InfoBytes Blog

Financial Services Law Insights and Observations

  • CFPB Tackles Credit Card Vendors For Alleged Unfair Billing of Ancillary Products

    Consumer Finance

    Today, the CFPB filed proposed consent orders against two credit card add-on product vendors for allegedly billing consumers for credit monitoring and identity theft protection services they did not receive. Under the proposed consent orders, one vendor will provide nearly $7 million in restitution to the holders of approximately 73,000 accounts, and pay a $1.9 million civil money penalty. The other vendor will provide almost $55,000 in restitution to consumers who were incorrectly billed for identity theft or credit monitoring services, and pay a $1.2 million civil money penalty. The Bureau specifically noted that today’s announcement is the “first time the Bureau has brought actions directly against the companies” that market or administer ancillary products.

    CFPB UDAAP Vendors Enforcement

  • OCC Fines National Bank for Alleged Unfair Billing Practices

    Consumer Finance

    On June 19, the OCC released recent enforcement actions taken against national banks, federal savings associations, and individuals currently or formerly affiliated with national banks and federal savings associations. Among the actions was the issuance of a consent order for a civil money penalty against a national bank for allegedly violating the Federal Trade Commission Act. During its investigation, the OCC discovered deficiencies relating to the bank’s billing and marketing practices, specifically with regard to identity protection and debt cancellation products. According to the consent order, since April 2004, the bank, along with an identity protection product vendor, marketed and sold various types of identity theft protection products to its customers. Before customers could access the credit monitoring service of the identity theft product, they “were required to provide sufficient personal verification information and consent before their credit bureau reports could be accessed.” However, the OCC found that the vendor (i) billed the bank’s customers the full fee for the products, even if they were not receiving all of the credit monitoring services; (ii) billed the customers prior to receiving the customers’ information and consent and establishment of credit monitoring; and (iii) failed to ensure that customers received electronic benefit notifications. The bank retained a portion of the fees that the customers paid. Additionally, the bank’s vendors incorrectly informed customers during telemarketing calls that only one of the products offered had the ability to access identity protection benefits electronically. As a result, some customers purchased the more expensive Enhanced Identity Theft Protection, as opposed to the less expensive Identity Theft Protection, under the mistaken belief that this was the only way they could access the product’s benefits online. 
    Finally, the OCC also alleged that, from August 2005 through November 2013, the bank’s debt cancellation product vendor’s billing practices, which posted recurring payments on the same day of the month regardless of the payments’ due dates, resulted in some customers paying recurring late fees. The bank will pay $4,000,000 to resolve the OCC’s allegations.

    OCC Vendors Enforcement Ancillary Products

  • FCC Enters Into $25 Million Settlement Following Cell Phone Carrier Data Breach

    Privacy, Cyber Risk & Data Security

    On April 8, the Federal Communications Commission (FCC) announced a $25 million settlement with an international telecommunications carrier concerning the unauthorized release of the personal information of nearly 280,000 customers by certain employees. The alleged data breach took place over a 168-day period at carrier call centers in Mexico, Colombia, and the Philippines where employees of the carrier allegedly were paid by unauthorized third parties to disclose confidential customer information. The third parties appear to have sought the information to unlock and traffic stolen cell phones. The FCC Enforcement Bureau found that the data breach violated a carrier’s duty under Section 222 of the Communications Act and also constituted “an unjust and unreasonable practice” under Section 201. In addition to paying the $25 million civil money penalty, terms of the settlement require the carrier to (i) notify all affected customers and reimburse them for any subsequent credit monitoring services; and (ii) implement new internal policies to improve the carrier’s privacy and data security practices. For more information on the latest regulatory guidance on data security and evolving best practices, please visit the Privacy, Cyber Risk, and Data Security Resource Center.

    Vendors FCC Enforcement

  • Digital Insights & Trends: What Keeps You Up At Night - Data INsecurity

    Privacy, Cyber Risk & Data Security

    We’re still wide awake, focusing on what keeps us (and our financial institution clients) up at night. Let’s pick up where we left off following our December webinar, but this time address data INsecurity from the perspective of its “other” victims, i.e., consumers. Last month’s webinar reviewed the benefits of risk-based approaches to organizational cybersecurity frameworks and identified potential obstacles to their achievement. Today, we’re thinking about another risk of cybersecurity breakdowns – the loss of consumer confidence. This risk threatens companies as surely as the regulatory, media and legal fallout.

    Despite the proliferation of data breach notification and consumer financial privacy laws, data-breach-fueled identity theft is increasing. A recent report of the National Consumers League & Javelin Strategy reveals that consumer fraud victims don’t discriminate between business organizations and financial institutions when assigning blame for data breaches. Rather, they avoid doing business with all organizations involved. Ironically, nearly one-third of fraud victims take no action to prevent further fraud, even when they’ve been notified that their data has been compromised. The majority of consumer victims, according to the NCL/Javelin report, say both businesses and FIs should be held accountable, and want to be able to sue the breached companies. An even greater majority think the federal government should protect them -- and lawmakers are listening. Senator Amy Klobuchar (D-MN), for example, favors a national security breach notification law.

    Financial institutions are between a rock and the proverbial hard place. Compromised financial information results in greatly increased fraud against affected consumers. However, many consumers don’t take action to prevent a breach from escalating into further incidents of fraud. (Partly, this results from lack of faith in the effectiveness of solutions like credit monitoring, and partly, consumers don’t know where to go for help.) Some consumers contact law enforcement or government agencies, but many simply avoid patronizing the companies involved as a result of diminished trust. An overwhelming number of victims believe the right course is action against companies where their information was breached.

    Trust lost is hard to regain. Data breach responses are key to effective enterprise risk management, not only because of legal and enforcement risk, but because consumer loyalty, and its loss, have real, tangible, operational and financial consequences. In an effort to bolster consumer trust, companies should: be transparent in communicating their practices and controls with respect to the management and use of data; and provide guidance to their customers on actions that can be taken to protect their own data.

    Note: Information in this article is based in part on the “Consumer Data Insecurity Report” produced by Javelin Strategy & Research (2014).

    Risk Management Digital Insights and Trends Privacy/Cyber Risk & Data Security

  • CFPB Enforcement Action Targets Bank's Add-On Product Billing Practices

    Consumer Finance

    On September 24, the CFPB announced a consent order with a large national bank to address alleged unfair practices related to add-on identity theft protection products marketed by the bank and sold and administered by a third-party service provider to the bank’s customers from 2003–2012. Specifically, the CFPB alleged that customers were unfairly billed by the service provider for certain products that offered credit monitoring and credit report retrieval services without receiving the full benefit of the services. Customers who enrolled in these add-on identity theft products were required to provide sufficient written authorization and personal verification before the customers’ credit bureau reports could be accessed. However, according to the Bureau, in many instances time passed before a customer’s authorization was obtained or a customer’s authorization was never obtained. In other instances, the credit bureau could not match the customer’s identification information with its records. Although the bank’s vendor, rather than the bank itself, was directly responsible for selling and administering the products, the CFPB found that the bank’s compliance monitoring, service provider management, and quality assurance functions had failed to prevent, identify, and correct the unfair practices, resulting in substantial injury to more than 420,000 consumers. According to the CFPB’s order, this injury was not reasonably avoidable by consumers, and was not outweighed by any countervailing benefit to consumers or competition, and, therefore, the bank engaged in unfair practices.

    The consent order requires the company to pay $47,900,000 in redress to compensate consumers injured by the alleged unfair billing practices, as well as a $5 million penalty to the CFPB. In addition, the consent order requires the bank to: (i) correct all unfair practices related to improper customer billing for add-on identity protection products and take numerous additional corrective actions to ensure that neither the bank nor its service providers or affiliates engage in such practices in the future; (ii) obtain CFPB non-objection prior to marketing, selling, or referring customers to identity protection products in the future; and (iii) review and, if necessary, revise the bank’s third-party risk management and responsible banking programs to ensure that, among other things, the bank conducts periodic onsite reviews of any add-on service provider’s controls, performance, and information systems. A separate OCC consent order also requires the bank to pay an additional $4 million civil money penalty to the OCC.

    CFPB OCC Vendors Enforcement Ancillary Products

  • CFPB Supplements Consumer Reporting Guidance, Holds Consumer Advisory Board Meeting, Issues Consumer Reporting Complaints Report

    Consumer Finance

    On February 27, the CFPB issued supplemental guidance related to consumer reporting and held a public meeting focused on consumer reporting issues. The CFPB also released a report on consumer reporting complaints it has received.

    Supervisory Guidance

    The CFPB issued a supervision bulletin (2014-01) that restates the general obligations under the Fair Credit Reporting Act for furnishers of information to credit reporting agencies and “warn[s] companies that provide information to credit reporting agencies not to avoid investigating consumer disputes.” It follows and supplements guidance issued last year detailing the CFPB’s expectations for furnishers.

    The latest guidance is predicated on the CFPB’s concern that when a furnisher responds to a consumer’s dispute, it may, without conducting an investigation, simply direct the consumer reporting agency (CRA) to delete the item it has furnished. The guidance states that a furnisher should not assume that it ceases to be a furnisher with respect to an item that a consumer disputes simply because it directs the CRA to delete that item. In addition, the guidance explains that whether an investigation is reasonable depends on the circumstances, but states that furnishers should not assume that simply deleting an item will generally constitute a reasonable investigation.

    The CFPB promises to continue to monitor furnishers’ compliance with FCRA regarding consumer disputes of information they have furnished to CRAs. Furnishers should take immediate steps to ensure they are fulfilling their obligations under the law.

    Consumer Advisory Board Meeting

    The public session of this week’s two-day Consumer Advisory Board (CAB) Meeting featured remarks from Director Cordray, and a discussion among CAB members, industry representatives, and consumer advocates on several major topics: (i) use of credit history in employment decisions; (ii) consumer access to credit information; and (iii) the credit dispute process.

    Mr. Cordray focused on steps the CFPB has taken related to the credit reporting market, including: (i) launching a complaint portal through which consumers have submitted 31,000 consumer reporting complaints, nearly 75% of which have related to the accuracy and completeness of credit reports; (ii) beginning to supervise large credit reporting companies and many large furnishers; (iii) identifying process changes, including upgrades to the e-Oscar consumer dispute system to allow consumers to file disputes online and to provide furnishers direct access to dispute materials; and (iv) issuing guidance to furnishers on resolving consumer disputes.

    Mr. Cordray also expressed support for a “major initiative” in the credit card industry to make credit scoring information more easily and regularly available to card holders. Mr. Cordray stated that he sent letters to the CEOs of the major card companies “strongly encouraging them to consider making credit scores and educational content freely available to their customers on a regular basis.” He added that he sees “no reason why this approach should not be replicated with customers across other product lines as well.”

    In his CAB remarks, Mr. Cordray also identified some persistent concerns that resulted in the additional furnisher guidance issued today, discussed above.  He stated that “[s]ome furnishers are taking short-cuts to avoid undertaking appropriate investigations of consumer disputes. For example, a consumer may find an error on the credit report and file a dispute about an incorrect debt or a credit card that was never opened. In response, the furnisher may simply delete that account from the information it passes along to the credit reporting company.” He stated that such practices deprive consumers of important protections.

    During the discussion session, consumer advocates complained that credit reports provided to consumers are not the same as the reports provided to creditors. They claimed that consumers receive “sterilized” versions and do not, for example, get to see if their file is mixed with someone else’s file. They also complained that the reports do not provide credit scores.

    With regard to the CFPB’s support for creditors disclosing credit scores on a regular basis, several participants, including a representative for CRAs, stated that creditors should be free to provide the credit score of their choice, and not only FICO.  Mr. Cordray and the CFPB’s Corey Stone responded that the CFPB is encouraging voluntary participation in score disclosure programs, but stated the Bureau does not believe that any one score needs to be disclosed. Instead, Mr. Stone explained that creditors should provide the score that is most relevant and useful for its customers.  Mr. Cordray stressed the importance of providing educational information with the score, regardless of what score is provided.

    The consumer advocates also were sharply critical of the CRAs and certain creditors’ dispute resolution processes. One participant raised specific concerns about the lack of human interaction in online dispute processes and the sale of certain add-on products offered during the dispute process.

    The industry’s representative defended recent enhancements to the dispute process and highlighted the efficiency benefits of online disputes, including quicker resolution.  He added that many furnishers prefer to hear directly from their customers, and that the real issue is how creditors respond.

    Report on Consumer Reporting Complaints

    The “credit reporting complaint snapshot” states that of the nearly 300,000 complaints the CFPB has received on a range of consumer financial products and services, approximately 31,000 or 11 percent have been about credit reporting. The CFPB accepts consumer credit reporting complaints in five categories: (i) incorrect credit report information; (ii) credit reporting company’s investigation; (iii) improper use of a credit report; (iv) inability to obtain credit report or score; and (v) credit monitoring or identity protection services. The CFPB reports that the most common complaints related to incorrect information on a credit report, while very few complaints related to identity protection or credit monitoring services. The report reviews the complaint handling process, and indicates that companies have resolved approximately 91 percent of the complaints submitted to them.

    CFPB Nonbank Supervision Debt Collection Consumer Reporting Bank Supervision Agency Rule-Making & Guidance

  • House Democrats Encourage FTC Scrutiny Of Consumer Reporting Agencies' Add-On Products Marketing

    Consumer Finance

    On December 18, a group of House Democrats sent a letter urging the FTC to focus on the online marketing of products and services by consumer reporting agencies (CRAs). The lawmakers assert that CRAs “often require consumers to jump through hurdles, presumably in an effort to generate additional revenue.” The lawmakers suggest that certain CRAs’ websites mislead and confuse consumers, particularly with regard to the marketing of “free” consumer products and services that are conditioned upon consumers signing up for “costly add-on services such as ongoing credit monitoring.” The letter identifies the following specific practices for FTC scrutiny: (i) marketing “free” products or services that automatically convert to a monthly subscription if the consumer does not cancel within a trial period; (ii) “prominent” advertising of discount packages without disclosing that the initial small dollar enrollment fee converts into a subscription service; and (iii) requiring consumers to set up accounts before being granted access to their credit score or reports, while “barrag[ing]” consumers with add-on product offerings during the account registration process.

    CFPB FTC Consumer Reporting U.S. House

  • CFPB, OCC Announce Add-On Product Actions, Other Non-Mortgage Enforcement Action

    Consumer Finance

    On September 19, the CFPB and the OCC announced parallel enforcement actions against a national bank to resolve allegations that the bank engaged in the unfair and deceptive marketing, sale, and billing of “add-on products” across multiple consumer products, and the OCC announced a separate order that resolves claims related to the bank’s non-home loan debt collection litigation practices and compliance with the SCRA.

    Under the CFPB’s consent order, the bank will pay a $20 million penalty to resolve allegations that over a seven-year period ending in March 2012, the bank, through its vendor, enrolled customers in credit monitoring and identity theft products, and charged some customers for these products without or before having received written authorization to perform the monitoring services. The CFPB order also requires restitution to affected customers, and numerous requirements to enhance compliance, including with regard to vendor oversight. Under the OCC’s parallel action, the bank entered a consent order similar to the one entered with the CFPB, and consented to pay a $60 million penalty.

    The CFPB order acknowledges the bank’s representations that it no longer offers the scrutinized products and that it already has credited or refunded affected customers. The bank’s press release also reaffirms its commitment to holding its vendors to high standards.

    In a separate action announced by the OCC on the same day, the bank also entered a consent order to resolve allegations of unsafe or unsound practices with regard to its non-mortgage debt collection litigation practices and its non-mortgage SCRA compliance. As the bank pointed out in a press release, the consent order relates to only a slight percentage of credit card, student loan, auto loan, business banking and commercial banking customers who defaulted on their loan or contract and the resulting collections litigation that followed several years ago. The press release explains that the bank uncovered the issue in internal reviews that began in 2010 and took several steps in response, including: (i) halting new credit card collections litigation in 2011, (ii) dismissing the impacted lawsuits, and (iii) improving SCRA controls.

    Credit Cards CFPB OCC Servicemembers Debt Collection SCRA Enforcement Ancillary Products

  • CFPB Announces Enforcement Action Against Credit Card Issuer

    Fintech

    On September 24, the CFPB announced that it resolved an investigation initiated by the FDIC and subsequently joined by the CFPB into telephone sales of certain ancillary or “add on” products marketed and sold by a major credit card issuer. The products related to (i) payment protection, (ii) credit monitoring, (iii) identity theft protection, and (iv) protection in the event of wallet loss. Pursuant to the Joint Consent Order released by the CFPB, the bank will pay a $14 million penalty and provide approximately $200 million in restitution to eligible consumers who purchased one or more ancillary products over a period of approximately four years. The order also calls for certain changes to the bank’s marketing and sales practices in connection with the products. During a press call to announce the consent order, CFPB Director Richard Cordray explained that the CFPB “expect[s] that more such actions will follow.” The CFPB is publishing the orders from its various actions on its administrative adjudication docket. Mr. Cordray also stated that “[i]n the meantime, [the CFPB is] signaling as clearly as [it] can that other financial institutions should review their marketing practices to ensure that they are not deceiving or misleading consumers into purchasing financial products or services.” In July, the CFPB issued Bulletin 2012-06, which outlines the CFPB’s expectations for the institutions it supervises, and their vendors, with regard to offering ancillary products in compliance with federal consumer financial laws. BuckleySandler represented the bank in this joint CFPB-FDIC investigation and enforcement action.

    Credit Cards CFPB Enforcement Ancillary Products

  • CFPB Announces First Public Enforcement Action; Issues Related Compliance Bulletin

    Consumer Finance

    On July 18, the CFPB announced its first public enforcement action - a Consent Order entered into by a major credit card issuer to resolve allegations that the issuer’s vendors deceptively marketed ancillary products such as payment protection and credit monitoring. The OCC made a corresponding enforcement announcement and released a Cease and Desist Order and Civil Money Penalty to resolve related charges. Under the CFPB order, the issuer will refund approximately $140 million to roughly two million customers, and will pay a $25 million penalty. The OCC order requires restitution of approximately $150 million (of which $140 million overlaps with the CFPB order) and an additional $35 million civil money penalty. Under both agencies’ actions, the issuer is prohibited from selling and marketing certain ancillary products until it obtains approval to do so from the regulators, and the issuer must take specific actions to enhance compliance with consumer financial laws.

    Concurrently, the CFPB issued Bulletin 2012-06, which states that the CFPB expects supervised institutions and their vendors to offer ancillary products in compliance with federal consumer financial laws. The guidance cites “CFPB supervisory experience [that] indicates that some credit card issuers have employed deceptive promotional practices when marketing” such products, including (i) failing to adequately disclose terms and conditions, (ii) enrolling customers without their consent, and (iii) billing for services not performed. The Bulletin reviews applicable federal law and outlines the compliance program components that the CFPB expects supervised institutions to maintain.

    Credit Cards CFPB OCC Enforcement Ancillary Products
