VANCOUVER -- Could your financial institution be putting you at risk for identity theft? While banks are required to protect your private information, Bank of Montreal customer Simon Knight says the government needs to put more restrictions in place on how they do that.
Last month, Knight was shocked to receive a statement in the mail from BMO Wealth Management Nesbitt Burns that contained a lot of his private sensitive information – everything that thieves would need to steal his identity, including his full social insurance number.
The statement also included his account number, home address, full name, home telephone number, cell number, work number, employer information including his employer’s address, his salary, fixed assets, liquid assets and total net worth, and his wife’s details too – all sent to his community mailbox in Coquitlam.
“I feel betrayed and let down by somebody I trust, because I did trust them,” Knight said.
The risk of mail theft
Knight guards his privacy closely and says he is highly sensitive to the possibility of mail theft – particularly that thieves can rob consumers of their hard-earned retirement savings.
“Top of the list has got to be security,” he said. “And I think this one piece of paper I’ve got in front of me is enough about Simon Knight to do something very malicious.”
Mail theft is a huge problem and if his mail had been stolen, it would be the key to open up accounts in his name.
“Often times you won’t even find out about it until you check your credit report and you see some mysterious accounts that have gone into collections,” said Maureen Mahoney, a Consumer Reports policy analyst.
Knight shredded the documents but ended up getting three more similar documents in the following days, and was told by his bank to expect even more because he has several accounts with BMO Nesbitt Burns.
“If it’s happening to me, Ross, it’s got to be happening to thousands or tens of thousands of other Bank of Montreal customers across Canada,” Knight told McLaughlin On Your Side.
The firm has 70 offices across the country. CTV News reached out and received this statement: “The security and safety of client information is of the utmost importance to us. We follow strict procedures when handling client information and, where possible, accommodate client preferences.”
Knight says he was told, when he spoke to his bank's management, that the mailed statements were required to keep customer information updated and to assess tolerance for risk on investments.
“I don’t think this is acceptable,” he said.
No restrictions
We discovered there are no rules or regulations about how financial firms reach out to their clients in order to keep information updated.
We reached out to eight different financial regulators and agencies, including: the Office of the Superintendent of Financial Institutions, the Financial Consumer Agency of Canada, the Privacy Commissioner of Canada, the Investment Industry Regulatory Organization of Canada, the B.C. Securities Commission, the Mutual Fund Dealers Association, the Canadian Bankers Association, and Canada’s Ombudsman for Banking Services and Investments.
And we could find no laws restricting the use of full social insurance numbers in these kind of "know your customer" communications.
“Once it’s out there’s no way to get it back,” said Mahoney.
A possible fix
The fix is seemingly simple: obscuring some of the digits of the social insurance number or not including it at all in mailings, statements or communications – something the United States started doing 20 years ago.
“And now over half the states have similar laws,” added Mahoney.
But we could find no such laws here in Canada.
BMO’s solution
As a solution, BMO ended up offering Knight five years of free credit monitoring.
So CTV News followed up with the bank, asking:
- What are your strict procedures when handling client information, particularly when revealing Social Insurance Numbers in emails, mailings, and other communications?
- What has BMO learned from this and what commitment will BMO make moving forward in how it handles these mailings?
- Will BMO stop sending out full Social Insurance Numbers in mailings and communications such as the “know your customer” mailings like the ones that were sent to Mr. Knight?
In response, a spokesperson said: “We offer a range of communications options, including electronic communications, encrypted email, and mail. We will always work with our clients to accommodate their preferences.”
But the bank would make no commitment to restrict the use of social insurance numbers in their communications.
And that's not good enough for Knight.
“I want them to stop this immediately,” he said.
Government options
Unless industry takes a lead on the issue, it may take legislation for real change to happen. McLaughlin On Your Side reached out to the federal minister of finance, Chrystia Freeland; the leader of the Opposition, Erin O’Toole; and the leader of the NDP, Jagmeet Singh.
Only Singh’s office replied to our inquiries, promising to look into it.
Many of the agencies we contacted expressed concern about privacy and protecting the confidentiality of consumer information, but none offered any comment on whether Knight’s information was handled appropriately.
It was suggested he could file a complaint with the Investment Industry Regulatory Organization of Canada and the Office of the Privacy Commissioner of Canada.
That office has proposed the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA) be modernized, which the federal government has committed to review, but no specific recommendations have yet been made for SINs.