 |
| Heidi J. T. Exner |
Anholt’s story reads like a heist movie. Scammers impersonating bank officials strung him along for months, ironically convincing him that he was helping the good guys in a battle against fraud. They led him to liquidate his entire savings, piece by piece. The money, much of it converted to gold, was couriered away by criminals. Despite multiple face-to-face visits to his banks, which exhibited red flags like huge, uncharacteristic transfers and emotional distress, this senior citizen’s downward spiral wasn’t stopped. RBC and CIBC, when confronted, shrugged their shoulders, pointed to internal policies and procedures, and claimed their efforts were sufficient.
What are the banks’ legal obligations?
Canada’s central playbook for banking safety is found in the Bank Act and the Financial Consumer Protection Framework (FCPF). These enactments demand that federally regulated banks establish “policies and procedures” for consumer protections (Bank Act s. 627.02), treat clients fairly (s. 627.03) and investigate unauthorized transaction claims with promptness and good faith (s. 627.26). They’re also required to maintain accessible complaint systems (FCPF s. 627.04 to s. 627.06), provide clear disclosure of account risks and protections (FCPF s. 627.13 to s. 627.16) and deliver redress to customers if institutional errors or misconduct cause loss (s. 627.27).
Galkin_K: ISTOCKPHOTO.COM
Why didn’t the banks step in?
RBC and CIBC both say they followed policy. But even common sense dictates that Anholt’s repeated withdrawals, requests for large transactions and visible distress should have triggered more than generic warnings. Sections 627.02 and 627.03 of the Bank Act don’t just ask for paperwork; rather, they impose a legal duty to implement real, working consumer protection protocols and fair treatment. When a vulnerable client appears to be at risk of exploitation, these sections could be interpreted as requiring personal intervention, escalated reviews or pauses on suspicious transfers.
Complaint handling laws (FCPF s. 627.04 to s. 627.06) and requirements for fair investigation (Bank Act s. 627.26) mean banks can’t simply wash their hands of responsibility after a scam. Yet in practice, Canadian banks retain broad wiggle room, and customers must often prove bank error, which is a high bar for traumatized, elderly or unsophisticated victims.
Ultimately, we have laws that merely mandate internal policies. This is problematic as it creates numerous grey areas in consumer protection mechanisms due to the banks alone wielding certain discretionary powers. Systems that depend on institutions policing themselves face several significant pitfalls that undermine accountability, trust and effectiveness. These pitfalls are rooted in conflicts of interest, lack of transparency and limited motivation for meaningful or lasting change, all of which can result in public harm and organizational failure.
How Canada stacks up in a global context
The U.K. has pioneered regulatory intervention in authorized push payment (APP) frauds. New regulations require banks to reimburse victims up to 85,000 pounds per incident and give banks up to 72 hours to delay and investigate suspicious outgoing payments. The U.K.’s approach assigns shared responsibility, compelling banks to proactively monitor for suspicious transactions or patterns, and to prove gross negligence if wishing to deny compensation. These measures have increased pressure on banks to intervene early, improving overall consumer safety.
Australia’s 2025 Scams Prevention Framework imposes what its government touts as the “world’s toughest anti-scam laws” on banks, telecoms and social platforms, making them liable for customer losses where they fail to meet specified anti-fraud obligations. The law requires banks to verify payee identities, monitor for scams and provide redress if obligations are unmet, with penalties up to AU$50 million. Dispute mechanisms enable victims to seek compensation, including via court proceedings or class actions. Regulators have enhanced investigative powers, including public warnings and remedial directions.
U.S. federal law (specifically Regulation E of the Electronic Fund Transfer Act) offers American consumers significant protection from unauthorized electronic fund transfers. If fraud is reported promptly, liability is capped, usually to US$50 or $500, depending on notification timeliness. Proposed new legislation, such as the Protecting Consumers from Payment Scams Act, aims to expand banks’ liability for certain “authorized” payment scams, encouraging institutions to share responsibility, mirroring reforms in the U.K. U.S. banks must also conduct timely investigations into claims, with regulatory agencies empowered to fine and sanction failures.
Are proposed new Canadian fraud-fighting moves enough?
Alarmed by a surge in high-profile frauds and public outcry, the federal government is now promising sweeping reforms. Budget 2025 includes plans to embed fraud detection and prevention obligations directly into the Bank Act. Per these plans, banks may soon be forced to:
- Obtain express consent before enabling risky account functions,
- Allow customers to adjust transaction limits themselves (which actually increases risks in many instances),
- Report more fraud data to the Financial Consumer Agency of Canada, and
- Create stronger, victim-centred complaint and redress systems.
There’s also some chatter about a new Financial Crimes Agency, which is presented as Canada’s own fraud SWAT team, to “unite the expertise needed” to chase down sophisticated scams and recover illicit profits. Despite the fact that the Canadian government is globally notorious for its lack of fraud expertise, I am adopting a wait-and-see stance before I dismiss this proposition entirely. But for Anholt, and thousands like him, even if successful, initiatives like these come too late.
The broken shield
Can Canada do better? Well, yes.
In contrast to Canada’s “ask nicely” approach, jurisdictions like the U.K. and Australia have raised the bar. U.K. regulators now require banks to refund victims of APP scams, unless the consumer was grossly negligent, and establish real-time monitoring for suspicious activity. Australia’s 2025 laws hold banks liable for losses when they fail to meet anti-fraud standards: redress is the rule, not the exception. Even the U.S. has adopted an approach that incentivizes banks to uphold more robust consumer protections, which speaks volumes, in my view.
The Canadian approach, largely reliant on voluntary codes and reporting obligations rather than statutory liability, lags behind best practices globally. Critics, including consumer advocates cited in news reports or Anholt’s story, urge swift action to introduce automatic liability limits and proactive fraud frameworks, as in the U.K. and Australia. Recent government consultations have considered “maximum liability thresholds” for fraud victims, but legislative changes have yet to materialize.
Without clear rules on reimbursement requirements, Canadian banks operate in a legal climate that prioritizes internal policy over statutory duty. This means many fraud victims, particularly the elderly and vulnerable, may face years of savings lost with little immediate hope of redress.
The path forward
The devastating fallout of Anholt’s experience, and the patchwork legal shield that failed him, underscore the urgency of overhauling Canada’s anti-fraud regime. To meet the spirit of the Bank Act and the FCPF, reforms must explicitly limit victim liability for all forms of true fraud, including scams where the customer is duped into authorizing transactions. Legislation must not merely contemplate but mandate clearer reporting duties and proactive intervention by banks when suspicious “red flag” behaviour is detected, instead of leaving these steps to banks’ internal policies to manage.
It’s time for Canada’s laws to catch up to modern scams. Until then, and perhaps ultimately, consumer knowledge campaigns, including the voices of victims like Anholt — who are exceptionally brave to speak up and share their stories — are truly our best defence.
Heidi J. T. Exner is an award-winning white-collar crime fighter and she is passionate about making the world a better place. Heidi is the founding partner of Ethical Edge PI & Corporate Advisors, the founder and chair of the Exner Foundation, and she serves on JURIST’s Alumni Board and the Policy & Advocacy Committee at the Canadian Blockchain Consortium. She welcomes you to find her on LinkedIn or check out her biography page on Ethical Edge’s website.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the author’s firm, its clients, Law360 Canada, LexisNexis Canada or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
Interested in writing for us? To learn more about how you can add your voice to Law360 Canada, contact Analysis Editor Peter Carter at peter.carter@lexisnexis.ca or call 647-776-6740.