Bank uses $20 refund to justify ID check says former customer
Under proposed new privacy laws, David Buckingham might have found out sooner that Bank of New Zealand had run checks on his identity, despite him not being a customer of the bank.
The Queenstown man discovered the BNZ had done an ID check on him with credit reporting company Centrix.
Buckingham was not a BNZ customer, and so had not given the bank permission to ask Centrix to match the information the bank held on him with the private information on the Centrix credit report.
He challenged BNZ, which told him it was only following anti-money laundering laws (AML) requiring ‘‘ongoing customer due diligence’’ (OCDD).
He had not been a customer of the bank for many years, though BNZ had recently made a small payment to him as part of a large-scale remediation programme compensating customers for past errors.
Buckingham did not think that made him a customer of BNZ, and if the identity check was for anti-money laundering purposes, shouldn’t it have been done before the bank paid him the money?
‘‘The suggestion that a $20 refund for overcharging of fees gave rise to BNZ having an obligation to perform OCDD and therefore, created AML obligations leading to a requirement to access my credit report seems very far-fetched,’’ Buckingham said.
BNZ claimed it was ‘‘required to undertake OCDD on customers who are no longer active, and up to five years after they are no longer active with us’’.
The Department of Internal Affairs said there was no requirement under anti-money laundering laws for a bank to do ongoing customer due diligence on former customers.
After a bit of sleuthing, Buckingham found BNZ had done other ongoing customer due diligence checks on him at earlier dates, which was the result of the bank not having closed an old loan account on which nothing was owed.
Buckingham said he planned to take a privacy complaint against BNZ.
His experience comes as Parliament is considering strengthening privacy rights to align New Zealand laws with laws in other parts of the world.
Lawmakers are considering requiring the likes of banks and other companies to notify people when their private information is passed to third parties, or accessed from third parties.
The idea is to give people a much clearer idea of who has their data, rather than having to infer it from the privacy statements of the businesses they deal with.
‘‘Transparency regarding the collection, use, and disclosure of personal information is fundamental to protecting individuals’ privacy rights and their dignity and autonomy,’’ the Department of Justice said in a consultation paper on the plan.
Since privacy laws were put in place, technologies and business models relating to the collection of personal information had dramatically evolved, resulting in a proliferation of indirect collection of personal information, the department said.
It’s not clear yet how the notifications would be delivered.
Buckingham wondered whether the country should look at establishing a national password-protected privacy register and requiring companies to notify when they held, accessed or shared private information.
People could check to see who had been passed their private information.
The Privacy Foundation, a nongovernmental organisation run by academics, made an Official Information Act request to see submissions to the consultation.
It revealed pushback from businesses that claimed notifications would threaten existing business models, push up costs and create public ‘‘notification fatigue’’.
BNZ’s submission acknowledged notifications would require agencies to create a clearer picture of what data they were collecting, and from where.
Marcin Betkier, a law lecturer at Victoria University of Wellington, is one of the academics behind the Privacy Foundation.
Betkier said banks could notify customers using existing communications channels, such as their online banking platforms.
The consultation closed in September last year. The submissions will be used to provide feedback to the Government on how privacy laws should be changed.