Decision #106

(Canadian Code of Practice for Consumer Debit Card Services)

Subsection 5(5) (Liability for Loss)

(Invalid PIN attempts and suspicious transactions)

(FCAC Act ss. 3(2)(c) and 5(3))

This is a decision under the Canadian Code of Practice for Consumer Debit Card Services (Debit Card Code).

In June 2007, the Financial Consumer Agency of Canada (FCAC) received a complaint from a customer of the Bank who claimed that she was being held responsible for unauthorized debit card transactions.

Paragraph 3(2)(c) of the Financial Consumer Agency of Canada Act sets out that FCAC will monitor the implementation of voluntary codes of conduct that are designed to protect the interests of customers of financial institutions, that have been adopted by financial institutions and that are publicly available, and to monitor any public commitments made by financial institutions that are designed to protect the interests of their customers.

As a member of the Canadian Bankers Association (CBA), the Bank committed to the application of the Debit Card Code, which provides a level of customer protection. Therefore, when FCAC receives a complaint that may fall within the scope of the Debit Card Code, we will review the facts of the case to determine the level of compliance. When a debit card is issued, the Debit Card Code outlines cardholder's and card issuer's responsibility and liability.

In May 2007, the complainant's spouse contacted his branch to advise the Bank that he had been a victim of debit card fraud. The consumer completed the Bank's fraud investigation form, thereby confirming that his card was in his possession and that his personal identification number (PIN) had never been shared with anyone or recorded anywhere. A total of $1310.21 in unauthorized transactions was processed through his account during May 2007.

The Bank initially notified the cardholder verbally in June 2007 of its decision to hold him responsible for the unauthorized transactions. In a letter to the cardholder, the Bank explained that the cardholder was liable for the disputed transactions given that the bank was unable to find any indication that the banking card was compromised. The customer's request for reimbursement of the funds was consequently declined.

However, the customer disagreed with the Bank's decision and escalated his concern. A subsequent investigation was conducted at which time a point of compromise was discovered by the Bank. In June 2007, the Bank revised its decision and reimbursed the customer the total amount of the disputed transactions.

The Bank later indicated to FCAC that its initial investigation showed no known points of compromise and no invalid PIN attempts to access the cardholder's account, concluding that the perpetrator was able to retrieve the customer's PIN without difficulty. The Bank claimed that it was reasonable to conclude that the card and PIN were not kept secured by the customer.

By a letter dated July 2009, the Director of the Compliance and Enforcement Branch (CEB) of the FCAC advised the Bank of a finding of non-compliance with the Debit Card Code.

The CEB noted concerns regarding the Bank's investigative procedures:

Specifically, when adjudicating a "pay no pay" decision on a fraud claim the analysis of invalid PIN attempts notes that: "If there are no invalid PIN attempts, the PIN was likely stolen with the card". This is contrary to the Debit Card Code.

We are concerned with the impact this analysis has on consumers. In this case the bank based its initial decision on the fact that there were no invalid PIN attempts and no known points of compromise. In actuality, only after the consumer elevated the concern..., did the bank determine that a point of compromise was discovered and that there were invalid PIN attempts. We encourage the bank to review and amend its dispute transaction investigation process.

In accordance with the FCAC's administrative procedures, if a financial institution disagrees with the conclusions reached by the CEB in determining non-compliance with a code of conduct, the matter will be referred to me for final review. Under the Financial Consumer Agency of Canada Act, conclusions of non-compliance with codes of conduct and public commitments result only in the administrative finding of non-compliance; there are no enforcement measures or penalties under the Act.

I have reviewed the contents of the case file including the non-compliance with a code of conduct letter from the Director, CEB dated July 2009, the Bank's reply to that letter dated August 2009, the Bank's letter of October 2009 and the Debit Card Code that was applied.

The Debit Card Code is considered to be a code of conduct pursuant to paragraph 3(2)(c) of the Act and the CEB of FCAC has reviewed the matter pursuant to subsection 5(3) of the Act.

In considering the Bank's representations, I was not satisfied that the information provided demonstrated that the Bank performed a thorough investigation in this case. It is my view that the representations highlight a breakdown of communication between the fraud investigation group, the branch involved and the Bank's compliance group and, equally importantly, a communication breakdown with CEB. Moreover, I was particularly concerned that there may be similar situations where fulsome information was not being provided and consumers have been held liable for fraudulent transactions.

As I had no evidence that the process followed in this case was an anomaly, I requested that CEB officials visit with the Bank in October 2009 to discuss my concerns. My officials assure me that the Bank has good overall processes in place and this case represents an isolated instance where a poor decision was made in the initial investigation. Furthermore, I have reviewed and am satisfied with the Bank's letter dated October 2009 which details the steps taken to ensure complete and thorough investigation of all customer complaints of possible debit card fraud going forward.

Please note that the file has been closed with the conclusion of non-compliance.

Ursula Menke


December 2009

Page details

Date modified: