Online banking agreements protect banks, hold customers liable for losses, expert says

An expert in contract law who analyzed the electronic banking agreements for BMO, CIBC, RBC, Scotiabank and TD says the contracts are "so one-sided" they need to be rewritten with third-party oversight to even the playing field for customers.

Contract lawyer says terms overwhelmingly favour banks, calls for more consumer protections

General contractor Jeff Harney shows Go Public's Erica Johnson his electronic banking agreement with RBC. (Maggie MacPherson/CBC)

Jeff Harney is one of hundreds of people who recently contacted Go Public after losing a fight with their bank — many saying they felt powerless against new electronic banking agreements they didn't understand, couldn't navigate and which they felt protected their bank from any liability.

"They've made this clause, which clears themselves of all responsibility," said the North Vancouver contractor, pointing to a section in his agreement that RBC used to refuse to pay him after he lost $1,500 in a case of e-transfer fraud last May.

Most of Canada's five big banks — BMO, CIBC, RBC, Scotiabank and TD — recently updated their electronic banking agreements, so Go Public asked an expert to assess how well they balance the banks' liabilities against customer protections.

The news is not good for millions of customers.

"They are so one-sided and benefit the banks to such a degree that there is no way that I would call these bargained agreements," said Anthony Daimsis, a professor of contract law at the University of Ottawa. 

"These are take it or leave it — where the taker [customer] really has no option."

Daimsis says there's such a "huge imbalance of power" that Ottawa should create better protections to give customers a fighting chance when something goes wrong with their online banking.

Daimsis — who has studied hundreds of contracts — spent hours analyzing the agreements from the big five banks.

He critiqued all five banking agreements on four things: 

  • Clarity of language.
  • What kind of liability the banks accepted.
  • The responsibilities of customers.
  • How people were notified about amendments.

All say the banks are entitled to change the agreements at any time, and most say they will determine how customers are notified.

"I'll give you an absurd example," said Daimsis. "If the head of the bank, on the last Thursday of the month, says, 'This is how I'll notify of changes — I'm going to lift my window and yell it out of my office' is that really notification?"

"The purpose of notifying is not merely to send the information out. It's to ensure that the information is received properly and consistently with what that agreement is."

'The changes benefit TD'

TD's new agreement takes effect March 2. Daimsis says it gets points for clearly identifying how the terms have changed — but loses points because customers get a raw deal.

"The changes benefit TD," said Daimsis. 

For instance, the old agreement said customers were liable for losses as soon as they "become aware" a banking card or device has been lost, stolen or misused. The new one says they are liable as soon as they "suspect" it. 

"My concern is, what is that standard of suspicion? Because TD doesn't tell us," said Daimsis. 

"And what makes this especially difficult is that the banks internally investigate. These are not transparent investigations."

Longtime TD customer Debora Bloom of Collingwood, Ont., says the new terms "felt a bit smelly" when she read them.

"It felt to me like the banks were starting to tilt the balance in favour of themselves." 

She worries the onus is on customers to prove they didn't share bank cards or PINs, for example.

"It's a 'he said/she said' at the end of the day," said Bloom. "They've got a team of expensive lawyers against Joe and Josephine Consumer. You're going to empty your bank account just to position your point of view."

TD customer Debora Bloom says she understands banks have an obligation to shareholders, but her new banking agreement goes too far in favour of the bank. (Submitted by Debora Bloom)

Bloom says she complained last October to the Financial Consumer Agency of Canada (FCAC), asking the regulator to make financial institutions more accountable.

"They need to do a better job," she said of FCAC. 

The FCAC would not confirm whether it had received Bloom's complaint or whether it was investigating.

A spokesperson for TD Bank said in a written statement that customers have a key role in protecting against fraud. 

"Customers have obligations that are outlined in our agreements, including taking reasonable steps to safeguard their debit and credit cards, and keeping personal identification numbers and passwords confidential, among other requirements."

The statement says that most customers who experience fraud "end up being reimbursed."

Scotia's agreement 'so bad it's shocking'

Daimsis says it took him the longest to go through Scotiabank's online agreement, which was updated last May.

Most of the terms in Scotia's agreement aren't numbered, and one part refers to consumer protections being "subject to Section 13" — but Daimsis couldn't find Section 13 anywhere.

"Scotia's agreement is so bad, it's shocking," he said. 

University of Ottawa contract law professor Anthony Daimsis is calling on the federal government to create a code of conduct so banks can’t have agreements that are unfair to customers. (Brian Morris/CBC)

Daimsis was also concerned that important information outlining a customer's responsibilities — such as never to do online banking using public Wi-Fi — is in smaller font than the rest of the agreement. 

"It shouldn't require me to read something closely and maybe just catch that in a small font," said Daimsis. "I would want that front and centre, because not everyone knows the security concerns dealing with Wi-Fi."

Scotiabank did not address any of the criticism about its online agreement to Go Public, but in a statement said: "We regularly review our policies and procedures to ensure they align with best practices."

RBC not responsible 'even if we are negligent'

When RBC introduced its new terms last May, it required customers to accept the agreement before they could continue accessing their online banking.

One clause says the bank can't be held responsible for loss of data or damages "even if we are negligent." 

"They call them agreements," said Daimsis. "I don't know if I'm really agreeing to something if I have no choice."

Harney says he certainly didn't feel he could argue with RBC after his email was hacked and fraudsters made off with the $1,500 e-transferred to him. He hadn't read a clause that limits his bank's liability.

"The bank was saying that [according to its agreement] they are allowed to pay an e-transfer to whoever accepts it — as long as they answer the security question," said Harney. 

"The only reason I would've ever come across this part of the contract is after I've experienced a problem," he said. 

Harney says RBC used its agreement to justify refusing to reimburse him after e-transfer fraud cost him $1,500. (Maggie MacPherson/CBC)

In a statement, RBC said it "takes seriously its responsibility to protect clients from fraud" and provides information about protecting against e-transfer fraud.

Daimsis says much of the important information in RBC's agreement will likely never be read — the contract is 35 pages long.

"It's too much," said Daimsis. "You get lost very quickly and you just put it down. At that point you're just assuming, 'Well if my online banking works, I guess everything's OK.'" 

RBC said its agreement is long because it "covers multiple topics" but is organized so clients can find relevant information.

BMO can change terms at any time

BMO was ranked best by Daimsis for using clear and simple language. He said the bank's agreement — updated in December — also says customers will not be responsible for "circumstances beyond your control" and appears to take responsibility for "any errors we made, technical problems or system malfunctions". 

But like all the agreements, BMO's terms are weighted in favour of the bank, said Daimsis. 

Most concerning was a clause that says BMO can change the terms at any time and that customers "agree to any changes made when notice is given in our Canadian branches or in any other manner, which we may determine from time to time."

BMO's agreement uses clear language and appears to take responsibility for any errors, but still favours the bank, Daimsis said. (Doug Ives/The Canadian Press)

"No person who has the ability to disagree would agree to such a term," said Daimsis. "I would not agree to somebody who says, 'Here's my agreement with you. I get to change it and I'll notify you the way I want to notify you.'"

BMO's statement to Go Public did not address the criticisms. 

Instead, a spokesperson wrote that the bank's focus "is on delivering a great customer experience around our banking services" and that BMO has "an electronic banking guarantee and reimburses customers for any losses resulting from unauthorized transactions."

CIBC's broad terms limit liability

CIBC's agreement, which was last updated in 2016, raised concerns about clarity of language.

Daimsis cites a clause he says uses very broad terms that are open to interpretation.

It states CIBC will only be liable in cases of its "gross negligence, fraud or willful misconduct."

"Not just negligence but so grossly negligent — whatever that means — that's the only time they'll take on some responsibility," said Daimsis.

The agreement also restricts any reimbursements to direct damages.

CIBC says in its agreement it will only be held responsible for 'gross negligence, fraud or willful misconduct.' (Nathan Denette/Canadian Press)

"Which means they're not going to address the consequence of their error on your financial well-being," said Daimsis.

If your account is emptied and you are evicted, for example, the bank won't pay for costs stemming from the eviction. 

"Very often the direct damages are not as large as what the consequences of ... what the bank security issue has led to," said Daimsis.

In a statement, a CIBC spokesperson said the agreement "reflects industry best practices and regulatory requirements that protect our clients each and every day. It is regularly reviewed to ensure that protections and guarantees for clients keep pace with the evolving banking landscape."

When are the banks liable?

All the banks say they'll take responsibility for financial losses in certain situations — ranging from employee fraud to transactions on credit cards that are forged or expired.

They also say they invest significant resources in protecting customer accounts from fraud, but emphasize that protections are a shared responsibility: customers must carefully read their agreements and follow requirements to keep their transactions safe from cybercrime and other losses.

Canada's banks get away with limiting customer protections because they're in the driver's seat, says Daimsis.

"These banks know that they're the only real game in town. So, then, why would they ever lower their standards?" he said. 

TD's new contract requires customers to notify the bank when they 'suspect' unauthorized transactions — a term Daimsis says is open to interpretation. (Brian Morris/CBC)

"And what's especially disturbing ... in the banking industry, we're dealing with really sensitive subjects. People's credit-worthiness; their ability to buy a home, their ability to pay for the right to just operate in our society. So they're really at a disadvantage when the bank says these are the terms and that's it."

He says the federal government should step in.

"It's critical to have that oversight body — a third party — that would balance it in a way that reflects the reality and the sensitive relationship between a bank and a consumer."

Go Public asked the Ministry of Finance whether Ottawa would consider requiring language that would ensure consumers have guarantees that the bank will protect their life savings, and reimburse them when their online banking systems fail.

A ministry spokesperson emailed a response, steering us to a voluntary code of conduct for debit cards created in 1992 and last updated in 2004, that a number of financial institutions have agreed to apply to online transactions.

Go Public also asked each of the big five banks whether they would work with a third party on a code of conduct.

None of the banks answered that question. 

Their umbrella organization, the Canadian Bankers Association, said in a statement that banks "already comply with multiple codes of conduct" and are also "subject to strong oversight by the federal government, regulators and related agencies, and work closely with them on consumer protection and education."

With files from Enza Uda
