On December 23, 2015, the Federal Reserve Board (“Federal Reserve”) and the Federal Deposit Insurance Corp. (“FDIC” and, collectively with the Federal Reserve, the “Agencies”) announced settlements with Higher One, Inc. (“Higher One”) for alleged violations of the prohibition against deceptive acts and practices under Section 5 of the Federal Trade Commission Act (“FTC Act”). In conjunction with its Higher One settlement, the FDIC also announced a settlement with WEX Bank (“WEX”), an insured depository institution that partnered with Higher One to offer a financial aid refund program.

These parallel enforcement actions are a reminder that the federal banking agencies, as well as the Consumer Financial Protection Bureau (“CFPB”), may have both the authority and the appetite to hold nonbank service providers responsible for compliance with federal consumer protection laws.

THE ACTIONS AGAINST HIGHER ONE AND WEX

Higher One provides financial aid disbursement services for colleges and universities by facilitating the disbursement of financial aid refunds to students. The Agencies alleged that Higher One violated Section 5 of the FTC Act by undertaking certain marketing and enrollment practices related to its student debit card program, known as “OneAccount.” Specifically, the Agencies alleged that Higher One omitted material facts about certain fees, features, and limitations of OneAccount from its website and marketing materials, and erroneously implied that the students’ schools endorsed OneAccount as the preferred method of disbursement of financial aid  refunds. WEX partnered with Higher One to establish and maintain OneAccount’s demand deposit accounts.

The Agencies concluded that Higher One was an institution affiliated party (“IAP”) under the Federal Deposit Insurance Act (“FDI Act”) of WEX and other regulated banks.1 According to the Agencies, Higher One’s status as an IAP provided the Agencies with jurisdiction over Higher One.

Separate from its IAP authority, the Federal Reserve emphasized that services provided by third-party vendors, such as Higher One, are “subject to regulation and examination by the Board of Governors to the same extent that such services would be subject to regulation and examination as if performed by the Banks on their own premises,” pursuant to Section 7(c) of the Bank Service Company Act (“BSCA”).2 Higher One was found to have performed demand deposit account services through its contracts with insured depositary institutions and was therefore, subject to the Federal Reserve’s BSCA jurisdiction.

OVERSIGHT OF THIRD-PARTY SERVICE PROVIDERS

The Agencies’ settlements with Higher One serve as reminders of how federal banking agencies can, and will, enforce consumer protection laws against nonbank entities, including third-party vendors and service providers, that partner with banks. Under the FDI Act, federal banking agencies have enforcement authority over “institution affiliated parties,” defined to include in pertinent part:

any . . . consultant, joint venture partner, and any other person as determined by the appropriate Federal banking agency (by regulation or case-by-case) who participates in the conduct of the affairs of an insured depository institution; and

any independent contractor . . . who knowingly or recklessly participates in—

  1. any violation of any law or regulation;
  2. any breach of fiduciary duty; or
  3. any unsafe or unsound practice

which caused or is likely to cause more than a minimal financial loss to, or a significant adverse effect on, the insured depository institution.3

The federal banking agencies also have the authority to regulate and examine services performed for a bank, “by contract or otherwise,” by any third party. Specifically, Section 7(c) of the BSCA provides that the federal banking agencies may regulate and examine certain services performed for a bank, by contract or otherwise, by any third party “to the same extent as if such services were being performed by the bank itself on its own premises.”4

Although the CFPB did not engage in an enforcement action against WEX or Higher One, it has the ability to do so. Under the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”), the CFPB has the extensive authority to supervise, examine, and enforce federal consumer financial protection laws against service providers to “covered persons” (including banks). The definition of a “service provider” under the Dodd- Frank Act includes “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service…,”5 which could be construed broadly enough to cover a party like Higher One. Moreover, service providers themselves may be deemed “related persons,” which is defined in the Dodd-Frank Act very similarly to IAPs. As such, “related persons” may be subject to the same CFPB authority as the “covered persons” they serve.

The CFPB also has the authority to enforce against any person the Dodd-Frank Act’s prohibition on unfair, deceptive, or abusive acts or practices (“UDAAP”), which parallel the prohibitions under Section 5 of the FTC Act. Accordingly, it is conceivable that Higher One could have faced similar enforcement action under the CFPB’s UDAAP authority.6

TAKE HOME LESSONS FOR VENDORS PROVIDING SERVICES TO BANKS

  • More and more, nonbank entities are partnering with banks to offer a wide range of consumer financial products and services. The Agencies’ actions against Higher One (and WEX) serve as a reminder that the federal banking agencies expect nonbanks offering or facilitating financial products and services to comply with consumer protection laws to the same extent as partner banks themselves. These actions demonstrate that the federal banking agencies will take action to enforce those laws.
  • The CFPB has similar authority over vendors and service providers to banks and financial services companies to that of the federal banking regulators. Previous CFPB actions demonstrate the agency’s ability and willingness to pursue actions against such service providers.
  • Indeed, in the heavily regulated arena of financial services, nonbank vendors and service providers to banks and other financial services providers may be subject to legal and regulatory risks similar to those of the financial institutions for which services are performed.
  • It is notable that the Higher One actions involved depository products, while many enforcement actions of the past several years have involved credit products. As more nonbank entities seek to offer depository products to consumers, partnering with a regulated depository institution, such as those involved in the Agencies’ investigations, may not shield nonbanks from basic regulatory requirements.