Charging unfair, deceptive, or abusive acts or practices ("UDAAP") in its first public enforcement action, the Consumer Financial Protection Bureau ("CFPB") issued a Consent Order to Capital One Bank (USA), N.A. (the "Bank") on July 17, 2012 for allegedly "deceptive acts or practices" in connection with the marketing, sales and operation of payment protection and credit monitoring products to credit card consumers (the "CFPB Consent Order")1. Claiming UDAAP violations under Sections 1031 and 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the "Dodd-Frank Act"),2 the CFPB Consent Order requires refunds totaling $140 million to approximately two million customers, assesses an additional $25 million civil money penalty, imposes disclosure requirements, mandates a new compliance regime and directs an independent review to ensure compliance.

Although the CFPB Consent Order details the CFPB's allegations against the Bank following its investigation and reports its conclusions as "findings," the CFPB Consent Order is, in effect, a statement of position by the CFPB and a settlement by the Bank and the CFPB of all charges. The Bank neither admits nor denies any fact, finding, conclusion, or issue of law and does not concede any violation of law. The CFPB Consent Order also makes clear that, by agreeing to institute a practice pursuant to the CFPB Consent Order, the Bank is not admitting that the Bank's practice was otherwise prior to the date of the CFPB Consent Order. By agreeing to the issuance of the CFPB Consent Order without admitting or denying any fact, finding, conclusion, issue of law or alleged violations of law, the Bank preserves its positions in other contexts; however, the Bank does waive the rights it otherwise would have had to contest the CFPB's charges in an administrative proceeding and, upon further judicial review, in a court, including potential objections to the existence or the scope of the jurisdiction of the CFPB.3

The CFPB Consent Order offers important insights into the CFPB's approach toward UDAAP, its enforcement priorities, specific legal standards that it will employ, and the type of remedial actions and punitive measures that it might impose for UDAAP violations. These perspectives on the evolving CFPB enforcement policies have general applicability and are not limited to the underlying credit card add-on products that are the subject of the CFPB Consent Order. Notably, the CFPB did not allege that the Bank's acts or practices were "abusive," which is a new tool for consumer protection under the CFPB's UDAAP authority conferred by the Dodd-Frank Act. In addition, the CFPB cited the Bank for deceptive practices seemingly originating in the actions of a third party service provider – not in the Bank itself. The CFPB does allege failures by the Bank to prevent or even detect the improper conduct, but that is a qualitatively different violation, even if the Bank is responsible for the actions of its agents. However, this highlights a likely CFPB focus on service providers as a source for violations of Federal consumer financial law.

In conjunction with the CFPB Consent Order, the CFPB also issued a compliance bulletin entitled "Marketing of Credit Card Add-on Products" applicable to similar products offered by entities subject to CFPB jurisdiction ("CFPB Bulletin 2012-06").4 In addition to UDAAP, CFPB Bulletin 2012-06 cites (i) the Truth in Lending Act and its implementing regulation, Regulation Z, and (ii) the Equal Credit Opportunity Act and its implementing regulation, Regulation B, as laws and regulations that restrict the activities of such entities with respect to credit card add-on products. Significantly, CFPB Bulletin 2012-06 sets forth "CFPB Expectations" regarding steps that entities subject to CFPB jurisdiction should take to ensure that they market and sell credit card add-on products in a manner that limits the potential for statutory or regulatory violations and related consumer harm. These steps mirror various elements of the CFPB Consent Order. Moreover, the CFPB expressly intends that CFPB Bulletin 2012-06 serve as guidance applicable to similar consumer financial products, and the generalized principles enunciated therein likely have even broader applicability.

In a parallel development, the Office of the Comptroller of the Currency ("OCC") entered into a separate Consent Order with the Bank, dated July 17, 2012, and a related Consent Order for Civil Money Penalty, also dated July 17, 2012 (collectively, the "OCC Consent Orders").5 The OCC Consent Orders are based on alleged violations of (i) Section 5 of the Federal Trade Commission Act (the "FTC Act")6 and (ii) the safety and soundness regulation pertaining to debt cancellation contracts.7 In addition to remedial actions that are similar to those in the CFPB Consent Order (albeit with the requirement to deposit $150 million in a segregated account for the maximum potential restitution), the OCC levied a $35 million civil money penalty on the Bank through the Consent Order for Civil Money Penalty. The specific OCC allegations centered on "unfair and deceptive practices" ­– the CFPB Consent Order only alleged "deceptive acts or practices" ­– related to the same basic fact pattern as alleged in the CFPB Consent Order as well as "unfair practices" pertaining to certain billing practices dating back to 2002. The OCC undertook its actions in coordination with the CFPB. Although the CFPB and the OCC civil money penalties are separate, restitution paid to consumers pursuant to the CFPB Consent Order will satisfy obligations owed pursuant to the OCC action. As with the CFPB Consent Order, the Bank neither admits nor denies any findings of fact, conclusions of law, or alleged violations in its settlement with the OCC. This analysis focuses on the CFPB Consent Order, which is the first major precedent for the CFPB.

All entities subject to CFPB jurisdiction should carefully consider six primary aspects of the overall CFPB enforcement action, evaluate how such factors may apply to the entity's current business practices – both actual practices and perceived practices when viewed externally – and undertake any prudential or necessary measures in advance of a CFPB examination: (i) identify non-core business areas that may be subject to the expanded scope of a CFPB examination, (ii) prepare for enhanced scrutiny of third party service providers, (iii) review the sufficiency of internal controls, (iv) monitor and address complaints, (v) ensure the accuracy of both formal and informal disclosures and (vi) retain documentation of compliance.

The CFPB Consent Order

Factual Allegations Underpinning the Alleged Statutory Violations

The CFPB Consent Order is premised on CFPB charges of UDAAP violations in connection with the marketing, sale and operation of the Bank's payment protection products and credit monitoring products that were offered and sold to the Bank's consumer credit card accounts over a roughly 17-month time period.8The CFPB alleged that the Bank required consumers who applied for and received a credit card to activate newly issued or re-issued credit cards by telephone through third-party call centers and that the Bank routed consumers differently based on their credit scores and credit limits. Consumers in the Bank's subprime portfolio – or in the prime portfolio but with an initial credit line of $5,000 or less – were routed to a longer, seven-to-eight minute solicitation process for these add-on products. The CFPB indicated that the call center representatives engaged in improper sales practices, deviating from the scripts or misinterpreting the scripts in explaining the products, their terms and consumer eligibility for product benefits. Among the specific acts and practices that the CFPB charged violated UDAAP, representatives allegedly:

  • Indicated that the products would improve the consumer's credit scores and assist the consumer in receiving an increased credit line on the consumer's credit card;
  • Misrepresented the cost of payment protection products (e.g., implied that it was a free feature of the credit card or only cost a nominal amount);
  • Responded to requests for additional information by informing the consumer that they must first purchase the product;
  • Failed to determine employment status or characterized any income as self-employment for payment protection products, when in fact a consumer who was unemployed at enrollment was not eligible to submit a claim based on that unemployment period and would later be denied benefits for a loss prior to enrollment;
  • Cited unsubstantiated statistics and information;
  • Failed to inform the consumer that the products were optional;
  • Failed to obtain sufficient affirmative consent from the consumer before enrollment;
  • Repeated the misleading and incorrect assertions about the benefits and costs of the products when consumers called to cancel.

In viewing these as violations of Sections 1031 and 1036 of the Dodd-Frank Act, the CFPB concluded as a matter of law that the representations of the Bank's representatives were "false or misleading and constitute deceptive acts or practices." According to the CFPB, the Bank's compliance monitoring, service provider management and quality assurance resulted in ineffective oversight that failed to prevent, identify or correct the improper sales practices.  

Compliance Plan

The CFPB Consent Order requires the Bank to cease and desist from all marketing or solicitation of any of the products until it has submitted a compliance plan to the CFPB for a prior determination of supervisory non-objection. The requirements of the compliance plan include sales practices restrictions, disclosure obligations and substantive cancellation/refund requirements.  

  • Sales Practices Restrictions. The CFPB Consent Order places restrictions on the Bank's consumer marketing and solicitation efforts:
    • Marketing materials, telemarketing scripts and/or sales presentations used to solicit consumers must not contain "any material deceptive representation, statement, or omission, expressly or by implication";
    • The Bank may not market or solicit the products in connection with card activation calls unless the consumer is first informed that the card activation process is complete and that listening to the solicitation is optional;
    • Scripts must "clearly and prominently" explain and accurately assess a consumer's eligibility for the products, and they must disclose that the consumer is purchasing a product, the charges therefor and the cancellation and refund policies;
    • The consumer must "affirmatively request or consent to purchase" the product after reading any disclosures required by Federal consumer financial laws;
    • If a consumer requests information about a product prior to purchase, the Bank must provide information that includes, without limitation, its material conditions, benefits and restrictions and may not condition the provision of such information on enrollment;
    • The information may be provided in written or electronic form.  
  • Disclosure Obligations. The CFPB Consent Order requires the Bank, within three (3) days after a consumer purchases a product, to mail the consumer a disclosure that "clearly and prominently" presents certain information:
    • The fact that the consumer purchased a product, the date of purchase and the amount of the fee;
    • The product's material conditions, benefits and restrictions;
    • The fact that the consumer's credit card account has incurred fee charges and the date when the charges were first incurred;
    • The date on which the fee charges will appear on the consumer's account statement;
    • The total cost of the product, how the fee is calculated and the fact that fee will be charged at the end of each billing cycle in which the consumer maintains a balance, even if the balance is paid in full during the applicable grace period;
    • The product's cancellation policy and the phone number to cancel;
    • The product's refund policy, including the date by which the consumer must cancel to avoid incurring a fee;
    • A clear and prominent message on the first page of the periodic statement on which a product charge appears that highlights the inclusion of the charge and notifies the consumer of the right to cancel.
  • Cancellation/Refund Requirements. The CFPB Consent Order imposes substantive requirements with regard to cancellations and refunds:
    • If a consumer requests cancellation within 30 days of receiving the first periodic statement on which a product charge appears, the Bank must refund any and all charges related to the product, including any interest or finance charges accrued as a result of the product charges;
    • If a consumer telephonically indicates, in substance, that the consumer did not authorize the product, the Bank must either (i) immediately agree to cancel the product without attempting to re-sell and refund all fees and charges incurred since enrollment, or (ii) review whether the consumer authorized the purchase and, if the Bank determines that the consumer authorized the purchase, provide the consumer with all information providing the basis for the determination, including audio call recordings;
    • If a consumer telephonically indicates, in substance, that the consumer does not want, does not need or wishes to cancel a product, the Bank must immediately agree to cancel the product without attempting to re-sell.  

Restitution and Remediation

The CFPB Consent Order requires the Bank to prepare a remediation plan within 30 days and to submit it to the CFPB for a prior determination of supervisory non-objection. Remediation to affected consumers will be equal to the greater of (i) restitution of fees, charges and interest or (ii) monetary relief for denied claims under the payment protection product. Remediation will be determined separately for each product. For consumers that receive remediation as a credit that decreases an existing or charged-off balance, the Bank is required to report the updated balance to each credit reporting agency to which it had furnished the balance, delete the account trade line or, for accounts sold to an unaffiliated third party, request that the new third party owner of the debt take either such action. In addition, the Bank's Audit and Risk Committee must prepare a remediation report detailing the Bank's determination of the required restitution or monetary relief, and the Bank must retain an independent certified public accounting firm to determine compliance with the remediation plan in accordance with AICPA attestation standards.

Civil Money Penalty

The CFPB Consent Order imposes a civil money penalty of $25 million payable to the Consumer Financial Civil Penalty Fund.

Compliance Management System

The CFPB Consent Order requires the Bank to revise its compliance management system and to submit the revisions to the CFPB for a prior determination of supervisory non-objection. The revisions must include a written, enterprise-wide program to ensure that all consumer products and services sold by the Bank or through its service providers comply with the UDAAP prohibitions. Indeed, the CFPB Consent Order requires the Bank to prepare a written analysis of any changes to the governance, control, marketing, sales, delivery, servicing and fulfillment of services for consumer products, including any new products, considered to be at "high risk" for UDAAP violations that are marketed or sold by the Bank or through its service providers. The CFPB Consent Order also requires the Bank to develop a written policy governing the management of service providers and to submit the policy to the CFPB for a prior determination of supervisory non-objection. Among other provisions, the policy must require written contracts with service providers that address internal controls, training, termination and the authority to conduct onsite reviews of the service provider. Record retention requirements also apply.

CFPB Bulletin 2012-06

CFPB Bulletin 2012-06 cites (i) the "deceptive practices" element of UDAAP under the Dodd-Frank Act, (ii) the Truth in Lending Act and its implementing regulation, Regulation Z, and (iii) the Equal Credit Opportunity Act and its implementing regulation, Regulation B, as primary statutes and regulations that an entity subject to CFPB jurisdiction might violate if it engages in the same types of acts or practices outlined in the factual findings of the CFPB Consent Order. Although it formally addresses credit card add-on products, CFPB Bulletin 2012-06 by its terms applies to other similar consumer financial products.9 Further, the bulletin sets forth "CFPB Expectations" that can be abstracted into even more general guidance that is potentially applicable to a wide array of consumer financial products and services.

Measures to Minimize Potential Violations

Building upon the provisions of the CFPB Consent Order, CFPB Bulletin 2012-06 indicates that, in order to limit the potential for violations of consumer financial laws in the marketing and sales of products, an institution should ensure that:

  • Marketing materials, including direct mail promotions, telemarketing scripts, internet and print ads, radio recordings, and television commercials, reflect the actual terms and conditions of the product and are not deceptive or misleading to consumers;
  • Employee incentive or compensation programs do not create incentives to provide inaccurate information;
  • Scripts and manuals used by the institution's telemarketing and customer service centers should (i) direct telemarketers and customer service representatives to accurately state the terms and conditions of the various products, including material limitations on eligibility for benefits, (ii) prohibit enrolling consumers in programs without clear affirmative consent obtained after the consumer is informed of the terms and conditions, (iii) provide clear guidance on rebuttal language and any limits on the number of rebuttal attempts regarding the consumer's request for additional information or to decline the product, and (iv) clarify that the purchase is not required as a condition of obtaining credit, unless there is such a requirement;
  • Telemarketers and customer service representatives do not deviate from approved scripts;
  • Applicants are not required to purchase products as a condition of obtaining credit;
  • Cancellation requests are handled in a manner that is consistent with the actual terms and conditions and that does not mislead the consumer.  

Effective Compliance Management

Again building on the provisions of the CFPB Consent Order, CFPB Bulletin 2012-06 indicates that the elements of a proper compliance management program include:

  • Written policies and procedures to ensure compliance with Federal and state consumer financial protection laws and regulations;
  • Periodic quality assurance reviews that include training materials and scripts;
  • Independent audits that also assess possible elevated risks of harming consumers;
  • Oversight of affiliates and third-party service providers that perform marketing or other functions so that such third-parties are held to the same standard, including audits, quality assurance reviews, training, and compensation structure.
  • A consumer complaint resolution processes;
  • Training for employees involved in the marketing, sale, and operation of products.  

The CFPB undoubtedly would apply other factors to different financial products and services, but the express CFPB statement that this guidance has applicability beyond credit card add-on products requires all entities subject to CFPB jurisdiction to consider carefully how their existing policies, procedures and practices conform to the general standards enunciated in CFPB Bulletin 2012-06.

The CFPB Consent Order as a Precedent CFPB Enforcement Approach

Both the form and the substance of the CFPB Consent Order offer insights into the possible CFPB approach toward ensuring compliance with the statutory UDAAP provision in particular and, in all likelihood, the enforcement of consumer finance law violations more generally.

  • Ad Hoc Enforcement Proceedings Instead of a Regulatory Regime. The CFPB Consent Order constitutes the first evidence that the CFPB may define the parameters of permissible activity under the UDAAP prohibitions through enforcement actions and not by promulgating extensive regulations for public comment in advance. The Dodd-Frank Act expressly empowers the CFPB to engage in rulemaking with respect to UDAAP.10 Since the enactment of the Dodd-Frank Act, one open question has centered on whether or not the CFPB would follow the lead of the Federal Trade Commission ("FTC"), which has promulgated relatively few regulations with respect to unfair or deceptive acts or practices ("UDAP" – in contrast to the CFPB's broader UDAAP powers) under the FTC Act and has instead relied on enforcement actions to establish the legal boundaries. In the case of the CFPB, the delay in the appointment of a Director extended the period of uncertainty, but this CFPB Consent Order may reflect CFPB Director Richard Cordray's preferred approach to addressing UDAAP violations. Ad hoc enforcement proceedings in the absence of a regulatory backdrop will afford the CFPB maximum operational flexibility when interpreting statutes and will minimize the opportunity for meaningful consumer financial industry input through an established rulemaking process. For consumer financial industry participants, this enhances the legal uncertainty and places a premium on ensuring that marketing, sales, lending and collection practices do not exceed the boundaries of what the CFPB regards as permissible conduct.
  • Imposition of Detailed Compliance Plan. The compliance plan in the CFPB Consent Order indicates that the CFPB is willing to impose new procedures that extend beyond the products or services that generated the alleged UDAAP violation. The compliance plan mandates detailed requirements affecting sales practices and essential business terms that an entity subject to CFPB jurisdiction could argue exceeds existing statutory or regulatory obligations. These are ongoing obligations that extend for a period of years and require independent, third party oversight.
  • Exportation of Compliance Plan to Industry. Although it is unknown whether the OCC or the CFPB drove the formulation of the compliance plan, the CFPB undertook the additional step of projecting many requirements of the compliance plan on all entities subject to its jurisdiction through the "CFPB Expectations" in CFPB Bulletin 2012-06. As noted earlier, these "expectations" mirror – and, in some instances, arguably build on – elements of the CFPB Consent Order. Moreover, CFPB Bulletin 2012-06 by its very terms extends to consumer financial products beyond the credit card add-on products at issue in the instant matter; CFPB Bulletin 2012-06 is intended to constitute general guidance to entities subject to CFPB jurisdiction. It remains to be seen if the CFPB will adopt as its modus operandi the initiation of a specific enforcement action accompanied by a broader compliance bulletin, but there is no reason to believe that this model could not be applied to other types of financial products and services.
  • Use of Disclosure. Not surprisingly, the CFPB Consent Order focuses on allegedly "false or misleading" disclosures by call center personnel, whether expressly or even "by implication," but it also imposes specific, new disclosure requirements in the compliance plan designed, in the CFPB's view, to prevent future harm to consumers. As noted above, the Bank, within three (3) days after a consumer purchases a product, must mail a written disclosure to the consumer. In addition, periodic statements must highlight the charges and notify the consumer of the right to cancel. Although these disclosure requirements are arguably specific to the Bank, and in any case specific to credit card add-on products, they evidence a willingness of the CFPB to impose substantive, new disclosure requirements on parties to enforcement actions that are very detailed and that leave virtually no discretion. Such requirements could well evolve into de facto industry standards, exposing consumer finance industry participants to allegations in private litigation and the accompanying risks if they do not adhere to these elevated requirements. The CFPB Consent Order represents a settlement, but these risks are real, even if the Bank did not admit any finding of fact or conclusion of law and the charges were not tested in either an administrative proceeding or in a court.
  • Civil Money Penalty. The willingness of the CFPB to impose a meaningful civil money penalty is also relevant. Although the CFPB and OCC monetary penalties in this case were a significant percentage of the restitution payments, such an amount, generally speaking, is not likely to constitute an excessive burden on most larger financial institutions. For a smaller financial institution, monetary restitution plus a significant civil money penalty could threaten its competitive viability. The magnitude of future CFPB levies merits close scrutiny. Unlike the OCC and the other Federal banking regulators, the CFPB does not yet have an established set of criteria for imposing civil money penalties based on specific violations of law, much less one that reflects a long record and is compiled in a publicly available database. Although the CFPB cited generic factors that informed its decision (e.g., the financial resources and good faith of the Bank, severity of losses by consumers, prior conduct of the Bank), it is not entirely clear what specific factors the CFPB considered in arriving at the civil money penalty (e.g., number of verified/unverified complaints, nature of complaints, ease of remediation, cooperation/non-cooperation by the alleged violator) and how the CFPB weighed those factors relative to one another. The CFPB civil money penalty was of the same order of magnitude as the OCC civil money penalty, but that may not be helpful as a predictor for future CFPB assessments. Recent OCC civil money penalties have ranged from nine-digit amounts levied against major financial institutions in connection with deficient residential mortgage loan servicing practices and in connection with faulty underwriting and lending practices involving violations of Regulation B and Regulation Z to a seven-digit amount levied against another major financial institution in a fact pattern involving UDAP violations with respect to the marketing and sale of credit protection services (i.e., similar to the fact pattern in the instant matter, with the exception that the alleged violator initiated a remediation plan).  Although it is difficult to draw reliable conclusions about the size of future assessments by the CFPB of civil money penalties, the CFPB will clearly wield civil money penalties and the threat thereof to discipline institutions for violations of the consumer financial laws.
  • Consumer Complaints as a Driver of Enforcement Actions. The CFPB press release in conjunction with the CFPB Consent Order noted that "[c]omplaints received by the CFPB indicate – and the Bureau's supervisory experience confirms – that other consumers have been misled by the marketing and sales practices associated with credit card add-on products," and a related CFPB website posting urged consumers to file a complaint if they are unable to resolve issues pertaining to unfamiliar fees on a credit card statement. Again, this development is entirely consistent with expectations. The CFPB Supervision and Examination Manual (the "CFPB Manual")11 states that "Target Reviews will generally involve a single entity and will focus on a particular situation such as [a] significant volume of particular customer complaints or a specific concern that has come to the CFPB's attention." The CFPB may receive such complaints directly through its portal, via state regulators, from the institution itself or from other sources (e.g., hearings, town hall meetings), and both the volume and the nature of the complaints are relevant. The CFPB Manual specifically notes that "complaints may provide indications of potential regulatory violations, including unfair, deceptive, or abusive acts or practices" and that "[c]onsumer complaints play a key role in the detection of unfair, deceptive, or abusive practices [and] have been an essential source of information for examinations, enforcement, and rule-making for regulators." Complaints lodged against third parties are relevant to the CFPB, and how an institution handles complaints is a "key element" in the CFPB's evaluation of its compliance management system. The CFPB recently adopted a policy statement on the disclosure of this credit card complaint data through a publicly accessible database.12 The data in the CFPB database suggests that complaint volume against the Bank was significant, which may have been a driving force behind the CFPB Consent Order.
  • Extensive Disclosure of Alleged Facts. The CFPB Consent Order delves into the alleged factual underpinnings of the violation, offering substantial detail. Although the CFPB may have felt a need to document thoroughly its first public enforcement action, this level of specificity provides a roadmap for parallel allegations by class action attorneys and State Attorneys General, even though the "findings" themselves are charges that were neither admitted nor tested in an administrative proceeding or in a court.13Notwithstanding these limits, to the extent that this reflects the CFPB approach to consent orders, CFPB enforcement actions will likely be a significant catalyst for additional private and public litigation.  

CFPB Enforcement Priorities

The CFPB Consent Order also provides clues as to the CFPB's enforcement priorities, both in terms of protected consumers and potential violators.

  • Protecting Specific Consumer Segments. The CFPB specifically noted that the Bank targeted consumers based on (i) low credit scores or (ii) low credit limits. To the extent that the CFPB deems such classes of consumers to be particularly vulnerable to certain sales tactics, an entity subject to CFPB jurisdiction should exercise particular caution with respect to those segments of its customer base. In many respects, this is reminiscent of the groups that mortgage originators targeted with specialized products prior to the mortgage market collapse. This becomes even more relevant in light of the CFPB's factual findings, most notably the misrepresentations regarding eligibility for product benefits based on the failure to ascertain the employment status of the consumer.
  • Responsibility for Third Party Service Providers. The CFPB Consent Order clearly holds the Bank fully responsible for the actions of its third party service provider, in this case a call center. This is not an unexpected development. Earlier in 2012, the CFPB issued a bulletin entitled "Service Providers" to supervised banks and nonbanks, directing them to oversee their relationships with third party service providers in a manner that ensures compliance with Federal consumer financial laws ("CFPB Bulletin 2012-03").14Indeed, CFPB Bulletin 2012-03 itself was not unexpected in view of longstanding OCC policy.15 What is significant about the CFPB Consent Order is that it implements the specific admonition in CFPB Bulletin 2012-03: "The CFPB will exercise the full extent of its supervision authority over supervised service providers, including its authority to examine for compliance with Title X's prohibition on unfair, deceptive, or abusive acts or practices." Furthermore, the compliance plan outlined in the CFPB Consent Order reflects the CFPB's "expectations" in CFPB Bulletin 2012-03, including "[e]stablishing internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law."  

CFPB Legal Standards

Although the CFPB's conclusions of law are summary in nature, the CFPB Consent Order does offer specific legal guidance in certain areas, confirming that the CFPB will adhere to prior interpretations at least in some instances.  

  • Deceptive. CFPB Bulletin 2012-06 reiterated the standard enunciated in the CFPB Manual that, as a general matter, a representation, omission, act, or practice is deceptive if:
    • The representation, omission, act, or practice misleads or is likely to mislead the consumer;
    • The consumer's interpretation of the representation, omission, act, or practice is reasonable under the circumstances;
    • The misleading representation, omission, act, or practice is material.  

Both the CFPB Manual and CFPB Bulletin 2012-06 contain footnotes to the effect that the CFPB is "informed by the FTC's standard for deception" and cite to the underlying FTC source.16 This suggests a measure of continuity in the application of basic legal principles.  

  • Materiality. The CFPB conclusions of law suggested a standard for "materiality" that may be applicable to all entities subject to CFPB jurisdiction. The CFPB concluded that the "false or misleading" representations were "material" because they "are likely to affect a consumer's choice or conduct regarding the [p]roducts and are likely to mislead consumers acting reasonably under the circumstances." This formulation is consistent with the standard set forth in the CFPB Manual.
  • Clearly and Prominently. The CFPB provided a definition of "clearly and prominently" in the context of written and oral disclosures, although the CFPB noted that the phrase is specific to the CFPB Consent Order.17 There is no reason to believe that the CFPB will not apply this formulation again in the future. Indeed, CFPB Bulletin 2012-06 reiterated that the CFPB considers the following factors generally in evaluating the effectiveness of disclosures at preventing consumers from being misled:
    • Is the statement prominent enough for the consumer to notice?
    • Is the information presented in an easy-to-understand format that does not contradict other information in the package and at a time when the consumer's attention is not distracted elsewhere?
    • Is the information in a location where consumers can be expected to look or hear?
    • Is the information in close proximity to the claim it qualifies?  

These factors appear in the UDAAP narrative in the CFPB Manual and are unambiguously sourced to the FTC, and CFPB Bulletin 2012-06 also noted that these factors track FTC guidance.

  • Abusive Acts or Practices. Conversely, the CFPB Consent Order made no mention of any "abusive" acts or practices. The term "abusive" in the UDAAP formulation is a new element added by the Dodd-Frank Act that does not appear in the FTC Act, and the CFPB's interpretation of the statutory definition of "abusive" is a crucial restriction on entities subject to CFPB jurisdiction with as yet unknown parameters.18 The CFPB Consent Order offers no practical insight into the CFPB's view of the scope of that critical term.

Practical Considerations for Entities Subject to CFPB Jurisdiction

The CFPB Consent Order in Perspective

Although the CFPB Consent Order and the related CFPB Bulletin 2012-06 raise issues that entities subject to CFPB jurisdiction should consider, the CFPB enforcement action against the Bank should not be a cause for immediate, undue alarm. The CFPB Consent Order is the first CFPB public enforcement action of any type, and it is not advisable to draw definitive conclusions from a sample of one. The Bank is a large depository institution with diverse operations that is subject to regulation by both the CFPB and the OCC, which may have cooperated – or competed – in the enforcement process.  Without commenting on what actually might have occurred with respect to the CFPB Consent Order, a financial institution in comparable circumstances, generally speaking, might elect to acquiesce in a consent order with the CFPB precisely because it also confronted a complementary OCC enforcement action premised on the FTC Act and "safety and soundness" considerations. In the case of the Bank, the factual findings were similar in each action, the restitution amounts were similar ($140 million versus $150 million) and the civil money penalties were similar ($25 million versus $35 million). Explaining the marginally higher OCC amounts, the CFPB press release announcing its enforcement action noted that the OCC Consent Orders include separate restitution for additional consumers allegedly harmed by "unfair" billing practices dating back to 2002 (i.e., prior to Dodd-Frank Act and the establishment of the CFPB) and indicated that the higher OCC civil money penalty is attributable to this alleged combined activity.

UDAAP is certainly an area of scrutiny for the CFPB, but it is not certain why the CFPB focused on the specific factual allegations set forth in the CFPB Consent Order for its first public enforcement action, other than, as noted above, consumer complaints and CFPB supervisory experience have revealed potential issues with credit card add-on products. Operating in an intensely political environment in an election year, the CFPB could have made its decision for a variety of different reasons. Even then, the CFPB Consent Order centered on alleged deceptive practices seemingly originating in the actions of a third party service provider and not in the Bank itself. To be sure, both the CFPB Consent Order and the OCC Consent Orders allege failures by the Bank to prevent or even detect the improper conduct, but that is a qualitatively different violation, even if the Bank is responsible for the actions of its agents. Nonetheless, there is nothing at all extraordinary about the CFPB's factual allegations or its stated positions on conclusions of law. In recent years, the OCC levied a civil money penalty against another major financial institution on substantially similar facts. As noted earlier, neither the dollar amount of the restitution nor the civil money penalty imposed by the CFPB is extraordinary by bank regulatory standards. Indeed, if the OCC had undertaken its enforcement action without CFPB involvement, it is an open question how much attention the proceeding would have attracted. Similarly, if this were the tenth CFPB enforcement action instead of the first, it is unclear how much weight external observers would accord it.

Cautionary Elements in the CFPB Consent Order and CFPB Bulletin 2012-06

Notstanding the aforementioned admonition not to read too much into a single enforcement action, entities subject to CFPB jurisdiction should be cognizant of various risks and the actions that they can take now to mitigate potential disruptions to their business operations.  

  • Identify Areas Potentially Subject to an Expanded Scope of a CFPB Examination. Despite the potential for a more general application of the CFPB Consent Order and CFPB Bulletin 2012-06, "add-on" products remain at the center of each action. Entities subject to CFPB jurisdiction should begin their internal review by identifying which of their offerings to customers could fall into this general category, particularly any products that are required in order for a consumer to receive an extension of credit. Recognizing the potential subject areas of a CFPB examination, especially with respect to non-core business products or services, is a useful initial step toward proper preparation for an examination.
  • Prepare for Enhanced Scrutiny of Service Providers. Third party vendor relationships will be part of any CFPB examination, but the CFPB's choice of a fact pattern based substantially on actions by a third party call center is a signal that entities subject to CFPB jurisdiction should not ignore. Such entities should review their policies and procedures governing their relationships with service providers, confirm that those relationships are set forth in written contracts (including indemnity provisions), and ensure that those contracts require the service providers to adhere to the consumer financial laws to the same degree as the entity.
  • Review Internal Controls. The failure of the Bank to monitor its service providers formed an essential element of the CFPB Consent Order.  Entities subject to CFPB jurisdiction should revisit their formal internal controls, review training and evaluation programs, conduct regular internal audits (including on-site compliance audits of service providers), institute quality assurance procedures and, where necessary, impose appropriate discipline on employees or service providers who fail to meet the entity's standards (e.g., deviate from scripts). Given the fact pattern underlying the CFPB Consent Order, entities that utilize call centers for consumer contact (or otherwise outsource functions such as sales/marketing or customer service) should redouble their internal oversight efforts in order to avoid CFPB charges and the imposition of a potentially costly independent oversight requirement.
  • Monitor and Address Complaints. Consumer complaints will be the catalyst for many CFPB enforcement actions (whether based on UDAAP violations or otherwise), particularly those resulting from unscheduled examinations. Complaints related to consumer attempts to cancel a product or service merit special attention, given the CFPB Consent Order. Logging, monitoring, investigating, and resolving consumer complaints fairly and expeditiously will help minimize the risk of an unexpected examination and a potential enforcement action based on the results of the examination. Moreover, public access to the CFPB complaint database means that unresolved complaints could impair the business reputation of an entity or lead to undesired media scrutiny.
  • Ensure the Accuracy of All Disclosures. Entities subject to CFPB jurisdiction should already pay close attention to the statutory and regulatory requirements applicable to formal consumer disclosures (e.g., Regulation Z), but the CFPB Consent Order and CFPB Bulletin 2012-06 underscore the importance of the accuracy of less formal disclosures, such as marketing materials, advertising, and call center or customer service telephone line scripts. The CFPB Consent Order imposed new written disclosure requirements on the Bank in the context of add-on products as a means to minimize the potential harm of false or misleading statements to a consumer by call center personnel. An entity could reduce the risk that the CFPB might seek to impose a potentially costly, additional disclosure requirement by ensuring in advance the accuracy of even informal disclosures (i.e., oral or written product/service descriptions) that it may provide to consumers.
  • Retain Documentation of Compliance. CFPB first day letters may well request call center scripts, audio tapes of consumer calls, data on the duration of calls, procedures manuals and marketing materials. The retention of complete and accurate evidence of compliance will permit prompt responses to CFPB inquiries, will demonstrate the intent to comply with the consumer financial laws, and may forestall enforcement actions.

Addressing potential areas of exposure in a CFPB examination now may enable an entity to avoid adverse consequences in the future.