Decision #46382-174Q307

File: 46382-174Q307

Compliance issue

Code of Conduct – Canadian Code of Practice for Consumer Debit Card Services (2002) – Failure to comply with a voluntary code of conduct with respect to debit card fraud
Financial Consumer Agency of Canada Act, paragraph (3)(2)(c)
Canadian Code of Practice for Consumer Debit Card Services (revised in 2002),
section 5, subsection 6(6)

A consumer complained to the Financial Consumer Agency of Canada (FCAC) that he was being held financially liable for unauthorized transactions from his bank account. The disputed transactions were made with his debit card, which was stolen from him. He became aware of his missing debit card in the morning and alerted the bank later that same day.

The Canadian Code of Practice for Consumers Debit Card Services outlines banks’ obligation to reimburse its clients who have experienced losses as a result of unauthorized activity.

Over the course of its investigation into the matter, the bank discovered, via video surveillance, that someone known to the consumer had stolen the card. Moreover, it was discovered that this person had successfully entered the cardholder’s personal identification number (PIN) on the first attempt. Therefore, the bank determined that the consumer was financially responsible for the transactions because there were no PIN mismatches. This suggests that he had a readily identifiable PIN combination and had not adequately protected his PIN.

Subsection 5(5) of the Code (2002 revision) states that a cardholder contributes to unauthorized use by voluntarily disclosing the PIN, which includes writing the PIN on the card, or keeping a poorly disguised written record of the PIN in proximity with the card.

The cardholder is also considered to contribute to unauthorized use by failing to notify the issuer within a reasonable time that the card has been lost, stolen or misused, or that the PIN may have become known to someone other than the cardholder.

Appendix A of the Code – clauses 3 and 5 – provides guidance on how to interpret section 5 of the Code (2002 revision). Clause 3 outlines the situations in which a cardholder would not be liable for any losses. Clause 5 describes how a cardholder could contribute to the unauthorized use of their card.

The consumer also complained that the bank did not properly inform him of the dispute resolution process that was available to him.

Subsection 6(6) of the Code (2002 revision) states that a cardholder whose problem cannot be settled by the PIN issuer will be informed of the reasons for the issuer’s position on the matter of unauthorized transactions. It also states that the issuer will then advise the cardholder of the appropriate party to contact regarding the dispute.

Given the information provided by the consumer and the bank during FCAC’s compliance investigation, the Agency’s Compliance and Enforcement Branch concluded that the case represented an incidence of non-compliance with the Code (2002 revision). A non-compliance letter was issued to the bank. The letter stated that the bank did not consider “shoulder surfing” or other circumstances surrounding the disputed transactions, and that the bank did not advise the cardholder of the next stage in the dispute resolution process.

Decision taken

Following the non-compliance letter issued by FCAC’s compliance and enforcement branch, and as permitted under the Agency’s compliance framework, the bank asked that the case be submitted to FCAC’s Acting Commissioner for review.

After reviewing the facts of the case and the representations submitted by the bank, the Acting Commissioner concluded that the bank was in compliance of subsection 5(5) of the Code (2002 revision) concerning the determination of liability for the unauthorized transactions. However, the Acting Commissioner upheld the previous finding of non-compliance with subsection 6(6) of the Code (2002 revision). The bank did not advise the cardholder of the appropriate party to contact regarding the disputed determination of the bank to hold him liable for the unauthorized transactions.

Compliance considerations

In the representations it submitted to the Acting Commissioner, the bank showed that there were several inconsistencies in the consumer’s statements about what had happened to his debit card, and how, therefore, the unauthorized transactions may have occurred.

When the consumer first reported the loss of his card to the bank, he did not report that he had been shoulder surfed, or that his PIN may have been disclosed to a third party or compromised in any way. The consumer also indicated to the bank that he had filed a police report, but never submitted a copy of the report to the bank or advised it of its contents.

Over the course of the bank’s investigation, the consumer was shown a picture of the individual responsible for the unauthorized transactions. He confirmed verbally to bank employees that the individual was known to him. However, he did not provide information on the nature of their relationship.

In a subsequent investigation by the bank’s Ombudsman Office, the consumer stated that he was the victim of “professionals” and that “he was not the only victim of this person or group,” and speculated that he was shoulder surfed while using the branch’s automatic banking machine (ABM) where he usually does his banking. However, at this time, he failed to mention to the bank’s Ombudsman Office that he knew the individual who was responsible for the unauthorized transactions.

The bank argued that the possibility of shoulder surfing was not a factor, stating that too much time had elapsed between the last time the consumer had used his card and when the wallet was stolen and the unauthorized transactions began. In addition, the bank stated that there were no invalid PIN entry attempts. Subsequent investigations also revealed that the consumer had a readily identifiable PIN combination.

Therefore, the bank argued that the consumer did contribute to the unauthorized use of his debit card.^{Footnote 1}  The bank provided the consumer with the bank’s complaint resolution process at the time he first complained. However, it did not advise him of the appropriate party to contact regarding the dispute when it informed him of the reasons it was holding him liable for the unauthorized transactions.

Measures taken by financial institution

When the bank declines a request for reimbursement of unauthorized transactions, it now issues a standard letter that includes information about the appropriate party to contact regarding the dispute.

Outcomes

conduct and public commitments that are designed to protect the interests of consumers. FCAC reports to Parliament annually on the level of compliance of financial institutions with these codes and commitments, and on the types and volume of complaints received.

The Canadian Code of Practice for Consumer Debit Card Services is designed to protect Canadian consumers who use debit card services. It outlines industry practices and consumer/industry responsibilities in relation to debit card transactions and liability. Thorough investigations are essential for ensuring that voluntary codes like this one work well for consumers. In the present case, after reviewing the information provided by the consumer and the bank, the Acting Commissioner agreed that, on the balance of robabilities, the consumer must have contributed to the unauthorized use of his debit card.​^{Footnote 2} 

However, the Acting Commissioner upheld the previous finding of non-compliance with subsection 6(6) of the Code (2002 revision), finding that the bank failed to provide the cardholder with information on the appropriate party to contact – as required by the Canadian Code of Practice for Consumer Debit Card Services – if he wanted to dispute the bank’s decision to hold him liable for the unauthorized transactions made with his debit card.