the ability, unnecessary to the validation goals described in paragraph 9, to make actual financial transactions in the applicant’s bank account.
  5. CashHere represented to our Office that it does not and would not use applicants’ banking credentials to make transactions, though it did not make this commitment to individuals in a written agreement.
  6. In our view, even if there was a written agreement to this effect between CashHere and the applicant, it would still expose the individual to unacceptable and unnecessary risk, and would not guard against or mitigate the applicant’s liability vis-à-vis their bank if unauthorized transactions were to result – either because of misuse by CashHere or an employee, or as a result of a breach of the organization’s security safeguards.
  7. The Financial Consumer Agency of Canada warns that: “by disclosing their online banking user IDs and passwords to a third party, consumers may breach their financial institutions’ user agreements and be held liable for any losses resulting from unauthorized transactions despite any security measures the third party service may have in place.” [Footnote 2]
  8. Considering the above factors, it is our view that a reasonable person would not consider CashHere’s purposes for collecting and using banking login credentials to be appropriate in the circumstances, even where the applicant provides the information voluntarily.

CashHere and MoneyHome

  1. Our Office attempted to share with CashHere our findings and recommendation that it cease collecting applicants’ banking login credentials. We were, however, unable to reach CashHere. During the course of our investigation, CashHere ceased replying to our correspondence. The website (http://cashhere.ca) is listed as being for sale, although we confirmed that the company was still listed as active in the Ontario registry of Companies.
  2. Upon completion of our investigation, we discovered that a business called MoneyHome appeared, pursuant to the MoneyHome website, to be operating from CashHere’s commercial address. It is also a payday loan company and uses an online form seemingly identical to CashHere’s, collecting online banking login credentials to assess applications. Its website displayed the exact same payday loan license certificate as that for CashHere.
  3. We contacted MoneyHome to confirm its link to CashHere. In response to our inquiry, MoneyHome stated that it had no connections to CashHere and that the address on its website was incorrect due to an error made by their web developer. MoneyHome did not respond when we asked why the payday loan certificate on their website was the same as CashHere’s. We note that this certificate was removed from MoneyHome’s website shortly after our contact. The allegedly incorrect address was later removed.
  4. Given the above, and at the time of the issuance of this Report, although we suspect that the same entity that was operating CashHere, or a related entity, is now operating under the name MoneyHome, representatives for the latter deny any connection.

Conclusion

  1. We therefore find this matter to be well-founded, and not resolved.
  2. We raised this matter, and our concerns as outlined above, with Ontario’s Ministry of Government and Consumer Services, who originally brought the matter to our attention. We note that it has added MoneyHome to its Consumer Beware List. [Footnote 3]
  3. We intend to share our findings with MoneyHome, and publish this report on our website, with a view to informing MoneyHome, and other payday loan organizations, that they should refrain from the practices that are subject to this Report, which have been found to be in contravention of Canada’s Federal privacy law.

Update

We have shared this report with both CashHere and MoneyHome. Neither organization has responded to our Office. We noticed, in June 2021, that the MoneyHome website is now for sale.
