Banks have a legal duty to protect the confidentiality of existing and former customers. Banks also have obligations under the Privacy Act 2020, which contains 13 privacy principles about personal information. In the banking sector, these principles govern:
- banks’ collection and storage of customer information
- customers’ rights to access and correct information about themselves
- the disclosure of personal information.
We can consider complaints about breaches of privacy and duty of confidence. Sometimes we refer a privacy complaint to the Office of the Privacy Commissioner if we consider it would be better dealt with by that office. An example would be if a customer sought compensation that exceeded our limit.
Concepts similar, but not the same
A duty of confidence and the legal obligation to protect privacy are similar, but not the same. The former applies to information about individuals and businesses, the latter to information about individuals only (and that includes bank staff). If a complaint requires us to look into the behaviour of a staff member, we can ask the bank to tell us what systems or process changes it has put in place to correct a problem, but we cannot seek information about any disciplinary or other action the bank may have taken against that individual.
Disclosing confidential information
There are four broad situations in which a bank can lawfully disclose confidential information:
- When the law compels it to: Banks sometimes have to give evidence about a customer’s affairs in court. Banks can also be required to give information to the Inland Revenue Department (under the Tax Administration Act 1994), to the Ministry of Social Development (under the Social Security Act 1964) and to a company liquidator (under the Companies Act 1993). Banks are also required to report suspicious transactions to Police (under the Financial Transactions Reporting Act 1996 and Anti-Money Laundering and Countering Financing of Terrorism Act 2009).
- When it has a public duty to: This applies when there is a danger to the state or when the wider public needs protection against crime. A bank needs to balance the public interest with respecting a customer’s right to privacy when it considers providing information about that person to a third party.
- When a bank must disclose information to protect its interests: This applies when a bank takes legal action against a customer (such as to recover a debt), or defends an action from a customer and needs to provide information about the customer’s affairs.
- When a customer agrees: A bank can disclose customer information if the customer agrees. A bank must ensure the information is correct and within the scope of the customer’s consent. A customer may, for example, agree to the bank’s disclosure of information about one account only. If the bank releases information about other accounts, it has breached its duty of confidence.
When a bank breaches confidentiality or privacy
If we consider a complaint about breach of confidence or privacy to be valid (whether accidental or deliberate), we assess whether this has resulted in a direct financial loss to the customer and, if so, award compensation. If the breach is continuing, we can also require the bank to cease its conduct.
We will look at whether the customer has suffered distress, embarrassment or inconvenience. We must be satisfied any distress, embarrassment or inconvenience warrants a compensation payment. Sometimes customers submit substantial claims for minor frustration or inconvenience. We are unlikely to award compensation for minor mistakes that have little or no harmful effects. Banks are also required to report suspicious transactions to Police (under the Financial Transactions Reporting Act 1996 and Anti-Money Laundering and Countering Financing of Terrorism Act 2009).
Sometimes we refer a privacy complaint to the Office of the Privacy Commissioner if we consider it would be better dealt with by that office.
Stress payment for staff member's snooping reasonable
Hana had taken a protection order against her former husband and gone with her children to another part of the country for a few weeks to get away from him.CASE 2
Bank offers $500 over incorrectly addressed statement
Tani gave her new address details when opening a savings account, but the bank mailed her first account statement to her old address because of a technical glitch.CASE 3
Medical information request too broad
Sarah bought a life insurance policy with death and terminal illness benefits through her bank. Eight years later, she was diagnosed with a serious illness and lodged a terminal illness benefit claim.
Common scams targeting bank customers
You always need to be on your guard when it comes to banking and money matters. That doesn’t mean being suspicious or paranoid. Rather, it means exercising care and maintaining a healthy scepticism towards individuals or companies when you’re online. We recommend you take the following precautions:
How to bank safelyFind out something about the company or individual you are dealing with. Do an in...
Financial abuse of the elderly
Financial abuse can take the form of:
misusing or stealing from the bank accounts of those in their care
pressuring a person to sign a legal document, such as a guarantee or mortgage
using a power of attorney in a way that is not in the interests of the person who granted it.
Pressure from family member or caregiverElderly people may face pressure from family members for financial support. For ex...
Anti-money laundering - changes to banking
The Anti-Money Laundering and Countering the Financing of Terrorism Act 2009 obliges New Zealand’s financial institutions and businesses to detect and deter money laundering and the financing of terrorism. The Act, which came into full force in 2013, also requires banks to gather more information about customers than previously. This can be inconvenient to some customers, but is a legal requiremen...