Too many Canadians are being scammed by fraudsters who impersonate banks with convincing calls, texts, and “security” prompts—then drain accounts in minutes. What’s especially troubling is what happens after: victims often learn that a quick “yes” to a verification text or an approved login prompt can be treated as “authorization” under the fine print, leaving them without reimbursement even though they were tricked.
That’s why we’re asking the Financial Consumer Agency of Canada (FCAC) to require a simple but meaningful change: banks should be mandated to highlight, in bold and plain language—and with a separate signature or electronic acknowledgment at account opening and digital banking enrollment—that customers must never share passcodes or banking details, or approve prompts, in response to unsolicited communications. If the rules rely on consumer behaviour to prevent losses, the warnings should be impossible to miss.
Letter below:
Financial Consumer Agency of Canada (FCAC)
By email
To Whom It May Concern:
I am writing to recommend that the Financial Consumer Agency of Canada (FCAC) require federally regulated financial institutions to enhance the prominence and enforceability of consumer-facing warnings about scams that rely on unsolicited communications (calls, texts, emails, and in-app messages) to obtain credentials, one-time passcodes, or approvals.
Recent reporting involving a Winnipeg consumer who was allegedly defrauded following a convincing “fraud department” impersonation illustrates an ongoing consumer protection gap: many consumers do not appreciate that a “yes” reply to a verification text, an approved push notification, or disclosure of a one-time passcode can be treated by a bank as customer-enabled authorization—potentially resulting in a denial of reimbursement under the account agreement. Whatever the merits of any individual case, the broader pattern is clear: contract terms allocating responsibility for safeguarding credentials often exist, but they are not sufficiently highlighted at the time consumers are most likely to absorb and remember them (account opening and digital banking enrollment).
Recommendation: bold, signature-required disclosure at onboarding and digital banking enrollment
I recommend that FCAC require banks to include a short, standardized, plain-language warning in account-opening agreements and digital banking terms that is:
- displayed in bold print (and not buried in general “security” language);
- presented as a separate “key risk” acknowledgment; and
- confirmed by a separate signature, initial, or equivalent electronic acknowledgment at the time of account opening and again upon digital banking/mobile app enrollment.
Proposed mandatory disclosure (suggested language)
For consistency across institutions, FCAC may wish to prescribe minimum wording similar to the following:
IMPORTANT: UNSOLICITED CONTACTS AND SCAMS
If you receive an unsolicited call, text, email, or message from someone claiming to be the bank, you must not share any banking information, passwords, PINs, one-time passcodes, or verification codes, and you must not approve any login or transaction prompts.
The bank will not ask you to provide or confirm a one-time passcode or to approve a security prompt in response to an unsolicited communication.
If you receive an unsolicited communication, hang up or stop responding and contact the bank using a trusted number (for example, the number on the back of your card or the bank’s official website).
Customer Acknowledgment (signature required): I understand that I must never provide banking information or verification codes, or approve prompts, in response to unsolicited communications, even if the caller or message appears to be from my bank.
Signature/Initial: ___________________________ Date: ___________________________
Purpose and consumer-protection rationale
This recommendation is not intended to shift responsibility away from financial institutions to detect unusual activity. Instead, it is designed to ensure consumers receive a clear, memorable warning at the time it is most impactful, and to reduce foreseeable harm from increasingly sophisticated impersonation scams.
A separate, bold, signature-required acknowledgment would:
- improve consumer understanding that one-time passcodes and approvals function like a digital signature;
- reduce disputes driven by misunderstanding of what constitutes “authorization” under banking agreements;
- strengthen incentives for banks to communicate consistent anti-scam guidance; and
- better align contract disclosure practices with real-world scam patterns, particularly those targeting seniors and other vulnerable consumers.
Implementation considerations
FCAC could consider requiring:
- standardized placement (e.g., within the first pages of the account-opening package and during digital banking enrollment flows);
- readability standards (minimum font size and plain-language drafting);
- a separate acknowledgment (not bundled with general consent);
- periodic re-acknowledgment (e.g., annually, and upon mobile app re-installation or device changes); and
- auditable records of acknowledgment for complaint resolution.
Request
I respectfully request that FCAC review this proposal and consider guidance and/or supervisory expectations requiring financial institutions to adopt prominent, signature-required disclosures addressing unsolicited communications and credential-sharing risks as part of retail account opening and digital banking enrollment.
Thank you for your consideration.
Sincerely,
Samantha Gale
Chief Executive Officer
Canadian Private Lenders Association