On June 30, 2022, more than three years after Bill C-86 was tabled in Parliament, the Financial Consumer Protection Framework will come into force. This federal framework consolidates and strengthens the Bank Act consumer protection provisions applicable to banks (including authorized foreign banks) and amends the Financial Consumer Agency of Canada Act to reinforce the role and increase the powers of the Financial Consumer Agency of Canada (FCAC).
The framework will significantly expand the amount of personal information that banks hold, and as a result their obligations vis-à-vis that information. In fact, these changes only bolster Chris Skinner’s position that “banks should move from being safekeepers of money to safekeepers of data”1.
This article examines the privacy implications of the following aspects of the framework:
The obligations imposed by the framework do not supersede either federal or provincial privacy laws. As a result, when complying with the framework’s requirements, banks will still be required to:
At a high level, and for banks with well-developed privacy and data governance programs, obligations under the framework should not entail the introduction of fundamentally new or novel processes. After all, banks already collect, use, and retain large volumes of highly sensitive data. However, banks do need to consider the framework’s requirements carefully in relation to existing policies, processes, and systems to identify where and how these need to be revised to comply with both C-86 and privacy regulations.
The framework requires banks to “establish and implement policies and procedures to ensure that the products or services in Canada that it offers or sells to a natural person other than for business purposes are appropriate for the person having regard to their circumstances, including their financial needs”6.
The FCAC Guideline on Appropriate Products and Services for banks further clarifies this obligation by stating that,
“A Bank’s Policies and Procedures should ensure that the Bank collects and records the KYC [Know your customer] information it needs to understand consumers’ circumstances so that it can assess the appropriateness of the products or services being offered or sold. The nature of the KYC information that a Bank may need to collect and record can vary depending on consumers’ circumstances, including their financial needs, and on the products or services that it offers or sells.”
This requirement raises the question as to how and from where banks can collect the necessary customer information to assess whether the product or service is appropriate. For example, can banks rely on information they already have? Are banks allowed to obtain and rely on information obtained from external sources such as social media or third parties?
Information gathered by the bank during the course of their relationship with the customer is a key resource for assessing appropriateness, but banks may also wish to use information gathered from social media or third parties. In any of these cases, banks will need to ensure that the customer has consented to have his/her information used by the bank to perform an appropriateness assessment. If not, fresh consent may be needed.
When revising or drafting new consent sign-offs, banks must ensure that the scope of use provided in the sign-off is reasonable. To establish reasonable use, banks will need to show that there is a defined business objective and that the personal information collected is necessary to achieve the objective. The bank could consider documenting how missing information or information that can’t be obtained from the client could be externally sourced to enable the bank to assess the appropriateness of the product or service. Documenting how and why information may be gathered from internal or external sources may also be valuable in responding to a challenge that the bank’s collection of personal information was overly broad or unnecessary.
Banks should consider implementing the necessary controls to ensure that any data used in the appropriateness assessment is accurate, particularly when such data originates from external sources such as social media.
As noted above, the new complaint management obligations imposed by the framework have several privacy implications.
The first pertains to the very comprehensive record that banks will be required to create and maintain for each complaint. The privacy risk associated with this record-keeping requirement arises because banks will gather a considerable amount of new and sensitive information in the course of investigating and responding to a complaint7. Banks will need to ensure that this information is only used for the purposes for which it was collected (i.e., investigating and responding to the complaint). To aid compliance in this regard, information should be appropriately labelled or tagged, and banks may consider measures such as segregated storage of the data.
The framework also requires that third parties that sell or further the sale of the bank’s products give customers access to the bank’s complaint procedures as if the product or service had been received from the bank8. In order to effectively investigate a complaint on a product sold by a third party, banks will likely ask the third party to share customer information with the bank. Banks may find third parties claiming that they can’t share customer information because doing so would breach customer privacy or that privacy laws bar them from sharing the information. It should generally be possible to overcome these objections, as privacy law does not bar disclosure as a matter of course. But banks could consider including in their distribution agreement a requirement that third parties must seek the complainant’s consent to share their information with the bank.
Banks must not only investigate and respond to complaints, but are also required to retain all complaint records for seven years9. As noted above, complaint records are likely to contain information from a number of different internal and external sources and may include proprietary or confidential information of the bank or a third party, or sensitive information about the complainant or other individuals (e.g., in call recordings). Since these records must be kept for at least seven years, appropriate security and record retention policies and procedures should be developed and implemented to address the risks associated with them. Segregation of complaint records may assist with the implementation of these controls (e.g., litigation holds and destruction requirements)10.
While complaint records do not present novel record retention issues, banks nonetheless should ensure that
Every quarter, banks must submit to the FCAC Commissioner a copy of the record12 that reaches the designated level13. Although complaint information submitted by banks to the FCAC could be subject to access to information requests, we expect the FCAC to refuse such requests on the grounds that such information is protected by section 17 of the FCAC Act14. However, should the FCAC be unsuccessful in refusing the request, the bank will need to ensure that any sensitive information provided as part of the record be redacted before it is disclosed as a result of an access-to-information-and-privacy request.
Although quarterly complaint records submitted by banks will most likely be protected, the FCAC will still be required to publish a report which will include a summary of the information provided by the banks in their annual complaint report15.
Bill C-86 amended the FCAC Act by adding the following two criteria when determining an administrative monetary penalty in the case of a violation:
The addition of duration as a criterion underlines the importance that banks establish explicit retention policies that refer to statutory retention and litigation holds. A bank’s failure to respect such policies can weaken any argument if information is deleted. Banks may wish to consider adopting measures such as:
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
© 2023 by Torys LLP.
All rights reserved.