Decision #117

From: Financial Consumer Agency of Canada

Commissioner's Reasons for Decision

Canadian Code of Practice for Consumer Debit Card Services

Sections 5 and 6 (Liability for loss for unauthorized use of a card and PIN)

Subsection 3(2)(c) and 5(3) of the Financial Consumer Agency of Canada Act

This is a decision under the Canadian Code of Practice for Consumer Debit Card Services (the Code).

Further to the Financial Consumer Agency of Canada (FCAC) Compliance Framework, I have reviewed the non-compliance letter sent to the bank by the Director, Compliance and Enforcement Branch (CEB) regarding the bank's non-compliance with the Code, along with the bank's written representations (representations) in reaching the following decision.

Background

In April, 2011, the FCAC received a complaint from a consumer (also referred to as the "cardholder" or "customer") regarding liability for an unauthorized transaction on her debit card.

The customer claimed that in March, 2011, after she used her debit card at a convenience store, she was approached by two individuals and, in the process of interacting with them, her wallet was stolen by a third person. Within 15 minutes of her wallet being stolen, the consumer reported the theft of her debit card to her branch. Following this report, the bank found that, within the time between the theft of the card and the consumer reporting the incident to the bank, a $401.50 debit was completed with the client's original debit card (a chip card) upon first attempt with the correct personal identification number (PIN).

The consumer was subsequently informed by the bank that she would be held liable for the charge, because the transaction occurred using the customer's chip card with the PIN entered correctly on the first try, indicating that she must not have taken the necessary precautions to protect her debit card PIN. The consumer disputed the bank's finding since she believed she had been "shoulder-surfed" on the day of the transaction in question.

Applicable provisions

Pursuant to subsection 5(1) of the Financial Consumer Agency of Canada (the Act), the Commissioner is mandated to examine and inquire into all matters connected with the administration of the Act, including, with respect to the objects set out in paragraph 3(2)(c), the monitoring of the implementation of voluntary codes of conduct designed to protect the interests of consumers of financial institutions that have been adopted by financial institutions and that are publicly available.

The Code has been endorsed by the bank as a member of the Canadian Bankers Association. The relevant portions of the Code state as follows:

"5. Liability for Loss

The interpretation guide for this section is in Appendix A.

...

3. Cardholders are not liable for losses resulting from circumstances beyond their control. Such circumstances include, but are not limited to:

a. technical problems, card issuer errors, and other system malfunctions;

b. unauthorized use of a card and PIN where the issuer is responsible for preventing such use, for example after:

the card has been reported lost or stolen;

the card is cancelled or expired; or

the cardholder has reported that the PIN may be known to someone other than the cardholder; and

c. unauthorized use, where the cardholder has unintentionally contributed to such use, provided the cardholder co-operates in any subsequent investigation.

...

4. In all other cases, when a cardholder contributes to unauthorized use, the cardholder will be liable for the resulting loss...

5. A cardholder contributes to unauthorized use by

a. voluntarily disclosing the PIN, including writing the PIN on the card, or keeping a poorly disguised written record of the PIN in proximity with the card;

b. failing to notify the issuer, within a reasonable time, that the card has been lost, stolen or misused, or that the PIN may have become known to someone other than the cardholder.

...

6. In the event that the results of an investigation determines that not all the funds will be reimbursed to the cardholder, the PIN issuer is responsible for showing that, on the balance of probabilities, the cardholder contributed to the unauthorized use of the card, subject to section 5 of this Code."

In addition, Appendix A to the Code, "Guide to the Interpretation of Section 5: Liability for Loss", (the Guide) states in relation to Section 5, Clause 5 (above) that:

Cardholders are not considered to have disclosed the PIN "voluntarily" if the PIN is obtained by coercion, trickery, force or intimidation.

This includes situations where the customer's PIN is observed at point-of-sale terminals.

CEB findings

As set out in the non-compliance letter, CEB concluded that the bank did not, as per the Code, demonstrate on the balance of probabilities that the consumer contributed to the unauthorized use of the card before holding the consumer responsible for the transaction. Rather, CEB found that the bank based its decision to hold the consumer responsible for the transaction on the fact that the PIN for the chip card was entered correctly on the first attempt.  The bank did not consider that the cardholder did not disclose her PIN voluntarily, or that the PIN was most likely obtained through some action of trickery—which the Guide states includes situations where the customer's PIN is observed at point-of-sale terminals (i.e. "shoulder surfing").  The bank confirmed this position in response to FCAC's investigation enquiry following the consumer's lodging of the complaint with FCAC. CEB concluded that the bank was non-compliant with the Code.

The non-compliance letter also raised the concern that the bank appears to take a systemic approach to holding cardholders liable for unauthorized debit card transactions when a CHIP card is used on first attempt, rather than undertaking a full investigation and considering all elements of the Code in light of a particular situation. The bank was asked to review its policies and procedures governing its processes for examining consumer claims of unauthorized debit transactions and for assessing liability for loss to ensure all of the elements of the Code and the Guide are adequately referenced and considered.

The bank's representations

In its representations, the bank accepted FCAC's findings of non-compliance.  It submitted that the customer was fully reimbursed for the unauthorized transaction before CEB engaged the bank to investigate the customer's complaint.  The bank stated that it agreed with FCAC's conclusion that, although the customer advised the branch that she may have been "shoulder surfed," this did not provide evidence that the customer voluntarily disclosed her PIN to a third party.  The bank agreed that, on a balance of probabilities, the customer did not contribute to the unauthorized use of her debit card and that the customer's request for reimbursement should not have been declined.

The bank also attached excerpts from its [internal policy].

The bank submits that the branch in question did not follow the bank's internal policy in this case.  In such situations, the bank's internal policy required that the bank prove that, on the balance of probabilities, the customer contributed to the unauthorized use and that the [decision] to decline the customer's request be [approved by regional management].  In response to CEB's concern that the bank appears to take a systemic approach to holding cardholders liable for unauthorized debit card transactions when a CHIP card is used on first attempt, the bank submits that while such information would be an important consideration in the investigation, all situations are investigated on a case-by-case basis.

The bank confirmed that it has made management aware of the issue and has initiated a review of its internal policy.  Following the review, the bank will communicate with front-end employees to remind them of the importance of the policy and to convey any changes made.

Analysis

In order to comply with the Code, when investigating whether there has been unauthorized use of a debit card, the PIN issuer must examine whether the cardholder has contributed to unauthorized use by carrying out the activities set out in Section 5, Clause 5 of the Code, including "voluntarily disclosing the PIN."  As the Guide states, cardholders are not considered to have disclosed the PIN voluntarily if the PIN is obtained by coercion, trickery, force or intimidation, including situations where the customer's PIN is observed at point-of-sale terminals.  Moreover, if there is a decision following an investigation not to reimburse the cardholder, the PIN issuer is responsible for showing that, on the balance of probabilities, the cardholder contributed to the unauthorized use of the card.

Here, I accept the conclusions of CEB, as conceded by the bank, that the bank's decision to hold the cardholder responsible was not based on a demonstration that on a balance of probabilities the cardholder contributed to the transaction as required by the Code. Here, the consumer immediately notified the bank of the theft of her debit card and that she believed she was "shoulder-surfed" immediately prior to her debit card being stolen, and cooperated with the bank's investigation.

The fact that the consumer's PIN for her chip card was entered correctly on the first attempt is not sufficient to establish that the cardholder contributed to the unauthorized use of the card—particularly in cases like this one, where the bank does not refute the cardholder's claim that the PIN was not disclosed voluntarily.  Therefore, I agree with CEB's conclusions, as conceded to by the bank, that the bank's decision to hold the cardholder responsible for the unauthorized transaction was not in compliance with the Code.

Finally, while I accept that the branch failed to follow the bank's internal policy in this case, I agree with CEB's concern that the bank's initial response to FCAC's enquiry demonstrates a systemic approach to holding cardholders liable for unauthorized debit card transactions when a CHIP card is used on first attempt.  On enquiry by FCAC, the bank initially confirmed the branch's findings: that on the balance of probabilities, the cardholder contributed to the unauthorized use of the card and must have been careless in the protection of her PIN and card. The bank reasoned that the disputed transaction with the CHIP card was completed on the first attempt, and the card holder admitted that she was "shoulder surfed. "The bank's position indicates that beyond the level of the particular branch, it interprets its internal policy in the same way as the branch and that, in applying its internal policy, it was not considering all of the elements of the Code in light of the circumstances of the case.

Given these concerns, in order to ensure that similar situations are avoided in the future, I request that the bank review its internal policy. I also request that the bank follow up with all employees involved in unauthorized debit transaction investigations to ensure that the assessment of liability for consumer claims in relation to unauthorized debit transactions will be carried out consistent with all elements of the Code. Once this review has been completed, FCAC should be provided with copies of any documentation provided to bank staff.

Conclusion

This file is closed with the conclusion of non-compliance with the Code. This finding does not form part of the bank's compliance history for the purpose of s. 20 of the FCAC Act.

Ottawa, November 5, 2012

Ursula Menke

Commissioner

Financial Consumer Agency of Canada

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: