Bank customer is a victim of multiple incidents of fraud
Key lessons:
- Unfortunately, not all frauds are committed by strangers. “Familiar fraud” refers to situations where someone who has access to the personal information and financial documents of a family member or close friend assumes their identity to gain access to money in their accounts.
- Although banks have security measures to reduce the risk of fraud, consumers must keep their personal information such as security questions and PINs (personal identity numbers) confidential – even from those they love and trust. Documents containing personal information, such as account statements, should either be shredded or kept in locked storage. Devices and accounts that can be used to authenticate identity through email or SMS should also be kept private and secure.
- Consumers should always take precautions that can help identify fraud quickly, including reviewing their account transactions at least every month and maintaining low withdrawal limits on debit and credit cards. If available, e-alerts should be set up to notify account holders of every withdrawal. If a consumer discovers any discrepancies or unrecognized transactions, it is important that they inform their bank immediately.
Consumer discovers unauthorized transactions on different accounts
Mr. B held various financial products with his bank, including a personal chequing account with debit card access, investments, and a credit card. He worked outside the home and his adult children lived with him. Mr. B said that he kept his PIN confidential but did not keep his personal information in locked storage. His children had unrestricted access to his house.
Mr. B had been a victim of fraud in the past. To protect himself from future frauds, he disconnected online access to his accounts, limiting his account access to in-person visits at his bank branch. One day, about a month after discontinuing online access to his accounts, Mr. B went to the branch to do his regular banking and realized that he had forgotten his bank card at home. When he got home, he called telephone banking instead of returning to the branch.
During this phone call with his bank:
- Mr. B was informed that online access to his accounts had been reconnected using his personal information and that several transactions had taken place.
- The bank representative told Mr. B his account balances and Mr. B responded that they did not seem right.
- The bank representative also told Mr. B it had recently taken two days to transfer funds from his investment account into his personal chequing account – longer than it would have if Mr. B had made the request in-person.
- Mr. B had difficulty identifying which transactions had been made without his knowledge or consent and told the bank representative that all the transactions were unauthorized.
As soon as the bank was made aware that Mr. B may have been a victim of fraud again, it immediately cancelled his debit card and credit card and suspended his online account access.
Mr. B thought that by limiting his bank account access to in-branch only, he had taken extra precautions to protect himself from fraud. He asked his bank to reimburse him for the unauthorized transactions in his accounts which totaled $24,700.
Bank investigates and suspects familiar fraud
During its investigation, the bank noted that most of the transactions Mr. B had disputed were either:
- purchases made while online or over the phone, suggesting that his actual credit card may not have been in the fraudster’s possession at the time of the transaction, or,
- purchases made while inserting the actual debit card or credit card into a chip-reader machine and entering the PIN at the time of the transaction.
The bank confirmed it had followed its normal procedures to prevent fraud, such as:
- resetting the passwords required for online access to Mr. B’s accounts when requested,
- sending one-time verification codes to Mr. B’s phone or in the mail to activate his new cards after receiving requests to cancel the old ones, and
- validating his personal information before releasing account details.
The bank confirmed that:
- Mr. B’s passwords were changed after the bank had helped him reset them.
- Mr. B’s new cards were activated with the one-time verification codes.
- Mr. B’s personal information was validated by the bank over the phone as required.
- If Mr. B had not taken these actions, they must have been done by someone close to him who had access to his personal information.
As a result, the bank suspected that “familiar fraud” had occurred.
The bank agreed to reimburse Mr. B $13,700 for the transactions that were made without using his physical credit card. However, the bank would not reimburse Mr. B for the transactions that were made using his debit and credit cards with his PIN. Because Mr. B refused to report these transactions to the police, the bank closed its investigation.
Mr. B felt that he was still owed $11,000 to make up for his loss due to fraud. Frustrated by his bank’s decision, Mr. B came to OBSI for help.
Our findings
During our investigation, we reviewed the details of the investigation that led to the bank’s decision not to reimburse Mr. B for the PIN transactions. Despite the extra precautions that he and his bank had taken, the evidence indicated that if these actions were not Mr. B’s, someone close to him had been able to access his personal information, reset his passwords, obtain his bank cards, withdraw funds using his PIN and return his cards to their normal place.
We concluded that the bank had no reason to suspect fraud or take further actions because it had verified Mr. B’s identity appropriately through its normal validation process on a number of occasions. We also found that the bank’s position to close its investigation, unless Mr. B was willing to file a police report, was reasonable in the circumstances.
The outcome
We had no basis to recommend that the bank offer any additional compensation to Mr. B.