Executive Summary: Key Legal and Evidentiary Issues

• Allocation of liability between the bank and the customer where a third-party fraudster obtained a loan using disclosed personal information and a one-time password (OTP).
• Scope of Desjardins’ contractual and civil duty of prudence and diligence in authenticating a telephone request for an Accord D loan.
• Effect of the member’s breach of the Conditions of use of the Desjardins access card, specifically the prohibition on disclosing authentication elements such as an OTP.
• Causation analysis as to whether the plaintiff’s disclosure of personal data and the OTP is the immediate and determining cause of the fraudulent loan.
• Assessment of whether any objective red flags in the account activity or in the December 20, 2021 call required Desjardins to apply additional authentication measures.
• Determination that the absence of institutional fault means the plaintiff remains contractually bound to repay the $8,500 Accord D financing and cannot obtain credit record rectification.

Factual background

Madame Ikram Mouhajer, a young member of Desjardins, was approached on Facebook via Messenger on 20 December 2021 by a third party who presented a seemingly legitimate opportunity. The fraudster represented that a real company would temporarily deposit money into her account, which she would then return, keeping a portion as remuneration. Relying on these representations, Ms. Mouhajer transmitted several personal details: her telephone number, a specimen cheque, her date of birth and other identifying information. She believed she was participating in a lawful short-term deposit arrangement rather than a loan. Unbeknownst to her, the fraudster used these details to contact Desjardins by telephone, impersonate her, and request an Accord D financing in the amount of $8,500. Desjardins conducted its usual identity verification, including standard security questions and verification of transit and folio numbers, and sent a one-time password (OTP) to the cellphone number on file for Ms. Mouhajer, which had been associated with her account since 2018. The fraudster, still in contact with Ms. Mouhajer, obtained this OTP because she herself communicated it to him. That OTP allowed the caller to complete the authentication process, and the $8,500 Accord D financing was granted and deposited in her account the same day. Acting under the instructions of the fraudster and believing she was returning funds in a legitimate transaction, Ms. Mouhajer made a series of withdrawals from her account totalling $7,500 and then deposited those funds into a Bitcoin ATM using a QR code provided by the third party. She retained $1,000 in her account.

Subsequent developments and discovery of the fraud

The next day, when she viewed her online account, Ms. Mouhajer realized that the amount credited was recorded as an Accord D loan rather than a simple deposit. She promptly contacted Desjardins to report what she now perceived as a fraudulent scheme and repaid $1,000, corresponding to the portion of the loan she had not transferred to the fraudster. Desjardins opened an internal investigation into the transaction. As part of that process, the December 20, 2021 call was reviewed and an investigative interview with Ms. Mouhajer was conducted on 11 January 2022, during which she acknowledged having communicated the OTP to the third party. Following its investigation, Desjardins concluded that the operations had been properly authenticated and that the responsibility for the Accord D financing rested with Ms. Mouhajer. Through counsel, she then sent a formal demand seeking cancellation of the loan, reimbursement of any amounts paid, and removal of negative notations from her credit file. When this did not occur, she instituted a small claims action before the Cour du Québec, Division des petites créances, against Fédération des Caisses Desjardins du Québec and Caisse Desjardins de Charlesbourg.

Contractual framework and policy terms at issue

A central element of the dispute was the contractual Conditions of use of the Desjardins access card. These conditions form part of the contract between Desjardins and its members and set out the parties’ respective obligations regarding electronic access and security. Article 15.2 of the Conditions of use specifically requires the member to keep all authentication elements strictly confidential, including any one-time security code sent to the member. It states that if the member voluntarily or negligently discloses such an element to a third party, the member must assume the consequences of the transactions carried out using that information, even if those transactions arise from fraud. The Court emphasized that Ms. Mouhajer was contractually bound by these conditions. Her decision to transmit the OTP, along with other personal data and a specimen cheque, ran directly contrary to article 15.2. The judge treated this contractual clause as clear and decisive for the allocation of loss: the institution undertakes to implement reasonable authentication measures, while the member undertakes to safeguard the secrecy of the codes that permit access to those very measures.

Legal principles on institutional duty and client responsibility

Legally, the Court began by recalling that a financial institution owes its client a duty of prudence and reasonable diligence in the management of accounts and in the processing of operations. This encompasses secure management of banking operations, appropriate monitoring of account activity and implementation of reasonable authentication mechanisms to prevent unauthorized use. The jurisprudence cited confirms that banks must put in place adequate identification processes when granting credit or allowing access to accounts. At the same time, Quebec civil law and the contractual regime recognize that the client has a correlative obligation to preserve the confidentiality of their identification and authentication data. Where a member voluntarily discloses a confidential security element to a third party, the resulting transactions are normally attributable to the member rather than the institution, absent clear institutional fault or disregard of obvious risk signals.

Application of the law to the facts and evidentiary assessment

On the evidence, the Court found that Desjardins followed its internal procedures when it received the call on 20 December 2021 seeking an Accord D financing in Ms. Mouhajer’s name. The agent asked the customary identity-verification questions, checked the transit and folio numbers and sent an OTP to the secure telephone number in the member’s file. The institution had no reason, from its perspective, to doubt that the person on the phone was in fact the account holder, since the requisite information was provided correctly and the OTP was successfully entered. Crucially, the judge accepted that the decisive event enabling the fraud was Ms. Mouhajer’s own communication of the OTP to the third party. That disclosure allowed the impersonator to satisfy the bank’s authentication requirements and directly triggered the granting of the $8,500 Accord D loan in her name. The Court also examined whether there were any objective “red flags” in the circumstances that ought to have alerted Desjardins to the possibility of fraud or led it to impose additional security measures. The judge rejected the argument that, because of Ms. Mouhajer’s youth or her relatively low pre-existing credit limit of $500, Desjardins should have been on heightened alert. The internal risk-assessment parameters and capacity-to-borrow criteria for Accord D products do not, in themselves, establish fault simply because an institution decides to grant a higher credit amount. Nor did the recording of the 20 December 2021 call or Ms. Mouhajer’s later observations reveal any glaring anomaly that would have made the transaction objectively suspicious from the bank’s vantage point.

Finding of no fault and allocation of loss

The Court ultimately concluded that Desjardins committed no fault, either in contract or in civil liability, in processing and approving the Accord D financing. The authentication was performed in accordance with its usual standards, and the institution did not ignore any clear warning sign of fraudulent use of the account. By contrast, the plaintiff’s own conduct—providing her telephone number, specimen cheque, date of birth and, above all, divulging the one-time security code—was characterized as the immediate and determining cause of the loan being obtained in her name and of the subsequent financial loss. Additionally, the plaintiff personally executed the cash withdrawals and deposited the $7,500 into a cryptocurrency ATM, thereby completing the loss of funds. In light of these findings, the Court dismissed Ms. Mouhajer’s action in its entirety, declared that Fédération des Caisses Desjardins du Québec and Caisse Desjardins de Charlesbourg had committed no fault in granting the loan, and reminded that Ms. Mouhajer remains responsible for the obligations arising from the $8,500 Accord D financing. The defendants are thus the successful parties, and no monetary damages or costs were awarded in their favor; each side was ordered to bear its own legal costs, and no separate, quantifiable monetary award can be determined beyond the confirmation that the plaintiff continues to owe the $8,500 loan amount.