Decision #144

Commissioner’s Decision and Reasons

Summary

1. By notice of violation issued on September 2, 2022 (Notice of Violation), in accordance with s. 22(2) of the Financial Consumer Agency of Canada Act (Act), staff of the Enforcement Division of the Financial Consumer Agency of Canada (FCAC Staff) allege that the Canadian Imperial Bank of Commerce (CIBC or Bank) committed a violation of the Cost of Borrowing (Banks) Regulations, as they applied at the time the violation is alleged to have occurred (Regulations).

2. Section 12(5)(a) of the Regulations required banks that issue credit cards to provide customers with supplementary disclosure statements, at least once a month, that contain an itemized statement of account that describes each transaction and discloses each amount credited or charged, including interest, and the dates when those amounts were posted to the account.

3. In the Notice of Violation, and as discussed more fully in the compliance report issued on August 31, 2022, and attached to the Notice of Violation (Compliance Report), FCAC Staff allege that from May 2003 to June 2021 the Bank failed to provide some customers with accurate information in their supplementary statements, as required by the Regulations (Violation).

4. CIBC admits to the Violation. However, in its representations in response to the Notice of Violation (Representations), the Bank disputes the assessment of negligence and harm and, as a result, the penalty amount proposed of $3.25 million.

5. As the evidence confirms the facts as alleged, I accept the Bank’s admission as my finding on the Violation. The sole issue for decision is whether to impose the penalty amount proposed, a lesser amount or no penalty.

6. I have considered the record before me, namely the Notice of Violation, the Compliance Report, and the Representations and I have decided to impose the penalty amount of $3.0 million. My reasons follow.

Background

7. In June 2020, CIBC identified that credit transactions were not always transferred properly when a credit card account was deactivated. 

8. Credit cards are deactivated when reported lost or stolen (lost or stolen cards) or when reported as defrauded (defrauded cards). In these circumstances, customers are provided with replacement cards and, as part of the activation process, legitimate transactions (credits and charges) are transferred from the deactivated account to the new, active account.

9. Following an internal investigation, CIBC confirmed that credit transactions for some deactivated lost or stolen cards were not transferred in a timely manner during the period of 2003-2021 and that credit transactions for some defrauded cards were not transferred in a timely manner during the period of 2018-2020.

10. Until the credit transactions were transferred from the deactivated account to the active account, the supplementary statement for the active account did not accurately reflect all transactions, as required. The account balance, amount due, credit limit available and estimated time to pay were also incorrect. In addition, the credit transfer delays resulted in some customers being improperly charged interest, over limit fees and/or insurance premiums.

11. On September 4, 2020, CIBC submitted a Reportable Compliance Issue report to FCAC, as required under the Supervision Framework. CIBC engaged a third-party vendor to assist with the identification of affected customers and the preparation of a remediation plan.

12. CIBC’s analysis attributed the cause of the non-compliance as follows:

  1. For the period of May 2003 to June 2021, for lost or stolen cards, CIBC attributes the root cause of the non-compliance to employee error and an ineffective quality assurance program.
  2. For the period of April 2018 to July 2020, for defrauded cards, CIBC attributes the root cause of the non-compliance to the elimination of the specialized Fraud Claims Team in April 2018 and its replacement by an automated process that failed to transfer credit transactions.

13. New procedures implemented in July 2020 corrected the non-compliance for defrauded cards. CIBC also reintroduced a dedicated team of permanent, full-time employees to monitor the processing of credit transactions and introduced a quality assurance program for defrauded accounts. New procedures implemented in June 2021 corrected the non-compliance for lost or stolen accounts, along with a new quality assurance program to ensure employees adhere to the procedures. 

14. The Bank’s remediation analysis identified 125,785 affected accounts (108,882 defrauded cards; 16,903 lost or stolen cards) and $1.5 million in improper fees, interest and premiums charged to those accounts as a result of the non-compliance. A total of $51.7 million in credit transactions ($45.9 million defrauded cards; $5.8 million lost or stolen cards) were not transferred within the Bank’s standard processing period of 5 days. Less than half, approximately $20.9 million in credit transactions, exceeded 60 days of delay in transfer and 75% of credit transactions were transferred within 120 days, however some customers experienced delays of up to 3 years.  

15. As of September 21, 2021, CIBC had transferred all outstanding credit transactions to active accounts and had refunded the improper charges (with 3% interest) to impacted customers. The average amount of improper charges refunded was $122.31 for defrauded cards and $96.85 for lost or stolen cards. In addition, CIBC made a charitable donation of $36,190.34 on November 19, 2021, for those customers who could not be located or whose refund was less than $5.

Analysis and Conclusions

16. Under s.12(5)(a) of the Regulations:
“a bank that issues credit cards must provide borrowers with supplementary disclosure statements on a regular periodic basis, at least once a month, that disclose […]:

(a) an itemized statement of account that describes each transaction and discloses each amount credited or charged, including interest, and the dates when those amounts were posted to the account […].”

17.  There is no dispute on the evidence about the breach of s.12(5)(a) of the Regulations, and I accept CIBC’s admission that the Violation occurred as alleged. Accordingly, the issue for decision is whether to impose the penalty amount proposed, a lesser penalty amount or no penalty.

Penalty Amount

18. In determining the amount of the penalty, the relevant criteria to consider are set out in s. 20 of the Act, and include the degree of intent or negligence, the harm done, the duration of the violation and the Bank’s history of prior violations within the five-year period immediately before the violation.

Negligence and Intent

19. There is no allegation or evidence of an intention to breach the Regulations on the part of CIBC. In FCAC Staff’s view, CIBC was negligent in meeting its regulatory obligations for an extended period of time. According to FCAC Staff, CIBC’s controls were inadequate and ineffective to either ensure compliance or to detect a breach. 

20. FCAC Staff recognize the corrective measures taken by CIBC once the breach was identified as mitigating and assessed the degree of negligence at Level 2 or Significant Negligence.

21. CIBC argues that FCAC Staff placed too much emphasis on the duration of the breach for lost and stolen cards in its evaluation of the degree of negligence. CIBC asserts that the cause of the breach for lost or stolen cards was occasional employee error. In their view, the lack of detection over the 18-year period was not indicative of poor controls but was the result of the low level of incidence (less than 1% of all lost or stolen cards).

22. In contrast, CIBC argues that the control failures for defrauded cards were of a systemic nature, indicating some negligence. However, in CIBC’s view, the shorter duration of the breach for defrauded cards (2 years) should result in an overall assessment of negligence that is materially lower than assessed by FCAC Staff: Level 1 or Some Negligence

23. I find that FCAC Staff’s analysis is appropriate in this case and is supported by the evidence. Whether caused by an uncorrected employee error or an undetected systems issue, the failure of CIBC’s control framework to identify this non-compliance over multiple years demonstrates a significant degree of negligence, notwithstanding the effective remediation once identified. 

Harm

24. FCAC Staff’s analysis concludes that the total number of customers affected, and total dollar amounts involved were relatively high, indicating a high level of harm. FCAC Staff used the totals of 132,658 accounts, $20.9 million of delayed credit transfers and $1.5 million in fees, interest and opportunity costs in their analysis. In addition, FCAC Staff considered the long duration of the breach in their estimation of harm and determined an overall assessment of a Level 2 or Significant Harm.

25. CIBC disputes FCAC Staff’s assessment of harm. CIBC asserts that financial harm was limited to the $1.5 million of improper charges that were ultimately fully refunded. In their view, it is inappropriate to consider the dollar amount of the delayed credit transactions in the assessment of harm. They assert that the delay did not cause financial harm in and of itself, as the credit transactions were all ultimately transferred. In their view, financial harm was only present where the delay resulted in additional charges being improperly imposed on customers.

26. In addition, CIBC challenges FCAC Staff’s decision to rely on the amount of credit transactions not transferred within 60 days ($20.9 million) for the purpose of determining the degree of harm. The Bank argues that, if the amount of credit transactions is used at all, those not transferred within 120 days ($13.9 million) would be a more relevant amount, to reflect the maximum time customers have to file a dispute with their card issuer, thus reducing the level of harm.

27. Finally, the Bank asserts that FCAC Staff erred in their consideration of duration in their analysis of harm. In CIBC’s view, FCAC Staff’s use of an 18-year duration does not adequately recognize the fact that most of the harm occurred in the relatively short 2-year period resulting from a systemic issue related to defrauded cards. As a result, CIBC contends that the element of a long duration was inappropriately considered to be an aggravating factor in FCAC’s Staff’s assessment of harm.

28. The disclosures and reporting requirements of the Regulations recognize the legitimate right of consumers to be provided with accurate information on which they can base their financial decisions. The criterion of harm is therefore not limited to direct financial harm, as proposed by CIBC. This Violation deprived customers of accurate reporting on their credit card statements and persisted for many years, causing harm.

29. In my view, FCAC Staff’s consideration of the value of the delayed credit transactions, and the numbers of accounts affected, is a reasonable approach where a more precise calculation is not possible. These totals reflect a reasonable estimate of, or proxy for, the size and scale and, therefore, the level of harm. The use of 60 days by FCAC Staff also strikes a reasonable balance between the Bank’s normal processing time of 5 days and the outer limit of 120 days for dispute resolution.

30. However, while the Violation continued undetected for many years for lost or stolen cards, I find that applying this long duration as an aggravating factor to the overall harm may be an overstatement in this case. I note that the large majority of customers affected, and dollar amount of impact (98%), related to defrauded cards. As outlined above in paragraph 12, the issue relating to defrauded cards was identified and corrected within 2 years. I find these facts to be mitigating to the impact of duration on the assessment of overall harm.

31. I recognize, as does FCAC Staff, that the degree of harm was also mitigated by the full remediation provided by CIBC. I note that the total number of customers used in FCAC Staff’s analysis of harm was comprehensive as it was the total number of accounts remediated by CIBC, and not only those customers with delays exceeding 60 days. I further note that the impact per individual customer was relatively low.

32. As a result, I conclude that the level of harm should be more appropriately assessed at Level 1 or Some Harm.

Duration

33. The long duration of the Violation elevates the impact of the breaches and calls into question the Bank’s control framework and compliance oversight. It is reflected in the finding of an elevated level of negligence and has contributed to my conclusions regarding the proposed penalty amount.

34. It is damaging to confidence in the financial system, and the reputation of the Bank, if breaches of consumer protection provisions are allowed to remain undetected and unremedied for extended periods.

Violation History

35. CIBC’s violation history was assessed at Level 1 or Some History by FCAC Staff and not disputed by CIBC. This assessment was based on a single Commissioner’s Decision relating to five violations of disclosure requirements for credit cards.

36. In the period following the issuance of the Notice of Violation, CIBC was the subject of a second Commissioner’s Decision relating to three violations of fee disclosure requirements. However, this history cannot be considered as it occurred outside of the relevant timeframe.

Conclusion

37. In consideration of my analysis of the relevant criteria, I find that it is appropriate in these circumstances to impose a $3.0 million penalty for the Violation.

38. The penalty amount imposed is appropriate to promote compliance by CIBC. The failures of the control framework led directly to the breach and the harm to customers. The penalty amount imposed will also serve the purpose of specific and general deterrence and highlight the importance of effective testing and validation against consumer protection provisions when business changes are made.

Judith N. Robertson
Commissioner
Financial Consumer Agency of Canada

Ottawa, May 1, 2023

Page details

Date modified: