
Can banks be trusted?

By: Baldeep Singh (Lecturer for Law at ATC)


INTRODUCTION

Banks and scandals are 2 words that, if typed into Google, will return enough articles to read for a lifetime, not to mention the new scandals that will emerge while one is reading them. An institution that is trusted with financial dealings is bound to have scandals because greed is part of human nature. The question addressed in this article is to what extent bankers may use confidential information about their customers’ financial dealings for the bankers’ benefit without the customers’ knowledge. In other words, what is the standard of a banker’s duty when it comes to customer confidentiality?


This area too is inspired by another bank scandal, the Wells Fargo account fraud, in which the bank created millions of accounts for its customers without the customers’ knowledge, just to satisfy its sales targets[1]. While Wells Fargo is in the United States, Barclays Bank in the United Kingdom also faced backlash in 2013 when it revealed its plan to sell data about the spending habits of 13 million customers to a 3rd party, as this was another revenue stream for Barclays Bank[2]. These are just 2 examples of banks profiting from the use of customers’ confidential information. Thus, it must be asked: is this legally allowed?


Following that, to what extent does the law provide protection for bank customers when it comes to banks’ abuse of customers’ data? In this essay, I will examine the laws of Malaysia, Singapore and the United Kingdom concerning customer confidentiality in banking, and when banks are legally allowed to share information about their customers’ financial behaviour. In cases where banks and customers have signed contracts allowing banks to use confidential information regarding the customer’s financial habits, there is a separate consideration of freedom to contract. Here, it will be important to analyse individual cases to see whether judges protect this freedom to contract or place the interest of the customers above it. Once I have examined the laws and their limitations, in the last section of this essay I will address whether the law in these countries has struck a proper balance between protecting consumers and allowing banks to continue finding ways to profit.


UNITED KINGDOM

The foundation of the bank’s duty of confidentiality in the UK can be found in the case of Tournier v National Provincial and Union Bank of England (1924)[3], where it was held that a bank can legally disclose information about its customer only in certain limited circumstances, namely:

  • Disclosure required by law;

  • Bank has public duty to disclose the information;

  • It is within the bank’s interest to disclose the information;

  • Customer has either provided an express or implied consent to disclose.

Where the bank has disclosed any information and this caused loss to the customer, the bank will be liable if the loss could reasonably have been foreseen by the bank. Lord Justice Atkin described the basic duty of confidence in his judgment as something that clearly goes beyond the opening and closing of an account. Bankers could still owe this duty even if the account is now closed. Lord Justice Atkin also pointed out that the course in which the information arose will be important. Information here does not actually have to be the transactions themselves but can be any information that arose while the banker-customer relationship was in existence. In the current case the information was obtained after the customer ceased to be the customer of the bank. Thus disclosure of such information will not be wrong.


The first interesting qualification for this discussion is the fourth, where the customer provides approval. Approval can be either implied or expressly provided. When approval is expressly provided through bank agreements, it becomes a question of freedom to contract: if the customer has signed the agreement, he/she should be bound by that agreement to share their confidential information.


Additionally, the issue of freedom to contract can be affected by the first qualification as well, since if the law compels bankers to disclose information, then the agreement between bankers and customers to protect the customer’s information could be violated. Freedom of contract refers to the situation where parties are free to enter into a contract on whichever terms they deem appropriate without governmental restriction. Thus, one has to wonder whether freedom of contract is affected in cases where the government compels bankers to disclose the information. Bankers could also reveal the information when they have a public duty to do so or when it is in the bank’s interest to disclose it.


Banks can be exempted from liability for disclosure of information if they have received consent from the customer. This is governed by the Data Protection Act 2018, which states that personal data collected must be processed lawfully and fairly following the customer’s consent, and that the customer must be provided with details of how the information is to be processed[4]. As a practical matter, consent can be difficult to prove and may easily be withdrawn. The real challenge here is implied consent. Thus it will be important to look at the case law on implied consent.


Case authority on implied consent is scarce, so there are not many decisions to inspect carefully. One area where there is an established practice is where bankers provide information on their customers when requested by other financial institutions as part of references. However, in Turner v Royal Bank of Scotland plc (1999)[5], where the bank replied to several enquiries about a customer’s credit report without first asking for consent from the customer, it was held that, as the practice was not well known, it was indeed a breach of the customer’s confidentiality.


From Turner it can be seen that the law provides heavier protection to the customer than to the bank. References regarding customer credit reports are essential information to every lender doing its due diligence before agreeing to transfer money. However, this sets a high standard for bankers: they may not disclose even such crucial information without first obtaining the consent of the customer. They could not rely on the defence of implied consent.


When it comes to consent, the notion of freedom to contract is important, as banks have moved in the direction of having special headings in their agreements dealing with customer data. For example, the Barclays Bank agreement titled “Barclays Terms, Your Agreement with Us” has a Section F that specifically discusses the customer’s personal information[6].

“In order to provide you with products and services, we need to collect, use, share and store personal and financial information about you, which includes personal data we obtain from you or from third parties, including credit reference and fraud prevention agencies”.[7]


By signing this agreement, customers would have provided their consent to the above, and this blanket statement essentially gives the bank almost unlimited power to use and even share the customer’s data. Thus bankers can now rely on explicit consent from their customers to do virtually anything with their customers’ data, as implied consent was not successful in Turner. One has to question whether customers are in an equal bargaining position with the bank when signing their agreement with the bank. Could a customer expressly refuse this term and still be provided service by the bank? From my research, the same practice is followed by other banks such as Lloyds[8] and HSBC[9], which means customers do not really have much of a choice, as courts will uphold the agreement they have signed.


As mentioned above, the issue of freedom of contract can also be affected by the first qualification, where bankers are compelled by law to disclose information about their customer. Some information may be so confidential in the eyes of the customer that they may not wish to share it even with the authorities. The question in such a case will be whether customers can stop their banks from disclosing such information. Unfortunately, the answer is in the negative.


In the case of Barclays Bank v Taylor (1989)[10], a customer contended that a banker’s duty of confidentiality included a duty to resist compliance with the authorities, that is, to not provide them with the information they seek regarding the customer’s transactions. The court rejected this argument and held that no such restriction can be placed on bankers, as they must follow the law and cannot in any circumstances refuse to do so. This was indeed a good decision, because detection of certain crimes such as money laundering requires bankers to share information about the customer’s transactions with the authorities. Thus, it is only fair that bankers disclose information about their customers’ transactions to the authorities when required to do so.


MALAYSIA

In Malaysia, the banker’s duty of secrecy is governed by statute, specifically the Financial Services Act 2013 (FSA). Under the FSA a banker owes a duty to keep all information about their customers confidential at all times. Section 133(1) of the FSA stipulates that no person who has access to documents or affairs relating to customer transactions in a financial institution may disclose that information. The section goes on to describe all forms of authority in the bank that may have access to such information, but it clearly prohibits the sharing of any customer information by bankers, thus upholding customer confidentiality.


Just like Tournier in the UK, Malaysian law under the FSA provides for 5 exceptions: where there is a law or court order compelling such disclosure, to safeguard or protect the interest of the bank, where the bank initiates action to recover monies owed by the customer, disclosure in the public interest, and where consent is given by the customer either impliedly or expressly[11].


The landmark decision in Malaysia concerning consent to disclose is the case of Wong Yeng Mun v CIMB Bank Berhad (2010)[12], where the claimant’s wife opened his bank statement and read information about his transactions, which caused problems in his marriage. The claimant asserted that the statement was sent to the wrong address and that the bank breached its duty of confidentiality by revealing his transactions to a 3rd party without his consent. The High Court held that there is an implied term in the contract between bankers and customers that the former will not disclose information to a 3rd party without the consent of the customer, given either expressly or impliedly. On this basis, since the bank here did disclose such information and none of the exceptions specified under Tournier applied, the bank had breached its duty of confidentiality.


In its defence, CIMB argued that there was nothing in the contract specifically prohibiting it from mailing the statement to the address it did. Furthermore, it was never agreed between the parties that the statement would only be sent to the plaintiff’s address. The issue arose due to a merger, and in this confusion the bank sent out separate statements to these addresses. The bank tried to rely on its contractual terms, which the court did not accept. Once again the court was strict on the element of consent, and since it was not present in this case, the court found a breach of confidentiality on the part of the bank.


There are a few cases decided under the Banking and Financial Institutions Act 1989 (BAFIA) that require some consideration here, particularly the decision in Tan Lay Soon v Kam Mah Theatres (1993)[13], where Edgar Joseph Jr S.J.C held that the customer is entitled to banking secrecy, that any revelation of this information without their consent will be against the law, and that bankers will be liable for any damage caused by the revelation.


This decision was later applied in the case of Tan Eng Seong v Malaysian Banking Berhad (1997)[14]. Here the plaintiff alleged that there was a breach of confidentiality on the part of his bank when it disclosed information about his account to his brother. The plaintiff’s claim was indeed successful, although there was no evidence of any damage suffered by the plaintiff due to this disclosure. Thus, he was only entitled to nominal damages.


Interestingly, in Malaysia there is another layer of legislation to consider, namely the Personal Data Protection Act 2010, which under S.8 deals with the duty of disclosure by institutions, including banks. Although S.8 seems to state the same position as Tournier, which is that consent is required before information can be shared, there is an exception provided under S.39. S.39(c) and S.39(d) state that if banks had a reasonable belief that they either had a right in law to disclose or that customer consent would have been given, then the bank is free to disclose the information[15].


This threshold is extremely low: since it is a subjective test judged by reasonableness, bankers who divulge information while holding such beliefs, even with malicious intent, could avoid liability. Bankers who deal with sensitive information about their customers should not be held to such a low standard. Since their negligence could cause loss to their customers, a higher standard should be expected.

SINGAPORE

A bank in Singapore does owe a contractual duty of confidentiality, which stems from the relationship between bankers and customers. This is further substantiated by the fact that the duty is given a statutory footing in Singaporean law. Section 47 of the Banking Act (the Act) provides that customer information shall not, in any way, be disclosed by a bank (holding a valid banking licence in Singapore or the branches and offices located within Singapore of such a bank incorporated outside Singapore) or its officers to any other person except as expressly provided in the Act[16].


The exceptions to section 47 are set out in the Third Schedule of the Act, which is divided into Part I and Part II. If a bank chooses to provide a higher degree of confidentiality to its customers, it may do so under Section 47(8) of the Act, but these exceptions ensure that by law all banks will provide a basic level of confidentiality to all their customers[17]. Each exception may also carry further specific restrictions, such as to whom the information may be disclosed and the scope of the information that may be disclosed[18]. Where disclosure of customer information is made pursuant to an exception in Part I of the Third Schedule, the recipient of the information is not prohibited from further disclosing the information to any other person[19]. Clause 1 in Part I of the Third Schedule allows customer information to be disclosed where such disclosure is permitted in writing by the customer or, if he is deceased, his appointed personal representative[20]. The general common law exception of implied consent no longer applies in light of the Act[21].


The landmark case for Singapore is Susilawati v American Express Bank (2009)[22], where the main question was whether all of a banker’s duties are found in Section 47 or whether the duty is implied from the customer-banker relationship. In this case the appellant, a wealthy Indonesian lady, became a customer of the respondent’s private banking division on 27 August 1997. On a later date, the appellant executed a third party liability charge over her account to cover the liabilities of her son-in-law (Tommy) towards the bank. Between 1998 and 2006, Tommy incurred substantial losses arising from transactions and loans from the bank. When Tommy failed to pay the bank, the bank deducted the amount from the appellant’s account. The appellant contended that the bank had gone beyond its duty when it made such deductions. The appellant’s case rested on 2 arguments: first, that the charge was executed under Tommy’s undue influence and, secondly, that the bank owed her a fiduciary duty to disclose the transactions involving Tommy’s account. The court found that there was no evidence of undue influence. The relationship between the bank and the appellant was not fiduciary in nature, and the bank did not owe a duty to disclose the information about Tommy’s account.


The plaintiff’s main argument here was that the bank had a duty to disclose the information about Tommy’s transactions to her. The decision shows that the bank had no such duty to disclose the information to the plaintiff. The execution of the liability charge by the plaintiff provided much of the ground for the bank to deduct from her account without informing her. It also provided the bank with consent to not disclose the information that she was seeking.


The court in this case further held that the common law exceptions to confidentiality no longer apply. Therefore the exceptions are exclusively governed by Section 47 of the Banking Act. This shows that the exceptions given by Tournier will no longer apply in Singapore. In any event, the exceptions are reflected in the framework of Section 47. The court reasoned that the Banking Act provides much more comprehensive protection as opposed to the Tournier exceptions. Thus, there is no room to allow Tournier to continue to operate in Singaporean law.


This approach is largely criticised as it lowers the standard of confidentiality for bankers. Section 47 does not provide a bank customer with any contractual or civil remedy[23]. Thus, making Section 47 the sole governing section drastically reduces the protection for bank customers and increases the protection for banks. The Third Schedule has also come under significant criticism as it provides various exceptions under which information can be shared without the consent of the customer[24]. Banks could, on their own, set a standard where the express consent of the customer is required. However, as things stand in Singapore, bankers are provided with better protection than customers when it comes to using customers’ confidential information without their consent.


ANALYSIS OF THE LAW

The main question for this essay is whether freedom of contract is upheld or whether the courts are willing to stop bankers from sharing confidential information about their customers when it is unjust to do so. Tournier provided an excellent foundation that still stands in most jurisdictions except Singapore (although S.47 of the Banking Act still reflects it), setting out 4 exceptions under which bankers are allowed to disclose information about the customer.


Courts will generally uphold the freedom of contract between bankers and their customers, which entails that customers’ information is not freely shared by the banks. As I have shown above, in the majority of the cases the courts protected the customers over the banks unless there were clear reasons to allow the sharing of information (bankers compelled by law to do so).


Generally, the view adopted in the UK cases is that the confidentiality of customers will be protected. However, as mentioned above, there is a concern regarding banks including clauses in their agreements that are generally wide and allow bankers to use customers’ data however they wish. The problem here will usually be that the customer may not be in an equal bargaining position with the bank to disagree with such terms. This also assumes the customer understands the danger of allowing banks to use or share their information. Most customers may not properly comprehend such terms and may sign the documents without first reading them. Thus, even though the customer may be providing express consent, it is still questionable whether informed consent is provided.


The courts have shown a willingness to protect customers in situations where the banks were clearly in a higher bargaining position and thus should have known and done better. The approach taken by the courts is one that not only provides commercial certainty but also holds bankers accountable to a higher standard, especially in Malaysia and the UK. The CIMB case mentioned above is a good example showing that bankers must constantly be on guard and that even a mistake on their end could cost them. Cases such as Tan Lay Soon and Tan Eng Seong also showed a strong willingness from the court to protect the customer’s confidentiality over the banks. Thus the contract between banks and customers is upheld unless there is a strong, compelling reason not to uphold it.


As for the approach in Singapore, the argument is that being overly reliant on S.47 of the Banking Act is dangerous; as expressed by Poh Chu Chai, the intention of S.47 was merely to provide a minimum statutory threshold which bankers must meet in order to avoid criminal conviction[25]. Thus, by removing Tournier, the standard for the duty of confidentiality on the part of bankers in Singapore is low and bankers are given more discretion to use the information as they see fit. Parliament in Singapore seems to have left it to the discretion of banks to adopt a higher standard if they so choose, but this could be a dangerous precedent.


In situations involving banks, where the risk and possibility of abuse is high, the law needs to provide proper checks and balances so that a tragedy such as the 2008 housing bubble collapse can be avoided. It is highly unfortunate that bank officials were eventually bailed out by the government even though there was strong evidence on which to criminally charge those who were involved. Not all banks should be presumed “evil”, but, as mentioned, since there is a high possibility of abuse here, parliament must take strong measures.


CONCLUSION

The duty of confidentiality is implied in the contract between bankers and their customers. Thus the main question this essay sought to address was whether that contract will be upheld by the courts or whether they have a tendency to allow bankers to disclose customers’ information. The 4 exceptions of Tournier are good examples of where this contract will not be upheld. Generally, cases from the UK, Malaysia and Singapore have shown a common trend, which is that this contract will be upheld unless there is a clear and obvious reason not to uphold it.


Most cases discussed above showed that customers will be given the protection of confidentiality and, by extension, that the contracts are protected. Countries have developed more statutory exceptions to this duty in their jurisdictions, making it harder for there to be complete secrecy. However, giving information to the authorities to either identify or investigate crime is a clearly understandable and acceptable reason to disclose, as opposed to banks disclosing the information to make a profit by selling customers’ data. In this modern era where information is everything, jurisdictions need more tools to address this problem. As we have seen, banks are not immune to controversy and scandals.


BIBLIOGRAPHY

Sandra Booysen and Dora Neo, Can Banks Still Keep a Secret, Cambridge University Press, (2017), Pg 260-279, 330-339


Ross Cranston and Theodor Van Sante, Principles of Banking Law, Oxford University Press, (2002), Pg 250-260


E.P Ellinger, E. Lomnicka and C.V.M Hare, Ellinger’s Modern Banking Law, Oxford University Press, (2006), Pg 179-185


Samahir Abdulah, “The Bank's Duty of Confidentiality, Disclosure Versus Credit Reference Agencies; Further Steps for Consumer Protection: 'Approval Model'”, Web Journal of Current Legal Issues, Vol 19 No 4, (2013)


“Wells Fargo Faces Scrutiny Over Lack Of Sale Scandal Disclosure”. CNBC.com.


Rupert Jones, “Barclays To Sell Customer Data”. Theguardian.com


Benjamin Kho Jia Yuan. “Dilution banker’s duty of secrecy in Malaysia under the Financial Services Act 2013: an adventure too far?”, UMLR, (2019).


Yun Hui Tan, “Banking Secrecy in Singapore”, 2014.


Poh Chu Chai, SAL Annual Review, (2009)


Joey Tan, “Malaysia: A Banker's Duty Of Secrecy And Confidentiality In Malaysia - Do You Know Your Rights As A Customer?”, Asia Pacific, Finance and Banking, (2016)


Anatoliy A. Lytvynenko, “Data Privacy and Banking Secrecy: Topical Issues in Commonwealth, Continental Europe and International Jurisprudence”, Athens Journal of Law - Volume 5, Issue 3 – Pages 303-322












[1] “Wells Fargo Faces Scrutiny Over Lack Of Sale Scandal Disclosure”. CNBC.com. https://www.cnbc.com/2016/09/16/wells-fargo-faces-scrutiny-over-lack-of-sales-scandal-disclosure.html

[2] Rupert Jones, “Barclays To Sell Customer Data”. Theguardian.com https://www.theguardian.com/business/2013/jun/24/barclays-bank-sell-customer-data

[3] KB 461, All ER Rep 550, 130 LT 682

[4] Section 2(1)

[5] 2 All E.R. (Comm) 664

[6] Barclays, Barclays Terms: Your Agreement with Us, 2013, s.G http://www.barclayswealth.co.uk/Images/IBIM1000.pdf accessed 22nd January 2013.

[7] Ibid

[8] Lloyds TSB, Personal Banking terms and conditions, 2012, s.D (14) http://www.lloydstsb.com/media/lloydstsb2004/pdfs/personal_banking_terms_and_conditions.pdf accessed 6th October 2012.

[9] HSBC, General Terms and Conditions, Current Accounts Terms and Conditions, 2012, s.2(34)[34.2] http://www.hsbc.co.uk/1/PA_esf-ca-app-content/content/uk/pdfs/en/General_Current_Accounts_Aprl1.pdf accessed 6th October 2012.

[10] CH 137

[11] Benjamin Kho Jia Yuan. “Dilution banker’s duty of secrecy in Malaysia under the Financial Services Act 2013: an adventure too far?”, UMLR, (2019).

[12] MLJU, 414 (HC)

[13] 1 CLJ 85

[14] 2 CLJ Supp 552

[15] Benjamin Kho Jia Yuan. “Dilution banker’s duty of secrecy in Malaysia under the Financial Services Act 2013: an adventure too far?”, UMLR, (2019).

[16] Yun Hui Tan, “Banking Secrecy in Singapore”, 2014.

[17] Ibid

[18] Ibid

[19] Ibid

[20] Ibid

[21] Ibid

[22] 2 SLR 737

[23] Poh Chu Chai, SAL Annual Review, (2009), pg 80

[24] Ibid Pg 82

[25] Ibid Pg 79
