PIPEDA Findings #2021-006: A short-term lender collects online banking credentials in the course of payday loan applications
The Office of the Privacy Commissioner of Canada (OPC) investigated a short-term lender, CashHere, after receiving an alert that it was collecting clients' online banking credentials (usernames, passwords, security questions and answers) as part of its payday loan application process. The OPC found that while the lender had a legitimate need to verify identity and income, collecting these highly sensitive credentials was not a purpose that a reasonable person would consider appropriate due to the significant privacy risks and the availability of less invasive alternatives. The investigation also uncovered a related entity, MoneyHome, engaging in similar practices.
- Appropriateness of collecting online banking credentials for loan applications
- Proportionality of privacy harms versus lender benefits
- Availability of less privacy-invasive means to verify identity and income
- Potential link between CashHere and MoneyHome
Complaint well-founded — not resolved
The OPC determined that collecting online banking credentials was not appropriate under PIPEDA because the significant privacy risks and potential for unfettered access to financial information were disproportionate to the lender's needs, and less invasive verification methods were available. The investigation could not be resolved as the respondent ceased communication and a potentially related entity continued similar practices.
AI-generated summary for reference only. Always verify against the official decision ↗
The OPC recommended that CashHere cease collecting banking login credentials and intends to inform MoneyHome and other payday lenders of these findings. The matter was referred to the Ontario Ministry of Government and Consumer Services.
- s. 5(3) PIPEDA
- Principle 4.4 PIPEDA
This summary is informational only and not legal advice.