The Reserve Bank of New Zealand Act 1989 requires banks to keep certain transaction information about deposits and withdrawals for seven years. Some banks keep information for longer than this. Some allow customers to access transaction records stretching back many years through online banking. Banks don’t have to keep physical copies; electronic copies are sufficient.

Non-transaction records

Banks also hold a lot of non-transaction records such as applications, phone conversations, internal notes and customer correspondence. They do not have to hold such records for any set period, although we expect banks to hold critical information about communications with customers for a suitable period of time. Again, electronic rather than hard-copy versions are acceptable. Thus, a loan is still enforceable even if a bank no longer has an original copy signed by a customer.

Customer rights

Under the Privacy Act 1993, you can seek copies of personal information held by your bank about you.

Your bank must tell you within 20 working days whether it will give you the information you have sought, and explain why if it declines. A bank cannot supply information it no longer holds. If a bank has the information and you are entitled to it, the bank should supply it within a reasonable timeframe. 

The Privacy Commissioner’s website has information about your right to access personal information.

We expect a bank to carry out a proper search to establish whether it has the information you have sought. It is not sufficient for a bank to say it is unable to provide information simply because it is no longer required by law to hold it.

A bank is allowed to charge a fee to help cover the cost of supplying the information you have sought.

How we can help

 If your bank refuses to give you information, we may be able to review whether it has good grounds for withholding it.

 If your bank says it no longer holds the information you are seeking and you want a third party to verify that, we can liaise with your bank to ensure it has properly checked its records. If we are satisfied the bank has done this, and it no longer has to hold the information, then we cannot help you further.

We may not be able to help you if your complaint relates to old records. That’s because the rules under which we operate do not allow us to look into a complaint if you became aware of, or should reasonably have become aware of, a bank’s action or inaction more than six years ago.

Privacy & confidentiality

Banks have a legal duty to protect the confidentiality of existing and former customers. Banks also have obligations under the Privacy Act 1993, which contains 12 privacy principles about personal information. In the banking sector, these principles govern:

  • banks’ collection and storage of customer information
  • customers’ rights to access and correct information about themselves
  • the disclosure of personal information.

We can consider complaints about breaches of privacy and duty of confidence. Sometimes we refer a privacy complaint to the Office of the Privacy Commissioner if we consider it would be better dealt with by that office. An example would be if a customer sought compensation that exceeded our limit. 

Concepts similar, but not the same

A duty of confidence and the legal obligation to protect privacy are similar, but not the same. The former applies to information about individuals and businesses, the latter to information about individuals only (and that includes bank staff). If a complaint requires us to look into the behaviour of a staff member, we can ask the bank to tell us what systems or process changes it has put in place to correct a problem, but we cannot seek information about any disciplinary or other action the bank may have taken against that individual.

Disclosing confidential information

There are four broad situations in which a bank can lawfully disclose confidential information:

  • When the law compels it to: Banks sometimes have to give evidence about a customer’s affairs in court. Banks can also be required to give information to the Inland Revenue Department (under the Tax Administration Act 1994), to the Ministry of Social Development (under the Social Security Act 1964) and to a company liquidator (under the Companies Act 1993). Banks are also required to report suspicious transactions to Police (under the Financial Transactions Reporting Act 1996 and Anti-Money Laundering and Countering Financing of Terrorism Act 2009).  
  • When it has a public duty to: This applies when there is a danger to the state or when the wider public needs protection against crime. A bank needs to balance the public interest with respecting a customer’s right to privacy when it considers providing information about that person to a third party.
  • When a bank must disclose information to protect its interests: This applies when a bank takes legal action against a customer (such as to recover a debt), or defends an action from a customer and needs to provide information about the customer’s affairs.
  • When a customer agrees: A bank can disclose customer information if the customer agrees. A bank must ensure the information is correct and within the scope of the customer’s consent. A customer may, for example, agree to the bank’s disclosure of information about one account only. If the bank releases information about other accounts, it has breached its duty of confidence.

When a bank breaches confidentiality or privacy

If we consider a complaint about breach of confidence or privacy to be valid (whether accidental or deliberate), we assess whether this has resulted in a direct financial loss to the customer and, if so, award compensation. We also look at whether the customer has suffered distress, embarrassment or inconvenience. We must be satisfied any distress, embarrassment or inconvenience warrants a compensation payment. Sometimes customers submit substantial claims for minor frustration or inconvenience. We are unlikely to award compensation for minor mistakes that have little or no harmful effects company liquidator (under the Companies Act 1993). Banks are also required to report suspicious transactions to Police (under the Financial Transactions Reporting Act 1996 and Anti-Money Laundering and Countering Financing of Terrorism Act 2009). 

Common scams targeting bank customers

You always need to be on your guard when it comes to banking and money matters. That doesn’t mean being suspicious or paranoid. Rather, it means exercising care and maintaining a healthy scepticism towards individuals or companies when you’re online. We recommend you take the following precautions:

How to bank safely

  • Find out something about the company or individual you are dealing with. Do an internet search, look for reviews, ask for a physical address you can check, and look up the company on the Companies Register.
  • Check Consumer Protection’s scam alert website.
  • Check with someone independent and trustworthy before you commit to anything.
  • Do not give out account details unless the business is established and trusted.
  • Never accept money into your account for subsequent transfer to others.
  • Never give out your PIN or internet banking password.
  • Check your accounts regularly to ensure money is going to the right places.
  • Report any likely scams to your bank.
  • When emailing people about making a payment, confirm the payment details using another form of communication (such as by phone). You may not be communicating with the person you imagine, because fraudsters hack into email accounts and assume the account holder’s identity. A quick phone call can foil such deception.
  • Contact your bank immediately if you suspect you have been scammed. It may be able to reverse a payment (but that’s unlikely if you’ve authorised the payment and it has gone through).

If you find you've become the victim of a scam and you complain to us, our job is to determine whether your bank is liable for the loss.

Phishing scams

Scammers try to trick customers into giving out personal information such as bank account numbers, passwords and credit card numbers. This is called a phishing scam. Typically, customers receive an email from what looks like their bank. It will say they need to confirm some personal details, usually their internet banking username and password. It will contain a link to a website that looks like the bank’s but is fake. Customers who enter these details will soon find scammers have accessed their accounts and cleared out their money.

Be extremely wary of emails that appear to be from your bank and that ask you to confirm your personal details. Banks will never ask you for your password in emails. Don’t click on links within any email if you have the slightest suspicion about its authenticity. Simply delete the email. If you need to go to your bank’s website, type the address into your browser.

If you enter your internet banking password and other details into a fake website, it’s likely you will be liable for any losses because you disclosed this crucial information.

Fraudsters may also make phishing phone calls pretending to be your bank, telephone company, government department or a computer company. They may ask you to turn on your computer and download software that gives them access to everything on your computer. A fraudster who has gained access to your computer may be able to steal money from your bank accounts. Be very cautious about unsolicited phone calls, no matter how plausible the caller sounds. 

Sending money to scammers

Scammers can also trick bank customers into sending money to them. How they do this varies. A common way is to ask customers to send a processing fee in order to receive an inheritance or the proceeds of an investment. Another is for someone met on an online dating site to seek financial help. Losses from such scams can run into tens of thousands of dollars.

Always be careful if someone you don’t know or have met only online asks for money. It can seldom be recovered. Your bank is very unlikely to be liable for losses you suffer if you give it instructions to send money to someone, it follows those instructions and you later find out that the individual was a scammer.

Money mules

Another scam is to ask a bank customer – the mule  – to accept and forward on money stolen from another victim’s bank account. Scammers convince people there is a legitimate reason for the transfer, such as paying a fee associated with a job application or helping someone with whom they have an online relationship.

A bank may reverse a payment from a mule’s account if the money is found to have been stolen. This, in turn, can cause the mule’s account to be overdrawn if there isn’t enough money in the account. The bank will ask the mule to repay the overdrawn sum.

In such cases, we consider whether the bank’s terms and conditions allow it to reverse a payment from a mule’s account. We also assess whether the bank had sufficient information to conclude the money was stolen before it reversed the payment. If so, the customer will be held liable for the loss.     

PIN scams

These aim to get customers to disclose their PIN. Scammers have usually already stolen a customer’s wallet, but to use any credit or debit cards they need the PIN.

Scammers use different techniques to get intended victims to disclose their PIN. Scammers may, for example, say they are from the bank and have noticed suspicious transactions that indicate a card has been stolen. They will suggest cancelling the card, but doing that, they add, will require the customer to verify his or her PIN in order to authorise the cancellation. The giveaway here is that banks never ask for a customer's PIN.

Another technique is to contact a customer and say he or she has won a prize. The customer is asked to make up a four-digit number for identification purposes when collecting the prize. The scammer may be making the call from an ATM and will tap in the number. If not the PIN, the scanner will say that number has been taken, and to pick another. Subconsciously or otherwise, many customers will eventually give out their PIN.

By disclosing your PIN to anyone, you are breaching the terms and conditions of your account or card and you will generally be liable for fraudulent transactions. You won’t be liable for fraudulent transactions if you have taken reasonable care of your card and PIN. 

Financial abuse of the elderly

Financial abuse can take the form of:

  • misusing or stealing from the bank accounts of those in their care
  • pressuring a person to sign a legal document, such as a guarantee or mortgage
  • using a power of attorney in a way that is not in the interests of the person who granted it.

Pressure from family member or caregiver

Elderly people may face pressure from family members for financial support. For example, an adult child may pressure a parent to guarantee a loan or become a co-borrower on a loan using the parent’s house as security. 

If someone is pressuring you to sign a bank document, or is accessing your accounts without your permission, contact your local bank branch. Staff will give you advice on how best to protect yourself and your banking affairs. In so doing, bank staff will also be alert to any unusual activity in your accounts.

Suspicions of financial abuse

If you suspect an elderly friend or relative is the subject of financial abuse, you may like to raise the subject diplomatically with that person. Some tentative questions can either allay or confirm your suspicions. You may wish to raise your concerns with a trusted family member. The Office for Seniors runs a free helpline (0800 32 668 65) that gives callers information about elder abuse and also connects them to support services.

Other types of financial abuse

Like all customers, older people can also be approached by individuals running financial scams. Fraudsters can make contact in person, by phone, email, or through the internet. 

More information

The following organisations also deal with matters affecting the elderly: