Commissioner’s decision and reasons
1. By notice of violation issued on August 5, 2020 (Notice of Violation), in accordance with s. 22(2) of the Financial Consumer Agency of Canada Act (Act), staff of the Supervision and Enforcement Branch of the Financial Consumer Agency of Canada (FCAC Staff) allege that The Bank of Nova Scotia (Scotiabank or Bank) violated s. 3(1) of the Negative Option Billing Regulations (Regulations) in relation to the provision of products and services.
2. Section 3(1) of the Regulations requires that a bank first obtain a person’s express consent before providing them with a product or service, whether it is a primary or optional product or service.
3. In the Notice of Violation, and as discussed more fully in the compliance report issued on July 8, 2020 and attached to the Notice of Violation (Compliance Report), FCAC Staff allege that from 2014 to 2018 the Bank failed to obtain customers’ express consent before providing them with a credit card, line of credit and/or optional insurance for related products.
4. The amount of the penalty proposed is $80,000.
5. In its written representations dated September 4, 2020 (Representations), the Bank acknowledges that a violation occurred, but that it was limited to the period from February to June 2018. As a result, the Bank disputes FCAC Staff’s assessment of the level of harm and negligence. In addition, the Bank requests that I exercise my discretion and not make its name public in this proceeding.
6. The issues for decision in this case are whether to (i) find that the violation alleged in the Notice of Violation has been committed; (ii) impose the penalty amount proposed, a lesser amount or no penalty; and (iii) make public the name of the Bank.
7. I have considered the record before me, namely the Compliance Report, the Notice of Violation, and the Representations. I find that a violation of the Regulations was committed during the period from February to June 2018. However, I am not satisfied that the imposition of a penalty is appropriate in this case. I have also decided that it would be appropriate to make the name of the Bank public. My reasons follow.
8. The Regulations state:
3(1) Before providing a person with a new primary financial or optional product or service, an institution must first obtain the person’s express consent to do so, either orally or in writing.
9. In May 2018, Scotiabank’s Compliance Monitoring Team found instances where employees at one of the Bank’s Customer Contact Centres were enrolling customers in optional creditor insurance without the customer’s express consent. The Compliance Monitoring Team conducts regular call monitoring of the Customer Contact Centres which provide service support for existing customers and engage in sales activities (outbound sales).
10. Based on these instances of non-compliance, Scotiabank undertook a larger review of this Customer Call Centre’s sales operation (Outbound Sales Unit) and identified additional instances of non-compliance with express consent requirements related to credit cards, lines of credit and creditor insurance. This expanded review included increasing the number and timeframe of the sample of calls reviewed, deploying an internal audit team to investigate on-site for the root causes of the compliance failures and engaging a third party to conduct additional analysis to ascertain the extent of the non-compliance.
11. In June 2018, Scotiabank terminated or disciplined the employees who were implicated in the non-compliance and permanently ceased the operations of the Outbound Sales Unit.
12. In July 2018, Scotiabank’s Internal Audit Group reported on the results of their review and identified weaknesses in the design and operation of internal controls at the Outbound Sales Unit as contributors to the compliance failures.
13. In August 2018, as required, Scotiabank submitted a report to FCAC outlining that the breach of the Regulations by the Outbound Sales Unit was identified in May 2018 and ended in June 2018 when the unit was closed.
14. FCAC staff undertook an investigation and identified significant control deficiencies related to this Outbound Sales Unit. According to FCAC Staff, the deficiencies in the control structure included inadequate policies and procedures, lack of training, inappropriate incentive programs and lack of clarity regarding roles and responsibilities leading to ineffective oversight by senior management.
15. FCAC Staff is of the view that these control deficiencies were the cause of the non-compliance that was detected in 2018 and would have resulted in additional, undetected, instances of non-compliance from the outset of the operation in 2014.
16. In its Representations, Scotiabank acknowledges that a breach of the Regulations occurred between February and June 2018. However, Scotiabank disputes FCAC Staff’s allegation that the non-compliance started when the Outbound Sales Unit opened in 2014.
17. Scotiabank asserts that there is no evidence of a pattern of non-compliance prior to February 2018 and that their internal analysis (shared with FCAC Staff) does not support an extension of the duration of the violation beyond the February to June 2018 period.
18. In Scotiabank’s view, the problem was of limited duration and caused by a discrete set of circumstances that occurred in early 2018, namely changes in the leadership and the significant expansion of the Outbound Sales Unit in March 2018. As a result, Scotiabank asserts that FCAC Staff’s analysis overstates the degree of negligence and harm resulting from the non-compliance.
Analysis and Conclusions
19. I have considered the record before me, comprising the Notice of Violation, the Compliance Report, and the Representations.
20. In my view, the business changes that Scotiabank highlights as occurring in early 2018 are relevant and are not adequately addressed by FCAC Staff. I accept the possibility that the control framework, although demonstrably deficient when the Outbound Sales Unit doubled in size and came under new leadership in early 2018, may have been adequate to prevent non-compliance during the period when the unit was smaller and under more effective oversight.
21. At the same time, I acknowledge FCAC Staff’s expertise in evaluating the adequacy of control frameworks and I accept that the risk of non-compliance increases when there are control deficiencies of the nature identified by FCAC Staff. However, an increase in the risk of non-compliance as a result of deficiencies in the control framework is not sufficient evidence of the non-compliance alleged in the Notice of Violation.
22. The other evidence available to me that supports FCAC’s Staff’s allegation of an extended period of non-compliance appears limited to two escalated customer complaints related to this issue that pre-date the change in 2018. Unfortunately, Scotiabank did not track first level complaints by issue and the third-party analysis of the 2014 to 2018 period was reported by Scotiabank to be inconclusive, resulting in no additional evidence to consider.
23. Accordingly, I am not persuaded that there is sufficient evidence to conclude that Scotiabank was in breach of the Regulations for the period prior to February 2018.
24. However, and as acknowledged by the Bank, there is sufficient evidence in the record to find that Scotiabank committed a violation of the Regulations from February to June 2018.
25. As a result, I find that Scotiabank has committed a violation of s. 3(1) of the Regulations between February and June 2018, on a balance of probabilities.
26. Turning to the penalty proposed in the Notice of Violation, the issue for decision is whether to impose the penalty amount proposed, a lesser penalty amount or no penalty. The relevant criteria to consider are set out in s. 20 of the Act, namely the degree of intent or negligence, the harm done, and the Bank’s history of prior violations.
27. There is no allegation or evidence of an intention to breach the Regulations on the part of Scotiabank.
28. FCAC Staff found that Scotiabank was negligent in not implementing and overseeing an appropriate control program when it opened the Outbound Sales Unit in 2014. According to FCAC Staff, the deficiencies in the control framework described in paragraph 14 were the cause of the non-compliance that was detected in 2018 and provided them reasonable grounds to believe that there were additional, undetected, instances of non-compliance from the outset of the operation in 2014.
29. Scotiabank disputes FCAC Staff’s analysis of negligence. While Scotiabank agrees that some local control deficiencies contributed to the non-compliance, as discussed above, they dispute the duration of the non-compliance and, therefore, the degree of negligence.
30. Scotiabank also highlights their early identification of the issue and the rapid action on the part of the Bank to prevent further instances of non-compliance as evidence that the control framework was effective and mitigating against a finding of negligence.
31. Within a month of the identification of the issue, Scotiabank deployed an Internal Audit team to investigate, closed the Outbound Sales Unit, and terminated or disciplined the individual employees involved in the breach.
32. In addition, Scotiabank subsequently implemented control enhancements across all of its Customer Contact Centres and asserts that a Compliance Agreement with FCAC Staff will be sufficient to ensure regulatory oversight of their control framework improvements.
33. I acknowledge, as does FCAC Staff, that the actions of Scotiabank, including self-identification, prompt reporting and corrective actions, demonstrate Scotiabank’s commitment to maintaining an effective compliance and oversight regime.
34. As noted above, for the period prior to February 2018, I remain unconvinced that the record supports a finding of non-compliance and, therefore, the degree of negligence alleged by FCAC Staff.
35. However, for the period from February to June 2018, I am satisfied that the record supports a finding of a degree of negligence. Scotiabank was negligent in making substantial changes to the Outbound Sales Unit in early 2018 without ensuring a corresponding evaluation and commensurate strengthening of the oversight and control regime.
36. FCAC Staff’s analysis of the harm caused by the non-compliance starts from the premise that harm is present whenever a customer’s right to expressly consent to a product, as required by the Regulations, is not respected. They also highlight that this harm may include a financial aspect, such as interest or fees, but is not limited to this financial aspect.
37. I agree with both of these positions. As FCAC Staff note, the purpose of the requirement for express consent is to allow consumers to make informed financial decisions. Providing consumers with a product without their express consent denies them this opportunity and therefore introduces harm.
38. FCAC Staff assessed the level of harm based on the total number of products provided to customers by the Outbound Sales Unit since its inception in 2014 and the estimated percentage of non-compliance derived from Scotiabank’s review of the five months between February and June 2018. According to FCAC Staff, this calculation results in an estimated total of approximately 20,000 instances of products and optional services potentially provided without express consent over the four-year period.
39. Scotiabank disputes this estimate as an overstatement. As discussed above, they dispute the four-year period and, in any case, believe that the level of non-compliance found from February to June 2018 is not an accurate reflection for the whole period. Scotiabank’s review of calls between February and June 2018 resulted in the identification of approximately 1,200 instances of non-compliance.
40. Scotiabank also highlights the actions it took to remediate customers and prevent further non-compliance as mitigating to the assessment of harm.
41. Scotiabank offered the same remediation to all customers who had been provided products through the Outbound Sales Unit since its inception in 2014, whether or not there was evidence of lack of consent, and despite their view that the non-compliance did not start until in 2018.
42. Those with active accounts received information outlining the terms and conditions of the product and a dedicated contact number (which received approximately 2,300 inquiries). Scotiabank closed approximately 5,600 accounts, most of which had not been activated, and refunded fees, interest and premiums totalling approximately $80,000 to customers. In addition, Scotiabank ensured approximately 750 adjustments to credit bureau information.
43. The analysis of the level of harm related to the non-compliance does not lend itself to an easy quantification. The number of customers affected, and dollar amounts attributed to the non-compliance – while useful as indicators of the scale and scope of the non-compliance and therefore potential harm – are not definitive. In addition, limitations in the data retained contribute to a reliance on reasonable estimates and proxies for an assessment of harm.
44. I recognize that Scotiabank moved quickly to prevent additional non-compliance and instituted effective remediation to all affected and potentially affected customers, thus mitigating the potential harm. The lack of evidence to support the duration of the breach beyond February to June 2018 is also relevant and mitigating to the degree of harm alleged by FCAC Staff.
45. The Bank’s violation history over the past 5 years is also a mitigating factor when considering the appropriateness of the penalty proposed.
46. In consideration of my findings of the degree of negligence and harm and the multiple mitigating factors identified above, I find that it is appropriate in these circumstances to impose no penalty.
47. Having made the decision on the violation and penalty, I now consider the Bank’s submission that I should exercise my discretion and withhold the publication of its name in this proceeding on the basis that publication is not necessary for consumer protection or to promote compliance by Scotiabank.
48. Scotiabank asserts that the full remediation and other corrective actions taken following the identification of the breach have already accomplished the consumer protection objective. Scotiabank expresses the concern that publication in these circumstances would negatively impact the Bank’s reputation and customer trust.
49. In addition, Scotiabank asserts that it has already demonstrated its high level of commitment to ensuring that its operations are compliant with the Regulations and that FCAC Staff will have the opportunity to oversee these enhancements under a Compliance Agreement.
50. I have considered the Bank’s Representations and it is my view that making public Scotiabank’s name in this case is an appropriate measure and a suitable specific deterrent.
51. While I find that the evidence does not support FCAC Staff’s view of the duration of the breach, I remain concerned by the negligence demonstrated in the rapid expansion of the Outbound Sales Unit without a commensurate review and appropriate strengthening of the control framework.
52. Publication will also serve to promote more broadly the importance of banks ensuring that their control framework for express consent evolves appropriately as the business evolves. In addition, publication will highlight the importance of Scotiabank’s effective post-breach actions, which served to mitigate the impact of harm and negligence and will provide a useful example to the industry.
53. I am also of the view that publication in this case is consistent with FCAC’s purpose to protect and educate consumers and to promote compliance by banks. I note that several recent Commissioner’s decisions involved issues relating to express consent, demonstrating the continued need to highlight these issues.
54. Therefore, I conclude that it is appropriate to exercise my discretion in this case to make public the name of the Bank together with my findings on the violation and the penalty.
Judith N. Robertson
Financial Consumer Agency of Canada
Ottawa, November 8, 2021
Report a problem or mistake on this page
- Date modified: