Kitchener, Ont.A hard credit inquiry is not neutral. It is not administrative. It is a formal query to a credit bureau that reduces a consumer's credit score, stays on the file for up to six years, and signals to every lender who subsequently reviews that file that the consumer was recently assessed for new credit. Each hard pull is a mark. The mark costs something. The cost accumulates.

Between November 2025 and May 2026, a major Canadian chartered bank ran six hard credit inquiries on one consumer's Equifax file. The consumer had not applied for any product. The consumer had not visited a branch. The consumer had not called a lending line, submitted a form, or in any way requested that the bank access his credit bureau. The consumer was not aware the inquiries were happening. He discovered them when he reviewed his credit report.

Six inquiries. No consent. No application. No authorization. Six separate moments when the bank decided to access a private financial record it had no disclosed legal basis to request.

What the law says

PIPEDA, Canada's Personal Information Protection and Electronic Documents Act, is explicit on the matter of consent. Schedule 1, Principle 4.3: an organization may collect, use, or disclose personal information only with the knowledge and consent of the individual, except in exceptional circumstances the Act enumerates. A credit bureau inquiry is the collection of personal information. Consent is required. The Act provides a mechanism for withdrawal: Principle 4.3.8 states that individuals may withdraw consent at any time, subject to legal or contractual restrictions. A formal withdrawal of consent was served on the bank in writing on May 12, 2026. The meaning of that notice is clear: any further inquiry after the date of service is a knowing post-notice breach.

Complaints were filed with the Financial Consumer Agency of Canada, the Office of the Privacy Commissioner, and the major credit bureaus. Formal faxes of complaint were delivered. Six regulatory notifications, filed in five days, about six unauthorized credit pulls from one bank on one consumer's file.

Six hard inquiries. No application. No consent. A withdrawal notice served in writing. The bank acknowledged the complaint. The six inquiries are still on the file.

The letter

The bank's response to the formal demand was a letter. The letter thanked the consumer for raising his concern. The letter did not explain what authorized the inquiries. The letter did not explain the bank's basis for accessing the consumer's credit bureau on six occasions without application or consent. The letter did not remove the inquiries. The letter thanked him and closed.

The credit score at the time the dispute was filed was 697. The consumer had been building that number carefully. Each hard inquiry pulls the number down. Six pulls, without any corresponding application to justify them, represent six arbitrary subtractions from a score that determines what loans are available, at what rate, under what terms. The bank subtracted six times. The bank sent a letter. The subtractions remain.

The verdict

A chartered bank accessed a consumer's private credit file six times without his knowledge, consent, or any application to justify it. Federal privacy law requires consent. The consumer withdrew consent in writing. The bank acknowledged the complaint. The inquiries stayed. A fifty-thousand-dollar small claims action is on standby. The regulatory complaints are pending review.

This is not a data breach. No system was compromised. No hacker accessed anything. An institution with the resources, legal staff, and compliance departments of a major Canadian bank decided, six times, to run a hard pull on a consumer who never asked it to. The bank cannot say it did not know the rules. The bank wrote the privacy policies. The policies say consent is required. The bank ran six hard pulls anyway and sent a letter when asked about it.

The letter is not enough. It was never going to be enough.