Decision # 134

Commissioner’s Reasons for Decision

In March 2018, the Deputy Commissioner of the Financial Consumer Agency of Canada (FCAC) issued a notice of violation in accordance with subsection 22(2) of the Financial Consumer Agency of Canada Act (Act), alleging reasonable grounds to believe that the Bank committed the following two violations:

i. from September 2003 to January 2017, when entering into a credit agreement for credit cards, inaccurately disclosed the date on or after which interest accrues contrary to subsection 12(1) of the Cost of Borrowing (Banks) Regulations (COBRs), (violation #1); and

ii. from September 2010 to January 2017, charged interest to certain cardholders who had paid the outstanding balance owing on their credit card account on or before the due date thereby contravening subsection 3(4) of the Credit Business Practices Regulations (CBPRs), (violation #2).

The Deputy Commissioner proposed to impose penalties of $125,000 and $75,000 for violations #1 and #2, respectively (Notice of Violation).

The violations alleged were the subject of an investigation and compliance report issued by FCAC in March 2018 (Compliance Report). The Bank responded to the allegations in the Notice of Violation, including on the exercise of my discretion to make public the information in section 31 of the Act, by way of written representations dated April 2018 (Response).

For the reasons outlined below, I have determined that the evidence is sufficient to find that the Bank committed violation #2 on a balance of probabilities and see no cause to reduce the penalty of $75,000 proposed in the Notice of Violation. However, I am not satisfied that the Bank committed violation #1 as alleged in the Notice of Violation.

Factual Background

The Breach Alleged

The Compliance Report sets out the following undisputed facts relevant to violations #1 and #2.

From September 2003 to January 2017, the initial disclosure statement that the Bank provided to borrowers when entering into a credit agreement for a credit card stipulated as follows:

Interest is calculated [text omitted]

Following the implementation of a new accounts receivable system in 2003 (System), certain cardholders were charged interest despite having a nil balance on their accounts by the due date. This problem arose in cases where accounts were paid in full as a result of

(i) partial payments made by the cardholder followed by merchant credits; or

(ii) full payment made by the cardholder via a different financial institution that was initially returned or rejected but later processed by the due date.

Impact and Remediation Efforts

The Bank has faced challenges in identifying all of the cardholders impacted by the System errors due to limitations relating to, for example, historic data retention. The Bank has been able to confirm, however, that the number of impacted accounts for the period of November 2012 to January 2017—the date when the Bank implemented a technology fix—is 6,149.

The Bank has paid $15,808.24 in refunds to cardholders whose accounts were impacted from January 2012 to January 2017. The Bank has developed a plan to reimburse accounts impacted dating back to September 2003, and estimates paying an additional amount of $21,420.00 in refunds.

Relevant Provisions

My analysis for violation #1 considers the Bank’s compliance with the requirements in subsection 12(1) of the COBRs. Subsection 12(1)—which speaks to a bank’s obligation to disclose the cost of borrowing in the context of credit card products—refers back to paragraphs 10(1)(a) and (c) to (k) of the COBRs, and incorporates the information requirements therein for credit card products. The relevant provisions read in part as follows:

12(1) A bank that enters into a credit agreement for a credit card must provide the borrower with an initial disclosure statement that includes the following information in addition to that required by paragraphs 10(1)(a) and (c) to (k): […].

10(1) A bank that enters into a credit agreement for a line of credit must provide the borrower with an initial disclosure statement that includes the following information: […]

(f) the date on and after which interest accrues and information concerning any grace period that applies; […].

For violation #2, the focus is on subsection 3(4) of CBPRs, which reads as follows:

3(4) An institution may not charge interest on purchases of goods or services made on a credit card during a particular billing cycle if the borrower pays the outstanding balance owing on the credit card account in full on or before the due date.

Analysis

Violation #1

I see two issues for determination with respect to violation #1. The first is on the proper construction of a bank’s initial disclosure obligations under subsection 12(1) of the COBRs. The second is whether the evidence substantiates a breach on a balance of probabilities as alleged in the Notice of Violation.

(i) Proper construction of subsection 12(1) of the COBRs

In its Response, the Bank submits that there is nothing in the COBRs that requires a bank to implement a rigorous system of control and oversight to minimize errors, and that there is no basis in the Bank Act that requires a bank to ensure that a cardholder receives what is promised in the disclosure. The Bank appears to accept that once the disclosure statement is provided to the borrower, there may be a risk of liability in private law for breach of contract but none in regulatory law for non-compliance. Therefore, the Bank considers that it is an appropriate construction of subsection 12(1) of the COBRs that compliance is achieved simply by providing the required information to the borrower—be it accurate and reliable or not.

I cannot agree with an interpretation that allows a bank to provide borrowers with information on the cost of borrowing that is incorrect with impunity from enforcement under the COBRs. In my view, compliance with subsection 12(1) of the COBRs involves more than showing that borrowers were provided with words in a statement that match the information requirements. Rather, compliance is a matter of accuracy and reliability. It is achieved when the information disclosed—be it an amount, a process, a formula, etc.—is properly supported by the backend system that is designed to uphold it. System failures and processing errors can be a basis for finding that a bank’s disclosure is non-compliant with the COBRs.

(ii) Analysis of the evidence on the alleged breach

Turning now to the issue of the proper analysis of the evidence, I note that the Notice of Violation describes the alleged breach that is the subject of violation #1 in narrow terms. It impugns the Bank’s compliance with the requirement under subsection 12(1) of the COBRs—that links back to paragraph 10(1)(f) of the COBRs—solely on the basis of a failure to include information on “the date on or after which interest accrues”. As such, I must determine, on a balance of probabilities, whether the Bank failed to comply with this specific requirement in the initial disclosure statement provided to borrowers from September 2003 to January 2017.

I have reviewed the record before me, and I am not satisfied that it substantiates a deficiency in the disclosure on the information provided to borrowers on “the date on or after which interest accrues”. The initial disclosure statement in question appears to have been clear on the date that interest charges would start to be incurred; this date is described as “the transaction date […] or the first day of the billing period in which it is first charged to [the] account”. There is no evidence that the System failed to capture this date correctly for purposes of interest accrual.

Rather, the System appears to have malfunctioned on the application of the grace period—which the Bank characterized as [text omitted] programming error. This error impacted cardholders who had a nil outstanding balance on their credit card accounts as a result of making (i) partial payments followed by merchant credits; or (ii) full payment using a different financial institution that was rejected and reprocessed by the due date. These cardholders were charged interest and did not benefit from the grace period described in the initial disclosure statement.

Ultimately, on the evidence available, I find that the Bank did not commit violation #1 in the narrow terms alleged in the Notice of Violation.

Violation #2

The Bank has admitted that credit cardholders were erroneously charged interest from September 2010 to January 2017.

With the facts for violation #2 not in dispute, the issue for decision is whether the Bank has put forth in its Response a valid defence of due diligence to exculpate itself from having breached subsection 3(4) of the CBPRs. If so, there remains the issue of determining whether the amount of the penalty proposed in the Notice of Violation should be reduced.

(i) Defence of due diligence

The threshold for proving the defence of due diligence is high (Cata International Inc. v. Canada (M.N.R.), 2004 FC 663 (CanLII) and Samson v. Canada (M.N.R.), 2007 FC 975 (CanLII)). Affirmative proof is required that all reasonable care was exercised to ensure that errors were not made.

In this case, the Bank confirms that the System’s billing process was reviewed on a recurring basis (every 18 months). It also argues that the two errors responsible for the miscalculation, namely (i) a partial payment by the borrower followed by a merchant credit; and (ii) a full payment processed through a different financial institution that was returned at some point and then reprocessed, were complex and rare. The Bank concludes that it is unlikely that sample testing would have independently identified the errors through preventative control testing.

I find these arguments hardly persuasive, and I would need clear evidence to conclude that it is indeed rare for the Bank cardholders to find themselves in the circumstances that gave rise to this breach. I also note that the Bank has confirmed that its preventative control and sample testing process failed to account for these two events altogether. Consequently, and based on the record before me, I find that the Bank has committed violation #2 on a balance of probabilities and see no grounds to accept the Bank’s position that it has made out the defence of due diligence.

(ii) Amount of the penalty

On the issue of the proposed penalty, I have reviewed the analysis in the Notice of Violation and I am satisfied that the amount of $75,000 should stand in this case. The System errors remained undetected for approximately 14 years and it was a cardholder’s complaint that brought the breach to light. At the same time, I can accept the Bank’s argument that the population of impacted credit cardholders was extremely small (estimated at less than 1% of this credit cardholder base).

Publication

There remains one outstanding issue to dispose of: whether to make public the information set out in section 31 of the Act. The factors that I consider in my analysis include the willingness of the financial institution to assume responsibility for the breach and compensate affected consumers, the impact of the breach on consumers and consumer confidence and its commitment to better governance and management of risks against future breaches.

In this case, the Bank appears to have responded to this breach in a manner that shows a strong commitment to enhancing its controls and oversight of such risks. In its Response, the Bank explains how it is committed to leveraging its existing corporate governance structure and management accountability to ensure that all issues related to erroneous interest charges are appropriately addressed. Furthermore, I see that the Bank has acted promptly and appropriately to find the root cause of the errors and to remediate impacted credit cardholders without being prompted to do so by FCAC.

At the same time, the Bank argues that this case is extremely complex and its error inadvertent and, as a result, making its name public would be so disproportionate and unfair that the Bank would then consider all available options under the Act. I am not sure that I follow this argument or find it relevant to my analysis.

Ultimately, I am persuaded on the evidence that the Bank has acted appropriately in this case, including through its commitment to enhancing its controls and governance. Its efforts to remediate impacted cardholders are also noted. Overall, I am satisfied that it is appropriate to not make public the Bank’s name in relation to violation #2.

Ottawa, January 14, 2019

Lucie M.A. Tedesco

Commissioner

Financial Consumer Agency of Canada
