FCAC Supervisory Highlight: Report on findings
Thematic Review on Electronic Alerts

Information contained in this publication or product may be reproduced, in part or in whole, and by any means, for personal or public non-commercial purposes without charge or further permission, unless otherwise specified. Commercial reproduction and distribution are prohibited except with written permission from the Financial Consumer Agency of Canada.

For more information, contact:

Financial Consumer Agency of Canada
427 Laurier Ave. West
Ottawa, ON K1R 7Y2

www.canada.ca/en/financial-consumer-agency

Cat. No.: FC5-96/2025E-PDF (PDF, English)

ISBN: 978-0-660-76451-1

© His Majesty the King in Right of Canada, as represented by the Minister of Finance Canada, March 2025.

Aussi disponible en français sous le titre : Faits saillants de la surveillance exercée par l’ACFC, Rapport sommaire - Examen thématique sur les alertes électroniques.

Introduction

This summarizes the Financial Consumer Agency of Canada’s (FCAC) thematic review of the banking sector’s adherence to the legislative obligation to provide consumers with electronic alerts (e-alerts).

The e-alert obligation came into force on June 30, 2022, as part of the Financial Consumer Protection Framework (the Framework).^{Footnote 1}  The obligation, as set out in the Bank Act, requires banks to send e-alerts, without delay, to consumers when their personal deposit account balance falls below a prescribed amount, or when the available credit on their credit cards and lines of credit has fallen below a prescribed amount. Unless otherwise prescribed by the consumer, the default amount for an e-alert is $100.

As a consumer protection, e-alerts provide consumers with timely information to make informed financial decisions and avoid incurring costs such as non-sufficient funds fees.

In monitoring the banking sector’s implementation of the Framework, FCAC identified a higher risk of implementation issues among small and medium sized banks (SMSBs).

Scope and methodology

The scope of the thematic review focused on the following e-alert related requirements:

1. The requirement for banks to send consumers e-alerts for the required products, without delay, is met when the balance on a deposit account or the available credit falls below the amount prescribed by the consumer. If the consumer has not specified an amount, the default threshold is $100.
2. The requirement for e-alerts to include information on what consumers can do to avoid charges or penalties.
3. The requirement for banks to allow consumers to prescribe the dollar amount for receiving e-alerts, or to opt out from receiving e-alerts when communicated in writing.

The thematic review was undertaken on 6 SMSBs whose selection provided for a representative sample of the size, business models, and regional presences of SMSBs.

As part of the review, FCAC required all SMSBs to complete a questionnaire on their implementation of e-alerts requirements. With respect to the 6 banks, FCAC conducted a desk review of e-alerts related information and documentation provided by the banks, as well as virtual and on-site interviews.

The findings in this report are based on a snapshot of data and information provided by banks, over an 8-month period. The findings do not reflect any changes the 6 banks may have implemented following the review period.

Findings

FCAC’s key findings from the thematic review, which all banks are expected to review and address as required, are listed below.

Requirement to send e-alerts without delay

FCAC discovered multiple cases where consumers who were supposed to receive e-alerts did not receive them or did not receive them immediately. The findings of particular concern are as follows:

• Some banks required consumers to register for online banking as a prerequisite for receiving e-alerts.
• Some banks did not send e-alerts for certain types of accounts, on the basis that there were no charges or penalties associated with the accounts.
• Some banks did not take the necessary steps to contact consumers to obtain the required contact information to send e-alerts. These banks only attempted to update consumer contact information if they were contacted by consumers.
• Some banks were delayed in sending e-alerts. The timing of e-alerts was negatively impacted by the internal systems and processes that banks relied on to monitor banking activity and send e-alert. In some cases, e-alerts were delayed by more than 24 hours after the prescribed or default dollar amount necessitated the sending of an e-alert.

FCAC expectations

• Banks must not create additional requirements, such as requiring consumers to register for online banking, as a condition for sending e-alerts.
• Banks must send e-alerts for the required products – personal deposit accounts, credit cards, and lines of credit – regardless of the fee structure associated with these products.
• Banks must actively solicit consumer contact information to send e-alerts and be able to demonstrate that they took the necessary actions to do so.
• Banks must promptly send e-alerts as soon as the specified dollar amount (or default amount) is met. This ensures consumers can make timely financial decisions and avoid potential costs.

Requirement for e-alerts to contain specific information

The FCAC found that the reviewed banks provided information in e-alerts that was clear and simple.

However, FCAC also found that the e-alerts did not include all the required information; in particular, information on what consumers may do to avoid charges or penalties and the time within which this is to be done.

FCAC expectations

Banks must include specific information in e-alerts, including what action(s) the consumer may take to avoid charges or penalties, and the timeframe within which the action(s) must be taken.

Requirement to allow consumers to set prescribed amount or to opt out of receiving e-alert

FCAC found that banks were complying with the requirement to allow consumers to set a specific dollar amount for e-alerts or to opt out of receiving them if they preferred. However, banks were not consistently maintaining records to show that consumers had requested to opt out of receiving e-alerts.

FCAC expectations

• Banks must maintain records for consumers who have opted out of receiving e-alerts. These records must show that consumers have communicated the request in writing.
• Banks must ensure staff is adequately trained to help consumers looking to opt out of receiving e-alerts or looking to change the dollar amount for receiving e-alerts.

Monitoring, testing and reporting

The thematic review identified concerns regarding the monitoring, testing, and reporting methods banks are relying on to test their compliance with e-alert requirements.

FCAC found that some banks are relying on informal methods to test whether e-alerts are being sent to consumers, such as having bank employees test the e-alerts system using their own personal accounts.

FCAC also found that reporting on the monitoring and testing activities varied across banks. In some cases, reporting included information on e-alert volumes, error rates, and other information relevant to business lines and compliance team. In other cases, reporting was unsatisfactory, with reporting only taking place after an issue was identified or reporting not yet being implemented due to reliance on third party service providers.

FCAC expectations

• Banks must implement ongoing monitoring and regular testing to ensure that e-alerts are effectively sent to consumers without delay and include all required information.
• Banks must establish effective policies and procedures for reporting on compliance activities, findings from monitoring and testing, and any corrective actions taken.

The use of technology to enable compliance

The Thematic review demonstrated that banks utilize technology in various ways to manage regulatory compliance. Regardless of whether they develop technology in-house or rely on third party products, FCAC expects banks to identify and manage the associated risks and ensure compliance and adhere to their obligations.

This review revealed that some banks are using third-party service providers to support the sending of e-alerts to consumers. Third parties were found to be providing services such as sending e-alerts directly to consumers or providing a banking platform for identifying when the bank is to send an e-alert to the consumer.

FCAC found that banks relying on third parties were exposed to operational and compliance risks. These risks included third parties that could only offer e-alerts to consumers registered for an online banking platform, third parties unable to send e-alerts for all required products, and third-party contracts managed through a parent organization, which led to delays in transmitting e-alert information.

FCAC found that banks lacking full control over third-party technology faced more compliance issues due to their inability to make changes directly.

FCAC expectations

• Banks must ensure adherence to their obligations even when relying on third parties for e-alert requirements.
• Banks are expected to assess their relationships with third parties on an ongoing basis to ensure compliance obligations are understood, documented and being met.

Conclusion

Thematic reviews are one of many tools used by the FCAC to assess compliance as part of its risk-based approach to supervision. This review, the first conducted by FCAC since establishing a thematic review team, was a productive review with a number of findings that are particularly relevant for the industry and consumers.

In addition to this report, each bank subject to this thematic review has been informed of the FCAC’s findings specific to their institution and is required to implement the necessary corrective actions. FCAC is actively monitoring the implementation of these corrective actions.

All banks, including Canada’s major banks, are expected to review the findings presented in this report, assess their compliance with the e-alert requirements, and address any issues or deficiencies on a timely basis.