On 26 September 2021, a fraudulent application for a credit card was submitted in Trina’s name through a credit card provider’s website. To apply, the fraudster had used Trina’s driver’s licence number and her home address, and what turned out to be a fabricated email address and telephone number. The fraudster had also ticked a box saying that Trina’s credit file information could be obtained by the provider.
The application was approved that day, and the account was opened with a $9,900 credit limit. Also that day, the credit card was mailed to Trina’s home address.
The next day, 27 September, the provider blocked the account so they could undertake further verification. The lender sent an email to the fabricated email address requesting 3 months’ of bank statements, along with a ‘selfie ID’. It wasn’t clear what had triggered the provider to block the account.
On 29 September, Trina received the credit card in her mailbox. She immediately called the provider and explained she had not applied for the card. She reported the matter to the police and applied for a new driver’s licence. Trina never found out how the fraudster had obtained her driver’s licence number.
Trina was very concerned about how the credit card was able to be issued in her name. The provider investigated and on 11 October confirmed that Trina had been the victim of fraud and that they’d closed the account. Thankfully the card had not been used to make purchases, and the provider emailed the 3 credit reporting agencies asking them to remove all reference to the provider on Trina’s credit file.
Trina remained concerned about how a credit card with a $9,900 limit had been issued to her without the provider having first obtained information to assess whether the lending was affordable under the Credit Contracts and Consumer Finance Act 2003 (the CCCFA). The provider responded that the information submitted during the application process and obtained from Trina’s credit file was enough for a credit card to be ‘system approved’. They offered her $100 to resolve the complaint, but Trina remained concerned and complained to FSCL.
Trina wanted to receive further information from the provider about how the credit card application had been able to proceed. On the other hand, the provider maintained their view that all verification and checks required before opening an account and issuing a credit card, had been met in this case.
We found there were some service issues in Trina’s complaint including our view that the provider’s fraud team should carry out their checks before a physical credit card is issued. For the stress Trina had suffered, we suggested the lender increase their offer to $250.
However, the central issue in Trina’s case was that she wanted to know more details about exactly what the provider’s processes were when approving the credit card in her name – how was the fraud not initially detected, but then detected a day later? The provider’s position was that they could not reveal further details about what caused their fraud team to block the card on 27 September. Although we could understand Trina’s desire to know more, we said the provider’s position was reasonable. If details of fraud detection processes and the information uncovered by fraud teams is shared with the public, it compromises the work fraud teams undertake.
However, we did share Trina’s concern about how the affordability assessment required under the CCCFA had been undertaken. For instance, there did not appear to have been any income or expense details gathered during the initial application process. We asked the provider for further details about how the affordability assessment requirements had been met, but we advised Trina we couldn’t pass that information onto her. This was because the lender’s affordability assessment criteria is commercially sensitive information. This was especially the case here, where Trina had not suffered any financial loss (no transactions were made) and she was not actually a customer of the provider.
We suggested that Trina obtain another copy of her credit files from the three credit reporting agencies, as a final check that her credit file had been updated.
Trina accepted our initial view on her complaint. However, when she then obtained her credit file – there had been another credit product approved by the provider in Trina’s name, also from September 2021, that she had not known about before. We went back to the provider and said there should have been a search of Trina’s name across all the provider’s product lines once the initial fraud had been identified, to check for any other fraudulent activity.
We asked the lender to increase their offer of compensation to $500, which Trina accepted.
The problems did not end there however, because it took the credit reporting agencies several months to then confirm they had updated Trina’s credit files. This was outside the credit card provider’s control and, in the end, our case manager contacted the credit reporting agencies directly on Trina’s behalf. This resulted in the reporting agencies swiftly updating Trina’s credit file.
If this swift action hadn’t been taken, the next step would have been to refer Trina to the Privacy Commissioner. The Privacy Commissioner is best placed to deal with complaints about delays in updating a credit file – credit file information being ‘personal information’ for the purposes of the Privacy Act.
Insights for consumers and participants
Unfortunately, the type of fraud Trina fell victim to, is common. This case serves as a reminder of how important it is to protect your personal information– with fraudsters always finding new methods to obtain that information.
This case also shows the importance of providers having good internal processes to check across all product lines if a fraud is detected in relation to only one product they offer. It also demonstrates that with fraud cases, it is reasonable for providers to withhold providing some details to FSCL and consumers because otherwise it would undermine their efforts to detect fraud.
Similarly, considering there was no financial loss to Trina in this case, and that she was never actually a customer of the provider, it was reasonable that the provider’s affordability assessment criteria were not released to her.