Decision # 129

Commissioner’s reasons for decision

(Financial Consumer Agency of Canada Act (Act) subsection 23(2))

This decision deals with two separate cases of disclosure by the Bank subject to the Disclosure of Charges (Banks) Regulations (Regulations).

In March 2017, the Deputy Commissioner of the Financial Consumer Agency of Canada (FCAC) issued a Notice of Violation to the Bank pursuant to subsection 22(2) of the Financial Consumer Agency of Canada Act (FCAC Act). The Notice of Violation states that the Deputy Commissioner has reasonable grounds to believe that the Bank committed two violations:

1. By failing to disclose to its customers and to the public all charges applicable to personal deposit accounts by means of a written statement, contrary to section 3 of the Regulations; and
2. By failing to disclose to its commercial account holders by way of written statement all charges applicable to the services listed in paragraphs 5(1)(a) through (r) of the Regulations and which were provided by the Bank, contrary to subsection 5(1) of said Regulations.

The Deputy Commissioner proposed a penalty of $75,000 for the violation of section 3 of the Regulations and a penalty of $25,000 for the violation of subsection 5(1) of the Regulations, for a total proposed penalty of $100,000.

I address each case separately, drawing from the relevant facts and evidence contained in the February 2017 FCAC compliance report, the Notice of Violation and the Bank’s representations dated April 2017 (Representations). My findings on the issue of naming are set out at the end of the decision and conclude this matter.

Having duly reviewed the file before me, including the Representations made by the Bank, I conclude that, on a balance of probabilities, the Bank committed the two violations set out in the Notice of Violation. In addition, I accept the total penalty of $100,000 proposed by the Deputy Commissioner. My reasons follow.

Violation of section 3 of the Regulations

Factual background

Further to introducing a new system (System) on [text omitted], the Bank charged certain of its customers fees that were not consistent with the information disclosed in the Bank’s [text omitted] statement of disclosure (SoD).

Two errors impacted the [text omitted] sent through the System, resulting in fees being calculated and charged in amounts different (higher and lower) from those disclosed in the SoD.

The issue was first raised by a customer in July 2015. The Bank made several attempts to address the problem without success. The Bank anticipated that an upgrade scheduled for April 2017, would address the issue conclusively. 

Analysis and Conclusions

In general, the breach of a consumer provision subjects a regulated institution to strict liability such that it can be found in violation, in accordance with the Act, absent a defence to excuse the non-compliance.

Section 3 of the Regulations sets out the following clear requirement: 

In its Representations, the Bank has requested that I set aside the findings of violation and consider the Bank’s active steps to remediate its overcharged customers, as well as the specific measures implemented since 2014 to enhance the Bank’s overall compliance framework and internal controls. At the same time, I note that the issue was brought to the Bank’s attention through a customer complaint rather than through its internal controls. Further, it took over four years before the problem was detected and, as acknowledged by the Bank, it still remained unresolved as at the date of the Notice of Violation, namely March 2017. The Bank reported that a total of [text omitted] customers had been overcharged a total amount of $584,808.98. The Bank has successfully processed, or is on schedule to process, a refund to substantially all of these customers. However, this number includes only those customers who were overcharged fees. It is not clear why customers who were undercharged—and therefore impacted by the incorrect disclosure—have yet to be accounted for.

Ultimately, the Bank has provided no new evidence in its Representations to substantially affect the analysis of the breach to section 3 of the Regulations relating to the System errors, or a defence for excusing its non-compliance. The various measures implemented since 2014 do demonstrate that the Bank is working to improve its compliance framework and internal controls. However, I would suggest that more needs to be done. Based on the evidence before me, I conclude on a balance of probabilities that the Bank has committed the violation in question.

Turning to the issue of the penalty proposed, I have considered the Deputy Commissioner’s analysis under section 20 of the Act, and agree that it is the responsibility of the Bank to conduct adequate cyclical reviews and performance testing of systems to ensure compliance. I am concerned that the Bank was unable to quickly detect and conclusively address the breach in this case. On the degree of harm, I would also note that the number of impacted consumers is greater than those who were overcharged. The Bank has stated that it greatly values the importance of providing accurate and complete disclosure of information to its customers. I would have therefore expected the Bank to have more accurately reported the number of affected customers to FCAC. In light of these points, a more significant penalty could have been considered. That said, I am bound by the choices set out in subsection 23(2) of the Act and see no basis for lowering the amount proposed. I am satisfied that the Bank has committed the violation in question and accordingly, the penalty proposed for this violation remains at $75,000.

Violation of subsection 5(1) of the Regulations

Factual background

In 2008, the Bank made changes to its system, which caused billing errors for certain commercial customers who used the Bank’s internet banking solution. The errors were prompted by a logic flaw contained in the release and detected by way of a complaint received from a commercial customer in 2015.

On investigation, the Bank found that [text omitted] commercial customers had been overcharged monthly account fees from 2009 to 2016, as a result of the billing errors. The Bank indicated that no instances of overcharging were identified prior to this period.

A permanent system fix was implemented in 2016, and the amount of $683,542 was reimbursed to affected customers. In some cases, the Bank also sent customers a written apology.

Analysis and Conclusions

Subsection 5(1) of the Act provides as follows:

In its Representations, the Bank does not dispute the breach of subsection 5(1) of the Regulations or provides new evidence to affect the analysis relating to same. Rather, it confirms that the overcharged amounts were not intended to overcompensate and also notes that the majority of the commercial customers affected were large, sophisticated organizations, whose dealings with the Bank had been extensive. As I understand it, the Bank relies on this argument as a mitigating factor and suggests that the harm done should be assessed as low.

While I accept the Bank’s evidence on its lack of intention for the breach, I am not persuaded that the Bank Act provides a basis for considering the harm done to customers that are sophisticated, large and have extensive dealings with their bank as less significant in such circumstances. Customers and the public are entitled to accurate disclosure and to be billed correctly no matter their profile.

Having regard to the record before me, I am satisfied that the Bank has committed the violation in question on a balance of probabilities. I also impose the penalty of $25,000—as proposed in the Notice of Violation—as I do not agree with the Bank’s arguments relating to the harm done in this case.

Publication

The last issue for decision is whether to make public the name of the Bank. In general, a number of factors are considered in the exercise of my discretion under section 31 of the Act, including the egregiousness of the financial institution’s actions or inactions, its willingness to assume responsibility for the breach and to compensate the affected consumers, the impact of the breach on consumers and on consumer confidence, and the deterrence effect. I also look at the degree of collaboration shown to FCAC throughout the investigative process and the regulated entity’s commitment to improving its management of risks against future breaches.  

In its Representations, the Bank requests that it not be named on the basis there is a risk of significant damage to its reputation. The Bank argues that the perception in the eyes of its existing and prospective customers and business partners is crucial to the sustainable operation of its business and notes that it relies greatly on the public trust and its reputation in the financial marketplace. It considers that it took active steps to investigate the customer-reported deficiencies, collaborated throughout FCAC’s investigative process and took full responsibility for the breaches, including through careful remedial measures and monetary compensation.

I accept the Bank’s argument that it relies greatly on its public trust and reputation in the financial marketplace, and find that this proceeding serves as sufficient deterrence to motivate the Bank to bolster its efforts to deliver more properly on its stated commitment to having a robust and effective compliance program. For these reasons, I conclude that it is appropriate to not make public the Bank’s name in relation to the two violations in this case. However, I expect further non-compliance by the Bank to attract a less favourable result in the future, as I will have a basis to question its assertions with respect to the value and the importance it places on its compliance obligations.  

As indicated in the cover letter to the Notice of Violation, there will be a formal Compliance Agreement to ensure the Bank is completely successful in its effort to fully comply with the legislative requirements.

August 31, 2017

Lucie M.A. Tedesco
Commissioner
Financial Consumer Agency of Canada