Commissioner’s decision and reasons
1. By notice of violation issued on October 25, 2019, (Notice of Violation) in accordance with subsection 22(2) of the Financial Consumer Agency of Canada Act (Act), staff of the Supervision and Enforcement Branch of the Financial Consumer Agency of Canada (FCAC Staff) allege that Rogers Bank (or Bank) committed two violations of the Negative Option Billing Regulations (Regulations) in relation to sales of credit cards.
2. Banks are required by the Regulations to obtain a customer’s express consent, either orally or in writing, before providing a credit card. If consent is given orally, banks are required to provide the customer with confirmation in writing, without delay,Footnote 1 of the customer’s express consent for the new credit card.
3. In the Notice of Violation, and as discussed more fully in the compliance report issued on October 23, 2019 and attached to the Notice of Violation (Compliance Report), FCAC Staff allege the Bank failed to:
i. obtain express consent before providing customers with credit cards in accordance with subsection 3(1) of the Regulations from October 2014 to February 2018 (violation 1); and
ii. provide customers written confirmation when consent to receive credit cards was provided orally in accordance with subsection 3(2) of the Regulations from October 2013 to February 2019 (violation 2).
4. The amount of the penalties proposed are $175,000 for violation 1 and $75,000 for violation 2.
5. In its written representations dated November 21, 2019 (Representations), the Bank does not question the appropriateness and level of the proposed penalty amounts. However, the Bank objects to its name being made public in this decision.
6. Given the Bank’s Representations and the fact that it has not paid the proposed penalties, the issues for decision in this case are whether to (i) find that violations have occurred as alleged in the Notice of Violation; (ii) impose the penalty amounts proposed, lesser amounts or no penalty; and (iii) make public the name of the Bank.
7. I have considered the record before me, namely the Compliance Report, the Notice of Violation and the Representations. I have determined, on a balance of probabilities, that the violations occurred as alleged. I have identified no reason to reduce the amount of the penalties proposed in the Notice of Violation and find that they are appropriate in the circumstances, therefore, they stand as proposed. I have also decided that making the name of the Bank public in this case would be appropriate. My reasons follow.
8. During the relevant period of time, the Regulations stated:
Consent for New Products or Services
3(1) Before providing a person with a new primary financial or optional product or service, an institution must first obtain the person’s express consent to do so, either orally or in writing.
(2) If the consent is provided orally, the institution must provide the person without delay with confirmation in writing of their express consent for the new product or service.
(3) The use by the person of the new product or service, or any product or service related to the new product or service, does not constitute express consent for the purpose of subsection (1).
(4) Any communication from an institution seeking a person’s express consent must be made in language, and presented in a manner, that is clear, simple and not misleading.
9. As part of its regular supervisory activities, in May 2017, FCAC requested complaint information from Rogers Bank relating to express consent for credit cards for the period April 1, 2015 to March 31, 2017. Rogers Bank received applications for credit cards through multiple channels during this period. The Notice of Violation relates to sales through all channels (in-store, call centres, third-party interceptors) except online applications.
10. FCAC Staff reviewed the 525 reportable complaintFootnote 2 summary reports submitted by Rogers Bank and found that 481 of these related to a lack of express consent. FCAC Staff also performed a more detailed review of 110 of these complaints, including reviewing call recordings, which confirmed that in 96 out of 110 complaints reviewed express consent was not obtained as required.
11. In addition, FCAC Staff reviewed a sample of calls unrelated to the reportable complaints where the customer cancelled the credit card prior to activation. It is FCAC Staff’s view that cancelling before activation may be an indication of a lack of express consent. In its review of 209 of these call recordings, FCAC Staff found that there was evidence that express consent had not been obtained in approximately 20% of the calls sampled. Reasons for cancellation included that the customer had no knowledge of applying for a card, was surprised by receiving a card statement or never wanted that card.
12. FCAC Staff also reviewed Rogers Bank’s control and monitoring activities, including call centre call monitoring, mystery shops and audio recordings of third-party interceptors. The analysis of the results of these monitoring activities also revealed relatively high incidents of non-compliance with express consent ranging from 11%–24% of the total samples.
13. FCAC Staff found deficiencies in Rogers Bank’s policies and procedures, training, and documentation. In the view of FCAC Staff, the control framework was insufficient to ascertain the full scope of non-compliance, resulting in the conclusion that additional, undetected, instances of failure to obtain express consent were probable.
14. FCAC Staff also reviewed the documents Rogers Bank sent to each new credit card customer. These consisted of a welcome email and a welcome kit that was sent in the mail. FCAC Staff found the wording of these communications to be inadequate to confirm express consent when given orally. These communications referred to the credit card being approved rather than confirming that the customer expressly consented to receiving the credit card, as required by the Regulations.
15. As a result of the investigation findings and the deficiencies in the control framework summarized in the preceding paragraphs, FCAC Staff concluded that there were reasonable grounds to believe that Rogers Bank had breached the Regulations. FCAC Staff established the timeframe for the violations as October 2014 to February 2018 for violation 1 and October 2013 to February 2019 for violation 2.
16. In its Representations, Rogers Bank does not dispute the findings of FCAC Staff and takes responsibility for any deficiencies that resulted in the specific violations set out in the Notice of Violation. However, Rogers Bank does dispute the inference drawn by FCAC Staff of the likelihood of additional potentially affected customers. In the Bank’s view, this assertion exaggerates the harm caused by the violations.
17. Finally, the Bank objects to the publication of its name in this case on the grounds of potential reputational damage.
Analysis and conclusions
18. I have reviewed the record before me, comprising the Notice of Violation, the Compliance Report, and the Representations.
19. As the alleged breaches are not in dispute, and the record supports the allegations, I find that on a balance of probabilities violations 1 and 2 occurred as alleged in the Notice of Violation.
20. In considering the penalty amounts proposed for the violations, the issue for decision is whether to impose the penalty amounts proposed, a lesser penalty amount or no penalty. The relevant criteria to consider are set out in section 20 of the Act, namely the degree of intent or negligence, the harm done, and the Bank’s history of prior violations.
21. In its Representations, Rogers Bank does not question the penalty amounts proposed by FCAC Staff, however the Bank challenges the level of harm FCAC Staff has attributed to the violations.
22. With regard to the degree of intent or negligence, FCAC Staff point to the fact that appropriate controls were not in place at the time Rogers Bank started providing credit cards in 2013 and that, even when controls were put in place over time, its monitoring activities were ineffective in identifying and remediating instances of non-compliance leading to the breach identified in violation 1.
23. For violation 2, FCAC Staff asserts that Rogers Bank was negligent in meeting its regulatory duties. It did not self-identify the lack of compliance in the wording of its welcome messages, raising concerns about how the Bank creates and monitors its regulatory disclosure documents.
24. Both Rogers Bank and FCAC Staff highlight the enhancements identified by the Bank during the course of the investigation and the multiple improvements to the control framework that were put in place or planned between 2017 and 2019. As of June 2019, the welcome messages were compliant with appropriate language to confirm express consent.
25. In addition, Rogers Bank committed to entering into a compliance agreement with FCAC. A compliance agreement will allow a close oversight of Rogers Bank to ensure they continue to take the appropriate corrective actions to address the issues identified by FCAC Staff.
26. A precise quantification of the number of customers affected and the amount of harm resulting from the violations is not possible. The documentation made available by Rogers Bank does not allow for a complete or exact analysis.
27. FCAC Staff assert that all of the Bank’s credit card accounts sold through these channels (approximately [text omitted]) were potentially affected by the lack of consent which resulted in violation 1 and the improper disclosure which resulted in violation 2. FCAC Staff points to the deficiencies in the Bank’s data collection and controls as factors in this conclusion.
28. Rogers Bank calls this conclusion an ‘evidentiary leap’ that inflates the estimation of harm. I acknowledge this concern; however, it is clear from the analysis of the complaints, cancellations before activation, mystery shopping and call monitoring that the instances of non-compliance were not isolated and ranged from 11%-87% of the samples examined. Therefore, even a more conservative estimate of the number of customers likely affected would remain in the tens of thousands.
29. Rogers Bank also asserts that no customer suffered direct financial harm as remediation measures (closing accounts, refunding fees, removing credit bureau impact) were put in place. This narrow interpretation of harm is not in keeping with the purpose of the Regulations. The requirement to obtain express consent is not only in the best interest of the customer in order to allow them to make informed financial decisions, but any product provided without express consent is, in and of itself, evidence of harm as the customer’s rights have not been respected.
30. The complaint comments reveal the level of concern of those customers whose express consent was not obtained, and the negative impact on their confidence in the Bank as a result of the experience. In addition, it is likely that some affected customers did not take action to cancel or complain and did experience negative consequences as a result of having been provided a product they did not authorize.
31. The deficiencies which resulted in the violations were longstanding and not self-identified. Rogers Bank’s compliance history with FCAC reveals no previous violations in the past five years.
32. In light of the above analysis of the relevant criteria, I have found no reason to reduce the proposed penalty amounts and find them appropriate to encourage compliance. Therefore, the penalty amounts for violations 1 and 2 stand as proposed.
33. Rogers Bank objects to the exercise of my discretion to make public the name of the Bank in this decision. In the view of the Bank, the publication of its name would have a damaging effect on its reputation, its parent’s reputation, customer confidence and its future success.
34. In addition, Rogers Bank asserts that given its view of a lesser degree of harm than was alleged by FCAC Staff, publication is not necessary, in addition to the penalty amounts and compliance agreement, to promote compliance.
35. I have considered the Bank’s Representations relative to this issue and have addressed their submissions regarding the degree of harm. I agree that entering a compliance agreement with FCAC will be an important factor in improving the Bank’s compliance capability.
36. However, it is my view that publication would serve to encourage Rogers Bank to continue to commit to its program of compliance improvement and thereby enhance its ability to prevent and detect future non-compliance. I note that while Rogers Bank was responsive to FCAC during the investigation, it did not self-identify these longstanding issues and the lack of data from the Bank hampered a clear determination of the true scale of the violations.
37. I am also of the view that any potential negative impact on the Bank’s reputation is outweighed by the positive impact on consumer confidence in Canada’s regulatory oversight of consumer protection and the banking system.
38. As a general deterrent, publication will also serve to increase the understanding of the importance of the requirement for express consent within the financial community and amongst consumers.
39. Therefore, I conclude that it is appropriate to exercise my discretion in this case to make public the name of the Bank together with the nature of the violations and the penalty amounts.
Judith N. Robertson
Financial Consumer Agency of Canada
Ottawa, March 31, 2021
- Date modified: