Financial institutions have spent a year anticipating and predicting when the Consumer Financial Protection Bureau (CFPB) would put its broad enforcement powers to use. The anticipation ended on July 18, 2012, when the CFPB announced its first enforcement action with the entry of a consent order against Capitol One Bank. See, Stipulation and Consent Order, available at http://files.consumerfinance.gov/f/201207_cfpb_consent_order_0001.pdf. The subject of the consent order was Capital One’s marketing practices for credit card add-on products, such as payment protection and credit monitoring. Capitol One used third-party agents to market these products. The CFPB alleged that Capital One’s third-party agents used deceptive marketing tactics to pressure or mislead consumers to pay for these add-on products and that Capitol One had failed to provide proper oversight. In a press release, Capitol One stated that its “third-party vendors did not always adhere to company sales scripts and sales policies for Payment Protection and Credit Monitoring products, and the bank did not adequately monitor their activities.” As part of its settlement with the CFPB, Capital One will refund $140 million to customers and pay a $25 million penalty to the CFPB. In addition, Capitol One’s prudential regulator, the Office of the Comptroller of the Currency (OCC), assessed a $35 million civil penalty and ordered a $10 million refund, in addition to that required by the CPFB. In total, the enforcement action cost Capital One $210 million, ten times more than the largest settlement ever obtained by the Federal Trade Commission.
In existence for just over a year, the CFPB was created by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. It aims to consolidate federal consumer financial protection authority and, in its own words, “watch out for American consumers in the market for consumer financial products and services. ” The CFPB has a range of powers including the power to write regulations under federal consumer financial laws and the power to gather information about matters relating to financial services. Among other things, it receives consumer complaints (more than 45,000 so far this year), maintains a database of consumer complaints, and shares complaints with other federal and state agencies.
The CFPB also has the power to supervise (i.e., conduct periodic examinations) and bring enforcement actions against a wide range of financial services companies with respect to the federal consumer financial laws. This includes banks, thrifts, and credit unions with more than $10 billion in assets (and their affiliates and service providers) as well as certain nondepository entities that had never before been subject to supervision by any federal financial regulators, such as nonbank mortgage lenders, servicers, and brokers; payday lenders; student lenders; and others.1 The combination of supervisory and enforcement powers is significant because information obtained through the supervisory process can quickly become the basis for an enforcement action, as was the case with Capitol One.
The CFPB used its supervisory power to initiate an investigation into Capital One’s marketing practices for add-on products. Through this investigation, the CFPB found that Capital One’s call center representatives used deceptive and inconsistent marketing tactics to pressure consumers into purchasing add-on products, including “payment protection,” which allows consumers to request that the bank cancel up to 12 months of minimum payments if they encounter certain life events like unemployment and temporary disability; debt forgiveness in the event of death or permanent disability; and “credit monitoring,” with services such as identity-theft protection, access to “credit education specialists,” and, in some cases, daily monitoring and notification.
The CFPB Consent Order with Capitol One requires it to cease and desist from any further marketing and solicitation of add-on products until it submits a compliance plan to the CFPB, pay restitution and a civil penalty, and hire an independent auditor to verify compliance. The Consent Order does contain a provision that Capitol One does not admit liability, which could be useful in any civil litigation brought by consumers.
In an effort to put companies on “notice” of permissible practices for the marketing of add-ons and other similar consumer financial products, the CFPB also issued a compliance bulletin addressing the CFPB’s concern about credit card add-on products and providing guidance for best practices related to these products. While the bulletin specifically focuses on add-on products, its recommendations can serve as guidance for the marketing of similar products. Specifically, it notes that if an institution uses call center marketing it should have explicit scripts from which no deviation is permitted. It also suggests increased oversight of third-party service providers and training programs for employees.
Clearly, the CFPB intended the Capitol One settlement to be a warning to industry. CFPB Director Richard Cordray said in a press release: “We are putting companies on notice that these deceptive practices are against the law and will not be tolerated.” Financial services companies subject to the CFPB’s supervisory and enforcement jurisdiction would be well advised to take note of the Capitol One settlement and consider whether they can take appropriate action to prevent themselves from becoming the target of a CFPB enforcement action before it’s too late. The CFPB has a broad range of enforcement tools and options, including the power to bring an administrative or a federal court action and the power to issue subpoenas and civil investigative demands. It also has a range of remedies that it can use to force a settlement, such as civil money penalties of up to $1 million per day for willful violations; rescission, reformation, refunds, and restitution; disgorgement and damages; and limitations on the activities or functions of a financial services company. The only remedy not available to it is punitive damages, but even without that option it still has plenty of muscle to force a settlement.
Companies subject to the CFPB’s jurisdiction should be proactive in ensuring that their practices comply with CFPB regulations and guidance, such as the bulletin issued with the Capitol One Consent Order. They should establish best practices and compliance mechanisms. And, if they become aware of non-compliance, they should take quick and effective action to correct the situation and thereby avoid the possibility of crushing penalties imposed by the CFPB.