Banks have a legal duty to protect the confidentiality of existing and former customers. Banks also have obligations under the Privacy Act 2020, which contains 13 privacy principles about personal information. In the banking sector, these principles govern:
- banks’ collection and storage of customer information
- customers’ rights to access and correct information about themselves
- the disclosure of personal information.
We can consider complaints about breaches of privacy and duty of confidence. Sometimes we refer a privacy complaint to the Office of the Privacy Commissioner if we consider it would be better dealt with by that office. An example would be if a customer sought compensation that exceeded our limit.
Concepts similar, but not the same
A duty of confidence and the legal obligation to protect privacy are similar, but not the same. The former applies to information about individuals and businesses, the latter to information about individuals only (and that includes bank staff). If a complaint requires us to look into the behaviour of a staff member, we can ask the bank to tell us what systems or process changes it has put in place to correct a problem, but we cannot seek information about any disciplinary or other action the bank may have taken against that individual.
Disclosing confidential information
There are four broad situations in which a bank can lawfully disclose confidential information:
- When the law compels it to: Banks sometimes have to give evidence about a customer’s affairs in court. Banks can also be required to give information to the Inland Revenue Department (under the Tax Administration Act 1994), to the Ministry of Social Development (under the Social Security Act 1964) and to a company liquidator (under the Companies Act 1993). Banks are also required to report suspicious transactions to Police (under the Financial Transactions Reporting Act 1996 and Anti-Money Laundering and Countering Financing of Terrorism Act 2009).
- When it has a public duty to: This applies when there is a danger to the state or when the wider public needs protection against crime. A bank needs to balance the public interest with respecting a customer’s right to privacy when it considers providing information about that person to a third party.
- When a bank must disclose information to protect its interests: This applies when a bank takes legal action against a customer (such as to recover a debt), or defends an action from a customer and needs to provide information about the customer’s affairs.
- When a customer agrees: A bank can disclose customer information if the customer agrees. A bank must ensure the information is correct and within the scope of the customer’s consent. A customer may, for example, agree to the bank’s disclosure of information about one account only. If the bank releases information about other accounts, it has breached its duty of confidence.
When a bank breaches confidentiality or privacy
If we consider a complaint about breach of confidence or privacy to be valid (whether accidental or deliberate), we assess whether this has resulted in a direct financial loss to the customer and, if so, award compensation. If the breach is continuing, we can also require the bank to cease its conduct.
We will look at whether the customer has suffered distress, embarrassment or inconvenience. We must be satisfied any distress, embarrassment or inconvenience warrants a compensation payment. Sometimes customers submit substantial claims for minor frustration or inconvenience. We are unlikely to award compensation for minor mistakes that have little or no harmful effects. Banks are also required to report suspicious transactions to Police (under the Financial Transactions Reporting Act 1996 and Anti-Money Laundering and Countering Financing of Terrorism Act 2009).
Sometimes we refer a privacy complaint to the Office of the Privacy Commissioner if we consider it would be better dealt with by that office.
Bank offers $15,000 for failing to block previous owners from company’s accounts
Peyton bought a business in December 2020. In June 2022, the previous owners contacted Peyton's bank to say they had discovered their internet banking still gave them access to the accounts of the business. The bank realised it had failed to correctly de-link them from the accounts in December 2020.
CASE 2Contacting customer’s employer a breach of privacy
Leon got into arrears with his credit card. He was living overseas but had a New Zealand address on file with the bank. The bank emailed him to say his credit card debt was overdue. Leon replied that he would make a payment “very soon”. He didn’t, and the bank made further attempts to contact him, at which point Leon said he told the bank he was in financial hardship.
CASE 3Bank had valid grounds for disclosing information to police
In May 2020, police contacted Edgar's bank seeking copies of his transaction statements to help them locate and arrest him. He had skipped bail while waiting to appear in court on criminal charges
Financial abuse of the elderly
Financial abuse can take the form of:
misusing or stealing from the bank accounts of those in their care
pressuring a person to sign a legal document, such as a guarantee or mortgage
using a power of attorney in a way that is not in the interests of the person who granted it.
Pressure from family member or caregiver
Elderly people may face pressure from family members for financial support. For …
Anti-money laundering - changes to banking
The Anti-Money Laundering and Countering the Financing of Terrorism Act 2009 obliges New Zealand’s financial institutions and businesses to detect and deter money laundering and the financing of terrorism. The Act, which came into full force in 2013, also requires banks to gather more information about customers than previously. This can be inconvenient to some customers, but is a legal requiremen…
Credit laws and banking
Banks' obligationsConsumer credit contracts legislation covers most of the lending-related complaints we investigate. A consumer credit contract will exist whenever a bank lends to a customer for personal use, such as through a mortgage, credit card, arranged overdraft or personal loan. Such contracts typically take the form of a customer agreement (such as a home loan agreement) or the standard t…
Updated December 2024