CFPB’s First Enforcement Action Warns Financial Institutions About Liability for Third Party Activities on their Behalf; Related Compliance Bulletin Offers Guidance

On July 18, 2012, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) marked its one-year anniversary by announcing its first public enforcement action with an Order requiring Capital One Bank to refund approximately $140 million to two million customers and to pay a $25 million civil monetary penalty to settle charges that some of its third party call-center vendors used “deceptive marketing tactics” to pressure or mislead consumers into paying for ancillary products to the bank’s credit cards. These fee-based “add-on” products included credit monitoring and payment protection, offered to customers when they contacted call centers to activate their new credit cards. The CFPB coordinated its enforcement action against Capital One with a parallel action by the Office of the Comptroller of the Currency (“OCC”), which last week entered into a related Consent Order requiring Capital One to pay a $35 million civil monetary penalty to the OCC for violating Section 5 of the Federal Trade Commission (“FTC”) Act, as well as an additional $10 million in restitution for customers allegedly harmed by unfair billing practices (the OCC Order officially requires payment of $150 million in restitution, which includes the $140 million required by the CFPB order).

Pursuant to the Dodd-Frank Act, the CFPB is authorized to issue consent orders and take actions against covered institutions engaging in unfair, deceptive, or abusive practices. The CFPB’s Consent Order marks the first time the Bureau has imposed a penalty under sections 1053 and 1055 of the Consumer Financial Protection Act, which prohibit any person that offers or provides consumer financial products and services from “engag[ing] in any unfair, deceptive, or abusive act or practice.” 12 U.S.C. § 5536(a)(1)(B).

The CFPB’s enforcement action against Capital One is particularly notable because it makes clear that the CFPB intends to hold financial institutions fully liable for the actions of their third party vendors. While examining Capital One, the CFPB determined that Capital One’s call-center vendors engaged in deceptive tactics to sell the company’s credit-card add-on products such as the company’s “payment protection” service which allowed consumers to request that the bank cancel up to 12 months of minimum payments if they experienced certain hardships and a “credit monitoring” program which allowed a consumer identity theft protection, access to credit education specialists and in some cases, daily monitoring and notification. Capital One has denied all liability in connection with the deceptive practices identified by the CFPB, stating that the alleged misconduct was attributable to third party vendors who failed to adhere to Capital One’s “sales scripts and sales policies for payment protection and credit-monitoring products,” but conceded that the Bank “did not adequately monitor their activities.” In addition to levying monetary penalties on Capital One, the Consent Order also requires Capital One to cease marketing the add-on products at issue until the bank submits an acceptable compliance plan to the CFPB. Capital One must also submit to an independent audit to determine if it has met the conditions of the consent decree, and it must ensure the refunds are automatic so that consumers do not have to take any action to obtain their refunds.

Other Financial Institutions Targeted

Significantly, the CFPB made clear that other card issuers who market similar products may soon face enforcement actions as well. In remarks to reporters, CFPB Director Richard Cordray stated that “these deceptive marketing tactics for credit card add-on products are not unique to a single institution” and that the CFPB “expect[s] announcements about other institutions as [its] ongoing work continues to unfold.” According to the Bureau, “[c]omplaints received by the CFPB indicate—and the Bureau's supervisory experience confirms—that other consumers have been misled by the marketing and sales practices associated with credit card add-on products.” Cordray further stated that the CFPB intends to seek restitution from other companies that are the subject of such future enforcement actions. “Companies engaging in deceptive practices will be expected to refund fees paid by consumers and, particularly where practices are widespread, pay an appropriate penalty.” It is unclear how many more cases against credit-card companies may be in the pipeline. The CFPB and the FDIC, for example, have subpoenaed Discover Financial Services amid a probe into that lender’s marketing of fee-based products, including debt-protection, according to a June filing by the company. Further, a March 2011 Report from the Government Accountability Office stated that the nine largest credit card issuers had 24 million customer accounts with debt protection products in 2009. The report said such products often carry high fees and are difficult for consumers to understand. And state attorneys general have entered the fray, with lawsuits already filed by the Hawaii attorney general, for example, against multiple major financial institutions, targeting marketing practices related to ancillary credit card products. These and similar enforcement actions will only be assisted by the CFPB’s detailed account in its July 18 Consent Order of the alleged misconduct, which provides a roadmap not only for other enforcement agencies, but also for private litigants, and thus may facilitate a wave of follow-on civil litigation targeting such practices.

The Compliance Bulletin

In addition to the July 18 Consent Order, the CFPB also concurrently issued a compliance bulletin which “puts other institutions on notice that the CFPB will not tolerate deceptive marketing practices, and institutions will be held responsible for the actions of their third party vendors.” While focused on credit card add-on products, the bulletin is also intended to serve as guidance for the marketing of similar products offered in connection with other forms of credit or deposit services.

Compliance Bulletin 2012-06 outlines certain proactive measures that companies under its supervision should take in marketing such ancillary products to ensure that they and their service providers comply with federal consumer financial laws. In particular, the CFPB instructs that these measures include, but are not limited to, ensuring that:

• Marketing materials reflect the actual terms and conditions of the product and are not deceptive or misleading to consumers;
• Employee incentive or compensation programs tied to the sale and marketing of add-on products do not create incentives for employees to provide consumers with inaccurate information;
• Scripts and manuals used by the institution’s vendors are clear, complete, and accurate, and that they prohibit enrolling consumers without clear affirmative consent, and provide clear guidance regarding rebuttal language and limits on the number of times that a telemarketer or agent may attempt to rebut consumer requests for additional information or to decline the product;
• Telemarketers and customers service representatives do not deviate from approved scripts;
• Applicants are not required to purchase add-on products as a condition of obtaining credit, and
• Cancellation requests are handled in a manner consistent with the product’s actual terms and conditions and in a manner that does not mislead the consumer.

The Bulletin also provides guidance on the CFPB’s views about the components of effective compliance management programs. Such programs should include written policies and procedures to ensure compliance with applicable federal and state laws and regulations, periodic quality assurance reviews, independent audits, oversight of affiliate or third-party service providers, a system for handling complaints, and an employee training program.

Institutions that offer credit card products and services, as well as similar products in conjunction with other credit or deposit services, should carefully consider the guidance set forth in the Bulletin. The Bulletin reiterates that the CFPB will continue to closely review the operations of credit card issuers and service providers to assess whether additional enforcement actions may be necessary to protect consumers from deceptive sales and marketing practices. In a fact sheet also released on July 18, the CFPB advised that its Compliance Bulletin “warns other financial institutions the CFPB will not tolerate deceptive marketing practices,” and notes that “[t]he Bureau’s Consumer Response Office has received complaints about other credit card add-on products, which the Bureau will monitor.” Among the key lessons from the CFPB and OCC enforcement actions announced July 18 is that financial institutions need to have robust compliance and oversight policies and procedures with respect to their third party vendors, and that they must be vigilant in ensuring that their vendors adhere to the institutions’ compliance policies. Moreover, such institutions must maintain an active audit program to confirm vendor compliance with governing laws, rules, and regulations, as well as the institutions’ internal policies and procedures.

The CFPB’s Enforcement Action in Perspective

While the enforcement action announced July 18 is the first such action by the CFPB, the Bureau has been aggressive in fulfilling its mandate and its efforts to rectify deceptive credit card marketing practices join its other consumer protection efforts. These include the Bureau’s efforts to address financial challenges facing military service members and the elderly, proposing revised, simplified disclosures for mortgages, credit cards, and student loans, encouraging and responding to consumer complaints (facilitated by the use of online consumer complaint databases), and a heightened focus on fair and responsible lending. Although it remains to be seen whether this enforcement action is representative of the approach the CFPB will take in future enforcement actions, notably, the Bureau used its first enforcement action to provide industry-wide guidance regarding its expectations as to the conduct that was the subject of the action. This guidance approach, if it becomes part of the CFPB’s enforcement practice, may provide valuable insights to covered institutions regarding what the CFPB views as unfair, deceptive, or abusive practices, but also may become a form of rule-making that circumvents the administrative procedures and safeguards that otherwise would apply.