Decision #22693-776Q307

File: 22693-776Q307

Commissioner’s Decision

Compliance issue

Code of Conduct — Canadian Code of Practice for Consumer Debit Card Services (2002) — Failure to comply with a voluntary code of conduct with respect to unauthorized debit card transactions
Financial Consumer Agency of Canada Act, paragraph 3(2)(c) [Footnote 1]
Canadian Code of Practice for Consumer Debit Card Services (2002), paragraph 5(3)(c)

A consumer complained to the Financial Consumer Agency of Canada (FCAC) that he was being held financially liable for unauthorized transactions on his bank account that were carried out using his stolen debit card. The unauthorized transactions in question took place early in the morning. The consumer contacted the bank to dispute these transactions on the same day, claiming that the transactions executed with his stolen debit card were unauthorized, and asking for the funds to be reimbursed. [Footnote 2] The consumer also notified the police promptly of the incident.

Evidence suggested that the consumer fully cooperated with both the bank and the police in their subsequent investigations. Over the course of both investigations, the consumer maintained that he never disclosed his personal identification number (PIN) to a third party. However, it was later discovered, via video surveillance, that someone known to the client had stolen the card. Furthermore, it was discovered that this person had successfully entered the consumer’s PIN on the first attempt.

This case was subject to the 2002 revision of the Canadian Code of Practice for Consumer Debit Card Services. The Code outlines banks’ obligation, in certain circumstances, to reimburse consumers who have experienced losses as a result of unauthorized activity.

Following its investigation into the matter, the bank determined that the consumer was financially responsible for the transactions because there were no PIN mismatches, suggesting that the person who stole the card had knowledge of or access to the consumer’s PIN.

In addition, given that the consumer claimed that he had never disclosed his PIN to a third party, the bank concluded that it must have been a combination of characters that could be easily associated with him and, thus, that his PIN did not meet the conditions of clause 5(4) of Appendix A of the Code. This clause states that cardholders are considered to have disclosed the PIN voluntarily if they use a PIN combination selected from the cardholder’s name, telephone number, date of birth, address, or social insurance number.

Therefore, the bank considered that the consumer contributed to the unauthorized use of his debit card, and should be held responsible for the financial loss. However, the bank eventually reimbursed the consumer, citing customer service reasons.

Paragraph 5(3)(c), Liability for Loss, of the Code (2002 revision) sets out that cardholders are not liable for losses resulting from circumstances beyond their control. Such circumstances include unauthorized use, where the cardholder has unintentionally contributed to such use, provided the cardholder co-operates in any subsequent investigation.

Given the information provided by the consumer and the bank during FCAC’s compliance investigation, FCAC’s Compliance and Enforcement Branch concluded that the case represented an incidence of non-compliance with the Code (2002 revision). A non-compliance letter was issued to the bank, stating that there was no compelling evidence to suggest that the client contributed to the unauthorized use of his debit card. The letter also set out that the bank appeared to have failed to fully consider the context around which the unauthorized transactions occurred, including that the consumer may have been a victim of "shoulder surfing."

Decision taken

Based on a review of the file and the bank’s representations in response to the non-compliance letter, the Acting Commissioner decided that this case did not represent an incident of non-compliance with the Code (2002 revision).

Compliance considerations

In responding to the non-compliance letter, the bank highlighted the consumer’s declaration that he thought his PIN had been guessed by a third party. The bank maintained that the consumer’s admission that the PIN was figured out by a third party proved that it was one that was easily identifiable.

The bank also advised that, during its investigation, it considered the possibility that the consumer was a victim of shoulder surfing, but eventually concluded that it was not a factor. Moreover, at no time during the investigation did the consumer allege that shoulder surfing took place.

The 2002 version of the Code does not require the PIN issuer to show that, on balance of probabilities, the cardholder contributed to the unauthorized use of the card. In reviewing the case, the Acting Commissioner agreed that it was highly improbable that this situation could have occurred without some form of voluntary participation from the consumer, given that the consumer’s PIN was guessed by a third party known to him, that the PIN was entered correctly on the first attempt, and that shoulder surfing was not a factor.

However, in his decision, the Acting Commissioner made it quite clear that he did not believe that Clause 5(4) of the Appendix of the Code was structured or worded in a way that it would appear to be simply providing a list of examples of unacceptable PINs, nor that it is an open-ended statement that allows for consideration of other unacceptable PIN combinations. Furthermore, the Acting Commissioner deemed that the bank could not rely on this clause to judge and/or verify if a “reasonable” standard was applied by the consumer while selecting his PIN combination.

Measures taken by financial institution

Over the course of this case, the bank informed FCAC’s Compliance and Enforcement Branch that it had decided to reimburse the consumer, citing customer service reasons, and not because it felt obligated to do so under the Code.


FCAC monitors federally regulated financial institutions’ compliance with certain codes of conduct and public commitments that are designed to protect the interests of consumers. FCAC reports to Parliament annually on the level of compliance of financial institutions with these codes and commitments, and on the types and volume of complaints received.

The Canadian Code of Practice for Consumer Debit Card Services is designed to protect Canadian consumers who use debit card services. It outlines industry practices and consumer/industry responsibilities in relation to debit card transactions and liability. Thorough investigations are essential for ensuring that voluntary codes like this one work well for consumers.

In the present case, after reviewing the representations made by the bank, the Acting Commissioner agreed that the circumstances of the case did not demonstrate that the consumer did not contribute to the unauthorized use of his debit card, as described in the 2002 revision of the Code. [Footnote 3] However, citing customer service reasons, the bank decided to reimburse the consumer.
