Canada’s Privacy Commissioner seems to butt heads with the mortgage industry on the collection of social insurance numbers (SINs).
The Commissioner isn’t too fond of using SINs on mortgage applications. Her office put out a report June 8 that states:
A “SIN is not required to conduct a credit check.”
“There is no legislative requirement for the SIN to be collected for [mortgage purposes].”
“The Office of the Privacy Commissioner is of the view that the SIN should not be used as a general identifier and organizations should restrict the collection, use and disclosure of the SIN to legislated purposes only.”
Assistant Commissioner Elizabeth Denham, tells us:
“We recommend that no private sector organization request the social insurance number from a customer, and that no customer give the social insurance number to a private-sector organization, unless the organization is required by law to request it.”
That creates a potential conflict because the private nature of SINs generally makes them a reliable part of the identification verification process. ID validation has become vital in an environment where mortgage fraud is a serious risk.
According to the Canadian Bankers Association, there is “nothing specifically legislated that requires banks to ask for a SIN for mortgage purposes.”
“Specifically” seems to be the key word, however.
Certain provincial jurisdictions and regulators do, in fact, require lenders and brokers to make a “best efforts” attempt to ascertain a person’s identity. Confirming a customer’s SIN against credit bureau records has been an important means of doing so.
Lenders, in general, like to see SINs on mortgage applications. As CAAMP’s VP of Education and Professional Affairs, Mark Webb, notes: “Lenders expect that agents ask for the SIN but the client has no obligation to provide it. If the client refuses then it is up to the lender to assess how they will respond to the application.”
Webb advises that, “Brokers should not make any change with respect to current practices regarding getting SIN numbers.”
From a practical consumer standpoint, the underlying question should be: is the person taking your SIN trustworthy and does he/she store clients’ information in an extremely secure manner. If so, then many feel that SINs should continue to be an essential fraud-prevention tool.
The big question for me is what percentage of brokers store and transmit client information in “an extremely secure manner”.
The Privacy Commissioner Elizabeth Denham said that “None of the brokers we audited had performed sufficient tests on their IT systems to allow them to say with any certainty that their computer networks—and all personal information stored on them—were secure.”
That said, I have worked in IT for 12 years and worked for brokers for over 3 years and I never seen an official list of checks that brokers should perform.
Hi ComputerGuy,
Thanks for the post. I agree that it would have been much more interesting (and fair to the industry) if the Privacy Commissioner’s sample were random and statistically valid.
Instead, the quote you posted reflects findings that were based on a hand-selected group of five brokers who had already admitted privacy breaches. Hence, there is considerable selection bias and sample size deficiency.
As we wrote last week, these findings cannot be extrapolated to the industry. Yet, concerned homeowners should still ask the right questions when selecting a mortgage planner–including the process by which their data is used and stored.
Cheers,
Rob
As someone that only provides their SIN in cases when it’s legally required I applaud The Privacy Commissioner report, but wish the government would go one step further and make it illegal for the collection of SINs in any non-required case.
A little off topic, but it’s more difficult to rent than it should be because most rental applications request your SIN. Although they can’t require it if you leave it blank a lot of places choose not to rent to you.
I’m betting some lenders will not accept applications without a SIN, even if they provide a different reason for doing so.
If SINs were provided so a credit report could you searched for, then were immediately discarded I would be more accepting of businesses requesting them, but you have to wonder how many databases of SINs have already been hacked and are being sold online.
The cost of identity theft is simply too high for me to trust every mortgage broker/landlord to secure this information.
Rob — perhaps you’d like to share with us how you use and store private client information. Might be a good post for other brokers to follow in implementing their data stores. I’d be particularly interested to know what encryption you use, how you protect the private key, how you audit for unauthorized access to the data, and how you maintain secure backups of that data.
This issue is a tug of war between the lenders right to obtain as much information on the applicant as they deem necessary (thinly substantiated as protecting themselves against mortgage fraud) vs. borrowers right to protect themselves against Identity theft and/or privacy.
This is what the government has to say:
“When an organization requests your SIN, ask if they are legally required to collect the SIN. If not, offer other forms of identification instead.” (Service cda)
Sounds simple to me but if lenders or landlords are intent on trampling on individual rights, privacy and current legislation, I for one have no problem telling them to stick it and find another lender!
How do you pull a credit bureau without the SIN?
That is a very one sided opinion.
A lender’s right to protect itself, its shareholders, and its customers from fraud is just as important as an individual’s right to privacy.
I really don’t think the Privacy Commissioner has any clue about the threats lender’s face today. Identify fraud stemming from mortgage applications is pennies compared to the costs of fraud on closed mortgages.
You can do it with name, address, and previous address. SIN is not required to pull a credit report.
I would tend to err on the side of an individual’s right to privacy. No one is saying that lenders can’t take steps to protect themselves, but those steps must be reasonable. And while I’m admittedly not a lawyer, individual rights ALWAYS trump a business’ right to profit from a loan transaction.
Your SIN is arguably the most sensitive personal information you possess. Just as it’s not reasonable for lenders to ask for a DNA sample, it’s not reasonable to ask for your SIN, IMO.
Al R
Mortgage fraud hurts everyone in the form of higher rates and more restrictions. The person above is accurate that mortgage fraud is a vastly more costly problem than the misappropriation of mortgage applicant data. Lenders have a much greater downside than the individuals who are voluntarily asking that lender for money. That is enough to justify use of SINs, and it’s the reason lenders have been doing it for years.
Reasonable people can disagree, but if the only way lenders can comfirm the identities of applicants is through the use of an identifier the government and RCMP expressly advise consumers not to disclose, perhaps they should put a bit more thought and/or overhead into their processes.
I would have to challenge you on your statement that lenders have more downside than consumers in this. Identity theft can be devastating to an individual, whereas a single incident wouldn’t even amount to a rounding error on a lenders’ bottom line, and, in any event, is simply passed on to other consumers. If someone steals my identity, I could be out thousands, and there’s no way for me to get that back.
I might have more sympathy if financial institutions were a bit more forthcoming about security breaches, but usually incidents are minimized to avoid embarassment. I know more than a few people who have been issued new debit and/or credit cards from their financial institutions with zero explanation other than they may be compromised. No details on how/where/which retailer, etc.
I would love to see a post on this.
I would also love to see the privacy commissioner post IT recommendations / requirements rather than saying that the broker’s aren’t investigating their security enough.
SINs are obviously not the only way to verify ID, but they are one of the easiest ways for the customer and one of the most reliable ways for a lender. Fraud potential would drastically increase without their use. Regardless of what a few government agencies suggest, SINs are a standard identification tool in the industry and their use is legal for mortgage application purposes.
Your point about the downside to individuals being greater is plain wrong. Mortgage fraud costs lenders hundreds of millions of dollars. Fraud from leaked SINs during the mortgage process is a tiny fraction of that. To say that lenders can absorb hundreds of millions in losses doesn’t make their right to protect themselves less important than an individual’s.
Financial institutions will soon be required by law to report security breaches. So your last wish will come true.
Thanks for the post
First, I agree that we cannot demand a SIN and that borrowers do not have to provide it.
However, I work in the alternative lending space and can confirm that a SIN is crucial in our underwriting of challenging files.
AKA’s, multiple surnames, change of province of residence — these can hide many evils that would negatively impact a lender. With loss prevention our priority, we cannot afford to ignore the lack of a SIN.
A date of birth with an address that’s less than two years old, plus a new married name can generate a very clean, very short bureau for a borrower with past or current undischarged bankruptcies, judgments, Family Responsibility collections, Canada Revenue Agency executions and more. These four items alone would impact the priority of our charge and could result in NSF activity due to garnishments that would then jeopardize the mortgage and therefore the investors’ funds.
The SIN is often the only way to pull these facts from a full, more comprehensive bureau.
If the credit is iffy, adding a SIN to the application is the best way for a broker to prove that the borrower is on the up and up. If the bureau is sketchy and the borrowers decline to provide the SIN, it makes me seek other means of verifying their identity and credit history, which makes it more onerous and sometimes more expensive for the broker, on whom the burden of proof is placed.
I never thought of it like that, good post. I typically withhold my SIN on all applications.
This is an excellent insight. I’m in the business and never realized how much information was linked to a social insurance number. Personally, I think it’s pretty reasonable to take the infinitesimal risk of someone having my SIN in order to get the $200,000 or $300,000 I need from that person.
A SIN is required to check credit, just try and do it with Filogix, 80% of the time you need a SIN. Also, we are forgetting about the golden rule “the one with the gold makes the rules”. If someone doesn’t want to disclose information then they simply are declined.