Canada: Theft Or Loss Of A Credit Card: Who Has The Burden Of Proof?

Last Updated: June 15 2012
Article by Luc Thibaudeau

Lavery Keeps A Close Eye On Developments In Consumer Law. Its Leading-Edge Expertise In The Retail Trade And Class Actions Has Been Pointed Out Many Times By People Involved In The Field. Lavery Is Committed To Keeping The Business Community Informed About This Issue By Regularly Publishing Bulletins Dealing With Case Law And Legislative Developments That Could Affect, Influence And Even Change Business Practices. This Bulletin Discusses A Recent Court Of Québec Decision1 Concerning The Liability Of A Credit Card Holder In The Event Of The Theft Of His Card As Well As The Legislative Changes On This Issue Proposed By Bill 242.


In this case, the plaintiff, who had a credit card issued by MBNA Bank Canada ("MBNA"), claimed that $8,759.76 of purchases on her credit card in Bangladesh were fraudulent transactions made without her authorization and that MBNA could not claim payment from her. MBNA argued in defence that the plaintiff had participated in the fraud.

The plaintiff claimed to be entitled to protection under sections 123 and 124 of the Consumer Protection Act (the "CPA"), which provide that a consumer incurs no liability for a debt resulting from the use of his credit card by a third person after the issuer of the card is notified of its loss or theft. Even where such notice is not given, the liability of a consumer whose credit card is lost or stolen is limited to the sum of $503.

These two provisions do not establish any presumption of loss or theft in favour of the consumer and do not state what burden of proof has to be met to be entitled to protection under them. We must therefore refer to the rules of evidence in the Civil Code of Québec: "A person wishing to assert a right shall prove the facts on which his claim is based"4, according to the balance of probabilities. Evidence is sufficient if it "renders the existence of a fact more probable than its non-existence"5. A consumer must therefore show that the existence of the loss or theft is more probable than its non-existence.


Justice Tremblay of the Court of Québec wrote that it is up to the holder of a card to prove that the card was lost or stolen and that it is not enough for a person to state that he or she has been the victim of fraud without explaining how the fraud was committed and how the alleged perpetrators were able to obtain certain information about the cardholder6.

Thus, according to the judge, the plaintiff did not meet her burden of proof. He noted the following evidence:

  • the fact that, as the plaintiff admitted, her credit card was not stolen or lost7;
  • the fact that the purchases relating to the alleged fraud were all made in Bangladesh, where the holder originally comes from8;
  • the fact that the users of the card in Bangladesh were aware of personal information about the plaintiff, including her personal identification number, date of birth, her mother's maiden name and her husband's name9;
  • identical frauds committed contemporaneously in Bangladesh using the cards of the plaintiff's husband and father10;
  • the very low likelihood of the cards of these three consumers being cloned11;
  • the cardholders' conduct after they were informed of the unauthorized transactions12.

The judge added that, given the presence of these serious, specific and consistent elements, it is very unlikely that the plaintiff was the victim of identity theft or card cloning. The plaintiff must therefore pay the balance owed on her card. However, as the balance is $8,759.76 whereas her credit limit is $8,400 and she never asked for the limit to be increased, Justice Tremblay limited the plaintiff's liability to $8,400, applying section 128 of the CPA13.


This is not the first time the courts have had to examine the circumstances surrounding a loss of payment instruments14 or allegations of "unauthorized" payments from a bank account15. As a general rule, courts asked to decide on such issues are very strict in their analysis and assessment of the circumstances surrounding the alleged losses and thefts. The witnesses' credibility plays an important role and, in many cases, the judgements rendered use presumptions of facts in deciding whether or not to accept the cardholders' version. Consumers must adduce serious, specific and corroborating evidence to establish fraud16. Banks and card issuers hire specialists in this type of fraud who are very familiar with the practices of people who steal or clone cards and can tell when someone's story doesn't ring true. The courts consider them highly credible due to their experience17. In a 2010 decision the court wrote: [Translation] "Fraudsters generally make very costly purchases in a short period of time and do not use the card again a few days later"18. A person's criminal record is also taken into consideration19.


These decisions are relevant since the legislator intends to make certain changes to the sections of the CPA dealing with them. In Bill 2420 currently being studied, it proposes extending the application of the CPA to debit cards. Section 10 of the Bill provides for the addition of sections 65.1 to 65.4 which, if they are adopted as proposed, would read as follows:

65.1. For the purposes of this division, "debit card" means an electronic payment card or any other electronic payment instrument, validated by a personal identification number or by any other means used to confirm the consumer's identity, which allows the consumer's account to be accessed for the purpose of transferring funds.

65.2. Consumers are not liable for losses resulting from the use of their debit card by a third person after the card issuer is given notice, by any means, of the loss, theft or fraudulent use of the card or of any other use of the card not authorized by them.

Even if no such notice is given, consumer liability for the unauthorized use of a debit card is limited to $50.

Any stipulation contrary to this section is prohibited.

65.3. Within two days after receiving notice of the loss, theft or fraudulent or unauthorized use of a debit card, the card issuer must reimburse to the consumer any amount debited from the consumer's account after notice was given.

65.4. Despite section 65.2, the consumer may be held liable for the losses incurred by the card issuer if, after having reimbursed the consumer, the card issuer proves to the satisfaction of the court that the consumer authorized the use of the debit card. (emphasis added)

Under the proposed section 65.5, these provisions could be extended by regulation to products other than debit cards:

65.5. A regulation may be made to determine any other payment instrument to which this division applies.

Thus, in the case of the unauthorized use of a debit card, the burden of proving that the consumer authorized the use of his card will be up to the company that issued the card. This naturally raised concerns in the Parliamentary Commission since there is already a code of conduct that sets out rules governing liability for the unauthorized use of a debit card which are different from the proposed text.

It was argued that these new provisions would significantly reduce consumer liability, thereby increasing that of institutions that issue debit cards. These provisions would reduce the ability of these institutions to protect themselves against the actions of certain consumers who are fully or partially responsible for the unauthorized use of their debit cards21. Also, the question rightly arises as to why the legislator is proposing to reverse the burden of proof for debit cards but not for credit cards22.

In its Brief, the Desjardins Group proposed the following text for the future sections 65.3 and 65.4 of the CPA:


"65.3. Consumers are liable for losses resulting from any form of unauthorized use of their card if such losses result from fraud on their part or if they have not met, intentionally or further to gross negligence, any of the obligations set forth in the agreement relating to the use of the card in order to keep their personal security information confidential.

65.4. Within ten days after receiving notice of the loss, theft or fraudulent or unauthorized use of the card, the card issuer must reimburse the consumer any amount to which the consumer is entitled pursuant to sections 65.2 and 65.3."23

The following wording of a new section 123.1 of the CPA was proposed with respect to credit cards:

"123.1. Consumers are liable for losses resulting from any form of unauthorized use of their card if such losses result from fraud on their part or if they have not met, intentionally or further to gross negligence, any of the obligations set forth in a contract with a variable credit rate in order to keep their personal security information confidential."24

The Canadian Bankers Association ("CBA") also commented on these new provisions before the Parliamentary Commission. It noted that they differ from those set out in the harmonization agreement25. However, the CBA's comments were submitted subject to the fact that on several of the points raised by the Bill, banks are governed by the Bank Act and federal law rather than the CPA. This issue will soon be decided by the Court of Appeal in Marcotte26, a case involving the application of the CPA to currency conversion fees charged by credit card issuers.

Like the Desjardins Group, the CBA also mentioned that the Canadian Code of Practice for Consumer Debit Card Services is already applied across the country and that experience shows that it is effective and that it ensures that consumers are adequately protected27. The CBA submitted that the two-day period in section 65.2 of the CPA would [Translation] "prevent a financial institution from conducting the appropriate verifications and investigations before it has to reimburse a consumer, including someone who may in fact have authorized the use of his card"28.

The debate is not over. We will keep you informed of any developments as they come up.


1 Begum v. MBNA Canada Bank, 2012 QCCQ 2561, March 29, 2012, Christian Tremblay, J. (Court of Québec).

2 An Act mainly to combat consumer debt overload and modernize consumer credit rules.

3 "123. In case of loss or theft of a credit card, the consumer incurs no liability for a debt resulting from the use of such card by a third person after the issuer is notified of the loss or theft by telephone, telegraph, written notice or any other means. 124. Even where such notice is not given, the liability of the consumer whose credit card is lost or stolen is limited to the sum of $50."

4 Article 2803 of the Civil Code of Québec.

5 Article 2804 of the Civil Code of Québec.

6 Paragraph 64 of Tremblay, J.'s decision

7 Paragraph 37 of the decision.

8 Paragraph 50 of the decision.

9 Paragraph 42 of the decision.

10 Paragraph 45 of the decision.

11 Paragraph 47 of the decision.

12 Paragraphs 52 and following of the decision.

13 128. Where the merchant has indicated to the consumer the amount up to which variable credit is extended to him, the merchant shall not increase such amount unless the consumer expressly applies therefor.

14 See, for example, for credit card transactions: El Masri v. Canadian Imperial Bank of Commerce, 2010 QCCQ 8174,August 26, 2010, Marie Michelle Lavigne, J. (Court of Québec); then, concerning the alleged loss of travellers' cheques: Kattous v. Amex Canada inc., 2006 QCCS 960, February 24, 2006, Claude Tellier, J. (Superior Court).

15 Louis v. Banque Laurentienne du Canada, 2007 QCCQ 424, January 9, 2007, Louise Comeau, J. (Court of Québec).

16 El Masri v. Canadian Imperial Bank of Commerce, supra, footnote 14.

17 See, for example: Louis v. Banque Laurentienne du Canada, supra, footnote 15, where the institution's evidence was based on the investigation that was conducted.

18 El Masri v. Canadian Imperial Bank of Commerce, supra, footnote 14, paragraph 43 of the decision.

19 Kattous v. Amex Canada inc., supra, footnote 14; Louis v. Banque Laurentienne du Canada, supra, footnote 15

20 An Act mainly to combat consumer debt overload and modernize consumer credit rules (the "Bill").

21 See in particular pages 4 and following of the brief submitted by the Desjardins Group to the Committee on Citizen Relations in November 2011 (the "brief").

22 The proposed new wording for section 123 of the CPA did not reverse the burden of proof: "123. The consumer is not liable for debts resulting from the use of a credit card by a third person after the card issuer is notified, by any means, of the loss, theft or fraudulent use of the card or of any other use of the card not authorized by the consumer. Even if no notice was given, consumer liability for the unauthorized use of a credit card is limited to $50. Any stipulation contrary to this section is prohibited."

23 See page 6 of the Brief.

24 See page 18 of the Brief

25See page 3 of the document dated October 18, 2011 submitted by the Canadian Bankers Association.

26 Marcotte v. Fédération des caisses Desjardins du Québec, 2009 QCCS 2743, Gascon, J., in appeal.

27 See in particular: rights-responsibilities/78-voluntary-commitments-and-codes-of-conduct ; and cdncodepracticeconsumerdebitcardservices_en.pdf .

28 See page 4 of the document dated October 18, 2011 submitted by the Canadian Bankers Association.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.