Last year the Consumer Financial Protection Bureau (CFPB) settled 59 enforcement actions, of which 10 involved depository institutions. In the coming year, we have learned from the CFPB enforcement chief that the agency plans to target three sectors it sees exhibiting the riskiest behaviors – debt collection, mortgage servicing and student loans.

Have you ever wondered how the CFPB finds the targets for its enforcement actions? Well, one example has been recently revealed in a web of Consent Orders. The quote of Sir Walter Scott seems relevant in this case, “Oh what a tangled web we weave, When first we practise to deceive!” Here is a visual of how the CFPB traveled across a tangled web of alleged deception to bring enforcement actions against covered persons and their service providers, collecting over $9 million in restitution for consumers and penalties.

Click here to view flow chart.

The clear message here is to understand who may be deemed a “service provider” to a “covered person” under the Consumer Financial Protection Act and to continuously monitor the regulatory actions involving business partners. As these actions show, the burden now lies with legal counsel, compliance officers and risk managers to develop and implement robust policies and procedures to ensure all service providers are being adequately vetted and routinely monitored to ensure they remain in compliance to all Federal consumer protection laws.

Overview

It is widely understood the CFPB first focused its attention on larger bank financial institutions. Shortly after it began operations, the CFPB sent teams of examiners and supervisory personnel into these institutions in order to review their operations, as well as their policies and procedures surrounding compliance with federal consumer financial laws. The CFPB’s first interactions were with banks such as Discover, American Express, Capital One, and U.S. Bank. A review of one supervisory thread involving U.S. Bank reveals how it developed into four separate enforcement actions and maybe more to come.

Following the CFPB’s Web

In re U.S. Bank National Association and In re Dealers’ Financial Services, LLC, Administrative Proceedings File No. 2013-CFPB-0003 and 0004 (Consent Orders entered 26 June 2013).

Dealers Financial Services (DFS) was reached by the CFPB in this matter as a “service provider” to U.S. Bank, as DFS designed and marketed an automobile loan program targeted toward military servicemembers, with U.S. Bank simply taking assignment and financing the deals. The program was referred to as the Military Installment Loans and Educational Services (MILES) program, an automobile loan program targeted toward military servicemembers. Again, DFS did not provide financing and was not a creditor, but it was the entity that marketed the MILES program.

CFPB took issue with two aspects of the program: (1) DFS deceptively marketed the prices for add-on vehicle service contracts (VSC) and guaranteed asset protection (GAP) insurance products, and (2) DFS deceptively marketed the scope of the coverage of a VSC during sales calls. More specifically, as to the first point, the MILES Program VSC brochure contained a statement that purchasing the VSC would add “just a few dollars to your monthly payment”; however, the average cost of the program was more like $40 per month on a five-year loan.See Consent Order, ¶¶ 13-14. As to the second point, the DFS call script included statements that the “service contract covers mechanical breakdowns” and “[i]f you visit any MILES dealership for a repair of a covered mechanical breakdown, you will pay $0” but did not prominently disclose the parts excluded from coverage. See id., ¶ 15. The MILES Program brochure listed covered parts but did not prominently disclose the parts excluded from coverage, which were only detailed in the VSC itself, which was not received until after the transaction. See id.

U.S. Bank and DFS were required to repay about $6.5 million to resolve CFPB’s claims they misled servicemembers who participated in the MILES auto lending program. The key takeaway from the DFS Consent Order is the CFPB can reach “service providers” that provide material service to a covered person in connection with the provision of a consumer financial product or service. While the CFPB could not have directly regulated the add-on products being financed, the CFPB was able to reach the service providers making such products available for financing by the bank due to the significant role they played in the challenged conduct.

An easily overlooked allegation in the Consent Order is in Paragraph 8, which discussed the company that processed the allotments from the servicemembers. According to that allegation: “The MILES Program effectively requires servicemembers to use Military Assistance Company, LLC (MAC) for processing allotments. MAC collects, and shares with DFS, a $3 monthly fee for allotment processing.” Less than two years later, MAC was signing its own Consent Order with the CFPB.

In the Matter of Fort Knox National Company and Military Assistance Company, LLC Administrative Proceeding File No. 2015-CFPB-0008 (Consent Order entered 20 April 2015)

Fort Knox National Company, through its subsidiary MAC, was engaged in the payment processing business assisting servicemembers with their allotments. Allotments allow service members to pay bills, insurance premiums, mortgages, support orders and other recurring obligations directly out of their military pay. The military allotment process occurs through the Defense Finance and Accounting Service and can provide a benefit allowing servicemembers to ensure designated amounts of money are automatically distributed on their behalf. The CFPB alleged MAC was a covered person as it processed payroll deductions – the allotments – and paid creditors on behalf of servicemembers from their allotments. This payroll processing activity meant MAC was a “covered person” since the payment processing activities fell within the definition of “financial product or service.” 12 U.S.C. § 5481(6)(A), (15)(A)(iv) & (vii).

The CFPB alleged MAC did not disclose various fees charged. In the core allegation, the CFPB alleged in approximately one-third of accounts, excess funds accumulated in payment accounts often without servicemembers’ knowledge, even after an obligation had been paid off. In these “Residual Balance” situations, MAC charged a fee that was never disclosed to the servicemembers. While MAC sent monthly letters to those who had accumulated Residual Balances, and while accounts could be accessed online, servicemembers were never informed of the amounts or types of Residual-Balance fees to which they would be subject. In fact, the CFPB alleged servicemembers could obtain an account history, reflecting fee charges, only upon paying another $25 fee.

The CFPB alleged these practices were “abusive” as that term is defined in the unfair, deceptive, or abusive act and practices provisions (UDAAP) of the Consumer Financial Protection Act, 15 U.S.C. § 5536. Specifically, CFPB alleged “[s]ervicemembers may not have understood that they would be charged Residual Balance Fees if they accrued a Residual Balance because Respondents did not adequately disclose specific fees and did not notify Servicemembers when they had incurred specific fees.” Consent Order, ¶ 15.

“Service Providers” are on Notice: Ensure Compliance with Consumer Financial Protection Laws

This most recent enforcement action appears to be the end of this web, as there were no new entities disclosed in the MAC Consent Order. This is a very instructive example to show how the CFPB embeds itself within a covered person’s operations and seemingly leaves no stone unturned in reviewing compliance with consumer financial protection laws.

The DFS matter is interesting to the extent the CFPB not only executed a consent order with the “covered person”, U.S. Bank, but it was the first time the CFPB also executed a consent order with the “service provider” over which it has jurisdiction. In prior matters, like the Discover, American Express and Capital One consent orders, the CFPB did not execute consent orders with the third party service providers. However, in the DFS matter, it was the service provider that took a more active role in the sales process. As the CFPB noted, “DFS recruits and trains the MILES dealers, operates the MILES website, and is responsible for the marketing aimed at selling MILES Program loans and add-on products.” See Consent Order, ¶ 20. While the DFS matter is distinguishable on that basis, many in the financial services industry believe this marks a new enforcement focus for the CFPB, and the expectation is CFPB will continue to target service providers going forward.

Who are “Service Providers?”

The difficult issue is determining exactly what entities might be “service providers.” As a preliminary matter, there is a statutory definition. Specifically, this provision provides:

The term ‘‘service provider’’ means any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service, including a person that—

(i) participates in designing, operating, or maintaining the consumer financial product or service; or

(ii) processes transactions relating to the consumer financial product or service (other than unknowingly or incidentally transmitting or processing financial data in a manner that such data is undifferentiated from other types of data of the same form as the person transmits or processes).

12 U.S.C. § 5481(26)(A) (emphasis added). The DFS matter shows one example of active participation in the design and operation of a consumer financial produce or service. Yet, there are many vendors banks and other covered persons utilize on a daily basis, ranging from information technology service providers to call centers.

On April 13, 2012, the Consumer Financial Protection Bureau (CFPB) released Bulletin 2012-03, which stated the CFPB would expand its examination scope beyond supervised institutions themselves and examine their service providers as well. CFPB Bulletin 2012-03, Service Providers (April 13, 2012). According to CFPB Director Richard Cordray, “[c]onsumers must not be hurt by unfair, deceptive or abusive practices of service providers, and [b]anks and nonbanks must manage these relationships carefully and can be held accountable if they break the law.” The CFPB’s bulletin expressed concerns about the lack of liability by the lender to the consumer for third party behavior. In other words, the CFPB deputized covered persons to ensure their service providers also follow the law, or they themselves would run enforcement risk for not having a robust vendor management process in place.

The Bulletin is not in the form of a regulation, meaning it does not follow the federal Administrative Procedure Act, which governs most federal rules and regulations. While this is unusual in the regulatory environments in which a number of state-regulated nonbanks operate, it is not uncommon in banking regulation where many similar “guidance” documents have the force of law. For this reason, and in light of the DFS matter, many covered persons are expansively defining what vendors are deemed service providers, and requiring they provide evidence of compliance with CFPB expectations.

Takeaway

With the issuance of the CFPB Bulletin 2012-03 and the U.S. Bank / DFS / MAC matters, the CFPB has clearly demonstrated and asserted its supervision and enforcement authority over a broad area of the consumer financial services industry, touching nearly every player involved with one challenged service. As these actions show, the burden now lies with legal counsel, compliance officers and risk managers to develop, and implement, robust policies and procedures to ensure service providers are being adequately vetted and routinely monitored to ensure they remain in compliance to Federal consumer protection laws.