'It's outrageous': Growing number of BMO customers raise concerns with bank's security, investigative processes

Since sharing the stories of four Bank of Montreal customers fighting to get some form of restitution after they had thousands of dollars stolen from their accounts, CTV News Ottawa has been flooded with emails from Canadians who are facing similar situations.

• READ MORE: Customers voice concerns with BMO security measures after scammers gain access to their accounts

Some common complaints continue to emerge – a lack of security measures protecting customers' money and concerns with how the bank's fraud department is handling their investigations.

Laurie Johnson is one of dozens of BMO customers searching for answers to no avail. In October, $15,000 was stolen from her mother's bank account. She now has power of attorney and hopes to recoup her mother's lost money.

"The police can't catch them. They can't seem to do anything. They said they would never be able to find them and the bank's not doing anything and these people are just continuing to do this everywhere," she said. "It's happening all over the place and it's just frustrating as heck that these people can do this."

Meanwhile, the threat of falling victim to a cyberattack is growing by the day.

"Cybercriminals don't even have to be computer whizzes anymore," said technology analyst Carmi Levy. "They can just buy the kits, they can buy the data, and they can buy the entire end-to-end process, including the scripts that they should follow when they reach you on the phone. So, what we're seeing now, is almost a commoditization of cybercrime because now we're seeing people getting into the cybercriminal industry without even the skills to do so because they can just buy it as they go along."

• Sign up now for daily CTV News Ottawa newsletters
• The information you need to know, sent directly to you: Download the CTV News App

How are criminals gaining access to that data? It could be anything from social media use, phishing emails or previous data breaches.

Three years ago, the Office of the Privacy Commissioner of Canada found "security deficiencies" at BMO led to a large-scale breach of roughly 113,000 accounts.

"The first attack occurred during the period between June and November 2017, while the second occurred in late December that same year. BMO did not become aware that personal information had been taken by the attackers until it received a ransom email in May 2018, prompting it to conduct a comprehensive technical review of its systems. As a result of this review, BMO discovered that the first breach involved the compromise of 36,755 customers, and the second, 76,399," reads a portion of the report.

"During these attacks, unauthorized third parties obtained a wide range of personal information, which included, depending on the person, financial account numbers, social insurance number ("SIN"), name, occupation, date of birth ("DOB"), address and/or credit/debit card numbers."

That data does not just disappear after a few years; it stays in the hands of malicious actors.

"That information is then grabbed and shared on the dark web on resources that are freely available to cybercriminals," said Levy.

"So, when they call us, it feels like they're calling from an institution. It feels like they know us. They have enough data points on us to convince us that they're legitimate."

Katya Feder is another BMO customer who had $14,500 stripped from her account. She was told she would not receive any form of compensation.

After launching an investigation, BMO flipped the blame on her, saying she did not properly safeguard her information. It's something that happens to most bank customers when they are tricked by elaborate scams.

"You're going to someone internal in the bank who reports to the CEO and they know that to keep their job. They're supposed to protect the bank, not protect the customer and that's why the customer always gets blamed," said Duff Conacher, the co-founder of Democracy Watch, a national non-profit, non-partisan organization that advocates for improved corporate responsibility for Canadians.

Consumers who feel the bank did not adequately investigate their concerns have the option of contacting the Ombudsman for Banking Services and Investments (OBSI). Over the past two years, the OBSI has seen a massive jump in the number of complaints it has heard.

"Our complaint volumes have been increasing over the past five years, with both banking and investment complaints reaching record highs in 2023, following on very high complaint volumes we saw during the pandemic," said Mark Wright, director of communications and Stakeholder Relations for the OBSI.

"In 2023, banking cases increased to 2,388 up from 686 in 2022, nearly a 250 per cent year over-year increase. The unprecedented growth of volume in bank related complaints was in large part due to changes to the Bank Act Consumer Protection Framework that came into effect on June 30, 2022, which changed how federally regulated banks must deal with consumer complaints."

More changes are coming. On Oct. 17, the federal government announced that the OBSI would soon take over as the sole external complaints body for Canada's banking sector, as opposed to having the bank's investigate themselves.

That change is set to come into effect on Nov. 1, 2024, but Conacher says there are still holes in that plan.

"Bankers sit on the board of the ombudsman complaint handling service, and so it's not as independent as it really needs to be, to be effective. It also lacks key powers."

Key powers like the ability to impose binding arbitration, something that was part of the Liberal Party campaign promise in 2021, but was not mentioned in the latest announcement on Oct. 17.

When asked whether or not the OBSI will have the power to impose binding arbitration as of Nov. 1, 2024, and how the change will help to protect customers, Katherine Cuplinskas, senior communications advisor and press secretary for Canada's Finance Minister, Chrystia Freeland, told CTV News:

"This fall, the Deputy Prime Minister announced a suite of new measures to ensure Canadians are treated fairly by their banks. This includes reducing non-sufficient fund fees charged by banks, and the designation of an independent and transparent not-for-profit organization, the Ombudsman for Banking Services and Investments (OBSI), as the single external complaints body for Canada's banking sector.

"This means that if you feel you have been treated unfairly by your bank, you will now have an impartial advocate who works on your behalf, instead of one that works on behalf of your bank."

Meanwhile, the OBSI is convinced this change will help protect Canadian banks accounts.

"Establishing a single ombudsman ensures that all consumer complaints are treated equally and dealt with consistently regardless of the bank a consumer is dealing with," said Wright. "In the case of banking complaints and binding decisions, it is worth noting that no bank has ever refused an OBSI recommendation. We are confident we can reach a fair outcome given all the facts of each case."

• Sign up now for daily CTV News Ottawa newsletters
• The information you need to know, sent directly to you: Download the CTV News App

Levy says he doesn't think anybody is doing enough to keep up with the evolving threat landscape.

"And I think that includes banks," he says.

"They have their Terms of Service in place that we're all supposed to read and sign off on when we sign up for their services, but the sad reality is, the technology is moving so quickly and cybercriminals are becoming so sophisticated. I think we are not keeping up and our organizations aren't keeping up and as a result, that leaves a much wider gap for their customers to get into trouble."

Despite numerous requests to BMO, the bank has not put anyone up to answer questions in an interview.

Instead, a spokesperson for the company sent CTV News the following statement:

We take scam incidents very seriously and understand the very unfortunate impact on our customers. We alert customers of the trending scams and provide resources here.

Unfortunately, customers can be victimized by criminals who use impersonation, spoof, and phishing scams, where a customer is persuaded to share their private, confidential banking credentials.

If we receive a customer concern, it is reviewed individually, with respect to its own facts. A formal complaint process is available to customers. Generally, a written response is provided to each customer to explain the key facts and results of the review.

We use two-step verification as an additional method of security to verify a customer's identity. A One Time Passcode (OTP) is a component of our two-step verification.

When an OTP is sent, it is accompanied by the following disclosure that warns a customer of the risk of sharing this code with anyone: "Warning: This Code grants access to your accounts. Calls to request it may be a scam. If called, hang up and call the # on BMO card. BMO Code: XXXXXX".

In the context of our review, we consider the specific facts leading to the transaction, including if the customer was victim of a phishing scam, shared their banking information (including password or OTP, online or over the phone) or ignored the OTP message advising them that the code grants access to their accounts and cautioning them that a call to request the code may be a scam.

We always aim to help customers and do our best to recover funds when possible and collaborate with law enforcement.

For privacy reasons, we cannot share information with respect to specific customers.