Open letter to Santander: please use contracts that aren't impossible to comply with

jamesd

An open letter to anyone at Santander who might like to provide customers with contracts that customers might conceivably be able to comply with.

---

This is a complaint about unreasonable and impossible to comply with terms and conditions for the accounts. Santander surely can do better than coming up with terms and conditions that no consumer can comply with.

This is also a notification required under section 12.1 and 12.3 and 12.3b of the account terms and conditions that Personal Security Details have become known to another person, including through disclosure by Santander. I tried the required phone notification but your office was not open at the time of my call, so I am following up in this way.

You should only be alarmed by this notice if you have not received a similar notification from all of your customers, since all are required by your account terms and conditions to provide you with a notification similar to this one.

The planned change in conditions from 1 January 2013 contains the following added clause:

"K) take reasonable steps to keep your PIN or Personal Security Details unique to the accounts that you hold with us."

The terms and conditions give this definition: ‘Personal Security Details’ means any personal details or security process that we ask you to use to confirm your identity or authorise a Payment Instruction to us. These may include a password, selected personal information or other security numbers or codes that we give you or that you choose."

Please confirm that the bank believes that there are no reasonable steps that I should take to ensure that the following information is unique to the accounts that I hold with you:

1. My names
2. My address
3. My date of birth
4. The sign of the zodiac associated with my date of birth
5. My national insurance number
6. My mother's maiden name
7. My landline phone number
8. My mobile phone number
9. Any other normally unvarying information about me, as an individual

I hereby notify you that I and I believe most or all of your customers disclose and allow others to use Personal Security Details in the following ways, presumably breaching terms 9.7 e, f, g and h by doing so:

1. I disclose my names as I see fit, generally for the purpose of allowing others to address me, and for a range of purposes, such as complying with the legal requirement for financial institutions to obtain this information from me.
2. I allow any person to use my postal address to communicate with me and disclose it to a wide variety of persons and businesses for a wide range of purposes, including other banking institutions, who are required by law to obtain this information from me.
3. I provide my national insurance number in a broad range of situations where disclosure is normal, from opening accounts where the law requires account providers to collect this information to identifying myself in ways that I believe to be appropriate.
4. I disclose my mother's maiden name in a wide range of contexts where doing so is appropriate, notably in responding to the security questions required by many financial institutions.
5. I disclose both my landline and mobile phone numbers to anyone who I wish to allow to use those methods to communicate with me.
6. I disclose my account number and sort code, whenever I write a cheque, because they are on the cheque forms provided by the bank.
7. I disclose card details, when using a card for transactions in the normal ways, as and only as required for normal usage of the card.
8. I disclose a broad range of other personal information about myself in ways where I believe it is appropriate to do so.

I notify you that the bank routinely discloses the following Personal Security Details to others, when addressing letters to me:

1. My name
2. My address

I complain that Santander is breaching term 9.7 (i) "(i) act on any further instructions we give you to ensure that your online banking is secure. Any instructions will reflect good security practice, taking account of developments in e-commerce" by using an over-broad definition of Personal Security Information that conflicts with good security practice as a result. Good security practice requires not using over-broad definitions of the information that must be kept secure and not requiring that information be kept secure when it is not credibly possible to do so.

As a remedy, I request that Santander comes up with terms and conditions that it is conceivable for customers to actually comply with. It is inconceivable that any customer could comply with the current ones.

---

Jim431

Have you come off your meds or have they upset you in some way :whistle:

All financial institutions have very similar clauses and it is this part of the clause that is the critical bit.

"" These may include a password, selected personal information or other security numbers or codes that we give you or that you choose ""

Having said that I do think you have a point as their wording does seem to include every other personal detail.

They would certainly have some difficulty defending a breach of security on your part if it concerned items from your list.

My complaint with Santander is with online login process as is the least secure of all the bank account logins that I have because you have to enter ALL characters of each security code. Easy pickings for any keylogger. I expect they would argue that we should all be using the Trusteer Rapport software that they offer.

I expect the Santa rep will be rushing to offer a response and I look forward to reading it :rotfl:

opinions4u

I'd be interested to see how the FOS view the change, from a point of fairness and contract law.

pmduk

I think any bank trying to enforce such a clause is on to a loser here.

dalesrider

jamesd wrote: »

"K) take reasonable steps to keep your PIN or Personal Security Details unique to the accounts that you hold with us."

Of course my PIN is unique to that card. As is the same 4 digit number to any other card I hold.

As per their T/C I cannot divulge, what any PIN or other security details are.
All you have to say is my PIN is unique to each card I hold and there is nothing they can do...

There is no way they can prove any of my cards might have the same PIN. As these details are not stored in a form that is avaiable to be viewed by anyone at the bank.

As it is they are already breaking their own T/C when they list ALL your accounts under the same SINGLE security access.

le_loup

My first introduction to this sort of nonsense was a few years ago when I opened two savings accounts at the same time. one was with a small building society and the T&Cs consisted of six paragraphs on less than one page. The other account was with Halifax and the T&Cs were 29 pages long! For a simple savings account.
Since those day, thing have got so much worse.

rb10

Is this for real?!?!

It's surely pretty obvious to anyone that there are no 'reasonable steps' that could be taken to keep your name, address etc unique to your Santander accounts, therefore it's all irrelevant.

I do hope this is a wind-up.

jamesd

opinions4u wrote: »

I'd be interested to see how the FOS view the change, from a point of fairness and contract law.

Even before the change they have the impossible to comply with definition of information that has to be kept secure. It's just getting even more silly with the update.

Jim431 wrote: »

I expect the Santa rep will be rushing to offer a response and I look forward to reading it :rotfl:

I'd simply like them to offer customers a contract that they have some possibility of following. That shouldn't be too much to ask for from any business.

dalesrider wrote: »

All you have to say is my PIN is unique to each card I hold and there is nothing they can do...

I wouldn't even divulge that. It would be poor security practice on my part to disclose anything about how I select and use PINs.

What they are trying to do there is make the customer liable for fraud if a thief knows the number of one card through shoulder surfing or other methods and then uses the same number with other cards. If a case reached the FOS I expect that their attempt would be rejected, at least for one Santander card, maybe not for many, but some customers might not take it that far.

If the card is used as a credit token (credit card or overdraft use) their contract is trumped by the Consumer Credit Act anyway, but even before that, it's not gross negligence to use the same number for more than one card and gross negligence is the required standard under the industry standards - which also trump Santander's contract - for a consumer to become liable. But lots of their customers won't know that and will be duped instead of taking the matter to the FOS.

rb10 wrote: »

Is this for real?!?! ... I do hope this is a wind-up.

The contract that no customer can comply with is real and my post is not a wind-up, thought the contract itself is.

You may not have noticed it, but banks are prone to using disclosure of anything that they think of as related to security as an excuse for not paying out on fraud claims. That's why it's sensible to ask them to agree that there are no reasonable measures to take and why it's sensible to comply with the contract terms and notify them about the pieces of information being known to others. Once they are on notice of the disclosures, the risk is clearly and unambiguously theirs.

Santander's contract requires me to phone them at the premium rate number they provide to tell them that the personal information I've listed has become known to another person. If you have an account with them, you're also required to do so.

It's daft but that's what all of their customers are required by their contract to do. And it'd be nice if Santander stopped being daft.

The change does have at least one welcome bit: they finally have updated their contract to say that notice to cancel continuous payment authorities can be given to them, not the vendor, a couple of years after they were required to accept such notifications and act on them.

rockitup

What is the bank's stance now on customers storing log-on details with the likes of 1Password. It is the only way I can get to use ultra-strong passwords, different to each account.

I also use a 256 bit VPN when accessing financial websites or making a credit card payment online, stealth mode on the Mac and a 64 character WPA-2 password on my router.... Am i being paranoid? :eek::eek::rotfl:

pqrdef

But seriously, when I leave the house I usually have 5 or 6 cards. But I only memorise two PINs. I can just about remember which PIN applies to which card. There's no way I'm going to memorise half a dozen PINs. Do they want me to write them down on a bit of paper and keep it in my wallet? Or do they want me to leave my Santander card at home and just let that account go dormant?

maninthestreet

How would Santander ever know if you did use the same PIN number used for a Santander card with a non-Santander card?