Q2 | Torys QuarterlySpring 2022

How to safeguard customer privacy under the Financial Consumer Protection Framework

On June 30, 2022, more than three years after Bill C-86 was tabled in Parliament, the Financial Consumer Protection Framework will come into force. This federal framework consolidates and strengthens the Bank Act consumer protection provisions applicable to banks (including authorized foreign banks) and amends the Financial Consumer Agency of Canada Act to reinforce the role and increase the powers of the Financial Consumer Agency of Canada (FCAC).

The framework will significantly expand the amount of personal information that banks hold, and as a result their obligations vis-à-vis that information. In fact, these changes only bolster Chris Skinner’s position that “banks should move from being safekeepers of money to safekeepers of data”1.

This article examines the privacy implications of the following aspects of the framework:

  • New policies and procedures to ensure that the products or services offered or sold by banks and their intermediaries are appropriate for the person having regard to their circumstances, including their financial needs2.
  • A new complaint management process, which requires banks to:
    • create and maintain a comprehensive record of all complaints for a period of seven years3; and
    • submit to the FCAC all complaint records received by a designated employee4.
  • The addition of “duration” as a criterion when determining the amount of an administrative monetary penalty in the case of a violation5.

Privacy law requirements

The obligations imposed by the framework do not supersede either federal or provincial privacy laws. As a result, when complying with the framework’s requirements, banks will still be required to:

  • obtain meaningful consent when collecting, using, storing, or disclosing (processing) personal information;
  • use or otherwise process data only for purposes collected or, if data is to be used for new purposes, to obtain fresh consent for those new purposes; and
  • disclose information if required by law unless exemptions apply that limit or override such requirements.

At a high level, and for banks with well-developed privacy and data governance programs, obligations under the framework should not entail the introduction of fundamentally new or novel processes. After all, banks already collect, use, and retain large volumes of highly sensitive data. However, banks do need to consider the framework’s requirements carefully in relation to existing policies, processes, and systems to identify where and how these need to be revised to comply with both C-86 and privacy regulations.

Ensuring that products or services are appropriate to the customer

The framework requires banks to “establish and implement policies and procedures to ensure that the products or services in Canada that it offers or sells to a natural person other than for business purposes are appropriate for the person having regard to their circumstances, including their financial needs”6.

The FCAC Guideline on Appropriate Products and Services for banks further clarifies this obligation by stating that,

“A Bank’s Policies and Procedures should ensure that the Bank collects and records the KYC [Know your customer] information it needs to understand consumers’ circumstances so that it can assess the appropriateness of the products or services being offered or sold. The nature of the KYC information that a Bank may need to collect and record can vary depending on consumers’ circumstances, including their financial needs, and on the products or services that it offers or sells.”

This requirement raises the question as to how and from where banks can collect the necessary customer information to assess whether the product or service is appropriate. For example, can banks rely on information they already have? Are banks allowed to obtain and rely on information obtained from external sources such as social media or third parties?

Information gathered by the bank during the course of their relationship with the customer is a key resource for assessing appropriateness, but banks may also wish to use information gathered from social media or third parties. In any of these cases, banks will need to ensure that the customer has consented to have his/her information used by the bank to perform an appropriateness assessment. If not, fresh consent may be needed.

When revising or drafting new consent sign-offs, banks must ensure that the scope of use provided in the sign-off is reasonable. To establish reasonable use, banks will need to show that there is a defined business objective and that the personal information collected is necessary to achieve the objective. The bank could consider documenting how missing information or information that can’t be obtained from the client could be externally sourced to enable the bank to assess the appropriateness of the product or service. Documenting how and why information may be gathered from internal or external sources may also be valuable in responding to a challenge that the bank’s collection of personal information was overly broad or unnecessary.

Banks should consider implementing the necessary controls to ensure that any data used in the appropriateness assessment is accurate, particularly when such data originates from external sources such as social media.

The complaint process

As noted above, the new complaint management obligations imposed by the framework have several privacy implications.

The first pertains to the very comprehensive record that banks will be required to create and maintain for each complaint. The privacy risk associated with this record-keeping requirement arises because banks will gather a considerable amount of new and sensitive information in the course of investigating and responding to a complaint7. Banks will need to ensure that this information is only used for the purposes for which it was collected (i.e., investigating and responding to the complaint). To aid compliance in this regard, information should be appropriately labelled or tagged, and banks may consider measures such as segregated storage of the data.

The framework also requires that third parties that sell or further the sale of the bank’s products give customers access to the bank’s complaint procedures as if the product or service had been received by from the bank8. In order to effectively investigate a complaint on a product sold by a third party, banks will likely ask the third party to share customer information with the bank. Banks may find third parties claiming that they can’t share customer information because doing so would breach customer privacy or that privacy laws bars them from sharing the information. It should generally be possible to overcome these objections, as privacy law does not bar disclosure as a matter of course. But banks could consider including in their distribution agreement a requirement that third parties must seek the complainant’s consent to share their information with the bank.

The framework will significantly expand the amount of personal information that banks hold, and as a result their obligations vis-à-vis that information.

Banks must not only investigate and respond to complaints, but are also required to retain all complaint records for seven years9. As noted above, complaint records are likely to contain information from a number of different internal and external sources and may include proprietary or confidential information of the bank or a third party, or sensitive information about the complainant or other individuals (e.g., in call recordings). Since these records must be kept for at least seven years, appropriate security and record retention policies and procedures should be developed and implemented to address the risks associated with them. Segregation of complaint records may assist with the implementation of these controls (e.g., litigation holds and destruction requirements)10.

While complaint records do not present novel record retention issues, banks nonetheless should ensure that

  • applicable policies define triggers that should prompt consideration of applying a litigation hold—for example, customer makes formal complaint to FCAC;
  • the seven-year retention period for complaint records is appropriately socialized, in particular with those responsible for providing and implementing litigation hold notices; and
  • the data is destroyed when the retention period expiries and any litigation holds are lifted11.

Every quarter, banks must submit to the FCAC Commissioner a copy of the record12 that reaches the designated level13. Although complaint information submitted by banks to the FCAC could be subject to access to information requests, we expect the FCAC to refuse such requests on the grounds that such information is protected by section 17 of the FCAC Act14. However, should the FCAC be unsuccessful in refusing the request, the bank will need to ensure that any sensitive information provided as part of the record be redacted before it is disclosed as a result of an access-to-information-and-privacy request.

Although quarterly complaint records submitted by banks will most likely be protected, the FCAC will still be required to publish a report which will include a summary of the information provided by the banks in their annual complaint report15.

Using duration to determine administrative monetary penalties

Bill C-86 amended the FCAC Act by adding the following two criteria when determining an administrative monetary penalty in the case of a violation:

  • the duration of the violation
  • the ability of the person who committed the violation to pay the penalty.

The addition of duration as a criterion underlines the importance that banks establish explicit retention policies that refer to statutory retention and litigation holds. A bank’s failure to respect such polices can weaken any argument if information is deleted. Banks may wish to consider adopting measures such as:

  • pseudonymization options to limit sensitivity of data kept long term
  • safeguards such as offline storage.

  1. Chris Skinner, Digital Bank: Strategies to Launch or Become a Digital Bank, Marshall Cavendish.
  2. Section 627.06 of the Bank Act.
  3. Section 627.44 of the Bank Act.
  4. Section 627.45 of the Bank Act.
  5. Section 20 of the Financial Consumer Agency of Canada Act.
  6. Section 627.06 of the Bank Act.
  7. For example, complaint records may include call recordings from upset customers or new information about the customer's financial circumstances. The records may also contain proprietary or confidential information of the bank or third parties such as affiliates or resellers of bank products.
  8. Section 627.15 of the Bank Act.
  9. Section 627.44 of the Bank Act. The requirement to make a record of a complaint extends to anonymous complaints. Where the complainant refuses to provide their identity, banks are not required to take steps to identify the complainant. In fact, this would not be a recommended practice, as the additional information would increase the bank’s risk (e.g., in the case of a breach).
  10. Segregation of data and appropriate tagging of proprietary and confidential information would also be valuable for complying with pending data portability requirements, as it would help with distinguishing information provided by the consumer and proprietary information of the bank or third parties.
  11. Appropriate destruction of records in accordance with regulatory requirements will help to mitigate a number of risks by limiting the amount of data on hand in the case of breach and avoiding the possibility that the record could be used to establish the duration of a violation for purposes of assessing a monetary penalty.
  12. The record submitted to the FCAC must include all of the information identified in section 627.44 except the contact information, other than the postal code.
  13. The FCAC Guideline on Complaint-Handling Procedures distinguishes between complaints handled by the non-designated (first level of complaint handling) and designated level (level where complaints are escalated).
  14. Section 17 of the FCAC Act provides that information collected by the FCAC in the course of the exercise or performance of powers, duties or functions in connection with the administration of the FCAC Act would be considered confidential.
  15. Sections 627.54 and 627.47 of the Bank Act.

To discuss these issues, please contact the author(s).

This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.

For permission to republish this or any other publication, contact Janelle Weed.

© 2023 by Torys LLP.

All rights reserved.

Subscribe and stay informed

Stay in the know. Get the latest commentary, updates and insights for business from Torys.

Subscribe Now