Banks have a legal duty to protect the confidentiality of existing and former customers. Banks also have obligations under the Privacy Act 1993, which contains 12 privacy principles about personal information. In the banking sector, these principles govern:
- banks’ collection and storage of customer information
- customers’ rights to access and correct information about themselves
- the disclosure of personal information.
We can consider complaints about breaches of privacy and duty of confidence. Sometimes we refer a privacy complaint to the Office of the Privacy Commissioner if we consider it would be better dealt with by that office. An example would be if a customer sought compensation that exceeded our limit.
Concepts similar, but not the same
A duty of confidence and the legal obligation to protect privacy are similar, but not the same. The former applies to information about individuals and businesses, the latter to information about individuals only (and that includes bank staff). If a complaint requires us to look into the behaviour of a staff member, we can ask the bank to tell us what systems or process changes it has put in place to correct a problem, but we cannot seek information about any disciplinary or other action the bank may have taken against that individual.
Disclosing confidential information
There are four broad situations in which a bank can lawfully disclose confidential information:
- When the law compels it to: Banks sometimes have to give evidence about a customer’s affairs in court. Banks can also be required to give information to the Inland Revenue Department (under the Tax Administration Act 1994), to the Ministry of Social Development (under the Social Security Act 1964) and to a company liquidator (under the Companies Act 1993). Banks are also required to report suspicious transactions to Police (under the Financial Transactions Reporting Act 1996 and Anti-Money Laundering and Countering Financing of Terrorism Act 2009).
- When it has a public duty to: This applies when there is a danger to the state or when the wider public needs protection against crime. A bank needs to balance the public interest with respecting a customer’s right to privacy when it considers providing information about that person to a third party.
- When a bank must disclose information to protect its interests: This applies when a bank takes legal action against a customer (such as to recover a debt), or defends an action from a customer and needs to provide information about the customer’s affairs.
- When a customer agrees: A bank can disclose customer information if the customer agrees. A bank must ensure the information is correct and within the scope of the customer’s consent. A customer may, for example, agree to the bank’s disclosure of information about one account only. If the bank releases information about other accounts, it has breached its duty of confidence.
When a bank breaches confidentiality or privacy
If we consider a complaint about breach of confidence or privacy to be valid (whether accidental or deliberate), we assess whether this has resulted in a direct financial loss to the customer and, if so, award compensation. We also look at whether the customer has suffered distress, embarrassment or inconvenience. We must be satisfied any distress, embarrassment or inconvenience warrants a compensation payment. Sometimes customers submit substantial claims for minor frustration or inconvenience. We are unlikely to award compensation for minor mistakes that have little or no harmful effects company liquidator (under the Companies Act 1993). Banks are also required to report suspicious transactions to Police (under the Financial Transactions Reporting Act 1996 and Anti-Money Laundering and Countering Financing of Terrorism Act 2009).
Stress payment for staff member's snooping reasonable
Hana had taken a protection order against her former husband and gone with her children to another part of the country for a few weeks to get away from him.CASE 2
Bank offers $500 over incorrectly addressed statement
Tani gave her new address details when opening a savings account, but the bank mailed her first account statement to her old address because of a technical glitch.CASE 3
Medical information request too broad
Sarah bought a life insurance policy with death and terminal illness benefits through her bank. Eight years later, she was diagnosed with a serious illness and lodged a terminal illness benefit claim.
Common scams targeting bank customers
How to bank safely
You always need to be on your guard when it comes to banking and money matters. That doesn’t mean being suspicious or paranoid. Rather, it means exercising care and maintaining a healthy scepticism towards individuals or companies when you’re online. We recommend you take the following precautions:
- Find out something about the company or individual you are dealing with. Do an internet search, look for reviews, ask for a physical address you can check, and look up the company on the Companies Register.
- Check Consumer Protection’s scam alert website.
- Check with someone independent and trustworthy before you commit to anything.
- Do not give out account details unless the business is established and trusted.
- Never accept money into your account for subsequent transfer to others.
- Never give out your PIN or internet banking password.
- Check your accounts regularly to ensure money is going to the right places.
- Report any likely scams to your bank.
- When emailing people about making a payment, confirm the payment details using another form of communication (such as by phone). You may not be communicating with the person you imagine, because fraudsters hack into email accounts and assume the account holder’s identity. A quick phone call can foil such deception.
- Contact your bank immediately if you suspect you have been scammed. It may be able to reverse a payment (but that’s unlikely if you’ve authorised the payment and it has gone through).
If you find you've become the victim of a scam and you complain to us, our job is to determine whether your bank is liable for the loss.
Scammers try to trick customers into giving out personal information such as bank account numbers, passwords and credit card numbers. This is called a phishing scam. Typically, customers receive an email from what looks like their bank. It will say they need to confirm some personal details, usually their internet banking username and password. It will contain a link to a website that looks like the bank’s but is fake. Customers who enter these details will soon find scammers have accessed their accounts and cleared out their money.
Be extremely wary of emails that appear to be from your bank and that ask you to confirm your personal details. Banks will never ask you for your password in emails. Don’t click on links within any email if you have the slightest suspicion about its authenticity. Simply delete the email. If you need to go to your bank’s website, type the address into your browser.
If you enter your internet banking password and other details into a fake website, it’s likely you will be liable for any losses because you disclosed this crucial information.
Fraudsters may also make phishing phone calls pretending to be your bank, telephone company, government department or a computer company. They may ask you to turn on your computer and download software that gives them access to everything on your computer. A fraudster who has gained access to your computer may be able to steal money from your bank accounts. Be very cautious about unsolicited phone calls, no matter how plausible the caller sounds.
Sending money to scammers
Scammers can also trick bank customers into sending money to them. How they do this varies. A common way is to ask customers to send a processing fee in order to receive an inheritance or the proceeds of an investment. Another is for someone met on an online dating site to seek financial help. Losses from such scams can run into tens of thousands of dollars.
Always be careful if someone you don’t know or have met only online asks for money. It can seldom be recovered. Your bank is very unlikely to be liable for losses you suffer if you give it instructions to send money to someone, it follows those instructions and you later find out that the individual was a scammer.
Another scam is to ask a bank customer – the mule – to accept and forward on money stolen from another victim’s bank account. Scammers convince people there is a legitimate reason for the transfer, such as paying a fee associated with a job application or helping someone with whom they have an online relationship.
A bank may reverse a payment from a mule’s account if the money is found to have been stolen. This, in turn, can cause the mule’s account to be overdrawn if there isn’t enough money in the account. The bank will ask the mule to repay the overdrawn sum.
In such cases, we consider whether the bank’s terms and conditions allow it to reverse a payment from a mule’s account. We also assess whether the bank had sufficient information to conclude the money was stolen before it reversed the payment. If so, the customer will be held liable for the loss.
These aim to get customers to disclose their PIN. Scammers have usually already stolen a customer’s wallet, but to use any credit or debit cards they need the PIN.
Scammers use different techniques to get intended victims to disclose their PIN. Scammers may, for example, say they are from the bank and have noticed suspicious transactions that indicate a card has been stolen. They will suggest cancelling the card, but doing that, they add, will require the customer to verify his or her PIN in order to authorise the cancellation. The giveaway here is that banks never ask for a customer's PIN.
Another technique is to contact a customer and say he or she has won a prize. The customer is asked to make up a four-digit number for identification purposes when collecting the prize. The scammer may be making the call from an ATM and will tap in the number. If not the PIN, the scanner will say that number has been taken, and to pick another. Subconsciously or otherwise, many customers will eventually give out their PIN.
By disclosing your PIN to anyone, you are breaching the terms and conditions of your account or card and you will generally be liable for fraudulent transactions. You won’t be liable for fraudulent transactions if you have taken reasonable care of your card and PIN.
Financial abuse of the elderly
Financial abuse can take the form of:
- misusing or stealing from the bank accounts of those in their care
- pressuring a person to sign a legal document, such as a guarantee or mortgage
- using a power of attorney in a way that is not in the interests of the person who granted it.
Pressure from family member or caregiver
Elderly people may face pressure from family members for financial support. For example, an adult child may pressure a parent to guarantee a loan or become a co-borrower on a loan using the parent’s house as security.
If someone is pressuring you to sign a bank document, or is accessing your accounts without your permission, contact your local bank branch. Staff will give you advice on how best to protect yourself and your banking affairs. In so doing, bank staff will also be alert to any unusual activity in your accounts.
Suspicions of financial abuse
If you suspect an elderly friend or relative is the subject of financial abuse, you may like to raise the subject diplomatically with that person. Some tentative questions can either allay or confirm your suspicions. You may wish to raise your concerns with a trusted family member. The Office for Seniors runs a free helpline (0800 32 668 65) that gives callers information about elder abuse and also connects them to support services.
Other types of financial abuse
Like all customers, older people can also be approached by individuals running financial scams. Fraudsters can make contact in person, by phone, email, or through the internet.
The following organisations also deal with matters affecting the elderly:
Anti-money laundering - changes to banking
The Anti-Money Laundering and Countering the Financing of Terrorism Act 2009 obliges New Zealand’s financial institutions and businesses to detect and deter money laundering and the financing of terrorism. The Act, which came into full force in 2013, also requires banks to gather more information about customers than previously. This can be inconvenient to some customers, but is a legal requirement for banks.
Information banks must collect
Banks must be more stringent when verifying a customer's identity. They need information from independent and reliable sources to do this.
The Act requires banks to collect more information about their customers to:
- ensure their understanding of a customer’s business with them is accurate
- help them assess the customer’s risk profile
- help them identify transactions that may be suspicious.
You may have to provide more evidence of your identity and personal details than before. This can extend to all types of accounts, including personal, business and trust accounts. Similarly, your bank may ask for more information if you want to transfer money above a certain amount overseas.
A bank must report to police any transaction it reasonably believes is suspicious.
A bank must not do business with a customer if it is unable to comply with the Act in its dealings with that customer. This means:
- it may not process certain transactions
- it can withdraw its products and services
- it can choose not to accept someone as a customer.
Information you may need to get
You may have to provide:
- your full name and date of birth
- your address
- your relationship to the customer (if you are not the customer)
- your company’s identifier or registration number
- the source of your funds
- the names and dates of birth for beneficiaries of a trust
- the details of someone you are sending money to if you are making an international payment
- the nature and purpose of your business with the bank
- any other information prescribed by regulations.
A bank may ask for the following to verify your identity:
- your passport, or
- your birth certificate and 18+ card, or
- your driver’s licence and EFTPOS card.
A bank may ask for the following to verify your address:
- recent utility bill, bank statement or insurance policy, or
- recent letter from the Electoral Office, a government agency, your employer or
- recent tenancy agreement.
Note: these are examples only. Your bank may want extra or different information.
Where to take your concerns
Talk to your bank first if you have concerns about how the Act affects you. Banks are legally required to have policies and practices compliant with the Act. We do not have the power to compel banks to alter their practices or policies. However, we may be able to consider a complaint about a practice or policy that has breached an obligation or duty that the bank owes to the customer. You can also complain to us if you believe your bank has breached its statutory obligations.