Canadians are increasingly using technological tools such as laptops, tablets and smartphones for online banking. However, there are currently no legislative or regulatory protections, applicable nationwide, to limit consumers’ liability in the event of an unauthorized transaction associated with their bank account, unlike the legal framework in place for credit card users.

Recent Trends in Online Banking Fraud in Canada
In the digital age, online banking fraud has become a major problem for consumers, who are increasingly at risk of sophisticated scams and frauds, including those using artificial intelligence techniques such as deepfakes.
Banking fraud comes in many different forms, including prompts to click on suspicious links, phishing attacks, calls from fake bank representatives and fraudulent social media ads.
According to the Canadian Anti-Fraud Centre (CAFC), Canadians lost over $638 million to fraud in 2024. However, actual losses could be much higher, because only 5% to 10% of victims report instances of fraud to the authorities. In his Annual Report 2024, the Ombudsman for Banking Services and Investments (OBSI) reported that fraud is the leading issue for consumer complaints about their financial institutions, representing 38% of complaints related to banking services. He also noted a dramatic increase in the number of consumer complaints about electronic transfer fraud and other types of digital fraud.
More generally, while they continue to be most impacted by fraud, seniors and other vulnerable individuals are not the only targets. According to the CAFC, fraudsters targeted every age demographic in 2022.
Canadian Legal Framework
Consumer protection in the banking sector falls within both Parliament’s exclusive jurisdiction over banking and provincial legislatures’ jurisdiction over property and civil rights, which enables provinces to enact consumer protection laws.
At the federal level, dealings between banks and their customers are governed by Part XII.2 of the Bank Act and the Financial Consumer Protection Framework Regulations, in addition to new rules introduced by Canada’s Financial Consumer Protection Framework, which came into effect on 30 June 2022. The Financial Consumer Agency of Canada is the federal agency responsible for supervising the Acts, regulations, codes of conduct and public commitments that protect consumers of financial products and services, as well as for overseeing the activities of federally regulated financial institutions.
However, this legal framework has no provisions to protect consumers from unauthorized transactions associated with their deposit account (otherwise known as a “bank account”).
For operations involving a bank account, consumers are instead subject to the normative and contractual framework governing the rights and responsibilities of financial institutions and their customers, including the Canadian Code of Practice for Consumer Debit Card Services (the Code), the banking contract and the internal policies of each financial institution.
There is a different system in place for credit card users. Section 627.33 of the Bank Act limits a credit cardholder’s liability for unauthorized use to $50 unless the holder has demonstrated gross negligence (or, in Quebec, gross fault) in safeguarding the credit card, the account information or the personal authentication information. Certain provincial consumer protection laws contain similar limitations, for example, section 99 of British Columbia’s Business Practices and Consumer Protection Act. Credit card companies like Visa, Mastercard and American Express also offer protections such as a “zero liability” policy in the event of fraud.
On 7 November 2024, the National Assembly of Quebec unanimously passed Bill 72 [in French], An Act to protect consumers against abusive commercial practices and to offer better transparency with respect to prices and credit. This Act provides for the addition of two provisions (sections 65.1 and 65.2 – coming into force to be determined by order [in French]) to Quebec’s Consumer Protection Act to limit the consumer’s liability for unauthorized and authorized use of a deposit account, similar to the legislative protections offered to credit cardholders.
Canadian Code of Practice for Consumer Debit Card Services
The Code, introduced in 1992 and last revised in 2004, is a voluntary standard-setting instrument for financial institutions. It was developed by the Electronic Funds Transfer Working Group, which includes representatives from consumer organizations, financial institutions and retailers, as well as representatives of federal and provincial governments. In accordance with a commitment made by the Canadian Bankers Association on behalf of its members, the Code applies to online transactions in respect of customer deposit accounts.
Under clause 5(3) of the Code, in the event of fraud, debit cardholders are not liable for losses resulting from “circumstances beyond their control,” such as “unauthorized use [of a card], where the cardholder has unintentionally contributed to such use, provided the cardholder co-operates in any subsequent investigation.” The Code also states that if the personal identification number (PIN) is obtained by coercion, trickery, force or intimidation, cardholders are not considered to have disclosed the PIN “voluntarily,” thus contributing to unauthorized use (Appendix A of the Code, clause 5).
Banking Contracts and Internal Policies
Since the Code was first developed, financial institutions have incorporated some or all of its rules into their banking contracts with customers.
To qualify for reimbursement in the event of fraud, victims must refer to the contract terms, including the investigation procedures set out in the banking contract and the internal policies of their financial institution. In the event of a dispute, a decision not to reimburse a customer may be submitted for review to OBSI. This independent body, which has handled consumer complaints since 1996, became the sole designated external complaints body in Canada as of 1 November 2024. Despite the availability of this recourse, in 2023, “approximately one in five fraud cases resulted in a settlement or recommendation for compensation to the consumer.” As OBSI points out, it has no legal or regulatory basis to exceed the scope of the applicable contract terms.
Recent Developments in Enhancing Protections for Victims of Banking Fraud
In 2024, the Government of Canada launched the third phase of a review of the statutes that govern federally regulated financial institutions. This phase focused on exploring proposals to strengthen Canada’s financial sector, including with regard to the prevention of financial fraud, among other topics.
In its submission to the review process, the consumer advocacy organization Option consommateurs [in French] called for the establishment of a uniform legal framework for fraud protection across all payment methods that would shift more liability to the banks. For its part, the Canadian Bankers Association [in French] opposed the imposition of a maximum liability threshold, citing concerns that it would disincentivize the public from preventing and reporting cases of fraud. Finally, OBSI noted that imposing additional requirements on financial institutions would come at a financial cost, which would likely be passed on to consumers in the form of fees.
Other solutions have been proposed to combat online banking fraud, including the following:
- strengthening the security of financial institutions’ internal systems to prevent, detect or stop fraudulent transactions;
- raising consumer awareness of emerging trends in financial fraud; and
- increasing collaboration between the public and private sectors, as well as other stakeholders such as the federal, provincial and territorial governments, financial institutions, consumer protection organizations, law enforcement, telecom providers and digital platforms (social media).
Regarding the protection of victims of banking fraud, the United Kingdom seems to have taken a positive step by introducing reimbursement rules for “authorized” transactions involved in authorized push payment (or APP) scams. Victims coerced into sending money to a fraudster via bank transfer can be reimbursed for up to £85,000, provided that they have not acted with gross negligence, although this exception does not apply to vulnerable individuals. These protections have been in place since 7 October 2024.
By Iryna Zazulya, Library of Parliament