Decision #143
Commissioner’s decision and reasons
Summary
1. By notice of violation issued on June 24, 2021 (Notice of Violation), in accordance with s. 22(2) of the Financial Consumer Agency of Canada Act (Act), staff of the Supervision and Enforcement Branch of the Financial Consumer Agency of Canada (FCAC Staff) allege that the Canadian Imperial Bank of Commerce (CIBC or Bank) committed three violations of the Cost of Borrowing (Banks) Regulations (Regulations).
2. Sections 8, 9 and 10 of the Regulations require that when entering into a credit agreement a bank must provide a borrower with an initial disclosure statement that, in addition to certain specified information, includes the nature and amount of any other non-interest charge.
3. In the Notice of Violation, and as discussed more fully in the compliance report issued on June 11, 2021 and attached to the Notice of Violation (Compliance Report), FCAC Staff allege that from 2001 to 2020 the Bank failed to accurately disclose security registration, search and renewal fees for fixed interest rate loans secured by movable property or investments (Violation 1), variable interest rate loans secured by movable property or investments (Violation 2), and investment secured personal lines of credit (Violation 3), (together Violations).
4. The amount of the penalty proposed is $3.2 million for each of Violations 1 and 3 and $3.7 million for Violation 2, for a total of $10.1 million.
5. On February 15, 2022, in response to my request, FCAC Staff submitted additional information regarding their assessment of the relevant criteria and the application of the FCAC Administrative Monetary Penalties Framework (AMP Framework). [Footnote 1] This information was received, and provided to the Bank, on February 15, 2022.
6. In its written representations received July 26, 2021, and March 16, 2022 (Representations), the Bank admits that breaches of the Regulations occurred, but disputes FCAC Staff’s conclusions regarding the duration of the breaches and their assessment of harm and negligence. The Bank therefore submits that the proposed penalty amounts should be reduced.
7. The issues for decision in this case are whether to (i) find that the Violations alleged in the Notice of Violation have been committed; and (ii) impose the penalty amounts proposed, lesser amounts or no penalties.
8. I have considered the record before me, namely the Compliance Report, the Notice of Violation, the additional information related to the AMP Framework and the Representations. I find that the Bank committed the Violations as alleged. I have also decided that it would be appropriate to impose penalty amounts of $1.7 million for each of Violations 1 and 3 and $2.2 million for Violation 2, for a total of $5.6 million. My reasons follow.
Background
9. In April 2019, as part of an internal review, CIBC identified compliance concerns with the initial disclosure documents related to certain third-party charges for several secured loan products.
10. The review and subsequent analysis found that the initial statement of disclosure for these loan products did not disclose any security search fee and erroneously showed the amount of the security registration fee and security renewal fee (when applicable) as $0 (Security Administration Fees).
11. These Security Administration Fees in fact ranged between $6 - $67 per instance. They were debited from client accounts and remitted directly to third-parties, including provincial governments, Teranet, and Le Registre des droits personnels et réels mobiliers.
12. These findings led to the Bank submitting a Reportable Compliance Issue report (RCI) to FCAC on June 28, 2019. Banks are required to report compliance issues to FCAC that meet defined criteria. In the RCI, CIBC indicated a start date for the breach of 2001, subject to confirmation. CIBC was unable to verify compliance prior to 2012 as the Bank did not retain earlier client records in accordance with its record retention policy.
13. CIBC’s analysis attributed the non-compliance primarily to a systems and process issue. That is, the initial statement of disclosure for all the products in question was generated by the same system and included $0 fees and/or missing fees unless manually input or corrected by the frontline staff.
14. On August 17, 2020, CIBC implemented an interim solution that stopped charging customers Security Administration Fees for these products, thereby ending the breach. CIBC expected to implement a systems upgrade to ensure compliant disclosure and resume charging customers the Security Administration Fees by the end of 2021. CIBC absorbed the third-party costs directly during this interim period.
15. For the purposes of remediation and reporting to FCAC, CIBC assumed that the non-compliance affected all customers of these loan products between September 1, 2001, and August 16, 2020. September 1, 2001 was the date the Regulations took effect.
16. CIBC engaged an external consultant and obtained information from third-parties to assist with their analysis and to identify all clients potentially affected. Where client records were unavailable, CIBC extrapolated from the existing data and made conservative assumptions regarding the potential impact on customers.
17. The Bank’s analysis resulted in an estimated 200,000 customers affected and approximately $11 million in total fees and interest being refunded or contributed to charity where customers could not be identified. The estimated average refund per customer was $53 for Violation 1, $51 for Violation 2 and $101 for Violation 3.
Analysis and conclusions
Violations
18. Under the Regulations, banks entering into a credit agreement for a loan for a fixed interest rate for a fixed amount (s. 8(1)(q)), for a loan with a variable rate for a fixed amount (s. 9(1)), or for a line of credit (s. 10(1)(c)), are required to provide the borrower with an initial disclosure statement that includes the nature and amount of any non-interest charges. The Security Administration Fees fall into the category of such charges and must be disclosed to the borrower.
19. In its Representations, CIBC acknowledges that a breach of ss. 8(1)(q), 9(1) and 10(1)(c) of the Regulations occurred. However, CIBC questions the evidence supporting FCAC Staff’s allegations that the violations started on September 1, 2001.
20. In CIBC’s view, their decision to use September 1, 2001 as the starting date for remediation purposes arose from an abundance of caution to ensure that no potentially affected customers were missed. The Bank claims it would be unfair to rely on that decision to determine the start date of the Violations when the only direct evidence confirming the breach dates from 2012.
21. I find sufficient evidence in the record to support FCAC Staff’s allegation of September 1, 2001, as a probable start date for the Violations.
22. In my view, the Bank’s explanation for the non-compliant disclosure provides evidence to support the probability that the disclosure was non-compliant from the time the Regulations were first in effect (September 1, 2001).
23. CIBC states that because its compliance control framework relied on system testing when a new regulatory requirement was implemented or updated, frontline staff would have expected the system to be accurate in these unfamiliar products (0.1% of the relevant lending portfolio). As a result, they may not have recognized the errors to be flagged and corrected. CIBC also relies on these circumstances to explain why the non-compliant disclosure persisted undetected for many years.
24. There is no evidence of an obvious means by which the non-compliant disclosure could have been introduced post 2001. There have been no material changes to the Regulations since their effective date of September 1, 2001. Therefore, the non-compliant disclosure could not have been inadvertently introduced during a system change to respond to a regulatory requirement. Nor did the Bank provide any alternative explanation for how and when the non-compliant disclosure was created.
25. In addition, CIBC’s June 28, 2019 RCI report indicated September 1, 2001 as a start date, subject to confirmation. This report pre-dates and is unrelated to any remediation decision on the part of CIBC.
26. Therefore, since September 1, 2001, any customer of those loan products would have received the non-compliant system-generated disclosure. While I accept the possibility that CIBC frontline staff could have corrected the non-compliant disclosure prior to 2012, where the records are unavailable, I find that to be highly unlikely given the absence of evidence of this corrective action in customer records post 2012.
27. As a result, I find that CIBC has committed the Violations as alleged in the Notice of Violation, on a balance of probabilities.
Penalty amounts
28. Turning to the penalty amounts proposed in the Notice of Violation, the issue for decision is whether to impose the penalty amounts proposed, lesser penalty amounts or no penalties.
29. The relevant criteria to consider are set out in s. 20 of the Act, including the degree of intent or negligence, the harm done, the duration of the violation and the Bank’s history of prior violations within the five-year period immediately before the violation. [Footnote 2]
30. There is no allegation or evidence of an intention to breach the Regulations on the part of CIBC. CIBC did not profit from the breach as all fees were required and paid directly by the customer to third-parties.
31. FCAC Staff’s analysis of the degree of negligence and duration was consistent for all Violations. FCAC Staff’s analysis differentiated the degree of harm among the Violations according to the number of customers affected and the total dollar value of the impact. This differentiation in the degree of harm is the source of the difference in the proposed penalty amounts for the Violations.
32. CIBC disputes FCAC Staff’s assessment of the degree of negligence and harm for all Violations and requests a commensurate reduction in the proposed penalty amounts. In addition, CIBC objects to FCAC Staff’s approach of considering duration as part of their analysis of negligence and harm.
33. CIBC asserts that each criterion must be considered separately and not as a component of, or contributor to, the other criteria. In their view, FCAC Staff’s approach creates a compounding effect which is contrary to the Act and unfair to CIBC as the resulting proposed penalties would be based on the same criterion applied multiple times.
34. I disagree with CIBC’s view that the requirement to consider each of the relevant criteria precludes me from having regard to the actual interaction between and among the criteria.
35. In my view, it is wholly appropriate to recognize, as does FCAC Staff, that the evidence related to the criterion of duration is often integral to the evidence related to the criteria of negligence and harm. For example, the degree of negligence can be demonstrated by the length of time a non-compliant practice continues without detection and remediation. Similarly, the accepted proxies used to estimate the degree of harm (e.g., number of customers and dollar amounts) may naturally increase if the breach continues for a longer period.
36. CIBC’s position that it is only valid to conduct a stand-alone analysis of the evidence relating to duration seems to introduce an artificial separation that disregards the practical reality of the interdependence of these criteria. In addition, this approach could create the very risk that CIBC is seeking to avoid, namely compounding the impact of duration by requiring a separate accounting for duration in addition to the unavoidable inclusion of the element of time that is often already present in the analysis of negligence and harm.
Negligence
37. Turning to the specifics of this case, in FCAC Staff’s view, CIBC was negligent in meeting its regulatory obligations and did not take the steps necessary to ensure that the disclosure in question reflected the actual fees charged, as required by the Regulations.
38. FCAC Staff incorporated a consideration of the duration of the breaches into their analysis of negligence and found it to be aggravating to the level of negligence. Despite a control framework that included systems testing, frontline staff training, and compliance oversight systems, CIBC did not identify this problem for over 17 years.
39. This apparent failure of CIBC’s control framework provides the evidence to support FCAC Staff’s assessment of the degree of negligence at Level 2 or Significant Negligence for each Violation.
40. CIBC contests FCAC Staff’s analysis and submits that a more accurate evaluation of its disclosure failures would be Level 1 or Some Negligence. CIBC attributes the delay in identifying the non-compliance to the relative low incidence of these loans rather than any significant deficiency in its compliance control and oversight systems.
41. CIBC points to its eventual self-identification of the issue, subsequent rectification of the problem, entering an Action Plan with FCAC Staff, and fulsome remediation, as demonstrating its commitment to compliance.
42. CIBC also asserts that, because the Violations were caused by the same systems’ deficiency, it is unfair for FCAC Staff to treat each breach as an isolated incident with separate penalty amounts. In the Bank’s view, this approach significantly and unfairly overstates the actual level of negligence and therefore the total cumulative penalty amount.
43. I find that FCAC Staff’s consideration of duration in the negligence analysis is appropriate in this case. I find that FCAC Staff’s analysis is supported by the evidence, and I agree with the conclusion that the apparent initial failure to ensure compliant disclosure, and the subsequent failure to identify this non-compliance over many years, demonstrates significant negligence.
44. It is the fact that the breaches continued for many years without identification that brings into question CIBC’s control framework, notwithstanding their eventual self-identification. I note that this finding would be valid whether the duration was the 8 years admitted by CIBC or the nearly 20 years of the Violations.
Harm
45. For Violations 1 and 3, FCAC Staff’s analysis concludes that the total dollar amounts, and the numbers of customers affected, were relatively low (Violation 1 – 21,956 customers and $1.2 million; Violation 3 – 19,327 customers and $1.9 million). However, when they added their finding of a long duration, they determined an overall assessment of a Level 2 or Significant Harm.
46. For Violation 2, FCAC Staff’s analysis resulted in a higher assessment of harm than Violations 1 and 3 because of the higher total dollar amounts and numbers of customers affected (Violation 2 – 161,960 customers and $8.3 million) in addition to the long duration. FCAC Staff proposed to reflect this difference in the higher proposed penalty amount for Violation 2, although it is still within the same range for Level 2 or Significant Harm.
47. CIBC disputes FCAC Staff’s assessment of harm as an overstatement. CIBC’s analysis, conducted by an external consultant, was able to confirm only half of the number of customers and dollar amounts underlying FCAC Staff’s analysis. CIBC maintains that a more accurate assessment of harm for all Violations would result in a finding of Level 1 or Some Harm.
48. CIBC asserts that FCAC Staff improperly considered the lack of client records prior to 2012 as aggravating, even though the Bank had no requirement to retain those records and may have contravened certain legal obligations had it done so.
49. CIBC further asserts that FCAC Staff’s analysis did not appropriately consider several mitigating factors. CIBC points to the single reportable customer complaint, the fact that the fees were to be paid to third-parties and their view that customers would have likely received verbal disclosure during the sales process, thus reducing the actual harm of the non-compliant disclosure.
50. In addition, the Bank highlights that it has already incurred significant costs in its efforts to remediate customers and prevent further non-compliance, including absorbing fees that would have otherwise legitimately been paid by customers. In their view, these actions served to reduce the degree of harm of the Violations and should be reflected in a lower penalty amount.
51. While it is not possible to know the actual harm caused to customers as a result of the non-compliant disclosure, it is understood to include both financial and non-financial harm. Customers are entitled to receive accurate information. It is damaging to confidence in the financial system, and the reputation of the Bank, if breaches of consumer protection provisions are allowed to remain undetected and unremedied for extended periods.
52. I agree that in this case, FCAC Staff’s consideration of the total potential number of customers affected and dollar amounts is a reasonable approach to estimate the degree of harm. However, I am not persuaded by FCAC Staff’s conclusions in their assessment of the level of harm.
53. As outlined in paragraphs 45 and 46, the long duration moved FCAC Staff’s analysis from a Level 1 or Some Harm to a Level 2 or Significant Harm. However, I note that the total number of customers affected, and total dollar amount of impact, were directly attributable to the long duration in this case as the refund per individual customer was relatively low. Therefore, in my view, the impact of the long duration of the Violations on the criterion of harm is sufficiently captured by the estimates of total number of customers and the total dollar amounts.
54. My finding of a lower level of harm is further supported by the mitigating factors of the conservative and comprehensive assumptions used to generate these estimates and the fulsome remediation provided by CIBC, as accepted by FCAC Staff. To the extent possible, all customers were refunded the fees (with interest) that, absent the non-compliant disclosure, they would have been required to pay.
55. As a result, I conclude that the level of harm should be more appropriately assessed at Level 1 or Some Harm for all Violations.
Duration
56. The long duration of the Violations elevates the impact of the breaches and calls into question the Bank’s understanding of the importance of disclosure requirements and the expectations of an appropriate standard of care in their fulfillment. The Regulations reflect the foundational role of disclosure in the consumer protection provisions of the Bank Act. In order for consumers to make informed financial decisions, they must be provided information that is accurate and, at a minimum, meets regulatory requirements.
57. I consider the criterion of duration to have been adequately addressed in the above analysis of negligence and harm. It is reflected in the assessment of the level of harm and the elevated level of negligence and has contributed to my conclusions regarding the proposed penalty amounts.
Violation history
58. In the past 5 years, CIBC has been the subject of one Commissioner’s Decision relating to five violations of disclosure requirements for credit cards. CIBC’s violation history was assessed at Level 1 or Some History by FCAC Staff and not disputed by CIBC.
59. I find this history to be an aggravating factor, as does FCAC Staff in their proposed penalty amounts.
Conclusion
60. The imposition of penalty amounts is appropriate in this case, both to promote compliance by CIBC and for the purpose of specific and general deterrence. The long duration of the Violations serves as a sobering reminder of the critical importance of banks investing in robust and effective compliance control frameworks.
61. In consideration of my analysis of the relevant criteria, and in particular my findings related to the level of harm, I find that it is appropriate in these circumstances to impose a $1.7 million penalty amount for each of Violation 1 and 3 and $2.2 million penalty amount for Violation 2, for a total of $5.6 million.
Judith N. Robertson
Commissioner
Financial Consumer Agency of Canada
Ottawa, September 27, 2022