Six hard inquiries the bank did not ask permission for.
A Canadian consumer, reviewing her credit file for the first time in two years, finds six hard inquiries from a major chartered bank she has not recently applied to for anything. Each hard inquiry is, by every credit bureau's published scoring methodology, a negative event on the consumer's file. The bank, when asked, produces a standard letter. The letter does not explain what the six inquiries were for. The letter thanks the consumer for raising her concern. The six inquiries remain.
TorontoThe credit file is a document the country has decided to outsource to two private American corporations. Equifax and TransUnion maintain the credit histories of most Canadians who have ever held a credit product of any kind. The files contain what the corporations have been told by the financial institutions that report to them: the accounts, the balances, the payment histories, and the inquiries. The inquiries are of two kinds. A soft inquiry is one that does not affect the consumer's score: the consumer checking her own file, or a pre-approved marketing check by a financial institution. A hard inquiry is one that does: it signals to the bureau's scoring model that the consumer has recently sought new credit, which the model treats as a signal of potential credit stress, and the score drops, by between five and fifteen points per inquiry, on every bureau's published methodology.
The consumer whose credit file this magazine is describing found, on a review of her Equifax report she conducted earlier this year, six hard inquiries from a major chartered bank placed over a period of fourteen months. She had not, in the fourteen months in question, applied to the bank for any new credit product. She had not signed a consent to credit inquiry in any interaction with the bank in that period. She had not, as best as she can reconstruct from her own records, had any substantive contact with the bank's lending division during that window. She had maintained an existing chequing account and a single legacy credit product that predated the inquiry window by three years. Six hard inquiries. No application. No consent she can locate. A credit score that, on her last Equifax report before the inquiry cluster began, was in the upper band of what the bureaus call good, and is now, on the most recent report, at the lower edge of the same band, having absorbed the cumulative effect of events she did not initiate.
What a hard inquiry without consent is, legally
Under the Personal Information Protection and Electronic Documents Act, the federal privacy statute governing private-sector data handling, abbreviated PIPEDA, a financial institution may only collect, use, or disclose a consumer's personal information for the purposes for which the consumer has provided consent. A hard credit inquiry is a collection of personal information: the institution is asking a third-party data custodian to return a detailed report on the consumer's financial history. The inquiry is, on every standard reading of PIPEDA's definition of personal information and collection, a privacy event. The consumer's consent is, in principle, required. The consent, in practice, is buried in the standard account-opening agreement the consumer signed when she opened the chequing account, in language that, on the version of the agreement this magazine has reviewed from a comparable major institution, runs to approximately four hundred words on page eleven of a thirty-page document, in a font size the magazine's designer has confirmed is below eight points.
The standard account-opening consent language, in the version the magazine has reviewed, authorises the bank to obtain credit reports from credit bureaus from time to time for the purposes of administering the account and assessing the customer's credit profile. The phrase from time to time has no definition. The phrase for the purposes of administering the account has no operational constraint. The bank's legal position, in any response to a complaint about unauthorised hard inquiries, will be that the consent signed at account opening covers any inquiry the bank chooses to make, at any time, for any internal credit-assessment purpose, without further notice or specific consent from the consumer. This legal position has, in the absence of a regulatory ruling or court decision to the contrary, not been definitively rejected by any Canadian oversight body. The position may be wrong. It has not been authoritatively told it is wrong.
Six hard inquiries. No application. A credit score that has moved from the upper band to the lower edge of the same band, absorbing events the consumer did not initiate.
The complaint and its resolution
The consumer filed a complaint with the Office of the Privacy Commissioner of Canada. The OPC accepted the complaint, opened a file, and initiated a mediated resolution process. The process took four months. At the end of four months, the bank provided the consumer with a written explanation of the inquiries. The explanation stated that the inquiries were conducted as part of the bank's routine credit-portfolio management process, that the bank is entitled under the terms of the account agreement to conduct such inquiries, and that the bank considers the matter resolved. The OPC's file was closed on the basis that the bank had engaged with the complaint and provided an explanation. The six inquiries remain on the consumer's credit file. The score remains lower than it was before the inquiry cluster began. The consumer has not been offered a correction, a remedy, or a score restoration.
The OPC's mandate under PIPEDA includes the authority to investigate, make findings, and recommend remedies. It does not include the authority to order remedies. If the OPC determines that a consent clause is insufficient to authorise a particular practice, the OPC can issue a finding to that effect and recommend that the institution change its practice. The institution can accept or decline the recommendation. If the institution declines, the OPC can refer the matter to Federal Court. The Federal Court can order a remedy. This process, from initial complaint to Federal Court order, takes, on the published timelines of the cases this magazine has been able to identify, between three and seven years. The consumer's credit file, in the meantime, continues to reflect six hard inquiries she did not consent to in any meaningful operational sense of the word consent.
The bureaus, the banks, and the score
The two credit bureaus are private American corporations. They are regulated, in Canada, by PIPEDA and by provincial privacy legislation in the provinces that have their own equivalent statutes. They are not regulated by the federal banking regulator. They are not regulated by the provincial securities commissions. They are not regulated by any Canadian authority specifically constituted to oversee credit scoring methodology. The methodology they use to calculate scores, the algorithm that translates a credit file into a three-digit number, is proprietary. The bureaus publish general descriptions of the factors they consider and the approximate weight of each. They do not publish the algorithm. The algorithm is a trade secret. The consumer whose score is affected by six hard inquiries cannot verify, by independent calculation, that the score change attributable to the inquiries is accurate. The consumer can request the bureau dispute the inclusion of an inquiry on her file, but only on the grounds that she did not authorise it. If the bank asserts she authorised it under the account agreement, the bureau will maintain the inquiry on the file. The consumer is, in this chain, the least powerful party in a system built entirely from her data.
What the country could choose instead
The country could amend PIPEDA, or its replacement, Bill C-27, which has been in Parliament for three years, to require explicit, transaction-specific consent for each hard credit inquiry, separate from the omnibus account-opening agreement. The United Kingdom did this under the Consumer Credit Act. Several US states require it under their own credit-reporting statutes. The European Union requires it under the General Data Protection Regulation. The country has, in the years this consumer's score was moving from the upper band to the lower edge, been consulting on the matter and has not enacted the requirement. The consultation has produced documents. The documents have produced drafts. The drafts are in committee. The consumer's score is where it is.
The verdict
Six hard inquiries. No application. Four hundred words on page eleven of a thirty-page account-opening agreement, in a font below eight points, authorising the bank to pull the consumer's credit profile from time to time. A complaint to the privacy regulator. A four-month process. A letter from the bank. A closed file. A score that reflects six events the consumer did not initiate in any meaningful sense of initiation. A regulator that cannot order a remedy. A bureau that will not remove an inquiry the bank asserts was authorised. A consumer who is, at the end of this process, exactly where the system was designed to leave her: fully processed, thoroughly responded to, and no better off than she was before she asked the question.
Require specific consent. Per inquiry. In plain language. Above ten-point font. On a separate document. Or admit that the account-opening consent form is the country's authorisation for every bank to pull the consumer's credit file whenever it chooses, for as long as the account exists, for any internal purpose the bank defines, with no notice, no explanation, and no remedy when it happens six times in fourteen months.