How to safeguard customer privacy under the Financial Consumer Protection Framework

 
The framework will significantly expand the amount of personal information that banks hold, and as a result their obligations vis-à-vis that information. In fact, these changes only bolster Chris Skinner’s position that “banks should move from being safekeepers of money to safekeepers of data”¹.

This article examines the privacy implications of the following aspects of the framework:

• New policies and procedures to ensure that the products or services offered or sold by banks and their intermediaries are appropriate for the person having regard to their circumstances, including their financial needs².
• A new complaint management process, which requires banks to:
  • create and maintain a comprehensive record of all complaints for a period of seven years³; and
  • submit to the FCAC all complaint records received by a designated employee⁴.
• The addition of “duration” as a criterion when determining the amount of an administrative monetary penalty in the case of a violation⁵.

Privacy law requirements

The obligations imposed by the framework do not supersede either federal or provincial privacy laws. As a result, when complying with the framework’s requirements, banks will still be required to:

• obtain meaningful consent when collecting, using, storing, or disclosing (processing) personal information;
• use or otherwise process data only for purposes collected or, if data is to be used for new purposes, to obtain fresh consent for those new purposes; and
• disclose information if required by law unless exemptions apply that limit or override such requirements.

At a high level, and for banks with well-developed privacy and data governance programs, obligations under the framework should not entail the introduction of fundamentally new or novel processes. After all, banks already collect, use, and retain large volumes of highly sensitive data. However, banks do need to consider the framework’s requirements carefully in relation to existing policies, processes, and systems to identify where and how these need to be revised to comply with both C-86 and privacy regulations.

Ensuring that products or services are appropriate to the customer

The framework requires banks to “establish and implement policies and procedures to ensure that the products or services in Canada that it offers or sells to a natural person other than for business purposes are appropriate for the person having regard to their circumstances, including their financial needs”⁶.

The FCAC Guideline on Appropriate Products and Services for banks further clarifies this obligation by stating that,

“A Bank’s Policies and Procedures should ensure that the Bank collects and records the KYC [Know your customer] information it needs to understand consumers’ circumstances so that it can assess the appropriateness of the products or services being offered or sold. The nature of the KYC information that a Bank may need to collect and record can vary depending on consumers’ circumstances, including their financial needs, and on the products or services that it offers or sells.”

This requirement raises the question as to how and from where banks can collect the necessary customer information to assess whether the product or service is appropriate. For example, can banks rely on information they already have? Are banks allowed to obtain and rely on information obtained from external sources such as social media or third parties?

Information gathered by the bank during the course of their relationship with the customer is a key resource for assessing appropriateness, but banks may also wish to use information gathered from social media or third parties. In any of these cases, banks will need to ensure that the customer has consented to have his/her information used by the bank to perform an appropriateness assessment. If not, fresh consent may be needed.

When revising or drafting new consent sign-offs, banks must ensure that the scope of use provided in the sign-off is reasonable. To establish reasonable use, banks will need to show that there is a defined business objective and that the personal information collected is necessary to achieve the objective. The bank could consider documenting how missing information or information that can’t be obtained from the client could be externally sourced to enable the bank to assess the appropriateness of the product or service. Documenting how and why information may be gathered from internal or external sources may also be valuable in responding to a challenge that the bank’s collection of personal information was overly broad or unnecessary.

Banks should consider implementing the necessary controls to ensure that any data used in the appropriateness assessment is accurate, particularly when such data originates from external sources such as social media.

The complaint process

As noted above, the new complaint management obligations imposed by the framework have several privacy implications.

The first pertains to the very comprehensive record that banks will be required to create and maintain for each complaint. The privacy risk associated with this record-keeping requirement arises because banks will gather a considerable amount of new and sensitive information in the course of investigating and responding to a complaint⁷. Banks will need to ensure that this information is only used for the purposes for which it was collected (i.e., investigating and responding to the complaint). To aid compliance in this regard, information should be appropriately labelled or tagged, and banks may consider measures such as segregated storage of the data.

The framework also requires that third parties that sell or further the sale of the bank’s products give customers access to the bank’s complaint procedures as if the product or service had been received by from the bank⁸. In order to effectively investigate a complaint on a product sold by a third party, banks will likely ask the third party to share customer information with the bank. Banks may find third parties claiming that they can’t share customer information because doing so would breach customer privacy or that privacy laws bars them from sharing the information. It should generally be possible to overcome these objections, as privacy law does not bar disclosure as a matter of course. But banks could consider including in their distribution agreement a requirement that third parties must seek the complainant’s consent to share their information with the bank.

Banks must not only investigate and respond to complaints, but are also required to retain all complaint records for seven years⁹. As noted above, complaint records are likely to contain information from a number of different internal and external sources and may include proprietary or confidential information of the bank or a third party, or sensitive information about the complainant or other individuals (e.g., in call recordings). Since these records must be kept for at least seven years, appropriate security and record retention policies and procedures should be developed and implemented to address the risks associated with them. Segregation of complaint records may assist with the implementation of these controls (e.g., litigation holds and destruction requirements)¹⁰.

While complaint records do not present novel record retention issues, banks nonetheless should ensure that

• applicable policies define triggers that should prompt consideration of applying a litigation hold—for example, customer makes formal complaint to FCAC;
• the seven-year retention period for complaint records is appropriately socialized, in particular with those responsible for providing and implementing litigation hold notices; and
• the data is destroyed when the retention period expiries and any litigation holds are lifted¹¹.

Every quarter, banks must submit to the FCAC Commissioner a copy of the record¹² that reaches the designated level¹³. Although complaint information submitted by banks to the FCAC could be subject to access to information requests, we expect the FCAC to refuse such requests on the grounds that such information is protected by section 17 of the FCAC Act¹⁴. However, should the FCAC be unsuccessful in refusing the request, the bank will need to ensure that any sensitive information provided as part of the record be redacted before it is disclosed as a result of an access-to-information-and-privacy request.

Although quarterly complaint records submitted by banks will most likely be protected, the FCAC will still be required to publish a report which will include a summary of the information provided by the banks in their annual complaint report¹⁵.

Using duration to determine administrative monetary penalties

Bill C-86 amended the FCAC Act by adding the following two criteria when determining an administrative monetary penalty in the case of a violation:

• the duration of the violation
• the ability of the person who committed the violation to pay the penalty.

The addition of duration as a criterion underlines the importance that banks establish explicit retention policies that refer to statutory retention and litigation holds. A bank’s failure to respect such polices can weaken any argument if information is deleted. Banks may wish to consider adopting measures such as:

• pseudonymization options to limit sensitivity of data kept long term
• safeguards such as offline storage.